From: <netfilter@sbgit.com>
To: netfilter@lists.netfilter.org
Subject: Re-2: Is my script good and secure?
Date: 15 Mar 2004 14:32:05 UT
Message-ID: <DIIE.000000E400002A95@sbgit.com>

 
 
> > iptables -A INPUT lo -p tcp --destination-port 10024 -j ACCEPT
> > iptables -A OUTPUT -o lo -p tcp --destination-port 10024 -j ACCEPT
> > iptables -A INPUT -i lo -p tcp --destination-port 10025 -j ACCEPT
> > iptables -A OUTPUT -o lo -p tcp --destination-port 10025 -j ACCEPT
> 
> You specified you want to accept all lo traffic. Why add rules?
> 
> -- 
I changed some rules: some rules were removed and the position of the rules was
changed. So I hope the script is more secure.
I want to use a separate file to be included, like a blacklist of trojan ports,
but I'm very new to iptables (have worked with it for one week).
How do I have to build the rule to include a separate file with nearly 351 entries of ports
which are used by trojans?
How do I have to build the file (like "65536   #Adore Worm/Linux"??)

Thanx Peter

But here is my current script:

#! /bin/sh

modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_conntrack_pptp
modprobe ip_conntrack_proto_gre
modprobe ip_nat
modprobe ip_nat_pptp
modprobe ip_nat_proto_gre

# Flush, delete, create #
################################################################
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# One filtering chain, "sperre", used by both INPUT and FORWARD
iptables -N sperre

# Allow replies #
######################
iptables -A sperre -m state --state ESTABLISHED,RELATED -j ACCEPT

# first contact #
#################
iptables -A sperre -i eth1 ! -s 192.168.1.0/255.255.255.0 -j DROP                                    # Drop everything that does not come from the local LAN
iptables -A sperre -i eth1 -p tcp -m multiport --dports 19,21,22,25,1723,3389,23000:23001 -j ACCEPT  # Allow outbound only for specific TCP ports
iptables -A sperre -i lo -s 127.0.0.1/255.0.0.0 -j ACCEPT                                            # Allow everything from loopback
iptables -A sperre -i eth0 -s 192.168.1.0/255.255.255.0 -j DROP                                      # Drop everything that comes from outside with LAN IPs (anti-spoofing)

# acceptstuff #
###############
# No interface given, so these ports are accepted on every interface, eth0 included
iptables -A sperre -p tcp --dport 21 -j ACCEPT             # ftp
iptables -A sperre -p tcp --dport 23000:23001 -j ACCEPT    # Battlefield Server
iptables -A sperre -p tcp --dport 90 -j ACCEPT             # DVISE
iptables -A sperre -p tcp --dport 80 -j ACCEPT             # HTTP
iptables -A sperre -p tcp --dport 3389 -j ACCEPT           # VPN (3389 is normally RDP)

# Reject everything else (RFC-conform) #
#######################################
iptables -A sperre -p tcp -j REJECT --reject-with tcp-reset
iptables -A sperre -p udp -j REJECT --reject-with icmp-port-unreachable

# NAT #
#######
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 21 -j DNAT --to 192.168.1.198        # FTP to FTP-Server
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1723 -j DNAT --to 192.168.1.2        # VPN Server (PPTP control connection)
iptables -A PREROUTING -t nat -i eth0 -p 47  -j DNAT --to 192.168.1.2                     # VPN Server (GRE, protocol 47)
iptables -A PREROUTING -t nat -i eth0 -p 37  -j DNAT --to 192.168.1.2                     # VPN Server (protocol 37 is DDP/AppleTalk, not part of PPTP)
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 4661:4662 -j DNAT --to 192.168.1.198 # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 6343 -j DNAT --to 192.168.1.198      # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 6300 -j DNAT --to 192.168.1.198      # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 4242 -j DNAT --to 192.168.1.198      # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8888 -j DNAT --to 192.168.1.198      # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 6661:6662 -j DNAT --to 192.168.1.198 # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 4665 -j DNAT --to 192.168.1.198      # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 4672 -j DNAT --to 192.168.1.198      # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 6665 -j DNAT --to 192.168.1.198      # EDONKEY

# Special Rules #
#################
# These go directly into INPUT/OUTPUT and must be appended before the jump
# to "sperre" below: "sperre" ends with REJECT for all TCP/UDP and never
# returns to INPUT, so anything appended after the jump is unreachable.
iptables -A INPUT -i eth0 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --destination-port 25 -j ACCEPT
iptables -A OUTPUT -o eth0 -s 0/0 -p tcp --destination-port 25 -j ACCEPT

# Loopback is already accepted in "sperre" and the OUTPUT policy is ACCEPT,
# so these four rules are redundant but harmless
iptables -A INPUT -i lo -p tcp --destination-port 10024 -j ACCEPT
iptables -A OUTPUT -o lo -p tcp --destination-port 10024 -j ACCEPT
iptables -A INPUT -i lo -p tcp --destination-port 10025 -j ACCEPT
iptables -A OUTPUT -o lo -p tcp --destination-port 10025 -j ACCEPT

# activating sperre #
#####################
iptables -A INPUT -j sperre
iptables -A FORWARD -j sperre
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT        # output accept
iptables -t nat -P OUTPUT ACCEPT # nat OUTPUT policy (ACCEPT is already the default)

echo "1" > /proc/sys/net/ipv4/ip_forward # Initialising of Forwarding

echo "Firewall started"


To: blancher@cartel-securite.fr
Cc: netfilter@lists.netfilter.org
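The question above asks how to keep the trojan port list in a separate file and what that file should look like. As an added example (not from the original post or the netfilter project), this POSIX sh snippet reads a file in the `port   #comment` format the poster suggests, rejects entries outside 1-65535 (the sample `65536` would be one), and prints the iptables commands that load the ports into a separate chain in batches of 15, the multiport limit. The chain name `trojan_ports`, the LOG prefix and the assumption that eth0 is the outside interface are mine.

```shell
#!/bin/sh
# Added example, not part of the original post.  Builds a separate
# "trojan_ports" chain (name assumed) from a blacklist file whose lines look
# like "12345   #NetBus": port first, optional "#comment", blank lines allowed.
# Nothing is applied directly: the iptables commands are printed so they can
# be reviewed first, then piped into sh as root.

# Print the valid TCP ports found in the file, sorted and de-duplicated.
# Entries that are not numeric or not within 1-65535 are reported on stderr.
parse_blacklist() {
    while IFS= read -r line || [ -n "$line" ]; do
        port=${line%%#*}                                   # drop the comment
        port=$(printf '%s' "$port" | tr -d '[:blank:]' | sed 's/^0*\([0-9]\)/\1/')
        [ -z "$port" ] && continue                         # blank or comment-only line
        case $port in
            *[!0-9]*) echo "skipping non-numeric entry: $line" >&2; continue ;;
        esac
        if [ ${#port} -gt 5 ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "skipping out-of-range port: $line" >&2
            continue
        fi
        echo "$port"
    done < "$1" | sort -n | uniq
}

# Emit the iptables commands.  multiport accepts at most 15 ports per rule,
# so the list is split into chunks; each chunk gets a LOG rule and a DROP rule.
gen_rules() {
    echo "iptables -N trojan_ports"
    parse_blacklist "$1" | xargs -n 15 | while read -r chunk; do
        [ -n "$chunk" ] || continue                        # empty list: nothing to add
        ports=$(printf '%s' "$chunk" | tr ' ' ',')
        echo "iptables -A trojan_ports -p tcp -m multiport --dports $ports -j LOG --log-prefix 'trojan_port: '"
        echo "iptables -A trojan_ports -p tcp -m multiport --dports $ports -j DROP"
    done
    # Hook the chain in ahead of the other rules on the outside interface
    # (eth0 assumed, as in the poster's script).
    echo "iptables -I INPUT 1 -i eth0 -j trojan_ports"
    echo "iptables -I FORWARD 1 -i eth0 -j trojan_ports"
}
```

Once the printed rules look right, `gen_rules /etc/firewall/trojan-ports.txt | sh` as root applies them (the path is only an example).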



Thread overview: 2+ messages
2004-03-15 14:32 netfilter [this message]
2004-03-16  9:16 ` Re-2: Is my script good and secure? Cedric Blancher