Re: Is my script good and secure?
From: Antony Stone @ 2004-03-15 13:50 UTC
To: netfilter
On Monday 15 March 2004 1:28 pm, netfilter@sbgit.com wrote:
> Is this a good and secure Firewall Script?
> echo "1" > /proc/sys/net/ipv4/ip_forward # Initialising of Forwarding
Suggest you do this at the end, after setting up all the rules, instead of at
the beginning, when some packets might get forwarded before you're ready.
> iptables -F sperre
> iptables -X sperre
> iptables -N sperre
I notice you are calling this user-defined chain from both INPUT and FORWARD -
this means that all the protocols you allow *through* the firewall are also
accepted *to* it - is this what you want?
> iptables -A sperre -i eth1 --dport 22,19,21,22,25,3389,1723,23000:23001 -j
> ACCEPT # Allow outbound only for specific ports
For example, the above rule is going to get called by both FORWARD and INPUT -
think about whether that's what you meant to set up.
> iptables -A sperre -p tcp --dport 23001:23001 -j ACCEPT # Battlefield
Did you mean "--dport 23000:23001"?
> iptables -A sperre -m state --state ESTABLISHED,RELATED -j ACCEPT
Put this rule at the top of the chain, so it gets matched first - nearly all
of your traffic will match here, so make it efficient to process.
> iptables -A PREROUTING -t nat -i eth0 -p 37 -j DNAT --to 192.168.1.220
You have a VPN which uses protocol 37 (DDP: Datagram Delivery Protocol) ???
I think you mean 47: GRE.
> # Special Rules
> iptables -A INPUT -i eth0 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
> iptables -A OUTPUT -o eth1 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
> iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --destination-port 25 -j
> ACCEPT
No need for this rule as packets will match on the INPUT rule above (unless
you meant eth1?)
> iptables -A INPUT lo -p tcp --destination-port 10024 -j ACCEPT
Missing a "-i" there :)
> echo "Firewall started"
Good luck.
Antony.
--
Most people have more than the average number of legs.
Please reply to the list;
please don't CC me.
Re: Is my script good and secure?
From: Cedric Blancher @ 2004-03-15 14:06 UTC
To: netfilter; +Cc: netfilter
On Mon 15/03/2004 at 14:28, netfilter@sbgit.com wrote:
> Is this a good and secure Firewall Script?
See below for comments.
> # Flushing, Deleting, Create #
> ################################################################
> iptables -F
> iptables -F -t nat
>
> iptables -F sperre
Flushing the sperre chain is useless. It has already been flushed by the
prior "iptables -F", which flushes all chains, including user-defined ones.
> iptables -X sperre
> iptables -N sperre
Why destroy the sperre chain to recreate it just after?
> iptables -F sperre
Flushing the sperre chain (again) here is useless, since it has just been
created and so is empty.
These two lines will do the same, except for the byte counts, which are
zeroed by chain deletion:
iptables -F
iptables -t nat -F
If counter zeroing is important to you, just add:
iptables -Z
However, when I write a script, I like to flush everything at startup so
I can launch my script whatever rules I may already have. So I would do this:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -N sperre
> # first contact #
> #################
> iptables -A sperre -i eth1 -s ! 192.168.1.0/255.255.255.0 -j DROP # Drop everything that does not come from the local LAN
This should be handled through reverse path filtering, which checks the
source against your routing table. So, if a source that should be routed
via another interface than eth1 comes in on it, the packet is destroyed.
> iptables -A sperre -i eth1 --dport
> 22,19,21,22,25,3389,1723,23000:23001 -j ACCEPT # Allow outbound only
> for specific ports
This rule won't work:
--dport switch needs -p tcp or -p udp
--dport has only one argument
Should be:
iptables -A sperre -i eth1 -p tcp -m mport \
--dports 22,19,21,22,25,3389,1723,23000:23001 \
-j ACCEPT
> iptables -A sperre -i lo -s 127.0.0.1/255.0.0.0 -j ACCEPT
> # Allow everything from loopback
Note that you can have other sources on loopback. Suppose you ping your
eth1 address. Supposing it is 192.168.1.1, when you do:
ping 192.168.1.1
You'll see 192.168.1.1 pinging 192.168.1.1 on lo. This very rule does
not accept this.
> iptables -A sperre -i eth0 -s 192.168.1.0/255.255.255.0 -j
> DROP # Drop everything that comes from outside to
> inside with LAN IPs
Reverse path filtering will handle this fine.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
> # acceptstuff #
> ###############
> iptables -A sperre -p tcp --dport 21 -j ACCEPT # ftp
> iptables -A sperre -p tcp --dport 23001:23001 -j ACCEPT # Battlefield Server
Check your range. There's no range here.
> iptables -A sperre -p tcp --dport 90 -j ACCEPT # DVISE
> iptables -A sperre -p tcp --dport 80 -j ACCEPT # HTTP
> iptables -A sperre -p tcp --dport 3389 -j ACCEPT # VPN
VPN? You mean Terminal Server I guess. I would accept Terminal Server
only through SSH redirection.
> # Allow replies #
> ######################
> iptables -A sperre -m state --state ESTABLISHED,RELATED -j ACCEPT
This rule should be at the very beginning, for it's the rule that will
match most of the packets you'll handle. This is an optimisation.
> # activating sperre#
> #####################
> iptables -A INPUT -j sperre
> iptables -A FORWARD -j sperre
I don't think handling INPUT and FORWARD through the same chain is a
good idea, for you must not have the same needs for them. I mean this
will end in allowing stuff for INPUT that should not be, and the same
for FORWARD.
> iptables -P OUTPUT ACCEPT # output accept
> iptables -P OUTPUT ACCEPT -t nat
Not needed. You should not touch nat chain policies.
> # NAT #
> #######
[...]
> iptables -A PREROUTING -t nat -i eth0 -p 37 -j DNAT --to
> 192.168.1.220 # VPN Server
IP proto 37 is not used for VPN. This rule is not needed.
> # Special Rules
> iptables -A INPUT -i eth0 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
> iptables -A OUTPUT -o eth1 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
Your firewall is to connect to an internal host on TCP/25? Why have an
ACCEPT on output, when your OUTPUT policy is ACCEPT?
> iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --destination-port 25 -j ACCEPT
This rule will never get matched. It is impossible, and you stated it
before, that a 192.168.1.0/24 originated packet comes through eth0,
since this network is attached to eth1.
> iptables -A OUTPUT -o eth0 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
You do not need to have OUTPUT accept rules, since OUTPUT policy is
ACCEPT.
> iptables -A INPUT lo -p tcp --destination-port 10024 -j ACCEPT
> iptables -A OUTPUT -o lo -p tcp --destination-port 10024 -j ACCEPT
> iptables -A INPUT -i lo -p tcp --destination-port 10025 -j ACCEPT
> iptables -A OUTPUT -o lo -p tcp --destination-port 10025 -j ACCEPT
You specified you want to accept all lo traffic. Why add rules?
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
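Pulling both replies together, here is an added example (not code from the thread or its posters) that rebuilds the reviewed script the way Antony and Cedric suggest: one atomic iptables-restore ruleset instead of the flush/delete/create sequence, separate chains for INPUT and FORWARD, the ESTABLISHED,RELATED rule first in each chain, the --dport list turned into a proper multiport match, the 23000:23001 range fixed, rp_filter enabled, and ip_forward turned on last. Interface roles, the LAN prefix and 192.168.1.220 come from the reviewed script; protocol 47 follows Antony's guess, and the chain names fw_input/fw_forward and the per-direction port lists are assumptions for illustration.

```shell
# Added example, not from the thread. Layout follows the reviewed script:
# eth0 outside, eth1 the 192.168.1.0/24 LAN, 192.168.1.220 the VPN host.
# Protocol 47 (GRE) is Antony's guess; the port lists are illustrative
# assumptions, split by direction as Cedric suggests.
LAN_OUT_PORTS="21,22,25,3389,1723,23000:23001"   # LAN -> Internet
WAN_IN_PORTS="21,80,90,23000:23001"              # Internet -> LAN, range fixed
build_ruleset() {
    # iptables-restore format: each *table block replaces that table
    # atomically, so the -F/-X dance of the original script is unnecessary.
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p 47 -j DNAT --to-destination 192.168.1.220
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fw_input - [0:0]
:fw_forward - [0:0]
-A INPUT -j fw_input
-A FORWARD -j fw_forward
-A fw_input -m state --state ESTABLISHED,RELATED -j ACCEPT
-A fw_input -i lo -j ACCEPT
-A fw_input -i eth0 -p tcp --dport 25 -j ACCEPT
-A fw_input -i eth1 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
-A fw_forward -m state --state ESTABLISHED,RELATED -j ACCEPT
-A fw_forward -i eth1 -o eth0 -s 192.168.1.0/24 -p tcp -m multiport --dports $LAN_OUT_PORTS -j ACCEPT
-A fw_forward -i eth0 -o eth1 -d 192.168.1.220 -p 47 -j ACCEPT
-A fw_forward -i eth0 -o eth1 -p tcp -m multiport --dports $WAN_IN_PORTS -j ACCEPT
COMMIT
EOF
}

apply_ruleset() {
    # Anti-spoofing first, ruleset next, forwarding last (Antony's point).
    sysctl -w net.ipv4.conf.all.rp_filter=1 >/dev/null
    build_ruleset | iptables-restore
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}
# True when the ESTABLISHED,RELATED rule precedes every port rule in chain $1.
state_rule_first() {
    build_ruleset | awk -v c="$1" '
        $2 == c && /--state ESTABLISHED,RELATED/ && !s { s = NR }
        $2 == c && /--dport/ && !p { p = NR }
        END { exit !(s && p && s < p) }'
}
```

Source the file and call build_ruleset to review the generated ruleset, or apply_ruleset as root to load it.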