|
This section is part of a larger install-script I'm working on, and my knowledge of iptables stinks (still learning it), so what I need is for this to be in the right order, with the right options enabled. Basically I want: - to allow in what need be, to drop (not reject - what I don't want) - to have separation of the info into the appropriate custom log files in /var/log - to be as safe as possible and secure against probes, attacks etc, yet still usable - to allow NAT port forwarding (I have a router like many people do) (I use SSH and VNC in/out) This is intended to be used on an Ubuntu desktop machine (Lucid Lynx or later) Again... I know this stinks, but I need some serious help with it. Some options are in there, just not enabled, and that's fine. I've updated the script on 08/13/10. #! /bin/bash # # ####################################################################################################################### # iptables setup and configuration # ####################################################################################################################### # # The following is a script for setting up and configuring iptables on a desktop computer running Ubuntu. # iptables -F # # ####################################################################################################################### # Logging # ####################################################################################################################### # iptables -A OUTPUT -j LOG iptables -A INPUT -j LOG iptables -A FORWARD -j LOG # # # ####################################################################################################################### # iptables-rules-input-policies # ####################################################################################################################### # iptables -P INPUT ACCEPT iptables -P FORWARD DROP iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # # ####################################################################################################################### # Allow unlimited outbound traffic # ####################################################################################################################### # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # # ####################################################################################################################### # icmp, INPUT and ports setup # ####################################################################################################################### # iptables -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT iptables -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT iptables -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT iptables -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 113 -j ACCEPT iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5500 -j ACCEPT iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5800 -j ACCEPT iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT # # ####################################################################################################################### # Securing INPUT # ####################################################################################################################### # iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP # # ####################################################################################################################### # Allow freenode to talk to gidentd # ####################################################################################################################### # iptables -A INPUT -s chat.freenode.net -p tcp --dport 113 -j ACCEPT # # ####################################################################################################################### # Enable IP Forwarding # ####################################################################################################################### # echo 1 > /proc/sys/net/ipv4/ip_forward # # ####################################################################################################################### # IP Masquerading # ####################################################################################################################### # # (not needed if intranet is not using private ip-addresses) iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE # # ####################################################################################################################### # iptables-anti-attack-measures-policies # ####################################################################################################################### # # In the following section set it 1 to enable the feature or 0 to disable the feature # # TCP SYN cookie protection from SYN floods echo 1 > /proc/sys/net/ipv4/tcp_syncookies # # Drop ICMP echo-request messages sent to broadcast or multicast addresses echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # # Drop source routed packets echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # # Don't accept ICMP redirect messages echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # # Don't send ICMP redirect messages echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects # # Enable source address spoofing protection echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter # # Log packets with impossible source addresses echo 1 > /proc/sys/net/ipv4/conf/all/log_martians # # ####################################################################################################################### # Lockdown INPUT # ####################################################################################################################### # iptables -A INPUT -j DROP iptables -P INPUT DROP # # ####################################################################################################################### # iptables-save workaround # ####################################################################################################################### # iptables-save -c > /etc/iptables.rules iptables-restore |
|
I'm not an iptables expert, but I can give a few pointers. With iptables order is important as the first commands executed will be the first rules in the chains. I would start the file with a --flush command to make sure that other rules won't get in the way. Then, I like to set the default policy (-P). Since you say in your file that you want unlimited outbound traffic, I would give OUTPUT a default of ACCEPT. All others I would set to DROP. Then, I would allow for internal packets to be accpeted. With this as a starting place, I would go through first finding the things that I don't want to allow out and then things that I do want to allow in. Remember that once a packet is dropped, it won't be able to be logged, so do the logging before dropping. Usually, I put the rules together in the file so that it is logged right before it is dropped. At the very end of the file, I would then allow all remaining ESTABLISHED,RELATED packets to INPUT to ACCEPT. However, right before that, I would DROP all NEW tcp packets not marked with SYN (iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP). You may note that this is more of a whitelist, but you really want some sort of a whitelist for security reasons. You can allays give certain protocols and ACCEPT rule at the end to make it a blacklist. These are mostly very broad and vague suggestions, but perhaps they show the method that I use to write my iptables script. Can you post yur layout / code on how you setup your tables please?
(13 Aug '10, 15:03)
Ron ♦
|
|
Hi Hi, at the end, how is your /etc/iptables.rules look like? If i am not in mistake... ..you are doing nat & ip forwarding, but you are dropping all forwarding packets. Also, whole your firewall is oriented only for INPUT. It's not good way to drop ICMP type 8 packets (ping), especially for routers. Here is some notes, from the way I saw how it's done (copy from configuration file - i'am using fedora):
It's good to accept everything ESTABLISHED and RELATED, so after that rule, everything else should be with state NEW, right? So it doesn't sense to put : -m state --state NEW. I saw, that you are using SSH. My suggestion is to use separate chain for that port. With that chain you can manage more precision way.:
Note, that i use separate chain for dropping. (When i drop, i want to be SURE that it's drop, no matter how ;) ). First it's good to be done friendly. If it's just DROP-ing, the sender will try AGAIN shortly. But if you reject and say "man, there is nothing there", the sender stop sending that requests:
Also, you can find useful to work with '-m limit --limit 20/minute -j ACCEPT' and '-j LOG --log-level debug --log-prefix ":note: " ' |
Please accept an answer so the question/answer can be finished. Or provide more details so we can help.