Re: iptables udp and output

From: NeoSadist (neosad1st_at_charter.net)
Date: 01/14/04


Date: Wed, 14 Jan 2004 07:21:33 -0700

charly wrote:

>> Don't you mean:
>> iptables -A INPUT -p tcp --sport 137:139 -j DROP
>> iptables -A INPUT -p udp --sport 137:139 -j DROP
> yes, thanx !
>
> I post my script here for comments and remarks before testing it tonight :
> IPTABLES="/usr/local/iptables-1.2.9/iptables"

Forget "make install"?

> INSMOD="/sbin/insmod"
> INTERNET_SERVICES="25,110,119"
> LOCAL_SERVICES="20,21,22"
>
> # Modules to load
> $INSMOD ip_tables
> $INSMOD ip_conntrack
> $INSMOD ip_conntrack_ftp
> $INSMOD ipt_state
> $INSMOD iptable_nat
> $INSMOD ipt_MASQUERADE

Not necessary: your machine will load the modules it needs as it needs them.

>
>
> $IPTABLES -F
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -F -t mangle
> $IPTABLES -F -t nat

Not necessary:
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z

>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> #$IPTABLES -P FORWARD ACCEPT

No, it should drop forwarded packets unless you need to forward packets, and
even then the policy should always be DROP or REJECT unless you have other
needs.

>
>
> #-----------------------------
> # INPUT RULES
> #-----------------------------
> $IPTABLES -A INPUT -o lo -j ACCEPT

Uh, actually this is better:
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

>
> # Drop ALL attempted port scans
> $IPTABLES -A INPUT -m psd -j DROP

Good idea.
Try this one too:
$IPTABLES -A INPUT -f -j DROP

Most vulnerabilities for Windows machines are based on packet fragmentation
reassembly, and just dropping all fragmented packets helps a lot.
I've dropped fragmented packets since 2000 with NPF, then with IPTables.

>
> # ping falls dead
> $IPTABLES -A INPUT -p icmp -j DROP

Why? Ping can be a nice tool to help troubleshoot the network with. You
can just limit it if you're scared:
$IPTABLES -A INPUT -p icmp -m limit --limit 3/minute -j ACCEPT

Even then, you're dropping ALL icmp, and there are other things your network
needs from ICMP. A better way to do it would be to include it in your
state machine:
$IPTABLES -A INPUT -p icmp -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED \
-j ACCEPT

Also, you could just add a blanket statement to drop all invalid state
packets:
$IPTABLES -A INPUT -i eth0 -m state --state INVALID -j DROP

>
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

What? No -p ! icmp ?
You should exclude icmp from that part, because icmp functions differently.

> $IPTABLES -A INPUT -p tcp --match multiport --sports $INTERNET_SERVICES -j ACCEPT
> $IPTABLES -A INPUT -p tcp --match multiport --dports $LOCAL_SERVICES -j ACCEPT

The state machine should work well enough for that, but if you insist...
If those are incoming connection requests, you could specify that they're
SYN packets by adding --syn after -p tcp:
$IPTABLES -A INPUT -p tcp --syn -m multiport --sports ...

>
> # Stop W2K Chatter
> $IPTABLES -A INPUT -p tcp --sport 137:139 -j DROP
> $IPTABLES -A INPUT -p udp --sport 137:139 -j DROP

Should not be necessary: if you have no incoming state NEW and no incoming
ports 137:139 specified, these should get dropped. However, you can
manually drop them ...
I'd recommend dropping 135:139 and 445 for NetBIOS... Win2000/XP use port
445 more often ...

>
> #Allow incoming DNS traffic
> $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT

DNS traffic is UDP. To prevent DNS spoofing/poisoning, you can specify
where the DNS should come from (since you should only communicate DNS with
the DNS servers your ISP uses):

$IPTABLES -A INPUT -p udp -s 24.240.225.10 --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d 24.240.225.10 --dport 53 -j ACCEPT

BTW: for non-loopback stuff, you can be more specific on ALL rules by adding
"-i eth0" for INPUT and "-o eth0" for output.
Also, when specifying ports, remember it's source port (--sport) for INPUT
and destination port (--dport) for OUTPUT.
I suggest you download and install Ethereal, and watch your network and see
how it acts.

>
> #Allow incoming NMBD/SMB traffic
> $IPTABLES -A INPUT -p udp --dport 137 -i eth0 -j ACCEPT
> $IPTABLES -A INPUT -p udp --dport 138 -i eth0 -j ACCEPT

Uh, wait. You just shut off all that traffic above, and now you're
accepting it? Dude, get a clue.

>
>
> #-----------------------------
> # OUTPUT RULES
> #-----------------------------
> $IPTABLES -A OUTPUT -o lo -j ACCEPT

This should be up with the loopback input rule.

> $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

No, you can safely use --state NEW,ESTABLISHED,RELATED here, just specify
that the output interface is "-o eth0".

> $IPTABLES -A OUTPUT -m state --state NEW -m owner --uid-owner charly -j ACCEPT

What if root wants to ping the network while troubleshooting? What about
things that run suid root? I think that, if it's a single user machine,
specifying the owner is pointless.

>
> # No ping answer allowed
> $IPTABLES -A OUTPUT -p icmp -j DROP

Again, I don't see why you limit ping by blocking all icmp. If you want to
enable/disable ping, you can enable the good types (0 for request and 8 for
reply) and disable the bad types if you'd like, but other types are needed
for normal networking (i.e. networking by the rules in the RFC/IEEE
standard), such as type 3 "destination unreachable".
Go to www.netfilter.org and go to the iptables tutorial -- read and learn.

-- 
Living in LA is like not having a date on Saturday night.
                -- Candice Bergen
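For reference, here is the quoted script reassembled along the lines of the reply's suggestions: flush/-X/-Z, DROP policy on all three chains, loopback accepted with -i on INPUT and -o on OUTPUT, fragments and INVALID dropped, ICMP given its own state rules and excluded from the general ESTABLISHED,RELATED rule, --syn on the locally offered services, NetBIOS/SMB (135:139 and 445) dropped, DNS restricted to named resolvers, and NEW,ESTABLISHED,RELATED allowed out on the external interface. This is an added example, not code from either poster. It assumes eth0 as the external interface and uses constructed RFC 5737 placeholder addresses for the resolvers; it runs in dry-run mode by default (printing the iptables commands) and only applies rules if IPTABLES is pointed at the real binary.

```shell
#!/bin/sh
# Added example: firewall ruleset following the reply's recommendations.
# Dry-run by default: IPTABLES="echo iptables" prints each command instead of
# applying it. Run as root with IPTABLES=/sbin/iptables to apply for real.
IPTABLES="${IPTABLES:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"                              # assumed external interface
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 192.0.2.54}"   # constructed placeholders, not real resolvers
LOCAL_SERVICES="${LOCAL_SERVICES:-20,21,22}"          # services offered by this host, from the script

build_rules() {
    # Flush rules, delete user-defined chains, zero counters
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -Z

    # Default deny on every chain, FORWARD included
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # Loopback: -i on INPUT, -o on OUTPUT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Drop fragments and anything conntrack cannot classify
    $IPTABLES -A INPUT -i "$WAN_IF" -f -j DROP
    $IPTABLES -A INPUT -i "$WAN_IF" -m state --state INVALID -j DROP

    # ICMP has its own state rules; inbound echo requests are rate-limited
    $IPTABLES -A INPUT -i "$WAN_IF" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -m limit --limit 3/minute -j ACCEPT
    $IPTABLES -A OUTPUT -o "$WAN_IF" -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # General state rule with ICMP excluded (iptables 1.2.x spells this "-p ! icmp")
    $IPTABLES -A INPUT -i "$WAN_IF" ! -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Locally offered services: only SYN packets may open new connections
    $IPTABLES -A INPUT -i "$WAN_IF" -p tcp --syn -m multiport --dports "$LOCAL_SERVICES" -j ACCEPT

    # NetBIOS/SMB noise: 135:139 and 445 over both protocols
    for proto in tcp udp; do
        $IPTABLES -A INPUT -i "$WAN_IF" -p "$proto" --dport 135:139 -j DROP
        $IPTABLES -A INPUT -i "$WAN_IF" -p "$proto" --dport 445 -j DROP
    done

    # DNS only to and from the configured resolvers
    for ns in $DNS_SERVERS; do
        $IPTABLES -A OUTPUT -o "$WAN_IF" -p udp -d "$ns" --dport 53 -j ACCEPT
        $IPTABLES -A INPUT -i "$WAN_IF" -p udp -s "$ns" --sport 53 -j ACCEPT
    done

    # Outbound: this host may open connections; replies return via the state rules
    $IPTABLES -A OUTPUT -o "$WAN_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

build_rules
```

In dry-run mode the output is the exact command list, which is convenient for reviewing rule order before applying anything: the INVALID and fragment drops come before any ACCEPT, the ICMP rules precede the ICMP-excluded state rule, and the NetBIOS drops sit before the outbound rule so nothing in them can be shadowed.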