[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

iptables.sh keeps hanging!!!!



Once again I've edited my iptables script for better functionality. However, now the script seems to hang!!!

I rebooted my machine and received the following errors when IPtables.sh was called via my networking rc script.

insmod: Note: /etc/modules.conf is more recent then /lib/modules/2.4.9-ext3/modules.dep

This error repeats about 6 or 7 times then everything hangs untill I hit CTRL-C

What's going on? I can run my old iptables script with no problems at all. Could this be a problem with the kernel module loader? Or is it bad syntax in the script itself?

Thanks,

Stef

PS -> See attachment.
#!/bin/sh
# /etc/network/netfilter
# basic Netfilter firewall script 
# by Stefan Srdic

# Define our path
PATH=/sbin:/bin:/usr/sbin:/usr/bin      
export PATH

# Define a few network parameters                  
EXTIFACE=				# External ethernet connection
LANIFACE=                         	# Internal ethernet connection
LOOPBACK=				# Loopback interface
# External IP address 
IPADDR=
LAN=		                    	# Local arean address range
NODEFILTER=		             	# LAN host
LOCALHOST=127.0.0.1			# Localhost
ANYADDR=0/0                           	# Any address 

# Our ISP's networked hosts
PRINAME=                		# Primary name server
SECNAME=               			# Secondary name server
SMTP=             			# Remote SMTP server
POP3=		             		# Remote POP3 server
NEWS=					# Remote NNTP server
DHCP=		                  	# DHCP server

# Private or reserved address ranges
CLASS_A=10.0.0.0/8                   	# private class A network range
CLASS_B=172.16.0.0/12                 	# private class B network range
CLASS_C=192.168.0.0/16                	# private class C network range
CLASS_D_MULTICAST=224.0.0.0/4         	# class D multicast addresses
CLASS_E_RESERVED_NET=240.0.0.0/5      	# class E reserved addresses
BROADCAST_SRC=0.0.0.0                	# broadcast source address
BROADCAST_DEST=255.255.255.255        	# broadcast destination address

# Various port ranges
WELLKNOWN=0:1023                      	# Well known port range
REGISTERED=1024:49151                 	# Registered port range
PRIVATE=49152:65535                   	# Private port range

# 0 -> LOG
# 1 -> DROP
# 2 -> LOG then DROP
OPTION=1

# Load IPTables module (s)

depmod -a
modprobe ip_tables 

# Set the default policies on the filter table.
for p in INPUT FORWARD OUTPUT; do
    iptables -t filter -P $p DROP
done

# Set the default policies on the nat table.
for p in PREROUTING POSTROUTING OUTPUT; do
    iptables -t nat -P $p ACCEPT
done

# Set the default policies on the mangle table
for p in PREROUTING OUTPUT; do
    iptables -t mangle -P $p ACCEPT
done

# flush all rules and erase all user defined chains on all tables
for t in filter nat mangle; do
    iptables -t $t -F
    iptables -t $t -X
done

# Drop fragmented datagrams
iptables -A INPUT -f -j DROP
# Drop incoming datagrams spoofing the localhost, the local network, 
# or our external interface
for ip in $LOCALHOST $LAN $IPADDR; do
    iptables -A INPUT --source $ip -i $EXTIFACE -j DROP
done

# Drop datagrams claiming to be from a Class A, B or C private networks
# Drop Class D multicast addresses and Class E reserved IP addresses
for class in $CLASS_A $CLASS_B $CLASS_C $CLASS_D_MULTICAST $CLASS_E_RESERVED_NET; do
    iptables -A INPUT --source $class -i $EXTIFACE -j DROP
    iptables -A INPUT --destination $class -i $EXTIFACE -j DROP
    iptables -A OUTPUT --source $class -o $EXTIFACE -j DROP
    iptables -A OUTPUT --destination $class -o $EXTIFACE -j DROP
done

# Drop broadcast address SOURCE packets
iptables -A INPUT --source $BROADCAST_DEST -i $EXTIFACE -j DROP
iptables -A INPUT --destination $BROADCAST_SRC -i $EXTIFACE -j DROP

# Masquerade the LAN out the external interface
iptables -t nat -A POSTROUTING -s $LAN -o $EXTIFACE -j MASQUERADE
iptables -A FORWARD --protocol tcp --tcp-flags SYN,RST SYN \
    -j TCPMSS --clamp-mss-to-pmtu 
# Disallow NEW and INVALID forwarded packets from external interface.
iptables -A FORWARD -i $EXTIFACE -m state --state NEW,INVALID -j DROP

# Allow full access on our localhost
iptables -A INPUT -i $LOOPBACK -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK -j ACCEPT

# Allow full access between our LAN and our host
iptables -A INPUT -i $LANIFACE -s $LAN -d $NODEFILTER -j ACCEPT
iptables -A OUTPUT -o $LANIFACE -d $LAN -s $NODEFILTER -j ACCEPT

for iface in $LOOPBACK $LANIFACE $EXTIFACE; do
    iptables -A OUTPUT -o $iface --protocol icmp -m state --state \
	NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i $iface --protocol icmp -m state --state \
	ESTABLISHED,RELATED -j ACCEPT
done

# Make sure NEW tcp connections are SYN packets
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# filter well-known TCP services
# DNS rules for TCP
iptables -A INPUT -s $PRINAME --protocol tcp --sport $REGISTERED -d \
    $IPADDR --dport domain -m state --state ESTABLISHED -i $EXTIFACE -j ACCEPT
iptables -A INPUT -s $SECNAME --protocol tcp --sport $REGISTERED -d \
    $IPADDR --dport domain -m state --state ESTABLISHED -i $EXTIFACE -j ACCEPT

iptables -A OUTPUT -s $IPADDR --protocol tcp --sport $REGISTERED -d \
    $PRINAME --dport domain -m state --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT
iptables -A OUTPUT -s $IPADDR --protocol tcp --sport $REGISTERED -d \
    $SECNAME --dport domain -m state --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT
# DNS rules for UDP
# Allow for outgoing DNS queries
iptables -A INPUT -s $PRINAME --protocol udp --sport $REGISTERED -d \
    $IPADDR --dport domain -m state --state ESTABLISHED -i $EXTIFACE -j ACCEPT
iptables -A INPUT -s $SECNAME --protocol udp --sport $REGISTERED -d \
    $IPADDR --dport domain -m state --state ESTABLISHED -i $EXTIFACE -j ACCEPT

iptables -A OUTPUT -s $IPADDR --protocol udp --sport $REGISTERED -d \
    $PRINAME --dport domain -m state --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT
iptables -A OUTPUT -s $IPADDR --protocol udp --sport $REGISTERED -d \
    $SECNAME --dport domain -m state --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT

# SMTP
iptables -A INPUT -s $SMTP --protocol tcp --sport $REGISTERED -d \
    $IPADDR --dport smtp -m state --state ESTABLISHED -i $EXTIFACE -j ACCEPT
iptables -A OUTPUT -s $IPADDR --protocol tcp --sport $REGISTERED -d \
    $SMTP --dport smtp -m state --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT

# POP3    
iptables -A INPUT -s $POP3 --protocol tcp --sport $REGISTERED -d \
    $IPADDR --dport pop3 -m state --state ESTABLISHED -i $EXTIFACE -j ACCEPT
iptables -A OUTPUT -s $IPADDR --protocol tcp --sport $REGISTERED -d \
    $POP3 --dport pop3 -m state --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT

# NNTP
iptables -A INPUT -s $NEWS --protocol tcp --sport $REGISTERED -d \
    $IPADDR --dport nntp -m state --state ESTABLISHED -i $EXTIFACE -j ACCEPT
iptables -A OUTPUT -s $IPADDR --protocol tcp --sport $REGISTERED -d \
    $NEWS --dport nntp -m state --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT

## WWW 
iptables -A INPUT --protocol tcp --sport www -m state --state \
    ESTABLISHED -i $EXTIFACE -j ACCEPT
iptables -A OUTPUT --protocol tcp --dport www -m state \
    --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT

# HTTPS
iptables -A INPUT --protocol tcp --sport https -m state --state \
    ESTABLISHED -i $EXTIFACE -j ACCEPT
iptables -A OUTPUT --protocol tcp --dport https -m state --state \
    NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT

# FTP
iptables -A INPUT -i $EXTIFACE --protocol tcp --sport ftp -m state \
    --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $EXTIFACE --protocol tcp --dport ftp -m state \
    --state NEW,ESTABLISHED -j ACCEPT
# Active FTP
iptables -A INPUT -i $EXTIFACE --protocol tcp --sport ftp-data -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $EXTIFACE --protocol tcp --dport ftp-data -m state \
    --state ESTABLISHED -j ACCEPT
# Passive FTP
iptables -A INPUT -i $EXTIFACE --protocol tcp --sport $REGISTERED --dport \
    $REGISTERED -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $EXTIFACE --protocol tcp --sport $REGISTERED --dport \
    $REGISTERED -m state --state ESTABLISHED,RELATED -j ACCEPT

# This rule takes care of programs which aren't covered above
# I need to find a way around this :-(
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i $EXTIFACE -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT

case "$OPTION" in
    0)  #Log forbidden TCP datagrams
        iptables -A INPUT --protocol tcp -m limit --limit 1/minute \
        --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: ';
	iptables -A INPUT --protocol udp -m limit --limit 1/minute \
        --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied UDP: ';
	iptables -A INPUT --protocol icmp -m limit --limit 1/minute \
        --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied ICMP: ';
        ;;
    1)  # Disallow NEW and INVALID 
	iptables -A INPUT -m state --state NEW,INVALID -j DROP;
        # Drop all other incoming datagrams (if any)
        iptables -A INPUT -j DROP;
        ;;
    2)  #Log forbidden datagrams
        iptables -A INPUT --protocol tcp -m limit --limit 1/minute \
        --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: ';
	iptables -A INPUT --protocol udp -m limit --limit 1/minute \
        --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied UDP: ';
	iptables -A INPUT --protocol icmp -m limit --limit 1/minute \
        --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied ICMP: ';
	# Disallow NEW and INVALID 
	iptables -A INPUT -m state --state NEW,INVALID -j DROP;
        # Drop all other incoming datagrams
        iptables -A INPUT -j DROP;
        ;;
esac



Reply to: