
Re: Updated firewall script.



Thanks for your further input.

Yesterday I installed the latest Ubuntu (I already have Deb-test 7 sid on a
ThinkPad T42) to see how it looks.  It ships with NO FIREWALL at all: everything is open.

Meanwhile I enhanced my iptables script to allow only ssh and nfs within my own network and to limit the damage from the WWW side. Using your input and that of others, I upgraded my previously overly simple script, as follows:

=================================================

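#!/bin/sh
# /OPT/sbin/ziptables
# /etc/init.d/local
#
# Host firewall for a workstation on a small LAN (192.168.0.0/28):
#   - loopback is unrestricted
#   - ssh/nfs/portmap/mountd/cups/dhcp/dns are accepted only from the LAN
#   - new outbound connections to the WWW are limited to a fixed set of
#     client protocols
#   - everything else is logged (rate-limited) and dropped
#
# Fail-closed: the default policy of every chain is set to DROP *before*
# anything else, so if a rule below fails to load the host is left closed
# rather than wide open (a flushed table otherwise defaults to ACCEPT).
# Consequence: test this from the console, not over ssh.
# NOTE: this filters IPv4 only. If IPv6 is enabled on the box, ip6tables
# needs the same treatment or all IPv6 traffic is unfiltered.
set -e

LAN=192.168.0.0/28
MOUNTD_PORT=33333   # fixed port for rpc.mountd so it can be firewalled

# DEFAULT POLICY: DROP (must come first, see header)
  iptables -P INPUT   DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT  DROP
# FLUSH, DELETE, ZERO
  iptables -t mangle -F     # flush: mangle,nat,filter
  iptables -t nat    -F
  iptables -t filter -F
  iptables -X               # delete existing chains
  iptables -Z               # zero counters
#
# Kernel hardening. Some of these may already be the distro default, but
# setting them explicitly cannot hurt.
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter            # drop spoofed sources
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all          # no ping replies at all
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  echo 0 > /proc/sys/net/ipv4/ip_forward                    # not a router
# ---------------------------------------------------------- unexpected
# DROP fragments, "NEW but not SYN", and XMAS/NULL scans.
# (With conntrack loaded the kernel reassembles fragments before the filter
# table sees them, so -f rarely matches; kept as belt-and-braces.)
  iptables -A FORWARD -j DROP
  iptables -A INPUT  -j DROP -f
  iptables -A INPUT  -j DROP -m state --state NEW -p tcp ! --syn
  iptables -A INPUT  -j DROP -m state --state NEW -p tcp --tcp-flags ALL ALL
  iptables -A INPUT  -j DROP -m state --state NEW -p tcp --tcp-flags ALL NONE
# ---------------------------------------------------------- expected
# ACCEPT replies to connections we already track, LocalNet & WWW alike.
# This also covers ICMP errors tied to a tracked connection (RELATED).
  iptables -A INPUT  -j ACCEPT -m state --state ESTABLISHED,RELATED
  iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
# ----------------------------------------------------------- LOOPBACK:
# ALLOW everything on the loopback interface. Match on the interface, not
# on -s/-d 127.0.0.1: a source address can be forged in a packet arriving
# on eth0, the ingress interface cannot.
  iptables -A INPUT  -j ACCEPT -i lo
  iptables -A OUTPUT -j ACCEPT -o lo
# ==========================================================LOCAL-NET:
# ALLOW new connections within the local network.
# --dports, not --ports: --ports also matches the *source* port, which
# would let any LAN host reach any local service just by sending from
# source port 22 or 53. Replies are covered by ESTABLISHED,RELATED above.
# TCP: 22=ssh,67/68=dhcp,111=portmap,631=cups,2049=nfs,33333=mountd
  iptables -A INPUT  -j ACCEPT -s "$LAN" -p tcp \
    -m state --state NEW -m multiport --dports 22,67,68,111,631,2049,"$MOUNTD_PORT"
  iptables -A OUTPUT -j ACCEPT -d "$LAN" -p tcp \
    -m state --state NEW -m multiport --dports 22,111,631,2049,"$MOUNTD_PORT"
# UDP: 53=dns,67/68=dhcp,111=portmap,2049=nfs,33333=mountd
  iptables -A INPUT  -j ACCEPT -s "$LAN" -p udp \
    -m state --state NEW -m multiport --dports 22,53,67,68,111,2049,"$MOUNTD_PORT"
  iptables -A OUTPUT -j ACCEPT -d "$LAN" -p udp \
    -m state --state NEW -m multiport --dports 22,53,111,2049,"$MOUNTD_PORT"
# ICMP: accept destination-unreachable (type 3) from the LAN so NFS/UDP
# hear about unreachable ports and fragmentation-needed; echo stays
# ignored via the sysctl above.
  iptables -A INPUT  -j ACCEPT -s "$LAN" -p icmp -m icmp --icmp-type 3
  iptables -A OUTPUT -j ACCEPT -d "$LAN" -p icmp -m icmp --icmp-type 3
# NFS/mount: force a static port so the rules above can pin it.
# NOTE(review): starting rpc.mountd from the firewall script means every
# re-run tries to start a second daemon; the cleaner place is the NFS
# server's own config (e.g. MOUNTD_PORT in /etc/default/nfs-kernel-server).
# The failure is reported but does not abort the remaining rules.
##  export MOUNTD_PORT="33333"
  rpc.mountd -p "$MOUNTD_PORT" \
    || printf 'ziptables: rpc.mountd -p %s failed (already running?)\n' "$MOUNTD_PORT" >&2
# ============================================================ WWW-NET:
# ALLOW new outbound connections to the foreign WWW for a fixed set of
# client protocols (destination ports only, same reasoning as above).
# TCP: 21=ftp,25=smtp,37=time,80=http,110=pop3,119=nntp,443=https
# UDP: 53=dns
  iptables -A OUTPUT -j ACCEPT -p udp -m state --state NEW --dport 53
  iptables -A OUTPUT -j ACCEPT -p tcp -m state --state NEW \
    -m multiport --dports 21,25,37,80,110,119,443
# ============================================================ Log
# Log what falls through, for diagnostics -> /var/log/messages.
# One rate-limited LOG rule per chain: an unlimited LOG rule placed after a
# limited one logs everything anyway and floods the log under a port scan.
  iptables -A INPUT  -j LOG -m limit --limit 5/m --log-prefix ZZI-
  iptables -A OUTPUT -j LOG -m limit --limit 5/m --log-prefix ZZO-
  iptables -A INPUT  -j DROP                  # drop all unexpected
  iptables -A OUTPUT -j DROP                  # drop all unexpected (policy does this too)
# -n: no reverse DNS lookups, which would otherwise go out through these
# very rules and can stall the listing.
  iptables -L -n -v
#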


