From: Jeff Bonner <lunar@comcast.net>
To: netfilter@lists.samba.org
Subject: Please critique my iptables script
Date: Sun, 02 Jun 2002 23:43:50 -0400
Message-ID: <3CFAE5F6.7070201@comcast.net>
Greetings,
After reading all the documentation I could find (and understand), and
viewing numerous examples, I have begun to write my own iptables script.
I chose not to use something like ShoreWall, because I wanted to
understand what was going on, and keep it as simple as possible.
Since I had only limited experience with ipchains before this, and I'm a
newbie at Linux in general, I don't know if there are any glaring holes
or omissions in the script, or if things could be done more "cleanly",
etc. I would like to solicit any constructive criticism, comments or
suggestions that may be appropriate.
The script can be viewed at http://firegate.lunarfox.com and is also
attached to this mail. I have placed comments throughout, to explain
what I'm trying to do, and also to ask questions in certain places.
Thanks in advance,
Jeff Bonner
[-- Attachment #2: firewall.040 --]
#!/bin/bash
# Program Name = FireGate
# Intended Use = An IPTABLES firewall ruleset and NAT gateway
# Revision Num = 0.40
# Created File = 20 Jan 2002
# Last Updated = 01 Jun 2002
#
# Copyright 2002 Jeff Bonner (lunar@xrs.net, http://www.lunarfox.com)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License,
# Version 2, as published by the Free Software Foundation (for
# complete text, see http://www.gnu.org/copyleft/gpl.html).
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTIBILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
echo -e -n "\nStarting FireGate v0.40... "
# Basic Variables;
#
IPT="/sbin/iptables" # Where is IPTABLES
EVIL="24.0.0.203" # Blacklisted IPs
DHCP="172.30.166.36" # DHCP server IP
DNS="68.60.32.5 206.141.251.2" # DNS server IP
# SYSCTL DoS Prevention, etc;
# Definitions at http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO-13.html
#
echo 1 > /proc/sys/net/ipv4/ip_forward # Enable masq below
echo 1 > /proc/sys/net/ipv4/ip_dynaddr # Rebound to new addr
echo 1 > /proc/sys/net/ipv4/tcp_syncookies # No TCP SYN overload
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # No Smurf amplifying
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians # Spoof/route/redirect
echo 0 > /proc/sys/net/ipv4/tcp_timestamps # Uptime/Gigabit ether
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # No route altering
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # No source routing
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # Don't log bogus ICMP
for r in /proc/sys/net/ipv4/conf/*/rp_filter; do # Impossible addresses;
echo 1 > $r # can "2" be used here
done # for full reversepath?
# Performance Tuning;
# What are appropriate values to change here, if any, for 2.4.x?
#
# echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout # Reduce dead sockets?
# echo 180 > /proc/sys/net/ipv4/tcp_keepalive_intvl # Is this even needed?
# Erase Previous Rules, Define Policy;
#
$IPT -F # Flush built-in rules
$IPT -X # Erase custom rules
$IPT -Z # Zero all counters
$IPT -F -t nat # Flush pre/postrouting
$IPT -P INPUT DROP #
$IPT -P OUTPUT ACCEPT # Set default policies
$IPT -P FORWARD DROP #
$IPT -A INPUT -i lo -j ACCEPT # Loopback traffic OK
$IPT -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP #
$IPT -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP #
$IPT -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP # Toss any private
$IPT -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP # addresses coming in
$IPT -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP # from ext interface
$IPT -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP #
$IPT -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP #
$IPT -A INPUT -s 255.255.255.255 -d 0/0 -j DROP # No bogus routing
for e in $EVIL; do #
$IPT -A INPUT -s $e -j DROP # Drop blacklist sites
done #
# Toss any inbound
$IPT -A INPUT -p udp --sport 137:139 -j DROP # ... SMB
$IPT -A INPUT -p tcp --dport 80 -j DROP # ... HTTP
$IPT -A INPUT -p tcp --dport 22:23 -j DROP # ... Telnet/SSH
$IPT -A INPUT -p tcp --dport 1214 -j DROP # ... KaZaA
# Redirect ports for ReAIM proxy;
#
$IPT -t nat -A PREROUTING -i eth0 -p tcp \
--dport 5190 -j REDIRECT --to-ports 5190 # AIM/ICQ Clients
$IPT -t nat -A PREROUTING -i eth0 -p tcp \
--dport 1863 -j REDIRECT --to-ports 1863 # MSN Clients
# Port Scanners, etc;
# Is this effective (or even necessary)?
#
$IPT -N SCAN
$IPT -A INPUT -i eth0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j SCAN
$IPT -A SCAN -m limit --limit 1/s -j LOG --log-level info \
--log-prefix "**PORTSCAN** "
$IPT -A SCAN -j DROP
# Fragmented Packets;
# How often are these seen? Are they mostly hostile? What do they break?
#
$IPT -A INPUT -i eth0 -f -j LOG -m limit --limit 1/s \
--log-level info --log-prefix "**FRAGMENT** "
$IPT -A INPUT -i eth0 -f -j DROP
# Hostile TCP Flags;
#
$IPT -N FLAGS
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j FLAGS
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j FLAGS
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j FLAGS
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j FLAGS
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j FLAGS
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j FLAGS
$IPT -A FLAGS -m limit --limit 60/minute -j LOG \
--log-level info --log-prefix "**BADFLAGS** "
$IPT -A FLAGS -j DROP
# Miscellaneous Stuff;
#
$IPT -A INPUT -i eth0 -p tcp ! --syn -m state \
--state NEW -j DROP # New TCP must be SYN
$IPT -A INPUT -p tcp --dport 113 -j REJECT \
--reject-with tcp-reset # Handle auth/ident
$IPT -A INPUT -p udp -s $DHCP --sport 67 -d 0/0 \
--dport 68 -j ACCEPT # Let firewall get IP
# Allow authorized DNS servers;
#
for d in $DNS; do
$IPT -A INPUT -p udp -s $d --sport 53 -d 0/0 \
-j ACCEPT
done
# Blocked Outbound Trojan, Etc ports;
#
$IPT -N STOPOUT
$IPT -A OUTPUT -p tcp --dport 137:139 -j STOPOUT # SMB
$IPT -A OUTPUT -p tcp --dport 31335:31337 -j STOPOUT # Trinoo
$IPT -A OUTPUT -p tcp --dport 27444 -j STOPOUT # Trinoo Slave
$IPT -A OUTPUT -p tcp --dport 27655 -j STOPOUT # Trinoo Master
$IPT -A STOPOUT -m limit --limit 1/s -j LOG \
--log-level info --log-prefix "**OUTBOUND** " # Log these attempts
$IPT -A STOPOUT -j DROP # then drop packets
# ICMP Control;
# Are these the only 'proper' ones to allow?
#
$IPT -A INPUT -p icmp --icmp-type 0 -s 0/0 -j ACCEPT # ICMP echo reply
$IPT -A INPUT -p icmp --icmp-type 3 -s 0/0 -j ACCEPT # ICMP dest-unreach
$IPT -A INPUT -p icmp --icmp-type 11 -s 0/0 -j ACCEPT # ICMP time-exceeded
$IPT -A INPUT -p icmp -j LOG -m limit --limit 30/minute \
--log-level info --log-prefix "**ICMP DROP** " # Log anything denied
$IPT -A INPUT -p icmp -j DROP # Drop failed packets
# Open IM File Xfer, Direct Connect for ReAIM;
#
$IPT -A INPUT -p tcp --dport 5190 -j ACCEPT # AOL/ICQ Client
$IPT -A INPUT -p tcp --dport 1863 -j ACCEPT # MSN IM Client
# Main Ruleset;
#
$IPT -N TRAFFIC
$IPT -A TRAFFIC -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A TRAFFIC -m state --state NEW -i ! eth0 -j ACCEPT
$IPT -A TRAFFIC -j LOG -m limit --limit 60/minute \
--log-level info --log-prefix "**PACKET DROP** " # Log anything denied
$IPT -A TRAFFIC -j DROP # Drop failed packets
$IPT -A FORWARD -j TRAFFIC # Send FORWARD to above
$IPT -A INPUT -j TRAFFIC # Send INPUT to above
# Enable NAT/Masquerading;
# Should this be located earlier in the script?
#
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Enable sNAT
echo -e "DONE.\n"
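As an added illustration (my code, not Jeff's script): a small first-match simulator of an excerpt of the INPUT and TRAFFIC chains above, to check which rule a given packet hits and how many rules it walks before the ESTABLISHED,RELATED accept. The Rule/verdict names and the packet dictionaries are mine; it models only interface, protocol, destination port and conntrack state, and the rule list is a constructed subset of the posted script in its original order.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    target: str          # ACCEPT, DROP or a user-defined chain to jump to
    iface: str = "*"     # "eth0", "!eth0" (negated, like "-i ! eth0") or "*"
    proto: str = "*"
    dport: tuple = None  # inclusive (low, high) as in "--dport 22:23"; None = any
    states: tuple = ()   # conntrack states; () = no "-m state" match

    def matches(self, pkt):
        neg = self.iface.startswith("!")
        iface_ok = self.iface == "*" or (pkt["iface"] == self.iface.lstrip("!")) != neg
        port_ok = not self.dport or self.dport[0] <= pkt["dport"] <= self.dport[1]
        return (iface_ok and self.proto in ("*", pkt["proto"]) and port_ok
                and (not self.states or pkt["state"] in self.states))

# Constructed excerpt of the posted INPUT and TRAFFIC chains, in script
# order; the bogon, TCP-flag, ICMP and LOG rules are left out.
CHAINS = {
    "INPUT": [
        Rule("ACCEPT", iface="lo"),
        Rule("DROP", proto="tcp", dport=(80, 80)),
        Rule("DROP", proto="tcp", dport=(22, 23)),
        Rule("ACCEPT", proto="tcp", dport=(5190, 5190)),  # ReAIM rule, no -i
        Rule("TRAFFIC"),                                   # -A INPUT -j TRAFFIC
    ],
    "TRAFFIC": [
        Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
        Rule("ACCEPT", iface="!eth0", states=("NEW",)),
        Rule("DROP"),
    ],
}
POLICY = {"INPUT": "DROP"}  # built-in policy; user chains return to the caller

def verdict(pkt, chain="INPUT"):
    """First-match walk of `chain`; returns (verdict, number of rules evaluated)."""
    evaluated = 0
    for rule in CHAINS[chain]:
        evaluated += 1
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target, evaluated
        sub, n = verdict(pkt, rule.target)  # jump into the user chain
        evaluated += n
        if sub is not None:
            return sub, evaluated
    return POLICY.get(chain), evaluated  # None for a user chain: fall through
```

Walking the excerpt shows that the interface-less port-5190 ACCEPT is reachable from eth0 before the TRAFFIC chain is ever consulted, and that the interface-less port-80 DROP also blocks LAN hosts from the gateway, while every established packet passes all the preceding stateless rules first.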