epike on Tue, 31 Dec 2002 12:21:05 -0500



[PLUG] my 1st fw script, rev.3


Hi list

Thanks for all your help! Now I'm posting my latest
iptables firewall script, in case anybody wants
to use it, expand on it, or comment on it...

It works fine and is almost complete; the only missing
details are:

1. The ICMP stuff at the end.  For one thing,
   type 5 should be allowed only from the gateway.
2. WAN_DEVICE_BROADCAST.  I still can't really decide
   whether to allow it, or what.  That probably depends
   on the network the server is in.  I'd just
   disallow broadcast packets if I weren't using
   DHCP or Samba.

This script is designed only for machines with one
NIC (no forwarding or masq); I tried to write it
as simply as possible while still doing the job.

jondz / epike


#! /bin/sh 
###################################################################
# SIMPLE FW RULES, 1-ETHERNET, NO FORWARDING, NO MASQ, SERVICES ONLY
#
# OBJECTIVES: 1. Allow standard services (ftp, telnet, web, squid, etc)
#             2. Log everything else that's not allowed, then drop it
#
# JondZ Mon Dec 23 16:12:14 EST 2002
# JondZ Thu Dec 26 14:57:26 EST 2002 revised (thanks to PLUG)
# JondZ Fri Dec 27 11:56:25 EST 2002 revised (thanks to PLUG)
####################################################################

VERSION="JondZ 12/2002"
WAN_DEVICE=eth0
WAN_DEVICE_BROADCAST=192.168.1.255/32
TCP_OPENPORTS=20,21,22,23,25,53,80,110,137,138,139,443,3128
UDP_OPENPORTS=53,137,138,139

IPTABLES=/sbin/iptables

echo "$0 ($VERSION): Starting custom firewall..."

###########################################################
# INITIALIZE CHAINS
###########################################################
echo "$0: initializing chains..."
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -X 
$IPTABLES -Z 

#############################################
# IMPLEMENT DEFAULT POLICIES
#############################################
echo "$0: applying default policies..."
$IPTABLES -P INPUT    DROP
$IPTABLES -P OUTPUT   ACCEPT
$IPTABLES -P FORWARD  DROP

#############################################
# lo CONNECTIONS
#############################################
echo "$0: Accepting lo connections..."
$IPTABLES -A INPUT  -i lo -j ACCEPT

#############################################
# LOG FORWARDING ATTEMPTS
#############################################
$IPTABLES -A FORWARD -j LOG --log-prefix "FWD_DETECTED "

#######################################################################
# ENABLE BROADCAST PACKETS
#
# NOTES
# -----
# On some setups you may want to ACCEPT broadcasts (eg, SAMBA, DHCP)
# On some setups you may want to DENY broadcasts
# This rule only matches the subnet broadcast address.  A DHCP client
# that has no address yet gets its replies on the limited broadcast
# 255.255.255.255, which this rule does not cover.
#######################################################################
echo "$0: accepting broadcast packets..."
$IPTABLES -A INPUT -i $WAN_DEVICE -d $WAN_DEVICE_BROADCAST -j ACCEPT

#############################################
# INCOMING TCP CONNECTIONS for WAN_DEVICE
#############################################
echo "$0: Allowing TCP Services..."
# Packets conntrack cannot associate with any connection state
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
          -m state --state INVALID -j DROP
# A TCP packet with no matching connection counts as NEW even when it is
# not a SYN (a bare ACK, for example), so insist new connections start
# with a SYN before the port check below
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp ! --syn \
          -m state --state NEW -j DROP
# New connections only to the listed service ports
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
          -m state --state NEW -m multiport \
          --dports $TCP_OPENPORTS -j ACCEPT
# Further packets of connections already accepted (and related ones,
# eg, ftp data)
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
          -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else is logged (rate-limited) and then hits the DROP policy
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
          -m limit --limit 3/s -j LOG --log-prefix "TCP_IN "

############################################################################
# INCOMING UDP CONNECTIONS for WAN_DEVICE
# WARNING: do not use -p udp -m state --state NEW!!!  It does not seem to work!
############################################################################
echo "$0: Allowing UDP Services..."
# Replies to UDP queries this host sent (eg, DNS lookups)
$IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
          -m state --state ESTABLISHED,RELATED -j ACCEPT
# Datagrams to the listed service ports
$IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
          -m multiport --dports $UDP_OPENPORTS -j ACCEPT
# Everything else is logged (rate-limited) and then hits the DROP policy
$IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
          -m limit --limit 3/s -j LOG --log-prefix "UDP_IN "

#############################################
# INCOMING ICMP CONNECTIONS
#############################################
echo "$0: allowing some ICMP Connections..."

########################################################################
# ICMP TYPES (incomplete)
# --------------------------
# 0  - echo reply
# 3  - Destination Unreachable
# 4  - source quench (deprecated; modern kernels ignore it)
# 5  - redirect
# 8  - echo request
# 11 - Time Exceeded
# 30 - Traceroute (RFC 1393, experimental; not implemented here)
#
# ping - ICMP types 8 (request) and 0 (reply)
# destination unreachable - 3 (code 4 carries path MTU discovery, so
#         rate-limiting type 3 too hard can stall large transfers)
# traceroute - replies come back as type 11, plus type 3 from the
#         final hop
#
# NOTES - icmp type 5 (redirect) is how a router on the local segment
#         tells this host to use a different first hop for some
#         destination.  Any host on the segment can send one, so
#         accepting it from everyone lets a neighbour rewrite this
#         host's routing cache.
#       - no need to rate-limit icmp type 5, but see INCOMPLETE below.
#       - icmp type 4 source quench - when packets arrive too fast to
#         be processed type 4 is sent (??).
# INCOMPLETE - ICMP type 5 - for route discovery.  Allow only FROM
#         the default gateway!  (The kernel can also be told to ignore
#         redirects via /proc/sys/net/ipv4/conf/all/accept_redirects.)
########################################################################
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
          --icmp-type 0 -m limit --limit 3/s -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
          --icmp-type 3 -m limit --limit 3/s -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
          --icmp-type 4 -m limit --limit 3/s -j ACCEPT
# TODO: restrict to "-s <default gateway>"; see the notes above
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
          --icmp-type 5 -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
          --icmp-type 8 -m limit --limit 3/s -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
          --icmp-type 11 -m limit --limit 3/s -j ACCEPT
# Any other ICMP is logged (rate-limited) and then hits the DROP policy,
# matching objective 2 above
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp \
          -m limit --limit 3/s -j LOG --log-prefix "ICMP_IN "

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
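Added example, not part of jondz's post or script: a small Python program that reads the kernel log lines the script's LOG rules produce (prefixes TCP_IN, UDP_IN and FWD_DETECTED) and summarises what the firewall actually dropped. It assumes the standard LOG target field layout (IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT= and bare TCP flag words) as syslog records it after the "kernel:" tag. The host name srv, the MAC address and all IP addresses (taken from the documentation ranges) are constructed sample data, not a real capture.

```python
"""Summarise netfilter LOG output from the PLUG firewall script.

The script tags every dropped packet with a log prefix (TCP_IN, UDP_IN,
FWD_DETECTED).  klogd/syslog then records one line per packet such as
  kernel: TCP_IN IN=eth0 OUT= MAC=... SRC=a.b.c.d DST=... PROTO=TCP SPT=n DPT=m ... SYN URGP=0
This parses those lines, counts drops per (prefix, protocol, destination
port) and flags sources that touched many distinct ports: a port scan.
"""
import re
from collections import Counter, defaultdict

# The log prefix sits right before the first "IN=" field.  The optional
# "[ seconds]" group is the printk timestamp some distributions enable.
PREFIX_RE = re.compile(r"kernel: (?:\[\s*\d+\.\d+\] )?(\S+) IN=")
# Every other field the LOG target emits is KEY=value (OUT= may be empty).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")


def parse_log_line(line):
    """Return a dict describing one netfilter LOG line, or None for other lines."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(line[m.end(1):]))
    return {
        "prefix": m.group(1),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        # TCP flags appear as bare words after RES=.  "URGP=0" does not
        # match \bURG\b because P is a word character.
        "flags": tuple(f for f in TCP_FLAGS if re.search(r"\b%s\b" % f, line)),
    }


def summarize(lines, scan_threshold=5):
    """Aggregate LOG lines.

    Returns (hits, scanners, non_syn_tcp):
      hits         Counter keyed by (prefix, proto, dport)
      scanners     sorted SRC addresses that hit >= scan_threshold distinct
                   (proto, dport) pairs
      non_syn_tcp  TCP drops that were not connection attempts (no SYN):
                   ACK scans, stray ACKs, late packets of a connection
                   conntrack has already forgotten
    """
    hits = Counter()
    ports_by_src = defaultdict(set)
    non_syn_tcp = 0
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        hits[(rec["prefix"], rec["proto"], rec["dpt"])] += 1
        if rec["dpt"] is not None:
            ports_by_src[rec["src"]].add((rec["proto"], rec["dpt"]))
        if rec["proto"] == "TCP" and "SYN" not in rec["flags"]:
            non_syn_tcp += 1
    scanners = sorted(src for src, ports in ports_by_src.items()
                      if len(ports) >= scan_threshold)
    return hits, scanners, non_syn_tcp


# Constructed sample log (hostname, MAC and addresses are made up; the
# addresses come from the RFC 5737 documentation ranges).
MAC = "MAC=00:0c:29:3e:5a:1f:00:50:56:c0:00:08:08:00"
SAMPLE_LOG = [
    f"Dec 31 12:21:05 srv kernel: TCP_IN IN=eth0 OUT= {MAC} SRC=203.0.113.7 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=32771 DF PROTO=TCP SPT=3242 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0",
    f"Dec 31 12:21:05 srv kernel: TCP_IN IN=eth0 OUT= {MAC} SRC=203.0.113.7 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=32772 DF PROTO=TCP SPT=3243 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0",
    f"Dec 31 12:21:08 srv kernel: TCP_IN IN=eth0 OUT= {MAC} SRC=203.0.113.7 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=32773 DF PROTO=TCP SPT=3243 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0",
    f"Dec 31 12:21:09 srv kernel: UDP_IN IN=eth0 OUT= {MAC} SRC=203.0.113.7 DST=192.168.1.10 LEN=404 TOS=0x00 PREC=0x00 TTL=112 ID=32774 PROTO=UDP SPT=1034 DPT=1434 LEN=384",
    # One SYN to each of six low ports from one source within a second: a scan.
    *[f"Dec 31 12:21:30 srv kernel: TCP_IN IN=eth0 OUT= {MAC} SRC=198.51.100.22 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=47 ID={40000 + i} PROTO=TCP SPT=55311 DPT={p} WINDOW=1024 RES=0x00 SYN URGP=0"
      for i, p in enumerate((1, 7, 9, 13, 19, 111))],
    # A bare ACK with no connection behind it: an ACK scan or a late packet.
    f"Dec 31 12:21:41 srv kernel: TCP_IN IN=eth0 OUT= {MAC} SRC=192.0.2.9 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=9 DF PROTO=TCP SPT=80 DPT=8080 WINDOW=65535 RES=0x00 ACK URGP=0",
    # Someone on the LAN trying to use this box as a router (FORWARD chain).
    f"Dec 31 12:22:02 srv kernel: FWD_DETECTED IN=eth0 OUT=eth0 {MAC} SRC=192.168.1.33 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2201 DF PROTO=TCP SPT=1025 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    # Unrelated syslog traffic the parser must skip.
    "Dec 31 12:22:10 srv sshd[1234]: Accepted publickey for jondz from 192.168.1.5 port 51022 ssh2",
]


def main():
    hits, scanners, non_syn = summarize(SAMPLE_LOG)
    for (prefix, proto, dpt), n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{prefix:13s} {proto:4s} dport={dpt!s:6s} drops={n}")
    print("suspected scanners:", scanners or "none")
    print("TCP drops without SYN:", non_syn)


if __name__ == "__main__":
    main()
```

Run it as-is to see the summary for the constructed sample, or feed it the lines from wherever your syslog writes kernel messages. Two caveats when reading the numbers: every LOG rule in the script sits behind "-m limit --limit 3/s", so the counts are lower bounds (a fast scan produces far more dropped packets than log lines), and a TCP drop without SYN to an open port is exactly the packet the script's "-m state --state NEW" rule would otherwise treat as a new connection.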