Re: iptables firewall script for linux

On Thu, 9 Nov 2006, in the Usenet newsgroup comp.security.firewalls, in article
<ej03mj$6ib$1@xxxxxxxxxxxxxxxxx>, John F wrote:

> Had been using an ipchains firewall script, which you can see as
> firewall.sh inside the tarball
> www.forkosh.com/ipchains-firewall-1.7.3.tar.gz
> (can't find it on web anymore),
> but trying to run ipchains under the new kernel emitted message,
> "ipchains: Incompatible with this kernel".

IPCHAINS is rather old. Most people have been using iptables since it was
introduced about six years ago. It's much more versatile.

> So I'm looking for an iptables firewall bash script kind of like the
> above. This is for a workstation, not server, so it should pretty
> much deny everyone everything.

Why not start out by running 'netstat -tupan' and determining why any
port is shown as LISTENING. As it's not a server, the only thing that
should be open is port 113, and that ONLY if you have determined that
you need 'auth' or 'identd' to respond to queries from hosts you are
connecting to. This means /etc/inetd.conf probably has no line
uncommented (all should begin with a '#' character). Then look at your
startup scripts and see that no unwanted daemons are being started
there.

You _may_ want to allow SSH in - but at the very least you should tightly
restrict what addresses are allowed to connect. As port 22 is targeted by
skript kiddiez and worms, consider moving your daemon to a different port
number. Some would call it security by obscurity, but all it's doing is
avoiding nuisance from the totally clueless.

> And it should also be plug-and-play foolproof (that would be me).
> Google shows lots of relevant stuff, but I don't know enough to separate
> the wheat from the chaff.

What's wrong with reading the HOWTOs? While some are a bit old, you
could start with:

708351 Nov 14 2005 IP-Masquerade-HOWTO
17605 Jul 21 2004 Masquerading-Simple-HOWTO
155096 Jan 23 2004 Security-HOWTO
278012 Jul 23 2002 Security-Quickstart-HOWTO

and Rusty Russell's (the guy responsible for the firewall code itself as
well as the tools like IPCHAINS and iptables that control it) fine
documentation at http://www.iptables.org/documentation/HOWTO/
Masquerading is almost certainly unwanted, but those two HOWTOs are
included for their basic firewall concepts. Your firewall should be no
more than about a half dozen lines - basically

/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

The first three set defaults. The -F flushes any _other_ rules. The
next one allows traffic on the loopback interface, while the last allows
_responses_ to traffic you initiate. No big deal. See the HOWTOs mentioned
above, and the man page for any additional help.

Old guy
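An added example, not code from the post: a small sh script that prints (or, with DRY_RUN unset and run as root, applies) the half-dozen rules shown above, adds the optional source-restricted SSH rule on a non-default port that the reply recommends, and pulls the LISTEN entries out of 'netstat -tupan' output so you can check what is open before writing rules. The SSH source network 192.0.2.0/24, port 2222 and the netstat lines are constructed sample values.

```shell
#!/bin/sh
# Added example: the post's workstation rule set, parameterised.
IPT=/sbin/iptables

# workstation_rules [SSH_SOURCE] [SSH_PORT]
# Prints one iptables command per line.  Without SSH_SOURCE nothing
# inbound is accepted except loopback and replies to our own traffic.
workstation_rules() {
    ssh_src=$1
    ssh_port=${2:-22}
    printf '%s\n' \
        "$IPT -P INPUT DROP" \
        "$IPT -P OUTPUT ACCEPT" \
        "$IPT -P FORWARD DROP" \
        "$IPT -F" \
        "$IPT -A INPUT -i lo -j ACCEPT" \
        "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Optional: new SSH connections only from one source network, on a
    # non-default port (constructed values in the demo below).
    if [ -n "$ssh_src" ]; then
        printf '%s\n' "$IPT -A INPUT -p tcp -s $ssh_src --dport $ssh_port -m state --state NEW -j ACCEPT"
    fi
}

# apply_rules [SSH_SOURCE] [SSH_PORT]
# Runs each command (needs root); with DRY_RUN=1 only prints them.
# Unquoted $cmd is intended: the rule text is split back into arguments.
apply_rules() {
    workstation_rules "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
}

# listening_ports: read 'netstat -tupan' output on stdin and print the
# local address:port of every TCP socket in LISTEN state (UDP rows
# carry no state column, so they are skipped).
listening_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { print $4 }'
}

# Constructed sample of 'netstat -tupan' output, not a real capture.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      999/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           777/dhclient'

if [ "${1:-}" = demo ]; then
    echo "== listening sockets =="; printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports
    echo "== rules (dry run) =="; DRY_RUN=1 apply_rules 192.0.2.0/24 2222
fi
```

Run it as 'sh script.sh demo' to see both lists without touching the kernel; in the sample, 127.0.0.1:631 (cupsd) is the kind of listener you would either stop or leave covered by the INPUT DROP policy.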
