Security Forums

Iptables script

elleqq
Just Arrived
Joined: 06 Nov 2004
Posts: 0

Posted: Sun Nov 07, 2004 2:46 pm    Post subject: Iptables script

Hi there, am putting together a script for my Linux box for "learning"/interest - single computer behind a hardware modem/router on eth0 - it's very basic at the moment - can anyone see any errors or inconsistencies in it etc - am running no servers etc, just want a basic script which only allows incoming from established connections.

Code:
#!/bin/bash

iptables --flush

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -p all -j ACCEPT

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT


(appreciate that the SPI firewall in the modem/router's doing much of the firewalling currently, however, would just like to learn something with the script, maybe eventually tailor the outbound area)

Thanks.
delete852
Just Arrived
Joined: 19 Nov 2002
Posts: 4
Location: Washington DC

Posted: Sun Nov 07, 2004 4:16 pm

Yea I saw a couple of problems with it. Right now as is, it wouldn't work very well. First of all you need to allow UDP traffic through for DNS resolution. Do a
iptables -A FORWARD -p udp [other flags] -j ACCEPT
iptables -A INPUT -p udp [other flags] -j ACCEPT
Here is how my script is set up. I know it's not the most secure script in the world, but it does the job of defending my home network pretty well, considering I am not running very many services that are offered to the wild.

Code:
iptables -F

#IPTABLES IP MASQUERADE SCRIPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#Allow everything from local area network
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
#iptables -A INPUT -i eth1 -p tcp --syn -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

#Allow related tcp traffic
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT


iptables -A FORWARD -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT

#Only allow ports that are needed to the server
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 139 -j ACCEPT

#Bittorrent
iptables -t nat -A PREROUTING -p tcp --dport 6881 -j DNAT --to 192.168.0.2:6881
#iptables -A FORWARD -p tcp -i eth1 --dport 6881 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 6881 -j ACCEPT

#Block everything else
iptables -P INPUT DROP
iptables -P FORWARD DROP

It is generally not a good idea to allow all outbound traffic, and it is also not a very good idea to allow ICMP forward, but I am running NAT so I need not worry about that. BTW: Since I didn't allow input ICMP, now if you ping my machine it shows as if it is down.

Hope it helps
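The review above is done by eye. As an added example (not delete852's code, and not from the thread), here is a small audit script that does the same three checks mechanically over an `iptables-save` dump: chains in the filter table whose policy is ACCEPT, ACCEPT rules that open a whole interface with no protocol, port or state match, and ports accepted from any interface. The embedded dump is constructed to resemble the NAT script above so the example runs offline; the function names and the `--live` flag are the example's own.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the things a reviewer
# would flag. SAMPLE_DUMP is constructed (modelled on the NAT script in
# the thread), not captured from a real host.

SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 6881 -j DNAT --to-destination 192.168.0.2:6881
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 7777 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 139 -j ACCEPT
COMMIT'

# Chains in the filter table whose default policy is ACCEPT
# (the nat table's ACCEPT policies are normal and are skipped).
accept_policies() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:/ && $2 == "ACCEPT" { print substr($1, 2) }
    '
}

# ACCEPT rules that carry no protocol, port or state match: they open an
# interface (or everything) wholesale. Loopback is expected and skipped.
wholesale_accepts() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A / && /-j ACCEPT/ &&
        $0 !~ /-p |--dport|--sport|--state/ && $0 !~ /-i lo / { print }
    '
}

# Ports accepted without an interface restriction, as CHAIN/proto/port.
open_ports() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A / && /-j ACCEPT/ && /--dport/ && $0 !~ /-i / {
            proto = "any"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print $2 "/" proto "/" port
        }
    '
}

report() {
    echo "Filter chains with ACCEPT policy:"
    accept_policies "$1"
    echo "ACCEPT rules with no protocol/port/state match:"
    wholesale_accepts "$1"
    echo "Ports accepted from any interface:"
    open_ports "$1"
}

# With --live (needs root) the running ruleset is audited instead.
if [ "${1:-}" = "--live" ]; then
    report "$(iptables-save)"
else
    report "$SAMPLE_DUMP"
fi
```

Run as `sh audit.sh` to see the report for the constructed dump, or `sudo sh audit.sh --live` on the host being reviewed. On the sample it reports the ACCEPT policy on OUTPUT, the two interface-wide rules for eth1, and ports 22 and 7777 open from any interface, while the port 139 rule is not flagged because it is limited to eth1.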
elleqq
Just Arrived
Joined: 06 Nov 2004
Posts: 0

Posted: Tue Nov 09, 2004 5:44 am

Thanks for that - I'll have look through and post back if I have any questions - thanks again.
elleqq
Just Arrived
Joined: 06 Nov 2004
Posts: 0

Posted: Tue Nov 09, 2004 9:51 pm

Thinking about the Outbound direction - rather than having the default as "accept all outbound" , presumably it could be changed to:

Code:
iptables -P OUTPUT DROP


so by default it blocks all outbound? - then presumably would have to explicitly create outbound rules for each service to connect to (or use the multiport module)?

So - for basic web surfing, email (pop3) and FTP could I just add:

Code:
#Allow Outbound FTP, Web, POP3 Email

iptables -A OUTPUT -o eth0 -p tcp -m multiport --dport 21,80,110,443 -j ACCEPT


and for outbound DNS queries just add:

Code:
#Allow Outbound DNS queries

iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT


So the full iptables script would then be:

Code:
#!/bin/bash

#Flush
iptables --flush

#Defaults
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#Loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#Allow Outbound FTP, Web, POP3 Email
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dport 21,80,110,443 -j ACCEPT

#Allow Outbound DNS queries
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT

#Established
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT


Appreciate if anyone could confirm whether the above would only allow Web, Email and FTP Outbound, and drop all incoming except for established connections -

Thanks.
delete852
Just Arrived
Joined: 19 Nov 2002
Posts: 4
Location: Washington DC

Posted: Wed Nov 10, 2004 2:57 am

Ok, first of all you are going to also need a FORWARD rule, right now you are blocking all packets that are going to be forwarded.

Also those DNS queries will need to be answered and it doesn't seem like you are accepting them.

I am also not sure if your last ESTABLISHED entry will work because you don't specify a protocol; you are going to need a "-p tcp" in there.

Another tricky part is FTP, a lot of times in Active FTP the Server would establish a connection back to the client on a port negotiated during the session, if your firewall blocks it, the request will not go through.

Also, for that established rule you are going to want to have the same rule in the forward chain. I think you might also want to open port 20 for FTP, maybe source port. I forgot how FTP traffic works.
sorry about the order of this post, I was just writing stuff as it came to my head.
tutaepaki
Trusted SF Member
Joined: 02 May 2002
Posts: 3
Location: New Zealand

Posted: Wed Nov 10, 2004 3:53 am

You don't need "FORWARD" rules unless your box is acting as a router, which it doesn't sound like in your case...

Delete's right about the FTP though. Because FTP opens a second data connection, you'll need an extra rule to allow those.

Code:
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT


Should cover it. (The RELATED parameter allows for connections related to another permitted connection)

If you're wanting to be sending email, you'll need to add port 25 to your multiport OUTPUT statement.
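The thread converges on a single-host, default-deny ruleset: loopback open, ESTABLISHED,RELATED accepted in both directions (RELATED is what lets the FTP data connection through), DNS out, and a multiport list of allowed outbound TCP ports with 25 added if mail is sent. As an added example, not code from any poster, the script below emits that ruleset in `iptables-restore` format so it is loaded atomically rather than rule by rule. The interface name, the port list and the function name are the example's own parameters; it assumes the box is not routing, so FORWARD stays empty.

```shell
#!/bin/sh
# Added example: render the default-deny workstation ruleset discussed in
# the thread as an iptables-restore file. Nothing here touches the kernel;
# pipe the output into iptables-restore to apply it.
# Usage: ruleset WAN_IF TCP_PORTS   e.g.  ruleset eth0 21,80,110,443,25

ruleset() {
    wan="$1"      # external interface, eth0 in the thread
    ports="$2"    # comma-separated outbound TCP ports for multiport
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies and related connections in both directions. RELATED covers the
# FTP data channel once the kernel's FTP conntrack helper is loaded.
-A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
# New outbound connections: DNS, then the allowed TCP services
-A OUTPUT -o $wan -p udp --dport 53 --sport 1024:65535 -j ACCEPT
-A OUTPUT -o $wan -p tcp -m multiport --dports $ports -j ACCEPT
COMMIT
EOF
}

# Number of ACCEPT rules in the rendered ruleset; handy as a sanity check
# that the list has not silently lost a rule after editing.
accept_count() {
    ruleset "$1" "$2" | grep -c -- '-j ACCEPT'
}

# Print the ruleset for the thread's host. Apply with:
#   sh ruleset.sh | sudo iptables-restore
ruleset "${1:-eth0}" "${2:-21,80,110,443}"
```

Because iptables-restore replaces the whole table in one commit, there is no moment where the policies are DROP but the loopback and ESTABLISHED rules are not yet in place, which is the window a line-by-line script leaves open. `iptables-restore --test < file` parses the file without applying it, which is a cheap way to catch a typo before locking yourself out of a remote box.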
elleqq
Just Arrived
Joined: 06 Nov 2004
Posts: 0

Posted: Wed Nov 10, 2004 7:47 pm

Thanks guys - I'll go with:

Code:
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT


to add to the #Established section.

Thanks again.