Re:firewall troubleshooting
appologies for wrong subject line
:)
KC wrote:
> Hi, I have posted my first firewall script previously.. this is basically
> the same script but it is optimized..
>
>
> #! /bin/bash
>
> #modprobe ip_conntrack_FTP
>
> ### SYMBOLIC CONSTANTS ###
>
> CONNECTION_TRACKING="1"
> DHCP_CLIENT="1"
> INTERNET="eth1"
> LOOPBACK_INTERFACE="lo"
> IPADDR=`ifconfig eth0|awk '/inet/{print $2}'|awk -F ':' '{print $2}'`
> INTERNAL_IP=`ifconfig eth1|awk '/inet/{print $2}'|awk -F ':' '{print $2}'`
> SUBNET_BASE="192.168.3.0"
> SUBNET_BROADCAST="192.168.3.255"
> MY_ISP="24.156.100.1"
> LOCAL="eth0"
>
> NAMESERVER_1="value not shown"
> NAMESERVER_2="value not shown"
> NAMESERVER_3="value not shown"
> POP_SERVER_1="value not shown"
> POP_SERVER_2="value not shown"
> POP_SERVER_3="value not shown"
> POP_SERVER_4="value not shown"
> POP_SERVER_5="value not shown"
> IMAP_SERVER_1="value not shown"
> IMAP_SERVER_2="value not shown"
> SMTP_SERVER_1="value not shown"
> SMTP_SERVER_2="value not shown"
> TIME_SERVER="value not shown"
> DHCP_SERVER="value not shown"
> SSH_CLIENT="value not shown"
>
> LOOPBACK="127.0.0.0/8"
> CLASS_A="10.0.0.0/8"
> CLASS_B="172.16.0.0/12"
> CLASS_C="192.168.0.0/16"
> CLASS_D_MULTICAST="224.0.0.0/4"
> CLASS_E_RESERVED_NET="240.0.0.0/5"
> BROADCAST_SRC="0.0.0.0"
> BROADCAST_DEST="255.255.255.255"
>
> PRIVPORTS="0:1023"
> UNPRIVPORTS="1024:65535"
>
> ## Hosts
> DESKTOP="192.168.3.41"
> DESKTOP2="192.168.3.40"
> WWW="192.168.3.42"
>
> ## PORTS
> IRC_PORT="6667"
> WEB_PORT="80"
> SSL_PORT="443"
> SSH_PORT="22"
> DK_PORT="4660:4661"
> XWINDOW_PORTS="6000:6063"
> TRACEROUTE_SRC_PORTS="32769:65535"
> TRACEROUTE_DEST_PORTS="33434:33523"
>
> USER_CHAINS="EXT-input EXT-output
> tcp-state-flags connection-tracking
> source-address-check destination-address-check
> local-dns-server-query remote-dns-server-response
> local-tcp-client-request remote-tcp-server-response
> remote-tcp-client-request local-tcp-server-response
> local-udp-client-request remote-udp-server-response
> local-dhcp-client-query remote-dhcp-server-response
> EXT-icmp-out EXT-icmp-in
> EXT-log-in EXT-log-out
> log-tcp-state"
>
> #############################################################################
>
> ## Enable broadcast echo Protection
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> ## Disable Source Routed Packets
> for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
> echo 0 > $f
> done
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> ## Enable TCP SYN Cookie Protection
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> ## Disable ICMP Redirect Acceptance
> for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
> echo 0 > $f
> done
>
> ## Don't send Redirect Messages
> for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
> echo 0 > $f
> done
>
> ## Drop spoofed packets with resulting reply to another interface
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo 1 > $f
> done
>
> # Log packets with impossible addresses
> for f in /proc/sys/net/ipv4/conf/*/log_martians; do
> echo 1 > $f
> done
>
> echo "Done Protection Scripting"
> ##########################################################################
>
> # Remove any existing
> iptables --flush
> iptables -t nat --flush
> iptables -t mangle --flush
>
> # Unlimited traffic on the loopback interface
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # Set the default policy to drop
> iptables --policy INPUT DROP
> iptables --policy OUTPUT DROP
> iptables --policy FORWARD DROP
>
> iptables -t nat --policy PREROUTING ACCEPT
> iptables -t nat --policy OUTPUT ACCEPT
> iptables -t nat --policy POSTROUTING ACCEPT
> iptables -t mangle --policy PREROUTING ACCEPT
> iptables -t mangle --policy OUTPUT ACCEPT
>
> # Remove any pre-existing user-defined chains
> iptables --delete-chain
> iptables -t nat --delete-chain
> iptables -t mangle --delete-chain
>
> # Create the user-defined chains
> for i in $USER_CHAINS; do
> iptables -N $i
> done
>
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> ######################################################################
>
> #iptables -A INPUT -i $INTERNET -d $IPADDR -j EXT-input
> #iptables -A OUTPUT -o $INTERNET -j EXT-output
>
> # DNS Caching Name Server
>
> iptables -A EXT-output -p udp --sport 53 --dport 53 -j local-dns-server-query
> iptables -A EXT-input -p udp --sport 53 --dport 53 -j
> remote-dns-server-response
>
> # DNS over tcp
>
> iptables -A EXT-output -p tcp --sport $UNPRIVPORTS --dport 53 -j
> local-dns-server-query
> iptables -A EXT-input -p tcp ! --syn --sport 53 --dport $UNPRIVPORTS -j
> remote-dns-server-response
> echo " DNS Caching done"
> #######################################################################
> # DNS Forwarding Name Server or client requests
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A local-dns-server-query -d $NAMESERVER_1 -m state --state NEW
> -j ACCEPT
> iptables -A local-dns-server-query -d $NAMESERVER_2 -m state --state NEW
> -j ACCEPT
> iptables -A local-dns-server-query -d $NAMESERVER_3 -m state --state NEW
> -j ACCEPT
> fi
>
> iptables -A local-dns-server-query -d $NAMESERVER_1 -j ACCEPT
> iptables -A local-dns-server-query -d $NAMESERVER_2 -j ACCEPT
> iptables -A local-dns-server-query -d $NAMESERVER_3 -j ACCEPT
>
> # DNS response to local requests
>
> iptables -A INPUT -i $INTERNET -s $NAMESERVER_1 -j ACCEPT
> iptables -A OUTPUT -o $INTERNET -d $NAMESERVER_1 -j ACCEPT
>
> iptables -A remote-dns-server-response -s $NAMESERVER_1 -j ACCEPT
> iptables -A remote-dns-server-response -s $NAMESERVER_2 -j ACCEPT
> iptables -A remote-dns-server-response -s $NAMESERVER_3 -j ACCEPT
>
> echo " DNS forwarding and response to local requests"
>
> ###########################################################################
> # Local TCP client output and remote server input chains
>
> iptables -A EXT-output -p tcp --sport $UNPRIVPORTS -j local-tcp-client-request
> iptables -A EXT-input -p tcp ! --syn --dport $UNPRIVPORTS -j
> remote-tcp-server-response
>
>
> #SSH client
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A local-tcp-client-request -p tcp -d $SSH_CLIENT --dport 22
> --syn -m state --state NEW -j ACCEPT
> fi
>
> iptables -A local-tcp-client-request -p tcp -d $SSH_CLIENT --dport 22 -j ACCEPT
> iptables -A remote-tcp-server-response -p tcp ! --syn -s $SSH_CLIENT
> --sport 22 -j ACCEPT
>
> #.............................................................................................
> # Client rules for HTTP, HTTPS
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A local-tcp-client-request -p tcp -m multiport
> --destination-port 80,443 --syn -m state --state NEW -j ACCEPT
> fi
>
> iptables -A local-tcp-client-request -p tcp -m multiport --destination-port
> 80,443 -j ACCEPT
> iptables -A remote-tcp-server-response -p tcp -m multiport --source-port
> 80,443 ! --syn -j ACCEPT
>
> #...............................................................................................
> # POP client
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A local-tcp-client-request -p tcp -d $POP_SERVER_1 --dport 110
> --syn -m state --state NEW -j ACCEPT
> iptables -A local-tcp-client-request -p tcp -d $POP_SERVER_2 --dport 110
> --syn -m state --state NEW -j ACCEPT
> iptables -A local-tcp-client-request -p tcp -d $POP_SERVER_3 --dport 110
> --syn -m state --state NEW -j ACCEPT
> fi
>
> iptables -A local-tcp-client-request -p tcp -d $POP_SERVER_1 --dport 110 -j
> ACCEPT
> iptables -A local-tcp-client-request -p tcp -d $POP_SERVER_2 --dport 110 -j
> ACCEPT
> iptables -A local-tcp-client-request -p tcp -d $POP_SERVER_3 --dport 110 -j
> ACCEPT
>
> iptables -A remote-tcp-server-response -p tcp ! --syn -s $POP_SERVER_1
> --sport 110 -j ACCEPT
> iptables -A remote-tcp-server-response -p tcp ! --syn -s $POP_SERVER_2
> --sport 110 -j ACCEPT
> iptables -A remote-tcp-server-response -p tcp ! --syn -s $POP_SERVER_3
> --sport 110 -j ACCEPT
>
> #...............................................................................................
> # SMTP mail Client
>
> if [ " $CONNECTION_TRACKING" = "1" ]; then
> iptables -A local-tcp-client-request -p tcp -d $SMTP_SERVER_1 --dport 25
> --syn -m state --state NEW -j ACCEPT
> iptables -A local-tcp-client-request -p tcp -d $SMTP_SERVER_2 --dport 25
> --syn -m state --state NEW -j ACCEPT
> fi
>
> iptables -A local-tcp-client-request -p tcp -d $SMTP_SERVER_1 --dport 25 -j
> ACCEPT
> iptables -A local-tcp-client-request -p tcp -d $SMTP_SERVER_2 --dport 25 -j
> ACCEPT
>
> iptables -A remote-tcp-server-response -p tcp ! --syn -s $SMTP_SERVER_1
> --sport 25 -j ACCEPT
> iptables -A remote-tcp-server-response -p tcp ! --syn -s $SMTP_SERVER_2
> --sport 25 -j ACCEPT
>
> echo "Client Rules Setup"
>
> ################################################################################################
> # Local TCP server, remote client
>
> #iptables -A EXT-input -p tcp --sport $UNPIRVPORTS -j remote-tcp-client-request
> iptables -A EXT-output -p tcp ! --syn --dport $UNPRIVPORTS -j
> local-tcp-server-response
>
> echo "TCP server, remote client"
> ################################################################################################
> # Remote TCP client input and local server output chains
>
> # SSH server
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A remote-tcp-client-request -p tcp -s $SSH_CLIENT
> --destination-port 22 -m state --state NEW -j ACCEPT
> fi
>
> iptables -A remote-tcp-client-request -p tcp -s $SSH_CLIENT
> --destination-port 22 -j ACCEPT
> iptables -A local-tcp-server-response -p tcp ! --syn --source-port 22 -d
> $SSH_CLIENT -j ACCEPT
>
> echo "Input and local server output chains"
> ################################################################################################
> ## Local UDP client, remote server
>
> iptables -A EXT-output -p udp --sport $UNPRIVPORTS -j local-udp-client-request
> iptables -A EXT-input -p udp --dport $UNPRIVPORTS -j remote-udp-server-response
>
> ################################################################################################
> # NTP time client
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A local-udp-client-request -p udp -d $TIME_SERVER --dport 123
> -m state --state NEW -j ACCEPT
> fi
>
> iptables -A local-udp-client-request -p udp -d $TIME_SERVER --dport 123 -j
> ACCEPT
> iptables -A remote-udp-server-response -p udp -s $TIME_SERVER --sport 123
> -j ACCEPT
>
> echo "NTP time client"
> ################################################################################################
> # ICMP
>
> iptables -A EXT-input -p icmp -j EXT-icmp-in
> iptables -A EXT-output -p icmp -j EXT-icmp-out
>
>
> #################################################################################################
> # ICMP traffic
>
> # Log and drop intial ICMP fragments
> iptables -A EXT-icmp-in --fragment -j LOG --log-prefix "Fragmented incoming
> ICMP: "
> iptables -A EXT-icmp-in --fragment -j DROP
> iptables -A EXT-icmp-out --fragment -j LOG --log-prefix "Fragmented
> outgoing ICMP: "
> iptables -A EXT-icmp-out --fragment -j DROP
>
> # Outgoing ping
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A EXT-icmp-out -p icmp --icmp-type echo-request -m state
> --state NEW -j ACCEPT
> fi
>
> iptables -A EXT-icmp-out -p icmp --icmp-type echo-request -j ACCEPT
> iptables -A EXT-icmp-in -p icmp --icmp-type echo-reply -j ACCEPT
>
> # Incoming ping
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A EXT-icmp-in -p icmp -s $MY_ISP --icmp-type echo-request -m
> state --state NEW -j ACCEPT
> fi
>
> iptables -A EXT-icmp-in -p icmp --icmp-type echo-request -s $MY_ISP -j ACCEPT
> iptables -A EXT-icmp-out -p icmp --icmp-type echo-reply -d $MY_ISP -j ACCEPT
>
> iptables -A EXT-icmp-out -p icmp --icmp-type fragmentation-needed -j ACCEPT
> iptables -A EXT-icmp-in -p icmp --icmp-type destination-unreachable -j ACCEPT
>
> iptables -A EXT-icmp-out -p icmp --icmp-type parameter-problem -j ACCEPT
> iptables -A EXT-icmp-in -p icmp --icmp-type parameter-problem -j ACCEPT
>
> iptables -A EXT-icmp-in -p icmp --icmp-type time-exceeded -j ACCEPT
> iptables -A EXT-icmp-out -p icmp --icmp-type source-quench -j ACCEPT
> iptables -A EXT-icmp-in -p icmp --icmp-type source-quench -j ACCEPT
>
> ####################################################################################################
> # TCP State Flags
>
> # All of the bits are cleared
> iptables -A tcp-state-flags -p tcp --tcp-flags ALL NONE -j log-tcp-state
> iptables -A tcp-state-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j log-tcp-state
> iptables -A tcp-state-flags -p tcp --tcp-flags SYN,RST SYN,RST -j log-tcp-state
> iptables -A tcp-state-flags -p tcp --tcp-flags FIN,RST FIN,RST -j log-tcp-state
> iptables -A tcp-state-flags -p tcp --tcp-flags ACK,FIN FIN -j log-tcp-state
> iptables -A tcp-state-flags -p tcp --tcp-flags ACK,PSH PSH -j log-tcp-state
> iptables -A tcp-state-flags -p tcp --tcp-flags ACK,URG URG -j log-tcp-state
>
> echo "TCP state done"
> ####################################################################################################
> # Log and drop tcp packets with bad state combinations
>
> iptables -A log-tcp-state -p tcp -j LOG --log-prefix "Illegal TCP state: "
> --log-ip-options --log-tcp-options
> iptables -A log-tcp-state -j DROP
>
> #####################################################################################################
> # By-pass rule checking for ESTABLISHED exchanges
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A connection-tracking -m state --state ESTABLISHED,RELATED -j
> ACCEPT
> iptables -A connection-tracking -m state --state INVALID -j LOG
> --log-prefix "INVALID packet:"
> iptables -A connection-tracking -m state --state INVALID -j DROP
> fi
> #####################################################################################################
> # DHCP traffic
>
> if [ "$DHCP_CLIENT" = "1" ]; then
> iptables -A local-dhcp-client-query -s $BROADCAST_SRC -d $BROADCAST_DEST
> -j ACCEPT
> iptables -A remote-dhcp-server-response -s $BROADCAST_SRC -d
> $BROADCAST_DEST -j ACCEPT
> iptables -A local-dhcp-client-query -s $BROADCAST_SRC -d $DHCP_SERVER -j
> ACCEPT
> iptables -A remote-dhcp-server-response -s $DHCP_SERVER -d
> $BROADCAST_DEST -j ACCEPT
> iptables -A remote-dhcp-server-response -s $DHCP_SERVER -j ACCEPT
> iptables -A local-dhcp-client-query -s $IPADDR -d $DHCP_SERVER -j ACCEPT
> fi
> echo "DHCP traffic"
>
> #######################################################################################################
> # Source address spoof checks
>
> iptables -A source-address-check -s $CLASS_A -j DROP
> iptables -A source-address-check -s $CLASS_B -j DROP
> iptables -A source-address-check -s $CLASS_C -j DROP
> iptables -A source-address-check -s $CLASS_D_MULTICAST -j DROP
> iptables -A source-address-check -s $CLASS_E_RESERVED_NET -j DROP
> iptables -A source-address-check -s $LOOPBACK -j DROP
>
> iptables -A source-address-check -s 0.0.0.0/8 -j DROP
> iptables -A source-address-check -s 169.254.0.0/16 -j DROP
> iptables -A source-address-check -s 192.0.2.0/24 -j DROP
>
> ########################################################################################################
> # Bad Destination Address and Port Checks
>
> iptables -A destination-address-check -d $BROADCAST_DEST -j DROP
> iptables -A destination-address-check -d $SUBNET_BASE -j DROP
> iptables -A destination-address-check -d $SUBNET_BROADCAST -j DROP
> iptables -A destination-address-check -p ! udp -d $CLASS_D_MULTICAST -j DROP
> iptables -A destination-address-check -p tcp --destination-port
> $XWINDOW_PORTS --syn -j DROP
>
> #########################################################################################################
> # Logging rules prior to Dropping
>
> iptables -A EXT-log-in -p icmp --icmp-type ! echo-request -m limit -j LOG
> iptables -A EXT-log-in -p tcp --dport 0:650 -j LOG
> iptables -A EXT-log-in -p udp --dport 0:110 -j LOG
> iptables -A EXT-log-out -j LOG
> echo " LOG ESTABLISHED"
> ####################################################################################################
> # User defined chains
>
> iptables -A INPUT -p tcp -j tcp-state-flags
> iptables -A OUTPUT -p tcp -j tcp-state-flags
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A INPUT -j connection-tracking
> iptables -A OUTPUT -j connection-tracking
> fi
>
> if [ "$DHCP_CLIENT" = "1" ]; then
> iptables -A INPUT -i $INTERNET -p udp --sport 67 --dport 68 -j
> remote-dhcp-server-response
> iptables -A OUTPUT -o $INTERNET -p udp --sport 68 --dport 67 -j
> local-dhcp-client-query
> fi
>
> # Test for illegal source and destination addresses incoming
>
> iptables -A INPUT -p ! tcp -j source-address-check
> iptables -A INPUT -p tcp --syn -j source-address-check
> iptables -A INPUT -j destination-address-check
>
> iptables -A OUTPUT -j destination-address-check
> iptables -A INPUT -i $INTERNET -d $IPADDR -j EXT-input
> iptables -A INPUT -i $INTERNET -p udp -d $CLASS_D_MULTICAST -j DROP
> iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR -d $CLASS_D_MULTICAST -j DROP
> iptables -A OUTPUT -o $INTERNET -s $IPADDR -j EXT-output
>
>
> echo "Setting connection timeouts"
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack
>
> echo "Enabling AntiPortscanning Rules"
> echo "*NULL Scan"
> iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
> echo "*NMAP FIN/URG/PSH (Xmas scan)"
> iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
> echo "*SYN/RST Scan"
> iptables -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> echo "*SYN/FIN Scan"
> iptables -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN -j DROP
>
> iptables -A FORWARD -s 192.168.3.0/24 -d 0/0 -i $LOCAL -j ACCEPT
> iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
> iptables -t nat -A PREROUTING -p tcp -d $IPADDR --dport 80 -j DNAT --to
> $WWW:80
> #iptables -t nat -A PREROUTING -p tcp -d $IPADDR --dport 6112 -j DNAT --to
> $WWW:22
> iptables -t nat -A PREROUTING -p udp -d $IPADDR --dport 4660 -j DNAT --to
> $DESKTOP:4660
> iptables -t nat -A PREROUTING -p tcp -d $IPADDR --dport 4660 -j DNAT --to
> $DESKTOP:4660
> iptables -t nat -A PREROUTING -p tcp -d $IPADDR --dport 4661 -j DNAT --to
> $DESKTOP2:4661
> iptables -t nat -A PREROUTING -p udp -d $IPADDR --dport 4661 -j DNAT --to
> $DESKTOP2:4661
> #iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 81 -j DNAT
> --to $DESKTOP:22
> #iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 6667 -j DNAT
> --to $IRC:6667
> iptables -t nat -A PREROUTING -p tcp -d $IPADDR --dport 215 -j DNAT --to
> $DESKTOP:22
>
>
> # Log anything that fell through before it drops
>
> iptables -A INPUT -j EXT-log-in
> iptables -A OUTPUT -j EXT-log-out
>
> exit 0
>
>
> Dave Ewart wrote:
>
>>On Monday, 04.07.2005 at 10:40 +0100, jpff@codemist.co.uk wrote:
>>
>>
>>
>>>I have just (well yesterday) changed by firewall from an aging RedHat
>>>system to Debian. Most things seem OK (couple of minor spamassassin
>>>problems) but there is one MAJOR problem that I do not understand.
>>>
>>>The simplest form is when a user inside the firewall attempts to
>>>upload a photo to flickr.com it just hangs and eventually times out.
>>>If the same thing is done from the firewall itself it works instantly.
>>>I deduce that something in Debian is being very cautious, but I do not
>>>know what. The iptables I have as the same as on previous system, and
>>>it used to work.
>>>
>>>Any suggestions as were to look? This is a major problem as it also
>>>affects on-line banking which is important for the company..
>>
>>
>>We might be able to assist if you show us the firewall rulesets and some
>>log files ...
>>
>>Dave.
>
>
>
Reply to: