iptables.sh keeps hanging!!!!
Once again I've edited my iptables script for better functionality.
However, now the script seems to hang!!!
I rebooted my machine and received the following errors when IPtables.sh
was called via my networking rc script.
insmod: Note: /etc/modules.conf is more recent than
/lib/modules/2.4.9-ext3/modules.dep
This message repeats about 6 or 7 times, then everything hangs until I hit
CTRL-C.
What's going on? I can run my old iptables script with no problems at
all. Could this be a problem with the kernel module loader? Or is it bad
syntax in the script itself?
Thanks,
Stef
PS -> See attachment.
#!/bin/sh
# /etc/network/netfilter
# basic Netfilter firewall script
# by Stefan Srdic
#
# Usage: run as root from the networking rc script.  Fill in every
# parameter in the "network parameters" and "ISP hosts" sections first.
# The values are expanded unquoted in the iptables calls further down,
# so an EMPTY parameter does not reach iptables as an empty argument --
# the shell drops the word altogether.  "-i $EXTIFACE -j DROP" then
# becomes "-i -j DROP", which iptables rejects, and that rule is silently
# never installed.  A guard such as
#   : "${EXTIFACE:?external interface not set}"
# placed right after this section turns that into an immediate, readable
# failure instead.

# Only system directories on the path: everything this script runs
# (depmod, modprobe, iptables) is resolved from these.
PATH="/sbin:/bin:/usr/sbin:/usr/bin"
export PATH

# --- Network parameters ------------------------------------------------
EXTIFACE=""            # External ethernet connection
LANIFACE=""            # Internal ethernet connection
LOOPBACK=""            # Loopback interface
IPADDR=""              # External IP address
LAN=""                 # Local area network address range
NODEFILTER=""          # LAN host
LOCALHOST="127.0.0.1"  # Localhost
ANYADDR="0/0"          # Any address (not referenced by the rules below)

# --- Our ISP's networked hosts ----------------------------------------
# Use IP addresses, not host names: these values are inserted into rules
# after the OUTPUT policy has already been set to DROP, so a name lookup
# at that point would be blocked by the very firewall being loaded.
PRINAME=""             # Primary name server
SECNAME=""             # Secondary name server
SMTP=""                # Remote SMTP server
POP3=""                # Remote POP3 server
NEWS=""                # Remote NNTP server
DHCP=""                # DHCP server (not referenced by the rules below)

# --- Private or reserved address ranges -------------------------------
CLASS_A="10.0.0.0/8"              # private class A network range
CLASS_B="172.16.0.0/12"           # private class B network range
CLASS_C="192.168.0.0/16"          # private class C network range
CLASS_D_MULTICAST="224.0.0.0/4"   # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0"           # broadcast source address
BROADCAST_DEST="255.255.255.255"  # broadcast destination address

# --- Various port ranges ----------------------------------------------
WELLKNOWN="0:1023"       # Well known port range (not referenced below)
REGISTERED="1024:49151"  # Registered port range
PRIVATE="49152:65535"    # Private port range (not referenced below)

# What happens to INPUT traffic that nothing else accepted (see the case
# statement at the end of the script):
#   0 -> LOG   (log only; the chain's default DROP policy still drops it)
#   1 -> DROP
#   2 -> LOG then DROP
OPTION="1"
# Load IPTables module (s)
# NOTE(review): depmod -a rebuilds modules.dep on every run of this
# script, which the init scripts normally do once at boot.  Only
# ip_tables is loaded here explicitly; the tables, matches and targets
# used further down (nat, mangle, state, limit, LOG, MASQUERADE, TCPMSS)
# are presumably pulled in by the kernel's module autoloader the first
# time a rule needs them, i.e. one separate modprobe per module.  That
# is the first place to look when start-up prints repeated module-loader
# messages or stalls -- confirm against the running kernel.
depmod -a
modprobe ip_tables

#######################################
# Set the default policy of several chains in one table.
# Arguments: $1   - table name (filter/nat/mangle)
#            $2   - policy (ACCEPT/DROP)
#            $3.. - chains the policy applies to
#######################################
set_policies() {
  policy_table=$1
  policy_value=$2
  shift 2
  for chain in "$@"; do
    iptables -t "$policy_table" -P "$chain" "$policy_value"
  done
}

# The filter table fails closed: anything not explicitly accepted later
# is dropped.  This happens BEFORE the flush below, so the host is
# already closed while the rest of the rules are being appended.
set_policies filter DROP INPUT FORWARD OUTPUT
# nat and mangle are left at ACCEPT.
set_policies nat ACCEPT PREROUTING POSTROUTING OUTPUT
set_policies mangle ACCEPT PREROUTING OUTPUT

# flush all rules and erase all user defined chains on all tables
for tbl in filter nat mangle; do
  iptables -t "$tbl" -F
  iptables -t "$tbl" -X
done
# Drop fragmented datagrams
# NOTE(review): -f matches second-and-later fragments only, so a first
# fragment still runs through the rest of the chain; whether dropping
# the remainder is acceptable for the LAN's traffic is a policy choice
# worth confirming.
iptables -A INPUT -f -j DROP
# Drop incoming datagrams spoofing the localhost, the local network,
# or our external interface
# The list is built from unquoted expansions: a parameter left empty
# simply disappears from it and its anti-spoofing rule is never
# installed (with LAN and IPADDR empty only 127.0.0.1 is covered).
for ip in $LOCALHOST $LAN $IPADDR; do
iptables -A INPUT --source $ip -i $EXTIFACE -j DROP
done
# Drop datagrams claiming to be from a Class A, B or C private networks
# Drop Class D multicast addresses and Class E reserved IP addresses
# All five ranges are fixed, so this loop is complete as long as
# EXTIFACE is set; an empty EXTIFACE leaves "-i -j DROP" on the command
# line, which iptables rejects, and none of these rules get installed.
for class in $CLASS_A $CLASS_B $CLASS_C $CLASS_D_MULTICAST $CLASS_E_RESERVED_NET; do
iptables -A INPUT --source $class -i $EXTIFACE -j DROP
iptables -A INPUT --destination $class -i $EXTIFACE -j DROP
iptables -A OUTPUT --source $class -o $EXTIFACE -j DROP
iptables -A OUTPUT --destination $class -o $EXTIFACE -j DROP
done
# Drop broadcast address SOURCE packets
# 255.255.255.255 as a source and 0.0.0.0 as a destination are both
# bogus on the external link.
iptables -A INPUT --source $BROADCAST_DEST -i $EXTIFACE -j DROP
iptables -A INPUT --destination $BROADCAST_SRC -i $EXTIFACE -j DROP
# Masquerade the LAN out the external interface
# NOTE(review): masquerading alone does not let LAN traffic through.
# The FORWARD policy is DROP (set at the top of this script) and the
# only FORWARD rules in this file are the TCPMSS clamp and the
# NEW/INVALID drop just below -- there is no FORWARD ACCEPT anywhere, so
# nothing from the LAN is actually forwarded.  If LAN hosts are meant to
# reach the outside, an explicit accept for $LANIFACE -> $EXTIFACE
# traffic and for its ESTABLISHED,RELATED replies is still missing;
# confirm whether forwarding is intended at all.
iptables -t nat -A POSTROUTING -s $LAN -o $EXTIFACE -j MASQUERADE
# Clamp the MSS of forwarded SYNs to the path MTU.
iptables -A FORWARD --protocol tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu
# Disallow NEW and INVALID forwarded packets from external interface.
iptables -A FORWARD -i $EXTIFACE -m state --state NEW,INVALID -j DROP
# Allow full access on our localhost
# If LOOPBACK is left empty these two rules are rejected by iptables and
# loopback traffic falls under the DROP policy, which breaks every local
# service that talks to 127.0.0.1.
iptables -A INPUT -i $LOOPBACK -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK -j ACCEPT
# Allow full access between our LAN and our host
# Only traffic between the LAN range and the single host in NODEFILTER
# is accepted here, in both directions.
iptables -A INPUT -i $LANIFACE -s $LAN -d $NODEFILTER -j ACCEPT
iptables -A OUTPUT -o $LANIFACE -d $LAN -s $NODEFILTER -j ACCEPT
# ICMP: we may originate it on any interface; we only accept it back as
# part of a tracked exchange (no unsolicited inbound ICMP).
for iface in $LOOPBACK $LANIFACE $EXTIFACE; do
iptables -A OUTPUT -o $iface --protocol icmp -m state --state \
NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $iface --protocol icmp -m state --state \
ESTABLISHED,RELATED -j ACCEPT
done
# Make sure NEW tcp connections are SYN packets
# A TCP packet that conntrack regards as NEW but that does not carry
# SYN (and only SYN among SYN/RST/ACK/FIN) is dropped here.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
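# filter well-known TCP services
#
# NOTE(review): everything in this section is appended while the OUTPUT
# policy is already DROP (set at the top of this script) and before any
# DNS rule is in place.  If PRINAME, SECNAME, SMTP, POP3 or NEWS hold
# host names instead of IP addresses, iptables has to resolve each of
# them while the rule is added; with outbound traffic blocked those
# lookups can only time out, which would look exactly like the script
# hanging.  Keep those parameters numeric.  Service names such as
# "domain" or "smtp" are normally resolved locally from /etc/services
# and are not affected.
#
# Reply direction: a reply to a request WE sent arrives FROM the
# server's service port TO our ephemeral port (the registered range
# here).  Every INPUT rule therefore matches
# "--sport <service> --dport $REGISTERED", and every OUTPUT rule the
# mirror image "--sport $REGISTERED --dport <service>" -- the same shape
# the WWW/HTTPS/FTP rules further down use.  No INPUT rule in this
# section accepts NEW connections, so nothing here opens a service port
# on this host to the outside.
# DNS rules for TCP
iptables -A INPUT -s $PRINAME --protocol tcp --sport domain -d \
$IPADDR --dport $REGISTERED -m state --state ESTABLISHED -i $EXTIFACE -j ACCEPT
iptables -A INPUT -s $SECNAME --protocol tcp --sport domain -d \
$IPADDR --dport $REGISTERED -m state --state ESTABLISHED -i $EXTIFACE -j ACCEPT
iptables -A OUTPUT -s $IPADDR --protocol tcp --sport $REGISTERED -d \
$PRINAME --dport domain -m state --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT
iptables -A OUTPUT -s $IPADDR --protocol tcp --sport $REGISTERED -d \
$SECNAME --dport domain -m state --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT
# DNS rules for UDP
# Allow for outgoing DNS queries
iptables -A INPUT -s $PRINAME --protocol udp --sport domain -d \
$IPADDR --dport $REGISTERED -m state --state ESTABLISHED -i $EXTIFACE -j ACCEPT
iptables -A INPUT -s $SECNAME --protocol udp --sport domain -d \
$IPADDR --dport $REGISTERED -m state --state ESTABLISHED -i $EXTIFACE -j ACCEPT
iptables -A OUTPUT -s $IPADDR --protocol udp --sport $REGISTERED -d \
$PRINAME --dport domain -m state --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT
iptables -A OUTPUT -s $IPADDR --protocol udp --sport $REGISTERED -d \
$SECNAME --dport domain -m state --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT
# SMTP (mail we send to the ISP's relay, and its replies)
iptables -A INPUT -s $SMTP --protocol tcp --sport smtp -d \
$IPADDR --dport $REGISTERED -m state --state ESTABLISHED -i $EXTIFACE -j ACCEPT
iptables -A OUTPUT -s $IPADDR --protocol tcp --sport $REGISTERED -d \
$SMTP --dport smtp -m state --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT
# POP3 (mail we fetch from the ISP's server, and its replies)
iptables -A INPUT -s $POP3 --protocol tcp --sport pop3 -d \
$IPADDR --dport $REGISTERED -m state --state ESTABLISHED -i $EXTIFACE -j ACCEPT
iptables -A OUTPUT -s $IPADDR --protocol tcp --sport $REGISTERED -d \
$POP3 --dport pop3 -m state --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT
# NNTP (news we fetch from the ISP's server, and its replies)
iptables -A INPUT -s $NEWS --protocol tcp --sport nntp -d \
$IPADDR --dport $REGISTERED -m state --state ESTABLISHED -i $EXTIFACE -j ACCEPT
iptables -A OUTPUT -s $IPADDR --protocol tcp --sport $REGISTERED -d \
$NEWS --dport nntp -m state --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT
## WWW
# No source restriction: any web server.  Replies (ESTABLISHED) on the
# way in, NEW and ESTABLISHED on the way out.
iptables -A INPUT --protocol tcp --sport www -m state --state \
ESTABLISHED -i $EXTIFACE -j ACCEPT
iptables -A OUTPUT --protocol tcp --dport www -m state \
--state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT
# HTTPS
iptables -A INPUT --protocol tcp --sport https -m state --state \
ESTABLISHED -i $EXTIFACE -j ACCEPT
iptables -A OUTPUT --protocol tcp --dport https -m state --state \
NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT
# FTP (control connection)
iptables -A INPUT -i $EXTIFACE --protocol tcp --sport ftp -m state \
--state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $EXTIFACE --protocol tcp --dport ftp -m state \
--state NEW,ESTABLISHED -j ACCEPT
# Active FTP
# The server opens the data connection towards us from ftp-data, so
# the inbound side needs RELATED as well as ESTABLISHED.
iptables -A INPUT -i $EXTIFACE --protocol tcp --sport ftp-data -m state \
--state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $EXTIFACE --protocol tcp --dport ftp-data -m state \
--state ESTABLISHED -j ACCEPT
# Passive FTP
# NOTE(review): this pair accepts ANY tracked TCP flow between two
# registered-range ports, not only FTP data connections; it relies on
# the state match (and on NEW never being accepted inbound) to keep
# that to flows this host opened itself.
iptables -A INPUT -i $EXTIFACE --protocol tcp --sport $REGISTERED --dport \
$REGISTERED -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $EXTIFACE --protocol tcp --sport $REGISTERED --dport \
$REGISTERED -m state --state ESTABLISHED,RELATED -j ACCEPT
# This rule takes care of programs which aren't covered above
# I need to find a way around this :-(
# NOTE(review): these two catch-alls accept every ESTABLISHED/RELATED
# flow on the way in and every NEW,ESTABLISHED flow on the way out, so
# each per-service rule above is already covered by them and the
# effective policy for this host is "any outbound connection is
# allowed".  Removing the OUTPUT catch-all would make the per-service
# rules the real policy, at the price of breaking whatever programs the
# comment above refers to.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i $EXTIFACE -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED -o $EXTIFACE -j ACCEPT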
# Tail of the INPUT chain, selected by $OPTION (0 = log, 1 = drop,
# 2 = log then drop).  Whatever was not accepted above ends up here.
# With option 0 nothing is dropped by an explicit rule: packets are only
# logged and then fall through to the chain's default policy, which is
# set to DROP near the top of this script.

#######################################
# Append one rate-limited LOG rule for a protocol to the INPUT chain.
# Arguments: $1 - protocol as iptables spells it (tcp/udp/icmp)
#            $2 - label used in the log prefix (TCP/UDP/ICMP)
#######################################
log_denied() {
  iptables -A INPUT --protocol "$1" -m limit --limit 1/minute \
    --limit-burst 4 -j LOG --log-level DEBUG --log-prefix "Denied $2: "
}

#######################################
# Append the explicit DROP rules that end the INPUT chain:
# NEW/INVALID by state first, then an unconditional catch-all.
#######################################
drop_remaining() {
  # Disallow NEW and INVALID
  iptables -A INPUT -m state --state NEW,INVALID -j DROP
  # Drop all other incoming datagrams (if any)
  iptables -A INPUT -j DROP
}

# Logging is appended first so that option 2 logs before it drops.
case "$OPTION" in
  0|2)
    log_denied tcp TCP
    log_denied udp UDP
    log_denied icmp ICMP
    ;;
esac

case "$OPTION" in
  1|2)
    drop_remaining
    ;;
esac