sample iptables firewall
#1

I'm going to show you a current set of rules I have for a firewall on a machine that is acting as a gateway.

 

eth0 is the private network with hosts that use this machine as a gateway.

eth1 is the internet access network.

 

eth0 has an interface of 192.168.10.1, static for the private network.

eth1 has an interface of 192.168.1.169, although when this goes into a production environment this will become a publicly routable address or the address assigned by a dsl/cable modem.

 

There are a lot of comments that prepend the rules that should clarify what I am doing, but if you get confused or have any questions feel free to ask.

 

This is still a work in progress so not all of my table/chain policies are exactly the way I'll have them be as I reach a final version.

 



Code:
# Generated by iptables-save v1.2.9 on Fri Apr 30 02:26:35 2004
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BANNED - [0:0]
:LDROP - [0:0]
# note: only the first packet of each connection traverses the nat table, and an ACCEPT here
# only means "no NAT for this packet"; the filter table below still decides whether it is allowed
# example ban, dropped but logged first
#-A PREROUTING -s 1.2.3.4 -j BANNED
# example, not logged just dropped
#-A PREROUTING -s 2.3.4.5 -j DROP
#
-A PREROUTING -p tcp --dport 22 -j ACCEPT
-A PREROUTING -i eth0 -p tcp --dport 53 -j ACCEPT
-A PREROUTING -i eth0 -p udp --dport 53 -j ACCEPT
#-A PREROUTING -i eth1 -p tcp --sport 0:19 -j LDROP
#-A PREROUTING -i eth1 -p tcp --dport 0:19 -j LDROP
# kill DHCP, dont even log it
-A PREROUTING -i eth1 -p udp --sport 67:68 --dport 67:68 -j DROP
# evil windows! this is actually the port ranges for windows file sharing (samba included)
# drop and dont bother logging
-A PREROUTING -i eth1 -p tcp --dport 135:139 -j DROP
-A PREROUTING -i eth1 -p udp --dport 135:139 -j DROP
# seeing some traffic hitting broadcast via udp, got tired of seeing it in the logs.
-A PREROUTING -i eth1 -p udp -d 255.255.255.255 -j DROP
# punched a hole to allow access to gkrellm for monitoring
-A PREROUTING -i eth1 -p tcp --dport 19150 -j ACCEPT
# for a very strict firewall, this would be a good place to drop anything you werent explicitly expecting.
#-A PREROUTING -i eth1 -j LDROP
# this rule is very important, if the public interface address for eth1 changes, you must update this rule
# if this is going to be a dynamic address, you should just switch to MASQ instead of SNAT
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source 192.168.1.169
# setup the BANNED chain
-A BANNED -p tcp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (tcp) " --log-level info
-A BANNED -p udp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (udp) " --log-level info
-A BANNED -p icmp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (icmp) " --log-level info
-A BANNED -f -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (fragment) " --log-level info
-A BANNED -j DROP
# setup the LOG & DROP chain
-A LDROP -p tcp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (tcp) " --log-level info
-A LDROP -p udp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (udp) " --log-level info
-A LDROP -p icmp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (icmp) " --log-level info
-A LDROP -f -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (fragment) " --log-level info
-A LDROP -j DROP
COMMIT
# Generated by iptables-save v1.2.9 on Fri Apr 30 02:26:35 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCPCHK - [0:0]
:ICMPCHK - [0:0]
:INETIN - [0:0]
:INETOUT - [0:0]
:LDROP - [0:0]
:MARTIAN - [0:0]
# internal network - disable this for production use (where inet interface isnt 192.168.1/24)
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j INETIN
# as per draft-manning-dsua-03.txt, IANA Special Use Address blocks and NFC (no fscking clue)
# 0.0.0.0     - 0.255.255.255    (0/8 prefix)         RESERVED-1                   IANA SUA
# 127.0.0.0   - 127.255.255.255  (127/8 prefix)       LOOPBACK                     IANA SUA
# 192.0.2.0   - 192.0.2.255      (192.0.2/24 prefix)  NET-TEST                     IANA SUA
# 10.0.0.0    - 10.255.255.255   (10/8 prefix)        CLASS A private networks     RFC1918
# 172.16.0.0  - 172.31.255.255   (172.16/12 prefix)   CLASS B private networks     RFC1918
# 192.168.0.0 - 192.168.255.255  (192.168/16 prefix)  CLASS C private networks     RFC1918
# 224.0.0.0   - 239.255.255.255  (224/4 prefix)       CLASS D multicast addresses  RFC1166
# 240.0.0.0   - 247.255.255.255  (240/5 prefix)       CLASS E reserved addresses   RFC1166
# 248.0.0.0   - 255.255.255.255  (248/5 prefix)       CLASS E reserved addresses   RFC1166
# 169.254.0.0 - 169.254.255.255  (169.254/16 prefix)  AUTOCONFIGURATION            NFC
-A INPUT -s 0.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 192.0.2.0/255.255.255.0 -i eth1 -j MARTIAN
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth1 -j MARTIAN
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth1 -j MARTIAN
-A INPUT -s 224.0.0.0/240.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 240.0.0.0/248.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 248.0.0.0/248.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 169.254.0.0/255.255.0.0 -i eth1 -j MARTIAN
#
-A INPUT -i eth1 -j INETIN
-A INPUT -i lo -j ACCEPT
# private local network (eth0)
-A INPUT -s 192.168.10.0/255.255.255.0 -i eth0 -j ACCEPT
#
-A FORWARD -i eth1 -o eth0 -j INETIN
-A FORWARD -s 192.168.10.0/255.255.255.0 -o eth1 -j INETOUT
-A FORWARD -j LDROP
-A OUTPUT -o eth1 -j INETOUT
-A OUTPUT -o eth0 -j ACCEPT
-A TCPCHK -p tcp --tcp-flags ALL NONE -m limit --limit 30/min -j LOG --log-prefix "NULL scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL NONE -j DROP
-A TCPCHK -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 30/min -j LOG --log-prefix "XMAS scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 30/min -j LOG --log-prefix "FIN scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,URG URG -m limit --limit 30/min -j LOG --log-prefix "URG scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,URG URG -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 30/min -j LOG --log-prefix "PSH scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A TCPCHK -p tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 30/min -j LOG --log-prefix "SYN/FIN scan " --log-level info
-A TCPCHK -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 30/min -j LOG --log-prefix "SYN/RST scan " --log-level info
-A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A TCPCHK -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 30/min -j LOG --log-prefix "FIN/RST scan " --log-level info
-A TCPCHK -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# a plain SYN under the rate limit RETURNs to the calling chain so the port rules in INETIN still apply;
# an ACCEPT here is a final verdict for the whole INPUT/FORWARD traversal and would let every new
# connection attempt through before those rules are reached
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -m limit --limit 10/sec -j RETURN
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -m limit --limit 2/min --limit-burst 1 -j LOG --log-prefix "possible SYN scan/flood " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state NEW -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -m limit --limit 30/min -j LOG --log-prefix "PSH,ACK w/ RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ALL -m limit --limit 30/min -j LOG --log-prefix "ALL tcp-flags " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ALL -j DROP
-A TCPCHK -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 30/min -j LOG --log-prefix "SYN,FIN " --log-level info
-A TCPCHK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 30/min -j LOG --log-prefix "SYN,RST " --log-level info
-A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A TCPCHK -p tcp --tcp-flags RST,FIN RST,FIN -m limit --limit 30/min -j LOG --log-prefix "RST,FIN " --log-level info
-A TCPCHK -p tcp --tcp-flags RST,FIN RST,FIN -j DROP
-A TCPCHK -p tcp --tcp-flags SYN,URG SYN,URG -m limit --limit 30/min -j LOG --log-prefix "SYN,URG " --log-level info
-A TCPCHK -p tcp --tcp-flags SYN,URG SYN,URG -j DROP
-A TCPCHK -p tcp --tcp-flags ALL PSH,SYN -m limit --limit 30/min -j LOG --log-prefix "PSH,SYN " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL PSH,SYN -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,SYN -m limit --limit 30/min -j LOG --log-prefix "ACK,PSH,SYN " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,SYN -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 30/min -j LOG --log-prefix "PSH w/o ACK" --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,URG URG -m limit --limit 30/min -j LOG --log-prefix "URG w/o ACK" --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,URG URG -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN NONE -m limit --limit 30/min -j LOG --log-prefix "no ACK, RST, or SYN " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN NONE -j DROP
-A TCPCHK -p tcp --tcp-flags ALL RST -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "RST w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,SYN NONE -m limit --limit 30/min -j LOG --log-prefix "no ACK, no SYN " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,SYN NONE -j DROP
-A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state NEW -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state RELATED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -m limit --limit 30/min -j LOG --log-prefix "SYN w/ ESTABLISHED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,SYN w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL FIN,ACK -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,FIN w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state NEW -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,RST w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,PSH,RST w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,FIN,PSH w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp -m state --state INVALID -m limit --limit 30/min -j LOG --log-prefix "INVALID state " --log-level info
-A TCPCHK -p tcp -m state --state INVALID -j DROP
#
-A ICMPCHK -p icmp --icmp-type 5 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP redirect " --log-level info
-A ICMPCHK -p icmp --icmp-type 5 -j DROP
-A ICMPCHK -p icmp --icmp-type 9 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP router advertisment " --log-level info
-A ICMPCHK -p icmp --icmp-type 9 -j DROP
-A ICMPCHK -p icmp --icmp-type 10 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP route solicitation " --log-level info
-A ICMPCHK -p icmp --icmp-type 10 -j DROP
-A ICMPCHK -p icmp --icmp-type 13 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP timestamp request " --log-level info
-A ICMPCHK -p icmp --icmp-type 13 -j DROP
-A ICMPCHK -p icmp --icmp-type 14 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP timestamp reply " --log-level info
-A ICMPCHK -p icmp --icmp-type 14 -j DROP
-A ICMPCHK -p icmp --icmp-type 15 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP info request " --log-level info
-A ICMPCHK -p icmp --icmp-type 15 -j DROP
-A ICMPCHK -p icmp --icmp-type 16 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP info reply " --log-level info
-A ICMPCHK -p icmp --icmp-type 16 -j DROP
-A ICMPCHK -p icmp --icmp-type 17 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP address mask request " --log-level info
-A ICMPCHK -p icmp --icmp-type 17 -j DROP
-A ICMPCHK -p icmp --icmp-type 18 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP address mask reply " --log-level info
-A ICMPCHK -p icmp --icmp-type 18 -j DROP
-A ICMPCHK -p icmp --icmp-type 8 -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A ICMPCHK -p icmp --icmp-type 8 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP excessive pings " --log-level info --log-tcp-sequence
-A ICMPCHK -p icmp --icmp-type 8 -j DROP
-A ICMPCHK -p icmp ! --icmp-type 8 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP allowed " --log-level info
-A ICMPCHK -p icmp ! --icmp-type 8 -j ACCEPT
-A INETIN -p tcp -j TCPCHK
-A INETIN -p icmp -j ICMPCHK
-A INETIN -m state --state ESTABLISHED -j ACCEPT
-A INETIN -p tcp -m state --state RELATED --dport 1024:65535 -j ACCEPT
-A INETIN -p udp -m state --state RELATED --dport 1024:65535 -j ACCEPT
# allow dns
-A INETIN -p tcp --dport 53 -j ACCEPT
-A INETIN -p udp --dport 53 -j ACCEPT
# allow ssh
-A INETIN -p tcp --dport 22 -j ACCEPT
# gkrellm
-A INETIN -p tcp --dport 19150 -j ACCEPT
#
# default policy = log and drop
-A INETIN -p tcp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (tcp) " --log-level info
-A INETIN -p udp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (udp) " --log-level info
-A INETIN -p icmp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (icmp) " --log-level info
-A INETIN -f -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (fragment) " --log-level info
# this effectively sets the policy to DROP, we could remove this and set it in the chain creation rule
-A INETIN -j DROP
# example drop in INETOUT chain
#-A INETOUT -d 1.2.3.4 -p tcp -j DROP
-A INETOUT -j ACCEPT
-A LDROP -p tcp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (tcp) " --log-level info
-A LDROP -p udp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (udp) " --log-level info
-A LDROP -p icmp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (icmp) " --log-level info
-A LDROP -f -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (fragment) " --log-level info
-A LDROP -j DROP
-A MARTIAN -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "martian network " --log-level info
-A MARTIAN -j DROP
COMMIT




Reply
#2

looks a wee bit complicated to me

 

would you mind explaining how it all works? So that us noobs can learn :P

 

cheers

 

anyweb

Reply
#3

This steps in and out of some of Ritter's comments.. hopefully my comments are good? Also, this will allow direct import into an rc.firewall script (well, you'll need to reorder the chains.. but hey.. 1/2 there!)

 



Code:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
## create every user-defined chain before any rule jumps to it, and set the built-in policies
## (the save dump above has these as :CHAIN lines; a script has to do it explicitly, and
##  PREROUTING/POSTROUTING/SNAT only exist in the nat table, hence the -t nat below)
iptables -t nat -N BANNED
iptables -t nat -N LDROP
iptables -N TCPCHK
iptables -N ICMPCHK
iptables -N INETIN
iptables -N INETOUT
iptables -N LDROP
iptables -N MARTIAN
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
## prerouting == the first steps into your system
## (nat table: only the first packet of a connection gets here, and ACCEPT just means "no NAT";
##  the filter table further down still decides whether the packet is allowed in)
# Pass known bad IP (1.2.3.4) into the ruleset BANNED to be logged then dropped
#iptables -t nat -A PREROUTING -s 1.2.3.4 -j BANNED
# Dont bother logging just drop
#iptables -t nat -A PREROUTING -s 2.3.4.5 -j DROP
# accept port 22 (ssh) on any interface, and 53 tcp/udp (domain) on internal eth0
iptables -t nat -A PREROUTING -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j ACCEPT
# pass to "log and drop" chain.. all attempts FROM ports 0 through 19 .. from external
iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 0:19 -j LDROP
# same to ports 0 - 19 again from external
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 0:19 -j LDROP
# kill DHCP, dont even log it (re external)
iptables -t nat -A PREROUTING -i eth1 -p udp --sport 67:68 --dport 67:68 -j DROP
# evil windows! this is actually the port ranges for windows file sharing (samba included)
# drop and dont bother logging (again bad from external)
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 135:139 -j DROP
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 135:139 -j DROP
# seeing some traffic hitting broadcast via udp, got tired of seeing it in the logs.
iptables -t nat -A PREROUTING -i eth1 -p udp -d 255.255.255.255 -j DROP
# punched a hole to allow access to gkrellm for monitoring
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 19150 -j ACCEPT
# for a very strict firewall, this would be a good place to drop anything you werent explicitly expecting.
#iptables -t nat -A PREROUTING -i eth1 -j LDROP
## postrouting == the last step...
# this rule is very important, if the public interface address for eth1 changes, you must update this rule
# if this is going to be a dynamic address, you should just switch to MASQ instead of SNAT
iptables -t nat -A POSTROUTING -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source 192.168.1.169
# setup the BANNED chain
# (basically a log and drop.. but does so with the pre-BANNED prefix.. so you can grep your logs)
# the limits are to ensure your logs arent overflowing...
iptables -t nat -A BANNED -p tcp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (tcp) " --log-level info
iptables -t nat -A BANNED -p udp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (udp) " --log-level info
iptables -t nat -A BANNED -p icmp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (icmp) " --log-level info
iptables -t nat -A BANNED -f -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (fragment) " --log-level info
iptables -t nat -A BANNED -j DROP
# setup the LOG & DROP chain
# the same as above.. but this time a friendly prefix
iptables -t nat -A LDROP -p tcp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (tcp) " --log-level info
iptables -t nat -A LDROP -p udp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (udp) " --log-level info
iptables -t nat -A LDROP -p icmp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (icmp) " --log-level info
iptables -t nat -A LDROP -f -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (fragment) " --log-level info
iptables -t nat -A LDROP -j DROP
## input == after pre..
# internal network - disable this for production use (where inet interface isnt 192.168.1/24)
# this throws all input on the external interface (eth1) from 192.168.1.0 to the INETIN chain (which is
# a chain to test all the input).. this effectively skips this source so that the next batch of entries
# don't mark it (correctly) as a martian .... YOU WILL NOT WANT THIS!
iptables -A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j INETIN
# as per draft-manning-dsua-03.txt, IANA Special Use Address blocks and NFC (no fscking clue)
# 0.0.0.0     - 0.255.255.255    (0/8 prefix)         RESERVED-1                   IANA SUA
# 127.0.0.0   - 127.255.255.255  (127/8 prefix)       LOOPBACK                     IANA SUA
# 192.0.2.0   - 192.0.2.255      (192.0.2/24 prefix)  NET-TEST                     IANA SUA
# 10.0.0.0    - 10.255.255.255   (10/8 prefix)        CLASS A private networks     RFC1918
# 172.16.0.0  - 172.31.255.255   (172.16/12 prefix)   CLASS B private networks     RFC1918
# 192.168.0.0 - 192.168.255.255  (192.168/16 prefix)  CLASS C private networks     RFC1918
# 224.0.0.0   - 239.255.255.255  (224/4 prefix)       CLASS D multicast addresses  RFC1166
# 240.0.0.0   - 247.255.255.255  (240/5 prefix)       CLASS E reserved addresses   RFC1166
# 248.0.0.0   - 255.255.255.255  (248/5 prefix)       CLASS E reserved addresses   RFC1166
# 169.254.0.0 - 169.254.255.255  (169.254/16 prefix)  AUTOCONFIGURATION            NFC
# ... basically nothing from external sources should be these.. because the powers that be have assigned
# them to private networks/etc
iptables -A INPUT -s 0.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 127.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 192.0.2.0/255.255.255.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 10.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 172.16.0.0/255.240.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 192.168.0.0/255.255.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 224.0.0.0/240.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 240.0.0.0/248.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 248.0.0.0/248.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 169.254.0.0/255.255.0.0 -i eth1 -j MARTIAN
# now you see heres the real check..
iptables -A INPUT -i eth1 -j INETIN
# accept all loopback..
iptables -A INPUT -i lo -j ACCEPT
# private local network (eth0) so accept all, lets hope nothing bad comes from internal ;)
iptables -A INPUT -s 192.168.10.0/255.255.255.0 -i eth0 -j ACCEPT
## forward == anything that isnt going in.. but just passing through
# again confirm good with the INETIN checks
iptables -A FORWARD -i eth1 -o eth0 -j INETIN
# only forward stuff out (via eth1) if it comes from the internal ip
iptables -A FORWARD -s 192.168.10.0/255.255.255.0 -o eth1 -j INETOUT
# otherwise log and drop others
iptables -A FORWARD -j LDROP
## output == stuff going out.. no really !
# test output with INETOUT chain
iptables -A OUTPUT -o eth1 -j INETOUT
# accept all output on eth0
iptables -A OUTPUT -o eth0 -j ACCEPT
# checks to see whats bad (these are basically to stop most of nmap's 'features')
# these are tests to look for unusual flags combos ... note these are duplicate because..
# one logs, one drops
iptables -A TCPCHK -p tcp --tcp-flags ALL NONE -m limit --limit 30/min -j LOG --log-prefix "NULL scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL NONE -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 30/min -j LOG --log-prefix "XMAS scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 30/min -j LOG --log-prefix "FIN scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,URG URG -m limit --limit 30/min -j LOG --log-prefix "URG scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 30/min -j LOG --log-prefix "PSH scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A TCPCHK -p tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 30/min -j LOG --log-prefix "SYN/FIN scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 30/min -j LOG --log-prefix "SYN/RST scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A TCPCHK -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 30/min -j LOG --log-prefix "FIN/RST scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# a SYN under the rate limit RETURNs to INETIN so its port rules still apply; an ACCEPT here would be
# a final verdict and let every new connection attempt in before those rules are reached
iptables -A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -m limit --limit 10/sec -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -m limit --limit 2/min --limit-burst 1 -j LOG --log-prefix "possible SYN scan/flood " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state NEW -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -m limit --limit 30/min -j LOG --log-prefix "PSH,ACK w/ RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ALL -m limit --limit 30/min -j LOG --log-prefix "ALL tcp-flags " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ALL -j DROP
iptables -A TCPCHK -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 30/min -j LOG --log-prefix "SYN,FIN " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 30/min -j LOG --log-prefix "SYN,RST " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A TCPCHK -p tcp --tcp-flags RST,FIN RST,FIN -m limit --limit 30/min -j LOG --log-prefix "RST,FIN " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags RST,FIN RST,FIN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags SYN,URG SYN,URG -m limit --limit 30/min -j LOG --log-prefix "SYN,URG " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags SYN,URG SYN,URG -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL PSH,SYN -m limit --limit 30/min -j LOG --log-prefix "PSH,SYN " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL PSH,SYN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,SYN -m limit --limit 30/min -j LOG --log-prefix "ACK,PSH,SYN " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,SYN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 30/min -j LOG --log-prefix "PSH w/o ACK" --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,URG URG -m limit --limit 30/min -j LOG --log-prefix "URG w/o ACK" --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,RST,SYN NONE -m limit --limit 30/min -j LOG --log-prefix "no ACK, RST, or SYN " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,RST,SYN NONE -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL RST -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "RST w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,SYN NONE -m limit --limit 30/min -j LOG --log-prefix "no ACK, no SYN " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,SYN NONE -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state NEW -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state RELATED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -m limit --limit 30/min -j LOG --log-prefix "SYN w/ ESTABLISHED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,SYN w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL FIN,ACK -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,FIN -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,FIN w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,FIN -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state NEW -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,RST w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,PSH,RST w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,FIN,PSH w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp -m state --state INVALID -m limit --limit 30/min -j LOG --log-prefix "INVALID state " --log-level info
iptables -A TCPCHK -p tcp -m state --state INVALID -j DROP
# now do checks for icmp.. again this is in a bid to drop malicious looking packets
# again duplicate.. log+drop
iptables -A ICMPCHK -p icmp --icmp-type 5 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP redirect " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 5 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 9 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP router advertisment " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 9 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 10 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP route solicitation " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 10 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 13 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP timestamp request " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 13 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 14 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP timestamp reply " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 14 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 15 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP info request " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 15 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 16 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP info reply " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 16 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 17 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP address mask request " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 17 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 18 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP address mask reply " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 18 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 8 -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
iptables -A ICMPCHK -p icmp --icmp-type 8 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP excessive pings " --log-level info --log-tcp-sequence
iptables -A ICMPCHK -p icmp --icmp-type 8 -j DROP
iptables -A ICMPCHK -p icmp ! --icmp-type 8 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP allowed " --log-level info
iptables -A ICMPCHK -p icmp ! --icmp-type 8 -j ACCEPT
## ok lets use them...
# test against the above rules
iptables -A INETIN -p tcp -j TCPCHK
iptables -A INETIN -p icmp -j ICMPCHK
# stuff that is already established has to be good..
iptables -A INETIN -m state --state ESTABLISHED -j ACCEPT
# accept everything on the 'higher' ports 1024 >  (can use 1024: instead of 1024:65535) if it is related
# to another already connected (tcp and udp)
iptables -A INETIN -p tcp -m state --state RELATED --dport 1024:65535 -j ACCEPT
iptables -A INETIN -p udp -m state --state RELATED --dport 1024:65535 -j ACCEPT
# allow dns
iptables -A INETIN -p tcp --dport 53 -j ACCEPT
iptables -A INETIN -p udp --dport 53 -j ACCEPT
# allow ssh (do you run ssh?)
iptables -A INETIN -p tcp --dport 22 -j ACCEPT
# gkrellm (do you want gkrellm available?)
iptables -A INETIN -p tcp --dport 19150 -j ACCEPT
# default policy = log and drop
iptables -A INETIN -p tcp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (tcp) " --log-level info
iptables -A INETIN -p udp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (udp) " --log-level info
iptables -A INETIN -p icmp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (icmp) " --log-level info
iptables -A INETIN -f -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (fragment) " --log-level info
# this effectively sets the policy to DROP, we could remove this and set it in the chain creation rule
iptables -A INETIN -j DROP
## test outgoing traffic
# example drop in INETOUT chain
#iptables -A INETOUT -d 1.2.3.4 -p tcp -j DROP
# accept everything..
iptables -A INETOUT -j ACCEPT
## log and drop chain... with limit to protect the log file
iptables -A LDROP -p tcp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (tcp) " --log-level info
iptables -A LDROP -p udp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (udp) " --log-level info
iptables -A LDROP -p icmp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (icmp) " --log-level info
iptables -A LDROP -f -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (fragment) " --log-level info
iptables -A LDROP -j DROP
# log and drop the martians.. (see above)
iptables -A MARTIAN -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "martian network " --log-level info
iptables -A MARTIAN -j DROP




 

Phew.. well, I hope the info helped.. Note the order would need a little jigging to get this working..

Reply
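Two things in this thread can be checked without loading anything into a kernel: whether post #1's TCPCHK chain really hands a new SYN to the port rules in INETIN, and whether post #3's script would load in the order it is written. The following is an added example, not code from either post: a small Python walker that reads iptables-save lines and `iptables ...` script lines (only the match options the thread's rules use; `-m limit` is treated as always matching, i.e. the under-the-rate case, and LOG/SNAT/MASQUERADE as non-terminating), walks one packet through one table's chains the way the kernel does (a jump into a user chain, RETURN back to the caller, the chain policy when nothing hits), and flags a chain or target that a rule uses before it exists in that table. The rule excerpts and the packet are constructed for the example: `AS_POSTED` keeps post #1's `-j ACCEPT` on the rate-limited SYN rule in TCPCHK, `WITH_RETURN` is the same excerpt with `-j RETURN`, and `SCRIPT` reproduces post #3's `iptables -A POSTROUTING ... -j SNAT` without `-t nat` and a jump to INETIN before `iptables -N INETIN`.

```python
"""Offline iptables rule walker and chain-order/table linter (added example, not code from the thread).
Unmodelled matches, notably -m limit, are assumed to match; LOG/SNAT/MASQUERADE never terminate."""
import ipaddress
import shlex

BUILTIN = {"filter": {"INPUT", "FORWARD", "OUTPUT"}, "nat": {"PREROUTING", "POSTROUTING", "OUTPUT"}}
TERMINAL, NONTERMINAL = {"ACCEPT", "DROP", "REJECT"}, {"LOG", "SNAT", "MASQUERADE"}
NOARG = {"-f", "--log-tcp-sequence", "-F", "-X"}          # options that take no value
FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}

def _flags(spec):
    return FLAGS if spec == "ALL" else set() if spec == "NONE" else set(spec.split(","))

def parse(text):
    """iptables-save lines or `iptables [-t T] -A/-N ...` lines -> (tables, policies, problems)."""
    tables, policies, problems, cur = {}, {}, [], "filter"
    for n, line in enumerate(text.splitlines(), 1):
        toks = shlex.split(line[9:] if line.startswith("iptables ") else line, comments=True)
        if not toks:
            continue
        if toks[0][0] == "*" or toks[0] == "COMMIT":         # iptables-save table scope
            cur = toks[0][1:] if toks[0][0] == "*" else "filter"
            continue
        if toks[0][0] == ":":                                # iptables-save chain declaration
            tables.setdefault(cur, {}).setdefault(toks[0][1:], [])
            policies[(cur, toks[0][1:])] = toks[1]
            continue
        opts, neg, i = {}, set(), 0
        while i < len(toks):                                 # "-opt value" pairs; "!" negates the next
            t = toks[i]
            if t == "!": neg.add(toks[i + 1]); i += 1; continue
            nargs = 0 if t in NOARG else 2 if t == "--tcp-flags" else 1
            opts[t] = True if nargs == 0 else toks[i + 1] if nargs == 1 else tuple(toks[i + 1:i + 3])
            i += 1 + nargs
        table = opts.get("-t", cur)
        chains = tables.setdefault(table, {})
        if "-N" in opts:
            chains.setdefault(opts["-N"], [])
        elif "-A" in opts:
            chain, target = opts["-A"], opts.get("-j")
            known = set(chains) | BUILTIN.get(table, set()) | TERMINAL | NONTERMINAL | {"RETURN"}
            problems += [f"line {n}: chain {x} does not exist in table {table} (yet)"
                         for x in (chain, target) if x and x not in known]
            if target in ("SNAT", "MASQUERADE") and table != "nat":
                problems.append(f"line {n}: {target} is only valid in the nat table")
            chains.setdefault(chain, []).append({"opts": opts, "neg": neg})
    return tables, policies, problems

def _match(rule, pkt):
    """One rule against one packet dict; a key in rule["neg"] ("!") inverts that test."""
    o, neg = rule["opts"], rule["neg"]
    tests = {
        **{k: (lambda v, f=f: v == pkt.get(f)) for k, f in (("-i", "in"), ("-o", "out"), ("-p", "proto"))},
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False),
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v, strict=False),
        "--dport": lambda v: int(v.split(":")[0]) <= pkt.get("dport", -1) <= int(v.split(":")[-1]),
        "--tcp-flags": lambda v: (set(pkt.get("flags", ())) & _flags(v[0])) == _flags(v[1]),
        "--icmp-type": lambda v: str(pkt.get("icmp_type")) == v,
        "--state": lambda v: pkt.get("state") in v.split(","),
    }
    return all(tests[k](o[k]) != (k in neg) for k in tests if k in o)

def _walk(tables, table, chain, pkt):                      # ACCEPT/DROP/REJECT, or None (RETURN/end)
    for rule in tables.get(table, {}).get(chain, []):
        target = rule["opts"].get("-j")
        if not _match(rule, pkt) or target is None or target in NONTERMINAL:
            continue
        if target in TERMINAL or target == "RETURN":
            return target if target in TERMINAL else None
        if (sub := _walk(tables, table, target, pkt)) is not None:   # jump into a user-defined chain
            return sub
    return None

def verdict(tables, policies, table, chain, pkt):          # built-in chain: policy applies if nothing hits
    return _walk(tables, table, chain, pkt) or policies.get((table, chain), "ACCEPT")

# Constructed excerpts: AS_POSTED mirrors post #1's INPUT -> INETIN -> TCPCHK path (save format),
# SCRIPT mirrors post #3's rc.firewall style and the two reasons it will not load as written.
AS_POSTED = """\
:INPUT DROP [0:0]
:INETIN - [0:0]
:TCPCHK - [0:0]
-A INPUT -i eth1 -j INETIN
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -m limit --limit 10/sec -j ACCEPT
-A INETIN -p tcp -j TCPCHK
-A INETIN -p tcp --dport 22 -j ACCEPT
-A INETIN -j DROP
"""
WITH_RETURN = AS_POSTED.replace("--limit 10/sec -j ACCEPT", "--limit 10/sec -j RETURN")
SCRIPT = """\
iptables -A POSTROUTING -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source 192.168.1.169
iptables -A INPUT -i eth1 -j INETIN
iptables -N INETIN
"""

def syn_verdicts(rules):
    """INPUT verdict for a fresh SYN from an internet host on eth1 to ports 22 and 80."""
    tables, policies, _ = parse(rules)
    pkt = {"in": "eth1", "proto": "tcp", "src": "203.0.113.7", "dst": "192.168.1.169",
           "flags": {"SYN"}, "state": "NEW"}                # constructed packet
    return {p: verdict(tables, policies, "filter", "INPUT", {**pkt, "dport": p}) for p in (22, 80)}
```

`syn_verdicts(AS_POSTED)` gives `{22: 'ACCEPT', 80: 'ACCEPT'}`: an ACCEPT inside TCPCHK is a final verdict for the whole INPUT traversal, so the SYN to port 80 is let in before INETIN's `--dport 22` rule and its closing DROP are ever consulted. `syn_verdicts(WITH_RETURN)` gives `{22: 'ACCEPT', 80: 'DROP'}`, which is what the chain was evidently meant to do. `parse(SCRIPT)[2]` lists three problems in post #3's style of script: POSTROUTING is not a filter-table chain, SNAT is only valid in the nat table, and INETIN is jumped to before it is created; adding `-t nat` to the first line leaves only the ordering problem. The walker deliberately models a single table; in the kernel the nat PREROUTING verdict and the filter INPUT verdict are applied one after the other, so a packet has to survive both.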

