* Any holes in this firewall script?
@ 2003-06-04 1:08 Jun Sun
2003-06-04 5:00 ` Dharmendra.T
0 siblings, 1 reply; 6+ messages in thread
From: Jun Sun @ 2003-06-04 1:08 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 565 bytes --]
Hi,
I have a pretty standard setup. A Linux gateway connects to the Internet
through a cable modem and has a subnet behind it. I run a web server, sendmail
and sshd on the gateway machine.
So far I have been using ipchains, and it seems to be OK.
I now want to move to Red Hat 9, and I probably have to use iptables.
After looking around the net, I came up with the following firewall
rules. See the attachment.
I wonder if some security experts here can take a look, just to make sure
there are no obvious mistakes or holes?
Thanks in advance.
Cheers.
Jun
[-- Attachment #2: junk2 --]
[-- Type: text/plain, Size: 5330 bytes --]
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# JSUN :
# I like all allowed ports to be grouped together, easier to modify
# later
#
###########################################################################
#
# 1. Configuration options.
#
# debugs
set -x
DEBUG_LEVEL=INFO
# DEBUG_LEVEL=DEBUG
# interfaces
EXTIF="eth0"
EXTIP=`ifconfig $EXTIF | awk '/inet addr/ { gsub(".*:", "", $2) ; print $2 }'`
EXTBROAD=`ifconfig $EXTIF | awk '/inet addr/ { gsub(".*:", "", $3) ; print $3 }'`
# default gateway: the route whose Flags column (4th field) contains G.
# (grep -A 4 UG also printed the four lines after the match, so EXTGW
# could end up holding several addresses.)
EXTGW=`/sbin/route -n | awk '$4 ~ /G/ { print $2 }'`
echo External IP: $EXTIP
echo External broadcast: $EXTBROAD
echo Default GW: $EXTGW
echo " --- "
INTIP="192.168.0.2"
INTLAN="192.168.0.0/16"
#INTIF="eth1"
INTIF="wlan0"
echo Internal Interface: $INTIF
echo Internal IP: $INTIP
echo Internal LAN: $INTLAN
echo " --- "
LOIF="lo"
LOIP="127.0.0.1"
BROADCAST="255.255.255.255"
#
# 1.5 IPTables Configuration.
#
IPTABLES="/sbin/iptables"
# JSUN: are these necessary?
# /sbin/depmod -a
# /sbin/modprobe ip_tables
# /sbin/modprobe ip_conntrack
# /sbin/modprobe iptable_filter
# /sbin/modprobe iptable_mangle
# /sbin/modprobe iptable_nat
# /sbin/modprobe ipt_LOG
# /sbin/modprobe ipt_limit
# /sbin/modprobe ipt_state
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
###########################################################################
#
# 3. /proc set up.
#
#
# 3.1 Required proc configuration
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# 3.2 Non-Required proc configuration
#
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
###########################################################################
#
# 4. rules set up.
#
#
# Cleanup and set initial policies
#
# Set policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
# flush old chains
$IPTABLES -t filter -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
# delete user defined chains
$IPTABLES -t filter -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
#
# 4.1.4 INPUT chain
#
# $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
# we trust INTIF and LOIF, to a large degree
$IPTABLES -A INPUT -p ALL -i $INTIF -s $INTLAN -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LOIF -s $LOIP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LOIF -s $INTIP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LOIF -s $EXTIP -j ACCEPT
# we accept broadcast packets (e.g. DHCP requests from 0.0.0.0) on INTIF
$IPTABLES -A INPUT -p ALL -i $INTIF -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
# JSUN: can we just use a simplified version?
#$IPTABLES -A INPUT -p ALL -i $INTIF -j ACCEPT
#$IPTABLES -A INPUT -p ALL -i $LOIF -j ACCEPT
# established connections can go through
$IPTABLES -A INPUT -p ALL -d $EXTIP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# initiation packets are allowed on selected TCP ports
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport ssh -j ACCEPT
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport smtp -j ACCEPT
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport http -j ACCEPT
#$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport https -j ACCEPT
# JSUN: do we need to worry about ntp port? We will see
# only take echo-request(8), echo-reply(0) and time-exceeded(11) for icmp
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type time-exceeded -j ACCEPT
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
#$IPTABLES -A INPUT -i $EXTIF -d 224.0.0.0/8 -j DROP
#
# Log weird packets that don't match the above.
#
# exclude some annoying packets from logging
$IPTABLES -A INPUT -d $EXTBROAD -j DROP
$IPTABLES -A INPUT -d $BROADCAST -j DROP
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level $DEBUG_LEVEL --log-prefix "IPT INPUT packet died: "
#
# 4.1.5 FORWARD chain
#
# Accept the packets we actually want to forward
$IPTABLES -A FORWARD -i $INTIF -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log weird packets that don't match the above.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level $DEBUG_LEVEL --log-prefix "IPT FORWARD packet died: "
#
# 4.1.6 OUTPUT chain
#
# Special OUTPUT rules to decide which IP's to allow.
$IPTABLES -A OUTPUT -p ALL -s $LOIP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INTIP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $EXTIP -j ACCEPT
# Log weird packets that don't match the above.
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level $DEBUG_LEVEL --log-prefix "IPT OUTPUT packet died: "
######
# 4.2 nat table
#
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source $EXTIP
* Re: Any holes in this firewall script?
2003-06-04 1:08 Any holes in this firewall script? Jun Sun
@ 2003-06-04 5:00 ` Dharmendra.T
2003-06-04 5:05 ` Jun Sun
0 siblings, 1 reply; 6+ messages in thread
From: Dharmendra.T @ 2003-06-04 5:00 UTC (permalink / raw)
To: Jun Sun; +Cc: netfilter
[-- Attachment #1: Type: text/plain, Size: 7441 bytes --]
hi,
I just don't see any firewalling (blocking) in the script. You are
simply allowing everything. Define clear rules: block everything and allow
only the wanted ports.
Regards
Dharmu
On Wed, 2003-06-04 at 06:38, Jun Sun wrote:
> Hi,
> I have a pretty standard setup. A linux gateway connects to Internet
> through cable modem and a subnet behind it. I run web server, sendmail
> and sshd on the gateway machine.
> So far I have been using ipchains and it seems to be OK so far.
> I now want to move to redhat 9 and I probably have to use iptables.
> After looking around the net, I come up with the following firewall
> rules. See the attachment.
> I wonder if some security experts here can take a look, just to make sure
> there are no obvious mistakes or holes?
> Thanks in advance.
> Cheers.
> Jun
--
Regards
Dharmendra.T
This message is intended for the addressee only. It may contain
privileged or Confidential information. If you have received this
message in error,please notify the sender and destroy the message
immediately.Unauthorised use or reproduction of this message is strictly
prohibited.
[-- Attachment #2: Type: text/html, Size: 20616 bytes --]
* Re: Any holes in this firewall script?
2003-06-04 5:00 ` Dharmendra.T
@ 2003-06-04 5:05 ` Jun Sun
2003-06-04 5:42 ` Dharmendra.T
0 siblings, 1 reply; 6+ messages in thread
From: Jun Sun @ 2003-06-04 5:05 UTC (permalink / raw)
To: Dharmendra.T; +Cc: netfilter
On Wed, Jun 04, 2003 at 10:30:31AM +0530, Dharmendra.T wrote:
> hi,
>
> I just don't see any firewalling (blocking) in the script. You are
> simply allowing everything. Define clear rule like block all and allow
> only wanted ports.
>
The default policy is set to "DROP" for the filter table.
Jun
* Re: Any holes in this firewall script?
2003-06-04 5:05 ` Jun Sun
@ 2003-06-04 5:42 ` Dharmendra.T
2003-06-04 15:15 ` Jun Sun
0 siblings, 1 reply; 6+ messages in thread
From: Dharmendra.T @ 2003-06-04 5:42 UTC (permalink / raw)
To: Jun Sun; +Cc: netfilter
[-- Attachment #1: Type: text/plain, Size: 816 bytes --]
Yes, but after that you are allowing everything from all the
interfaces, which is not recommended.
Dharmu
On Wed, 2003-06-04 at 10:35, Jun Sun wrote:
> On Wed, Jun 04, 2003 at 10:30:31AM +0530, Dharmendra.T wrote:
> > hi,
> >
> > I just don't see any firewalling (blocking) in the script. You are
> > simply allowing everything. Define clear rule like block all and allow
> > only wanted ports.
> >
> The default policy is set to "DROP" for the filter table.
> Jun
--
Regards
Dharmendra.T
[-- Attachment #2: Type: text/html, Size: 1826 bytes --]
* Re: Any holes in this firewall script?
2003-06-04 5:42 ` Dharmendra.T
@ 2003-06-04 15:15 ` Jun Sun
2003-06-05 4:42 ` Dharmendra.T
0 siblings, 1 reply; 6+ messages in thread
From: Jun Sun @ 2003-06-04 15:15 UTC (permalink / raw)
To: Dharmendra.T; +Cc: netfilter
On Wed, Jun 04, 2003 at 11:12:37AM +0530, Dharmendra.T wrote:
> Yes, but after that you are allowing everything from all the
> interfaces. Which is not recommended to do so.
>
Eh? Which rules allow everything from all interfaces?
I have the following, which only allows packets with the right
IP address range from the internal interface and lo:
$IPTABLES -A INPUT -p ALL -i $INTIF -s $INTLAN -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LOIF -s $LOIP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LOIF -s $INTIP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LOIF -s $EXTIP -j ACCEPT
Jun
* Re: Any holes in this firewall script?
2003-06-04 15:15 ` Jun Sun
@ 2003-06-05 4:42 ` Dharmendra.T
0 siblings, 0 replies; 6+ messages in thread
From: Dharmendra.T @ 2003-06-05 4:42 UTC (permalink / raw)
To: Jun Sun; +Cc: netfilter
[-- Attachment #1: Type: text/plain, Size: 1296 bytes --]
Hi Jun,
What about the destination IPs? These rules will allow from internal to
any of the destinations and from external to any of the internal IPs, which is
of course dangerous. So I do suggest you define the rules for the
destinations also (-d). And do not allow all the protocols.
Regards
Dharmendra T.
On Wed, 2003-06-04 at 20:45, Jun Sun wrote:
> On Wed, Jun 04, 2003 at 11:12:37AM +0530, Dharmendra.T wrote:
> > Yes, but after that you are allowing everything from all the
> > interfaces. Which is not recommended to do so.
> >
> Eh? Which rules allow everything from all interfaces?
> I have the following, which only allow all packets with the right
> IP address range from internal interface and lo:
> $IPTABLES -A INPUT -p ALL -i $INTIF -s $INTLAN -j ACCEPT
> $IPTABLES -A INPUT -p ALL -i $LOIF -s $LOIP -j ACCEPT
> $IPTABLES -A INPUT -p ALL -i $LOIF -s $INTIP -j ACCEPT
> $IPTABLES -A INPUT -p ALL -i $LOIF -s $EXTIP -j ACCEPT
> Jun
--
Regards
Dharmendra.T
[-- Attachment #2: Type: text/html, Size: 2567 bytes --]
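The thread ends with the advice to constrain destinations and protocols rather than accepting `-p ALL` from an interface. The script below is an added example, written for this page rather than taken from the thread or from Oskar Andreasson's rc.firewall: it keeps the posted layout (EXTIF=eth0, INTIF=wlan0, INTLAN=192.168.0.0/16, ssh/smtp/http on the gateway; all of these are assumptions copied from the posted script) but ties every ACCEPT to an interface, a direction, and where applicable a protocol and port, adds anti-spoofing rules on both sides of the box, restricts FORWARD to NEW connections from the LAN towards EXTIF only, and swaps the posted `SNAT --to-source $EXTIP` for MASQUERADE, which tracks a changing cable-modem address. It uses the `! -s` negation syntax of current iptables. Setting `IPTABLES=echo` prints the rules instead of loading them, which is how `fw_count` audits the ruleset without root.

```shell
#!/bin/sh
# Added example, not the script from the thread: the same gateway policy
# with every ACCEPT tied to an interface, a direction and (where it
# applies) a protocol and port. Set IPTABLES=echo to print the rules
# instead of loading them.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Interface and address layout copied from the posted script (assumed).
EXTIF="eth0"
INTIF="wlan0"
INTLAN="192.168.0.0/16"
LOIF="lo"

# Source ranges that can never legitimately arrive on the external side.
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 0.0.0.0/8"

fw_rules() {
    $IPTABLES -t filter -P INPUT DROP
    $IPTABLES -t filter -P FORWARD DROP
    $IPTABLES -t filter -P OUTPUT DROP
    $IPTABLES -t filter -F
    $IPTABLES -t nat -F
    $IPTABLES -t filter -X

    # Loopback is matched on the interface, not on a list of local
    # addresses: lo can carry any address the host owns.
    $IPTABLES -A INPUT  -i "$LOIF" -j ACCEPT
    $IPTABLES -A OUTPUT -o "$LOIF" -j ACCEPT

    # Anti-spoofing on both sides of the box.
    for net in $BOGONS; do
        $IPTABLES -A INPUT   -i "$EXTIF" -s "$net" -j DROP
        $IPTABLES -A FORWARD -i "$EXTIF" -s "$net" -j DROP
    done
    $IPTABLES -A INPUT   -i "$INTIF" ! -s "$INTLAN" -j DROP
    $IPTABLES -A FORWARD -i "$INTIF" ! -s "$INTLAN" -j DROP

    # Replies to connections the gateway or the LAN opened. Conntrack
    # classifies echo-reply to our own pings as ESTABLISHED, so no
    # separate echo-reply rule is needed.
    $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts reach the gateway freely, but only from their own interface
    # with an internal source address (the spoof rule above enforces that).
    $IPTABLES -A INPUT -i "$INTIF" -s "$INTLAN" -j ACCEPT

    # Public services on the gateway: ssh, smtp, http, each bound to EXTIF.
    for port in 22 25 80; do
        $IPTABLES -A INPUT -i "$EXTIF" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    $IPTABLES -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request \
        -m limit --limit 5/second -j ACCEPT
    $IPTABLES -A INPUT -i "$EXTIF" -p icmp --icmp-type time-exceeded -j ACCEPT

    # Forwarding: new connections only from the LAN towards the Internet.
    # Nothing arriving on EXTIF can open a connection into the LAN.
    $IPTABLES -A FORWARD -i "$INTIF" -s "$INTLAN" -o "$EXTIF" \
        -m state --state NEW -j ACCEPT

    # Whatever is left is logged (rate-limited) and then hits the DROP policy.
    for chain in INPUT FORWARD OUTPUT; do
        $IPTABLES -A "$chain" -m limit --limit 3/minute --limit-burst 3 \
            -j LOG --log-prefix "IPT $chain died: "
    done

    # MASQUERADE rather than SNAT --to-source: a cable-modem address can
    # change, and MASQUERADE picks up the current one automatically.
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -s "$INTLAN" -j MASQUERADE
}

# Dry-run audit: print the ruleset and count the rules matching a pattern,
# e.g. fw_count "-A INPUT -i eth0 .*-j ACCEPT" counts what EXTIF exposes.
fw_count() {
    ( IPTABLES=echo; fw_rules ) | grep -c -- "$1" || true
}

if [ "${1:-}" = "--apply" ]; then
    fw_rules
fi
```

Before loading it, `. ./rc.firewall; fw_count "-A INPUT -i eth0 .*-j ACCEPT"` should report exactly the five rules (three TCP ports, two ICMP types) that the outside world can hit, and `fw_count "-A FORWARD -i eth0 .*-j ACCEPT"` should report zero; that pair of numbers is the reviewer's answer to "which rules allow everything".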