I'm not saying knowing iptables is bad, but Shorewall is much better than these kinds of things. I think you may have some unlogged drops, that'd be the first thing to check.

Ralph Sanchez <rwsanchez3@gmail.com> wrote:

> Hello All, I have taken up to writing this bash script to change my iptables rules. It seems the only issue I've found is that it seems to not want to connect to certain websites at some moments and not others, or generally but sometimes it lets it through without changing anything. This completely stops if I add RELATED to my OUTPUT ACCEPT next to NEW, just not sure how that impacts security exactly.
>
> Also, any advice on making this script better, or stronger per security, would be appreciated as this is both my first time scripting in bash from scratch and my first IPTABLES venture.
>
> Oh, and don't mind the echo lines, those are solely for my entertainment upon running.
>
> #!/bin/sh
>
> IPT=/sbin/iptables
> IP6=/sbin/ip6tables
> echo "[+] ENTRY PLUG EJECTED, READY FOR PILOT ENTRY"
> read OK
>
> echo " $OK ENTRY PLUG INSERTION COMPLETE"
>
> echo "[+] Flooding the cockpit with LCL. Don't try and hold your breath, just breath normal. It's weird at first, but you'll get used to it "
>
> $IPT -F
> $IPT -F -t nat
> $IPT -X
>
> echo "[+] Synch ratio 99%, within permissable parameters..."
>
> $IP6 -P INPUT DROP
> $IP6 -P FORWARD DROP
> $IP6 -P OUTPUT DROP
> $IPT -P INPUT DROP
> $IPT -P FORWARD DROP
> $IPT -P OUTPUT DROP
>
> ## INPUT Rules ##
>
> echo "[+] AT Field is active, moving EVA UNIT 1 to elevator 24..."
>
> $IPT -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID_DROPS" --log-ip-options --log-tcp-options
> $IPT -A INPUT -m conntrack --ctstate NEW -j LOG --log-prefix "NEW_DROPS" --log-ip-options --log-tcp-options
> $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
> $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
> $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> $IPT -A INPUT --in-interface lo -j ACCEPT
> $IPT -A INPUT -p tcp --dport 443 -j ACCEPT
> $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
>
> ## FORWARD Rules ##
>
> #$IPT -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID_FORWARD" --log-ip-options --log-tcp-options
> #$IPT -A FORWARD -i lo -j ACCEPT
> #$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
> #$IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>
> ## OUTPUT Rules ##
>
> echo "[+] It's up to you now, Shinji..."
>
> $IPT -A OUTPUT --out-interface lo -j ACCEPT # Allows ALL Loopback traffic
> $IPT -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT # Only allow NEW connection outbound.
> $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT # Allows Privoxy via HTTP and HTTPS
> $IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT # ACCEPT outbound https
> $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT # ACCEPT outbound http (DO NOT LEAVE ACTIVE!)
> $IPT -A OUTPUT -m owner --uid-owner root -j ACCEPT # Allows ALL root requests
Attachment: Encryption key for Jonathan Plews.asc (application/pgp-keys)
Attachment: signature.asc (OpenPGP Digital Signature)