iptables troubles
Hi All,
I am trying to get a firewall running, but I am no networking expert.
I use Debian Sid, and kernel 2.4.25-1-386 (yes I need to upgrade ;)).
Anyway. I got my fw script from a webpage, and it looks pretty ok to
me. When I run it, it certainly blocks everything except the ports I
want it to allow. Fine.
However, I got reports from users that it was not working for them. I
asked some 5 different people, and some 3 of them could not reach
the server, while others could. Very weird. They tried it on http,
port 80. It is open in the firewall, and Apache is running.
I have *no* clue what is wrong. I Googled around a lot, tried to
understand the iptables script (I think I do to a degree that I can
understand what each line does), but it all looks fine to me. But how
on earth does it still block traffic from *some* users??
This server is in a 19" rack at an ISP. No NAT, just one IP address.
Very simple setup.
Any clues would be highly appreciated, I am really lost here.
Here is my script:
#!/bin/sh
# This is a sample Firewall script made with Citadec Solutions
# sample firewall generator at http://www.citadec.com
# Remember that this is meant to help you to make your own
# firewall. Allways read this script through before using it!
IPT=/sbin/iptables
LSMOD=/sbin/lsmod
# Flushing old rules
$IPT -F
$IPT -t nat -F
# Next is your IP
NET=<the public IP of my server>
# ICMP Echo-request deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type echo-request -j DROP
# ICMP Host-unreachable deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type host-unreachable -j DROP
# ICMP Host-redirect deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type redirect -j DROP
# ICMP Timestamp-request deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type timestamp-request -j DROP
# ICMP Timestamp-reply deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type timestamp-reply -j DROP
# ICMP Address-mask-request deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type address-mask-request -j DROP
# ICMP Address-mask-reply deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type address-mask-reply -j DROP
# ICMP Source-quench deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type source-quench -j DROP
# ICMP Destination-unreachable deny
# Note: the named type "destination-unreachable" is ICMP type 3 with any code,
# which includes "fragmentation-needed" (code 4). Dropping it disables path MTU
# discovery, so clients behind links with a smaller MTU can stall on large replies.
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type destination-unreachable -j DROP
# DROP IF NO FLAGS SET OR ALL FLAGS SET (Some scanning methods uses these)
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --tcp-flags ALL NONE -j DROP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --tcp-flags ALL ALL -j DROP
# We dont need ipchains
$LSMOD | grep ipchains -q -s && rmmod ipchains
# Allow everything on the loopback interface
$IPT -t filter -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPT -t filter -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT
# This is done to enable source verification
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 2 > $f
done
fi
# This one is for syncookies protection
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
# We dont want ICMP Dead Errors
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi
# We want to Ignore ICMP Broadcasts
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi
# We dont want anyone to play with dynamic TCP/IP
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
fi
# These IP addresses are blocked, because they are not "routable"
# Note: a "bogon" list like this is only valid against the IANA allocations of
# the day it was written. Several of these /8 networks are ordinary allocated
# public unicast space (for example 80.0.0.0/8 and 68.0.0.0/8 through
# 71.0.0.0/8), so any client whose address falls inside them is silently
# dropped before the port 80 ACCEPT rule is ever reached. Check each entry
# against the current IANA IPv4 address space registry before using it.
$IPT -t filter -A INPUT -s 1.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 2.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 7.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 23.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 27.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 31.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 41.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 45.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 60.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 68.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 69.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 70.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 71.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 80.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 88.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 90.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 91.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 92.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 100.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 111.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 112.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 127.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 128.66.0.0/16 -d $NET -j DROP
$IPT -t filter -A INPUT -s 172.16.0.0/12 -d $NET -j DROP
$IPT -t filter -A INPUT -s 197.0.0.0/16 -d $NET -j DROP
$IPT -t filter -A INPUT -s 201.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 220.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 222.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 240.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 242.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 244.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 251.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 254.0.0.0/8 -d $NET -j DROP
# In this Firewall we dont want Multicast allowed
# Note: 224.0.0.0/8 covers only the first /8 of the 224.0.0.0/4 multicast block.
$IPT -t filter -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP
$IPT -t filter -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP
$IPT -t filter -A OUTPUT -s 224.0.0.0/8 -d 0/0 -j DROP
$IPT -t filter -A OUTPUT -s 0/0 -d 224.0.0.0/8 -j DROP
# Block Packets with Stuffed Routing
$IPT -t filter -A INPUT -s 255.255.255.255 -j DROP
$IPT -t filter -A INPUT -d 0.0.0.0 -j DROP
$IPT -t filter -A OUTPUT -s 255.255.255.255 -j DROP
$IPT -t filter -A OUTPUT -d 0.0.0.0 -j DROP
# ICMP Should be allowed out
$IPT -A OUTPUT -p icmp -s $NET -d 0/0 -j ACCEPT
# Open inbound established connections (ssh)
$IPT -A INPUT -p tcp --sport 22 --destination-port 513:65535 ! --syn -m state --state RELATED -j ACCEPT
# FTP Data fix
$IPT -A INPUT -p tcp --sport 20 --destination-port 1023:65535 ! --syn -m state --state RELATED -j ACCEPT
$IPT -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p udp -s 0/0 -d $NET --destination-port 1023:65535 -j ACCEPT
# Open ports for outbound established connections
$IPT -A OUTPUT -p tcp -s $NET -d 0/0 --destination-port 1:65535 -j ACCEPT
$IPT -A OUTPUT -p udp -s $NET -d 0/0 --destination-port 1:65535 -j ACCEPT
# FTP allowed
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 20 ! --syn -j ACCEPT
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 21 -j ACCEPT
# SSH allowed
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 22 -j ACCEPT
# SMTP allowed
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 25 -j ACCEPT
# POP allowed
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 110 -j ACCEPT
# IMAP allowed
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 143 -j ACCEPT
# HTTP allowed
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 80 -j ACCEPT
# HTTPS allowed
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 443 -j ACCEPT
# These TCP ports are opened also
$IPT -t filter -A INPUT -p tcp --destination-port 465 -j ACCEPT
$IPT -t filter -A INPUT -p tcp --destination-port 993 -j ACCEPT
$IPT -t filter -A INPUT -p tcp --destination-port 995 -j ACCEPT
# THESE IPS HAVE FULL ACCESS TO THIS SYSTEM
# Note: a rule with no -j target only counts packets and changes nothing, so
# the admin host needs an explicit ACCEPT to actually get past the final DROP.
$IPT -A INPUT -s <my admin box's IP> -d $NET -j ACCEPT
# RESTART KLOGD (So we dont get flooded by iptables to tty)
killall -9 klogd
/sbin/klogd -x -c 4
# Deny everything not let through earlier
$IPT -A INPUT -j DROP
-- end of script--
Regards,
Pim Bliek
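A diagnostic for the situation described above (port 80 is open, yet some clients never reach Apache), added here as an example and not part of the posted script: it walks the `-s <network> ... -j DROP` rules of a rule set and reports which of them, if any, would discard a given client address before the ACCEPT rules are reached. The rule set below is a constructed excerpt in the same style as the script (the full list is not reproduced), the client addresses are constructed examples, and no iptables command is run, so it works offline on any POSIX sh.

```sh
#!/bin/sh
# Added example, not the poster's script: find which source-based DROP rules
# would match a client address. Pure POSIX sh, no iptables needed.

# Constructed excerpt of INPUT rules in the style of the posted script.
RULES='
$IPT -t filter -A INPUT -s 1.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 80.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 128.66.0.0/16 -d $NET -j DROP
$IPT -t filter -A INPUT -s 172.16.0.0/12 -d $NET -j DROP
$IPT -t filter -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 80 -j ACCEPT
'

# ip_to_int a.b.c.d -> unsigned 32-bit integer.
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains ADDR NET/BITS -> exit 0 if ADDR lies inside NET/BITS.
# A bare address is treated as /32; anything/0 matches every address.
cidr_contains() {
    net=${2%/*}
    bits=${2#*/}
    if [ "$bits" = "$2" ]; then bits=32; fi
    if [ "$bits" -eq 0 ]; then return 0; fi
    mask=$(( 4294967295 - ((1 << (32 - bits)) - 1) ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# drop_rules_matching ADDR -> prints the -s network of every "-j DROP" rule
# that would match ADDR, one per line; prints nothing if none matches.
drop_rules_matching() {
    client=$1
    printf '%s\n' "$RULES" | grep -- '-j DROP' | while read -r line; do
        set -- $line            # word-split the rule; $IPT/$NET stay literal
        src=""
        while [ $# -gt 0 ]; do
            if [ "$1" = "-s" ]; then src=$2; fi
            shift
        done
        if [ -n "$src" ] && cidr_contains "$client" "$src"; then
            echo "$src"
        fi
    done
}

# explain_client ADDR -> one-line human-readable verdict.
explain_client() {
    matched=$(drop_rules_matching "$1")
    if [ -z "$matched" ]; then
        echo "$1: no source DROP rule matches; later ACCEPT rules are reached"
    else
        echo "$1: dropped by source rule(s): $(echo "$matched" | tr '\n' ' ')"
    fi
}

# Stand-alone usage: sh check-drops.sh 80.12.34.56 203.0.113.9 172.20.1.1
for client in "$@"; do
    explain_client "$client"
done
```

To use it against the real script, replace the `RULES` excerpt with the contents of the firewall script (or `iptables -S INPUT` output on later iptables releases) and feed it the addresses of the users who report failures; a match means the client is discarded by an address block long before the port 80 ACCEPT rule, and the listed network is the entry to re-check against current allocations.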