Is my iptables ok? I wanted to submit it indeed... :)
-- The pivotal point is the "second chance", judged by another set of criteria. In Linux We Trust -- http://linux.nf and news://news.hkpcug.org
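#!/bin/sh
# Host/NAT firewall for a two-interface Linux box: an external link
# (ppp0 by default) and an internal LAN (eth0).  Usage: $0 start|stop
#
# bibliography:
#
# 1. "Taming the Wild Netfilter", Sept 2001, http://www.linuxjournal.com
# 2. ipchains script rc.firewall.hunley, section security, http://linux.nf
# 3. iptables tutorial, http://www.ibm.com/developerworks
# 4. http://www.cs.princeton.edu/~jns/security/iptables/index.html
#
# to ban an IP:                 iptables -I INPUT -s $TARGET$ -j DROP
# to list active chains:        iptables -L -n --line-numbers
# to delete a rule by number:   iptables -D <chain> <line-number>

# Source the distribution's function library, but only when it exists:
# nothing in this script uses it, and a failed '.' aborts a POSIX sh.
[ -r /etc/rc.d/init.d/functions ] && . /etc/rc.d/init.d/functions

IPT=/usr/local/sbin/iptables

#######################################
# Reset every table to an empty, ACCEPT-everything state.
# NOTE: the policies are set to ACCEPT before the chains are flushed, so
# from this call until the caller installs its DROP policies the host is
# wide open; 'start' must close it again promptly.
# Written with POSIX function syntax: the 'function' keyword is a bashism
# and this script runs under /bin/sh.
# Globals:   IPT (read)
# Outputs:   one status line on stdout
# Returns:   0
#######################################
flushrules() {
  echo "flush all chains and delete user chains"
  for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$chain" ACCEPT
  done
  for table in nat mangle filter; do
    # "$IPT" -t "$table" -Z    # zero the counters (left disabled)
    "$IPT" -t "$table" -F      # flush every chain of the table
    "$IPT" -t "$table" -X      # delete the (now empty) user-defined chains
  done
  return 0
}

# Address blocks that must never appear as a source on the external link
# (private, loopback, multicast and reserved space).
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"

# privileged / unprivileged port ranges
P_PORTS="0:1023"
UP_PORTS="1024:65535"
# traceroute source and destination port ranges (kept for reference; no
# rule below refers to them)
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"

# I opened these ports.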
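# If you don't, set the following 2 variables to the empty string, i.e. "".
# Each is a whitespace-separated list of ports accepted from the world.
TCP_OPEN="20 21 22 25 119 123 8080"
UDP_OPEN="123"

# copied from the article.  The two ftp helpers let conntrack classify
# ftp data connections as RELATED to the control connection on port 21.
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

#######################################
# Write one value into a set of /proc/sys entries, announcing it first.
# Skipped entirely (no message, no write) when the first entry does not
# exist, so kernels that lack the knob are tolerated.
# Arguments: $1 - message to print, $2 - value to write,
#            $3.. - files to write (a glob may be passed unquoted)
# Outputs:   the message, tab-indented, on stdout
# Returns:   0
#######################################
set_proc_knob() {
  spk_msg=$1
  spk_value=$2
  shift 2
  [ -e "$1" ] || return 0
  printf '\t\t%s\n' "$spk_msg"
  for spk_file in "$@"; do
    echo "$spk_value" > "$spk_file"
  done
  return 0
}

case "$1" in
  start)
    #####START FIREWALL#####
    echo "Starting firewall:"
    # FIX: the original wrote '$flushrules' -- an (empty) variable
    # expansion, not a call -- so the chains were never reset on start and
    # every restart appended a second copy of all rules.
    flushrules

    # this part came from http://linux.nf
    REMOTENET=0/0
    # this is my external interface
    # for I-Cable(HK) and non-pppoe users, modify the following line
    OUTIF=ppp0
    # this is my internal network interface
    INTIF=eth0

    # Addresses are scraped from net-tools ifconfig output
    # ("inet addr:A.B.C.D  Bcast:...  Mask:...").  'inet addr:' rather than
    # 'inet' keeps an 'inet6 addr:' line from producing a second value.
    OUTIP=$(ifconfig "$OUTIF" | grep 'inet addr:' | cut -d : -f 2 | cut -d ' ' -f 1)
    OUTMASK=$(ifconfig "$OUTIF" | grep 'Mask:' | cut -d : -f 4)
    OUTNET=$OUTIP/$OUTMASK
    INTIP=$(ifconfig "$INTIF" | grep 'inet addr:' | cut -d : -f 2 | cut -d ' ' -f 1)
    INTMASK=$(ifconfig "$INTIF" | grep 'Mask:' | cut -d : -f 4)
    INTNET=$INTIP/$INTMASK

    # An empty OUTIP would turn '-s $OUTIP' into a malformed rule and the
    # SNAT target into '--to' with no address.  Rather than bring up a
    # half-built ruleset, close the external side, keep the LAN reachable
    # and report the failure.
    if [ -z "$OUTIP" ] || [ -z "$INTIP" ]; then
      "$IPT" -P INPUT DROP
      "$IPT" -P FORWARD DROP
      "$IPT" -A INPUT -i ! "$OUTIF" -j ACCEPT
      echo "firewall: no address found on $OUTIF or $INTIF; external side closed, rules not loaded" >&2
      logger -t firewall "start failed: no address on $OUTIF or $INTIF"
      exit 1
    fi

    # web servers for public use:
    # WEB=192.168.0.2-192.168.0.6:80
    # if the above or below is a range of servers, netfilter will perform
    # a rudimentary form of load balancing
    # DNS servers:
    # DNS=192.168.0.8-192.168.0.9:53
    ###

    # first, turn off forwarding
    # to guarantee no attack when the firewall is not yet ready
    echo 0 > /proc/sys/net/ipv4/ip_forward

    # this part came from http://linux.nf -- kernel hardening knobs.
    # Turn on Source Address Verification
    set_proc_knob "Disabling IP Spoofing" 1 /proc/sys/net/ipv4/conf/*/rp_filter
    # Turn on SYN COOKIES PROTECTION (Thanks Holger!)
    set_proc_knob "Enabling TCP SYN Cookie protection" 1 /proc/sys/net/ipv4/tcp_syncookies
    # Answer ICMP echo requests (0 = do not ignore them); the original
    # notes this may affect samba.
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    # Turn on ICMP sanity checks
    set_proc_knob "Disabling replies to ICMP echo broadcasts" 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # Enable bad error message protection
    set_proc_knob "Enable 'bad error message' protection" 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    # Disable ICMP Redirects
    set_proc_knob "Disabling ICMP redirects" 0 /proc/sys/net/ipv4/conf/*/accept_redirects
    # Disable source-routed packets
    set_proc_knob "Disabling source-routed packets" 0 /proc/sys/net/ipv4/conf/*/accept_source_route
    # Log spoofed, source-routed, or redirected packets
    set_proc_knob "Turning on logging of 'Martian' packets" 1 /proc/sys/net/ipv4/conf/*/log_martians
    # explicitly enable ECN
    # some software may need ECN to be disabled...
    [ -e /proc/sys/net/ipv4/tcp_ecn ] && echo 1 > /proc/sys/net/ipv4/tcp_ecn

    # create my own logdrop chain: log (rate-limited) and then answer as a
    # closed port would.  Only tcp and udp get a REJECT here; any other
    # protocol falls back to the caller, i.e. the INPUT DROP policy.
    "$IPT" -N logdrop
    "$IPT" -A logdrop -j LOG -m limit --limit 10/minute --log-prefix "iptables "
    # according to ibm's article, this could fool into believing
    # that there are actually no service activated at my ports.
    "$IPT" -A logdrop -j REJECT -p tcp --reject-with tcp-reset
    "$IPT" -A logdrop -j REJECT -p udp --reject-with icmp-port-unreachable

    # default policies.  FORWARD is new: the box routes (ip_forward=1
    # below) and SNATs, and previously forwarded any packet from any
    # interface because FORWARD kept the ACCEPT policy left by flushrules.
    # OUTPUT stays at ACCEPT.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP

    # Refuse packets arriving on the external link with a source that
    # cannot be legitimate: our own address, loopback, private nets,
    # multicast (illegal as a source) and reserved space.  These must
    # precede the ACCEPT rules -- the original had them last, after the
    # state and open-port accepts, so a spoofed SYN to an open port went
    # through.  If your ISP assigns a private address on $OUTIF, take
    # that block out of this list.
    for net in "$OUTIP" "$LOOPBACK" "$CLASS_A" "$CLASS_B" "$CLASS_C" \
               "$CLASS_D_MULTICAST" "$CLASS_E_RESERVED_NET"; do
      "$IPT" -A INPUT -i "$OUTIF" -s "$net" -j logdrop
    done

    # allow all traffic from the internal net (everything not arriving on
    # the external interface, which includes loopback)
    "$IPT" -A INPUT -i ! "$OUTIF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # allowing incoming packets to established outgoing connections
    "$IPT" -A INPUT -i "$OUTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # from the princeton student's work
    # if your ISP blocks "fragmentation needed" ICMP packets, i.e.,:
    #   web browsers connect, then hang with no data received
    #   small e-mail works OK, but large e-mails hang
    #   ssh works OK, but scp hangs after initial handshake
    # this MSS clamp is the cure.  It is active here (harmless otherwise)
    # and, being a non-terminating target, must come before the FORWARD
    # accepts below.
    "$IPT" -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    # routing: the LAN may go out, only replies come back in.  A DNAT'd
    # service (see DNAT RULES below) additionally needs its own FORWARD
    # accept for the internal destination and port.
    "$IPT" -A FORWARD -i "$INTIF" -o "$OUTIF" -j ACCEPT
    "$IPT" -A FORWARD -i "$OUTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    ###
    ## ports opened to the world.  The limit is per rule, shared by every
    ## client of that port; NEW connections above it fall through to the
    ## catch-all logdrop further down.
    # $TCP_OPEN / $UDP_OPEN are word lists and deliberately unquoted.
    for port in $TCP_OPEN; do
      "$IPT" -A INPUT -i "$OUTIF" -p tcp --dport "$port" -m limit --limit 3/second -m state --state NEW -j ACCEPT
    done
    for port in $UDP_OPEN; do
      "$IPT" -A INPUT -i "$OUTIF" -p udp --dport "$port" -m limit --limit 3/second -m state --state NEW -j ACCEPT
    done

    # 2) passive ftp.
    # This involves a connection
    # outbound from a port >1023 on the local machine,
    # to a port >1023 on the remote machine
    # previously passed over the ftp channel via a PORT command.
    # The ip_conntrack_ftp module recognizes the connection
    # as RELATED to the original outgoing connection to port 21
    # so we don't need NEW as a state match.
    # (Both rules are already covered by the state accept above and the
    # OUTPUT ACCEPT policy; kept as in the original.)
    "$IPT" -A INPUT -i "$OUTIF" -p tcp --sport "$UP_PORTS" --dport "$UP_PORTS" -m state --state ESTABLISHED -j ACCEPT
    "$IPT" -A OUTPUT -o "$OUTIF" -p tcp --sport "$UP_PORTS" --dport "$UP_PORTS" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # log any intruders before dropping them
    # you may prefer to log only "-m state --state NEW,INVALID"
    "$IPT" -A INPUT -i "$OUTIF" -j logdrop

    # if using static IP, use source NAT
    "$IPT" -t nat -A POSTROUTING -o "$OUTIF" -j SNAT --to "$OUTIP"
    # if using masquerading, when you cannot determine your next OUTIP
    # "$IPT" -t nat -A POSTROUTING -o "$OUTIF" -s "$INTNET" -j MASQUERADE

    ## DNAT RULES GO HERE ##
    # (the original's second line read $OUTTIP, a typo for $OUTIP)
    # "$IPT" -t nat -A PREROUTING -d "$OUTIP" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
    # "$IPT" -t nat -A PREROUTING -d "$OUTIP" -p udp --dport 53 -j DNAT --to-destination "$DNS"

    # now for snat: (when on i-cable)
    # "$IPT" -t nat -A POSTROUTING -o "$OUTIF" -s "$INTNET" -j SNAT --to-source "$OUTIP"

    # Port forward
    # for NetMeeting, one needs: 389,522,1503,1720,1731
    # (the original referred to $EXTIF, which this script never defines;
    # the external interface variable is $OUTIF)
    #"$IPT" -t nat -A PREROUTING -p tcp -i "$OUTIF" --dport $port -j DNAT --to 192.168.2.9:$port

    # a few mangle rules you might or might not want to try out
    # note that ssh sets its own TOS value, so is not required below
    "$IPT" -t mangle -A PREROUTING -m multiport -p tcp --dport 8080,21 -j TOS --set-tos 16
    "$IPT" -t mangle -A PREROUTING -m multiport -p tcp --sport 8080,21 -j TOS --set-tos 16
    "$IPT" -t mangle -A PREROUTING -p tcp --dport ftp-data -j TOS --set-tos 8
    "$IPT" -t mangle -A PREROUTING -p tcp --sport ftp-data -j TOS --set-tos 8
    "$IPT" -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos 4
    "$IPT" -t mangle -A PREROUTING -p tcp --dport 110 -j TOS --set-tos 2

    # if you have a line in your /etc/sysctl.conf like this:
    #   net.ipv4.ip_forward = 1
    # uncomment the following and comment out the echo line below it
    #/sbin/sysctl -p > /dev/null
    # forwarding goes on last, once the FORWARD chain is populated
    echo 1 > /proc/sys/net/ipv4/ip_forward

    echo
    printf '\tInternal: %s %s\n' "$INTIF" "$INTNET"
    printf '\tExternal: %s %s\n' "$OUTIF" "$OUTNET"
    echo
    logger -t firewall start
    ;;

  #####STOP FIREWALL####
  stop)
    echo "Shutting down firewall:"
    # leaves every policy at ACCEPT with no rules; note that ip_forward is
    # not touched here, so routing stays on (without SNAT)
    flushrules
    printf '\033[71G done\n'
    logger -t firewall stop
    ;;

  *)
    echo ""
    echo " USAGE: $0 [command] "
    echo ""
    echo " COMMANDS:"
    echo " start - Enables Firewall and Masquerading (if installed)."
    echo " stop - Disables Firewall and Masquerading (if installed)."
    echo ""
    exit 1
    ;;
esac
exit 0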