Re: iptables ruleset
Martin A. Hansen, 2002-Jan-04 10:12 +0100:
> ok, here goes:
>
>
> root@willy:/home/maasha# iptables -vL
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 4221 259K ACCEPT all -- lo any anywhere anywhere
> 0 0 LOG all -- !lo any 127.0.0.0/8 anywhere LOG level warning
> 0 0 DROP all -- !lo any 127.0.0.0/8 anywhere
> 0 0 ACCEPT all -- eth0 any anywhere 255.255.255.255
> 4031 298K ACCEPT all -- eth0 any localnet/24 anywhere
> 0 0 ACCEPT !tcp -- eth0 any anywhere BASE-ADDRESS.MCAST.NET/4
> 0 0 LOG all -- tr0 any localnet/24 anywhere LOG level warning
> 0 0 DROP all -- tr0 any localnet/24 anywhere
> 720 239K ACCEPT all -- tr0 any anywhere 255.255.255.255
> 375 127K ACCEPT all -- tr0 any anywhere rhpc119-213.rh.dk
> 0 0 ACCEPT all -- tr0 any anywhere 130.226.255.255
> 0 0 LOG all -- any any anywhere anywhere LOG level warning
> 0 0 DROP all -- any any anywhere anywhere
Looking at the INPUT chain, there is a lot of logging, which is fine if you're going to monitor the logs (note that none of the LOG rules are rate limited, so a flood of rejected packets can fill the log). I don't know what your interface and IP configuration is, but it looks like you are accepting all broadcast and multicast traffic, everything from the local network on eth0 (the `localnet/24 -> anywhere` rule), and everything arriving on tr0 for rhpc119-213.rh.dk (your own address, I assume). None of the rules use connection tracking, so nothing distinguishes replies to connections you opened from new connections coming in. This may be okay, but it seems risky to me, especially if you're on a cable loop: you're wide open to everyone on the same loop.
I'm attaching my script. It is written for two interfaces and uses NAT (MASQUERADE) for all traffic leaving the private network. It allows a few specified services in (ssh, www and smtp), but it doesn't forward anything to an internal system. Place it in /etc/init.d, make it executable, and add a link to it in /etc/rc2.d like
ln -s ../init.d/iptables.scr S11iptables
This will make it load at boot time. Be sure to change the interface names and addresses first (eth0 is the cable-modem side, 192.168.100.1 is the modem, 192.168.0.0/24 is the inside network), and check that the FORWARD chain and the ip_forward setting are what you want before putting it on a cable loop -- that is a hostile network.
jc
--
Jeff Coppock Systems Engineer
Diggin' Debian Admin and User
#!/bin/sh
#
# My Iptables setup script, run at bootup
# from /etc/init.d/iptables.scr
#
# Bail out quietly when iptables is not installed (Debian init-script
# convention).  NOTE: in that case the box boots with no firewall at all and
# nothing is logged about it.
[ -x /sbin/iptables ] || exit 0
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
IPT=/sbin/iptables
# Kernel modules the rules rely on: the MASQUERADE target, the state match
# and the REJECT target.  A failed modprobe is reported on stderr but does
# not stop the script.
for module in ipt_MASQUERADE ipt_state ipt_REJECT; do
  modprobe "$module"
done
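clear_tables () {
  # Take the firewall down: flush every rule in the filter, nat and mangle
  # tables, delete the user-defined chains, reset the policies and stop
  # routing between the interfaces.
  #
  # build_tables sets the INPUT policy to DROP.  If the policies were left
  # alone here, "stop" would leave a DROP policy with no ACCEPT rules at all:
  # every packet, including loopback, would be dropped until the next
  # "start".  Since "stop" means "no firewall", the policies are reset to
  # ACCEPT.  (During "restart" the box is therefore open for the instant
  # between this function and build_tables setting DROP again.)
  for table in filter nat mangle; do
    $IPT -t "$table" -F
    $IPT -t "$table" -X
  done
  $IPT -P INPUT ACCEPT
  $IPT -P OUTPUT ACCEPT
  $IPT -P FORWARD ACCEPT
  # With the MASQUERADE rule gone, forwarding would leak the private
  # addresses out unmasqueraded; build_tables turns it back on.
  echo 0 > /proc/sys/net/ipv4/ip_forward ||
    printf 'iptables.scr: could not disable ip_forward\n' >&2
}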
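build_tables () {
  # Build the whole firewall from scratch: default policies, helper chains,
  # INPUT rules for this host, FORWARD rules for the masqueraded network,
  # the MASQUERADE rule and, last of all, IP forwarding itself.
  #
  # Site configuration.  Each value can be overridden from the environment
  # (EXT_IF, INT_NET, MODEM_IP) or edited here.
  #   ext_if   - interface facing the cable modem / Internet
  #   int_net  - the private network behind this box, masqueraded out ext_if
  #   modem_ip - the cable modem's own address; its chatter is dropped silently
  ext_if=${EXT_IF:-eth0}
  int_net=${INT_NET:-192.168.0.0/24}
  modem_ip=${MODEM_IP:-192.168.100.1}

  # Default policies come first so the host is fail-closed while the rest of
  # the rules load.  FORWARD is DROP as well: combined with ip_forward=1, a
  # FORWARD policy of ACCEPT would let this box route anything between its
  # interfaces, not just the inside network's traffic.
  $IPT -P INPUT DROP
  $IPT -P OUTPUT ACCEPT
  $IPT -P FORWARD DROP

  # Start from empty tables so a reload neither duplicates rules nor fails
  # with "chain already exists" when the helper chains are created below.
  $IPT -F
  $IPT -F -t nat
  $IPT -F -t mangle
  $IPT -X

  # Helper chains.  Every LOG rule is rate limited: dropping stays
  # unlimited, but an unthrottled LOG behind a DROP policy lets anyone fill
  # the log (and the disk) with a packet flood.
  $IPT -N badflags
  $IPT -A badflags -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "Badflags: "
  $IPT -A badflags -j DROP
  $IPT -N dropwall
  $IPT -A dropwall -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "Dropped: "
  $IPT -A dropwall -j DROP
  $IPT -N silent
  $IPT -A silent -j DROP

  ##### INPUT: traffic addressed to this host #####

  # Replies to connections we (or the inside network) opened, loopback, and
  # anything new arriving on an inside interface.  (Older iptables releases
  # wrote the negation as "-i ! eth0"; modern ones warn about that form.)
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT ! -i "$ext_if" -m state --state NEW -j ACCEPT

  # Illegal TCP flag combinations.  These must come BEFORE the service
  # ACCEPTs below: they used to be appended after them, so a SYN/FIN or
  # all-flags packet aimed at port 22, 80 or 25 was accepted by the dport
  # rule and never reached this check.
  $IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
  $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
  $IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
  $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
  $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
  $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

  # Anti-spoofing on the outside interface: our own private range and
  # loopback addresses can never legitimately arrive there.
  $IPT -A INPUT -i "$ext_if" -s "$int_net" -j dropwall
  $IPT -A INPUT -i "$ext_if" -s 127.0.0.0/8 -j dropwall

  # Known noise: the cable modem's broadcasts and other people's DHCP
  # client requests on the cable loop.  Dropped without logging.
  $IPT -A INPUT -s "$modem_ip" -j silent
  $IPT -A INPUT -i "$ext_if" -p udp --dport 68 -j silent

  # Services offered to the world.  Only NEW connections need a rule here:
  # their replies match the ESTABLISHED rule above, and whatever is neither
  # NEW nor ESTABLISHED (INVALID) falls through to dropwall.
  $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
  $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
  $IPT -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
  # FTP is disabled.  If it is enabled, the FTP connection-tracking helper
  # module must be loaded too, or the data connections will not be RELATED.
  # $IPT -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
  # $IPT -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
  # ident (113) and nntp (119) could be REJECTed instead of dropped, so that
  # peers doing ident lookups (mail servers) do not wait for a timeout.
  # $IPT -A INPUT -p tcp --dport 113 -j REJECT
  # $IPT -A INPUT -p udp --dport 113 -j REJECT
  # $IPT -A INPUT -p tcp --dport 119 -j REJECT
  # $IPT -A INPUT -p udp --dport 119 -j REJECT
  # sunrpc (111) and printer (515) can be dropped silently to keep the log quiet.
  # $IPT -A INPUT -p tcp --dport 111 -j silent
  # $IPT -A INPUT -p udp --dport 111 -j silent
  # $IPT -A INPUT -p tcp --dport 515 -j silent
  # $IPT -A INPUT -p udp --dport 515 -j silent

  # ICMP: accept echo reply, destination unreachable and time exceeded
  # (path-MTU discovery and traceroute depend on the latter two), and echo
  # requests at a bounded rate.  The echo-request ACCEPT comes before the
  # LOG rule, so only the pings over the limit -- the ones actually
  # dropped -- are logged; previously every ping was logged as dropped.
  $IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
  $IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
  $IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
  $IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
  $IPT -A INPUT -p icmp -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "Drop ICMP: "
  $IPT -A INPUT -p icmp -j silent

  # Everything else: log (rate limited) and drop.
  $IPT -A INPUT -j dropwall

  ##### FORWARD: traffic routed through this host #####

  # Only the inside network may open connections, and only towards the
  # outside interface; replies come back through conntrack.  Anything else,
  # in particular anything new arriving on the outside interface for an
  # inside machine, is logged and dropped.
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD ! -i "$ext_if" -o "$ext_if" -s "$int_net" -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -j dropwall

  ##### NAT #####

  # Masquerade the inside network only, not whatever else happens to leave
  # through the outside interface.
  $IPT -t nat -A POSTROUTING -s "$int_net" -o "$ext_if" -j MASQUERADE

  # Turn routing on only now that the FORWARD chain is in place.
  echo 1 > /proc/sys/net/ipv4/ip_forward ||
    printf 'iptables.scr: could not enable ip_forward\n' >&2
}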
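# Names used in the start/stop messages and the usage line.  They were never
# defined before, so the messages came out as "Starting : " and
# "Usage: /etc/init.d/ {...}".
NAME=iptables.scr
DESC="iptables firewall"
case "$1" in
  start)
    printf '%s' "Starting $DESC: "
    build_tables
    echo "Done."
    ;;
  stop)
    # Remove the rules; see clear_tables for what is left in place.
    printf '%s' "Stopping $DESC: "
    clear_tables
    echo "Done."
    ;;
  restart|reload|force-reload)
    printf '%s' "Restarting $DESC: "
    clear_tables
    build_tables
    echo "Done."
    ;;
  *)
    N=/etc/init.d/$NAME
    echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
    exit 1
    ;;
esac
# Summary: the cable-modem side is masqueraded for the PCs on
# 192.168.0.0/24; connections to this host are dropped unless they are
# related to or established by an inside machine, except ssh, www and smtp,
# which are allowed in (ftp is commented out in build_tables).
exit 0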