iptables firewall script for debian-woody, 2.4.24
From: Gord Philpott (tech_at_gordphilpott.com)
Date: 03/31/04
- Previous message: Brian Hatch: "Re: nis : how to avoid user1 becoming user2 using local root ?"
- Next in thread: cookie: "Re: iptables firewall script for debian-woody, 2.4.24"
- Reply: cookie: "Re: iptables firewall script for debian-woody, 2.4.24"
- Reply: Arno van Amersfoort: "Re: iptables firewall script for debian-woody, 2.4.24"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 31 Mar 2004 16:24:50 -0500
To: focus-linux@securityfocus.com
Hello all,
I've created a custom IPTables firewall script for a Debian 3.0 server
(2.4.24 kernel) running Bind DNS and SSH.
I have used the script on other systems, and have commented out the ports
that are not needed for this setup. When I nmap the server with the
firewall script off, I get different results than when the firewall script
is on. I am looking to have the ports needed to run DNS and SSH available
regardless of the firewall status.
If anyone can spot why 53/udp and 32768/udp show up as filtered, please let
me know.
--Gord.
#### Output from NMAP while firewall is OFF:
lan2:/# nmap -sS -sU -P0 -p '20-30,50-60,950-960,32760-32770' 216.xxx.xxx.xxx
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-31 14:50 EST
Interesting ports on xxx.xxx.net (216.xxx.xxx.xxx):
(The 84 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
53/udp open domain
32768/udp open omad
Nmap run completed -- 1 IP address (1 host up) scanned in 34.068 seconds
#### Output from NMAP while firewall is ON:
lan2:/# nmap -sS -sU -P0 -p '20-30,50-60,950-960,32760-32770' 216.xxx.xxx.xxx
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-31 14:47 EST
Interesting ports on xxx.xxx.net (216.xxx.xxx.xxx):
(The 86 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
Nmap run completed -- 1 IP address (1 host up) scanned in 6.804 seconds
#### IP Firewall script:
dns2:/etc/init.d# more ipfirewall
#!/bin/bash
#
# Simple firewall script by Gord P.
NAME="ipfirewall"
IPTABLES="/sbin/iptables"

case "$1" in
  start)
    echo -n "Starting firewall.."
    # Flush, then restrict: anything not explicitly accepted below is dropped
    $IPTABLES -F
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    # For ping and traceroute
    $IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 30 -j ACCEPT
    # For traceroute
    $IPTABLES -A INPUT -i eth0 -p udp --source-port 32769:65535 \
        --destination-port 33434:33523 -j ACCEPT
    $IPTABLES -A OUTPUT -p udp --source-port 32769:65535 \
        --destination-port 33434:33523 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 30 -j ACCEPT
    # Loopback
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    $IPTABLES -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    # For already established and related connections
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p tcp --destination-port 22 -j ACCEPT    # SSH
    $IPTABLES -A INPUT -p tcp --destination-port 53 -j ACCEPT    # DNS
    $IPTABLES -A INPUT -p udp --destination-port 53 -j ACCEPT    # DNS
    $IPTABLES -A INPUT -p udp --destination-port 32768 -j ACCEPT # DNS
    #$IPTABLES -A INPUT -p udp --destination-port 135:139 -j ACCEPT # SMB
    #$IPTABLES -A INPUT -p tcp --destination-port 135:139 -j ACCEPT # SMB
    #$IPTABLES -A INPUT -p tcp --destination-port 6674 -j ACCEPT    # sched
    #$IPTABLES -A INPUT -p tcp --destination-port 8080 -j ACCEPT    # Proxy
    #$IPTABLES -A INPUT -p tcp --destination-port 443 -j ACCEPT     # HTTPS
    #$IPTABLES -A INPUT -p tcp --destination-port 20:21 -j ACCEPT   # FTP
    #$IPTABLES -A INPUT -p tcp --destination-port 25 -j ACCEPT      # SMTP
    # Reject auth/ident (the "auth" service name is port 113; sunrpc would be 111)
    $IPTABLES -A INPUT -p tcp --dport auth -j REJECT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --destination-port 53 -j ACCEPT   # DNS
    $IPTABLES -A OUTPUT -p udp --destination-port 53 -j ACCEPT   # DNS
    $IPTABLES -A OUTPUT -p tcp --destination-port 22 -j ACCEPT   # SSH
    #$IPTABLES -A OUTPUT -p tcp --destination-port 80 -j ACCEPT      # HTTP
    #$IPTABLES -A OUTPUT -p tcp --destination-port 443 -j ACCEPT     # HTTPS
    #$IPTABLES -A OUTPUT -p tcp --destination-port 8080 -j ACCEPT    # Proxy
    #$IPTABLES -A OUTPUT -p tcp --destination-port 6674 -j ACCEPT    # sched
    #$IPTABLES -A OUTPUT -p tcp --destination-port 110 -j ACCEPT     # POP
    #$IPTABLES -A OUTPUT -p tcp --destination-port 995 -j ACCEPT     # SPOP
    #$IPTABLES -A OUTPUT -p tcp --destination-port 993 -j ACCEPT     # SIMAP
    #$IPTABLES -A OUTPUT -p tcp --destination-port 25 -j ACCEPT      # SMTP
    #$IPTABLES -A OUTPUT -p tcp --destination-port 1494 -j ACCEPT    # Citrix
    #$IPTABLES -A OUTPUT -p tcp --destination-port 5222 -j ACCEPT    #
    #$IPTABLES -A OUTPUT -p tcp --destination-port 20:21 -j ACCEPT   # FTP
    #$IPTABLES -A OUTPUT -p tcp --destination-port 119 -j ACCEPT     # NNTP
    #$IPTABLES -A OUTPUT -p tcp --destination-port 23 -j ACCEPT      # Telnet
    #$IPTABLES -A OUTPUT -p tcp --destination-port 7741 -j ACCEPT    #
    #$IPTABLES -A OUTPUT -p tcp --destination-port 445 -j ACCEPT
    #$IPTABLES -A OUTPUT -p udp --destination-port 137:139 -j ACCEPT # SMB
    #$IPTABLES -A OUTPUT -p tcp --destination-port 538 -j ACCEPT     #
    #$IPTABLES -A OUTPUT -p tcp --destination-port 3306 -j ACCEPT    # MySQL
    #$IPTABLES -A OUTPUT -p tcp --destination-port 81 -j ACCEPT      # HTTP
    #$IPTABLES -A OUTPUT -p tcp --destination-port 43 -j ACCEPT      # Whois
    #$IPTABLES -A OUTPUT -p tcp --destination-port 9628 -j ACCEPT    # Objectsocket.php
    #$IPTABLES -A OUTPUT -p tcp --destination-port 6667 -j ACCEPT    # IRC
    $IPTABLES -A INPUT -p tcp -i lo -d 0/0 -j ACCEPT
    echo "..done"
    ;;
  stop)
    echo -n "Stopping firewall.."
    # Flush and fall back to an open host (forwarding stays off)
    $IPTABLES -F
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    echo "done"
    ;;
  *)
    echo "Usage: $NAME {start|stop}"
    exit 1
    ;;
esac
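An added example, not part of Gord's post and not his script: the same DNS + SSH policy rewritten so that the stateful rule is evaluated first and only ports a daemon actually listens on are opened inbound. It assumes the public interface is eth0, that BIND listens on 53/tcp and 53/udp and sshd on 22/tcp, and that the 32768/udp port opened in the original is most likely BIND's query-source socket (the first port of the 2.4 kernel's ephemeral range); answers to queries BIND sends out come back through conntrack as ESTABLISHED, so no inbound rule for that port is needed. The DRY_RUN and WAN_IF variables and the ipt, firewall_start, firewall_stop and inbound_rules_for_port functions are this example's own. With DRY_RUN=1 (the default) the iptables commands are printed instead of executed, so the rule set can be reviewed on any machine without root.

```shell
#!/bin/sh
# Added example (not Gord's script): stateful DNS + SSH host policy.
# DRY_RUN=1 prints the iptables commands instead of running them.
# Assumed: public interface eth0, BIND on 53/tcp+udp, sshd on 22/tcp.

DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"

# Wrapper so the same function can either apply or merely show the rules.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

firewall_start() {
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Loopback is trusted in both directions.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Reply traffic first: this covers answers to BIND's outgoing queries,
    # SSH sessions and traceroute/ICMP errors, so no inbound hole for an
    # ephemeral port such as 32768/udp (assumed: BIND's query socket) is needed.
    ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets that claim to belong to a connection conntrack never saw.
    ipt -A INPUT -m state --state INVALID -j DROP

    # Services this host actually runs (new connections only).
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT  # SSH
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 53 -m state --state NEW -j ACCEPT  # DNS (zone transfers, large answers)
    ipt -A INPUT -i "$WAN_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT  # DNS

    # ICMP: answer pings, accept the error types that matter for our own traffic.
    for t in echo-request echo-reply destination-unreachable time-exceeded parameter-problem; do
        ipt -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    ipt -A OUTPUT -p icmp -j ACCEPT

    # Outbound: lookups and recursion by BIND, plus outgoing SSH from the box.
    ipt -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Log what the DROP policy is about to discard (rate limited so a flood
    # cannot fill the disk); a port scan then shows up in the kernel log.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

firewall_stop() {
    ipt -F
    ipt -X
    ipt -P INPUT ACCEPT
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

# How many INPUT rules open a given destination port; used to review the policy
# before applying it (e.g. 53 -> 2, 32768 -> 0).
inbound_rules_for_port() {
    firewall_start | grep -c -e "-A INPUT .*--dport $1 " || true
}

case "${1:-}" in
    start) firewall_start ;;
    stop)  firewall_stop ;;
    *)     echo "Usage: $0 {start|stop}   (set DRY_RUN=0 to apply the rules)" ;;
esac
```

To apply it for real, run `DRY_RUN=0 ./ipfirewall-example start` as root, then `iptables -L -n -v` and confirm that the packet counters on the 22 and 53 rules move while the services are used; with the rule order above a later rule never shadows the stateful accept, which is the usual cause of a service that answers with the firewall off but shows as filtered with it on.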