Re: iptables for 1 interface pc and other questions
Hello,
below is the new 1 nic firewall setup with a lot of recommendations
and ideas from Jason McCarty.
I changed the INPUT and OUTPUT rules mainly but didn't touch the
FORWARD rule. I think all the line's there are useless in a 1 nic
setup.
#!/bin/sh
# Set variables needed for a 1 interface system where interface eth0 gets
# an ip from the isp (cable modem) over dhcp
IPT=`which iptables`
DEP=`which depmod`
INS=`which insmod`
EXTIF="eth0"
LO="lo"
RESERVED_NET="
0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 \
5.0.0.0/8 \
7.0.0.0/8 \
23.0.0.0/8 \
27.0.0.0/8 \
31.0.0.0/8 \
36.0.0.0/8 37.0.0.0/8 \
39.0.0.0/8 \
41.0.0.0/8 42.0.0.0/8 \
58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 \
82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 \
95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8 \
102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 \
108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 \
114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 \
120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 \
126.0.0.0/8 127.0.0.0/8 \
197.0.0.0/8 \
219.0.0.0/8 220.0.0.0/8 221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 \
224.0.0.0/8 225.0.0.0/8 226.0.0.0/8 227.0.0.0/8 228.0.0.0/8 229.0.0.0/8 \
230.0.0.0/8 231.0.0.0/8 232.0.0.0/8 233.0.0.0/8 234.0.0.0/8 235.0.0.0/8 \
236.0.0.0/8 237.0.0.0/8 238.0.0.0/8 239.0.0.0/8 \
240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 \
246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 \
252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"
#Insert necessary modules
$INS ip_tables
$INS ip_conntrack
$INS ip_conntrack_ftp
$INS ip_conntrack_irc
$INS iptable_filter
$INS ipt_limit
$INS ipt_state
$INS ipt_unclean
#Clearing any previous configuration
$IPT -X
$IPT -Z
$IPT -P INPUT DROP
$IPT -F INPUT
$IPT -P OUTPUT DROP
$IPT -F OUTPUT
$IPT -P FORWARD DROP
$IPT -F FORWARD
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
# Create the rules
$IPT -N inet_in
$IPT -N local_in
$IPT -N checkspoof
$IPT -N logspoof
$IPT -N inet_out
$IPT -N local_out
# Dynamic IP
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Disable spoofing
echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
# Block all echo requests
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Add synflood protection
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Log martians
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# Not accept ICMP redirect messages
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Track nr of connections
echo "16384" > /proc/sys/net/ipv4/ip_conntrack_max
# Disable ICMP send_redirect
echo "0" > /proc/sys/net/ipv4/conf/eth0/send_redirects
# Don't accept source routed packets.
echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
# ICMP Broadcasting protection (smurf amplifier protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# ICMP Dead Error Messages protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# LooseUDP patch is required by some internet-based games
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
# IP forwarding (need it to perform for example NAT)
# echo "1" > /proc/sys/net/ipv4/ip_forward
# Reduce DoS'ing ability by reducing timeouts
# Defaults:
# echo 60 > /proc/sys/net/ipv4/tcp_fin_timeout
# echo 7200 > /proc/sys/net/ipv4/tcp_keepalive_time
# echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
# echo 1 > /proc/sys/net/ipv4/tcp_sack
echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
# Set out local port range
# Default echo "1024 4999" > /proc/sys/net/ipv4/ip_local_port_range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
# Time To Live (TTL) is the term for a data field in the internet protocol.
# TTL is today interpreted to indicate the maximum number of routers a packet may transit.
echo "64" > /proc/sys/net/ipv4/ip_default_ttl
# Increase the default queuelength. (Kernel Default: 1024)
echo "2048" > /proc/sys/net/ipv4/ip_queue_maxlen
# Enable ECN? (Explicit Congestion Notification)
echo "1" > /proc/sys/net/ipv4/tcp_ecn
###############################################################################
logspoof ####
###############################################################################
$IPT -A logspoof -m limit --limit 3/min -j LOG --log-prefix \
"ip spoofing detected " --log-tcp-sequence --log-level info
$IPT -A logspoof -j DROP
###############################################################################
checkspoof ####
###############################################################################
# this ip is used by my isp for something (don't know what) and is send every 2 minutes so i do
# not even want to log this! Annoying isp. It goes to address 224.0.0.1
$IPT -A checkspoof -s 10.95.11.80 -j DROP
## Class A Reserved
$IPT -A checkspoof -s 10.0.0.0/8 -j logspoof
## Class B Reserved
$IPT -A checkspoof -s 172.16.0.0/12 -j logspoof
## Class C Reserved
$IPT -A checkspoof -s 192.168.0.0/16 -j logspoof
## Class D Reserved
$IPT -A checkspoof -s 224.0.0.0/4 -j logspoof
## Class E Reserved
$IPT-A checkspoof -s 240.0.0.0/5 -j logspoof
for NET in $RESERVED_NET; do
$IPT -A checkspoof -s $NET -j logspoof
done
###############################################################################
inet_in ####
###############################################################################
$IPT -A inet_in -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "inet_in: New not syn:"
$IPT -A inet_in -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A inet_in -j checkspoof
$IPT -A inet_in -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
###############################################################################
local_in ####
###############################################################################
iptables -A local_in -j ACCEPT
###############################################################################
inet_out ####
###############################################################################
### allow outside: ping, dns, proxy of isp (8080), dhcp, news, smtp, msn/gaim?,
### irc, www, imap, pop3, ftp (+ftpdata), ssh
### all tcp ports ###
#$IPT -A inet_out -o eth0 -p tcp --sport 67 --dport 68 -j ACCEPT # DHCP to isp
$IPT -A inet_out -o eth0 -p tcp --dport 80 -j ACCEPT # www
$IPT -A inet_out -o eth0 -p tcp --dport 22 -j ACCEPT # ssh
$IPT -A inet_out -o eth0 -p tcp --dport 21 -j ACCEPT # ftp
$IPT -A inet_out -o eth0 -p tcp --dport 110 -j ACCEPT # pop3
$IPT -A inet_out -o eth0 -p tcp --dport 143 -j ACCEPT # imap
$IPT -A inet_out -o eth0 -p tcp --dport 6667 -j ACCEPT # irc
$IPT -A inet_out -o eth0 -p tcp --dport 25 -j ACCEPT # smtp
$IPT -A inet_out -o eth0 -p tcp --dport 119 -j ACCEPT # news
$IPT -A inet_out -o eth0 -p tcp --dport 8080 -j ACCEPT # proxy isp
$IPT -A inet_out -o eth0 -p tcp --dport 53 -j ACCEPT # dns
### all udp ports ###
$IPT -A inet_out -o eth0 -p udp --sport 67 --dport 68 -j ACCEPT # DHCP to isp
$IPT -A inet_out -o eth0 -p udp --dport 53 -j ACCEPT # dns
### all icmp ###
$IPT -A inet_out -o eth0 -p icmp --icmp-type 3 -j ACCEPT
$IPT -A inet_out -o eth0 -p icmp --icmp-type 8 -j ACCEPT
$IPT -A inet_out -o eth0 -p icmp --icmp-type 0 -j ACCEPT
$IPT -A inet_out -o eth0 -p icmp --icmp-type 11 -j ACCEPT
###############################################################################
local_out ####
###############################################################################
$IPT -A local_out -j ACCEPT
###############################################################################
INPUT ####
###############################################################################
#is covered by last rule? $IPT -A INPUT -p ALL -m state --state NEW,INVALID -j DROP
$IPT -A INPUT -i $EXTIF -j inet_in
$IPT -A INPUT -i $LO -j local_in
$IPT -A INPUT -i $EXTIF -p ALL --log-level info --log-prefix "INPUT: dropped packets" -j LOG
$IPT -A INPUT -i $EXTIF -p ALL -j DROP
###############################################################################
#### OUTPUT ####
###############################################################################
$IPT -A OUTPUT -o $EXTIF -j inet_out
$IPT -A OUTPUT -o $LO -j local_out
$IPT -A OUTPUT -o $EXTIF -p ALL --log-level info --log-prefix "OUTPUT: dropped packets" -j LOG
$IPT -A OUTPUT -o $EXTIF -p ALL -j DROP
###############################################################################
#### FORWARD ####
###############################################################################
### i found these in a tutorial somewhere. are these handy or not of use in a
### 1 interface environment
# Syn-flood protection:
$IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Furtive port scanner:
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Ping of death:
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD -m state --state INVALID -j DROP
### log all the rest (i shouldn't get packets here?) ###
$IPT -A FORWARD -p ALL --log-level info --log-prefix "FORWARD: dropped packets" -j LOG
$IPT -A FORWARD -p ALL -j DROP
Reply to: