Re: Iptables and Logins at boot-up

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



you don't want iptables turned off.
without it, you leave the risk that eventually, someone will "root" the box 
and then it will no longer be yours.

in most default installs these days, you shouldn't even be allowed to login as 
root (excessively dangerous!!!) and should only be allowed to login as user. 
something is up of you are getting the other way around....

I am not sure that is an iptables issues per se.

I do have a script. how there is a way to disable iptables on boot (the 
command is: chkconfig --level 2345 iptables off).

I would then edit the rc.local script in the /etc/rc.d directory and add the 
following lines (pointed to the following script)
************************
in rc.local add:

#firewall script
/etc/rc.d/firewall.tables

#end
************************

the lines above have to be at the very end of the file.

here is my firewall tables script that I use on a mandrake 10 installation (as 
a firewall):
******************************
#!/bin/sh
# ----------------------------------------------------------------------|
#             This is it...MonMotha's Firewall 2.3.1-pre2!              |
#
# Notes about configuration:                                            |
# Some things take more than one option; separate with spaces.          |
# You probably don't want all the ports I have under here open, portscan|
#       yourself to find what you want open.                            |
# For SSH you need port 22 in TCP_ALLOW, and set the appropriate SSH    |
#       system(s) to "TRUE".                                            |
# If you want to used host-based identd allowing, do NOT put 113 in     |
#       TCP_ALLOW and DO set ALLOW_TCP_HOSTWISE (using 113 as the port).|
#       Of course, you can also put 113 in TCP_ALLOW to allow anyone.   |
# The same applies to DNS (only use port 53 and UDP).                   |
# MAC_LAN is ONLY used to the purposes of masquerading and it will      |
#       override the INTERNAL_LAN setting for masquerading. However,    |
#       INTERNAL_LAN must still be properly defined for other things!   |

/sbin/modprobe ip_conntrack
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_TOS
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_MIRROR
/sbin/modprobe ipt_LOG
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
# set to your iptables location, must be set
IPTABLES="/sbin/iptables"
# TCP ports to ALLOW
TCP_ALLOW="22"  
TCP_ALLOW_LOG=""
NAPSTER_SERVER_PORTS=""
NAPSTER_PORTS=""
# TCP packets to quietly drop 
# (standard ports to prevent certain types of attacks).
TCP_DROP="0 1 7 135 136 137 138 143 500 700 777 1000 1111 4000 4464 \
4467 5555 6346 6969 9999 9340 10200 27374" 
#Drop Source Packets
TCP_SOURCE_DROP="119"
#allow in udp packets on specific ports
UDP_ALLOW=""             # UDP ports to ALLOW
UDP_ALLOW_LOG=""
# UDP packets to quietly drop
UDP_DROP="67 68 500 700"
#ICMP Packets to allow
ICMP_ALLOW=""
# the interface your internet's on (one only), must be set
INET_IFACE="eth0"  
# the interface(s) your LAN's on (currently used only as a sanity check)
LAN_IFACE=""   
# set to TRUE if you use "real" SSH1 (anything else is interpreted as FALSE)
USE_SSH1="TRUE" 
# set to TRUE if you use OpenSSH (anything else is interpreted as FALSE)
USE_OPENSSH="TRUE" 
# the internal network(s), must be set
INTERNAL_LAN="192.168.16.0/24"
# What to do with packets we don't want: DROP, REJECT, LDROP (log and drop), 
# or LREJECT (log and reject)
DROP="LDROP"
#Deny from these addresses without question!
#format: IP/mask
DENY_ALL=""
# Specific hosts to deny access to specific TCP ports; format is "IP:PORT"
DENY_HOSTWISE_TCP=""  
# Specific hosts to deny access to specific UDP ports; format is "IP:PORT"
DENY_HOSTWISE_UDP=""  
# Specific hosts to allow access to specific TCP ports; format is "IP:PORT"
ALLOW_HOSTWISE_TCP=""
ALLOW_HOSTWISE_SOURCE_TCP=""
# Specific hosts allowed access to specific UDP ports; format is "IP:PORT"
ALLOW_HOSTWISE_UDP="" 

# Below here is experimental
# MAC addresses permitted to use masquerading, leave blank to not use
MAC_LAN=""  
# Set to TRUE to use masquerading (anything else is interpreted as FALSE)
USE_MASQ="TRUE"  
# If you have a static internet IP, put it here and set "USE_MASQ" above 
# to FALSE
USE_SNAT="" 
# TCP ports to forward to internal hosts (format: SPORT:DPORT>IP)
TCP_FW=""

# UDP port forwards (will pick reverse masquerading if you use 
# masquerading or snat), form is "SPORT:DPORT>IP"
UDP_FW=""

#Declaration of system variables
IPT=${IPTABLES}
IF=${INET_IFACE}
INIF=${LAN_IFACE}
IP=`/sbin/ifconfig $IF | grep inet | cut -d : -f 2 | cut -d \  -f 1`
MASK=`/sbin/ifconfig $IF | grep Mas | cut -d : -f 4`
NET=$IP/$MASK
STOP=${DROP}

# ----------------------------------------------------------------------|
# Do not modify configuration below here                                |
# ----------------------------------------------------------------------|
FILTER_CHAINS="INETIN INETOUT LDROP LREJECT TCPACCEPT UDPACCEPT LACCEPT"
# ----------------------------------------------------------------------|
# You shouldn't need to modify anything below here                      |
# ----------------------------------------------------------------------|

# Let's load it!
echo "Loading iptables firewall:"

# Configuration Sanity Checks
echo -n "Checking configuration..."
if [ "$USE_MASQ" = "TRUE" ] && ! [ "$USE_SNAT" = "" ] ; then
        echo
        echo "ERROR IN CONFIGURATION: Masquerading and Static NAT cannot both be used!"
        exit 1
fi
if  [ "$INET_IFACE" = "$LAN_IFACE" ] ; then
        if  [  "$USE_MASQ" = "TRUE" ] || [ "$USE_SNAT" != "" ] ; then
                # This can't happen because the whole point of my masquerading code is that we don't need to know the IP.
                # While we know the IP with SNAT, I'm too lazy to change my code other than to use SNAT :)
                echo
                echo "ERROR IN CONFIGURATION: INET interface and LAN interface cannot be the same when using masquerading or SNAT!"
                exit 1
        fi
fi
if ! [ -x $IPTABLES ] ; then
        echo
        echo "ERROR IN CONFIGURATION: IPTABLES doesn't exist or isn't executable!"
        exit 1
fi
echo "passed"

# Turn on IP forwarding (your kernel still needs it)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "IP Forwarding enabled..."

# Enable TCP Syncookies (always a 'good thing') (thanks steff)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "IP SynCookies enabled..."

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 32768 > /proc/sys/net/ipv4/ip_conntrack_max
echo 1800 >/proc/sys/net/ipv4/tcp_keepalive_time 
echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1 > /proc/sys/net/ipv4/tcp_syn_retries
echo 1 > /proc/sys/net/ipv4/tcp_synack_retries

echo 0 >/proc/sys/net/ipv4/tcp_window_scaling 
echo 0 >/proc/sys/net/ipv4/tcp_sack 
echo 0 >/proc/sys/net/ipv4/tcp_timestamps

# Flush everything
# If you need compatability, you can comment some or all of these out,
# but remember, if you re-run it, it'll just add the new rules in, it
# won't remove the old ones for you then, this is how it removes them.
echo -n "Flush all rules.."
#${IPTABLES} -t filter -FZ
${IPTABLES} -F
${IPTABLES} -X
#${IPTABLES} -L -n
echo -n "and delete all chains.."
${IPTABLES} -t filter -X
${IPTABLES} -t filter -F INPUT
#echo -n "INPUT "
${IPTABLES} -t filter -F OUTPUT
#echo -n "OUTPUT1 "
${IPTABLES} -t filter -F FORWARD
#echo -n "FORWARD "
${IPTABLES} -t nat -F PREROUTING
#echo -n "PREROUTING1 "
${IPTABLES} -t nat -F OUTPUT
#echo -n "OUTPUT2 "
${IPTABLES} -t nat -F POSTROUTING
#echo -n "POSTROUTING "
${IPTABLES} -t mangle -F PREROUTING
#echo -n "PREROUTING2 "
${IPTABLES} -t mangle -F OUTPUT
#echo -n "OUTPUT3"
echo

# Create new chains
# Output to /dev/null in case they don't exist from a previous invocation
echo -n "Creating chains: "
for chain in ${FILTER_CHAINS} ; do
        ${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1
        ${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1
        ${IPTABLES} -t filter -N ${chain}
        echo -n "${chain} "
done
echo

# Default Policies
# INPUT is still ACCEPT, the INETIN chain (defined above and jumped to later)
# is given a policy of DROP at the end
# Policy can't be reject becuase of kernel limitations
echo -n "Default Policies: "
${IPTABLES} -t filter -P INPUT ACCEPT
echo -n "INPUT:ACCEPT "
${IPTABLES} -t filter -P OUTPUT ACCEPT
echo -n "OUTPUT:ACCEPT "
${IPTABLES} -t filter -P FORWARD DROP
echo -n "FORWARD:DROP "
#${IPTABLES}-A OUTPUT -m state -p icmp --state INVALID -j DROP
#echo -n "Security Patch (bugtraq issued on may 9,2002)"
echo

# Local traffic to internet or crossing subnets 
# This should cover what we need if we don't use masquerading
# Unfortunately, MAC address matching isn't bidirectional (for
#   obvious reasons), so IP based matching is done here
echo -n "Local Traffic Rules: "
for subnet in ${INTERNAL_LAN} ; do
        ${IPTABLES} -t filter -A FORWARD -s ${subnet} -j ACCEPT
        ${IPTABLES} -t filter -A FORWARD -d ${subnet} -j ACCEPT
        echo -n "${subnet}:ACCEPT "
done
echo

# Hopefully this just blocks out private address from the external device.
echo -n "Blocking private addresses: "
#${IPTABLES} -t filter -A INPUT -i $INET_IFACE -s 192.168.16.0/16 -j DROP
${IPTABLES} -t filter -A INPUT -i $INET_IFACE -d 255.255.255.255 -j DROP
${IPTABLES} -t filter -A INPUT -i $INET_IFACE -s 10.0.0.0/8     -j DROP
${IPTABLES} -t filter -A INPUT -i $INET_IFACE -s 127.0.0.1     -j LDROP
echo -n "Done"
echo ""

# Set up basic NAT if the user wants it
if [ $USE_MASQ = TRUE ] ; then
        echo -n "Setting up NAT: "
        if [ "$MAC_LAN" = "" ] ; then
                for subnet in ${INTERNAL_LAN} ; do
                        ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE
                        echo -n "${subnet}:MASQUERADE "
                done
        else    
                for address in ${MAC_LAN} ; do
                        ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j MASQUERADE
                        echo -n "${address}:MASQUERADE "
                done
        fi
        echo
elif [ "$USE_SNAT" != "" ] ; then #Static IP Defined 
        #(I've heard this loop doesn't work, someone look at it since I can't test it on my dialup)
        echo -n "Setting up NAT: "
        if [ "$MAC_LAN" = "" ] ; then
                for subnet in ${INTERNAL_LAN} ; do
                        ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j SNAT --to-source ${USE_SNAT}
                        echo -n "${subnet}:SNAT "
                done
        else
                for address in ${MAC_LAN} ; do
                        ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j SNAT --to-source ${USE_SNAT}
                        echo -n "${address}:SNAT "
                done
        fi  
        echo
fi

#TCP Port-Forwards
if [ "$TCP_FW" != "" ] ; then
#       echo -n "TCP Port Forwards: "
        if [ "$USE_SNAT" != "" ] || [ $USE_MASQ = TRUE ] ; then
                for rule in ${TCP_FW} ; do
                        ports=`echo $rule | sed 's/>.*//g'`
                        srcport=`echo $ports | sed 's/:.*//g'`
                        destport=`echo $ports | sed 's/.*://g'`
                        host=`echo $rule | sed 's/.*>//g'`
                        ${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to ${host}:${destport}
#                       echo -n "${rule} "
                done
        else
                for rule in ${TCP_FW} ; do
                        ports=`echo $rule | sed 's/>.*//g'`
                        srcport=`echo $ports | sed 's/:.*//g'`
                        destport=`echo $ports | sed 's/.*://g'`
                        host=`echo $rule | sed 's/.*>//g'`
                        ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p tcp --dport ${srcport} -j REDIRECT --to ${host}:${destport}
#                       echo -n "${rule} "
                done
        fi
#       echo
fi

#UDP Port Forwards
if [ "$UDP_FW" != "" ] ; then
        echo -n "UDP Port Forwards: "
        if [ "$USE_SNAT" != "" ] || [ $USE_MASQ = TRUE ] ; then
                for rule in ${UDP_FW} ; do
                        ports=`echo $rule | sed 's/>.*//g'`
                        srcport=`echo $ports | sed 's/:.*//g'`
                        destport=`echo $ports | sed 's/.*://g'`
                        host=`echo $rule | sed 's/.*>//g'`
                        ${IPTABLES} -t nat -A PREROUTING -p udp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to ${host}:${destport}
                        echo -n "${rule} "
                done
        else
                for rule in ${UDP_FW} ; do
                        ports=`echo $rule | sed 's/>.*//g'`
                        srcport=`echo $ports | sed 's/:.*//g'`
                        destport=`echo $ports | sed 's/.*://g'`
                        host=`echo $rule | sed 's/.*>//g'`
                        ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p udp --dport ${srcport} -j REDIRECT --to ${host}:${destport}
                        echo -n "${rule} "
                done
        fi
        echo
fi

# ===============================================
# -------Chain setup before jumping to them------
# ===============================================

#Deny all traffic from these machines
# insert a file here

# Set up INET chains
echo -n "Setting up INET chains: "
${IPTABLES} -t filter -A INPUT -i ${INET_IFACE} -j INETIN
echo -n "INETIN "
${IPTABLES} -t filter -A OUTPUT -o ${INET_IFACE} -j INETOUT
echo -n "INETOUT "
echo

#These logging chains are valid to specify in DROP= above
#Set up LDROP
echo -n "Setting up logging chains: "
${IPTABLES} -t filter -A LDROP -p tcp -m limit --limit 2/s -j LOG --log-level 6 --log-prefix "Firewall TCP Dropped "
${IPTABLES} -t filter -A LDROP -p udp -m limit --limit 2/s -j LOG --log-level 6 --log-prefix "Firewall UDP Dropped "
${IPTABLES} -t filter -A LDROP -p icmp -m limit --limit 2/s -j DROP #LOG --log-level 6 --log-prefix "Firewall ICMP Dropped " 
${IPTABLES} -t filter -A LDROP -f -m limit --limit 2/s -j LOG --log-level 4 --log-prefix "Firewall FRAGMENT Dropped "
${IPTABLES} -t filter -A LDROP -j DROP
echo -n "LDROP "
        
#And LREJECT too
${IPTABLES} -t filter -A LREJECT -p tcp -m limit --limit 2/s -j LOG --log-level 6 --log-prefix "Firewall TCP Rejected "
${IPTABLES} -t filter -A LREJECT -p udp -m limit --limit 2/s -j LOG --log-level 6 --log-prefix "Firewall UDP Rejected "
${IPTABLES} -t filter -A LREJECT -p icmp -m limit --limit 2/s -j DROP #LOG --log-level 6 --log-prefix "Firewall ICMP Dropped "
${IPTABLES} -t filter -A LREJECT -f -m limit --limit 2/s -j LOG --log-level 4 --log-prefix "Firewall FRAGMENT Rejected "
${IPTABLES} -t filter -A LREJECT -j REJECT
echo -n "LREJECT "

# And LACCEPT
${IPTABLES} -t filter -A LACCEPT -p tcp -j LOG --log-level 6 --log-prefix "Firewall TCP Accepted "
${IPTABLES} -t filter -A LACCEPT -p udp -j LOG --log-level 6 --log-prefix "Firewall UDP Accepted "
${IPTABLES} -t filter -A LACCEPT -p icmp -j LOG --log-level 6 --log-prefix "Firewall ICMP Accepted " 
${IPTABLES} -t filter -A LACCEPT -f -j LOG --log-level 4 --log-prefix "Firewall FRAGMENT Accepted "
${IPTABLES} -t filter -A LACCEPT -j ACCEPT
echo -n "LACCEPT "

#newline
echo


# Set up the per-proto ACCEPT chains
echo -n "Setting up per-proto ACCEPT: "

# TCPACCEPT
# SYN Flood Protection
${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 30/s -j ACCEPT
${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 2/s -j ACCEPT
${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -j ACCEPT
${IPTABLES} -t filter -A TCPACCEPT -p tcp ! --syn -j ACCEPT
# Log anything that hasn't matched yet and ${DROP} it since we don't know what it is
${IPTABLES} -t filter -A TCPACCEPT -m limit --limit 2/s -j LOG --log-prefix "Mismatch in TCPACCEPT "
${IPTABLES} -t filter -A TCPACCEPT -j ${DROP}
echo -n "TCPACCEPT "

#UDPACCEPT
${IPTABLES} -t filter -A UDPACCEPT -p udp -j ACCEPT
# Log anything not on UDP (it shouldn't be here), and ${DROP} it since it's not supposed to be here
${IPTABLES} -t filter -A UDPACCEPT -m limit --limit 2/s -j LOG --log-prefix "Mismatch on UDPACCEPT "
${IPTABLES} -t filter -A UDPACCEPT -j ${DROP}
echo -n "UDPACCEPT "

#Done
echo

## Special Chain MANGLE_OUTPUT
## Mangle values of packets created locally.  Only TOS values are mangled right
## now.

   ## TOS stuff: (type: iptables -m tos -h)
   ## Minimize-Delay 16 (0x10)
   ## Maximize-Throughput 8 (0x08)
   ## Maximize-Reliability 4 (0x04)
   ## Minimize-Cost 2 (0x02)
   ## Normal-Service 0 (0x00)

#        $IPTABLES -t mangle -N MANGLE_OUTPUT
#        $IPTABLES -t mangle -F MANGLE_OUTPUT
#        $IPTABLES -t mangle -N MANGLE_PREROUTING
#        $IPTABLES -t mangle -F MANGLE_PREROUTING


##------------------------------------------------------------------------------##
##   - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
##   - To view mangle table, type: iptables -L -t mangle

#        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Minimize-Cost
#        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
#        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
#        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
#        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
#        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 53 -j TOS --set-tos Minimize-Cost
#        $IPTABLES -t mangle -A OUTPUT -p udp --dport 53 -j TOS --set-tos Minimize-Cost
#        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
##------------------------------------------------------------------------------##

##-------------------------------------------------------------------------------##
##   - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
##   - To view mangle table, type: iptables -L -t mangle

#        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 20 -j TOS --set-tos Minimize-Cost
#        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
#        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
#        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
#        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
#        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 53 -j TOS --set-tos Minimize-Cost
#        $IPTABLES -t mangle -A PREROUTING -p udp --dport 53 -j TOS --set-tos Minimize-Cost
#        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
##-------------------------------------------------------------------------------##

# -------------------------------------------------
# =================================================
# -------------------------------------------------


#Explicit denies
if [ "$DENY_ALL" != "" ] ; then
        echo -n "Denying hosts: "
        for host in ${DENY_ALL} ; do
                ${IPTABLES} -t filter -A INETIN -s ${host} -j DROP #${DROP}
                echo -n "${host} " #:${DROP}"
        done
        echo
fi

if [ "$DENY_HOSTWISE_TCP" != "" ] ; then
        echo -n "Hostwise TCP Denies: "
        for rule in ${DENY_HOSTWISE_TCP} ; do
                host=`echo $rule | sed 's/:.*//g'`
                port=`echo $rule | sed 's/.*://g'`
                ${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport ${port} -j ${DROP}
                echo -n "${rule} "
        done
        echo
fi

if [ "$DENY_HOSTWISE_UDP" != "" ] ; then
        echo -n "Hostwise UDP Denies: "
        for rule in ${DENY_HOSTWISE_UDP} ; do
                host=`echo $rule | sed 's/:.*//g'`
                port=`echo $rule | sed 's/.*://g'`
                ${IPTABLES} -t filter -A INETIN -p udp -s ${host} --dport ${port} -j ${DROP}
                echo -n "${rule} "
        done
        echo
fi

#Invalid packets are always annoying
echo -n "${DROP}ing invalid packets..."
${IPTABLES} -t filter -A INETIN -m state --state INVALID -j ${DROP}
echo "done"

# ================================================================
# ------------Allow stuff we have chosen to allow in--------------
# ================================================================

#Start allowing stuff

# Flood "security"
# You'll still respond to these if they comply with the limits
# Default limits are 1/sec for ICMP pings
# SYN Flood is on a per-port basis because it's a security hole to put it here!
# This is just a packet limit, you still get the packets on the interface and 
# still may experience lag if the flood is heavy enough

if [ "$ICMP_ALLOW" != "" ] ; then
        echo -n "ICMP Input Allow: "
        for port in ${ICMP_ALLOW} ; do
                ${IPTABLES} -t filter -A INETIN -p icmp -s ${port} --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
                echo -n "${port} "
        done
        echo
fi

echo -n "Flood limiting: "
# Ping Floods (ICMP echo-request)
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit 1/s -j DROP #ACCEPT
echo -n "ICMP-PING "
echo

echo -n "Blocking timestamp requests: "
# Ping Floods (ICMP echo-request)
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type timestamp-request -m limit --limit 1/s -j DROP
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type timestamp-reply -m limit --limit 1/s -j DROP
echo -n "ICMP-Timestamp "
echo



echo -n "Allowing the rest of the ICMP messages in..."
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type ! echo-request -j ACCEPT #DROP # DROP here blocks return pings, blah!  Fix this.
echo "done"

if [ "$TCP_ALLOW" != "" ] ; then
        echo -n "TCP Input Allow: "
        for port in ${TCP_ALLOW} ; do
                if [ "0$port" = "021" ]; then
                   ${IPTABLES} -t filter -A INETIN -p tcp --sport 20 --dport 1024:65535 ! --syn -j TCPACCEPT
                fi
                ${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j TCPACCEPT
                echo -n "${port} "
        done
        echo
fi

if [ "$TCP_ALLOW_LOG" != "" ] ; then
        echo -n "TCP Input Allow (Logged): "
        for port in ${TCP_ALLOW_LOG} ; do
                ${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j LACCEPT
                echo -n "${port} "
        done
        echo
fi

if [ "$NAPSTER_PORTS" != "" ] ; then
        echo -n "Allowed Napster Ports: "
        for port in ${NAPSTER_PORTS} ; do
                ${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j TCPACCEPT
                echo -n "${port} "
        done
        echo
fi

if [ "$NAPSTER_SERVER_PORTS" != "" ] ; then
        echo -n "Allowed Napster Server Ports: "
        for port in ${NAPSTER_SERVER_PORTS} ; do
                ${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j TCPACCEPT
                echo -n "${port} "
        done
        echo
fi

#SSH Rulesets
if [ $USE_SSH1 = TRUE ] || [ $USE_OPENSSH = TRUE ]; then
         echo -n "Accounting for SSH..."
        if [ $USE_SSH1 = TRUE ]; then #SSH1
                ${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 513:1023 ! --syn -j ACCEPT #TCPACCEPT
                echo -n "SSH1 "
        fi
        if [ $USE_OPENSSH = TRUE ] ; then #OpenSSH
                ${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 1024:65535 ! --syn -j ACCEPT #TCPACCEPT
                echo -n "OpenSSH "
        fi
        echo
fi

#Hostwise allows
if [ "$ALLOW_HOSTWISE_TCP" != "" ] ; then
        echo -n "Hostwise TCP Allows: "
        for rule in ${ALLOW_HOSTWISE_TCP} ; do
                host=`echo $rule | sed 's/:.*//g'`
                port=`echo $rule | sed 's/.*://g'`
                ${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport ${port} -j ACCEPT
                echo -n "${rule} "
        done
        echo
fi

#Hostwise source allows
if [ "$ALLOW_HOSTWISE_SOURCE_TCP" != "" ] ; then
        echo -n "Hostwise TCP Source Allows: "
        for rule in ${ALLOW_HOSTWISE_SOURCE_TCP} ; do
                host=`echo $rule | sed 's/:.*//g'`
                port=`echo $rule | sed 's/.*://g'`
                ${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --sport ${port} -j ACCEPT
                echo -n "${rule} "
        done
        echo
fi

if [ "$TCP_DROP" != "" ] ; then
        echo -n "TCP Input Silent Drops: "
        for port in ${TCP_DROP} ; do
                ${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j DROP
                echo -n "${port} "
        done
        echo
fi

if [ "$TCP_SOURCE_DROP" != "" ] ; then
        echo -n "TCP Source Port Silent Drops: "
        for port in ${TCP_SOURCE_DROP} ; do
                ${IPTABLES} -t filter -A INETIN -p tcp --sport ${port} -j DROP
                echo -n "${port} "
        done
        echo
fi

if [ "$UDP_ALLOW" != "" ] ; then
        echo -n "UDP Input Allow: "
        for port in ${UDP_ALLOW} ; do
#               if [ "0$port" = "053" ]; then
#                  ${IPTABLES} -t filter -A INETIN -p udp --sport 53 --dport 1024:65535 -j LACCEPT
#               fi
                ${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j ACCEPT #UDPACCEPT
                echo -n "${port} "
        done
        echo
fi

if [ "$UDP_ALLOW_LOG" != "" ] ; then
        echo -n "UDP Input Allow (Logged): "
        for port in ${UDP_ALLOW_LOG} ; do
#               if [ "0$port" = "053" ]; then
#                  ${IPTABLES} -t filter -A INETIN -p udp --sport 53 --dport 1024:65535 -j LACCEPT
#               fi
                ${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j LACCEPT
                echo -n "${port} "
        done
        echo
fi

if [ "$ALLOW_HOSTWISE_UDP" != "" ] ; then
        echo -n "Hostwise UDP Allows: "
        for rule in ${ALLOW_HOSTWISE_UDP} ; do
                host=`echo $rule | sed 's/:.*//g'`
                port=`echo $rule | sed 's/.*://g'`
                ${IPTABLES} -t filter -A INETIN -p udp -s ${host} --dport ${port} -j ACCEPT
                echo -n "${rule} "
        done
        echo
fi

${IPTABLES} -t filter -A INETIN -p udp -s 208.235.88.101 -d 0/0 -j ACCEPT
${IPTABLES} -t filter -A INETIN -p udp -s 208.235.88.10 -d 0/0 -j ACCEPT

if [ "$UDP_DROP" != "" ] ; then
        echo -n "UDP Input Silent Drops: "
        for port in ${UDP_DROP} ; do
                ${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j DROP
                echo -n "${port} "
        done
        echo
fi

#Allow port 8889 back into high ports, for nestats
 ${IPTABLES} -t filter -A INETIN -p tcp --sport 8889 --dport 30000:60000 -j TCPACCEPT

echo -n "Allowing established outbound connections back in..."
${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "done"

#What to do on those INET chains when we hit the end
echo -n "Setting up INET policies: "
#Drop if we cant find a valid inbound rule.
${IPTABLES} -t filter -A INETIN -j ${DROP}
echo -n "INETIN:${DROP} "
#We can send what we want to the internet
${IPTABLES} -t filter -A INETOUT -j ACCEPT
echo -n "INETOUT:ACCEPT "
echo

#All done!
echo "Done loading the firewall!"

#fwlogwatch -BRXa 15 -l 2d

******************************************



On Saturday 09 October 2004 09:49 am, John J. Boyer wrote:
> Thanks to all who helped with the ssh problem. There were two gotchas.
> Iptables was blocking all connections, and password authentication was
> turned off. Now I want to use the target machine to receive mail and for
> backup. When I boot the target machine, iptables is on and I have to log
> in as root to turn it off. How can I set iptables to be off at boot time?
> Or, better, to accept ssh and scp only from the source machine?
>
> Two user accounts receive mail continuously. I would like to have them
> automatically logged on at boot time. Is this possible? How?
>
> Thanks,
> John

_______________________________________________

Blinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/blinux-list

[Index of Archives]     [Linux Speakup]     [Fedora]     [Linux Kernel]     [Yosemite News]     [Big List of Linux Books]