iptables for 1 interface pc and other questions

Hello,

I'm trying to set up an iptables firewall instead of letting Shorewall do it for
me. Shorewall works great, but I'm trying to learn iptables. After having read
the man pages and some tutorials, I'm going to take the plunge.

My setup is also simple: eth0 gets an IP address from my ISP via DHCP. That's it.
What I'm trying to accomplish is rather simple:
* Deny everything in, except if it is from an existing or related connection.
* Also, only certain services are allowed out (to work against trojans).
  These services are ping, DNS, proxy of ISP (8080), DHCP, news, SMTP, MSN/Gaim,
  IRC, WWW, IMAP, POP3, FTP (+ FTP data), SSH.
All the rest should be blocked and logged.

This is the script:
================================================================
#!/bin/sh

# Set variables needed for a 1 interface system where interface eth0 gets
# an ip from the isp (cable modem) over dhcp
IPT=`which iptables`
DEP=`which depmod`
INS=`which insmod`
EXTIF="eth0"
LO="lo"

#Insert necessary modules
$INS ip_tables
$INS ip_conntrack
$INS ip_conntrack_ftp
$INS ip_conntrack_irc
$INS iptable_filter
$INS ipt_limit
$INS ipt_state
$INS ipt_unclean

# Dynamic IP
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#Clearing any previous configuration
$IPT -P INPUT DROP
$IPT -F INPUT 
$IPT -P OUTPUT DROP
$IPT -F OUTPUT 
$IPT -P FORWARD DROP
$IPT -F FORWARD 
$IPT -t nat -F
$IPT -X
$IPT -Z

###############################################################################
#### INPUT ####
###############################################################################
#is covered by last rule? $IPT -A INPUT -p ALL -m state --state NEW,INVALID -j DROP
$IPT -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT     # no space after the comma, or iptables rejects the rule
$IPT -A INPUT -p ALL -j LOG --log-level info --log-prefix "INPUT: dropped packets"   # LOG options must come after -j LOG
$IPT -A INPUT -p ALL -j DROP

###############################################################################
#### OUTPUT ####
###############################################################################

### allow outside: ping, dns, proxy of isp (8080), dhcp, news, smtp, msn/gaim?,
###                irc, www, imap, pop3, ftp (+ftpdata), ssh

### all tcp ports ###
$IPT -A OUTPUT -p tcp --sport 68 --dport 67 -j ACCEPT       # DHCP to isp (client port 68 -> server port 67; DHCP is UDP only, so this tcp rule never matches)
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT                  # www
$IPT -A OUTPUT -p tcp --dport 22 -j ACCEPT                  # ssh
$IPT -A OUTPUT -p tcp --dport 21 -j ACCEPT                  # ftp
$IPT -A OUTPUT -p tcp --dport 110 -j ACCEPT                 # pop3
$IPT -A OUTPUT -p tcp --dport 143 -j ACCEPT                 # imap
$IPT -A OUTPUT -p tcp --dport 194 -j ACCEPT                 # irc
$IPT -A OUTPUT -p tcp --dport 25 -j ACCEPT                  # smtp
$IPT -A OUTPUT -p tcp --dport 119 -j ACCEPT                 # news
$IPT -A OUTPUT -p tcp --dport 8080 -j ACCEPT                # proxy isp
$IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT                  # dns

### all udp ports ###
$IPT -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT       # DHCP to isp (client sends from port 68 to server port 67)
$IPT -A OUTPUT -p udp --dport 80 -j ACCEPT                  # www
$IPT -A OUTPUT -p udp --dport 22 -j ACCEPT                  # ssh
$IPT -A OUTPUT -p udp --dport 21 -j ACCEPT                  # ftp
$IPT -A OUTPUT -p udp --dport 110 -j ACCEPT                 # pop3
$IPT -A OUTPUT -p udp --dport 143 -j ACCEPT                 # imap
$IPT -A OUTPUT -p udp --dport 194 -j ACCEPT                 # irc
$IPT -A OUTPUT -p udp --dport 25 -j ACCEPT                  # smtp
$IPT -A OUTPUT -p udp --dport 119 -j ACCEPT                 # news
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT                  # dns

### all icmp ###
$IPT -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT

### log all the rest ###
$IPT -A OUTPUT -p ALL -j LOG --log-level info --log-prefix "OUTPUT: dropped packets"   # LOG options must come after -j LOG
$IPT -A OUTPUT -p ALL -j DROP

###############################################################################
#### FORWARD ####
###############################################################################

### I found these in a tutorial somewhere. Are these handy or of no use in a
### 1 interface environment?

# Syn-flood protection: 
# $IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# Furtive port scanner: 
# $IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Ping of death: 
# $IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

### log all the rest (I shouldn't get packets here?) ###
$IPT -A FORWARD -p ALL -j LOG --log-level info --log-prefix "FORWARD: dropped packets"   # LOG options must come after -j LOG
$IPT -A FORWARD -p ALL -j DROP
================================================================
Is this setup workable and safe? What should I add?
Do I need to add a rule to explicitly deny addresses on eth0 that are RFC 1918,
or is this already covered by the rules I specified? (I think so.)
Also, do I need to add rules for ping of death in my INPUT chain? Or is this
supposed to be added in the FORWARD chain?

Some other questions:
* Am I correct in assuming that on a 1 interface system as above,
  only the INPUT and OUTPUT chains are used? Or should one check the FORWARD
  chain anyway?

* In a 2 interface gateway, eth0 (internet), eth1 (LAN):
-> From the net, to the firewall machine and then to a host on the LAN passes
   the FORWARD chain on eth0 and the INPUT chain on eth1. Correct?
-> From a host on the LAN, to the firewall machine and then to the net passes
   the OUTPUT chain on eth1 and the FORWARD chain on eth0. Correct?

If this works out, I'm going to extend this script for a 2 LAN system. My server
is in repair, but as soon as it's repaired (probably a dead mobo), I'll reinstall
woody there and try my hand at a similar iptables script. There eth0 will get
the IP address from the ISP, and eth1 is the internal IP where the DHCP
server is also listening to serve IPs to the computers on my LAN.

Thanks,
Benedict
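The single-interface ruleset from the mail above, restructured as an added example (my code, not Benedict's script): it accepts reply and related traffic in OUTPUT as well (so ftp-data and ICMP errors work), drops RFC 1918 sources arriving on eth0 before anything else, allows loopback, sends the DHCP client request from port 68 to 67, and puts the LOG options after -j LOG. It assumes the external interface is eth0 and, with IPT unset, only prints the iptables commands as a dry run.

```shell
#!/bin/sh
# Added example, not the script from the mail. Dry run by default: IPT=echo
# prints the iptables commands instead of running them, so the generated
# ruleset can be reviewed anywhere. Use IPT=/sbin/iptables to apply it.
IPT="${IPT:-echo}"
EXTIF="${EXTIF:-eth0}"

# Outbound services the box may open itself, as "proto:port:name"
OUT_SERVICES="tcp:80:www tcp:22:ssh tcp:21:ftp tcp:110:pop3 tcp:143:imap \
tcp:194:irc tcp:25:smtp tcp:119:news tcp:8080:proxy tcp:53:dns udp:53:dns"

# RFC 1918 ranges; a packet from these can never legitimately arrive via the ISP
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

rule() { "$IPT" "$@"; }

gen_rules() {
    rule -P INPUT DROP; rule -P OUTPUT DROP; rule -P FORWARD DROP
    rule -F; rule -X; rule -Z

    # INPUT: anti-spoof first, then reply traffic, then loopback, then log+drop
    for net in $RFC1918; do
        rule -A INPUT -i "$EXTIF" -s "$net" -j DROP
    done
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -j LOG --log-level info --log-prefix "INPUT: dropped "
    rule -A INPUT -j DROP

    # OUTPUT: replies and related flows (ftp-data, ICMP errors) first,
    # then only NEW connections to the listed services
    rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    # DHCP client request: from our port 68 to the server's port 67, UDP only
    rule -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
    for svc in $OUT_SERVICES; do
        proto=${svc%%:*}; rest=${svc#*:}; port=${rest%%:*}
        rule -A OUTPUT -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done
    rule -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT   # outgoing ping
    rule -A OUTPUT -j LOG --log-level info --log-prefix "OUTPUT: dropped "
    rule -A OUTPUT -j DROP
    # FORWARD is only traversed by routed packets; a single-interface host
    # never routes, so the DROP policy alone is enough there
}

gen_rules
```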