Linux Netfilter discussions
* Please critique my iptables script
@ 2002-06-03  3:43 Jeff Bonner
From: Jeff Bonner @ 2002-06-03  3:43 UTC (permalink / raw)
  To: netfilter


Greetings,

After reading all the documentation I could find (and understand), and 
viewing numerous examples, I have begun to write my own iptables script. 
I chose not to use something like ShoreWall, because I wanted to 
understand what was going on, and keep it as simple as possible.

Since I had only limited experience with ipchains before this, and I'm a 
newbie at Linux in general, I don't know if there are any glaring holes 
or omissions in the script, or if things could be done more "cleanly", 
etc.  I would like to solicit any constructive criticism, comments or 
suggestions that may be appropriate.

The script can be viewed at http://firegate.lunarfox.com and is also 
attached to this mail.  I have placed comments throughout, to explain 
what I'm trying to do, and also to ask questions in certain places.

Thanks in advance,

Jeff Bonner

[-- Attachment #2: firewall.040 --]
[-- Type: text/plain, Size: 6682 bytes --]

#!/bin/bash

# Program Name = FireGate
# Intended Use = An IPTABLES firewall ruleset and NAT gateway
# Revision Num = 0.40
# Created File = 20 Jan 2002
# Last Updated = 01 Jun 2002
#
# Copyright 2002 Jeff Bonner (lunar@xrs.net, http://www.lunarfox.com)
# 
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License,
# Version 2, as published by the Free Software Foundation (for
# complete text, see http://www.gnu.org/copyleft/gpl.html).
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

echo -e -n "\nStarting FireGate v0.40... "

# Basic Variables;
#
IPT="/sbin/iptables"					# Where is IPTABLES
EVIL="24.0.0.203"					# Blacklisted IPs
DHCP="172.30.166.36"					# DHCP server IP
DNS="68.60.32.5 206.141.251.2"				# DNS server IP

# SYSCTL DoS Prevention, etc;
# Definitions at http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO-13.html
#
echo 1 > /proc/sys/net/ipv4/ip_forward			# Enable masq below
echo 1 > /proc/sys/net/ipv4/ip_dynaddr			# Rebound to new addr
echo 1 > /proc/sys/net/ipv4/tcp_syncookies		# No TCP SYN overload
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # No Smurf amplifying
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians	# Spoof/route/redirect
echo 0 > /proc/sys/net/ipv4/tcp_timestamps		# Uptime/Gigabit ether
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects	# No route altering
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

for r in /proc/sys/net/ipv4/conf/*/rp_filter; do	# Impossible addresses;
 echo 1 > $r						# can "2" be used here
done							# for full reversepath?

# Performance Tuning;
# What are appropriate values to change here, if any, for 2.4.x?
#
# echo 30  > /proc/sys/net/ipv4/tcp_fin_timeout		# Reduce dead sockets?
# echo 180 > /proc/sys/net/ipv4/tcp_keepalive_intvl	# Is this even needed?

# Erase Previous Rules, Define Policy;
#
$IPT -F							# Flush built-in rules
$IPT -X							# Erase custom rules
$IPT -Z							# Zero all counters
$IPT -F -t nat						# Flush pre/postrouting 

$IPT -P INPUT DROP					#
$IPT -P OUTPUT ACCEPT					# Set default policies
$IPT -P FORWARD DROP					#

$IPT -A INPUT -i lo -j ACCEPT				# Loopback traffic OK

$IPT -A INPUT -i eth0 -s 10.0.0.0/8 	-j DROP		#
$IPT -A INPUT -i eth0 -s 172.16.0.0/12	-j DROP		#
$IPT -A INPUT -i eth0 -s 192.168.0.0/16	-j DROP		# Toss any private
$IPT -A INPUT -i eth0 -s 127.0.0.0/8	-j DROP		# addresses coming in
$IPT -A INPUT -i eth0 -s 169.254.0.0/16	-j DROP		# from ext interface
$IPT -A INPUT -i eth0 -s 224.0.0.0/4	-j DROP		#
$IPT -A INPUT -i eth0 -s 240.0.0.0/5	-j DROP		#

$IPT -A INPUT -s 255.255.255.255 -d 0/0 -j DROP		# No bogus routing

for e in $EVIL; do					#
 $IPT -A INPUT -s $e -j DROP				# Drop blacklist sites
done							#

							# Toss any inbound
							# (no -i eth0 here, so
							# these also apply to
							# the LAN side)
$IPT -A INPUT -p udp --sport 137:139 -j DROP		#  ... SMB
$IPT -A INPUT -p tcp --dport 80      -j DROP		#  ... HTTP
$IPT -A INPUT -p tcp --dport 22:23   -j DROP		#  ... Telnet/SSH
$IPT -A INPUT -p tcp --dport 1214    -j DROP		#  ... KaZaA

# Redirect ports for ReAIM proxy;
# The clients sit behind the gateway, so match on the LAN side: eth0 is
# the external interface and "-i eth0" would never see their connections.
#
$IPT -t nat -A PREROUTING -i ! eth0 -p tcp \
	--dport 5190 -j REDIRECT --to-ports 5190 	# AIM/ICQ Clients
$IPT -t nat -A PREROUTING -i ! eth0 -p tcp \
	--dport 1863 -j REDIRECT --to-ports 1863	# MSN Clients

# Port Scanners, etc;
# Is this effective (or even necessary)?
# Note: mask SYN,ACK,FIN,RST compared against RST matches every packet
# carrying a bare RST (RST+ACK does not match), including resets sent
# back to the firewall's own outbound connections, since this rule sits
# ahead of the ESTABLISHED,RELATED accept in TRAFFIC.
#
$IPT -N SCAN
$IPT -A INPUT -i eth0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j SCAN
$IPT -A SCAN -m limit --limit 1/s -j LOG --log-level info \
   --log-prefix "**PORTSCAN** "
$IPT -A SCAN -j DROP

# Fragmented Packets;
# How often are these seen? Are they mostly hostile? What do they break?
#
$IPT -A INPUT -i eth0 -f -j LOG -m limit --limit 1/s \
     --log-level info --log-prefix "**FRAGMENT** "
$IPT -A INPUT -i eth0 -f -j DROP

# Hostile TCP Flags;
#
$IPT -N FLAGS
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j FLAGS
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j FLAGS
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j FLAGS
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j FLAGS
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j FLAGS
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j FLAGS
$IPT -A FLAGS -m limit --limit 60/minute -j LOG \
     --log-level info --log-prefix "**BADFLAGS** "
$IPT -A FLAGS -j DROP

# Miscellaneous Stuff;
#
$IPT -A INPUT -i eth0 -p tcp ! --syn -m state \
     --state NEW -j DROP				# New TCP must be SYN

$IPT -A INPUT -p tcp --dport 113 -j REJECT \
     --reject-with tcp-reset				# Handle auth/ident

$IPT -I INPUT -p udp -s $DHCP --sport 67 -d 0/0 \
     --dport 68 -j ACCEPT				# Let firewall get IP;
							# inserted at the head of
							# INPUT because $DHCP lies
							# in 172.16/12, which the
							# eth0 private-address
							# drops above would match
							# first and DROP it

# Allow authorized DNS servers;
#
for d in $DNS; do
  $IPT -A INPUT -p udp -s $d --sport 53 -d 0/0 \
     -j ACCEPT
done

# Blocked Outbound Trojan, Etc ports;
#
$IPT -N STOPOUT
$IPT -A OUTPUT -p tcp --dport 137:139     -j STOPOUT	# SMB
$IPT -A OUTPUT -p tcp --dport 31335:31337 -j STOPOUT	# Trinoo
$IPT -A OUTPUT -p tcp --dport 27444       -j STOPOUT	# Trinoo Slave
$IPT -A OUTPUT -p tcp --dport 27655       -j STOPOUT	# Trinoo Master
$IPT -A STOPOUT -m limit --limit 1/s -j LOG \
	--log-level info --log-prefix "**OUTBOUND** "	# Log these attempts
$IPT -A STOPOUT -j DROP					# then drop packets

# ICMP Control;
# Are these the only 'proper' ones to allow?
#
$IPT -A INPUT -p icmp --icmp-type 0 -s 0/0  -j ACCEPT	# ICMP echo reply
$IPT -A INPUT -p icmp --icmp-type 3 -s 0/0  -j ACCEPT	# ICMP dest-unreach
$IPT -A INPUT -p icmp --icmp-type 11 -s 0/0 -j ACCEPT	# ICMP time-exceeded
$IPT -A INPUT -p icmp -j LOG -m limit --limit 30/minute \
     --log-level info --log-prefix "**ICMP DROP** "	# Log anything denied
$IPT -A INPUT -p icmp -j DROP				# Drop failed packets

# Open IM File Xfer, Direct Connect for ReAIM;
#
$IPT -A INPUT -p tcp --dport 5190 	-j ACCEPT	# AOL/ICQ Client
$IPT -A INPUT -p tcp --dport 1863	-j ACCEPT	# MSN IM Client

# Main Ruleset;
#
$IPT -N TRAFFIC
$IPT -A TRAFFIC -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A TRAFFIC -m state --state NEW -i ! eth0 -j ACCEPT
$IPT -A TRAFFIC -j LOG -m limit --limit 60/minute \
     --log-level info --log-prefix "**PACKET DROP** "	# Log anything denied
$IPT -A TRAFFIC -j DROP					# Drop failed packets

$IPT -A FORWARD -j TRAFFIC				# Send FORWARD to above
$IPT -A INPUT 	-j TRAFFIC				# Send INPUT to above

# Enable NAT/Masquerading;
# Should this be located earlier in the script?
#
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE	# Enable sNAT

echo -e "DONE.\n"
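The two ordering questions the attached script raises (the DHCP accept sitting after the 172.16.0.0/12 drop although 172.30.166.36 falls inside that range, and what the SCAN rule's flag mask actually matches) can be checked offline with a small first-match model. The following is an added example written for this page, not code from Jeff's post: it mimics how netfilter walks a chain, using the addresses and flag masks from the script. The packets are constructed, 203.0.113.9 is a documentation address, and only the match types needed here (interface, protocol, source network, ports, TCP flag mask) are modelled.

```python
import ipaddress

# Added example (not part of the original post): a toy first-match evaluator
# that mimics how netfilter walks an iptables chain, used to check rule
# ordering in the posted script offline.

PRIVATE_BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/5"]
DHCP_SERVER = "172.30.166.36"          # DHCP variable from the posted script


def rule(target, **criteria):
    """One chain entry: match criteria plus the target taken when they all hold."""
    return {"target": target, **criteria}


def matches(r, pkt):
    """True when every criterion in rule r holds for packet pkt (a dict)."""
    for key, want in r.items():
        if key == "target":
            continue
        if key == "src":                      # -s network/prefix
            if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(want):
                return False
        elif key == "tcp_flags":              # --tcp-flags MASK COMP
            mask, comp = want
            if pkt.get("proto") != "tcp" or (pkt["flags"] & mask) != comp:
                return False
        elif pkt.get(key) != want:            # iface, proto, sport, dport
            return False
    return True


def evaluate(chain, pkt, policy="DROP"):
    """Walk the chain in order and return (target, rule index) of the first
    match, or (policy, None) when nothing matched, as the chain policy would."""
    for idx, r in enumerate(chain):
        if matches(r, pkt):
            return r["target"], idx
    return policy, None


def input_chain(dhcp_first):
    """The head of the posted INPUT chain: loopback accept, then the eth0
    private-address drops, with the DHCP accept either appended after them
    (as -A does) or inserted ahead of them (as -I does)."""
    dhcp = rule("ACCEPT", proto="udp", src=DHCP_SERVER, sport=67, dport=68)
    chain = [rule("ACCEPT", iface="lo")]
    if dhcp_first:
        chain.append(dhcp)
    chain += [rule("DROP", iface="eth0", src=net) for net in PRIVATE_BOGONS]
    if not dhcp_first:
        chain.append(dhcp)
    return chain


# Constructed DHCP reply from the script's server address, arriving on eth0.
DHCP_REPLY = {"iface": "eth0", "proto": "udp", "src": DHCP_SERVER,
              "sport": 67, "dport": 68}

# TCP flag bits, and the script's SCAN dispatch rule: --tcp-flags SYN,ACK,FIN,RST RST
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
SCAN_RULE = rule("SCAN", iface="eth0", proto="tcp",
                 tcp_flags=(SYN | ACK | FIN | RST, RST))


def scan_verdict(flags):
    """Apply only the SCAN dispatch rule to a constructed TCP packet from eth0;
    CONTINUE stands for 'no match, fall through to the next rule'."""
    pkt = {"iface": "eth0", "proto": "tcp", "src": "203.0.113.9", "flags": flags}
    return evaluate([SCAN_RULE], pkt, policy="CONTINUE")[0]


if __name__ == "__main__":
    print("DHCP reply, accept appended:", evaluate(input_chain(False), DHCP_REPLY))
    print("DHCP reply, accept inserted:", evaluate(input_chain(True), DHCP_REPLY))
    print("bare RST:", scan_verdict(RST), " RST+ACK:", scan_verdict(RST | ACK))
```

With the accept appended, the DHCP reply is dropped by the third rule (the 172.16.0.0/12 entry); inserted ahead of the drops it is accepted. For the SCAN rule, a packet with only RST set among SYN, ACK, FIN and RST matches, while RST+ACK falls through, which is what decides whether resets to the gateway's own connections end up logged as port scans.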
