[PLUG] iptables

Jeff Abrahamson on 17 Jan 2005 20:43:13 -0000

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] iptables

From: Jeff Abrahamson <jeff@purple.com>

To: PLUG <plug@lists.phillylinux.org>

Subject: [PLUG] iptables

Date: Mon, 17 Jan 2005 15:42:51 -0500

Mail-followup-to: PLUG <plug@lists.phillylinux.org>

Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>

Sender: plug-bounces@lists.phillylinux.org

User-agent: Mutt/1.5.6+20040722i

I'm setting up IP tables on my lab's machines at work. (Something exists, but we don't like what's there by default.) I'm curious what others think of this script (attached). Do you believe the comments and the code make the same statements? I want to say for one machine that outgoing packets are allowed only if they are part of an ssh or http connection that an external party is trying to establish or has established. But I don't see how this is done. I'm also rather unclear on how to say, "Accept packets on connections that are already established or where we've begun a handshake, regardless of port." Anyone see any rules I ought to have that I don't? Thanks much for any help or suggestions. -- Jeff Jeff Abrahamson <http://www.purple.com/jeff/> +1 215/837-2287 GPG fingerprint: 1A1A BA95 D082 A558 A276 63C6 16BF 8C4C 0D1D AE4B
#!/bin/bash # This script was written by Jeff Abrahamson <jeffa@cs.drexel.edu in # Januar 2005. Some examples were inspired by a 2-April-2001 post the # PLUG list by Darxus@ChaosReigns.com. # This script is intended to permit ssh connections from the following # addresses only, all in cs.drexel.edu: # mst # ramsey # krypton # graph # # tux (many machines) # queen # # Jeff at home: puddle.purple.com # the subnets used by Fatih, Trip, and Ali to log in from home # (to do) # Note that we do not accept ssh connections *from* karma, as this # should not happen in normal usage. # If this machine is mst, it is an SFS server and should accept SFS # connections from krypton and from puddle.purple.com (Jeff's home # machine). this_host=`hostname | awk -F. '{print $1}'` # Lab workstations lab_ws="mst ramsey krypton graph" # Lab machines lab="$lab_ws karma" # The machines in the tux cluster. This list may be updated by running # ssh username@tux.cs.drexel.edu gnames tux`; echo $x; unset x # This can't be done by root, however. tuxes=ws38 ws43 ws44 ws45 ws46 ws47 ws48 ws49 ws50 ws51 ws55 ws56 ws57 ws64 \ ws65 ws69 ws70 ws71 ws75 ws76 ws77 ws78 ws79 ws80 ws81 ws82 \ tweedledum tweedledee trusted="$tux queen" # Home IP's (and IP ranges) of AAL folks homes=puddle.purple.com # If this machine is mst or karma, incoming http is accepted. iptables -F # flush rules iptables -Z # reset counters # Change policy to default to deny all incoming connections. # Don't forward anything. iptable -P INPUT DENY iptable -P FORWARD DENY if [ $host = karma ]; then iptable -P OUTPUT DENY # Except ssh and http connections that want to be established--how # do I do this? fi # Allow all connections to/from the loopback device. # This is much better than allowing everything from localhost, since # that would allow incoming connections from a spoofed IP of 127.0.0.1. iptable -i lo -A INPUT -j ACCEPT iptable -i lo -A OUTPUT -j ACCEPT # Deny connections from reserved subnets - anything from here can be # assumed to be spoofed.. The last 2 could eventually be assigned/valid. # # Reject connections to reserved networks: local users are allowed to # know their packets are being dropped. for source in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/16 169.254.0.0/16 192.0.2.0/24 240.0.0.0/8 0/8; #1.0.0.0/8 2.0.0.0/8 do iptable -l -A INPUT -p all -s $source -j DENY do iptable -l -A OUTPUT -p all -s $source -j REJECT done # Deny from some broadcast type stuff. # These would only be spoofed as well. for range in 127.0.0.0/8 0.0.0.0/32 255.255.255.255/32 255.255.255.0/32 ; do iptable -l -A INPUT -p all -d $range iptable -l -A INPUT -p all -s $range done # Allow incoming ssh from these hosts only: for host in $lab_ws $trusted; do iptable -A INPUT --source $host.cs.drexel.edu -p tcp --destination-port ssh -j ACCEPT done # Allow incoming http if this is mst or karma: case $host in mst) karma) iptable -A INPUT --source $host.cs.drexel.edu -p tcp --destination-port ssh -j ACCEPT; break; *) break; esac # Allow return connections. # - Allows incoming traffic from all outgoing connections. # # THESE ARE PROBABLY WRONG. I DON'T UNDERSTAND HOW TO DO THIS. iptable -A OUTPUT -p tcp ! -y -j ACCEPT iptable -A OUTPUT -p udp --destination-port 1024: -j ACCEPT # Allow NTP responses from NTP servers listed in /etc/ntp.conf. # "server" lines in /etc/ntpd.conf must be delimited with 1 space. #iptable -A eth0-in -p udp --destination-port 123 -j ACCEPT for source in `grep ^server /etc/ntp.conf | cut -d' ' -f2` do iptable -A INPUT -p udp --destination-port 123 -s $source -j ACCEPT done
Attachment: signature.asc
Description: Digital signature

___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:

Re: [PLUG] iptables
From: gyoza@comcast.net

Re: [PLUG] iptables
From: Stephen Gran <steve@lobefin.net>

Re: [PLUG] iptables
From: Tobias DiPasquale <toby@cbcg.net>

Prev by Date: [PLUG] encryption

Next by Date: Re: [PLUG] iptables

Previous by thread: [PLUG] encryption

Next by thread: Re: [PLUG] iptables

Index(es):

Date

Thread