
Iptables question(s)



I'm running Woody with kernel 2.4.6 at home. I'm using IPTables to
Masquerade the internet to my internal network and to protect my Linux
hosts from possible scan or crack attempts.

So far, I've found my Netfilter script to work very well. However, I
have noticed a *few* minor problems with it.

I use a simple IP spoof line which drops datagrams that are pretending to
originate from my host. Since my external interface is configured via
DHCP, I use the following operation to determine my IP.

IPADDR="`/sbin/pump --status | /bin/grep IP: | /bin/sed -e 's/.*IP: //'`"

I later, call that operation in a rule to prevent IP Spoofing.

iptables -A INPUT --source $IPADDR -i $EXTIFACE -j DROP

This works, but only once. When I flush all rules, then delete all
user-defined chains, and then re-run my NetFilter script, I always get
an "Operation failed" message from the kernel.

Is there any way to circumvent this? Should I use another DHCP client
program that would allow me to re-run my NetFilter script after a DHCP
lease expires and renews?

I have included my Netfilter script in this e-mail for further reading
if need be. Please let me know if there are other problems with my
script or if you have other suggestions for me :-D

Thanks,

Stef


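#!/bin/sh
# /etc/network/netfilter
# basic Netfilter firewall script
# by Stefan Srdic
#
# Purpose: reset the filter and nat tables, then install a rule set that
#   masquerades the internal LAN behind the external (DHCP) interface and
#   filters spoofed/unwanted traffic arriving on that interface.
# Usage:   run as root, e.g. from an ifup hook; safe to re-run, since the
#   tables are cleared before the rules are appended again.
# Requires: iptables, depmod/modprobe in /sbin; /sbin/pump for the
#   external address lookup (the self-spoof rule is skipped without it).
#
# NOTE(review): the policies of INPUT/FORWARD/OUTPUT stay ACCEPT, so any
# traffic not matched by an explicit rule below is allowed.  In particular
# incoming TCP SYNs on EXTIFACE to the REGISTERED port range are accepted
# (only WELLKNOWN SYNs and WELLKNOWN/PRIVATE ports are dropped), and all
# non-DNS/SAMBA/ICMP traffic on LANIFACE is accepted by policy.  Confirm
# that is intended before relying on this script as the only filter.

PATH="/sbin"                            # depmod, modprobe and iptables live here
LANIFACE="eth1"                         # Internal network interface
LAN="192.168.0.0/24"                    # Internal network address range
NODEFILTER="192.168.0.1/24"             # Internal network server
EXTIFACE="eth0"                         # External network interface
LOOPBACK="lo"                           # Loopback device
LOCALHOST="127.0.0.1"
ANYADDR="0/0"                           # Any address

# External IP address, as reported by the DHCP client.  Only the first
# "IP:" line is used, and stderr is silenced so a missing/idle pump does
# not clutter the boot log; an empty result is handled further down.
IPADDR=$(/sbin/pump --status 2>/dev/null | /bin/grep 'IP:' | /bin/sed -n '1s/.*IP: *//p')

PRINAME="199.185.220.36"                # Primary name server
SECNAME="199.185.220.52"                # Secondary name server
SMTP="smtp.telusplanet.net"             # Remote SMTP server
POP3="pop.telusplanet.net"              # Remote POP3 server
DHCP="198.161.157.115"                  # DHCP server

WELLKNOWN="0:1023"                      # Well known port range
REGISTERED="1024:49151"                 # Registered port range
PRIVATE="49152:65535"                   # Private port range

CLASS_A="10.0.0.0/8"                    # private class A network range
CLASS_B="172.16.0.0/12"                 # private class B network range
CLASS_C="192.168.0.0/16"                # private class C network range
CLASS_D_MULTICAST="224.0.0.0/4"         # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"      # class E reserved addresses
BROADCAST_SRC="0.0.0.0"                 # broadcast source address
BROADCAST_DEST="255.255.255.255"        # broadcast destination address

# TCP services that we wish to pass as listed in /etc/services
TCP="smtp,www,ftp,ftp-data,pop3,nntp,bootpc"

# UDP services that we wish to pass as listed in /etc/services
UDP="bootpc"

# Load IPTables module(s); the nat/state/multiport helpers are pulled in
# on demand by iptables itself.
depmod -a
modprobe ip_tables

# Clear the tables, delete user defined chains, prep for a new ruleset.
# The nat table has to be cleared separately: "-F"/"-X" without "-t"
# only touch the filter table, so the MASQUERADE rule appended below
# would otherwise be duplicated on every re-run of this script.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Create a chain which logs and then drops all datagrams.
# "-N" is silenced because the chain may still exist if the -X above
# could not remove it.
iptables -N LOGNDROP 2>/dev/null
iptables -A LOGNDROP --protocol tcp -m limit --limit 3/minute \
     --limit-burst 5 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '

iptables -A LOGNDROP --protocol udp -m limit --limit 3/minute \
     --limit-burst 5 -j LOG --log-level DEBUG --log-prefix 'Denied UDP: '

iptables -A LOGNDROP --protocol icmp -m limit --limit 3/minute \
     --limit-burst 5 -j LOG --log-level DEBUG --log-prefix 'Denied ICMP: '
iptables -A LOGNDROP -j DROP


# Log and drop fragmented datagrams
iptables -A INPUT -f -j LOGNDROP

# Log and drop / reject malformed datagrams
#iptables -A INPUT --match unclean -j LOGNDROP

# IP spoofing protection
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

# Refuse incoming packets pretending to be from the external address.
# The rule is only installed when pump returned something that looks
# like a dotted-quad address; an empty or odd value would otherwise be
# handed to iptables as "--source" and the command would fail (for
# example when this script runs before the DHCP lease is up).
case "$IPADDR" in
  ''|*[!0-9.]*)
    echo "netfilter: external address unknown, skipping self-spoof rule" >&2
    ;;
  *)
    iptables -A INPUT --source "$IPADDR" -i "$EXTIFACE" -j DROP
    ;;
esac

# Drop incoming datagrams spoofing the loopback
iptables -A INPUT --source "$LOCALHOST" -i "$EXTIFACE" -j DROP

# Drop incoming datagrams claiming to be from the localnet
iptables -A INPUT --source "$LAN" -i "$EXTIFACE" -j DROP

# Drop incoming packets claiming to be from a Class A, B or C private network
iptables -A INPUT --source "$CLASS_A" -i "$EXTIFACE" -j DROP
iptables -A INPUT --source "$CLASS_B" -i "$EXTIFACE" -j DROP
iptables -A INPUT --source "$CLASS_C" -i "$EXTIFACE" -j DROP

# Drop packets with the broadcast address as SOURCE, and packets sent
# to the 0.0.0.0 "this host" address.  The 0.0.0.0 *source* is deliberately
# not dropped here because DHCP clients use it before they have a lease.
iptables -A INPUT --source "$BROADCAST_DEST" -i "$EXTIFACE" -j DROP
iptables -A INPUT --destination "$BROADCAST_SRC" -i "$EXTIFACE" -j DROP

# Refuse Class D multicast addresses
# Multicast is illegal as a source address.
# Multicast uses UDP.
iptables -A INPUT --source "$CLASS_D_MULTICAST" -i "$EXTIFACE" -j DROP

# Refuse Class E reserved IP addresses
iptables -A INPUT --source "$CLASS_E_RESERVED_NET" -i "$EXTIFACE" -j DROP

# ICMP filters -> eliminate ICMP types that we do not want
# to see on our external interface

# create a chain for incoming ICMP datagrams
iptables -N ICMP 2>/dev/null

# Divert all incoming and outgoing ICMP from the external interface
# into the ICMP chain
iptables -A INPUT -i "$EXTIFACE" --protocol icmp -j ICMP
iptables -A OUTPUT -o "$EXTIFACE" --protocol icmp -j ICMP

# Allow those ICMP types that we need for everyday conversations.
# Incoming echo-request is not listed, so pings from outside are logged
# and dropped by the last rule of this chain.
iptables -A ICMP -i "$EXTIFACE" --protocol icmp \
    --icmp-type echo-reply -j ACCEPT
iptables -A ICMP -i "$EXTIFACE" --protocol icmp \
    --icmp-type destination-unreachable -j ACCEPT
iptables -A ICMP -i "$EXTIFACE" --protocol icmp \
    --icmp-type time-exceeded -j ACCEPT

iptables -A ICMP -o "$EXTIFACE" --protocol icmp \
    --icmp-type echo-request -j ACCEPT
iptables -A ICMP -o "$EXTIFACE" --protocol icmp \
    --icmp-type destination-unreachable -j ACCEPT
iptables -A ICMP -o "$EXTIFACE" --protocol icmp \
    --icmp-type time-exceeded -j ACCEPT

# Log N Drop all other ICMP datagrams
iptables -A ICMP -j LOGNDROP

# Masquerading for the internal network.  The MSS clamp is inserted at
# the top of FORWARD so it runs before the ACCEPT rules below.
iptables -t nat -A POSTROUTING -o "$EXTIFACE" -j MASQUERADE
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -i "$LANIFACE" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# create a chain to filter incoming and outgoing DNS
iptables -N DNS 2>/dev/null
# Divert DNS queries into the DNS chain
iptables -A INPUT --protocol tcp --destination-port domain -j DNS
iptables -A INPUT --protocol udp --destination-port domain -j DNS

iptables -A OUTPUT --protocol tcp --source-port domain -j DNS
iptables -A OUTPUT --protocol udp --source-port domain -j DNS

# Domain Name Service
# allow our caching-only nameserver to forward queries to our ISP's
# nameservers and to listen to our local net for internal queries

# Permit incoming and outgoing DNS queries from the localhost
iptables -A DNS -i "$LOOPBACK" -s "$LOCALHOST" -j ACCEPT
iptables -A DNS -o "$LOOPBACK" -d "$LOCALHOST" -j ACCEPT

# Permit incoming and outgoing DNS queries from our LAN
iptables -A DNS -i "$LANIFACE" -s "$LAN" -j ACCEPT
iptables -A DNS -o "$LANIFACE" -d "$LAN" -j ACCEPT

# Permit incoming and outgoing datagrams from and to
# our ISP's nameservers
iptables -A DNS -i "$EXTIFACE" -s "$PRINAME" -j ACCEPT
iptables -A DNS -i "$EXTIFACE" -s "$SECNAME" -j ACCEPT

iptables -A DNS -o "$EXTIFACE" -d "$PRINAME" -j ACCEPT
iptables -A DNS -o "$EXTIFACE" -d "$SECNAME" -j ACCEPT

# All filtering is done, Log N Drop all other DNS datagrams
iptables -A DNS -j LOGNDROP

# SAMBA
# Filter NetBIOS datagrams in order to protect our network shares and
# create a chain for NetBIOS datagrams to divert incoming and outgoing
# datagrams into that chain
iptables -N SAMBA 2>/dev/null
iptables -A INPUT --protocol udp --destination-port 137:139 -j SAMBA
iptables -A INPUT --protocol tcp --destination-port 137:139 -j SAMBA

iptables -A OUTPUT --protocol udp --source-port 137:139 -j SAMBA
iptables -A OUTPUT --protocol tcp --source-port 137:139 -j SAMBA

# allow the localhost access to the SAMBA server
iptables -A SAMBA -i "$LOOPBACK" -d "$NODEFILTER" -j ACCEPT
iptables -A SAMBA -o "$LOOPBACK" -s "$NODEFILTER" -j ACCEPT

# allow our internal network to access the SAMBA server
iptables -A SAMBA -i "$LANIFACE" -s "$LAN" -j ACCEPT
iptables -A SAMBA -o "$LANIFACE" -d "$LAN" -j ACCEPT

# Log N Drop everything else
iptables -A SAMBA -j LOGNDROP

# TCP filters
# Log N Drop invalid or randomly slung packets
iptables -A INPUT -i "$EXTIFACE" --protocol tcp --match \
    state --state INVALID -j LOGNDROP

# Log N Drop incoming connection attempts to our external interface.
# Only the well-known range is covered here; SYNs to REGISTERED ports
# fall through to the ACCEPT policy (see the note at the top).
iptables -A INPUT -i "$EXTIFACE" --protocol tcp \
    --destination-port "$WELLKNOWN" --syn -j LOGNDROP

# Allow outgoing connection attempts to those services that we wish to use.
# NOTE(review): this matches on --source-port, whereas a client's outgoing
# SYN carries the service in its *destination* port; the rule as written
# seems to be a no-op for client traffic and the connection is actually
# allowed by the ACCEPT policy -- confirm the intended direction.
iptables -A OUTPUT -o "$EXTIFACE" --protocol tcp --match \
    multiport --source-port "$TCP" --syn -j ACCEPT

# Keep all existing connections.
# NOTE(review): "! --tcp-flags SYN,ACK ACK" matches segments that have
# SYN set or ACK clear, i.e. the opposite of an established segment; the
# intent ("! --syn") should be double-checked.
iptables -A INPUT -i "$EXTIFACE" --protocol tcp --match multiport \
    --destination-port "$TCP" ! --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A OUTPUT -o "$EXTIFACE" --protocol tcp --match multiport \
    --source-port "$TCP" ! --tcp-flags SYN,ACK ACK -j ACCEPT

# Log N Drop all TCP datagrams coming through or going out
# the well-known or private port ranges (the registered range is not
# filtered here)
iptables -A INPUT -i "$EXTIFACE" --protocol tcp \
    --destination-port "$WELLKNOWN" -j LOGNDROP
iptables -A INPUT -i "$EXTIFACE" --protocol tcp \
    --destination-port "$PRIVATE" -j LOGNDROP

iptables -A OUTPUT -o "$EXTIFACE" --protocol tcp \
    --source-port "$WELLKNOWN" -j LOGNDROP
iptables -A OUTPUT -o "$EXTIFACE" --protocol tcp \
    --source-port "$PRIVATE" -j LOGNDROP

# UDP
# Allow UDP to pass through the Registered port range
iptables -A INPUT -i "$EXTIFACE" --protocol udp \
    --destination-port "$REGISTERED" -j ACCEPT
iptables -A OUTPUT -o "$EXTIFACE" --protocol udp \
    --source-port "$REGISTERED" -j ACCEPT

# generic UDP datagram filters for those services that we wish to use
# Allow those UDP services that we wish to use
iptables -A INPUT -i "$EXTIFACE" --protocol udp --match \
    multiport --destination-port "$UDP" -j ACCEPT
iptables -A OUTPUT -o "$EXTIFACE" --protocol udp --match \
    multiport --source-port "$UDP" -j ACCEPT

# Log N Drop all other UDP datagrams attempting to come through or leave
# through well-known or private ports
iptables -A INPUT -i "$EXTIFACE" --protocol udp -j LOGNDROP
iptables -A OUTPUT -o "$EXTIFACE" --protocol udp -j LOGNDROP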

