Re: iptables firewall script for debian-woody, 2.4.24

From: cookie (cookie_at_rknrobin.com)
Date: 04/02/04

    Date: Thu, 01 Apr 2004 14:08:34 -0800
    To: Gord Philpott <tech@gordphilpott.com>, focus-linux@securityfocus.com

    Gord Philpott wrote:

    > Hello all,
    >
    > I've created a custom IPTables firewall script for a Debian 3.0 server
    > (2.4.24 kernel) running Bind DNS and SSH.
    >
    > I have used the script on other systems, and have commented out the
    > ports that are not needed for this setup. When I nmap the server
    > with the firewall script off, I get different results than when the
    > firewall script is on. I am looking to have the ports needed to run
    > DNS and SSH available regardless of the firewall status.
    >
    > If anyone can spot why 53/udp and 32768/udp show up as filtered,
    > please let me know.
    > --Gord.
    >
    > #### Output from NMAP while firewall is ON:
    > lan2:/# nmap -sS -sU -P0 -p '20-30,50-60,950-960,32760-32770' 216.xxx.xxx.xxx
    >
    > Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-31 14:50 EST
    > Interesting ports on xxx.xxx.net (216.xxx.xxx.xxx):
    > (The 84 ports scanned but not shown below are in state: closed)
    > PORT STATE SERVICE
    > 22/tcp open ssh
    > 53/tcp open domain
    > 53/udp open domain
    > 32768/udp open omad
    >
    > Nmap run completed -- 1 IP address (1 host up) scanned in 34.068 seconds
    >
    >
    > #### Output from NMAP while firewall is ON:
    > lan2:/# nmap -sS -sU -P0 -p '20-30,50-60,950-960,32760-32770' 216.xxx.xxx.xxx
    >
    > Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-31 14:47 EST
    > Interesting ports on xxx.xxx.net (216.xxx.xxx.xxx):
    > (The 86 ports scanned but not shown below are in state: filtered)
    > PORT STATE SERVICE
    > 22/tcp open ssh
    > 53/tcp open domain
    >
    > Nmap run completed -- 1 IP address (1 host up) scanned in 6.804 seconds
    >
    >
    >
    > #### IP Firewall script:
    > dns2:/etc/init.d# more ipfirewall
    > #!/bin/bash
    > #
    > # Simple firewall script by Gord P.
    >
    > NAME="ipfirewall"
    > IPTABLES="/sbin/iptables"
    >
    > case "$1" in
    >   start)
    >     echo -n "Starting firewall.."
    >
    >     # Flush then restrict: default-deny on every chain
    >     $IPTABLES -F
    >     $IPTABLES -P FORWARD DROP
    >     $IPTABLES -P INPUT DROP
    >     $IPTABLES -P OUTPUT DROP
    >
    >     # For ping and traceroute
    >     $IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    >     $IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    >     $IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
    >     $IPTABLES -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
    >     $IPTABLES -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
    >     $IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
    >     $IPTABLES -A INPUT -p icmp --icmp-type 30 -j ACCEPT
    >
    >     # For traceroute (UDP probes into the 33434:33523 range)
    >     $IPTABLES -A INPUT -i eth0 -p udp --source-port 32769:65535 \
    >         --destination-port 33434:33523 -j ACCEPT
    >
    >     $IPTABLES -A OUTPUT -p udp --source-port 32769:65535 \
    >         --destination-port 33434:33523 -j ACCEPT
    >
    >     $IPTABLES -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
    >     $IPTABLES -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
    >     $IPTABLES -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
    >     $IPTABLES -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
    >     $IPTABLES -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
    >     $IPTABLES -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
    >     $IPTABLES -A OUTPUT -p icmp --icmp-type 30 -j ACCEPT
    >
    >     # Loopback traffic
    >     $IPTABLES -A INPUT -i lo -j ACCEPT
    >     $IPTABLES -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    >     $IPTABLES -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    >
    >     # For already established and related allows
    >     $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    >     $IPTABLES -A INPUT -p tcp --destination-port 22 -j ACCEPT # SSH
    >     $IPTABLES -A INPUT -p tcp --destination-port 53 -j ACCEPT # DNS
    >     $IPTABLES -A INPUT -p udp --destination-port 53 -j ACCEPT # DNS
    >     $IPTABLES -A INPUT -p udp --destination-port 32768 -j ACCEPT # DNS
    >     #$IPTABLES -A INPUT -p udp --destination-port 135:139 -j ACCEPT # SMB
    >     #$IPTABLES -A INPUT -p tcp --destination-port 135:139 -j ACCEPT # SMB
    >     #$IPTABLES -A INPUT -p tcp --destination-port 6674 -j ACCEPT # sched
    >     #$IPTABLES -A INPUT -p tcp --destination-port 8080 -j ACCEPT # Proxy
    >     #$IPTABLES -A INPUT -p tcp --destination-port 443 -j ACCEPT # HTTPS
    >     #$IPTABLES -A INPUT -p tcp --destination-port 20:21 -j ACCEPT # FTP
    >     #$IPTABLES -A INPUT -p tcp --destination-port 25 -j ACCEPT # SMTP
    >
    >     # "auth" resolves to 113 (ident); answer it with a reject rather than a silent drop
    >     $IPTABLES -A INPUT -p tcp --dport auth -j REJECT
    >
    >     $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    >     $IPTABLES -A OUTPUT -p tcp --destination-port 53 -j ACCEPT # DNS
    >     $IPTABLES -A OUTPUT -p udp --destination-port 53 -j ACCEPT # DNS
    >     $IPTABLES -A OUTPUT -p tcp --destination-port 22 -j ACCEPT # SSH
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 80 -j ACCEPT # HTTP
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 443 -j ACCEPT # HTTPS
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 8080 -j ACCEPT # Proxy
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 6674 -j ACCEPT # sched
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 110 -j ACCEPT # POP
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 995 -j ACCEPT # SPOP
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 993 -j ACCEPT # SIMAP
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 25 -j ACCEPT # SMTP
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 1494 -j ACCEPT # Citrix
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 5222 -j ACCEPT #
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 20:21 -j ACCEPT # FTP
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 119 -j ACCEPT # NNTP
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 23 -j ACCEPT # Telnet
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 7741 -j ACCEPT #
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 445 -j ACCEPT
    >     #$IPTABLES -A OUTPUT -p udp --destination-port 137:139 -j ACCEPT # SMB
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 538 -j ACCEPT #
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 3306 -j ACCEPT # MySQL
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 81 -j ACCEPT # HTTP
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 43 -j ACCEPT # Whois
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 9628 -j ACCEPT # Objectsocket.php
    >     #$IPTABLES -A OUTPUT -p tcp --destination-port 6667 -j ACCEPT # IRC
    >
    >     $IPTABLES -A INPUT -p tcp -i lo -d 0/0 -j ACCEPT
    >     echo "..done"
    >     ;;
    >   stop)
    >     echo -n "Stopping firewall.."
    >     $IPTABLES -F
    >     $IPTABLES -P FORWARD DROP
    >     $IPTABLES -P OUTPUT ACCEPT
    >     $IPTABLES -P INPUT ACCEPT
    >     echo "done"
    >     ;;
    >   *)
    >     echo "Usage: $NAME {start|stop}"
    >     exit 1
    >     ;;
    > esac
    >
    >
    >
    A quick glance shows this to be pretty sound... I don't see any reason
    your box should be dropping 53 requests after running these rules...
    Then again, there's no way to know for certain unless you take a look
    at the running rules (iptables -L INPUT -n; iptables -L OUTPUT -n) and
    scan through them for anything iffy. If you're still unsure, I'd post
    that here as well.

    PS: Commented lines aren't really necessary for diagnosing a ruleset.
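As an added example, not from either poster, here is a first-match walk over the `iptables -L INPUT -n` listing that the reply suggests pulling: it reports which rule (or the chain policy) handles a given inbound probe, so the chain actually loaded can be checked rule by rule against the script. The embedded listing is constructed from the script's INPUT rules; the probe's source address and port are assumed values, and interface matches are not modelled because `-L` without `-v` omits them.

```python
import re

# Constructed listing: `iptables -L INPUT -n` as it would look with the posted script's INPUT rules loaded (no -v, so no interfaces).
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:32769:65535 dpts:33434:33523
ACCEPT     all  --  127.0.0.1            127.0.0.1
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:32768
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:113 reject-with icmp-port-unreachable
"""

def parse_chain(text):
    """Return (policy, rules) from one chain of `iptables -L -n` output."""
    lines = text.strip().splitlines()
    policy = re.match(r"Chain \S+ \(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:                      # skip chain header and column header
        parts = line.split(None, 5)             # target prot opt source destination [extra]
        rules.append({"target": parts[0], "prot": parts[1], "src": parts[3],
                      "extra": parts[5] if len(parts) > 5 else ""})
    return policy, rules

def _port_ok(extra, kind, port):
    m = re.search(rf"{kind}s?:(\d+)(?::(\d+))?", extra)   # kind is 'dpt' or 'spt'
    if not m:
        return True                             # no port match in the rule: any port
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    return lo <= port <= hi

def verdict(text, proto, dport, sport=40000, src="198.51.100.7", state="NEW"):
    """First-match walk: (target, rule index) or (chain policy, None)."""
    policy, rules = parse_chain(text)
    for i, r in enumerate(rules):
        if r["prot"] not in ("all", proto):
            continue
        if r["src"] not in ("0.0.0.0/0", src):  # exact host or any; no CIDR math here
            continue
        if "state" in r["extra"] and state not in r["extra"]:
            continue
        if _port_ok(r["extra"], "dpt", dport) and _port_ok(r["extra"], "spt", sport):
            return r["target"], i
    return policy, None

def not_accepted(text, wanted):
    # entries of wanted [(proto, port), ...] that a new inbound probe would not reach
    return [(p, d) for p, d in wanted if verdict(text, p, d)[0] != "ACCEPT"]
```

Run it on a listing captured from the server; anything `not_accepted()` returns for the wanted services points at a rule that did not load or that an earlier rule pre-empts.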

