Ritter

sample iptables firewall


I'm going to show you a current set of rules I have for a firewall on a machine that is acting as a gateway.

eth0 is the private network with hosts that use this machine as a gateway.

eth1 is the internet access network.

eth0 has an interface of 192.168.10.1, static for the private network.

eth1 has an interface of 192.168.1.169, although when this goes into a production environment this will become a publicly routable address or the address assigned by a DSL/cable modem.

There are a lot of comments preceding the rules that should clarify what I am doing, but if you get confused or have any questions feel free to ask.

This is still a work in progress, so not all of my table/chain policies are exactly the way I'll have them as I reach a final version.

 

# Generated by iptables-save v1.2.9 on Fri Apr 30 02:26:35 2004
*nat
# NOTE (editor): this dump comes from iptables 1.2.9 (2004). The nat table only sees the first packet of
# each connection, and the iptables command has for years refused -j DROP in the nat table ("The nat
# table is not intended for filtering"), so iptables-restore on a current system rejects the DROP rules
# and the BANNED/LDROP chains below. On a current system move them into the filter table (INETIN),
# which already drops all of this traffic by default policy; the nat table should only NAT.
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BANNED - [0:0]
:LDROP - [0:0]
# example ban, dropped but logged first
#-A PREROUTING -s 1.2.3.4 -j BANNED
# example, not logged just dropped
#-A PREROUTING -s 2.3.4.5 -j DROP
#
# ACCEPT in the nat table only ends NAT processing for the packet; it does not admit it through the
# firewall. The real allow/deny decision for 22 and 53 is made in the filter table (INETIN) below.
# Note the port 22 rule has no -i, so it applies to both interfaces; the 53 rules are limited to eth0.
-A PREROUTING -p tcp --dport 22 -j ACCEPT
-A PREROUTING -i eth0 -p tcp --dport 53 -j ACCEPT
-A PREROUTING -i eth0 -p udp --dport 53 -j ACCEPT
#-A PREROUTING -i eth1 -p tcp --sport 0:19 -j LDROP
#-A PREROUTING -i eth1 -p tcp --dport 0:19 -j LDROP
# kill DHCP, dont even log it
-A PREROUTING -i eth1 -p udp --sport 67:68 --dport 67:68 -j DROP
# evil windows! this is actually the port ranges for windows file sharing (samba included)
# drop and dont bother logging
-A PREROUTING -i eth1 -p tcp --dport 135:139 -j DROP
-A PREROUTING -i eth1 -p udp --dport 135:139 -j DROP
# seeing some traffic hitting broadcast via udp, got tired of seeing it in the logs.
-A PREROUTING -i eth1 -p udp -d 255.255.255.255 -j DROP
# punched a hole to allow access to gkrellm for monitoring
-A PREROUTING -i eth1 -p tcp --dport 19150 -j ACCEPT
# for a very strict firewall, this would be a good place to drop anything you werent explicitly expecting.
#-A PREROUTING -i eth1 -j LDROP
# this rule is very important, if the public interface address for eth1 changes, you must update this rule
# if this is going to be a dynamic address, switch to -j MASQUERADE (which needs no --to-source) instead of SNAT
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source 192.168.1.169
# setup the BANNED chain
-A BANNED -p tcp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (tcp) " --log-level info
-A BANNED -p udp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (udp) " --log-level info
-A BANNED -p icmp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (icmp) " --log-level info
-A BANNED -f -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (fragment) " --log-level info
-A BANNED -j DROP
# setup the LOG & DROP chain
-A LDROP -p tcp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (tcp) " --log-level info
-A LDROP -p udp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (udp) " --log-level info
-A LDROP -p icmp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (icmp) " --log-level info
-A LDROP -f -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (fragment) " --log-level info
-A LDROP -j DROP 
COMMIT
# Generated by iptables-save v1.2.9 on Fri Apr 30 02:26:35 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCPCHK - [0:0]
:ICMPCHK - [0:0]
:INETIN - [0:0]
:INETOUT - [0:0]
:LDROP - [0:0]
:MARTIAN - [0:0]
# internal network - disable this for production use (where the inet interface isn't on 192.168.1/24);
# it lets the lab's 192.168.1/24 network skip the MARTIAN checks below, which would otherwise drop it as RFC1918 space
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j INETIN
# as per draft-manning-dsua-03.txt, IANA Special Use Address blocks and NFC (no fscking clue)
# 0.0.0.0     - 0.255.255.255    (0/8 prefix)         RESERVED-1                   IANA SUA
# 127.0.0.0   - 127.255.255.255  (127/8 prefix)       LOOPBACK                     IANA SUA
# 192.0.2.0   - 192.0.2.255      (192.0.2/24 prefix)  NET-TEST                     IANA SUA
# 10.0.0.0    - 10.255.255.255   (10/8 prefix)        CLASS A private networks     RFC1918
# 172.16.0.0  - 172.31.255.255   (172.16/12 prefix)   CLASS B private networks     RFC1918
# 192.168.0.0 - 192.168.255.255  (192.168/16 prefix)  CLASS C private networks     RFC1918
# 224.0.0.0   - 239.255.255.255  (224/4 prefix)       CLASS D multicast addresses  RFC1166
# 240.0.0.0   - 247.255.255.255  (240/5 prefix)       CLASS E reserved addresses   RFC1166
# 248.0.0.0   - 255.255.255.255  (248/5 prefix)       CLASS E reserved addresses   RFC1166
# 169.254.0.0 - 169.254.255.255  (169.254/16 prefix)  AUTOCONFIGURATION            NFC
-A INPUT -s 0.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 192.0.2.0/255.255.255.0 -i eth1 -j MARTIAN
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth1 -j MARTIAN
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth1 -j MARTIAN
-A INPUT -s 224.0.0.0/240.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 240.0.0.0/248.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 248.0.0.0/248.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 169.254.0.0/255.255.0.0 -i eth1 -j MARTIAN 
#
-A INPUT -i eth1 -j INETIN 
-A INPUT -i lo -j ACCEPT 
# private local network (eth0)
-A INPUT -s 192.168.10.0/255.255.255.0 -i eth0 -j ACCEPT 
#
-A FORWARD -i eth1 -o eth0 -j INETIN 
-A FORWARD -s 192.168.10.0/255.255.255.0 -o eth1 -j INETOUT 
-A FORWARD -j LDROP 
-A OUTPUT -o eth1 -j INETOUT
-A OUTPUT -o eth0 -j ACCEPT
-A TCPCHK -p tcp --tcp-flags ALL NONE -m limit --limit 30/min -j LOG --log-prefix "NULL scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL NONE -j DROP 
-A TCPCHK -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 30/min -j LOG --log-prefix "XMAS scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP 
-A TCPCHK -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 30/min -j LOG --log-prefix "FIN scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,FIN FIN -j DROP 
-A TCPCHK -p tcp --tcp-flags ACK,URG URG -m limit --limit 30/min -j LOG --log-prefix "URG scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,URG URG -j DROP 
-A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 30/min -j LOG --log-prefix "PSH scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -j DROP 
-A TCPCHK -p tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 30/min -j LOG --log-prefix "SYN/FIN scan " --log-level info
-A TCPCHK -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
-A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 30/min -j LOG --log-prefix "SYN/RST scan " --log-level info
-A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 
-A TCPCHK -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 30/min -j LOG --log-prefix "FIN/RST scan " --log-level info
-A TCPCHK -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 
# SYNs within the rate limit must RETURN to the caller (INETIN) so that the port whitelist there still applies.
# The original dump used ACCEPT here; because INETIN jumps to TCPCHK before its whitelist, that let a SYN to
# ANY port (not just 22, 53, 19150) straight through at up to 10/sec and the "DROPPED by policy" rules never
# saw a new TCP connection. Only the SYNs above the limit fall through to the log/drop pair below.
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -m limit --limit 10/sec -j RETURN
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -m limit --limit 2/min --limit-burst 1 -j LOG --log-prefix "possible SYN scan/flood " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -j DROP 
-A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state NEW -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -m limit --limit 30/min -j LOG --log-prefix "PSH,ACK w/ RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ALL -m limit --limit 30/min -j LOG --log-prefix "ALL tcp-flags " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ALL -j DROP
# (the SYN,FIN / SYN,RST / RST,FIN / PSH-without-ACK / URG-without-ACK pairs that the dump repeated here
#  were exact duplicates of rules earlier in this chain and could never match; they have been dropped)
-A TCPCHK -p tcp --tcp-flags SYN,URG SYN,URG -m limit --limit 30/min -j LOG --log-prefix "SYN,URG " --log-level info
-A TCPCHK -p tcp --tcp-flags SYN,URG SYN,URG -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,SYN -m limit --limit 30/min -j LOG --log-prefix "ACK,PSH,SYN " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,SYN -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN NONE -m limit --limit 30/min -j LOG --log-prefix "no ACK, RST, or SYN " --log-level info 
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN NONE -j DROP
-A TCPCHK -p tcp --tcp-flags ALL RST -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "RST w/ NEW,RELATED " --log-level info 
-A TCPCHK -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,SYN NONE -m limit --limit 30/min -j LOG --log-prefix "no ACK, no SYN " --log-level info 
-A TCPCHK -p tcp --tcp-flags ACK,SYN NONE -j DROP
-A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state NEW -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state RELATED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -m limit --limit 30/min -j LOG --log-prefix "SYN w/ ESTABLISHED " --log-level info 
-A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,SYN w/ NEW,RELATED " --log-level info 
-A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL FIN,ACK -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,FIN w/ NEW,RELATED " --log-level info 
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state NEW -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,RST w/ NEW,RELATED " --log-level info 
-A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,PSH,RST w/ NEW,RELATED " --log-level info 
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,FIN,PSH w/ NEW,RELATED " --log-level info 
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp -m state --state INVALID -m limit --limit 30/min -j LOG --log-prefix "INVALID state " --log-level info 
-A TCPCHK -p tcp -m state --state INVALID -j DROP
#
-A ICMPCHK -p icmp --icmp-type 5 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP redirect " --log-level info 
-A ICMPCHK -p icmp --icmp-type 5 -j DROP 
-A ICMPCHK -p icmp --icmp-type 9 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP router advertisment " --log-level info 
-A ICMPCHK -p icmp --icmp-type 9 -j DROP 
-A ICMPCHK -p icmp --icmp-type 10 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP route solicitation " --log-level info 
-A ICMPCHK -p icmp --icmp-type 10 -j DROP 
-A ICMPCHK -p icmp --icmp-type 13 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP timestamp request " --log-level info 
-A ICMPCHK -p icmp --icmp-type 13 -j DROP 
-A ICMPCHK -p icmp --icmp-type 14 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP timestamp reply " --log-level info 
-A ICMPCHK -p icmp --icmp-type 14 -j DROP 
-A ICMPCHK -p icmp --icmp-type 15 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP info request " --log-level info 
-A ICMPCHK -p icmp --icmp-type 15 -j DROP 
-A ICMPCHK -p icmp --icmp-type 16 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP info reply " --log-level info 
-A ICMPCHK -p icmp --icmp-type 16 -j DROP 
-A ICMPCHK -p icmp --icmp-type 17 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP address mask request " --log-level info
-A ICMPCHK -p icmp --icmp-type 17 -j DROP 
-A ICMPCHK -p icmp --icmp-type 18 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP address mask reply " --log-level info
-A ICMPCHK -p icmp --icmp-type 18 -j DROP 
-A ICMPCHK -p icmp --icmp-type 8 -m limit --limit 2/sec --limit-burst 2 -j ACCEPT 
-A ICMPCHK -p icmp --icmp-type 8 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP excessive pings " --log-level info --log-tcp-sequence
-A ICMPCHK -p icmp --icmp-type 8 -j DROP 
-A ICMPCHK -p icmp ! --icmp-type 8 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP allowed " --log-level info 
-A ICMPCHK -p icmp ! --icmp-type 8 -j ACCEPT 
-A INETIN -p tcp -j TCPCHK
-A INETIN -p icmp -j ICMPCHK
-A INETIN -m state --state ESTABLISHED -j ACCEPT
-A INETIN -p tcp -m state --state RELATED --dport 1024:65535 -j ACCEPT 
-A INETIN -p udp -m state --state RELATED --dport 1024:65535 -j ACCEPT 
# allow dns
-A INETIN -p tcp --dport 53 -j ACCEPT 
-A INETIN -p udp --dport 53 -j ACCEPT 
# allow ssh
-A INETIN -p tcp --dport 22 -j ACCEPT
# gkrellm
-A INETIN -p tcp --dport 19150 -j ACCEPT
#
# default policy = log and drop
-A INETIN -p tcp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (tcp) " --log-level info 
-A INETIN -p udp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (udp) " --log-level info 
-A INETIN -p icmp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (icmp) " --log-level info 
-A INETIN -f -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (fragment) " --log-level info 
# user-defined chains cannot carry a policy (only INPUT/FORWARD/OUTPUT can), so the chain has to end in an explicit DROP
-A INETIN -j DROP
# example drop in INETOUT chain
#-A INETOUT -d 1.2.3.4 -p tcp -j DROP 
-A INETOUT -j ACCEPT 
-A LDROP -p tcp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (tcp) " --log-level info 
-A LDROP -p udp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (udp) " --log-level info 
-A LDROP -p icmp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (icmp) " --log-level info 
-A LDROP -f -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (fragment) " --log-level info 
-A LDROP -j DROP 
-A MARTIAN -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "martian network " --log-level info 
-A MARTIAN -j DROP 
COMMIT


looks a wee bit complicated to me

would you mind explaining how it all works? so that us noobs can learn :P

cheers

anyweb


This steps in and out of some of Ritter's comments.. hopefully my comments are good? Also this will allow direct import into an rc.firewall script (well, you'll need to reorder the chains.. but hey.. 1/2 there!)

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# every user chain is created up front: a rule cannot jump to a chain that does not exist yet,
# and the nat-table chains (BANNED, LDROP) are separate from the filter-table chains of the same name
iptables -t nat -N BANNED
iptables -t nat -N LDROP
iptables -N TCPCHK
iptables -N ICMPCHK
iptables -N INETIN
iptables -N INETOUT
iptables -N LDROP
iptables -N MARTIAN

## prerouting == the first steps into your system
## (this is the nat table, hence -t nat on every rule. It only sees the first packet of a connection,
##  and current iptables refuses -j DROP in the nat table: "The nat table is not intended for
##  filtering". If that bites you, move these DROPs into INETIN below; the filter table already drops
##  the same traffic by default policy, these nat rules only save log noise)

# Pass known bad IP (1.2.3.4) into the ruleset BANNED to be logged then dropped
#iptables -t nat -A PREROUTING -s 1.2.3.4 -j BANNED

# Don't bother logging, just drop
#iptables -t nat -A PREROUTING -s 2.3.4.5 -j DROP

# ACCEPT in the nat table only ends NAT processing for the packet; the real allow/deny decision for
# 22 (ssh) and 53 (domain) is made in INETIN below. Note the port 22 rule has no -i and so applies
# to both interfaces; the 53 rules are restricted to the internal eth0
iptables -t nat -A PREROUTING -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j ACCEPT

# pass to "log and drop" chain.. all attempts FROM ports 0 through 19 .. from external
iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 0:19 -j LDROP

# same to ports 0 - 19 again from external
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 0:19 -j LDROP

# kill DHCP, don't even log it (re external)
iptables -t nat -A PREROUTING -i eth1 -p udp --sport 67:68 --dport 67:68 -j DROP

# evil windows! this is actually the port ranges for windows file sharing (samba included)
# drop and don't bother logging (again bad from external)
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 135:139 -j DROP
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 135:139 -j DROP

# seeing some traffic hitting broadcast via udp, got tired of seeing it in the logs.
iptables -t nat -A PREROUTING -i eth1 -p udp -d 255.255.255.255 -j DROP

# punched a hole to allow access to gkrellm for monitoring
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 19150 -j ACCEPT

# for a very strict firewall, this would be a good place to drop anything you weren't explicitly expecting.
#iptables -t nat -A PREROUTING -i eth1 -j LDROP

## postrouting == the last step...

# this rule is very important, if the public interface address for eth1 changes, you must update this rule
# if this is going to be a dynamic address, you should just switch to -j MASQUERADE instead of SNAT
iptables -t nat -A POSTROUTING -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source 192.168.1.169


# setup the BANNED chain (nat table)
# (basically a log and drop.. but does so with the pre-BANNED prefix.. so you can grep your logs)
# the limits are to ensure your logs aren't overflowing...
iptables -t nat -A BANNED -p tcp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (tcp) " --log-level info
iptables -t nat -A BANNED -p udp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (udp) " --log-level info
iptables -t nat -A BANNED -p icmp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (icmp) " --log-level info
iptables -t nat -A BANNED -f -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (fragment) " --log-level info
iptables -t nat -A BANNED -j DROP

# setup the LOG & DROP chain (nat table)
# the same as above.. but this time a friendly prefix
iptables -t nat -A LDROP -p tcp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (tcp) " --log-level info
iptables -t nat -A LDROP -p udp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (udp) " --log-level info
iptables -t nat -A LDROP -p icmp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (icmp) " --log-level info
iptables -t nat -A LDROP -f -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (fragment) " --log-level info
iptables -t nat -A LDROP -j DROP


## input == after pre.. (filter table from here on, the default table, so no -t needed)

# internal network - disable this for production use (where inet interface isn't 192.168.1/24)
# this throws all input on the external interface (eth1) from 192.168.1.0 to the INETIN chain (which is
# a chain to test all the input).. this effectively skips this source so that the next batch of entries don't
# mark it (correctly) as a martian .... YOU WILL NOT WANT THIS!
iptables -A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j INETIN

# as per draft-manning-dsua-03.txt, IANA Special Use Address blocks and NFC (no fscking clue)
# 0.0.0.0     - 0.255.255.255    (0/8 prefix)         RESERVED-1                   IANA SUA
# 127.0.0.0   - 127.255.255.255  (127/8 prefix)       LOOPBACK                     IANA SUA
# 192.0.2.0   - 192.0.2.255      (192.0.2/24 prefix)  NET-TEST                     IANA SUA
# 10.0.0.0    - 10.255.255.255   (10/8 prefix)        CLASS A private networks     RFC1918
# 172.16.0.0  - 172.31.255.255   (172.16/12 prefix)   CLASS B private networks     RFC1918
# 192.168.0.0 - 192.168.255.255  (192.168/16 prefix)  CLASS C private networks     RFC1918
# 224.0.0.0   - 239.255.255.255  (224/4 prefix)       CLASS D multicast addresses  RFC1166
# 240.0.0.0   - 247.255.255.255  (240/5 prefix)       CLASS E reserved addresses   RFC1166
# 248.0.0.0   - 255.255.255.255  (248/5 prefix)       CLASS E reserved addresses   RFC1166
# 169.254.0.0 - 169.254.255.255  (169.254/16 prefix)  AUTOCONFIGURATION            NFC
# ... basically nothing from external sources should be these.. because the powers that be have assigned
# them to private networks/etc
iptables -A INPUT -s 0.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 127.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 192.0.2.0/255.255.255.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 10.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 172.16.0.0/255.240.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 192.168.0.0/255.255.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 224.0.0.0/240.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 240.0.0.0/248.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 248.0.0.0/248.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 169.254.0.0/255.255.0.0 -i eth1 -j MARTIAN

# now you see here's the real check..
iptables -A INPUT -i eth1 -j INETIN

# accept all loopback..
iptables -A INPUT -i lo -j ACCEPT

# private local network (eth0) so accept all, let's hope nothing bad comes from internal ;)
iptables -A INPUT -s 192.168.10.0/255.255.255.0 -i eth0 -j ACCEPT


## forward == anything that isn't going in.. but just passing through
## (forwarding itself is switched on with sysctl net.ipv4.ip_forward=1, which this script does not do)

# again confirm good with the INETIN checks
iptables -A FORWARD -i eth1 -o eth0 -j INETIN

# only forward stuff out (via eth1) if it comes from the internal ip
iptables -A FORWARD -s 192.168.10.0/255.255.255.0 -o eth1 -j INETOUT

# otherwise log and drop others
iptables -A FORWARD -j LDROP

## output == stuff going out.. no really !

# test output with INETOUT chain
iptables -A OUTPUT -o eth1 -j INETOUT

# accept all output on eth0
iptables -A OUTPUT -o eth0 -j ACCEPT


# checks to see what's bad (these are basically to stop most of nmap's 'features')

# these are tests to look for unusual flag combos ... note these are duplicated because..
# one logs, one drops
iptables -A TCPCHK -p tcp --tcp-flags ALL NONE -m limit --limit 30/min -j LOG --log-prefix "NULL scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL NONE -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 30/min -j LOG --log-prefix "XMAS scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 30/min -j LOG --log-prefix "FIN scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,URG URG -m limit --limit 30/min -j LOG --log-prefix "URG scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 30/min -j LOG --log-prefix "PSH scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A TCPCHK -p tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 30/min -j LOG --log-prefix "SYN/FIN scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 30/min -j LOG --log-prefix "SYN/RST scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A TCPCHK -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 30/min -j LOG --log-prefix "FIN/RST scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# SYNs inside the rate limit RETURN to INETIN so the port whitelist there still applies. The original
# used ACCEPT here; since INETIN calls TCPCHK before its whitelist, that let a SYN to ANY port straight
# through at up to 10/sec. Only SYNs above the limit fall through to the log/drop pair below.
iptables -A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -m limit --limit 10/sec -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -m limit --limit 2/min --limit-burst 1 -j LOG --log-prefix "possible SYN scan/flood " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state NEW -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -m limit --limit 30/min -j LOG --log-prefix "PSH,ACK w/ RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ALL -m limit --limit 30/min -j LOG --log-prefix "ALL tcp-flags " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ALL -j DROP
# (the SYN,FIN / SYN,RST / RST,FIN / PSH-without-ACK / URG-without-ACK pairs that were repeated here in
#  the original were exact duplicates of rules above and could never match; they have been dropped)
iptables -A TCPCHK -p tcp --tcp-flags SYN,URG SYN,URG -m limit --limit 30/min -j LOG --log-prefix "SYN,URG " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags SYN,URG SYN,URG -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,SYN -m limit --limit 30/min -j LOG --log-prefix "ACK,PSH,SYN " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,SYN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,RST,SYN NONE -m limit --limit 30/min -j LOG --log-prefix "no ACK, RST, or SYN " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,RST,SYN NONE -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL RST -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "RST w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,SYN NONE -m limit --limit 30/min -j LOG --log-prefix "no ACK, no SYN " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,SYN NONE -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state NEW -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state RELATED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -m limit --limit 30/min -j LOG --log-prefix "SYN w/ ESTABLISHED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,SYN w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL FIN,ACK -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,FIN -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,FIN w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,FIN -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state NEW -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,RST w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,PSH,RST w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,FIN,PSH w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp -m state --state INVALID -m limit --limit 30/min -j LOG --log-prefix "INVALID state " --log-level info
iptables -A TCPCHK -p tcp -m state --state INVALID -j DROP

# now do checks for icmp.. again this is in a bid to drop malicious looking packets
# again duplicate.. log+drop
iptables -A ICMPCHK -p icmp --icmp-type 5 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP redirect " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 5 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 9 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP router advertisement " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 9 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 10 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP router solicitation " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 10 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 13 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP timestamp request " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 13 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 14 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP timestamp reply " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 14 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 15 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP info request " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 15 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 16 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP info reply " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 16 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 17 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP address mask request " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 17 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 18 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP address mask reply " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 18 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 8 -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
iptables -A ICMPCHK -p icmp --icmp-type 8 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP excessive pings " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 8 -j DROP
iptables -A ICMPCHK -p icmp ! --icmp-type 8 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP allowed " --log-level info
iptables -A ICMPCHK -p icmp ! --icmp-type 8 -j ACCEPT

## ok let's use them...

# test against the above rules
iptables -A INETIN -p tcp -j TCPCHK
iptables -A INETIN -p icmp -j ICMPCHK

# stuff that is already established has to be good..
iptables -A INETIN -m state --state ESTABLISHED -j ACCEPT

# accept everything on the 'higher' ports 1024 >  (can use 1024: instead of 1024:65535) if it is related
# to another already connected (tcp and udp)
iptables -A INETIN -p tcp -m state --state RELATED --dport 1024:65535 -j ACCEPT
iptables -A INETIN -p udp -m state --state RELATED --dport 1024:65535 -j ACCEPT

# allow dns
iptables -A INETIN -p tcp --dport 53 -j ACCEPT
iptables -A INETIN -p udp --dport 53 -j ACCEPT

# allow ssh (do you run ssh?)
iptables -A INETIN -p tcp --dport 22 -j ACCEPT

# gkrellm (do you want gkrellm available?)
iptables -A INETIN -p tcp --dport 19150 -j ACCEPT


# default policy = log and drop
iptables -A INETIN -p tcp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (tcp) " --log-level info
iptables -A INETIN -p udp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (udp) " --log-level info
iptables -A INETIN -p icmp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (icmp) " --log-level info
iptables -A INETIN -f -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (fragment) " --log-level info

# user-defined chains cannot carry a policy (only INPUT/FORWARD/OUTPUT can), so end with an explicit DROP
iptables -A INETIN -j DROP


## test outgoing traffic

# example drop in INETOUT chain
#iptables -A INETOUT -d 1.2.3.4 -p tcp -j DROP

# accept everything..
iptables -A INETOUT -j ACCEPT


## log and drop chain... with limit to protect the log file
iptables -A LDROP -p tcp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (tcp) " --log-level info
iptables -A LDROP -p udp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (udp) " --log-level info
iptables -A LDROP -p icmp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (icmp) " --log-level info
iptables -A LDROP -f -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (fragment) " --log-level info
iptables -A LDROP -j DROP

# log and drop the martians.. (see above)
iptables -A MARTIAN -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "martian network " --log-level info
iptables -A MARTIAN -j DROP


## default policies (:INPUT DROP / :FORWARD DROP / :OUTPUT ACCEPT in the dump above). They are set last so
## that a first run over an ssh session is not cut off while the chains above are still being filled in.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

 

phew.. well i hope the info helped.. note the order would need a little jigging to get this working..
