Martin DiViaio on Thu, 26 Dec 2002 23:10:45 -0500



Re: [PLUG] myfirst fw rules(rev.2)



I see three problems...

1. The state checks for TCP should probably come after the rest of your 
rules (if at all). Having them at the beginning is a BIG security hole. (I 
know this from first-hand experience.)

2. UDP is stateless. Checking for state is a waste of time, especially 
for established or related packets. (It may even error when iptables tries 
to insert the rule.) The question of allowing UDP at all is open to 
debate. Some will argue that you shouldn't allow it at all. Some will say 
it allows some services to run faster. That's something you need to 
decide.

3. ICMP type 5 should only be allowed from your default gateway. There is
no need to limit its usage. In fact, it might cause some problems if you
do. ICMP type 5 is route discovery. Its primary use is for a router to
tell your server that another router on the network is the destination for
the packet it just received. It saves you having to define static routes 
for the other network segments on every server.


On the 26th day of December in the year 2002 you wrote:

> Date: Thu, 26 Dec 2002 15:17:56 -0500 (EST)
> From: epike@isinet.com
> To: plug@lists.phillylinux.org
> Subject: [PLUG] myfirst fw rules(rev.2)
> 
> Hi
> 
> thanks for all the people who responded, my 
> firewall rule script now looks like this.
> 
> Suggestions are still welcome and much appreciated
> thanks!
> 
> jondz / epike
> 
> (changes: broadcast address was wrong, changes in ICMP section)
> ---------------------------------------------------------------
> 
> #! /bin/sh 
> ###################################################################
> # SIMPLE FW RULES, 1-ETHERNET, NO FORWARDING, NO MASQ, SERVICES ONLY
> #
> # OBJECTIVES: 1. Allow standard services (ftp, telnet, web, squid, etc)
> #             2. Log everything else that's not allowed, then drop them
> #
> # JondZ Mon Dec 23 16:12:14 EST 2002
> # JondZ Thu Dec 26 14:57:26 EST 2002 revised (thanks to PLUG)
> ####################################################################
> 
> VERSION="JondZ 12/2002"
> WAN_DEVICE=eth0
> WAN_DEVICE_BROADCAST=192.168.1.255/32
> TCP_OPENPORTS=20,21,22,23,25,53,80,110,137,138,139,3128
> UDP_OPENPORTS=53,137,138,139
> 
> IPTABLES=/sbin/iptables
> 
> echo "$0 ($VERSION): Starting custom firewall..."
> 
> ###########################################################
> # INITIALIZE CHAINS
> ###########################################################
> echo "$0: initializing chains..."
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -X 
> $IPTABLES -Z 
> 
> #############################################
> # IMPLEMENT DEFAULT DRACONIAN POLICIES
> #############################################
> echo "$0: applying default policies..."
> $IPTABLES -P INPUT    DROP
> $IPTABLES -P OUTPUT   ACCEPT
> $IPTABLES -P FORWARD  DROP
> 
> #############################################
> # lo CONNECTIONS
> #############################################
> echo "$0: Accepting lo connections..."
> $IPTABLES -A INPUT  -i lo -j ACCEPT
> 
> #############################################
> # LOG FORWARDING ATTEMPTS
> #############################################
> $IPTABLES -A FORWARD -j LOG --log-prefix "FWD_DETECTED "
> 
> #######################################################################
> # ENABLE BROADCAST PACKETS
> # 
> # NOTES
> # -----
> # On some setups you may want to ACCEPT broadcasts (eg, SAMBA, DHCP)
> # On some setups you may want to DENY broadcasts
> #######################################################################
> echo "$0: accepting broadcast packets.."
> $IPTABLES -A INPUT -i $WAN_DEVICE -d $WAN_DEVICE_BROADCAST -j ACCEPT
> 
> #############################################
> # INCOMING TCP CONNECTIONS for WAN_DEVICE
> #############################################
> echo "$0: Allowing TCP Services..."
> $IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
>           -m state --state INVALID -j DROP
> $IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
>           -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
>           -m state --state NEW -m multiport \
>          --destination-port $TCP_OPENPORTS -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
>           -m limit --limit 3/s -j LOG --log-prefix "TCP_IN "
> 
> #################################################
> # INCOMING UDP CONNECTIONS for WAN_DEVICE
> #################################################
> echo "$0: Allowing UDP Services..."
> $IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
>           -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
>           -m state --state NEW -m multiport \
>           --destination-port $UDP_OPENPORTS -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
>           -m limit --limit 3/s -j LOG --log-prefix "UDP_IN "
> 
> #############################################
> # INCOMING ICMP CONNECTIONS
> #############################################
> echo "$0: allowing some ICMP Connections..."
> 
> ########################################################################
> # ICMP TYPES (incomplete)
> # --------------------------
> # (ideas gathered from fw script of vogt@hansenet.com)
> #
> # 0  - echo reply
> # 3  - Destination Unreachable
> # 4  - source quench
> # 5  - redirect 
> # 8  - echo
> # 11 - Time Exceeded
> # 30 - Traceroute
> #
> # Ping - icmp types 0,8
> # destination unreachable - 3
> # traceroute - 11,30
> #
> # NOTES - icmp type 5 is needed for routing with other network segments!
> #       - icmp type 4 source quench - when packets arrive too fast to
> #         be processed type 4 is sent (??).  
> ########################################################################
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
>           --icmp-type 0 -m limit --limit 3/s -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp \
>           --icmp-type 3 -m limit --limit 3/s -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
>           --icmp-type 4 -m limit --limit 3/s -j ACCEPT
> # $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
> #           --icmp-type 5 -m limit --limit 2/s -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
>           --icmp-type 8 -m limit --limit 3/s -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
>           --icmp-type 11 -m limit --limit 3/s -j ACCEPT
> _________________________________________________________________________
> Philadelphia Linux Users Group        --       http://www.phillylinux.org
> Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
> 

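As an added illustration of points 2 and 3 above (not part of either poster's message), here is a small auditor that tokenises the `-A INPUT` rules of an iptables shell script like the one quoted and reports UDP rules that rely on `--state` and ICMP type 5 (redirect) ACCEPT rules that carry no `-s` source restriction. The script text below is a constructed excerpt in the same style, not the original file; the gateway address 192.168.1.1 is an assumed value.

```python
"""Audit an iptables rule script for the UDP-state and ICMP-redirect points."""
import re
import shlex

# Constructed sample in the style of the quoted script (assumed values, not the original).
SAMPLE_SCRIPT = r"""
IPTABLES=/sbin/iptables
$IPTABLES -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport \
          --destination-port 22,80 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p icmp -m icmp --icmp-type 5 -m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -s 192.168.1.1 -j ACCEPT
"""


def parse_rules(script):
    """Join backslash-continued lines, then tokenise every '-A INPUT' rule into a dict."""
    text = re.sub(r"\\\n\s*", " ", script)
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or " -A INPUT" not in line:
            continue  # blank, commented-out, or not an INPUT rule
        argv = shlex.split(line)
        rule = {"raw": line, "proto": None, "state": None,
                "icmp_type": None, "src": None, "target": None}
        for i, tok in enumerate(argv):
            nxt = argv[i + 1] if i + 1 < len(argv) else None
            if tok == "-p":
                rule["proto"] = nxt
            elif tok == "--state":
                rule["state"] = nxt
            elif tok == "--icmp-type":
                rule["icmp_type"] = nxt
            elif tok in ("-s", "--source"):
                rule["src"] = nxt
            elif tok == "-j":
                rule["target"] = nxt
        rules.append(rule)
    return rules


def audit(script):
    """Return (rule_index, message) findings in first-match order of the INPUT chain."""
    findings = []
    for n, r in enumerate(parse_rules(script)):
        if r["proto"] == "udp" and r["state"]:
            findings.append((n, "UDP rule relies on --state %s" % r["state"]))
        if (r["proto"] == "icmp" and r["icmp_type"] == "5"
                and r["target"] == "ACCEPT" and not r["src"]):
            findings.append((n, "ICMP type 5 accepted from any source; add -s <gateway>"))
    return findings
```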