From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-user+bounces-98042-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1MRmvh-0000EX-Rr
	for garchives@archives.gentoo.org; Fri, 17 Jul 2009 12:52:50 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 7AD0CE037F;
	Fri, 17 Jul 2009 12:52:48 +0000 (UTC)
Received: from mail-fx0-f211.google.com (mail-fx0-f211.google.com [209.85.220.211])
	by pigeon.gentoo.org (Postfix) with ESMTP id 2767DE037F
	for <gentoo-user@lists.gentoo.org>; Fri, 17 Jul 2009 12:52:48 +0000 (UTC)
Received: by fxm7 with SMTP id 7so620126fxm.34
        for <gentoo-user@lists.gentoo.org>; Fri, 17 Jul 2009 05:52:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:received:in-reply-to:references
         :date:message-id:subject:from:to:content-type
         :content-transfer-encoding;
        bh=S9sZQ5KJ0EVahrBGOmyuaprO9lYmTLxF0fDSOSXvaRU=;
        b=QVNWlcXqQQn3YreKcY/O9ndKoR6YAOHgdI8RY9J6hbZrWiC8gpwf//JR0ltsDSpOJo
         HIjILM14iM+q3Bc5RWVews3MU2VeD/db2P4n0XCThYZu6fHqBIeDRp3f0imzqLWgRMiJ
         ZhW6UokpzlpO0cOcTn4ea36T2XUSA/ZvMXZDU=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type:content-transfer-encoding;
        b=V0TURFT36gPXueyx1sBRmGSb29UgTpjZzV/ZoUWbhJBFPFQKTEigDj8i+JW7+IrvL7
         ByNoZOiWZZ1Qc7nqPkWZrYH5kz+URx3y3ca5ZEQWxfX9jDMAXVkYhwmXtIMlJo1PjBI8
         kVk0iHctq2+tcZlb1xQjqS3cvD0V6u44AFvHg=
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Received: by 10.103.212.9 with SMTP id o9mr508204muq.135.1247835167522; Fri, 
	17 Jul 2009 05:52:47 -0700 (PDT)
In-Reply-To: <46704986DF6D48C3ACB58D9BC8102670@hades>
References: <46704986DF6D48C3ACB58D9BC8102670@hades>
Date: Fri, 17 Jul 2009 13:52:47 +0100
Message-ID: <358eca8f0907170552v12632015l945b60f02b2348d4@mail.gmail.com>
Subject: Re: [gentoo-user] iptables firewall script
From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Archives-Salt: ed5edf8e-ce76-486e-9b48-faed77c3ea67
X-Archives-Hash: 44930b8cafccd6ae9b4612531de6288a

2009/7/17 Dave <dave.mehler@gmail.com>:
> Hello,
> Can anyone good with iptables give this script a once over? It is
> working, but in a very inconsistent manner, sometimes it lets traffic in,
> other times not. Two things it does not have are dhcp rules as this box gets
> its address via dhcp and cifs rules, this machine mounts cifs shares, if
> anyone has those I'd appreciate them. This is a single nic box, not a router
> just an internal client i'd like to protect.
> Adapted from:
>
> http://www.novell.com/coolsolutions/feature/18139.html
>
> Thanks.
> Dave.
>
> #!/bin/bash
> #
> # Script for iptables firewall
>
> # define variables
> IF_PUB=eth0
> IP_PUB=192.168.0.106
> NET_PRV=192.168.0.0/24
> ANYWHERE=0.0.0.0/0
>
> # set up default policies
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # remove any existing rules
> iptables -F -t nat
> iptables -F -t mangle
> iptables -F -t filter
> # Removes any user-defined chains
> iptables -X
>
> # If the machine is a router enable the next line
> #echo 1 > /proc/sys/net/ipv4/ip_forward

If you don't want to forward then echo 0, instead of 1, or instead of
just commenting it out.

> # forward from the public interface
> #iptables -A FORWARD -i $IF_PUB -m state --state ESTABLISHED,RELATED -j
> ACCEPT
>
> # allow everything to and from the loopback
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # allow communications on the local network
> # This allows unrestricted communications
> #iptables -A INPUT -i $IF_PUB -s $NET_PRV -j ACCEPT
> # This allows only established or forwarded connections
> iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o $IF_PUB -d $NET_PRV -j ACCEPT

Not sure that this is necessary.

> # If you're doing NAT (-o takes the outgoing interface, not its address)
> #iptables -t nat -A POSTROUTING -s $NET_PRV -o $IF_PUB -j SNAT --to $IP_PUB
>
> # allow various types of ICMP
> # 8 for echo request, echo response, destination unreachable, and time
> exceeded
> iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
>
> # allow ssh
> iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB -m limit --limit 1/minute --limit-burst 1 -j ACCEPT

This opens *all* tcp ports and throttles the connection (you'll be
dropping packets and get an unreliable connection).  I suggest that
you only open the port you need; e.g. -m tcp --dport 10201, also if
you only access this box via ssh from your LAN, then restrict access
to it from your private subnet: -s NET_PRV and remove the --limit
match completely.  If you're worried about brute force attacks on your
sshd, then perhaps use something like fail2ban, or better use public
key authentication only (no passwd), or construct a set of rules to
limit the amount of accepted attempts:
=====================================
Name it something:

iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --name ssh_crackers --set

Log the persistent attacks:

iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 4 --log-prefix 'SSH REJECT: '

Block them:

iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset
=====================================

> # mail and web server on a different host
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j DNAT --to 192.168.1.254
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j DNAT --to 192.168.1.253
> #iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport http -j ACCEPT
>
> # send a tcp reject
> iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
>
> # block irc
> #iptables -A INPUT -p tcp --dport irc -j DROP
> #iptables -A INPUT -p udp --dport irc -j DROP
> #iptables -A INPUT -p tcp --dport irc-serv -j DROP
> #iptables -A INPUT -p udp --dport irc-serv -j DROP
> #iptables -A INPUT -p tcp --dport ircs -j DROP
> #iptables -A INPUT -p udp --dport ircs -j DROP
> These discard TCP and UDP IRC, IRC server and Secure IRC traffic.
>
> # block a specific host
> #iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j REJECT --reject-with icmp-host-prohibited
>
> # traffic from one port to another
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j DNAT --to 192.168.1.254:443
> #iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p tcp --dport 443 -j ACCEPT

Then block anything else:

iptables -A INPUT -j DROP


Finally, run nmap from within/out your LAN on all ports and see what you get.

HTH.
-- 
Regards,
Mick
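A complete client rule set along the lines Mick describes, added here as an example; it is not Dave's script and not Mick's rules verbatim. It opens ssh only on its port and only from the LAN, applies the -m recent limiter to new ssh connections, and ends with an explicit DROP. The interface, subnet and port values are the ones used in the two messages above; the DRY_RUN switch, the function names and the DHCP client rule are assumptions made for this example. OUTPUT is left at ACCEPT because a client box with OUTPUT DROP and only $NET_PRV allowed out cannot reach anything beyond the LAN.

```shell
#!/bin/sh
# Added example, not Dave's script or Mick's rules: a single-NIC client
# firewall that opens ssh only on its port and only from the LAN, rate-limits
# new ssh connections with -m recent, and ends with an explicit DROP.
# The DRY_RUN switch, the function names and the DHCP rule are assumptions.
IPT=${IPT:-iptables}
IF_PUB=${IF_PUB:-eth0}
NET_PRV=${NET_PRV:-192.168.0.0/24}
SSH_PORT=${SSH_PORT:-22}
DRY_RUN=${DRY_RUN:-}      # DRY_RUN=1 prints the commands instead of loading them

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

reset_rules() {
    # Flush and delete user chains in every table before setting policies,
    # so re-running the script never leaves stale rules behind.
    for t in filter nat mangle; do
        run -t "$t" -F
        run -t "$t" -X
    done
    run -P INPUT DROP
    run -P FORWARD DROP
    # A client box: let it talk out. OUTPUT DROP with only the LAN allowed
    # would cut it off from everything beyond $NET_PRV.
    run -P OUTPUT ACCEPT
}

base_rules() {
    run -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened, which also covers the CIFS
    # shares it mounts (client-initiated TCP 445/139).
    run -A INPUT -i "$IF_PUB" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m state --state INVALID -j DROP
    # DHCP client: the server's broadcast offer is not tracked as a reply to
    # the discover, so it needs its own rule.
    run -A INPUT -i "$IF_PUB" -p udp --sport 67 --dport 68 -j ACCEPT
    # Echo reply, destination unreachable, time exceeded, and rate-limited pings.
    for t in 0 3 11; do
        run -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    run -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
}

ssh_rules() {
    # Unquoted on purpose below: the shell splits it back into separate arguments.
    SSH_NEW="-i $IF_PUB -s $NET_PRV -p tcp --dport $SSH_PORT -m state --state NEW"
    # Record the source of every new ssh connection from the LAN.
    run -A INPUT $SSH_NEW -m recent --name ssh_crackers --set
    # 4 or more new connections from one source within 60 s: log (throttled) and reset.
    run -A INPUT $SSH_NEW -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 \
        -m limit --limit 3/minute --limit-burst 3 \
        -j LOG --log-level 4 --log-prefix 'SSH REJECT: '
    run -A INPUT $SSH_NEW -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 \
        -j REJECT --reject-with tcp-reset
    # Everyone else on the LAN gets in; nothing from off the LAN reaches this rule.
    run -A INPUT $SSH_NEW -j ACCEPT
}

final_rules() {
    # Reset any other TCP so a scan sees "closed" rather than "filtered", then drop the rest.
    run -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    run -A INPUT -j DROP
}

load_firewall() {
    reset_rules
    base_rules
    ssh_rules
    final_rules
}

# "DRY_RUN=1 sh firewall.sh --load" prints the rule list for review;
# run as root without DRY_RUN to load it.
if [ "${1:-}" = "--load" ]; then
    load_firewall
fi
```

Review the generated list with DRY_RUN=1 before loading it, then check the live counters with `iptables -L INPUT -n -v --line-numbers` and, as Mick suggests, scan the box from another LAN host and from outside it with `nmap -sS -p- 192.168.0.106`: from the LAN only the ssh port should show open, from outside every TCP port should show closed (the tcp-reset rule) and everything else filtered. Note that the -m recent rules only ever see NEW ssh connections from $NET_PRV; connections from anywhere else fall straight through to the reset, so the limiter protects against a noisy LAN host, not the internet.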