sample iptables firewall
#1

I'm going to show you a current set of rules I have for a firewall on a machine that is acting as a gateway.

eth0 is the private network with hosts that use this machine as a gateway.

eth1 is the internet access network.

eth0 has an interface of 192.168.10.1, static for the private network.

eth1 has an interface of 192.168.1.169, although when this goes into a production environment this will become a publicly routable address or the address assigned by a DSL/cable modem.

There are a lot of comments that prepend the rules that should clarify what I am doing, but if you get confused or have any questions feel free to ask.

This is still a work in progress so not all of my table/chain policies are exactly the way I'll have them be as I reach a final version.

Code:
# Generated by iptables-save v1.2.9 on Fri Apr 30 02:26:35 2004
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BANNED - [0:0]
:LDROP - [0:0]
# example ban, dropped but logged first
#-A PREROUTING -s 1.2.3.4 -j BANNED
# example, not logged just dropped
#-A PREROUTING -s 2.3.4.5 -j DROP
#
-A PREROUTING -p tcp --dport 22 -j ACCEPT
-A PREROUTING -i eth0 -p tcp --dport 53 -j ACCEPT
-A PREROUTING -i eth0 -p udp --dport 53 -j ACCEPT
#-A PREROUTING -i eth1 -p tcp --sport 0:19 -j LDROP
#-A PREROUTING -i eth1 -p tcp --dport 0:19 -j LDROP
# kill DHCP, dont even log it
-A PREROUTING -i eth1 -p udp --sport 67:68 --dport 67:68 -j DROP
# evil windows! this is actually the port ranges for windows file sharing (samba included)
# drop and dont bother logging
-A PREROUTING -i eth1 -p tcp --dport 135:139 -j DROP
-A PREROUTING -i eth1 -p udp --dport 135:139 -j DROP
# seeing some traffic hitting broadcast via udp, got tired of seeing it in the logs.
-A PREROUTING -i eth1 -p udp -d 255.255.255.255 -j DROP
# punched a hole to allow access to gkrellm for monitoring
-A PREROUTING -i eth1 -p tcp --dport 19150 -j ACCEPT
# for a very strict firewall, this would be a good place to drop anything you werent explicitly expecting.
#-A PREROUTING -i eth1 -j LDROP
# this rule is very important, if the public interface address for eth1 changes, you must update this rule
# if this is going to be a dynamic address, you should just switch to MASQ instead of SNAT
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source 192.168.1.169
# setup the BANNED chain
-A BANNED -p tcp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (tcp) " --log-level info
-A BANNED -p udp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (udp) " --log-level info
-A BANNED -p icmp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (icmp) " --log-level info
-A BANNED -f -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (fragment) " --log-level info
-A BANNED -j DROP
# setup the LOG & DROP chain
-A LDROP -p tcp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (tcp) " --log-level info
-A LDROP -p udp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (udp) " --log-level info
-A LDROP -p icmp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (icmp) " --log-level info
-A LDROP -f -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (fragment) " --log-level info
-A LDROP -j DROP
COMMIT
# Generated by iptables-save v1.2.9 on Fri Apr 30 02:26:35 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCPCHK - [0:0]
:ICMPCHK - [0:0]
:INETIN - [0:0]
:INETOUT - [0:0]
:LDROP - [0:0]
:MARTIAN - [0:0]
# internal network - disable this for production use (where inet interface isnt 192.168.1/24)
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j INETIN
# as per draft-manning-dsua-03.txt, IANA Special Use Address blocks and NFC (no fscking clue)
# 0.0.0.0     - 0.255.255.255    (0/8 prefix)         RESERVED-1                   IANA SUA
# 127.0.0.0   - 127.255.255.255  (127/8 prefix)       LOOPBACK                     IANA SUA
# 192.0.2.0   - 192.0.2.255      (192.0.2/24 prefix)  NET-TEST                     IANA SUA
# 10.0.0.0    - 10.255.255.255   (10/8 prefix)        CLASS A private networks     RFC1918
# 172.16.0.0  - 172.31.255.255   (172.16/12 prefix)   CLASS B private networks     RFC1918
# 192.168.0.0 - 192.168.255.255  (192.168/16 prefix)  CLASS C private networks     RFC1918
# 224.0.0.0   - 239.255.255.255  (224/4 prefix)       CLASS D multicast addresses  RFC1166
# 240.0.0.0   - 247.255.255.255  (240/5 prefix)       CLASS E reserved addresses   RFC1166
# 248.0.0.0   - 255.255.255.255  (248/5 prefix)       CLASS E reserved addresses   RFC1166
# 169.254.0.0 - 169.254.255.255  (169.254/16 prefix)  AUTOCONFIGURATION            NFC
-A INPUT -s 0.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 192.0.2.0/255.255.255.0 -i eth1 -j MARTIAN
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth1 -j MARTIAN
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth1 -j MARTIAN
-A INPUT -s 224.0.0.0/240.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 240.0.0.0/248.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 248.0.0.0/248.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 169.254.0.0/255.255.0.0 -i eth1 -j MARTIAN
#
-A INPUT -i eth1 -j INETIN
-A INPUT -i lo -j ACCEPT
# private local network (eth0)
-A INPUT -s 192.168.10.0/255.255.255.0 -i eth0 -j ACCEPT
#
-A FORWARD -i eth1 -o eth0 -j INETIN
-A FORWARD -s 192.168.10.0/255.255.255.0 -o eth1 -j INETOUT
-A FORWARD -j LDROP
-A OUTPUT -o eth1 -j INETOUT
-A OUTPUT -o eth0 -j ACCEPT
-A TCPCHK -p tcp --tcp-flags ALL NONE -m limit --limit 30/min -j LOG --log-prefix "NULL scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL NONE -j DROP
-A TCPCHK -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 30/min -j LOG --log-prefix "XMAS scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 30/min -j LOG --log-prefix "FIN scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,URG URG -m limit --limit 30/min -j LOG --log-prefix "URG scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,URG URG -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 30/min -j LOG --log-prefix "PSH scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A TCPCHK -p tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 30/min -j LOG --log-prefix "SYN/FIN scan " --log-level info
-A TCPCHK -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 30/min -j LOG --log-prefix "SYN/RST scan " --log-level info
-A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A TCPCHK -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 30/min -j LOG --log-prefix "FIN/RST scan " --log-level info
-A TCPCHK -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# rate-limit plain SYNs, then RETURN to INETIN so its port allow-list below still applies
# (an ACCEPT here ends the whole INPUT traversal, letting any within-limit SYN in whatever the port)
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -m limit --limit 10/sec -j RETURN
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -m limit --limit 2/min --limit-burst 1 -j LOG --log-prefix "possible SYN scan/flood " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state NEW -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -m limit --limit 30/min -j LOG --log-prefix "PSH,ACK w/ RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ALL -m limit --limit 30/min -j LOG --log-prefix "ALL tcp-flags " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ALL -j DROP
-A TCPCHK -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 30/min -j LOG --log-prefix "SYN,FIN " --log-level info
-A TCPCHK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 30/min -j LOG --log-prefix "SYN,RST " --log-level info
-A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A TCPCHK -p tcp --tcp-flags RST,FIN RST,FIN -m limit --limit 30/min -j LOG --log-prefix "RST,FIN " --log-level info
-A TCPCHK -p tcp --tcp-flags RST,FIN RST,FIN -j DROP
-A TCPCHK -p tcp --tcp-flags SYN,URG SYN,URG -m limit --limit 30/min -j LOG --log-prefix "SYN,URG " --log-level info
-A TCPCHK -p tcp --tcp-flags SYN,URG SYN,URG -j DROP
-A TCPCHK -p tcp --tcp-flags ALL PSH,SYN -m limit --limit 30/min -j LOG --log-prefix "PSH,SYN " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL PSH,SYN -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,SYN -m limit --limit 30/min -j LOG --log-prefix "ACK,PSH,SYN " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,SYN -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 30/min -j LOG --log-prefix "PSH w/o ACK" --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,URG URG -m limit --limit 30/min -j LOG --log-prefix "URG w/o ACK" --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,URG URG -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN NONE -m limit --limit 30/min -j LOG --log-prefix "no ACK, RST, or SYN " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN NONE -j DROP
-A TCPCHK -p tcp --tcp-flags ALL RST -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "RST w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,SYN NONE -m limit --limit 30/min -j LOG --log-prefix "no ACK, no SYN " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,SYN NONE -j DROP
-A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state NEW -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state RELATED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -m limit --limit 30/min -j LOG --log-prefix "SYN w/ ESTABLISHED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,SYN w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL FIN,ACK -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,FIN w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state NEW -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,RST w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,PSH,RST w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,FIN,PSH w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp -m state --state INVALID -m limit --limit 30/min -j LOG --log-prefix "INVALID state " --log-level info
-A TCPCHK -p tcp -m state --state INVALID -j DROP
#
-A ICMPCHK -p icmp --icmp-type 5 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP redirect " --log-level info
-A ICMPCHK -p icmp --icmp-type 5 -j DROP
-A ICMPCHK -p icmp --icmp-type 9 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP router advertisment " --log-level info
-A ICMPCHK -p icmp --icmp-type 9 -j DROP
-A ICMPCHK -p icmp --icmp-type 10 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP route solicitation " --log-level info
-A ICMPCHK -p icmp --icmp-type 10 -j DROP
-A ICMPCHK -p icmp --icmp-type 13 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP timestamp request " --log-level info
-A ICMPCHK -p icmp --icmp-type 13 -j DROP
-A ICMPCHK -p icmp --icmp-type 14 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP timestamp reply " --log-level info
-A ICMPCHK -p icmp --icmp-type 14 -j DROP
-A ICMPCHK -p icmp --icmp-type 15 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP info request " --log-level info
-A ICMPCHK -p icmp --icmp-type 15 -j DROP
-A ICMPCHK -p icmp --icmp-type 16 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP info reply " --log-level info
-A ICMPCHK -p icmp --icmp-type 16 -j DROP
-A ICMPCHK -p icmp --icmp-type 17 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP address mask request " --log-level info
-A ICMPCHK -p icmp --icmp-type 17 -j DROP
-A ICMPCHK -p icmp --icmp-type 18 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP address mask reply " --log-level info
-A ICMPCHK -p icmp --icmp-type 18 -j DROP
-A ICMPCHK -p icmp --icmp-type 8 -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A ICMPCHK -p icmp --icmp-type 8 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP excessive pings " --log-level info --log-tcp-sequence
-A ICMPCHK -p icmp --icmp-type 8 -j DROP
-A ICMPCHK -p icmp ! --icmp-type 8 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP allowed " --log-level info
-A ICMPCHK -p icmp ! --icmp-type 8 -j ACCEPT
-A INETIN -p tcp -j TCPCHK
-A INETIN -p icmp -j ICMPCHK
-A INETIN -m state --state ESTABLISHED -j ACCEPT
-A INETIN -p tcp -m state --state RELATED --dport 1024:65535 -j ACCEPT
-A INETIN -p udp -m state --state RELATED --dport 1024:65535 -j ACCEPT
# allow dns
-A INETIN -p tcp --dport 53 -j ACCEPT
-A INETIN -p udp --dport 53 -j ACCEPT
# allow ssh
-A INETIN -p tcp --dport 22 -j ACCEPT
# gkrellm
-A INETIN -p tcp --dport 19150 -j ACCEPT
#
# default policy = log and drop
-A INETIN -p tcp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (tcp) " --log-level info
-A INETIN -p udp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (udp) " --log-level info
-A INETIN -p icmp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (icmp) " --log-level info
-A INETIN -f -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (fragment) " --log-level info
# this effectively sets the policy to DROP, we could remove this and set it in the chain creation rule
-A INETIN -j DROP
# example drop in INETOUT chain
#-A INETOUT -d 1.2.3.4 -p tcp -j DROP
-A INETOUT -j ACCEPT
-A LDROP -p tcp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (tcp) " --log-level info
-A LDROP -p udp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (udp) " --log-level info
-A LDROP -p icmp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (icmp) " --log-level info
-A LDROP -f -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (fragment) " --log-level info
-A LDROP -j DROP
-A MARTIAN -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "martian network " --log-level info
-A MARTIAN -j DROP
COMMIT




#2

looks a wee bit complicated to me

would you mind explaining how it all works? so that us noobs can learn :P

cheers

anyweb

#3

This steps in and out of some of Ritter's comments.. hopefully my comments are good? also this will allow direct import into an rc.firewall script (well you'll need to reorder the chains.. but hey.. 1/2 there!)

Code:
iptables -F
iptables -X
# -F/-X without -t only touch the filter table; the nat table has its own rules, so flush it too
iptables -t nat -F
iptables -t nat -X

## default policies for the built-in filter chains (same as the iptables-save in post #1)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

## create every user chain first, so the -j jumps below can be listed in any order
## (BANNED and LDROP exist once in the nat table and LDROP again in the filter table)
iptables -t nat -N BANNED
iptables -t nat -N LDROP
iptables -N TCPCHK
iptables -N ICMPCHK
iptables -N INETIN
iptables -N INETOUT
iptables -N LDROP
iptables -N MARTIAN

## prerouting == the first steps into your system (PREROUTING lives in the nat table, hence -t nat)

# Pass known bad IP (1.2.3.4) into the ruleset BANNED to be logged then dropped
#iptables -t nat -A PREROUTING -s 1.2.3.4 -j BANNED

# Dont bother logging just drop
#iptables -t nat -A PREROUTING -s 2.3.4.5 -j DROP

# accept ports 22 (ssh), 53 (domain), 53 udp (domain) on internal eth0
iptables -t nat -A PREROUTING -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j ACCEPT

# pass to "log and drop" chain.. all attempts FROM ports 0 through 19 .. from external
iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 0:19 -j LDROP

# same to ports 0 - 19 again from external
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 0:19 -j LDROP

# kill DHCP, dont even log it (re external)
iptables -t nat -A PREROUTING -i eth1 -p udp --sport 67:68 --dport 67:68 -j DROP

# evil windows! this is actually the port ranges for windows file sharing (samba included)
# drop and dont bother logging (again bad from external)
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 135:139 -j DROP
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 135:139 -j DROP

# seeing some traffic hitting broadcast via udp, got tired of seeing it in the logs.
iptables -t nat -A PREROUTING -i eth1 -p udp -d 255.255.255.255 -j DROP

# punched a hole to allow access to gkrellm for monitoring
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 19150 -j ACCEPT

# for a very strict firewall, this would be a good place to drop anything you werent explicitly expecting.
#iptables -t nat -A PREROUTING -i eth1 -j LDROP

## postrouting == the last step... (also nat table)

# this rule is very important, if the public interface address for eth1 changes, you must update this rule
# if this is going to be a dynamic address, you should just switch to MASQ instead of SNAT
iptables -t nat -A POSTROUTING -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source 192.168.1.169


# setup the BANNED chain (nat table)
# (basically a log and drop.. but does so with the pre-BANNED prefix.. so you can grep your logs)
# the limits are to ensure your logs arent overflowing...
iptables -t nat -A BANNED -p tcp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (tcp) " --log-level info
iptables -t nat -A BANNED -p udp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (udp) " --log-level info
iptables -t nat -A BANNED -p icmp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (icmp) " --log-level info
iptables -t nat -A BANNED -f -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (fragment) " --log-level info
iptables -t nat -A BANNED -j DROP

# setup the LOG & DROP chain (nat table)
# the same as above.. but this time a friendly prefix
iptables -t nat -A LDROP -p tcp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (tcp) " --log-level info
iptables -t nat -A LDROP -p udp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (udp) " --log-level info
iptables -t nat -A LDROP -p icmp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (icmp) " --log-level info
iptables -t nat -A LDROP -f -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (fragment) " --log-level info
iptables -t nat -A LDROP -j DROP


## input == after pre.. (filter table from here on)

# internal network - disable this for production use (where inet interface isnt 192.168.1/24)
# this throws all input on the external interface (eth1) from 192.168.1.0 to the INETIN chain (which is
# a chain to test all the input).. this effectively skips this source so that the next batch of entries dont
# mark it (correctly) as a martian .... YOU WILL NOT WANT THIS!
iptables -A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j INETIN

# as per draft-manning-dsua-03.txt, IANA Special Use Address blocks and NFC (no fscking clue)
# 0.0.0.0     - 0.255.255.255    (0/8 prefix)         RESERVED-1                   IANA SUA
# 127.0.0.0   - 127.255.255.255  (127/8 prefix)       LOOPBACK                     IANA SUA
# 192.0.2.0   - 192.0.2.255      (192.0.2/24 prefix)  NET-TEST                     IANA SUA
# 10.0.0.0    - 10.255.255.255   (10/8 prefix)        CLASS A private networks     RFC1918
# 172.16.0.0  - 172.31.255.255   (172.16/12 prefix)   CLASS B private networks     RFC1918
# 192.168.0.0 - 192.168.255.255  (192.168/16 prefix)  CLASS C private networks     RFC1918
# 224.0.0.0   - 239.255.255.255  (224/4 prefix)       CLASS D multicast addresses  RFC1166
# 240.0.0.0   - 247.255.255.255  (240/5 prefix)       CLASS E reserved addresses   RFC1166
# 248.0.0.0   - 255.255.255.255  (248/5 prefix)       CLASS E reserved addresses   RFC1166
# 169.254.0.0 - 169.254.255.255  (169.254/16 prefix)  AUTOCONFIGURATION            NFC
# ... basically nothing from external sources should be these.. because the powers that be have assigned
# them to private networks/etc
iptables -A INPUT -s 0.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 127.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 192.0.2.0/255.255.255.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 10.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 172.16.0.0/255.240.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 192.168.0.0/255.255.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 224.0.0.0/240.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 240.0.0.0/248.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 248.0.0.0/248.0.0.0 -i eth1 -j MARTIAN
iptables -A INPUT -s 169.254.0.0/255.255.0.0 -i eth1 -j MARTIAN

# now you see heres the real check..
iptables -A INPUT -i eth1 -j INETIN

# accept all loopback..
iptables -A INPUT -i lo -j ACCEPT

# private local network (eth0) so accept all, lets hope nothing bad comes from internal ;)
iptables -A INPUT -s 192.168.10.0/255.255.255.0 -i eth0 -j ACCEPT


## forward == anything that isnt going in.. but just passing through

# again confirm good with the INETIN checks
iptables -A FORWARD -i eth1 -o eth0 -j INETIN

# only forward stuff out (via eth1) if it comes from the internal ip
iptables -A FORWARD -s 192.168.10.0/255.255.255.0 -o eth1 -j INETOUT

# otherwise log and drop others
iptables -A FORWARD -j LDROP

## output == stuff going out.. no really !

# test output with INETOUT chain
iptables -A OUTPUT -o eth1 -j INETOUT

# accept all output on eth0
iptables -A OUTPUT -o eth0 -j ACCEPT


# checks to see whats bad (these are basically to stop most of nmap's 'features')
# (TCPCHK was created at the top of the script)

# these are tests to look for unusual flags combos ... note these are duplicate because..
# one logs, one drops
iptables -A TCPCHK -p tcp --tcp-flags ALL NONE -m limit --limit 30/min -j LOG --log-prefix "NULL scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL NONE -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 30/min -j LOG --log-prefix "XMAS scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 30/min -j LOG --log-prefix "FIN scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,URG URG -m limit --limit 30/min -j LOG --log-prefix "URG scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 30/min -j LOG --log-prefix "PSH scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A TCPCHK -p tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 30/min -j LOG --log-prefix "SYN/FIN scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 30/min -j LOG --log-prefix "SYN/RST scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A TCPCHK -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 30/min -j LOG --log-prefix "FIN/RST scan " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# rate-limit plain SYNs, then RETURN to INETIN so its port allow-list still applies
# (an ACCEPT here ends the whole INPUT traversal, letting any within-limit SYN in whatever the port)
iptables -A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -m limit --limit 10/sec -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -m limit --limit 2/min --limit-burst 1 -j LOG --log-prefix "possible SYN scan/flood " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state NEW -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -m limit --limit 30/min -j LOG --log-prefix "PSH,ACK w/ RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ALL -m limit --limit 30/min -j LOG --log-prefix "ALL tcp-flags " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ALL -j DROP
iptables -A TCPCHK -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 30/min -j LOG --log-prefix "SYN,FIN " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 30/min -j LOG --log-prefix "SYN,RST " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A TCPCHK -p tcp --tcp-flags RST,FIN RST,FIN -m limit --limit 30/min -j LOG --log-prefix "RST,FIN " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags RST,FIN RST,FIN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags SYN,URG SYN,URG -m limit --limit 30/min -j LOG --log-prefix "SYN,URG " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags SYN,URG SYN,URG -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL PSH,SYN -m limit --limit 30/min -j LOG --log-prefix "PSH,SYN " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL PSH,SYN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,SYN -m limit --limit 30/min -j LOG --log-prefix "ACK,PSH,SYN " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,SYN -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 30/min -j LOG --log-prefix "PSH w/o ACK " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,URG URG -m limit --limit 30/min -j LOG --log-prefix "URG w/o ACK " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,RST,SYN NONE -m limit --limit 30/min -j LOG --log-prefix "no ACK, RST, or SYN " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,RST,SYN NONE -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL RST -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "RST w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ACK,SYN NONE -m limit --limit 30/min -j LOG --log-prefix "no ACK, no SYN " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ACK,SYN NONE -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state NEW -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state RELATED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -m limit --limit 30/min -j LOG --log-prefix "SYN w/ ESTABLISHED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,SYN w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL FIN,ACK -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,FIN -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,FIN w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,FIN -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state NEW -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,RST w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,PSH,RST w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state ESTABLISHED -j RETURN
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,FIN,PSH w/ NEW,RELATED " --log-level info
iptables -A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state NEW,RELATED -j DROP
iptables -A TCPCHK -p tcp -m state --state INVALID -m limit --limit 30/min -j LOG --log-prefix "INVALID state " --log-level info
iptables -A TCPCHK -p tcp -m state --state INVALID -j DROP

# now do checks for icmp.. again this is in a bid to drop malicious looking packets
# again duplicate.. log+drop (ICMPCHK was created at the top of the script)
iptables -A ICMPCHK -p icmp --icmp-type 5 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP redirect " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 5 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 9 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP router advertisement " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 9 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 10 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP route solicitation " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 10 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 13 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP timestamp request " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 13 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 14 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP timestamp reply " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 14 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 15 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP info request " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 15 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 16 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP info reply " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 16 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 17 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP address mask request " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 17 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 18 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP address mask reply " --log-level info
iptables -A ICMPCHK -p icmp --icmp-type 18 -j DROP
iptables -A ICMPCHK -p icmp --icmp-type 8 -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
iptables -A ICMPCHK -p icmp --icmp-type 8 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP excessive pings " --log-level info --log-tcp-sequence
iptables -A ICMPCHK -p icmp --icmp-type 8 -j DROP
iptables -A ICMPCHK -p icmp ! --icmp-type 8 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP allowed " --log-level info
iptables -A ICMPCHK -p icmp ! --icmp-type 8 -j ACCEPT

## ok lets use them... (INETIN was created at the top of the script)

# test against the above rules
iptables -A INETIN -p tcp -j TCPCHK
iptables -A INETIN -p icmp -j ICMPCHK

# stuff that is already established has to be good..
iptables -A INETIN -m state --state ESTABLISHED -j ACCEPT

# accept everything on the 'higher' ports 1024 >  (can use 1024: instead of 1024:65535) if it is related
# to another already connected (tcp and udp)
iptables -A INETIN -p tcp -m state --state RELATED --dport 1024:65535 -j ACCEPT
iptables -A INETIN -p udp -m state --state RELATED --dport 1024:65535 -j ACCEPT

# allow dns
iptables -A INETIN -p tcp --dport 53 -j ACCEPT
iptables -A INETIN -p udp --dport 53 -j ACCEPT

# allow ssh (do you run ssh?)
iptables -A INETIN -p tcp --dport 22 -j ACCEPT

# gkrellm (do you want gkrellm available?)
iptables -A INETIN -p tcp --dport 19150 -j ACCEPT


# default policy = log and drop
iptables -A INETIN -p tcp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (tcp) " --log-level info
iptables -A INETIN -p udp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (udp) " --log-level info
iptables -A INETIN -p icmp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (icmp) " --log-level info
iptables -A INETIN -f -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (fragment) " --log-level info

# this effectively sets the policy to DROP, we could remove this and set it in the chain creation rule
iptables -A INETIN -j DROP


## test outgoing traffic (INETOUT was created at the top of the script)

# example drop in INETOUT chain
#iptables -A INETOUT -d 1.2.3.4 -p tcp -j DROP

# accept everything..
iptables -A INETOUT -j ACCEPT


## log and drop chain (filter table)... with limit to protect the log file
iptables -A LDROP -p tcp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (tcp) " --log-level info
iptables -A LDROP -p udp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (udp) " --log-level info
iptables -A LDROP -p icmp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (icmp) " --log-level info
iptables -A LDROP -f -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (fragment) " --log-level info
iptables -A LDROP -j DROP

# log and drop the martians.. (see above)
iptables -A MARTIAN -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "martian network " --log-level info
iptables -A MARTIAN -j DROP




 

phew.. well I hope the info helped.. note the order would need a little jigging to get this working..

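Post #2 asks how the rules actually work, so here is an added example (not code from either post) that walks a packet through the INETIN and TCPCHK chains shared by both rule sets with netfilter's chain semantics: a `--tcp-flags MASK COMP` match, `-m state`, and the difference between ACCEPT/DROP (which end the whole INPUT traversal) and RETURN (which hands back to the calling chain). It encodes only a representative subset of TCPCHK, leaves out `-m limit` and LOG rules, and uses its own names throughout; the `syn_target` parameter shows why the rate-limited `--tcp-flags ACK,RST,SYN SYN` rule must end in RETURN rather than ACCEPT if INETIN's port allow-list is to mean anything.

```python
"""Walk an inbound TCP packet through the INETIN -> TCPCHK chains above.

Added example, not code from the thread: it models the --tcp-flags MASK COMP
match, -m state, and ACCEPT/DROP (which end the whole INPUT traversal) versus
RETURN (back to the calling chain). Subset of TCPCHK only; -m limit and LOG
rules never decide a verdict on their own and are left out.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def flagset(spec: str) -> int:
    """Parse an iptables flag list such as 'ACK,RST,SYN', 'ALL' or 'NONE'."""
    if spec == "ALL":
        return sum(FLAGS.values())
    return 0 if spec == "NONE" else sum(FLAGS[f] for f in spec.split(","))


@dataclass
class Packet:
    flags: int   # TCP flag bits, see FLAGS
    dport: int
    state: str   # conntrack view: NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    target: str                         # ACCEPT, DROP, RETURN or a user chain
    mask: Optional[int] = None          # --tcp-flags MASK ...
    comp: Optional[int] = None          # --tcp-flags ... COMP
    states: Optional[frozenset] = None  # -m state --state ...
    dport: Optional[int] = None         # --dport

    def matches(self, pkt: Packet) -> bool:
        # --tcp-flags: of the bits named in MASK, exactly those in COMP must be set
        if self.mask is not None and (pkt.flags & self.mask) != self.comp:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return self.dport is None or pkt.dport == self.dport


def tcp_flags(mask: str, comp: str, target: str, states: Optional[str] = None) -> Rule:
    """Build '-p tcp --tcp-flags MASK COMP [-m state --state STATES] -j TARGET'."""
    return Rule(target, flagset(mask), flagset(comp), frozenset(states.split(",")) if states else None)


def build_chains(syn_target: str) -> Dict[str, List[Rule]]:
    """INETIN plus a subset of TCPCHK. syn_target is the target of the rate-limited
    '--tcp-flags ACK,RST,SYN SYN' rule: ACCEPT as in the original save, or RETURN."""
    tcpchk = [
        tcp_flags("ALL", "NONE", "DROP"),                  # "NULL scan"
        tcp_flags("ALL", "FIN,PSH,URG", "DROP"),           # "XMAS scan"
        tcp_flags("ACK,FIN", "FIN", "DROP"),               # "FIN scan"
        tcp_flags("FIN,SYN", "FIN,SYN", "DROP"),           # "SYN/FIN scan"
        tcp_flags("ACK,RST,SYN", "SYN", syn_target),       # plain SYN within the limit
        tcp_flags("ALL", "ACK", "RETURN", "ESTABLISHED"),  # ACK on a known connection
        tcp_flags("ALL", "ACK", "DROP", "NEW,RELATED"),    # "ACK w/ NEW,RELATED"
    ]
    inetin = [
        Rule("TCPCHK"),                                    # -A INETIN -p tcp -j TCPCHK
        Rule("ACCEPT", states=frozenset({"ESTABLISHED"})),
        Rule("ACCEPT", dport=53),                          # allow dns
        Rule("ACCEPT", dport=22),                          # allow ssh
        Rule("ACCEPT", dport=19150),                       # gkrellm
        Rule("DROP"),                                      # default policy = log and drop
    ]
    return {"TCPCHK": tcpchk, "INETIN": inetin}


def walk(chains: Dict[str, List[Rule]], name: str, pkt: Packet) -> Optional[str]:
    """First matching ACCEPT/DROP wins outright; RETURN (or the end of a user chain) hands back."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target == "RETURN":
            return None
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        result = walk(chains, rule.target, pkt)  # -j <user chain>
        if result is not None:
            return result
    return None


def verdict(chains: Dict[str, List[Rule]], pkt: Packet) -> str:
    # INETIN is entered from INPUT, whose policy is DROP, so no verdict means DROP
    return walk(chains, "INETIN", pkt) or "DROP"


def pkt(flags: str, dport: int, state: str = "NEW") -> Packet:
    return Packet(flagset(flags), dport, state)


if __name__ == "__main__":
    for p in (pkt("SYN", 22), pkt("SYN", 80), pkt("ACK", 80, "ESTABLISHED"), pkt("FIN,PSH,URG", 22)):
        print(p, "ACCEPT-rule:", verdict(build_chains("ACCEPT"), p),
              "RETURN-rule:", verdict(build_chains("RETURN"), p))
```

With the SYN rule set to ACCEPT, a within-limit SYN to port 80 is accepted before INETIN ever looks at its port list; with RETURN it falls through to the "DROP by policy" rule.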