IPtables script, submitted for consideration



Dave_Bechtel
10-11-2003, 05:03 PM
--I know next to nothing about iptables, even went thru some HOWTOs and got nothing but mind-boggled. So I googled for "iptables basic protection" and a few other things, and hacked together a basic-protection script with the help of various sources.

--Anyone who knows ins/outs of iptables security, please examine and see if there's anything redundant or useful that can be added.

--Script as supplied is pppoe-centric (ppp0):
o Allows loopback 127.0.0.1
o Allows ping from inside and outside boxes
o Allows bittorrent
o Allows ssh
o Allows squid (port 3128)

o Disallows nmap except from localhost
o Blocks certain known-bad Windows ports.

--So far I haven't tested it yet for VNC or ssh port-forwarding. Bittorrent definitely works tho.

--Note: I had to re-edit and jump thru some hoops for ssh to work properly. First crack at this, my existing ssh session died. Then the existing session stayed, but I couldn't reconnect with a new session. The existing rules are a lot now, but allow ssh to work as you would expect. I'm wondering if I can cut this down a bit tho, and optimize it.

--In this post, I'll put the basic code; the full source with references and comments will go into a reply-topic. TIA.


#BEGIN basic-prot
#!/bin/sh
iptables -F
iptables -X
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -p udp --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p udp --sport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 0/0 -p tcp --dport 8080 -j REJECT
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 0/0 -p tcp --dport 3128 -j REJECT
iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6881:6889 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6969 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -i ppp0 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -i ppp0 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -d 0.0.0.0/0 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 1214 -j REJECT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 139 -j REJECT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 445 -j REJECT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN -j DROP
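The lockout described above (existing session dies, then new sessions cannot connect) comes from relying on `--sport 22` rules instead of a stateful ESTABLISHED,RELATED rule plus a `--dport 22` rule. The following is an added example, not the poster's script, showing the same policy written that way: default policies are set first so a failing command leaves the host closed rather than open, the anti-spoof drops sit before any service ACCEPT (in the script above they come after the ssh ACCEPT, so a spoofed private-range source on ppp0 would still reach port 22), and every service rule keys on the destination port with NEW state. The interface names, the 10.0.0.0/8 LAN range and the port numbers are taken from the thread; `IPT`, `WAN`, `LAN`, `LAN_NET` and the `apply`/`dry-run` arguments are this example's own conventions. `-m state --state` is the syntax the thread uses; on current kernels `-m conntrack --ctstate` is the equivalent.

```shell
#!/bin/sh
# Added example, not the thread author's script: the same policy written
# with stateful matching, ordered so it fails closed and can be dry-run.
# Constructed assumptions: WAN on ppp0, LAN on eth0 with 10.0.0.0/8,
# ssh on 22, squid on 3128, BitTorrent on 6881-6883 and 6969.
# Set IPT="echo iptables" to print the rules instead of loading them.

IPT="${IPT:-iptables}"
WAN="${WAN:-ppp0}"
LAN="${LAN:-eth0}"
LAN_NET="${LAN_NET:-10.0.0.0/8}"

build_rules() {
    # Policies first: if a later command fails, the host stays closed
    # rather than being left open under the ACCEPT default.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X

    $IPT -A INPUT -i lo -j ACCEPT

    # One stateful rule replaces the eight "--sport 22" rules: replies to
    # connections this host opened, plus related traffic such as ICMP errors.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing before any service ACCEPT, so a private-range source on
    # the WAN side is dropped even when it targets an open port.
    for net in 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT -i "$WAN" -s "$net" -j DROP
    done

    # Services: match the destination port plus NEW state. A remote peer
    # picks its own source port, so "--sport 22 -j ACCEPT" would admit any
    # unsolicited packet that happens to come from port 22.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 3128 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 6881:6883 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 6969 -m state --state NEW -j ACCEPT

    # Incoming ping, as in the original; replies to our own pings are
    # already covered by ESTABLISHED.
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Log (rate-limited) what the DROP policy is about to discard, so the
    # next lockout shows up in the log instead of as a dead ssh session.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Dry-run helpers: render the ruleset as text and count lines matching a
# pattern, so ordering can be checked before anything is loaded.
render_rules() {
    (IPT="echo iptables"; build_rules)
}

count_rules() {
    render_rules | grep -c -- "$1" || true
}

case "${1:-}" in
    apply)   build_rules ;;    # needs root: loads the rules
    dry-run) render_rules ;;   # prints the rules, loads nothing
esac
```

Run `sh firewall.sh dry-run` first and read the order; the Squid and BitTorrent rules are bound to an interface as in the thread, while ssh is left reachable on both sides so the LAN-side session survives a reload.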

Dave_Bechtel
10-11-2003, 05:27 PM
Full source with comments and references, for
#BEGIN basic-prot


#!/bin/sh

# Use ipreset to clearall
# This allows nmap localhost but not from any other machine :)

# Debug:
##tcpdump -i eth0 not port 22 # Everything but ssh

# Trace, exit at 1st err
set -x -e

# Flush 1st
iptables -F

# Deletes any tables that you've created, and leaves the
# default (input, output, forward, etc.)
iptables -X

# Allow loopback access. This rule must come before the rules denying
# port access!!
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
##iptables -A INPUT -i lo -j ACCEPT


#This allows all data that has been sent out for the computer running the
# firewall to come back (for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
# Allow outside ping
iptables -A INPUT -p icmp -j ACCEPT


#These lines add rules (-A) to the OUTPUT and INPUT tables
# that match state as well. However, this time it only matches
# packets that are related to packets that have already been
# passed, or packets that are a part of an already-established
# connection (-m state --state RELATED,ESTABLISHED) and allows
# them to be accepted (-j ACCEPT). Think of this as a
# combination of yahoo sending its web page to you and you
# asking for a second one.
#/* You would need to load at least the ip_conntrack, iptable_filter and
#ipt_state modules, and would probably want to load the ip_conntrack_ftp
#module too.
#These rules should block incoming traffic which isn't associated to a
#connection which you've initiated from your machine.
#*/

iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


# Allow ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# Well, crap - we got rid of 8 rules in favor of 1 :)

#Allow incoming FTP requests - xxx uncomment
iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 20 -j REJECT
iptables -A INPUT -p tcp -i ppp0 --dport 21 -j REJECT

## Allow Squid from local net
iptables -A INPUT -s 0/0 -p tcp --dport 8080 -j REJECT
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 0/0 -p tcp --dport 3128 -j REJECT

# Allow BitTorrent connections
# xxx 2003.1012 modified for only 3 ports (was 6881:6889)
iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6881:6883 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6969 -j ACCEPT

# Allow 1 VNC
iptables -A INPUT -i eth0 -p tcp --dport 5902 -j ACCEPT


#####
##### BLOCKING
#####

#Example: Block all ports, besides port 22 to allow sshd:
##/sbin/iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
###/sbin/iptables -A INPUT -p tcp --syn -j DROP

#Block all ports,besides port 22, and only allow predefined IP to access that
#port.
##/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.100/32 --destination-port 22 -j ACCEPT
##/sbin/iptables -A INPUT -p tcp --syn -j DROP

#/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.100/32 --destination-port 22 -j ACCEPT
#allow connection to sshd from IP 192.168.1.100
#/sbin/iptables -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
#allow httpd server to be accessed by world
#/sbin/iptables -A INPUT -p tcp --syn -j DROP
#block all ports (besides the limitations of above)


#More elaborate rules can be created that control access to specific subnets,
#or even specific nodes, within a LAN. You can also restrict certain dubious
#services such as trojans, worms, and other client/server viruses from
#contacting their server. For example, there are some trojans that scan
#networks for services on ports from 31337 to 31340 (called the elite ports
#in cracking lingo). Since there are no legitimate services that communicate
#via these non-standard ports, blocking it can effectively diminish the
#chances that potentially infected nodes on your network independently
#communicate with their remote master servers. Note that the following rule
#is only useful if your default OUTPUT policy is set to ACCEPT. If you set
#OUTPUT policy to DROP, then this rule is not needed.

#iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
# Remember, dport can only be used with -ptcp or -pudp specific.
iptables -A INPUT -i ppp0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A OUTPUT -o ppp0 -p tcp --dport 31337 --sport 31337 -j DROP

#FORWARD rules can be implemented to restrict certain types of traffic to the
#LAN only, such as local network file shares through NFS or Samba. The
#following rules reject outside connections to Samba shares:

iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP


# remote interface, claiming to be local machines, IP spoofing, get lost
# This turns out to be same as non-routable IPs
##iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -d 0.0.0.0/0 -j DROP
# New way:
# Block nonroutable IPs
iptables -A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -i ppp0 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -i ppp0 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP

#"A" for append, "INPUT" to specify the state for the condition (coming,
#going, or forwarding), and "sport" for source port.

# Block common Windoze ports / specific ports
iptables -A INPUT -s 0/0 -p tcp --sport 69 -j DROP
iptables -A INPUT -s 0/0 -p tcp --sport 135 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 139 -j REJECT # Block Windows file sharing
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 445 -j REJECT # Block Windows file sharing
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 1214 -j REJECT # Block Kazaa
iptables -A INPUT -s 0/0 -p tcp --sport 4444 -j DROP


# Block incoming Blaster Worm traffic on ports 153 and 707
# Chgd eth0 to ppp0, added -p tcp and got it to work :)
iptables -A INPUT -i ppp0 -p tcp --dport 153 -j DROP
iptables -A INPUT -i ppp0 -p tcp --dport 707 -j DROP

# Block infected machines from spreading Blaster Worm on 153 and 707
##/sbin/iptables -A OUTPUT -o ppp0 --dport 153 -j DROP
##/sbin/iptables -A OUTPUT -o ppp0 --dport 707 -j DROP


# !! Consider dropping all traffic to port 25 (mail)
# Block ports 127, 137, 138 and 139 (Samba/windows) - blocked in FORWARD, above




# Fallthru

# Default rule
# Sets the default policy (-P) for INPUT packets to DROP. If a
# packet comes into your interface and doesn't match any other
# rules, the default policy takes effect and the packet is dropped.
iptables -P INPUT DROP


# Default rule
# Sets the default policy (-P) for FORWARD packets to DROP. If
# a packet needs to be routed from one interface to another
# (such as a firewall/router with two network cards) and
# doesn't match any other rules, the default policy takes
# effect and the packet is dropped.
iptables -P FORWARD DROP

# Final rule (stopgap)
iptables -A INPUT -p tcp --tcp-flags ALL SYN -j DROP

exit;



# References:
# http://nekohako.xware.cx/tech/adsl-2.4.html
# http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/ch-fw.html
# http://uug.byu.edu/pipermail/uug-list/2003-April/002060.html
# http://www.linuxchix.org/pipermail/techtalk/2003-August/016116.html
# http://linuxwiki.de/FlorianWoegerer/Notizen
# http://www.linuxforum.com/forums/index.php?s=2f9a3a12448e23a0de24814e16807622&showtopic=1548&st=0&#entry5637
# http://www.ltsp.org/contrib/vnc.html

## Orig ssh mess:
# Allow ssh
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -p udp --sport 22 -j ACCEPT
# XXX added below
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p udp --dport 22 -j ACCEPT
#(Orig:)
##iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
##iptables -A OUTPUT -p udp --sport 22 -j ACCEPT

# Added more
##iptables -A INPUT -i eth0 -p udp --dport 22 -j ACCEPT
##iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
##iptables -A OUTPUT -o eth0 -p udp --dport 22 -j ACCEPT
##iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT

# UNUSED:
#To take the restrictions a step further, block all outside connections that
#attempt to spoof private IP address ranges to infiltrate your LAN. If a LAN
#uses the 192.168.1.0/24 range, a rule can set the Internet facing network
#device (for example, eth0) to drop any packets to that device with an
#address in your LAN IP range. Because it is recommended to reject forwarded
#packets as a default policy, any other spoofed IP address to the
#external-facing device (eth0) will be rejected automatically.
#
##iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i eth0 -j DROP
##iptables -A FORWARD -p udp -s 192.168.1.0/24 -i eth0 -j DROP
# xxx corrected
##iptables -A FORWARD -p tcp -s 192.168.0.0/24 -i ppp0 -j DROP
##iptables -A FORWARD -p udp -s 192.168.0.0/24 -i ppp0 -j DROP
##iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i ppp0 -j DROP
##iptables -A FORWARD -p udp -s 192.168.1.0/24 -i ppp0 -j DROP

# Block common Windoze ports / specific ports
# (this just doesn't work)
# I bet the reason is because -j DENY doesn't exist. Chg to DROP.
# Got it working :)
##iptables -A INPUT -s 0/0 -p tcp --sport 69 -j DENY
##iptables -A INPUT -s 0/0 -p tcp --sport 135 -j DENY
##iptables -A INPUT -s 0/0 -p tcp --sport 4444 -j DENY

# for transparent proxy
#> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
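The "Orig ssh mess" above and the first post's rules share two patterns worth catching automatically rather than by reading: an ACCEPT keyed only on `--sport` (the remote side chooses its own source port, so such a rule admits unsolicited traffic), and a private range that has no anti-spoof DROP on the external interface. The following is an added example, not the poster's code: a read-only audit in awk over an `iptables-save` dump. The dump embedded below is constructed for the example and deliberately contains both problems; `audit_rules`, `audit_count`, `SAMPLE_RULES` and the `--sample` argument are this example's own names.

```shell
#!/bin/sh
# Added example, not the thread author's code: a read-only audit of an
# iptables-save dump for two weaknesses visible in the thread's rules:
#   1. ACCEPT keyed only on --sport (the remote side chooses its source port)
#   2. a private range with no anti-spoof DROP on the WAN interface
# The dump below is constructed for the example; in use, feed the real one:
#   iptables-save | sh audit.sh ppp0

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -p udp -m udp --sport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP
-A INPUT -s 127.0.0.0/8 -i ppp0 -j DROP
-A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP
COMMIT'

# audit_rules WAN_IF  -- reads a dump on stdin, prints one finding per line
audit_rules() {
    awk -v wan="$1" '
    /^-A INPUT / {
        # Finding 1: ACCEPT on source port with neither a dport nor a state match
        if ($0 ~ /-j ACCEPT/ && $0 ~ /--sport/ && $0 !~ /--dport/ && $0 !~ /--(state|ctstate)/)
            print "sport-only ACCEPT (remote chooses its source port): " $0
        # Remember which source ranges are dropped on the WAN interface
        if ($0 ~ ("-i " wan "( |$)") && $0 ~ /-j DROP/) {
            for (i = 1; i < NF; i++)
                if ($i == "-s") dropped[$(i + 1)] = 1
        }
    }
    END {
        n = split("10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16", priv, " ")
        for (i = 1; i <= n; i++)
            if (!(priv[i] in dropped))
                print "no anti-spoof DROP on " wan " for " priv[i]
    }'
}

# audit_count WAN_IF  -- same input, prints only the number of findings
audit_count() {
    audit_rules "$1" | grep -c . || true
}

case "${1:-}" in
    "")       ;;                                                # sourced: nothing to do
    --sample) printf '%s\n' "$SAMPLE_RULES" | audit_rules ppp0 ;;
    *)        audit_rules "$1" ;;                               # iptables-save | sh audit.sh ppp0
esac
```

On the embedded sample, `sh audit.sh --sample` reports the two `--sport 22` ACCEPTs and the missing 172.16.0.0/12 drop; running it against the live dump after each edit of the script is a cheaper check than losing an ssh session.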