elleqq Just Arrived
Joined: 06 Nov 2004 Posts: 0
Posted: Sun Nov 07, 2004 2:46 pm Post subject: Iptables script
Hi there, am putting together a script for my Linux box for "learning"/interest - single computer behind a hardware modem/router on eth0 - it's very basic at the moment - can anyone see any errors or inconsistencies in it etc - am running no servers etc, just want a basic script which only allows incoming from established connections.
Code:
#!/bin/bash
# Flush all rules from the filter table
iptables --flush
# Default policies: drop anything inbound or forwarded, allow everything outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback traffic is always allowed
iptables -A INPUT -i lo -p all -j ACCEPT
# On eth0, only accept packets that belong to (or are related to) a connection this box initiated
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
(appreciate that the SPI firewall in the modem/router's doing much of the firewalling currently, however, would just like to learn something with the script, maybe eventually tailor the outbound area)
Thanks.

delete852 Just Arrived
Joined: 19 Nov 2002 Posts: 4 Location: Washington DC
Posted: Sun Nov 07, 2004 4:16 pm
Yeah, I saw a couple of problems with it. Right now, as is, it wouldn't work very well. First of all you need to allow UDP traffic through for DNS resolution. Do a
iptables -A FORWARD -p udp [other flags] -j ACCEPT
iptables -A INPUT -p udp [other flags] -j ACCEPT
Here is how my script is set up. I know it's not the most secure script in the world, but it does the job of defending my home network pretty well, considering I am not running very many services that are offered to the wild.
iptables -F
# Also flush the nat table, otherwise re-running the script appends duplicate MASQUERADE/DNAT rules
iptables -t nat -F
#IPTABLES IP MASQUERADE SCRIPT
# eth0 = Internet side, eth1 = LAN side; rewrite LAN source addresses to the eth0 address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#Allow everything from local area network
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
#iptables -A INPUT -i eth1 -p tcp --syn -j ACCEPT
# ICMP may pass through the router in both directions; ICMP addressed to the box itself is not accepted
iptables -A FORWARD -p icmp -j ACCEPT
#Allow related tcp traffic
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Same for UDP, so DNS replies to the router and to LAN hosts get back in
iptables -A FORWARD -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
#Only allow ports that are needed to the server (ssh and 7777 from anywhere, SMB only from the LAN)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 139 -j ACCEPT
#Bittorrent: forward incoming 6881 to the LAN host 192.168.0.2
iptables -t nat -A PREROUTING -p tcp --dport 6881 -j DNAT --to 192.168.0.2:6881
#iptables -A FORWARD -p tcp -i eth1 --dport 6881 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 6881 -j ACCEPT
#Block everything else (policies set last, once the accept rules are in place)
iptables -P INPUT DROP
iptables -P FORWARD DROP
It is generally not a good idea to allow all outbound traffic, and it is also not a very good idea to allow ICMP forward, but I am running NAT so I need not worry about that. BTW: since I didn't allow input ICMP, if you ping my machine now it shows as if it is down.
Hope it helps

elleqq Just Arrived
Joined: 06 Nov 2004 Posts: 0
Posted: Tue Nov 09, 2004 5:44 am
Thanks for that - I'll have a look through and post back if I have any questions - thanks again.

elleqq Just Arrived
Joined: 06 Nov 2004 Posts: 0
Posted: Tue Nov 09, 2004 9:51 pm
Thinking about the outbound direction - rather than having the default as "accept all outbound", presumably it could be changed to:
Code:
iptables -P OUTPUT DROP
so by default it blocks all outbound? Then presumably I would have to explicitly create outbound rules for each service to connect to (or use the multiport module)?
So - for basic web surfing, email (pop3) and FTP could I just add:
Code:
#Allow Outbound FTP, Web, POP3 Email
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dport 21,80,110,443 -j ACCEPT
and for outbound DNS queries just add:
Code:
#Allow Outbound DNS queries
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
So the full iptables script would then be:
Code:
#!/bin/bash
#Flush
iptables --flush
#Defaults
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#Loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#Allow Outbound FTP, Web, POP3 Email
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dport 21,80,110,443 -j ACCEPT
#Allow Outbound DNS queries
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
#Established
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Appreciate it if anyone could confirm whether the above would only allow Web, Email and FTP outbound, and drop all incoming except for established connections.
Thanks.

delete852 Just Arrived
Joined: 19 Nov 2002 Posts: 4 Location: Washington DC
Posted: Wed Nov 10, 2004 2:57 am
OK, first of all you are also going to need a FORWARD rule; right now you are blocking all packets that are going to be forwarded.
Also, those DNS queries will need to be answered and it doesn't seem like you are accepting them.
I am also not sure if your last ESTABLISHED entry will work because you don't specify a protocol; you are going to need a "-p tcp" in there.
Another tricky part is FTP: a lot of times in active FTP the server will establish a connection back to the client on a port negotiated during the session, and if your firewall blocks it, the request will not go through.
Also, for that established rule you are going to want to have the same rule in the forward chain. I think you might also want to open port 20 for FTP, maybe as the source port. I forgot how FTP traffic works.
Sorry about the order of this post, I was just writing stuff as it came to my head.

tutaepaki Trusted SF Member
Joined: 02 May 2002 Posts: 3 Location: New Zealand
Posted: Wed Nov 10, 2004 3:53 am
You don't need "FORWARD" rules unless your box is acting as a router, which it doesn't sound like in your case...
Delete's right about the FTP though. Because FTP opens a second data connection, you'll need an extra rule to allow those.
Code:
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Should cover it. (The RELATED parameter allows for connections related to another permitted connection)
If you're wanting to be sending email, you'll need to add port 25 to your multiport OUTPUT statement.
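As an added illustration that is not part of the thread, here is a small Python model of elleqq's draft ruleset and of the same ruleset with the OUTPUT ESTABLISHED,RELATED rule above, run over a constructed packet sequence. It is a simplified stand-in for ip_conntrack and its ftp helper (the RELATED match on the FTP data connection only works on a real box when that helper module is loaded); the addresses, ports and flow order are assumptions.

```python
from collections import namedtuple
# One packet as the filter table sees it: chain is "INPUT" (arriving on eth0) or "OUTPUT" (leaving via eth0).
Pkt = namedtuple("Pkt", "chain proto src sport dst dport")

class Conntrack:   # toy stand-in for ip_conntrack plus the ftp helper
    def __init__(self):
        self.flows = set()    # 5-tuples of accepted flows, original direction
        self.expect = set()   # (proto, src, dst, dport) the ftp helper expects
    def state(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            return "ESTABLISHED"
        return "RELATED" if (p.proto, p.src, p.dst, p.dport) in self.expect else "NEW"
    def track(self, p):
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        self.expect.discard((p.proto, p.src, p.dst, p.dport))

PORTS_OUT = {21, 80, 110, 443}   # elleqq's multiport list
def rules_v1(p, st):
    """Draft ruleset: OUTPUT matched by port only, INPUT by state only, policy DROP."""
    if p.chain == "OUTPUT" and p.proto == "tcp" and p.dport in PORTS_OUT: return "ACCEPT"
    if p.chain == "OUTPUT" and p.proto == "udp" and p.dport == 53: return "ACCEPT"
    if p.chain == "INPUT" and st in ("ESTABLISHED", "RELATED"): return "ACCEPT"
    return "DROP"
def rules_v2(p, st):
    """Final ruleset: tutaepaki's OUTPUT ESTABLISHED,RELATED rule on top of v1."""
    if p.chain == "OUTPUT" and st in ("ESTABLISHED", "RELATED"): return "ACCEPT"
    return rules_v1(p, st)
def run(rules, events):
    ct, verdicts = Conntrack(), []
    for ev in events:
        if ev[0] == "expect":          # ("expect", proto, src, dst, dport): a PORT command was seen
            ct.expect.add(ev[1:]); continue
        v = rules(ev, ct.state(ev))
        if v == "ACCEPT": ct.track(ev) # only accepted packets create conntrack entries
        verdicts.append(v)
    return verdicts

ME, SRV = "192.0.2.10", "198.51.100.5"   # constructed addresses
SCENARIO = [
    Pkt("OUTPUT", "udp", ME, 40000, SRV, 53),   # DNS query
    Pkt("INPUT", "udp", SRV, 53, ME, 40000),    # DNS reply: ESTABLISHED
    Pkt("INPUT", "tcp", SRV, 55555, ME, 22),    # unsolicited SYN to ssh: NEW
    Pkt("OUTPUT", "tcp", ME, 40001, SRV, 21),   # FTP control channel
    ("expect", "tcp", SRV, ME, 40002),          # we sent PORT; helper expects server -> 40002
    Pkt("INPUT", "tcp", SRV, 20, ME, 40002),    # active-mode data SYN: RELATED
    Pkt("OUTPUT", "tcp", ME, 40002, SRV, 20),   # our SYN-ACK on the data channel
    Pkt("OUTPUT", "tcp", ME, 40003, SRV, 25),   # SMTP is not in the port list
]
```

Running `run(rules_v1, SCENARIO)` drops our reply on the FTP data channel (port 20 is not in the multiport list), while `run(rules_v2, SCENARIO)` accepts it because the packet is ESTABLISHED; both versions still drop the unsolicited SYN and the outbound SMTP attempt.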

elleqq Just Arrived
Joined: 06 Nov 2004 Posts: 0
Posted: Wed Nov 10, 2004 7:47 pm
Thanks guys - I'll go with:
Code:
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
to add to the #Established section.
Thanks again.