RE: iptables and apt-get

["Jones, Steven" <sjones08@eds.com>]

I'd put the default INPUT policy last.

 

here is mine

 

note some of this is experimental as per my notes in the file.

 

#!/bin/bash
#iptables firewall script
#17/06/01
#14/5/02 flushing and prerouting logs added, other rules added but not
#27/9/2002 mods for wireless laptop and 3 nics active
#8/12/2002 wi-fi working mk1
#start ip_forwarding in /etc/network/options
#elvis firewall 19/12/2002

# rules below to be tested
# Disable response to ping.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

 

# network. Source routing is rarely used for legitimate purposes.
#/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

 

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter
# your routeing tables, possibly to a bad end.
#/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

 

#These 3 lines below allow flushing without a
#reBoot.

 

iptables -F
iptables -X
iptables -Z
echo "flushed rules"

 

#set constants
outer_nic="eth0"
#wifi_nic1="eth1"
#inner_nic2="eth2"
inner_nic1="eth1"
#wifiipsec="ipsec0"
#wifi_nw1="172.31.0.0/16"
echo "firewall constants setup"
#load any modules needed for connection tracking
#allow passive ftp
/sbin/modprobe ip_conntrack_ftp
echo "started connection tracking"

 

#individual port forwarding
echo "no portfw started"

 

#post routeing rules
#iptables -t nat -A POSTROUTING -s $wifi_nw1 -o $outer_nic -j MASQUERADE
#iptables -t nat -A POSTROUTING -o $outer_nic -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $wifi_nw2 -o $outer_nic -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $wifi_nw2 -d 0.0.0.0/0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $wifi_nw1 -o inner_nic2 \

#-j MASQUERADE

 

#forward rules
#iptables -A FORWARD -i $wifi_nic1 -j DROP
#iptables -A FORWARD -i $wifi_nic1 -j ACCEPT
#iptables -A FORWARD -i $wifiipsec -j ACCEPT
#iptables -A FORWARD -i $inner_nic2 -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
#echo "FORWARD rules in place"
echo "no FORWARD rules in place"

 

#INPUT rules
#specific ipsec lines
#iptables -A INPUT -p udp --dport 500 -j ACCEPT
#iptables -A INPUT -p 50 -j ACCEPT
#iptables -A INPUT -p 51 -j ACCEPT
#echo "IPSEC rules now in place"
echo "IPSEC rules not activated"
#general
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p udp --dport 21 -j ACCEPT
#smb
iptables -A INPUT -p udp --dport 137 -j ACCEPT
#iptables -A INPUT -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -p udp --dport 138 -j ACCEPT
iptables -A INPUT -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -p udp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j ACCEPT
#web
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#x11 drop
iptables -A INPUT  -p udp --dport 6000:6009 -j DROP
iptables -A INPUT  -p tcp --dport 6000:6009 -j DROP
#specific worm / problem blocking
iptables -A INPUT  -p tcp --dport 23 -j DROP
iptables -A INPUT  -p tcp --dport 25 -j DROP
iptables -A INPUT  -p tcp --dport 53 -j DROP
iptables -A INPUT  -p udp --dport 53 -j DROP
iptables -A INPUT  -p tcp --dport 135 -j DROP
iptables -A INPUT  -p tcp --dport 445 -j DROP
iptables -A INPUT  -p tcp --dport 1080 -j DROP
iptables -A INPUT  -p tcp --dport 1214 -j DROP
iptables -A INPUT  -p tcp --dport 1433 -j DROP
iptables -A INPUT  -p tcp --dport 1434 -j DROP
iptables -A INPUT  -p tcp --dport 1080 -j DROP

 

#iptables -A INPUT -s $wifi_nw1 -p tcp --syn --dport 22 -j ACCEPT
#iptables -A INPUT -i $wifi_nic1 -p TCP --destination-port 22 -j ACCEPT
#iptables -A INPUT -s $inner_fw -p tcp --syn --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! $outer_nic -j ACCEPT

#iptables -A INPUT -i $wifiipsec -j ACCEPT

 

#allow ping replies (may not be desired)
#iptables -A INPUT -p icmp -s 0/0 --icmp-type echo-request -j ACCEPT
#me playing below with icmp
iptables -A INPUT -p icmp -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 4 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
#to be tested
#iptables -A INPUT -i $IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS:
#"
#iptables -A INPUT -i $outer_nic -f -j DROP

 

iptables -P INPUT DROP
echo "INPUT rules now in place"

 

#output tables are default
#echo "output rules now in place"
#limit logging levels to save clutter and /var from being swamped
iptables -A FORWARD -m limit -j LOG
echo "log limiting in place"

 

#specific defence rules eg DoS attacks
#syn-flood protection
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#furtive port scanner
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit \
--limit 1/s -j ACCEPT
#ping of death
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit \
--limit 1/s -j ACCEPT
echo "DoS defences setup"

 

exit

regards

Thing

-----Original Message-----
From: Ian Goodall [mailto:ijg@iangoodall.co.uk]
Sent: Tuesday, 11 March 2003 2:21
To: Jones, Steven; debian-security@lists.debian.org
Subject: Re: iptables and apt-get

Here is my rule set:

 

 

#default input policy
/sbin/iptables -P INPUT DROP
#allow www/https(ssl)
/sbin/iptables -A INPUT -s 0/0 -d 172.16.5.92 -p tcp --dport https -j ACCEPT
#allow ssh
/sbin/iptables -A INPUT -s 0/0 -d 172.16.5.92 -p tcp --dport ssh -j ACCEPT
#allow smtp
/sbin/iptables -A INPUT -s 0/0 -d 172.16.5.92 -p tcp --dport smtp -j ACCEPT

 

#create a new rule for drop # log
#/sbin/iptables -N drop-and-log-it
#log it
#/sbin/iptables -A drop-and-log-it -j LOG --log-level info --log-prefix 'DROPIT'
#drop it
#/sbin/iptables -A drop-and-log-it -j DROP

 

#now call the rule to drop and log

 

/sbin/iptables -A INPUT -j drop-and-log-it

 

 

-----------

Thanks

 

ijg0

----- Original Message -----

From: Jones, Steven

To: 'Ian Goodall' ; debian-security@lists.debian.org

Sent: Tuesday, March 11, 2003 1:11 AM

Subject: RE: iptables and apt-get

shouldnt do

 

unless you changed the output rules?

 

please provide your ruleset

 

Thing

-----Original Message-----
From: Ian Goodall [mailto:ijg@iangoodall.co.uk]
Sent: Tuesday, 11 March 2003 2:06
To: debian-security@lists.debian.org
Subject: iptables and apt-get

Hi Guys,

 

I am setting up iptables on my debain woody box. I have decided to close everyting and then open up just ssh and ssl. This obviously prevents my apt-get update from working. What ports do I need to open for this to work. If it helps I am going through a proxy to get to the internet.

 

Thanks

 

ijg0