[nzlug] Firewall ruleset check
Peter
webwiz at pl.net
Wed May 14 17:56:29 NZST 2008
This is probably a FAQ, but I haven't seen one for a while, and it is probably better than bothering the netfilter list.
I'd appreciate anyone's ideas on how to improve my early draft firewall ruleset. It started off as a cut-and-paste ruleset from various sources, then I worked through much of the iptables tutorial:
#!/bin/bash
###############################################################
#
# FIREWALL SCRIPT
#
# Custom firewall script for 2 nic gateway router /server
# Designed for Webspaces Intranet Package, (c) Peter Scott 2008
#
# We get this to run at boot (debian etch) so...
# save this script as /etc/init.d/firewall ,then
# chmod 755 /etc/init.d/firewall
# update-rc.d firewall defaults
# ( but make sure its runlevel 2 S number is higher than mysql's
# on my system i get this
# S19mysql -> ../init.d/mysql
# S20iptables -> ../init.d/firewall )
#
# Script relies on /usr/bin/perl /root/ipacc/users-insert.pl
# Which picks user ips out of a db table and inserts accounting rules.
# Also, because the firewall won't be running until a while
# after the interface is up, also put a temporary block-all
# firewall in place at eth1 pre-up.
#
#
###############################################################
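# Binary and interface names used by every rule below. Marked readonly so a
# later typo cannot silently repoint the rules at another interface.
readonly IPT='/sbin/iptables'
readonly WAN=eth1   # internet-facing NIC (masqueraded out, DHCP client)
readonly LAN=eth0   # internal network NIC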
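start () {
  # Build the complete ruleset. Forwarding is switched OFF first and only
  # re-enabled at the very end: during the rebuild FORWARD's policy is ACCEPT
  # and the Accounting/Firewall jumps are not yet in place, so leaving
  # forwarding on would route unfiltered, unaccounted traffic for that window.
  # (On a restart of a live router this interrupts forwarding for the fraction
  # of a second the rules take to load.)
  echo '0' > /proc/sys/net/ipv4/ip_forward

  #################### SETUP #######################
  # Flush every chain of the filter and nat tables and delete the user chains
  # so the script can be re-run cleanly ("-F" with no chain name covers every
  # built-in chain of the table).
  "$IPT" -F
  "$IPT" -t nat -F
  "$IPT" -X
  # Default policies: fail closed on INPUT. FORWARD stays ACCEPT because
  # LAN-originated traffic is accepted by falling off the end of the chain;
  # the Accounting jump below drops anything that is not a known user.
  "$IPT" -P INPUT DROP
  "$IPT" -P OUTPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT
  # A chain to log (rate-limited) and drop unauthorised traffic
  "$IPT" -N Firewall
  "$IPT" -A Firewall -m limit --limit 10/minute -j LOG --log-prefix "DROPPED: "
  "$IPT" -A Firewall -j DROP
  # Set up accounting.
  # Accounting: per-user RETURN rules are inserted at the top by
  # users-insert.pl (run at the end of this function); anything that reaches
  # the final rule belongs to no known user and is logged and dropped.
  "$IPT" -N Accounting
  "$IPT" -A Accounting -j Firewall
  # Accounting2: target-less rules that only count the router's own traffic
  # per interface and direction; packets fall through back to INPUT/OUTPUT.
  "$IPT" -N Accounting2
  "$IPT" -A Accounting2 -o "$WAN"
  "$IPT" -A Accounting2 -i "$WAN"
  "$IPT" -A Accounting2 -o "$LAN"
  "$IPT" -A Accounting2 -i "$LAN"
  "$IPT" -A FORWARD -j Accounting
  "$IPT" -A INPUT -j Accounting2
  "$IPT" -A OUTPUT -j Accounting2
  # Accounting users
  # These are script-injected later, but add any static users here if you like:
  #"$IPT" -I Accounting 1 -s 192.168.0.200 -j RETURN
  #"$IPT" -I Accounting 1 -d 192.168.0.200 -j RETURN

  #################### FORWARD #######################
  # Masquerade out
  "$IPT" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
  "$IPT" -A FORWARD -i "$WAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Incoming port forwarding
  # P2P port
  # This is broken post $WAN on DHCP; it worked for a static WAN.
  # NOTE(review): neither rule below depends on the WAN address, so DHCP is an
  # unlikely cause. Forwarded packets go through the Accounting chain first,
  # which drops anything without a RETURN rule, so 192.168.0.200 must have its
  # RETURN rules in place for the DNAT'd connection to get through — confirm.
  "$IPT" -t nat -A PREROUTING -i "$WAN" -p tcp --dport 18802 -j DNAT --to 192.168.0.200:18802
  "$IPT" -A FORWARD -i "$WAN" -p tcp --dport 18802 -m state --state NEW -j ACCEPT
  # Do not allow any other new incoming connections
  "$IPT" -A FORWARD -i "$WAN" -m state --state NEW,INVALID -j Firewall

  #################### INPUT #######################
  # Accept connections from the localhost and LAN
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A INPUT -i "$LAN" -j ACCEPT
  # Accept related and established connections
  "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # A list of well known combinations of bad TCP flags
  "$IPT" -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j Firewall
  "$IPT" -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j Firewall
  "$IPT" -A INPUT -p tcp --tcp-flags ACK,URG URG -j Firewall
  "$IPT" -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j Firewall
  "$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j Firewall
  "$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j Firewall
  "$IPT" -A INPUT -p tcp --tcp-flags ALL ALL -j Firewall
  "$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j Firewall
  "$IPT" -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j Firewall
  "$IPT" -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j Firewall
  "$IPT" -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j Firewall
  "$IPT" -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j Firewall
  # A NEW connection must start with a SYN
  "$IPT" -A INPUT -p tcp ! --syn -m state --state NEW -j Firewall
  # Accept certain ICMP messages, drop the others
  # 0=echo reply 3=Destination Unreachable 11=Time Exceeded 8=Echo (rate-limited to avoid ping flood)
  "$IPT" -A INPUT -p icmp --icmp-type 0 -j ACCEPT
  "$IPT" -A INPUT -p icmp --icmp-type 3 -j ACCEPT
  "$IPT" -A INPUT -p icmp --icmp-type 11 -j ACCEPT
  "$IPT" -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
  "$IPT" -A INPUT -p icmp -j Firewall
  # Servers we want to allow from the WAN (SSH, SMTP, HTTP)
  "$IPT" -A INPUT -i "$WAN" -p tcp --dport 22 -j ACCEPT
  "$IPT" -A INPUT -i "$WAN" -p tcp --dport 25 -j ACCEPT
  "$IPT" -A INPUT -i "$WAN" -p tcp --dport 80 -j ACCEPT
  # WAN DHCP client. DHCP is UDP only (server port 67 -> client port 68), so
  # there is no tcp 67->68 rule, and the broadcast rule is limited to UDP on
  # the client port instead of accepting every protocol sent to the broadcast
  # address.
  "$IPT" -A INPUT -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT
  "$IPT" -A INPUT -i "$WAN" -p udp --dport 68 -d 255.255.255.255 -j ACCEPT
  # Drop and log the rest
  "$IPT" -A INPUT -j Firewall

  #################### OUTPUT #######################
  # OUTPUT policy is ACCEPT; these rules only count and tidy what the router sends.
  "$IPT" -A OUTPUT -o lo -j ACCEPT
  "$IPT" -A OUTPUT -o "$LAN" -j ACCEPT
  "$IPT" -A OUTPUT -o "$WAN" -p udp --sport 68 --dport 67 -j ACCEPT
  "$IPT" -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT
  # Never send NetBIOS datagram/session traffic out to the WAN
  "$IPT" -A OUTPUT -o "$WAN" -p udp --sport 138:139 -j DROP
  #"$IPT" -A OUTPUT -j LOG -m limit --limit 10/minute --log-prefix "OUTPUT: "

  #################### ADD USERS #######################
  # Inserts the per-user RETURN rules into Accounting. If this fails the
  # firewall stays closed (no user traffic is forwarded), so say so loudly
  # rather than failing silently.
  if ! /usr/bin/perl /root/ipacc/users-insert.pl; then
    echo "firewall: users-insert.pl failed; no user traffic will be forwarded" >&2
  fi

  # Ruleset is complete: enable forwarding.
  echo '1' > /proc/sys/net/ipv4/ip_forward
}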
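# init-script entry point: start | stop | restart
case "$1" in
  start)
    echo -n "Starting firewall..."
    start
    echo " done."
    ;;
  stop)
    # NOTE: "stop" does not open the firewall. It flushes every rule and
    # leaves INPUT and FORWARD at DROP, so the host stops answering on all
    # interfaces (including the LAN and loopback) until "start" is run again.
    echo -n "Stopping firewall..."
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -X
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -P FORWARD DROP
    echo " done."
    ;;
  restart)
    # start() flushes and rebuilds the whole ruleset, so a restart is just start.
    echo -n "Restarting firewall..."
    start
    echo " done."
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac
exit 0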
#!/bin/bash
###############################################################
#
# INITIAL FIREWALL SCRIPT
#
# This is a temp minimal firewall script (debian etch)
# Designed for Webspaces Intranet Package, (c) Peter Scott 2008
#
# We run this just before eth1 comes up.
#
# save this as /etc/network/if-pre-up.d/iptables-preup
# chmod 700 /etc/network/if-pre-up.d/iptables-preup
#
#
###############################################################
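IPT='/sbin/iptables'
WAN=eth1
LAN=eth0   # not used by this minimal script; kept to mirror the main one

# Fail closed: nothing in, nothing through, until the full ruleset
# (/etc/init.d/firewall) replaces this one.
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT ACCEPT

# What's needed to get us a DHCP address from the modem half bridge.
# DHCP is UDP only (server port 67 -> client port 68), so there is no tcp
# rule, and the broadcast rule is limited to UDP on the client port rather
# than accepting every protocol sent to the broadcast address.
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A INPUT -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT
"$IPT" -A INPUT -i "$WAN" -p udp --dport 68 -d 255.255.255.255 -j ACCEPT
# NOTE(review): presumably ifupdown runs this hook once per interface it
# brings up; each run appends these rules again. The duplicates are harmless
# but show up in "iptables -L" — confirm before adding more rules here.

# half bridge hack
# not needed as it transpires
#/sbin/route add -host 118.90.11.129 dev eth1
#/sbin/route add default gw 118.90.11.129 dev eth1
exit 0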