firewall script

firewall script

[Craig Steadman]

Hi everyone.

I've been tinkering with iptables for a few years and have created
some bash scripts to help manage my private VPN.  If anyone is
interested I've made them available on sourceforge.

http://bastionx.sourceforge.net/

Any feedback is welcomed.

Cheers
   Craig

Firewall script

[Boskey]

[-- Attachment #1: Type: text/plain, Size: 499 bytes --]

Hi All,

A customer of ours has a firewall script made for there organization.

The customer , even after enabling the firewall script has a huge spammer 
inside the network get across, and spam from the IP.

I have seen the script and feel that his firewall is  good when it comes to 
not allowing people into the system.

But i guess people inside the network  ( local ) can  get across easily.

Can someone help me by confirming this.

The firewall script is attached herewith.

Regards,

Boskey

[-- Attachment #2: itm-firewall-script --]
[-- Type: application/x-shellscript, Size: 12295 bytes --]

Re: Firewall script

[Rob Sterenborg]

On Tue, September 27, 2005 13:09, Boskey wrote:
> Hi All,
>
> A customer of ours has a firewall script made for there organization.
>
> The customer , even after enabling the firewall script has a huge
> spammer
> inside the network get across, and spam from the IP.
>
> I have seen the script and feel that his firewall is  good when it
> comes to
> not allowing people into the system.
>
> But i guess people inside the network  ( local ) can  get across
> easily.
>
> Can someone help me by confirming this.

===============
#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

[....]

#
# LAN section
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

===============

Move the state rule right below the "bad tcp packets" rule (better
performance).

Then, below the state rule, log and reject packets for dport 25 :

$IPTABLES -A FORWARD -i $LAN_IFACE -m state --state NEW \
  -p tcp --dport 25 -j LOG --log-prefix "SMTP_REJECT: "
$IPTABLES -A FORWARD -i $LAN_IFACE -m state --state NEW \
  -p tcp --dport 25 -j REJECT --reject-with tcp-reset

This way no-one can send email diectly to some smtp server on the
internet and at the same time you will log the offending IP.
You may want to limit (-m limit --limit 1/second or something) if your
logs get filled too quickly.

However.. If you're doing this, you need your own smtp server so
people can send (legitimate) email when they need to able to do that.
When they start spamming using *your* smtp server, you will have the
smtp logs available...


Gr,
Rob

Firewall script

[Edmundo Carmona]

On 9/27/05, Rob Sterenborg <rob@sterenborg.info> wrote:
...
>
> $IPTABLES -A FORWARD -i $LAN_IFACE -m state --state NEW \
>   -p tcp --dport 25 -j LOG --log-prefix "SMTP_REJECT: "
> $IPTABLES -A FORWARD -i $LAN_IFACE -m state --state NEW \
>   -p tcp --dport 25 -j REJECT --reject-with tcp-reset
>
.
.
.
I have had this question in my mind for some time by now, but never
had the need to answer it.. however, this post brings it on.

As you can see, first, you have a LOG, and then in the same chain for
the same traffic, you REJECT. What other targets allow traversal to go
on in the same chain?

Re: Firewall script

[Rob Sterenborg]

On Tue, September 27, 2005 15:55, Edmundo Carmona wrote:
> On 9/27/05, Rob Sterenborg <rob@sterenborg.info> wrote:
> ...
>>
>> $IPTABLES -A FORWARD -i $LAN_IFACE -m state --state NEW \
>>   -p tcp --dport 25 -j LOG --log-prefix "SMTP_REJECT: "
>> $IPTABLES -A FORWARD -i $LAN_IFACE -m state --state NEW \
>>   -p tcp --dport 25 -j REJECT --reject-with tcp-reset
>>
>
> I have had this question in my mind for some time by now, but never
> had the need to answer it.. however, this post brings it on.
>
> As you can see, first, you have a LOG, and then in the same chain for
> the same traffic, you REJECT. What other targets allow traversal to
> go on in the same chain?

Not all targets are valid in every chain, but I suppose that would be
(almost ?) all targets that alter packets in some way (not NAT/MASQ)
and do not decide wether to ACCEPT, REJECT or DROP a packet.
Of course, if you don't specify a target (use a rule as byte-counter
or something) a packet passes through to the next rule.

For targets, see also man iptables.
(http://iptables-tutorial.frozentux.net/other/iptables.html)


Gr,
Rob

Re: Firewall script

[Rob Sterenborg]

On Tue, September 27, 2005 15:55, Edmundo Carmona wrote:
> On 9/27/05, Rob Sterenborg <rob@sterenborg.info> wrote:
> ...
>>
>> $IPTABLES -A FORWARD -i $LAN_IFACE -m state --state NEW \
>>   -p tcp --dport 25 -j LOG --log-prefix "SMTP_REJECT: "
>> $IPTABLES -A FORWARD -i $LAN_IFACE -m state --state NEW \
>>   -p tcp --dport 25 -j REJECT --reject-with tcp-reset
>>
>
> I have had this question in my mind for some time by now, but never
> had the need to answer it.. however, this post brings it on.
>
> As you can see, first, you have a LOG, and then in the same chain for
> the same traffic, you REJECT. What other targets allow traversal to
> go on in the same chain?

Not all targets are valid in every chain, but I suppose that would be
(almost ?) all targets that alter packets in some way (not NAT/MASQ)
and do not decide wether to ACCEPT, REJECT or DROP a packet.
Of course, if you don't specify a target (use a rule as byte-counter
or something) a packet passes through to the next rule.

For targets, see also man iptables.
(http://iptables-tutorial.frozentux.net/other/iptables.html)


Gr,
Rob

Re: Firewall script

[Rob Sterenborg]

On Tue, September 27, 2005 15:55, Edmundo Carmona wrote:
> On 9/27/05, Rob Sterenborg <rob@sterenborg.info> wrote:
> ...
>>
>> $IPTABLES -A FORWARD -i $LAN_IFACE -m state --state NEW \
>>   -p tcp --dport 25 -j LOG --log-prefix "SMTP_REJECT: "
>> $IPTABLES -A FORWARD -i $LAN_IFACE -m state --state NEW \
>>   -p tcp --dport 25 -j REJECT --reject-with tcp-reset
>
> I have had this question in my mind for some time by now, but never
> had the need to answer it.. however, this post brings it on.
>
> As you can see, first, you have a LOG, and then in the same chain for
> the same traffic, you REJECT. What other targets allow traversal to
> go on in the same chain?

Not all targets are valid in all chains, but I guess that those would
be most targets that alter a packet, not being NAT or MASQ, and of
course rules without a target.
If a rule doesn't make a decision wether to ACCEPT, REJECT, DROP, NAT
or MASQ a packet, a packet continues to traverse. (I hope I summed it
all now.. Please correct me if I'm wrong.)

For valid targets, check man iptables.


Gr,
Rob

Firewall script...

[Vilmos Branyik]

Hello,

I haven't written many iptables scripts but would like your input on this
one.

What I am attempting to do is to only allow connection from my dial up
routers on my public subnet on ports 645 & 646. Then use NAT to forward to
my Radius server behind the firewall. 

Also I would allow ssh in from the public subnet only.

I welcome any input you may have.

$IPTABLES - location of iptables
$INTIF - Internal interface
$EXTIF - External interface
$INTNET - Internal subnet (address ie. 192.168.1.0/24)
$EXTNET - External subnet (local to us)
$EXTIP - External IP address

# Flush rules
$IPTABLES -P INPUT ACCEPT
$IPTABLES  -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

# Drop everything
$IPTABLES -A INPUT DROP

# Kill invalid packets (too short, illegal, zero length)
$IPTABLES -A INPUT -m unclean -j DROP
$IPTABLES -A FORWARD -m unclean -j DROP

# Kill invalid packets (illegal combinations of flags)
$IPTABLES -A INPUT -m state INVALID -j DROP
$IPTABLES -A FORWARD -m state INVALID -j DROP

# Allow connections from local interface
$IPTABLES -A INPUT -i lo -j ACCEPT

# Drop connections to lo from the outside
$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT

# Allow traffic from the inside
$IPTABLES -A INPUT -i $INTIF -s $INTNET -j ACCEPT

# Reject anything from the outside claiming to be from the inside
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -j REJECT

# Allow established connections
$IPTABLES -A INPUT -m state -state ESTABLISHED, RELATED -j ACCEPT

# Allow forwarding from the inside
$IPTABLES -A FORWARD -o $EXTIF -i $INTIF -j ACCEPT

# Allow replies coming in
$IPTABLES -A FORWARD -i $EXTIF -m state -state ESTABLISHED,RELATED -j ACCEPT

# Allow ssh from local external subnet
$IPTABLES -A INPUT -s $EXTNET -p tcp -dport 22 -j ACCEPT

# Block anything directly addresses to the internal net
$IPTABLES -A PREROUTING -t nat -i $EXTIF -d $INTIF -j DROP

# Start NAT

# Service at port 645 tcp
$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --dport 645 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 645 \
  -j DNAT --to $PORTFWIP:645

# Service at port 645 udp
$IPTABLES -A FORWARD -i eth0 -o eth1 -p udp --dport 645 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p udp -d $EXTIP --dport 645 \
  -j DNAT --to $PORTFWIP:645

# Service at port 646 tcp
$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --dport 646 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 646 \
  -j DNAT --to $PORTFWIP:646

# Service at port 646 udp
$IPTABLES -A FORWARD -i eth0 -o eth1 -p udp --dport 646 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p udp -d $EXTIP --dport 646 \
  -j DNAT --to $PORTFWIP:646

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Thanks for all your help.

Vilmos