* [gentoo-user] iptables firewall script
From: Dave @ 2009-07-17 11:12 UTC
To: gentoo-user
Hello,
Can anyone good with iptables give this script a once over? It is
working, but in a very inconsistent manner, sometimes it lets traffic in,
other times not. Two things it does not have are DHCP rules, as this box gets
its address via DHCP, and CIFS rules, as this machine mounts CIFS shares; if
anyone has those I'd appreciate them. This is a single NIC box, not a router,
just an internal client I'd like to protect.
Adapted from:
http://www.novell.com/coolsolutions/feature/18139.html
Thanks.
Dave.
#!/bin/bash
#
# Script for iptables firewall

# define variables
IF_PUB=eth0
IP_PUB=192.168.0.106
NET_PRV=192.168.0.0/24
ANYWHERE=0.0.0.0/0

# set up default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# remove any existing rules
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# Removes any user-defined chains
iptables -X

# If the machine is a router enable the next line
#echo 1 > /proc/sys/net/ipv4/ip_forward
# forward from the public interface
#iptables -A FORWARD -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow everything to and from the loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow communications on the local network
# This allows unrestricted communications
#iptables -A INPUT -i $IF_PUB -s $NET_PRV -j ACCEPT
# This allows only established or related connections in, and anything out to the LAN
iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IF_PUB -d $NET_PRV -j ACCEPT

# If you're doing NAT (-o takes the outgoing interface, not its address)
#iptables -t nat -A POSTROUTING -s $NET_PRV -o $IF_PUB -j SNAT --to $IP_PUB

# allow various types of ICMP:
# 0 echo reply, 3 destination unreachable, 11 time exceeded, and 8 echo request (rate limited)
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

# allow ssh
iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB -m limit --limit 1/minute --limit-burst 1 -j ACCEPT

# mail and web server on a different host
#iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j DNAT --to 192.168.1.254
#iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j DNAT --to 192.168.1.253
#iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport http -j ACCEPT

# send a tcp reject
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

# block irc
#iptables -A INPUT -p tcp --dport irc -j DROP
#iptables -A INPUT -p udp --dport irc -j DROP
#iptables -A INPUT -p tcp --dport irc-serv -j DROP
#iptables -A INPUT -p udp --dport irc-serv -j DROP
#iptables -A INPUT -p tcp --dport ircs -j DROP
#iptables -A INPUT -p udp --dport ircs -j DROP
# These discard TCP and UDP IRC, IRC server and Secure IRC traffic.

# block a specific host
#iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j REJECT --reject-with icmp-host-prohibited

# traffic from one port to another
#iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j DNAT --to 192.168.1.254:443
# IF_PRV (the private interface of a two-NIC router) is not defined above
#iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p tcp --dport 443 -j ACCEPT
* Re: [gentoo-user] iptables firewall script
From: Mick @ 2009-07-17 12:52 UTC
To: gentoo-user
2009/7/17 Dave <dave.mehler@gmail.com>:
> Hello,
> Can anyone good with iptables give this script a once over? It is
> working, but in a very inconsistent manner, sometimes it lets traffic in,
> other times not. Two things it does not have are DHCP rules, as this box gets
> its address via DHCP, and CIFS rules, as this machine mounts CIFS shares; if
> anyone has those I'd appreciate them. This is a single NIC box, not a router,
> just an internal client I'd like to protect.
> Adapted from:
>
> http://www.novell.com/coolsolutions/feature/18139.html
>
> Thanks.
> Dave.
>
> #!/bin/bash
> #
> # Script for iptables firewall
>
> # define variables
> IF_PUB=eth0
> IP_PUB=192.168.0.106
> NET_PRV=192.168.0.0/24
> ANYWHERE=0.0.0.0/0
>
> # set up default policies
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # remove any existing rules
> iptables -F -t nat
> iptables -F -t mangle
> iptables -F -t filter
> # Removes any user-defined chains
> iptables -X
>
> # If the machine is a router enable the next line
> #echo 1 > /proc/sys/net/ipv4/ip_forward
If you don't want to forward then echo 0, instead of 1, or instead of
just commenting it out.
> # forward from the public interface
> #iptables -A FORWARD -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # allow everything to and from the loopback
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # allow communications on the local network
> # This allows unrestricted communications
> #iptables -A INPUT -i $IF_PUB -s $NET_PRV -j ACCEPT
> # This allows only established or forwarded connections
> iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o $IF_PUB -d $NET_PRV -j ACCEPT
Not sure that this is necessary.
> # If your doing nat
> #iptables -t nat -A POSTROUTING -s $NET_PRV -o $IP_PUB -j SNAT --to $IP_PUB
>
> # allow various types of ICMP
> # 8 for echo request, echo response, destination unreachable, and time exceeded
> iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
>
> # allow ssh
> iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
This opens *all* tcp ports and throttles the connection (you'll be
dropping packets and get an unreliable connection). I suggest that
you only open the port you need; e.g. -m tcp --dport 10201, also if
you only access this box via ssh from your LAN, then restrict access
to it from your private subnet: -s $NET_PRV and remove the --limit
match completely. If you're worried about brute force attacks on your
sshd, then perhaps use something like fail2ban, or better use public
key authentication only (no passwd), or construct a set of rules to
limit the amount of accepted attempts:
=====================================
Name it something:
blah-blah -m state --state NEW --dport 22 -m recent --name ssh_crackers --set
Log the persistent attacks:
blah-blah -m state --state NEW --dport 22 -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -j LOG -m limit --limit 3/minute --limit-burst 3 --log-level 4 --log-prefix 'SSH REJECT: '
Block them:
blah-blah -m state --state NEW --dport 22 -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset
=====================================
> # mail and web server on a different host
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j DNAT --to 192.168.1.254
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j DNAT --to 192.168.1.253
> #iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport http -j ACCEPT
>
> # send a tcp reject
> iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
>
> # block irc
> #iptables -A INPUT -p tcp --dport irc -j DROP
> #iptables -A INPUT -p udp --dport irc -j DROP
> #iptables -A INPUT -p tcp --dport irc-serv -j DROP
> #iptables -A INPUT -p udp --dport irc-serv -j DROP
> #iptables -A INPUT -p tcp --dport ircs -j DROP
> #iptables -A INPUT -p udp --dport ircs -j DROP
> # These discard TCP and UDP IRC, IRC server and Secure IRC traffic.
>
> # block a specific host
> #iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j REJECT --reject-with icmp-host-prohibited
>
> # traffic from one port to another
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j DNAT --to 192.168.1.254:443
> #iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p tcp --dport 443 -j ACCEPT
Then block anything else:
iptables -A INPUT -p all -j DROP
Finally, run nmap from within/out your LAN on all ports and see what you get.
HTH.
--
Regards,
Mick
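As an added example (this is neither Dave's script nor Mick's code), here is the single-NIC client ruleset rewritten along the lines of Mick's review: ssh limited to one port and to the LAN with his recent-list throttle placed in front of the ACCEPT, an explicit catch-all DROP at the end, and the DHCP client and CIFS client rules Dave asked for. Everything not on the page is an assumption and is marked as such in the comments: sshd listens on port 22 (SSH_PORT), DHCP is the standard UDP 67/68 exchange, CIFS means TCP 139 and 445 towards LAN servers, the host wants outbound DNS/HTTP/HTTPS, and the IPT variable with the --load/--check switches is a convention of this example only. The OUTPUT chain also gets its own ESTABLISHED,RELATED rule, which Dave's script lacked, so replies to accepted inbound connections can leave the box.

```shell
#!/bin/sh
# Added example, not Dave's script or Mick's code. With no argument it only
# prints the rules (IPT=echo), so it can be reviewed without root or netfilter.
IPT=${IPT:-iptables}

IF_PUB=eth0              # the only interface on this box
IP_PUB=192.168.0.106     # its address, from Dave's script
NET_PRV=192.168.0.0/24   # the LAN trusted for ssh and CIFS
SSH_PORT=22              # assumed: sshd on the default port

load_rules() {
    # default deny on every chain, then start from empty tables
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F -t nat
    $IPT -F -t mangle
    $IPT -F -t filter
    $IPT -X

    # loopback is always fine
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # packets of connections already accepted, in both directions
    $IPT -A INPUT  -i "$IF_PUB" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$IF_PUB" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DHCP client (assumed rules): requests leave from UDP 68 to 67, offers
    # return from 67 to 68. Clients that use raw sockets bypass netfilter for
    # this exchange anyway, in which case these rules are simply harmless.
    $IPT -A OUTPUT -o "$IF_PUB" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT  -i "$IF_PUB" -p udp --sport 67 --dport 68 -j ACCEPT

    # CIFS client (assumed rules): SMB on TCP 445, NetBIOS session on 139,
    # only towards servers on the LAN; replies match ESTABLISHED above
    $IPT -A OUTPUT -o "$IF_PUB" -d "$NET_PRV" -p tcp -m multiport --dports 139,445 \
         -m state --state NEW -j ACCEPT

    # ordinary outbound client traffic (assumed): DNS, HTTP and HTTPS
    $IPT -A OUTPUT -o "$IF_PUB" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o "$IF_PUB" -p tcp -m multiport --dports 53,80,443 \
         -m state --state NEW -j ACCEPT

    # ICMP: echo reply, destination unreachable, time exceeded, rate-limited echo request
    for t in 0 3 11; do
        $IPT -A INPUT -p icmp --icmp-type $t -j ACCEPT
    done
    $IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

    # ssh on SSH_PORT only, with Mick's recent-list throttle in front of the
    # ACCEPT: every new attempt is recorded, and the fourth within 60 seconds
    # from the same source is logged (the log itself rate-limited) and reset
    $IPT -A INPUT -i "$IF_PUB" -p tcp --dport "$SSH_PORT" -m state --state NEW \
         -m recent --name ssh_crackers --set
    $IPT -A INPUT -i "$IF_PUB" -p tcp --dport "$SSH_PORT" -m state --state NEW \
         -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 \
         -j LOG -m limit --limit 3/minute --limit-burst 3 --log-level 4 --log-prefix 'SSH REJECT: '
    $IPT -A INPUT -i "$IF_PUB" -p tcp --dport "$SSH_PORT" -m state --state NEW \
         -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 \
         -j REJECT --reject-with tcp-reset
    # what survives the throttle is accepted, but only from the LAN
    $IPT -A INPUT -i "$IF_PUB" -s "$NET_PRV" -d "$IP_PUB" -p tcp --dport "$SSH_PORT" \
         -m state --state NEW -j ACCEPT

    # everything else: TCP gets a reset so clients fail fast, the rest is dropped
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -j DROP
}

# Count INPUT rules that ACCEPT TCP without any --dport, i.e. the mistake Mick
# pointed out in Dave's ssh rule, by inspecting the dry-run output.
broad_tcp_accepts() {
    (IPT=echo; load_rules) | awk '
        /-A INPUT/ && /-p tcp/ && /-j ACCEPT/ && !/--dport/ { n++ }
        END { print n + 0 }'
}

case "${1:-}" in
    --load)  load_rules ;;               # load into the kernel (needs root)
    --check) broad_tcp_accepts ;;        # lint: should print 0
    *)       (IPT=echo; load_rules) ;;   # default: just print the rules
esac
```

Run it with no argument first and read the printed rules, then with --check (it prints 0 when no TCP ACCEPT is missing a --dport), and only then with --load as root; Mick's nmap scan from inside and outside the LAN is still the final test, since it exercises the ruleset as the kernel actually applies it.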