* Is my script good and secure?
@ 2004-03-15 13:28 netfilter
2004-03-15 13:50 ` Antony Stone
2004-03-15 14:06 ` Cedric Blancher
0 siblings, 2 replies; 3+ messages in thread
From: netfilter @ 2004-03-15 13:28 UTC (permalink / raw)
To: netfilter
Is this a good and secure Firewall Script?
Thanks, Peter
----------------------------------------------------
#! /bin/sh
echo "1" > /proc/sys/net/ipv4/ip_forward # Enable forwarding
# Flush, delete, create #
################################################################
iptables -F
iptables -F -t nat
iptables -F sperre
iptables -X sperre
iptables -N sperre
iptables -F sperre
# first contact #
#################
iptables -A sperre -i eth1 -s ! 192.168.1.0/255.255.255.0 -j DROP # Drop everything that does not come from the local LAN
iptables -A sperre -i eth1 --dport 22,19,21,22,25,3389,1723,23000:23001 -j ACCEPT # Allow outbound only for specific ports
iptables -A sperre -i lo -s 127.0.0.1/255.0.0.0 -j ACCEPT # Allow everything from loopback
iptables -A sperre -i eth0 -s 192.168.1.0/255.255.255.0 -j DROP # Drop everything that comes from outside with LAN IPs
# acceptstuff #
###############
iptables -A sperre -p tcp --dport 21 -j ACCEPT # ftp
iptables -A sperre -p tcp --dport 23001:23001 -j ACCEPT # Battlefield Server
iptables -A sperre -p tcp --dport 90 -j ACCEPT # DVISE
iptables -A sperre -p tcp --dport 80 -j ACCEPT # HTTP
iptables -A sperre -p tcp --dport 3389 -j ACCEPT # VPN
# Allow replies #
######################
iptables -A sperre -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reject everything else (RFC-conform) #
#######################################
iptables -A sperre -p tcp -j REJECT --reject-with tcp-reset
iptables -A sperre -p udp -j REJECT --reject-with icmp-port-unreachable
# activating sperre #
#####################
iptables -A INPUT -j sperre
iptables -A FORWARD -j sperre
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT # output accept
iptables -P OUTPUT ACCEPT -t nat
# NAT #
#######
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 21 -j DNAT --to 192.168.1.198 # FTP to FTP-Server
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 3389 -j DNAT --to 192.168.1.220 # Terminal Server
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1723 -j DNAT --to 192.168.1.2 # VPN Server
iptables -A PREROUTING -t nat -i eth0 -p 47 -j DNAT --to 192.168.1.220 # VPN Server
iptables -A PREROUTING -t nat -i eth0 -p 37 -j DNAT --to 192.168.1.220 # VPN Server
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 4661:4662 -j DNAT --to 192.168.1.198 # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 6343 -j DNAT --to 192.168.1.198 # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 6300 -j DNAT --to 192.168.1.198 # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 4242 -j DNAT --to 192.168.1.198 # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8888 -j DNAT --to 192.168.1.198 # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 6661:6662 -j DNAT --to 192.168.1.198 # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 4665 -j DNAT --to 192.168.1.198 # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 4672 -j DNAT --to 192.168.1.198 # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 6665 -j DNAT --to 192.168.1.198 # EDONKEY
# Special Rules
iptables -A INPUT -i eth0 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --destination-port 25 -j ACCEPT
iptables -A OUTPUT -o eth0 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
iptables -A INPUT lo -p tcp --destination-port 10024 -j ACCEPT
iptables -A OUTPUT -o lo -p tcp --destination-port 10024 -j ACCEPT
iptables -A INPUT -i lo -p tcp --destination-port 10025 -j ACCEPT
iptables -A OUTPUT -o lo -p tcp --destination-port 10025 -j ACCEPT
echo "Firewall started"
* Re: Is my script good and secure?
From: Antony Stone @ 2004-03-15 13:50 UTC (permalink / raw)
To: netfilter
On Monday 15 March 2004 1:28 pm, netfilter@sbgit.com wrote:
> Is this a good and secure Firewall Script?
> echo "1" > /proc/sys/net/ipv4/ip_forward # Enable forwarding
Suggest you do this at the end, after setting up all the rules, instead of at
the beginning, when some packets might get forwarded before you're ready.
> iptables -F sperre
> iptables -X sperre
> iptables -N sperre
I notice you are calling this user-defined chain from both INPUT and FORWARD -
this means that all the protocols you allow *through* the firewall are also
accepted *to* it - is this what you want?
> iptables -A sperre -i eth1 --dport 22,19,21,22,25,3389,1723,23000:23001 -j
> ACCEPT # Allow outbound only for specific ports
For example, the above rule is going to get called by both FORWARD and INPUT -
think about whether that's what you meant to set up.
> iptables -A sperre -p tcp --dport 23001:23001 -j ACCEPT # Battlefield
Did you mean "--dport 23000:23001"?
> iptables -A sperre -m state --state ESTABLISHED,RELATED -j ACCEPT
Put this rule at the top of the chain, so it gets matched first - nearly all
of your traffic will match here, so make it efficient to process.
> iptables -A PREROUTING -t nat -i eth0 -p 37 -j DNAT --to 192.168.1.220
You have a VPN which uses protocol 37 (DDP: Datagram Delivery Protocol) ???
I think you mean 47: GRE.
> # Special Rules
> iptables -A INPUT -i eth0 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
> iptables -A OUTPUT -o eth1 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
> iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --destination-port 25 -j
> ACCEPT
No need for this rule as packets will match on the INPUT rule above (unless
you meant eth1?)
> iptables -A INPUT lo -p tcp --destination-port 10024 -j ACCEPT
Missing a "-i" there :)
> echo "Firewall started"
Good luck.
Antony.
--
Most people have more than the average number of legs.
Please reply to the list;
please don't CC me.
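The slips Antony points out (the empty range "23001:23001", the missing "-i" in "-A INPUT lo") are mechanical enough to be caught before the script is ever run. The following rule lint is an added example and not code from the thread; it also checks two facts about iptables that the posted script trips over: "--dport" is only understood after "-p tcp" or "-p udp", and a comma-separated port list needs the multiport (or mport) match. The sample rule lines at the bottom are copied from the posted script for demonstration; check names such as "stray-token" are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: a small lint for iptables rule lines.
# Findings it can report (names are this example's own):
#   stray-token:X                a word right after the chain name that is not
#                                an option, e.g. "-A INPUT lo" instead of "-i lo"
#   dport-without-proto          --dport/--destination-port without -p tcp/udp
#   port-list-without-multiport  a comma-separated port list without -m multiport
#   empty-range:A:B              a port range whose ends are equal (23001:23001)
#   policy-on-non-filter-table   -P used together with -t nat / -t mangle

# lint_rule LINE: print one finding per line, return 1 if any was found.
lint_rule() {
    rule=${1%%#*}                  # drop a trailing "# comment"
    findings=""
    prev="" proto="" ports="" multiport=0 expect_option=0
    for tok in $rule; do           # unquoted on purpose: split into tokens
        case "$prev" in
            -p) proto=$tok ;;
            -m) case "$tok" in multiport|mport) multiport=1 ;; esac ;;
            --dport|--dports|--destination-port) ports=$tok ;;
            -A|-I|-D) expect_option=1 ;;      # $tok is the chain name
            *)
                if [ "$expect_option" = 1 ]; then
                    expect_option=0           # $tok follows the chain name
                    case "$tok" in
                        -*) ;;
                        *) findings="$findings stray-token:$tok" ;;
                    esac
                fi ;;
        esac
        prev=$tok
    done
    if [ -n "$ports" ]; then
        case "$proto" in tcp|udp) ;; *) findings="$findings dport-without-proto" ;; esac
        case "$ports" in
            *,*) [ "$multiport" = 1 ] || findings="$findings port-list-without-multiport" ;;
        esac
        case "$ports" in
            *:*) [ "${ports%%:*}" != "${ports##*:}" ] || findings="$findings empty-range:$ports" ;;
        esac
    fi
    case "$rule" in
        *" -P "*) case "$rule" in
                      *" -t nat"*|*" -t mangle"*) findings="$findings policy-on-non-filter-table" ;;
                  esac ;;
    esac
    [ -z "$findings" ] && return 0
    printf '%s\n' $findings        # unquoted on purpose: one finding per line
    return 1
}

# lint_rules: read rule lines on stdin, print the bad ones with their
# findings, and return the number of bad lines.
lint_rules() {
    bad=0
    while IFS= read -r line; do
        case "$line" in iptables*) ;; *) continue ;; esac
        r=$(lint_rule "$line") && continue
        bad=$((bad + 1))
        printf 'BAD: %s\n' "$line"
        printf '%s\n' "$r" | sed 's/^/     /'
    done
    return "$bad"
}

# Constructed sample: lines from the posted script (one of them is fine).
sample_rules() {
    cat <<'EOF'
iptables -A sperre -i eth1 --dport 22,19,21,22,25,3389,1723,23000:23001 -j ACCEPT
iptables -A sperre -p tcp --dport 23001:23001 -j ACCEPT # Battlefield Server
iptables -P OUTPUT ACCEPT -t nat
iptables -A INPUT lo -p tcp --destination-port 10024 -j ACCEPT
iptables -A sperre -p tcp --dport 80 -j ACCEPT # HTTP
EOF
}

sample_rules | lint_rules || echo "$? rule(s) need fixing"
```

Run it as "sh lint.sh" to see the findings for the sample; pipe a real script through lint_rules to check it before applying. The check is purely lexical, so it will not catch ordering or policy problems such as the shared INPUT/FORWARD chain.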
* Re: Is my script good and secure?
From: Cedric Blancher @ 2004-03-15 14:06 UTC (permalink / raw)
To: netfilter; +Cc: netfilter
On Mon 15/03/2004 at 14:28, netfilter@sbgit.com wrote:
> Is this a good and secure Firewall Script?
See below for comments.
> # Flush, delete, create #
> ################################################################
> iptables -F
> iptables -F -t nat
>
> iptables -F sperre
Flushing the sperre chain is useless. It has already been flushed by the prior
"iptables -F", which flushes all chains, including user-defined ones.
> iptables -X sperre
> iptables -N sperre
Why destroy the sperre chain only to recreate it just after?
> iptables -F sperre
Flushing the sperre chain (again) here is useless, since it has just been
created, so it is empty.
These two lines will just do the same, except for the byte counters, which are
zeroed by chain deletion:
iptables -F
iptables -t nat -F
If counter zeroing is important to you, just add:
iptables -Z
However, when I write a script, I like to flush everything at startup so
I can launch my script whatever rules I may have. So I would do this:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -N sperre
> # first contact #
> #################
> iptables -A sperre -i eth1 -s ! 192.168.1.0/255.255.255.0 -j DROP # Drop everything that does not come from the local LAN
This should be handled through reverse path filtering, which checks the
source against your routing table. So, if a source that should be routed
via another interface than eth1 arrives on it, the packet is destroyed.
> iptables -A sperre -i eth1 --dport
> 22,19,21,22,25,3389,1723,23000:23001 -j ACCEPT # Allow outbound only
> for specific ports
This rule won't work:
the --dport switch needs -p tcp or -p udp
--dport takes only one argument
It should be:
iptables -A sperre -i eth1 -p tcp -m mport \
--dports 22,19,21,22,25,3389,1723,23000:23001 \
-j ACCEPT
> iptables -A sperre -i lo -s 127.0.0.1/255.0.0.0 -j ACCEPT
> # Allow everything from loopback
Note that you can have other sources on loopback. Suppose you ping your
eth1 address. Supposing it is 192.168.1.1, when you do :
ping 192.168.1.1
You'll see 192.168.1.1 pinging 192.168.1.1 on lo. This very rule does
not accept this.
> iptables -A sperre -i eth0 -s 192.168.1.0/255.255.255.0 -j
> DROP # Drop everything that comes from outside
> with LAN IPs
Reverse path filtering will handle this fine.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
> # acceptstuff #
> ###############
> iptables -A sperre -p tcp --dport 21 -j ACCEPT # ftp
> iptables -A sperre -p tcp --dport 23001:23001 -j ACCEPT # Battlefield Server
Check your range. There's no range here.
> iptables -A sperre -p tcp --dport 90 -j ACCEPT # DVISE
> iptables -A sperre -p tcp --dport 80 -j ACCEPT # HTTP
> iptables -A sperre -p tcp --dport 3389 -j ACCEPT # VPN
VPN ? You mean Terminal Server I guess. I would accept Terminal Server
only through SSH redirection.
> # Antworten zulassen #
> ######################
> iptables -A sperre -m state --state ESTABLISHED,RELATED -j ACCEPT
This rule should be at the very beginning, for it's the rule that will
match most of the packets you'll handle. This is an optimisation.
> # activating sperre#
> #####################
> iptables -A INPUT -j sperre
> iptables -A FORWARD -j sperre
I don't think handling INPUT and FORWARD through the same chain is a
good idea, for you must not have the same needs for them. I mean this
will end in allowing stuff for INPUT that should not be, and the same
for FORWARD.
> iptables -P OUTPUT ACCEPT # output accept
> iptables -P OUTPUT ACCEPT -t nat
Not needed. You should not touch nat chain policies.
> # NAT #
> #######
[...]
> iptables -A PREROUTING -t nat -i eth0 -p 37 -j DNAT --to
> 192.168.1.220 # VPN Server
IP proto 37 is not used for VPN. This rule is not needed.
> # Special Rules
> iptables -A INPUT -i eth0 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
> iptables -A OUTPUT -o eth1 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
Your firewall is to connect to an internal host on TCP/25? Why have an
ACCEPT on OUTPUT when your OUTPUT policy is ACCEPT?
> iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --destination-port 25 -j ACCEPT
This rule will never get matched. It is impossible, as you stated
before, for a 192.168.1.0/24 originated packet to come through eth0,
since this network is attached to eth1.
> iptables -A OUTPUT -o eth0 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
You do not need to have OUTPUT accept rules, since OUTPUT policy is
ACCEPT.
> iptables -A INPUT lo -p tcp --destination-port 10024 -j ACCEPT
> iptables -A OUTPUT -o lo -p tcp --destination-port 10024 -j ACCEPT
> iptables -A INPUT -i lo -p tcp --destination-port 10025 -j ACCEPT
> iptables -A OUTPUT -o lo -p tcp --destination-port 10025 -j ACCEPT
You specified you want to accept all lo traffic. Why add rules?
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
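Both replies converge on the same restructuring: flush every table so the script can be re-run, put the ESTABLISHED,RELATED rule first, keep traffic to the firewall and traffic through it in separate chains, use a real multiport match with "-p tcp", let reverse-path filtering do the anti-spoofing, drop the protocol 37 rule and the nat policy line, and only enable forwarding once all rules are loaded. The script below is an added example that applies those points to the posted configuration; it is not code from the thread. It assumes eth0 faces the Internet and eth1 the 192.168.1.0/24 LAN, keeps the DNAT targets from the original post (only a subset of the port forwards is shown), uses "sysctl -w" in place of writing to /proc, and the chain names in_sperre and fwd_sperre are this example's own. Without the "apply" argument it only prints the commands, so the result can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the poster's script: the same firewall reorganised
# along the lines of both replies. Assumed layout (as in the thread):
# eth0 faces the Internet, eth1 the LAN 192.168.1.0/24; DNAT targets are
# the ones from the original post. Without the "apply" argument the
# commands are only printed, so the ordering can be checked without root.

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24

# run CMD...: execute the command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

firewall_rules() {
    # Clean slate in every table, so the script can be re-run at any time
    # (Cedric's flush/delete block); -Z zeroes the counters explicitly.
    for t in filter nat mangle; do
        run iptables -t "$t" -F
        run iptables -t "$t" -X
    done
    run iptables -Z

    # Default deny for INPUT and FORWARD before any rule is added; OUTPUT
    # stays ACCEPT as in the original, and the nat policies are left alone.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Separate chains for traffic TO the firewall and traffic THROUGH it,
    # instead of one "sperre" chain hooked into both INPUT and FORWARD.
    run iptables -N in_sperre
    run iptables -N fwd_sperre

    # State rule first in each chain: it matches most packets.
    run iptables -A in_sperre  -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A fwd_sperre -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Loopback: match on the interface only, so 192.168.1.1 pinging itself
    # over lo (Cedric's example) is accepted as well.
    run iptables -A in_sperre -i lo -j ACCEPT

    # Service on the firewall itself: SMTP from the Internet side (the
    # original "Special Rules"; no OUTPUT rules, the policy already accepts).
    run iptables -A in_sperre -i "$WAN_IF" -p tcp --dport 25 -j ACCEPT

    # LAN clients may go out on a fixed TCP port list; a comma separated
    # list needs -p tcp and -m multiport (the original rule had neither).
    run iptables -A fwd_sperre -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp -m multiport --dports 21,22,25,80,3389,1723 -j ACCEPT

    # Port forwards: each DNAT entry needs a matching FORWARD accept,
    # because DNAT alone does not get a packet past a DROP policy.
    for spec in "tcp 21 192.168.1.198" "tcp 3389 192.168.1.220" \
                "tcp 1723 192.168.1.2" "tcp 4661:4662 192.168.1.198" \
                "udp 4665 192.168.1.198"; do
        set -- $spec        # unquoted on purpose: split into proto port target
        run iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$1" --dport "$2" -j DNAT --to "$3"
        run iptables -A fwd_sperre -i "$WAN_IF" -o "$LAN_IF" -d "$3" -p "$1" --dport "$2" -j ACCEPT
    done
    # GRE (IP protocol 47) carries the PPTP tunnel; protocol 37 is not needed.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p 47 -j DNAT --to 192.168.1.220
    run iptables -A fwd_sperre -i "$WAN_IF" -o "$LAN_IF" -d 192.168.1.220 -p 47 -j ACCEPT

    # Explicit rejects at the end of each chain, then hook the chains in.
    for c in in_sperre fwd_sperre; do
        run iptables -A "$c" -p tcp -j REJECT --reject-with tcp-reset
        run iptables -A "$c" -p udp -j REJECT --reject-with icmp-port-unreachable
    done
    run iptables -A INPUT -j in_sperre
    run iptables -A FORWARD -j fwd_sperre

    # Masquerade LAN traffic leaving on the Internet side.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Reverse-path filtering replaces the two hand-written anti-spoofing
    # rules; forwarding is switched on last, once every rule is in place.
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    run sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    apply) firewall_rules ;;                 # as root: install the rules
    *)     DRY_RUN=1; firewall_rules ;;      # default: print them for review
esac
```

"sh firewall.sh" prints the rule set in the order it would be applied; "sh firewall.sh apply" installs it. Keeping INPUT and FORWARD in separate chains means that a port you open for a LAN server (port 21 to 192.168.1.198, say) is no longer also open on the firewall itself, which is the point Antony and Cedric both raise about the shared sperre chain.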