2009/7/17 Dave <dave.mehler@×××××.com>:
> Hello,
> Can anyone good with iptables give this script a once-over? It is
> working, but in a very inconsistent manner: sometimes it lets traffic in,
> other times not. Two things it does not have are DHCP rules, as this box gets
> its address via DHCP, and CIFS rules, as this machine mounts CIFS shares; if
> anyone has those I'd appreciate them. This is a single-NIC box, not a router,
> just an internal client I'd like to protect.
> Adapted from:
>
> http://www.novell.com/coolsolutions/feature/18139.html
>
> Thanks.
> Dave.
>
> #!/bin/bash
> #
> # Script for iptables firewall
>
> # define variables
> IF_PUB=eth0
> IP_PUB=192.168.0.106
> NET_PRV=192.168.0.0/24
> ANYWHERE=0.0.0.0/0
>
> # set up default policies
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # remove any existing rules
> iptables -F -t nat
> iptables -F -t mangle
> iptables -F -t filter
> # Removes any user-defined chains
> iptables -X
>
> # If the machine is a router enable the next line
> #echo 1 > /proc/sys/net/ipv4/ip_forward

If you don't want to forward, then echo 0 instead of 1, rather than
just commenting it out.

> # forward from the public interface
> #iptables -A FORWARD -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # allow everything to and from the loopback
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # allow communications on the local network
> # This allows unrestricted communications
> #iptables -A INPUT -i $IF_PUB -s $NET_PRV -j ACCEPT
> # This allows only established or related connections
> iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o $IF_PUB -d $NET_PRV -j ACCEPT

Not sure that this is necessary.

> # If you're doing NAT (-o takes an interface, so $IF_PUB, not $IP_PUB)
> #iptables -t nat -A POSTROUTING -s $NET_PRV -o $IF_PUB -j SNAT --to $IP_PUB
>
> # allow various types of ICMP
> # 0 for echo reply, 3 for destination unreachable, 11 for time exceeded,
> # and 8 for echo request (rate-limited)
> iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
>
> # allow ssh
> iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB -m limit --limit 1/minute --limit-burst 1 -j ACCEPT

This opens *all* TCP ports and throttles the connection (you'll be
dropping packets and get an unreliable connection). I suggest that
you only open the port you need, e.g. -m tcp --dport 10201; also, if
you only access this box via ssh from your LAN, then restrict access
to it from your private subnet (-s $NET_PRV) and remove the --limit
match completely. If you're worried about brute force attacks on your
sshd, then perhaps use something like fail2ban, or better, use public
key authentication only (no passwd), or construct a set of rules to
limit the number of accepted attempts:
=====================================
Name it something:

blah-blah -m state --state NEW --dport 22 -m recent --name ssh_crackers --set

Log the persistent attacks:

blah-blah -m state --state NEW --dport 22 -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -j LOG -m limit --limit 3/minute --limit-burst 3 --log-level 4 --log-prefix 'SSH REJECT: '

Block them:

blah-blah -m state --state NEW --dport 22 -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset
=====================================

> # mail and web server on a different host
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j DNAT --to 192.168.1.254
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j DNAT --to 192.168.1.253
> #iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport http -j ACCEPT
>
> # send a tcp reject
> iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
>
> # block irc
> #iptables -A INPUT -p tcp --dport irc -j DROP
> #iptables -A INPUT -p udp --dport irc -j DROP
> #iptables -A INPUT -p tcp --dport irc-serv -j DROP
> #iptables -A INPUT -p udp --dport irc-serv -j DROP
> #iptables -A INPUT -p tcp --dport ircs -j DROP
> #iptables -A INPUT -p udp --dport ircs -j DROP
> # These discard TCP and UDP IRC, IRC server and secure IRC traffic.
>
> # block a specific host
> #iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j REJECT --reject-with icmp-host-prohibited
>
> # traffic from one port to another
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j DNAT --to 192.168.1.254:443
> # Note: $IF_PRV is not defined in the variables above
> #iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p tcp --dport 443 -j ACCEPT

Then block anything else (there is no interface called "any"; omit -i to match every interface):

iptables -A INPUT -p all -j DROP

Finally, run nmap from within and from outside your LAN on all ports and see what you get.

HTH.
-- 
Regards,
Mick
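Added example, not the script Dave posted and not Mick's own text: the single-NIC client firewall rewritten the way Mick's review suggests (ssh accepted only from the private subnet on one port, his -m recent set/log/reject brake in place of the -m limit match, Dave's TCP reset followed by a final DROP), together with the DHCP-client and CIFS-client rules Dave asked for, which the thread itself does not supply, and a small helper that summarises the "SSH REJECT:" lines the LOG rule writes to the kernel log. Assumptions that are mine rather than the thread's: sshd listens on port 22, the interface is eth0, the box is a pure client allowed to open connections anywhere, no rule matches on the leased address (so it may change under DHCP), and the sample log lines are constructed. Setting IPT=echo, or passing the dry-run argument, prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example for the thread above; not Dave's script and not Mick's text.
# Assumptions (not from the thread): sshd on port 22, interface eth0, a pure
# client that may open outbound connections anywhere, IPT can be "echo".
IF_PUB="${IF_PUB:-eth0}"
NET_PRV="${NET_PRV:-192.168.0.0/24}"
SSH_PORT="${SSH_PORT:-22}"
IPT="${IPT:-iptables}"

apply_firewall() {
    # Default-deny before flushing so a re-run never briefly accepts
    # everything; -F does not touch the policies, so this order is safe.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F -t nat
    $IPT -F -t mangle
    $IPT -F -t filter
    $IPT -X

    # Loopback, then drop broken state and accept replies to our own traffic.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DHCP client: offers and acks come back from the server as UDP 67 -> 68.
    # Nothing here matches on the leased address, so it may change freely.
    $IPT -A INPUT -i "$IF_PUB" -p udp --sport 67 --dport 68 -j ACCEPT

    # ICMP as in the original script; echo replies (type 0) are already
    # covered by the ESTABLISHED rule, echo requests stay rate-limited.
    $IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

    # ssh from the LAN only. Every new connection is recorded in the
    # ssh_crackers list; the 4th from one source within 60 s is logged
    # (rate-limited so the log itself cannot be flooded) and then reset.
    # The ACCEPT must come after the REJECT. SSH_NEW is expanded unquoted
    # on purpose so it splits into separate arguments.
    SSH_NEW="-i $IF_PUB -p tcp -s $NET_PRV --dport $SSH_PORT -m state --state NEW"
    $IPT -A INPUT $SSH_NEW -m recent --name ssh_crackers --set
    $IPT -A INPUT $SSH_NEW -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 \
        -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 4 --log-prefix "SSH REJECT: "
    $IPT -A INPUT $SSH_NEW -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 \
        -j REJECT --reject-with tcp-reset
    $IPT -A INPUT $SSH_NEW -j ACCEPT

    # Anything else: reset other TCP (as in the original), then drop the rest.
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -j DROP

    # Outbound: loopback, replies, DHCP discover/request (UDP 68 -> 67), CIFS
    # to LAN file servers (SMB on 445, NetBIOS session on 139), and any other
    # connection this client opens. Replace the last rule with a port list if
    # you want egress filtering; the CIFS rule keeps the mounts working then.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$IF_PUB" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A OUTPUT -o "$IF_PUB" -p tcp -d "$NET_PRV" -m multiport --dports 139,445 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$IF_PUB" -m state --state NEW -j ACCEPT
}

# Triage helper for the lines the LOG rule writes: reads syslog text on stdin
# and prints "<count> <source>" for every rejected source, busiest first.
ssh_reject_report() {
    grep 'SSH REJECT: ' | sed -n 's/.*SRC=\([0-9.]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample in the netfilter LOG format (host, MACs, addresses and
# times are made up) so the helper can be tried offline; one unrelated kernel
# line is mixed in to show it is ignored.
SAMPLE_LOG='Jul 17 22:10:01 box kernel: SSH REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.50 DST=192.168.0.106 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17322 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 17 22:10:03 box kernel: SSH REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.50 DST=192.168.0.106 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17323 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 17 22:10:07 box kernel: SSH REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.77 DST=192.168.0.106 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=901 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 17 22:10:30 box kernel: eth0: link up
Jul 17 22:10:41 box kernel: SSH REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.50 DST=192.168.0.106 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17324 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

case "${1:-}" in
    apply)   apply_firewall ;;                               # needs root
    dry-run) IPT=echo; apply_firewall ;;                     # print rules only
    report)  printf '%s\n' "$SAMPLE_LOG" | ssh_reject_report ;;
esac
```

Run it with dry-run first and read the printed rules, then with apply as root; afterwards pipe /var/log/messages (or the output of dmesg) into ssh_reject_report to see which LAN hosts are tripping the brake, and finish as Mick says by running nmap against the box from inside and outside the LAN. The ordering inside the ssh group matters: with the --set rule first, the fourth new connection from one source inside 60 seconds is the one that gets logged and reset, and moving the ACCEPT above the REJECT would silently disable the brake.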