iptables (own script) checkup
Hi,
I'm new to iptables and below is the simple script I wrote for my
firewall/gateway. The machine has a static address and on eth1 there
is a local LAN 10.0.0.0/24.
I want to drop all new incoming connections on eth0 except ssh.
If someone could check it I would be grateful. Also any tips to make
it better are welcome.
#!/bin/sh
# Start/stop the firewall
STATIC_IP=w.x.y.z
LOCALLAN=eth1
INTERNET=eth0
IPTABLES=/sbin/iptables
test -f $IPTABLES || exit 0
case "$1" in
start) echo "Starting firewall:"
echo -n " flushing rules: "
$IPTABLES -t nat -F
$IPTABLES -F
echo "ok"
echo -n " setting default policy: "
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
echo "ok"
echo -n " setting INPUT chain: "
# Accept all established and related connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept all new connections coming from the local lan
$IPTABLES -A INPUT ! -i $INTERNET -m state --state NEW -j ACCEPT
# Accept SSH from everywhere
$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Accept mail
# Not needed yet
echo "ok"
echo -n " setting OUTPUT chain: "
echo "ok"
echo -n " setting FORWARD chain:"
# Drop all tcp and udp connections to port 135,139, 445 and 593
# Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability
#
# A buffer overrun vulnerability has been reported in Microsoft Windows
# that can be exploited remotely via a DCOM RPC interface that listens
# on TCP/UDP port 135. The issue is due to insufficient bounds checking
# of client DCOM object activation requests. Exploitation of this issue
# could result in execution of malicious instructions with Local System
# privileges on an affected system.
#
# This issue may be exposed on other ports that the RPC Endpoint Mapper
# listens on, such as TCP ports 139, 135, 445 and 593. This has not been
# confirmed. Under some configurations the Endpoint Mapper may receive
# traffic via port 80.
# [ http://www.symantec.com/avcenter/security/Content/8205.html ]
$IPTABLES -A FORWARD -p tcp --dport 135 -j DROP
$IPTABLES -A FORWARD -p udp --dport 135 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 139 -j DROP
$IPTABLES -A FORWARD -p udp --dport 139 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 445 -j DROP
$IPTABLES -A FORWARD -p udp --dport 445 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 593 -j DROP
$IPTABLES -A FORWARD -p udp --dport 593 -j DROP
# Drop all connections coming from the local lan to port 6667:6668
# Some worms send information to an IRC server
$IPTABLES -A FORWARD -s 10.0.0.0/24 -p tcp --dport 6667:6668 -j DROP
# Accept all established and related connections
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forward all new connections coming from the local lan
$IPTABLES -A FORWARD ! -i $INTERNET -m state --state NEW -j ACCEPT
echo "ok"
echo -n " turning on ip_forward:"
echo 1 > /proc/sys/net/ipv4/ip_forward
# Turning on SNAT
$IPTABLES -t nat -A POSTROUTING -o $INTERNET -j SNAT --to $STATIC_IP
echo "ok"
echo "Firewall started."
;;
stop) echo -n "Stopping firewall"
# SNAT is disabled and the machine continues as a normal machine.
# This is put here so that I can easily close the local lan.
$IPTABLES -t nat -F
$IPTABLES -F
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
echo "."
;;
restart) echo "Restarting firewall"
# stop flushes everything and resets the policies, start rebuilds the rules
$0 stop
$0 start
;;
reload|force-reload) echo "Reloading configuration files for firewall"
$0 restart
;;
*) echo "Usage: /etc/init.d/firewall start|stop|restart|reload|force-reload"
exit 1
;;
esac
exit 0
--
Rudy Gevaert rudy@zeus.UGent.be
Web page http://www.webworm.org
GNU/Linux user and Savannah hacker http://savannah.gnu.org
One of the symptoms of an approaching nervous breakdown is the
belief that one's work is terribly important.
-- Bertrand Russell
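The same gateway policy written as an iptables-restore ruleset, which is loaded atomically instead of rule by rule, with a small static lint applied before loading. This is an added example, not code from Rudy's post: the interface names, the LAN net 10.0.0.0/24 and the address 203.0.113.5 (a documentation address standing in for w.x.y.z) are assumptions, and the loopback accept, the anti-spoofing drops on the WAN side, the INVALID drop and the source restriction on the SNAT rule are hardening additions beyond the original script.

```shell
#!/bin/sh
# Added example (not from the original post): the gateway policy as an
# iptables-restore ruleset, plus a static lint run before loading it.
# Assumed values: WAN eth0, LAN eth1, LAN net 10.0.0.0/24, static address
# 203.0.113.5 (a documentation address standing in for w.x.y.z).

# gen_rules WAN LAN STATIC_IP LAN_NET : print an iptables-restore ruleset
gen_rules() {
    wan=$1; lan=$2; ip=$3; net=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# only the LAN is rewritten to the static address
-A POSTROUTING -s $net -o $wan -j SNAT --to-source $ip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# anti-spoofing: LAN source addresses never legitimately arrive on the WAN side
-A INPUT -i $wan -s $net -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $lan -m state --state NEW -j ACCEPT
# ssh from anywhere; note the double dash on --dport
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -i $wan -s $net -j DROP
-A FORWARD -p tcp -m multiport --dports 135,139,445,593 -j DROP
-A FORWARD -p udp -m multiport --dports 135,139,445,593 -j DROP
-A FORWARD -i $lan -s $net -p tcp --dport 6667:6668 -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# has PATTERN TEXT : true when an extended regex matches a line of TEXT
has() { printf '%s\n' "$2" | grep -Eq -- "$1"; }

# check_rules : read a ruleset on stdin and apply the checks a reviewer would
# make by eye; returns 0 when all pass.  The authoritative parse check is
# `iptables-restore --test < file` as root, which this does not replace.
check_rules() {
    r=$(cat); rc=0
    has '^:INPUT DROP' "$r"   || { echo "INPUT policy is not DROP" >&2; rc=1; }
    has '^:FORWARD DROP' "$r" || { echo "FORWARD policy is not DROP" >&2; rc=1; }
    # a single-dash -dport is an unknown option and the whole load fails
    has '(^| )-dport ' "$r" && { echo "single-dash -dport found" >&2; rc=1; }
    has '--dport 22 .*-j ACCEPT' "$r" || { echo "no ssh accept rule" >&2; rc=1; }
    has '^-A INPUT -i lo -j ACCEPT' "$r" || { echo "loopback not accepted" >&2; rc=1; }
    return $rc
}

# stand-alone use: sh gen-rules.sh print > /etc/iptables.rules
if [ "${1:-}" = "print" ]; then
    gen_rules "${WAN:-eth0}" "${LAN:-eth1}" "${STATIC_IP:-203.0.113.5}" "${LAN_NET:-10.0.0.0/24}"
fi
```

Load order for a real box: write the file, run `iptables-restore --test < /etc/iptables.rules` as root to catch syntax errors (an unknown option aborts the whole load, which is safer than a partially applied rule-by-rule script), then `iptables-restore < /etc/iptables.rules`; `iptables-save` shows the result in the same format, which makes a diff against the file a one-liner.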