* Firewalll script
@ 2002-12-23 12:32 system
2002-12-23 14:22 ` hare ram
2002-12-23 15:14 ` Anders Fugmann
0 siblings, 2 replies; 3+ messages in thread
From: system @ 2002-12-23 12:32 UTC (permalink / raw)
To: iptables
Hi All,
Following is the policy that my firewall generation script gives, but my system hangs when I execute this. I am using ssh to execute this script. My aim is very simple: to close all unused ports. My entire script goes like this. Can you please help me in correcting the script?
#!/bin/sh
###################################################################################
# IPTABLES Firewall script
# written by ts
###################################################################################
IPTABLES="//sbin/iptables"
echo "Flushing rules..."
$IPTABLES -F
$IPTABLES -X
#Flush the built-in chains; the default policies stay ACCEPT here, the catch-all DROP rules are appended at the end
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
LOOP_IF="lo"
###########################################################################
#----Set network sysctl options-----#
echo "--Setting sysctl options--"
echo "Disabling IP Spoofing attacks"
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo "Disabling respond to broadcast pings"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "Blocking source routing"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "Kill timestamps"
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo "Enable SYN Cookies"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "Kill redirects"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "Enabling bad error message protection"
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "Logging martians (packets with impossible addresses)"
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo "Reducing DoS'ing ability by reducing timeouts"
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo "Done..."
#########################################################################
echo "--Setting up standard rules--"
echo "Allow unlimited traffic on the loopback interface"
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
echo "Enabling SYN-FLOODING PROTECTION"
$IPTABLES -N syn-flood
$IPTABLES -A INPUT -p tcp --syn -j syn-flood
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP
echo "Making sure NEW tcp connections are SYN packets"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
echo "Logging fragments caught"
$IPTABLES -N fragments
$IPTABLES -A INPUT -f -j fragments
$IPTABLES -A fragments -j LOG --log-prefix "IPTABLES FRAGMENTS:"
$IPTABLES -A fragments -j DROP
echo "Refusing spoofed packets pretending to be from your IP address"
#$IPTABLES -A INPUT -s $NET_IPADDR -j DROP
echo "Done..."
##########################################################################
echo "--Setting up user defined chains--"
echo "Allow SSH(22/tcp)"
$IPTABLES -A INPUT -p tcp --sport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT
echo "Allow ftp"
$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
echo "Active ftp"
$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
echo "Passive ftp"
$IPTABLES -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Allow DNS(53/tcp&udp)"
$IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
echo "Allow SFTP(115/tcp)to the internet"
$IPTABLES -A OUTPUT -p tcp --dport 115 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 115 -j ACCEPT
echo "Allow IMAP2"
$IPTABLES -A OUTPUT -p tcp --dport 143 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 143 -j ACCEPT
echo "Allow HTTP(80)(tcp&udp)to the internet"
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT
echo "Allow https"
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT
echo "Allow plesk admin"
$IPTABLES -A OUTPUT -p tcp --dport 8443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 8443 -j ACCEPT
echo "Rejecting all connections to 137:139"
$IPTABLES -N NETBIOS
$IPTABLES -A INPUT -p udp --sport 137:139 -j NETBIOS
$IPTABLES -A NETBIOS -j LOG --log-prefix "IPTABLES NETBIOS: "
$IPTABLES -A NETBIOS -j DROP
echo "Allowing SMTP"
$IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 25 -j ACCEPT
echo "Allowing POP3"
$IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 110 -j ACCEPT
echo "Allowing Ident"
$IPTABLES -A OUTPUT -p tcp --dport 113 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 113 -j ACCEPT
echo "Rejecting all other packets"
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j DROP
echo "Done..."
#################################################################################
echo "Firewall construction completed"
* Re: Firewalll script
2002-12-23 12:32 Firewalll script system
@ 2002-12-23 14:22 ` hare ram
2002-12-23 15:14 ` Anders Fugmann
1 sibling, 0 replies; 3+ messages in thread
From: hare ram @ 2002-12-23 14:22 UTC (permalink / raw)
To: system, iptables
Hi
Check the iptables location.
Is this correct? It is supposed to be /sbin/iptables (depends on the distro you are using):
IPTABLES="//sbin/iptables"
Better to run the script from the console, so you will find any errors in the script.
hare
* Re: Firewalll script
2002-12-23 12:32 Firewalll script system
2002-12-23 14:22 ` hare ram
@ 2002-12-23 15:14 ` Anders Fugmann
1 sibling, 0 replies; 3+ messages in thread
From: Anders Fugmann @ 2002-12-23 15:14 UTC (permalink / raw)
To: system; +Cc: iptables
system@eluminoustechnologies.com wrote:
> Hi All,
>
> Following is the policy that my firewall generation script gives, but my
> system hangs when i execute this, I am using ssh to execute this script.
> My aim is very simple to close all unused ports. My entire scripts goes
> like this. Can you please help me in correcting the script.
Your ssh connection hangs because you close off communication to port
22. The lines:
> echo "Allow SSH(22/tcp)"
> $IPTABLES -A INPUT -p tcp --sport 22 -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT
are wrong, as you want to match the destination port on input and the source port
on output.
In general, it is not considered offensive to have an
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
which will also make the rules a lot simpler. For starters, I would even
recommend that you allow all outgoing packets.
The lines:
> echo "Disabling IP Spoofing attacks"
> echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
are somewhat incorrect. It should be '1' and not '2'. I have seen many
scripts and tutorials with this misconception of what to set where, but
the kernel source says 0|1.
> echo "Logging martians (packets with impossible addresses)"
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
This is incorrect. The setting determines whether packets violating RFC1122
should be logged or not. Setting this to '1' disables logging.
Hope it helps.
Regards
Anders Fugmann
--
Author of FIAIF.
FIAIF is an intelligent firewall
http://fiaif.fugmann.dhs.org
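The ruleset reworked along the lines of the reply above, as an added example that is not the poster's script nor code from FIAIF: inbound services match --dport, one RELATED,ESTABLISHED rule replaces the per-port reply rules, all outgoing traffic is allowed, and rp_filter is set to 1. The INBOUND_TCP list, the DRY_RUN/FW_APPLY switches and the helper names are assumptions, and the policies are flipped to DROP only after the accept rules are in place so the ssh session running the script is not cut off halfway.

```shell
#!/bin/sh
# Added example: the ruleset reworked along the lines of the reply above.
# Assumptions: run as root; INBOUND_TCP lists the services this host really
# serves (22 only by default); DRY_RUN=1 prints commands instead of running them.
IPTABLES="${IPTABLES:-/sbin/iptables}"
INBOUND_TCP="${INBOUND_TCP:-22}"

# Run one iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

# Write one /proc/sys value, or print it when DRY_RUN=1.
sysctl_set() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$1 = $2"; else echo "$2" > "$1"; fi
}

build_rules() {
    # Flush while the policies are still ACCEPT, so a half-loaded ruleset
    # cannot cut off the ssh session that is running the script.
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -X
    ipt -A INPUT -i lo -j ACCEPT
    # One stateful rule replaces every "--sport <service>" reply rule of the
    # original script: replies to our own connections are accepted here.
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # Inbound services match the DESTINATION port; "--sport 22" on INPUT only
    # matched replies from remote ssh servers, which is why the session hung.
    for port in $INBOUND_TCP; do
        ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES DROP: "
    # Everything else inbound is dropped by policy; all outgoing traffic is
    # allowed, as the reply recommends for a first version.
    ipt -P INPUT DROP
    ipt -P OUTPUT ACCEPT
    # rp_filter is 0 or 1 on the kernels of this thread (loose mode, 2, came
    # much later); 1 enables reverse-path checking.
    sysctl_set /proc/sys/net/ipv4/conf/all/rp_filter 1
    sysctl_set /proc/sys/net/ipv4/tcp_syncookies 1
}

# Print the plan unless FW_APPLY=1 is set explicitly.
if [ "${FW_APPLY:-0}" = 1 ]; then build_rules; else DRY_RUN=1 build_rules; fi
```

Run it once without FW_APPLY to review the printed rule order, then with FW_APPLY=1 from a console rather than over ssh.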