This message should have arrived before the other one, but I was in error since I had attached the script instead of just pasting it into the email. Anyway, I was on holiday in Paris for a while, so sorry for the delay. I've put the script below the original email.
---------- Forwarded Message ----------
Subject: Need opinions, suggestion, remarks etc on my iptables script.
Date: Thu, 21 Feb 2002 11:58:45 +0100
From: TD - Sales International Holland B.V. <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

Hey there,

I've been around on some of these lists for a while and the time has come for me to write my own iptables script. You can find it attached. Problem is, I can't test it yet since the system won't be hung onto the internet until tomorrow. Anyway, I'd like some opinions/remarks/suggestions/ideas/possible extra features and things to look at, etc. Of course you're all free to use it for your own purpose. I've replaced the IP addresses for my own ADSL line and the one here at work with others, but that shouldn't matter.

What we need/the setup: The Linux box will have 3 network cards, 1 for the local network 192.168.0.0/24, one for the local network 10.0.0.0/24 and one to communicate with the ADSL router (172.16.0.0/24), which isn't used in the script since PPP will be started over it using VPN so we get a ppp* interface (yes, my internet connection is set up through VPN, not PPPoE; I know it's a bit strange but I didn't choose the ADSL setup KPN (mxstream) uses in the Netherlands :-). Perhaps we can secure it a bit though by only allowing data from and to the VPN tunnel to the router (Alcatel Speed Touch Home). I doubt that will do anything; any opinions are welcome. Note that the 2 networks (192.168.0.x and 10.0.0.x) are NOT allowed to communicate with each other. (192.168.0.x is a test network where we also test cards that might be defective and stuff like that, and it should not be able to interfere with our production/sales network.)

The Linux box will function as a:
- gateway (NAT for ICQ, IRC, MSN, whatever)
- webserver (everyone, HTTP and HTTPS)
- ftp server (only for localnets)
- ssh (localnets and my homebox only)
- telnet (localnets and my homebox only)
- mailserver (SMTP and POP, POP is only allowed for localnets)
- dns server (localnets only)
- proxyserver (localnets only)
- firewall (this speaks for itself I assume :-))
- database (mysql, only localhost and localnets for now so they can update with access or something)
- dhcp (only for the 192.168.0.x network, but it's set up to bind only to that interface)
- fileserver (SaMBa, localnets only)

This is one heavily loaded P-II 333 :-). Only the webserver and the SMTP server (qmail) should be accessible from the outside for anyone, so I think we're reasonably safe. From the internet only the SMTP server (so we can receive mail) and the webserver (apache + SSL, so 80 & 443) should be available. People here don't have any restrictions, so if they want to ICQ, MSN, visit porn sites, whatever, I'm fine with that. Please note that both telnet and ssh are protected by both the firewall and tcpwrappers to only allow my homebox (with static IP) and the localnets to connect to them.

I would like to urge you, if you say something like this or that is insecure, that you also explain to me (and the rest of the list) why it is, so we can actually learn something and understand why it is so, which is far more interesting than just knowing it's insecure, cuz without knowing why it will get poor judgement.

Hoping to get some good replies and learn a thing or two. Things I'm really interested in are among other things the files in /proc/sys/net/ipv4, if I left any interesting/nice feature ones out. Also I'd like to hear from someone on the limit options, which are nice for syn flood protection.
Only it's my understanding that such a limit counts for all IPs (thus if IP 1.1.1.1 sends so many packets that the limit runs out, IP 2.2.2.2 can't connect any more either), and I'm really unsure what those limits should be on HTTP(S) and SMTP. This won't be a really crowded server, but older browsers don't reuse connections and thus might trigger the limit a lot, and I don't want to stop legitimate traffic. Well, I'll hear how I did it I guess.... This is the first time I actually wrote a firewall from scratch myself, so I'm hoping I did a reasonable job at least.

Kind regards,
Ferry van Steen

PS, I'm thinking of adding start and stop functionality, but I doubt it's worth the effort since the firewall shouldn't go down ever anyways and the rest of the people here won't be using the box. Perhaps some checks if every rule gets inserted properly could be nice, and if not just shut down the whole net access by dropping everything (in case of failure thus).

rc.firewall:

#!/bin/sh
# This is the main script to setup the firewall (using iptables)
# This script was written by Ferry van Steen, aka freaky
# [EMAIL PROTECTED]
#
# Use a variable for pointing to iptables, this will ease things if the
# location of the file might change or when this file is ported to another
# system
ipt=/usr/sbin/iptables
mod=/sbin/modprobe

# First load some required modules
$mod ip_conntrack
$mod ip_conntrack_ftp
$mod ip_conntrack_irc
$mod ip_nat_ftp
$mod ip_nat_irc
$mod ipt_REJECT
$mod ipt_state

# Use a variable for my homebox (maintenance issues)
freaky=2.3.4.5

# Use variables for the 2 local nets
net1=192.168.0.0/24
net2=10.0.0.0/24

# Use a variable for the internet interface (static IP, ADSL)
adsl=6.7.8.9

# Flush whatever is left from a previous run, otherwise running the script a
# second time appends every rule again
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X

# First set the policies to DROP everything.
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT DROP

# Setup the rp_filter on all devices. This should check if the source address of
# packets is a normal one on that interface (Thus no packets coming from 195.96.29.92
# (internet address) coming in on the local network interface and vice versa
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    /bin/echo 1 > $f
done

# Setup ip forwarding
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# Set the local port range (ports used for outgoing connections) to a high range
/bin/echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range

# Enable Syncookies protection
/bin/echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#
# INPUT SECTION
#

# Allow all traffic from localhost, the localhost IP should only communicate with other
# localhost IP's and not to the outside.
$ipt -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

# Allow webserver traffic, this includes SSL
$ipt -A INPUT -p tcp -s 0/0 -d $adsl --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp -s 0/0 -d $adsl --dport 443 -j ACCEPT

# Allow SMTP to come in
$ipt -A INPUT -p tcp -s 0/0 -d $adsl --dport 25 -j ACCEPT

# Allow remote assistance from freaky (SSH, telnet)
$ipt -A INPUT -p tcp -s $freaky -d $adsl --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp -s $freaky -d $adsl --dport 23 -j ACCEPT

# Allow the localnets to have access to all ports (all services can and should be accessible
# by the localnets)
$ipt -A INPUT -s $net1 -d 0/0 -j ACCEPT
$ipt -A INPUT -s $net2 -d 0/0 -j ACCEPT

# Reject port 113 so IRC and other identd using protocols connect a bit faster and don't wait
# for the time out
$ipt -A INPUT -p tcp -s 0/0 -d 0/0 --dport 113 -j REJECT

# Allow packets part of an existing connection since else incoming packets from a connection
# created by a local process will be dropped
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# FORWARD SECTION
#

# Disallow internal nets to forward packets to each other
$ipt -A FORWARD -s $net1 -d $net2 -j DROP
$ipt -A FORWARD -s $net2 -d $net1 -j DROP

# Allow local nets to be forwarded/natted to the internet
$ipt -A FORWARD -s $net1 -d 0/0 -j ACCEPT
$ipt -A FORWARD -s $net2 -d 0/0 -j ACCEPT

# Allow packets part of an existing connection cuz I think the NAT will fail else
# on packets coming back since they aren't allowed in this chain yet
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# OUTPUT SECTION
#

# I think we can allow all output in principle... But we'll stop destination port 137-139
# towards the internet so we can be sure Windows SMB doesn't leak. NetBIOS name and
# datagram services use UDP 137/138, so UDP is blocked as well as TCP.
$ipt -A OUTPUT -p tcp -d $net1 --dport 137:139 -j ACCEPT
$ipt -A OUTPUT -p tcp -d $net2 --dport 137:139 -j ACCEPT
$ipt -A OUTPUT -p tcp -d 0/0 --dport 137:139 -j DROP
$ipt -A OUTPUT -p udp -d $net1 --dport 137:139 -j ACCEPT
$ipt -A OUTPUT -p udp -d $net2 --dport 137:139 -j ACCEPT
$ipt -A OUTPUT -p udp -d 0/0 --dport 137:139 -j DROP

# Allow all other output
$ipt -A OUTPUT -j ACCEPT

#
# POSTROUTING SECTION
#

# Allow the localnets to talk to the big bad outside world. Since we'll be specifying an
# output interface we can be sure the localnets won't talk to each other
$ipt -t nat -A POSTROUTING -s $net1 -d 0/0 -o ppp+ -j SNAT --to $adsl
$ipt -t nat -A POSTROUTING -s $net2 -d 0/0 -o ppp+ -j SNAT --to $adsl
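The PS above asks for a check that every rule really gets inserted, with everything dropped if one does not, and the body of the mail asks how the limit match behaves across source addresses. The loader below is an added example written for this thread, not part of Ferry's rc.firewall: every iptables call goes through a wrapper, and the first failure flushes the chains, sets all policies to DROP and aborts, so a half-loaded firewall never stays up; it also flushes before loading so the script can be re-run. It reuses the address variables and placeholder addresses from the original script, accepts loopback by interface (`-i lo`) rather than by address, and `IPT` is an assumed environment override so the loader can be dry-run without root with a stand-in such as `true` or `false`. The SYN rules show the limit semantics: `-m limit` keeps one token bucket per rule, shared by all sources, so one flooding address does exhaust the allowance for everyone on that port (per-source buckets are what the later `-m hashlimit` match provides); the 25/s and 50 figures are constructed placeholders, not recommended values.

```shell
#!/bin/sh
# Fail-closed loader for rc.firewall (added example, not Ferry's script).
# Every rule goes through rule(); the first one that fails flushes the chains,
# sets all policies to DROP and aborts, so a half-loaded firewall never stays up.
# IPT is an assumed override so the loader can be dry-run without root
# (IPT=true simulates success, IPT=false simulates a rule that fails to insert).
# The addresses are the same placeholders as in the original script.
freaky=2.3.4.5
net1=192.168.0.0/24
net2=10.0.0.0/24
adsl=6.7.8.9

iptables_cmd() {
    "${IPT:-/usr/sbin/iptables}" "$@"
}

# panic: drop everything; used when the ruleset could not be loaded completely.
panic() {
    for chain in INPUT FORWARD OUTPUT; do
        iptables_cmd -F "$chain"
        iptables_cmd -P "$chain" DROP
    done
    iptables_cmd -t nat -F
}

# rule: apply one iptables command; on failure report it, panic and return 1.
rule() {
    if ! iptables_cmd "$@"; then
        echo "rc.firewall: could not insert rule: iptables $*" >&2
        panic
        return 1
    fi
}

# apply_rules: load the rules below in order; returns 0 only if all of them applied.
apply_rules() {
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        # Split the line into arguments (no rule here contains quoted values).
        set -- $line
        rule "$@" || return 1
    done <<EOF
# Start from a clean slate so running the script twice does not duplicate rules.
-F
-X
-t nat -F
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
# Packets belonging to an existing connection are accepted before anything else.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Only a limited rate of new SYNs opens connections to the public services; SYNs
# above the rate fall through to the DROP policy. The -m limit bucket is per rule,
# not per source, so one flooding address also starves everyone else on that port.
# 25/s and 50 are constructed placeholders, not recommended values.
-A INPUT -p tcp --syn -d $adsl --dport 80 -m limit --limit 25/s --limit-burst 50 -j ACCEPT
-A INPUT -p tcp --syn -d $adsl --dport 443 -m limit --limit 25/s --limit-burst 50 -j ACCEPT
-A INPUT -p tcp --syn -d $adsl --dport 25 -m limit --limit 25/s --limit-burst 50 -j ACCEPT
# Remote assistance from freaky's static address only.
-A INPUT -p tcp -s $freaky -d $adsl --dport 22 -j ACCEPT
-A INPUT -p tcp -s $freaky -d $adsl --dport 23 -j ACCEPT
# The local nets reach every service on the box; identd requests get a fast REJECT.
-A INPUT -s $net1 -j ACCEPT
-A INPUT -s $net2 -j ACCEPT
-A INPUT -p tcp --dport 113 -j REJECT
# Forwarding: the two local nets never see each other, both reach the internet.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $net1 -d $net2 -j DROP
-A FORWARD -s $net2 -d $net1 -j DROP
-A FORWARD -s $net1 -o ppp+ -j ACCEPT
-A FORWARD -s $net2 -o ppp+ -j ACCEPT
-A OUTPUT -j ACCEPT
-t nat -A POSTROUTING -s $net1 -o ppp+ -j SNAT --to $adsl
-t nat -A POSTROUTING -s $net2 -o ppp+ -j SNAT --to $adsl
EOF
}

# The rules are loaded only when this file runs as the rc.firewall script itself;
# sourcing it under another name (for a dry run with IPT=true) just defines the functions.
case ${0##*/} in
    rc.firewall) apply_rules ;;
esac
```

Because the rules are data in the here-document, an init script only has to check the exit status of `apply_rules`: 0 means the whole set is in place, anything else means the box is already in the drop-everything state and someone needs to look at the rule named on stderr.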