Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] iptables firewall script
Date: Fri, 17 Jul 2009 12:52:50
Message-Id: 358eca8f0907170552v12632015l945b60f02b2348d4@mail.gmail.com
In Reply to: [gentoo-user] iptables firewall script by Dave
2009/7/17 Dave <dave.mehler@×××××.com>:
> Hello,
>        Can anyone good with iptables give this script a once over? It is
> working, but in a very inconsistent manner: sometimes it lets traffic in,
> other times not. Two things it does not have are DHCP rules, as this box gets
> its address via DHCP, and CIFS rules, as this machine mounts CIFS shares; if
> anyone has those I'd appreciate them. This is a single-NIC box, not a router,
> just an internal client I'd like to protect.
> Adapted from:
>
> http://www.novell.com/coolsolutions/feature/18139.html
>
> Thanks.
> Dave.
>
> #!/bin/bash
> #
> # Script for iptables firewall
>
> # define variables
> IF_PUB=eth0
> IP_PUB=192.168.0.106
> NET_PRV=192.168.0.0/24
> ANYWHERE=0.0.0.0/0
>
> # set up default policies
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # remove any existing rules
> iptables -F -t nat
> iptables -F -t mangle
> iptables -F -t filter
> # Removes any user-defined chains
> iptables -X
>
> # If the machine is a router enable the next line
> #echo 1 > /proc/sys/net/ipv4/ip_forward

If you don't want to forward, then echo 0 instead of 1, rather than
just commenting the line out.

> # forward from the public interface
> #iptables -A FORWARD -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # allow everything to and from the loopback
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # allow communications on the local network
> # This allows unrestricted communications
> #iptables -A INPUT -i $IF_PUB -s $NET_PRV -j ACCEPT
> # This allows only established or related connections
> iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o $IF_PUB -d $NET_PRV -j ACCEPT

Not sure that this is necessary.

> # If you're doing NAT
> #iptables -t nat -A POSTROUTING -s $NET_PRV -o $IF_PUB -j SNAT --to $IP_PUB
>
> # allow various types of ICMP
> # echo reply (0), destination unreachable (3), time exceeded (11),
> # and rate-limited echo request (8)
> iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
>
> # allow ssh
> iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB -m limit --limit 1/minute --limit-burst 1 -j ACCEPT

This opens *all* TCP ports and throttles the connection (you'll be
dropping packets and get an unreliable connection). I suggest that
you only open the port you need, e.g. -m tcp --dport 10201. Also, if
you only access this box via ssh from your LAN, then restrict access
to it from your private subnet (-s $NET_PRV) and remove the --limit
match completely. If you're worried about brute force attacks on your
sshd, then perhaps use something like fail2ban, or better, use public
key authentication only (no password), or construct a set of rules to
limit the number of accepted attempts:
=====================================
Name it something:

blah-blah -m state --state NEW --dport 22 -m recent --name ssh_crackers --set

Log the persistent attacks:

blah-blah -m state --state NEW --dport 22 -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 4 --log-prefix 'SSH REJECT: '

Block them:

blah-blah -m state --state NEW --dport 22 -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset
=====================================

> # mail and web server on a different host
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j DNAT --to 192.168.1.254
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j DNAT --to 192.168.1.253
> #iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport http -j ACCEPT
>
> # send a tcp reject
> iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
>
> # block irc
> # These discard TCP and UDP IRC, IRC server and Secure IRC traffic.
> #iptables -A INPUT -p tcp --dport irc -j DROP
> #iptables -A INPUT -p udp --dport irc -j DROP
> #iptables -A INPUT -p tcp --dport irc-serv -j DROP
> #iptables -A INPUT -p udp --dport irc-serv -j DROP
> #iptables -A INPUT -p tcp --dport ircs -j DROP
> #iptables -A INPUT -p udp --dport ircs -j DROP
>
> # block a specific host
> #iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j REJECT --reject-with icmp-host-prohibited
>
> # traffic from one port to another
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j DNAT --to 192.168.1.254:443
> #iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p tcp --dport 443 -j ACCEPT

Then block anything else:

iptables -A INPUT -j DROP


Finally, run nmap from inside and from outside your LAN on all ports and see what you get.

HTH.
--
Regards,
Mick
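
Worked example, added here and not taken from Dave's script or Mick's reply: the single-NIC client firewall the thread converges on, written as an iptables-restore ruleset instead of a sequence of iptables calls. It restricts ssh to its port and to the LAN, carries Mick's -m recent limiter, adds the DHCP-client and CIFS-client rules Dave asked about, and ends with the TCP reset plus drop-everything rules. eth0, 192.168.0.0/24, a file server at 192.168.0.10 and sshd on port 22 are placeholder values; the outbound catch-all at the end of OUTPUT is a design choice for a workstation, not something the thread specifies.

```shell
#!/bin/sh
# Added example (not the script from the original post): single-NIC client
# firewall generated in iptables-restore format.  Values below are assumed;
# change them to match your network.
set -eu

IF_PUB=eth0                 # the only NIC
NET_PRV=192.168.0.0/24      # the LAN ssh is allowed from
CIFS_SERVER=192.168.0.10    # assumed address of the host whose shares we mount
SSH_PORT=22

# Print the complete ruleset.  Loading it with iptables-restore is atomic:
# the box is never left with DROP policies and half the rules, and a syntax
# error leaves the previous rules untouched.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# drop what conntrack cannot classify, then pass replies to traffic we started
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP client: the OFFER/ACK answers a broadcast, so conntrack sees it as NEW
-A INPUT -i $IF_PUB -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o $IF_PUB -p udp --sport 68 --dport 67 -j ACCEPT
# ICMP: echo reply, destination unreachable, time exceeded; echo request rate-limited
-A INPUT -i $IF_PUB -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -i $IF_PUB -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -i $IF_PUB -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -i $IF_PUB -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
# SSH: record every new connection per source; the 4th within 60 s is logged
# (the log itself rate-limited) and answered with a RST; otherwise accept from the LAN only
-A INPUT -i $IF_PUB -p tcp --dport $SSH_PORT -m state --state NEW -m recent --name ssh_crackers --set
-A INPUT -i $IF_PUB -p tcp --dport $SSH_PORT -m state --state NEW -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 4 --log-prefix "SSH REJECT: "
-A INPUT -i $IF_PUB -p tcp --dport $SSH_PORT -m state --state NEW -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset
-A INPUT -i $IF_PUB -s $NET_PRV -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
# CIFS client: SMB over TCP to the file server, NetBIOS name lookups on the LAN
-A OUTPUT -o $IF_PUB -d $CIFS_SERVER -p tcp -m multiport --dports 139,445 -j ACCEPT
-A OUTPUT -o $IF_PUB -d $NET_PRV -p udp --dport 137 -j ACCEPT
# this is a client, so let it open anything else outbound (tighten here if wanted)
-A OUTPUT -o $IF_PUB -m state --state NEW -j ACCEPT
# anything else inbound: TCP gets a reset, the rest is dropped silently
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j DROP
COMMIT
EOF
}

case "${1:-print}" in
  apply) gen_rules | iptables-restore ;;   # load atomically; needs root
  *)     gen_rules ;;                      # default: print, so it can be reviewed first
esac
```

Run it with no argument to print the ruleset and read it; `apply` loads it through iptables-restore. After loading, `iptables -S` shows what the kernel actually holds, and Mick's suggested check is an `nmap -sS -sU -p- -Pn <ip>` from a LAN host and from outside it (the full UDP sweep is slow; expect only 68/udp to look open from the LAN). Note that none of this touches IPv6: ip6tables needs its own equivalent, otherwise the box is wide open on v6 while looking closed on v4.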