I just don't see any firewalling (blocking) in the script. You are simply allowing everything. Define clear rules, like block all and allow only the wanted ports.
Regards
Dharmu
On Wed, 2003-06-04 at 06:38, Jun Sun wrote:
Hi,

I have a pretty standard setup. A Linux gateway connects to the Internet through a cable modem, with a subnet behind it. I run a web server, sendmail and sshd on the gateway machine. So far I have been using ipchains and it seems to be OK. I now want to move to Red Hat 9 and I probably have to use iptables.

After looking around the net, I came up with the following firewall rules. See the attachment. I wonder if some security experts here can take a look, just to make sure there are no obvious mistakes or holes?

Thanks in advance.

Cheers.
Jun
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# JSUN :
# I like all allowed ports to be grouped together, easier to modify
# later
#
###########################################################################
#
# 1. Configuration options.
#

# debugs
set -x
DEBUG_LEVEL=INFO
# DEBUG_LEVEL=DEBUG

# interfaces
EXTIF="eth0"
EXTIP=`ifconfig $EXTIF | awk '/inet addr/ { gsub(".*:", "", $2) ; print $2 }'`
EXTBROAD=`ifconfig $EXTIF | awk '/inet addr/ { gsub(".*:", "", $3) ; print $3 }'`
# only the line carrying the UG (up, gateway) flags holds the default gateway
EXTGW=`/sbin/route -n | grep UG | awk '{ print $2 }'`
echo External IP: $EXTIP
echo External broadcast: $EXTBROAD
echo Default GW: $EXTGW
echo " --- "

INTIP="192.168.0.2"
INTLAN="192.168.0.0/16"
#INTIF="eth1"
INTIF="wlan0"
echo Internal Interface: $INTIF
echo Internal IP: $INTIP
echo Internal LAN: $INTLAN
echo " --- "

LOIF="lo"
LOIP="127.0.0.1"
BROADCAST="255.255.255.255"

#
# 1.5 IPTables Configuration.
#
IPTABLES="/sbin/iptables"

# JSUN: are these necessary?
# /sbin/depmod -a
# /sbin/modprobe ip_tables
# /sbin/modprobe ip_conntrack
# /sbin/modprobe iptable_filter
# /sbin/modprobe iptable_mangle
# /sbin/modprobe iptable_nat
# /sbin/modprobe ipt_LOG
# /sbin/modprobe ipt_limit
# /sbin/modprobe ipt_state
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#
echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

#
# Cleanup and set initial policies
#

# Set policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT

# flush old chains
$IPTABLES -t filter -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# delete user defined chains
$IPTABLES -t filter -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

#
# 4.1.4 INPUT chain
#

# $IPTABLES -A INPUT -p tcp -j bad_tcp_packets

# we trust INTIF and LOIF, to a large degree
$IPTABLES -A INPUT -p ALL -i $INTIF -s $INTLAN -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LOIF -s $LOIP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LOIF -s $INTIP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LOIF -s $EXTIP -j ACCEPT

# we take broadcast packages from INTIF
$IPTABLES -A INPUT -p ALL -i $INTIF -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT

# JSUN: can we just use a simplified version?
#$IPTABLES -A INPUT -p ALL -i $INTIF -j ACCEPT
#$IPTABLES -A INPUT -p ALL -i $LOIF -j ACCEPT

# established connections can go through
$IPTABLES -A INPUT -p ALL -d $EXTIP -m state --state ESTABLISHED,RELATED \
        -j ACCEPT

# initiation packets are allowed on selected TCP ports
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport ssh -j ACCEPT
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport smtp -j ACCEPT
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport http -j ACCEPT
#$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport https -j ACCEPT
# JSUN: do we need to worry about ntp port? We will see

# only take echo-request(8), echo-reply(0) and time-exceeded(11) for icmp
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type time-exceeded -j ACCEPT

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
#$IPTABLES -A INPUT -i $EXTIF -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

# exclude some annoying packets from logging
$IPTABLES -A INPUT -d $EXTBROAD -j DROP
$IPTABLES -A INPUT -d $BROADCAST -j DROP

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level $DEBUG_LEVEL --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

# Accept the packets we actually want to forward
$IPTABLES -A FORWARD -i $INTIF -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level $DEBUG_LEVEL --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

# Special OUTPUT rules to decide which IP's to allow.
$IPTABLES -A OUTPUT -p ALL -s $LOIP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INTIP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $EXTIP -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level $DEBUG_LEVEL --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source $EXTIP
-- 
Regards
Dharmendra.T

This message is intended for the addressee only. It may contain privileged or confidential information. If you have received this message in error, please notify the sender and destroy the message immediately. Unauthorised use or reproduction of this message is strictly prohibited.
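For readers following this thread: the "block all, allow only wanted ports" pattern Dharmu asks for, written as a small script that can be checked before it is ever applied. This is an added example, not Jun Sun's attachment and not Oskar Andreasson's rc.firewall. The interface names, the LAN prefix and the port list are assumptions; IPTABLES defaults to a dry-run function that prints each rule instead of running it, so the ruleset can be reviewed (and audited by the helper functions at the bottom) on any machine, and IPTABLES=/sbin/iptables applies it for real on the gateway.

```shell
#!/bin/sh
# Added example (not the rc.firewall posted in this thread): a default-deny
# ruleset for a single-homed gateway, plus a dry-run audit.
# Assumed values: eth0 outside, eth1 inside, 192.168.0.0/24 LAN, ports 22/25/80.

# dry_run prints the rule it was handed; this is what IPTABLES points at unless
# the caller sets IPTABLES=/sbin/iptables in the environment.
dry_run() { printf '%s\n' "$*"; }

IPTABLES="${IPTABLES:-dry_run}"
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
INTLAN="${INTLAN:-192.168.0.0/24}"
ALLOWED_TCP="${ALLOWED_TCP:-22 25 80}"   # sshd, sendmail, web server
LOG_LIMIT="3/minute"

# 1. Baseline: every filter chain drops unless an explicit rule accepts.
set_default_deny() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
}

# 2. Traffic the gateway itself needs: loopback, the LAN side (matched on
#    both the interface and the expected source prefix, so a packet with a
#    forged source arriving on the inside interface is not trusted), and
#    replies to connections the gateway or the LAN started.
allow_local_and_stateful() {
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i "$INTIF" -s "$INTLAN" -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    $IPTABLES -A OUTPUT -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -s "$INTLAN" -o "$EXTIF" -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# 3. The allow-list: only new TCP connections to the ports we serve are
#    accepted from the outside interface; anything else falls to the policy.
allow_tcp_ports() {
    for port in $ALLOWED_TCP; do
        $IPTABLES -A INPUT -i "$EXTIF" -p tcp --syn --dport "$port" -j ACCEPT
    done
    $IPTABLES -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -j ACCEPT
}

# 4. Rate-limited logging so a port scan cannot fill the disk, then drop.
log_and_drop() {
    $IPTABLES -A INPUT -m limit --limit "$LOG_LIMIT" --limit-burst 3 -j LOG --log-prefix "IPT INPUT dropped: "
    $IPTABLES -A INPUT -j DROP
}

build_firewall() {
    set_default_deny
    allow_local_and_stateful
    allow_tcp_ports
    log_and_drop
    # MASQUERADE reads the interface's current address at match time, so the
    # script need not be re-run when the cable modem hands out a new lease.
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Audit helpers: run the generator in dry-run mode and inspect the printed rules.
# exposed_ports lists the TCP ports accepted from the outside, one per line.
exposed_ports() {
    ( IPTABLES=dry_run; build_firewall ) | grep -- "-i $EXTIF -p tcp" \
        | sed 's/.*--dport \([0-9]*\).*/\1/'
}

# exposed_port_count: compare this number with the services you intend to run.
exposed_port_count() { exposed_ports | wc -l | tr -d ' '; }

# policy_is_deny CHAIN succeeds only if CHAIN's default policy is DROP.
policy_is_deny() {
    ( IPTABLES=dry_run; build_firewall ) | grep -q -- "-P $1 DROP"
}

if [ "$IPTABLES" = dry_run ]; then
    echo "# dry run: set IPTABLES=/sbin/iptables to apply these rules"
    build_firewall
    echo "# ports reachable from $EXTIF: $(exposed_ports | tr '\n' ' ')"
fi
```

Running it with no environment set prints the rules and the list of ports that would be reachable from the outside; that printout is the thing to hand around for review, since a rule that accepts more than you meant shows up as an extra port in the last line rather than as an open service discovered later.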