Request for comments: iptables script for use on laptops.

To: debian-laptop@lists.debian.org, debian-security@lists.debian.org
Subject: Request for comments: iptables script for use on laptops.
From: Uwe Hermann <uwe@hermann-uwe.de>
Date: Sun, 21 May 2006 19:40:24 +0200
Message-id: <[🔎] 20060521174024.GA1833@aragorn>

Hi everyone,

this is crossposted to debian-laptop and debian-security, as I believe
it is relevant to both.

Today, I have heavily updated my (GPL'd) iptables script which I have been
using for quite a while now to secure my laptop (and various workstations).
The script is available from http://www.hermann-uwe.de/files/fw_laptop
and is also attached to this email.

The goal is to have a very paranoid/secure firewall ruleset (don't allow
any incoming traffic, only allow minimal outgoing traffic) which makes
sense for laptops.

One major change is that EGRESS traffic is now blocked by default, too
(INGRESS traffic was already blocked previously), and some more sysctl
settings...

I'd like to hear your opinions, comments, suggestions on the approach
and the script. Did I miss some important issues? Did I mess up
somewhere? Are there any serious flaws?


Thanks in advance, Uwe.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org

#!/bin/sh
#------------------------------------------------------------------------------
# File: fw_laptop
# Author: Uwe Hermann <uwe@hermann-uwe.de>
# URL: http://www.hermann-uwe.de/files/fw_laptop
# License: GNU GPL (version 2, or any later version).
# $Id: fw_laptop 515 2006-05-21 17:13:43Z uh1763 $
#------------------------------------------------------------------------------

# A firewall script intended to be used on workstations / laptops. It basically
# blocks all incoming traffic and only allows minimal outgoing traffic.

# Note: This is work in progress! Any comments and suggestions are welcome!

# Thanks for comments and suggestions:
#   * Jean Christophe André <jean-christophe.andre@auf.org>
#   * Ryan Giobbi <rgiobbi@gmail.com>


#------------------------------------------------------------------------------
# Configuration.
#------------------------------------------------------------------------------

# For debugging.
# IPTABLES="/sbin/iptables -v"

IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"

# Logging options.
# Note: We use --log-level debug, so that the messages are not output
# to all virtual consoles (which would be quite annoying).
# Alternative: Start klogd with -c 4 (e.g. by setting KLOGD="-c 4" in the
# /etc/init.d/klogd startup-script.
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"

# Load required kernel modules (if automatic module loading is disabled).
$MODPROBE ip_conntrack_ftp


#------------------------------------------------------------------------------
# Kernel configuration.
# For details see:
#   * http://www.securityfocus.com/infocus/1711
#   * http://www.linuxgazette.com/issue77/lechnyr.html
#   * /usr/src/linux/Documentation/filesystems/proc.txt
#   * /usr/src/linux/Documentation/networking/ip-sysctl.txt
#------------------------------------------------------------------------------

# Disable IP forwarding.
# Note: Turning this on and off should reset all settings to their defaults.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_forward

# Enable IP spoofing protection (i.e. source address verification).
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Ignore all (incoming + outgoing) ICMP ECHO requests (i.e. disable PING).
# Usually not a good idea, as some protocols and users need/want this.
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore ICMP ECHO requests to broadcast/multicast addresses. We do not
# want to participate in smurf (and similar) DoS attacks.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Don't log invalid responses to broadcast frames, they just clutter the logs.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Don't accept or send ICMP redirects.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Don't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable multicast routing. Should not be needed, usually.
# TODO: This throws an "Operation not permitted" error. Why?
# echo 0 > /proc/sys/net/ipv4/conf/all/mc_forwarding

# Disable proxy_arp. Should not be needed, usually.
echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp 

# Enable secure redirects, i.e. only accept ICMP redirects for gateways
# listed in the default gateway list. Helps against MITM attacks.
echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects 

# Disable bootp_relay. Should not be needed, usually.
echo 0 > /proc/sys/net/ipv4/conf/all/bootp_relay

# TODO: These may mitigate ARP poisoning attacks?
# /proc/sys/net/ipv4/neigh/*/locktime
# /proc/sys/net/ipv4/neigh/*/gc_stale_time

# TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.
# Are there any security-relevant options I missed? Check especially:
# icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.


#------------------------------------------------------------------------------
# Cleanup.
#------------------------------------------------------------------------------

# Delete all rules.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Delete all (non-builtin) user-defined chains.
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# Zero all packet and byte counters.
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z


#------------------------------------------------------------------------------
# Default policies: drop everything.
#------------------------------------------------------------------------------

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP


#------------------------------------------------------------------------------
# Custom user-defined chains.
#------------------------------------------------------------------------------

# LOG packets, then ACCEPT them.
$IPTABLES -N ACCEPTLOG
$IPTABLES -A ACCEPTLOG -j $LOG --log-prefix "ACCEPTLOG "
$IPTABLES -A ACCEPTLOG -j ACCEPT

# LOG packets, then DROP them.
$IPTABLES -N DROPLOG
$IPTABLES -A DROPLOG -j $LOG --log-prefix "DROPLOG "
$IPTABLES -A DROPLOG -j DROP

# LOG packets, then REJECT them. TCP packets are rejected with TCP Reset.
$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -j $LOG --log-prefix "REJECTLOG "
$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECTLOG -j REJECT


#------------------------------------------------------------------------------
# ICMP.
#------------------------------------------------------------------------------

# Allow outgoing pings (echo request, fragmentation needed, time exceeded).
$IPTABLES -A OUTPUT -m state --state NEW -p icmp --icmp-type 8 -j ACCEPT 
$IPTABLES -A OUTPUT -m state --state NEW -p icmp --icmp-type 3 -j ACCEPT 
$IPTABLES -A OUTPUT -m state --state NEW -p icmp --icmp-type 11 -j ACCEPT 

# Allow incoming pings, but rate-limit them. We don't want to be DoS'd.
$IPTABLES -A INPUT -m limit --limit 3/s --limit-burst 8 \
          -p icmp --icmp-type 8 -j ACCEPT 
$IPTABLES -A INPUT -m limit --limit 3/s --limit-burst 8 \
          -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/s --limit-burst 8 \
          -p icmp --icmp-type 11 -j ACCEPT


#------------------------------------------------------------------------------
# Miscellaneous.
#------------------------------------------------------------------------------

# Drop SMB, CIFS, and related Windows traffic without logging. We don't care.
$IPTABLES -A INPUT -p tcp -m multiport \
          --sports 135,137,138,139,445,1433,1434 -j DROP
$IPTABLES -A INPUT -p udp -m multiport \
          --sports 135,137,138,139,445,1433,1434 -j DROP

# Hinder portscanners a bit.
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# Limit logging in case of flooding.
# $IPTABLES -A INPUT -j LOG -m limit --limit 1/s --limit-burst 8

# TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
# $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG


#------------------------------------------------------------------------------
# Drop any traffic from IANA-reserved IPs.
# For details see:
#   * ftp://ftp.iana.org/assignments/ipv4-address-space
#   * http://www.cymru.com/Documents/bogon-bn-agg.txt
#------------------------------------------------------------------------------

# TODO: Is this a good idea? Does it work?

$IPTABLES -A INPUT -s 0.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 2.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 5.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 7.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 23.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 27.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 31.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 36.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 39.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 42.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 49.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 50.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 77.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 78.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 92.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 96.0.0.0/4 -j DROP
$IPTABLES -A INPUT -s 112.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 120.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -s 173.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 174.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 176.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 184.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 192.0.2.0/24 -j DROP
# $IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -s 197.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 198.18.0.0/15 -j DROP
$IPTABLES -A INPUT -s 223.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 224.0.0.0/3 -j DROP


#------------------------------------------------------------------------------
# Selectively allow certain special types of traffic.
#------------------------------------------------------------------------------

# Allow all ingoing and outgoing connections on the loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Allow incoming connections related to existing allowed connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections related to existing allowed connections.
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Uncomment this (and comment the above line) to allow ALL outgoing traffic.
# $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 

#------------------------------------------------------------------------------
# Selectively allow certain outbound connections, block the rest.
# TODO: This could be tightened a bit more (limit source/dest port ranges).
#------------------------------------------------------------------------------

# Allow outgoing DNS requests. Few things will work without this.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow outgoing HTTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow outgoing HTTPS requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT

# Allow outgoing "submission" requests.
# Submission (RFC 2476) is used for sending email, and uses port 587.
# This can be encrypted or unencrypted, depending on the server (I think).
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT

# Allow outgoing POP3S requests. Do NOT allow unencrypted POP3!
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow outgoing SSH requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow outgoing FTP requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_ftp kernel module.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow outgoing NNTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow outgoing Tor (http://tor.eff.org) requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT

# TODO: DCHP, IRC, ICQ, ...?


#------------------------------------------------------------------------------
# Selectively allow certain inbound connections, block the rest.
#------------------------------------------------------------------------------

# Allow DNS requests.
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow HTTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow HTTPS requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow POP3 requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

# Allow POP3S requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow SMTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

# Allow SSH requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow FTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow NNTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow BitTorrent requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT

# # Allow nc requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT


#------------------------------------------------------------------------------
# Log and drop / reject everything else.
#------------------------------------------------------------------------------

# Explicitly REJECT (not DROP) incoming auth requests for increased speed.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 113 -j REJECTLOG

$IPTABLES -A INPUT -j DROPLOG
$IPTABLES -A OUTPUT -j REJECTLOG
$IPTABLES -A FORWARD -j DROPLOG


#------------------------------------------------------------------------------
# Exit gracefully.
#------------------------------------------------------------------------------

exit 0

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: Request for comments: iptables script for use on laptops.
  - From: Vineet Kumar <vineet@doorstop.net>

Prev by Date: Re: wpasupplicant dhcp ifplugd
Next by Date: Any good Wireless Tools?
Previous by thread: GRMN Garmin
Next by thread: Re: Request for comments: iptables script for use on laptops.
Index(es):
- Date
- Thread