Any holes in this firewall script?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I have a pretty standard setup.  A linux gateway connects to Internet 
through cable modem and a subnet behind it.  I run web server, sendmail 
and sshd on the gateway machine.

So far I have been using ipchains and it seems to be OK so far.
I now want to move to redhat 9 and I probably have to use iptables. 
After looking around the net, I come up with the following firewall 
rules.  See the attachment.

I wonder if some security experts here can take a look, just to make sure 
there are no obvious mistakes or holes? 

Thanks in advanced.

Cheers.

Jun
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#

# JSUN :
# 	I like all allowed ports to be grouped together, easier to modify
#	later
#

###########################################################################
#
# 1. Configuration options.
#

# debugs
set -x
DEBUG_LEVEL=INFO
# $DEBUG_LEVEL_LEVEL=DEBUG

# interfaces
EXTIF="eth0"
EXTIP=`ifconfig $EXTIF | awk '/inet addr/ { gsub(".*:", "", $2) ; print $2 }'`
EXTBROAD=`ifconfig $EXTIF | awk '/inet addr/ { gsub(".*:", "", $3) ; print $3
}'`
EXTGW=`/sbin/route -n | grep -A 4 UG | awk '{ print $2}'`

echo External IP: $EXTIP
echo External broadcast: $EXTBROAD
echo Default GW: $EXTGW
echo " --- "

INTIP="192.168.0.2"
INTLAN="192.168.0.0/16"
#INTIF="eth1"
INTIF="wlan0"

echo Internal Interface: $INTIF
echo Internal IP: $INTIP
echo Internal LAN: $INTLAN
echo " --- "

LOIF="lo"
LOIP="127.0.0.1"

BROADCAST="255.255.255.255"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/sbin/iptables"


# JSUN: are these necessary?

# /sbin/depmod -a

# /sbin/modprobe ip_tables
# /sbin/modprobe ip_conntrack
# /sbin/modprobe iptable_filter
# /sbin/modprobe iptable_mangle
# /sbin/modprobe iptable_nat
# /sbin/modprobe ipt_LOG
# /sbin/modprobe ipt_limit
# /sbin/modprobe ipt_state

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

#
# Cleanup and set initial policies
#

# Set policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -P FORWARD DROP

$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT

# flush old chains
$IPTABLES -t filter -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# delete user defined chains
$IPTABLES -t filter -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X


#
# 4.1.4 INPUT chain
#

# $IPTABLES -A INPUT -p tcp -j bad_tcp_packets

# we trust INTIF and LOIF, to a large degree
$IPTABLES -A INPUT -p ALL -i $INTIF -s $INTLAN -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LOIF -s $LOIP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LOIF -s $INTIP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LOIF -s $EXTIP -j ACCEPT

# we take broadcast packages from INTIF
$IPTABLES -A INPUT -p ALL -i $INTIF -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT

# JSUN: can we just use a simplified version?
#$IPTABLES -A INPUT -p ALL -i $INTIF -j ACCEPT
#$IPTABLES -A INPUT -p ALL -i $LOIF -j ACCEPT


# established connections can go through
$IPTABLES -A INPUT -p ALL -d $EXTIP -m state --state ESTABLISHED,RELATED \
	-j ACCEPT

# initiation packets are allowed on selected TCP ports
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport ssh -j ACCEPT
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport smtp -j ACCEPT
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport http -j ACCEPT
#$IPTABLES -A INPUT -p TCP --sync -s 0/0 --dport https -j allowed

# JSUN: do we need to worry about ntp port?  We will see

# only take echo-request(8), echo-reply(0) and time-exceeded(11) for icmp
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type time-exceeded -j ACCEPT

#
# If you have a Microsoft Network on the outside of your firewall, you may 
# also get flooded by Multicasts. We drop them so we do not get flooded by 
# logs
#
#$IPTABLES -A INPUT -i $EXTIF -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

# exclude some annoying packets from logging
$IPTABLES -A INPUT -d $EXTBROAD -j DROP 
$IPTABLES -A INPUT -d $BROADCAST -j DROP 

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
	--log-level $DEBUG_LEVEL --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

# Accept the packets we actually want to forward
$IPTABLES -A FORWARD -i $INTIF -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
	--log-level $DEBUG_LEVEL --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

# Special OUTPUT rules to decide which IP's to allow.
$IPTABLES -A OUTPUT -p ALL -s $LOIP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INTIP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $EXTIP -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
	--log-level $DEBUG_LEVEL --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source $EXTIP

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux