Network Security Firewalls

RE: Minimal secure iptables firewall

Subject: RE: Minimal secure iptables firewall
Date: Thu, 21 Jul 2005 21:38:36 +0200
Actually, here's what I use as a 'plug in the values' minimal firewall. It's
got elements from a number of different sources as well as my own code.

Just plug in what ports are TCP/UDP Ingress/Egress allowed, and you're set.

(There is a forward chain to adapt easily to multihomed hosts, you just need
to add chains between the interfaces; anti-spoofing and scanning is already
there if you want to use this script for a router)

Cheers,

Chris

(root@$my-server)(247/pts/0)(09:14pm:07/21/05)-
(#:~)- cat /etc/init.d/rc.iptables
#!/bin/bash
# bash, not plain sh: the port lists further down are bash arrays
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# Init Stuff
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

modprobe ip_conntrack
modprobe ip_conntrack_ftp
IPT=/sbin/iptables

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# Initialize all the chains by removing all the rules
# tied to them
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# Now that the chains have been initialized, the user defined
# chains should be deleted. We'll recreate them in the next step
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

$IPT --delete-chain
$IPT -t nat --delete-chain
$IPT -t mangle --delete-chain

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# If a packet matches no rule in a built-in chain, the chain's
# policy applies: drop it
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

$IPT --policy INPUT   DROP
$IPT --policy OUTPUT  DROP
$IPT --policy FORWARD DROP

$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# The loopback interface should accept all traffic
# Necessary for X-Windows and other socket based services
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

$IPT -A INPUT  -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
#
# Define networks
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

EXTERNAL_INT="eth0"             # External Internet interface
EXTERNAL_IP="213.164.XXX.XXX"    # Internet Interface IP address

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# Initialize our user-defined chains
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

$IPT -N valid-src
$IPT -N valid-dst
$IPT -N valid-proto
$IPT -N dropchain

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# Verify valid source and destination addresses for all packets
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

$IPT -A INPUT   -i $EXTERNAL_INT -j valid-src
$IPT -A FORWARD -i $EXTERNAL_INT -j valid-src
$IPT -A OUTPUT  -o $EXTERNAL_INT -j valid-dst
$IPT -A FORWARD -o $EXTERNAL_INT -j valid-dst

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
#
# Source and Destination Address Sanity Checks
#
# Drop packets from networks covered in RFC 1918 (private nets)
# Drop packets from external interface IP
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#

# No "$" in front of the literal networks: in a shell script "$10.0.0.0/8"
# expands as "${1}0.0.0.0/8", which silently installs the wrong prefixes
# (e.g. 72.16.0.0/12 instead of 172.16.0.0/12) when the script is run with
# no arguments, and makes iptables reject the rule when $1 is set
$IPT -A valid-src -s 10.0.0.0/8      -j DROP
$IPT -A valid-src -s 172.16.0.0/12   -j DROP
$IPT -A valid-src -s 192.168.0.0/16  -j DROP
$IPT -A valid-src -s 224.0.0.0/4     -j DROP
$IPT -A valid-src -s 240.0.0.0/5     -j DROP
$IPT -A valid-src -s 127.0.0.0/8     -j DROP
$IPT -A valid-src -s 0.0.0.0/8       -j DROP
$IPT -A valid-src -d 255.255.255.255 -j DROP
$IPT -A valid-src -s 169.254.0.0/16  -j DROP
$IPT -A valid-src -s $EXTERNAL_IP    -j DROP
$IPT -A valid-dst -d 224.0.0.0/4     -j DROP

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# Verify valid Flags for all packets
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

$IPT -A INPUT   -i $EXTERNAL_INT -j valid-proto
$IPT -A FORWARD -i $EXTERNAL_INT -j valid-proto
$IPT -A OUTPUT  -o $EXTERNAL_INT -j valid-proto
$IPT -A FORWARD -o $EXTERNAL_INT -j valid-proto

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
#
# Valid TCP checks
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#

# drop bad flags
$IPT -A valid-proto -p tcp --tcp-flags ALL FIN,URG,PSH -j dropchain
$IPT -A valid-proto -p tcp --tcp-flags ALL ALL -j dropchain
$IPT -A valid-proto -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j dropchain
$IPT -A valid-proto -p tcp --tcp-flags ALL NONE -j dropchain
$IPT -A valid-proto -p tcp --tcp-flags SYN,RST SYN,RST -j dropchain
$IPT -A valid-proto -p tcp --tcp-flags SYN,FIN SYN,FIN -j dropchain

#drop bad state
$IPT -A valid-proto -p tcp ! --syn -m state --state NEW -j dropchain
$IPT -A valid-proto -p tcp -m state --state INVALID -m limit --limit 10/m -j dropchain

#protect against SYN-Flood
# -I puts this rule at the top of INPUT, ahead of the loopback ACCEPT, so
# scope it to the external interface. The limit caps ALL new inbound TCP
# connections on that interface (1/s, bursts of 4), not just floods, so
# raise it on a busy host
$IPT -N syn-flood
$IPT -I INPUT -i $EXTERNAL_INT -p tcp --syn -j syn-flood
$IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPT -A syn-flood -j DROP

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# Allow outbound DNS queries from the FW and the replies too
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

$IPT -A OUTPUT -p udp -o $EXTERNAL_INT --dport 53 --sport 1024:65535 -j ACCEPT
# Only accept replies conntrack has matched to a query we sent: an
# unqualified "--sport 53" rule lets anyone reach every unprivileged UDP
# port on the host just by sending from source port 53
$IPT -A INPUT  -p udp -i $EXTERNAL_INT --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# Allow outbound ntp queries from the FW and the replies too
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

$IPT -A OUTPUT -p udp -o $EXTERNAL_INT --dport 123 --sport 123 -j ACCEPT

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# Allow outbound HTTP/HTTPS/FTP/SMTP cxns from the FW
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

#TCPEGRESSALLOWED[0]=80
#TCPEGRESSALLOWED[1]=443
#TCPEGRESSALLOWED[2]=21
#TCPEGRESSALLOWED[3]=25
#TCPEGRESSALLOWED[4]=22
#TCPEGRESSALLOWED[5]=53

for i in ${TCPEGRESSALLOWED[*]}; do
        $IPT -A OUTPUT -p tcp -o $EXTERNAL_INT --dport ${i} --sport 1024:65535 -m state --state NEW -j ACCEPT
done

#UDPEGRESSALLOWED[0]=123
#
#for i in ${UDPEGRESSALLOWED[*]}; do
#        $IPT -A OUTPUT -p udp -o $EXTERNAL_INT --dport ${i} --sport 1024:65535 -m state --state NEW -j ACCEPT
#done


#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# Allow previously established connections
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

$IPT -A OUTPUT -o $EXTERNAL_INT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT  -i $EXTERNAL_INT -m state --state ESTABLISHED,RELATED -j ACCEPT

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# Allow connections to the firewall
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

TCPINGRESSALLOWED[0]=22
#TCPINGRESSALLOWED[1]=80
TCPINGRESSALLOWED[2]=25
#TCPINGRESSALLOWED[3]=8443
TCPINGRESSALLOWED[4]=443
#TCPINGRESSALLOWED[5]=143
#TCPINGRESSALLOWED[6]=5729
#TCPINGRESSALLOWED[7]=993
#TCPINGRESSALLOWED[8]=465
#TCPINGRESSALLOWED[9]=8080

for i in ${TCPINGRESSALLOWED[*]}; do
        $IPT -A INPUT -p tcp -i $EXTERNAL_INT --dport ${i} --sport 1024:65535 -m state --state NEW -j ACCEPT
done

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# Log and drop all other packets to file /var/log/messages
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

$IPT -A OUTPUT -j dropchain
$IPT -A INPUT -j dropchain
$IPT -A FORWARD -j dropchain

$IPT -A dropchain -p tcp --dport 135:139 -j DROP
$IPT -A dropchain -p udp  --dport 135:139 -j DROP
$IPT -A dropchain -p tcp --dport 445 -j DROP
$IPT -A dropchain -p tcp --dport 1433:1434 -j DROP
$IPT -A dropchain -j LOG
$IPT -A dropchain -j DROP

-----Original Message-----
From: Harry Bobbaers [mailto:Rik.Bobbaers@cc.kuleuven.be] 
Sent: Wednesday, July 20, 2005 10:21 PM
To: cneither@gmail.com
Cc: firewalls@securityfocus.com
Subject: Re: Minimal secure iptables firewall

Quoting cneither@gmail.com:

> if you put these lines at the beginning, all packets will be dropped.
> All packets are tested, starting from the first line. If the packet
> matches, it does what was specified; if not, the next rule in the chain
> is examined. So all packets will be matched to these rules, and the
> whole traffic will be stopped!!
> you should set policy, at the first lines:
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> (you have to add some rules for output)
> iptables -P FORWARD DROP

sorry, you're right, I mistyped... stupid mistake. default policy should
always be drop, allow only what you need, and be as specific as possible

> i think,
> -A INPUT -p tcp --dport 80 -j ACCEPT,
> will be enough, without using -m options, in this case

true again... thanks for noticing ;)

(see you all at wth? :p)

-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT             -=- Tel: +32 485 52 71 50
Rik.Bobbaers@cc.kuleuven.ac.be -=- http://harry.ulyssis.org 

"Work hard and do your best, it'll make it easier for the rest"
-- Garfield
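An added example, not part of Chris's script or of anything posted in this thread: a pure-bash checker that evaluates the valid-src anti-spoofing list offline, without iptables or root, so the bogon prefixes can be unit-tested before the ruleset is loaded. It also shows what the posted `$10.0.0.0/8` lines really expand to. The address 198.51.100.10 is an assumed stand-in for the redacted EXTERNAL_IP, and the function names (ip2int, in_cidr, valid_src_verdict, buggy_list) are this example's own.

```shell
#!/bin/bash
# Added example: offline evaluation of the valid-src anti-spoofing chain.
# Pure bash, no iptables needed. Assumed stand-in for the redacted external
# address: 198.51.100.10 (RFC 5737 documentation range).
EXTERNAL_IP="198.51.100.10"

# The networks valid-src is meant to drop, written without the stray "$"
# the posted script puts in front of them. Order is the chain order.
VALID_SRC_DROP="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/5 127.0.0.0/8 0.0.0.0/8 169.254.0.0/16 $EXTERNAL_IP/32"

# What the posted lines really expand to: "$10.0.0.0/8" is "${1}0.0.0.0/8".
# Call with no arguments to see the list a parameterless run installs; call
# with "start" to see why "rc.iptables start" makes iptables reject the rule.
buggy_list() {
    printf '%s' "$10.0.0.0/8 $172.16.0.0/12 $192.168.0.0/16 $224.0.0.0/4 $240.0.0.0/5 $127.0.0.0/8 0.0.0.0/8 169.254.0.0/16"
}

# ip2int DOTTED-QUAD -> unsigned 32-bit integer on stdout
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET[/PREFIX] -> exit 0 if ADDR lies inside the prefix
in_cidr() {
    local net=${2%/*} plen=${2#*/} mask
    [ "$net" = "$2" ] && plen=32                 # bare address means /32
    mask=$(( plen == 0 ? 0 : (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# valid_src_verdict ADDR [LIST] -> prints DROP if a prefix in LIST matches,
# otherwise RETURN (the packet falls off the end of the user-defined chain
# back to INPUT/FORWARD, which is what iptables does too)
valid_src_verdict() {
    local addr=$1 list=${2:-$VALID_SRC_DROP} net
    for net in $list; do
        if in_cidr "$addr" "$net"; then
            echo DROP
            return 0
        fi
    done
    echo RETURN
}

# Stand-alone run: constructed source addresses against the fixed list and
# against what the posted script really installs
for a in 10.1.2.3 172.31.255.254 172.32.0.1 198.51.100.10 8.8.8.8; do
    printf '%-16s fixed:%-7s posted:%s\n' "$a" \
        "$(valid_src_verdict "$a")" "$(valid_src_verdict "$a" "$(buggy_list)")"
done
```

Run it as-is to see the verdict table; the "posted" column shows RFC 1918 sources passing straight through the chain as written, which is the failure mode the missing anti-spoof coverage creates on a router.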

