This is the comment you were replying to, attached to the article Question: A good iptables tutorial?:


Re: Question: A good iptables tutorial?
Posted by Eirik (129.177.xx.xx) on Thu 25 Aug 2005 at 16:50
I use a script similar to the following, called from /etc/network/interfaces:
#/etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
  pre-up /etc/firewall-rules.sh eth0
  address x.x.x.x
  netmask 255.255.255.0
  gateway y.y.y.y

#!/bin/bash
#/etc/firewall-rules.sh
#Uses [[ ]] and shell functions, so run it under bash rather than plain sh.

check() {
  if [[ ! -x "$1" ]]
  then
    echo "$1 not found or is not executable"
    exit 1
  fi
}

IPTABLES="/sbin/iptables"
check "$IPTABLES"

#Uncomment the next line to print every rule as it is applied:
#IPTABLES=iptables_debug
rule_counter=1
iptables_debug() {
   echo "doing ( $((rule_counter++)) ): \"/sbin/iptables $*\""
   /sbin/iptables "$@"
}

INTERFACE=$1
if [[ "$INTERFACE" == "" ]]
then
   echo "INTERFACE variable unset! Aborting"
   exit 1
fi

echo -n "Attempting to bring up firewall on $INTERFACE: "

#Flush old rules and delete old user-defined chains:
$IPTABLES -F
$IPTABLES -X

#Set DROP as standard policies. Default deny always makes
#the most sense.

$IPTABLES -P INPUT   DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT  DROP

#Additional rule chains:

#It's wrong, and creates all sorts of silly problems, if
#ICMP packets are dropped, so allow related ICMP traffic:
$IPTABLES -N icmp-chain
$IPTABLES -A icmp-chain -i $INTERFACE -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

#Answer pings, but rate-limit them to 5 per second:
$IPTABLES -A icmp-chain -i $INTERFACE -p icmp --icmp-type echo-request -m limit --limit 5/s -m state --state NEW -j ACCEPT

$IPTABLES -A icmp-chain -i $INTERFACE -p icmp --icmp-type destination-unreachable -m state --state NEW -j ACCEPT

$IPTABLES -A icmp-chain -i $INTERFACE -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT

$IPTABLES -A icmp-chain -i $INTERFACE -p icmp --icmp-type timestamp-request -m state --state NEW -j ACCEPT

$IPTABLES -A icmp-chain -i $INTERFACE -p icmp --icmp-type timestamp-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
#Drop everything else:
$IPTABLES -A icmp-chain -j DROP


#services - these are services run on the system:
#Uncomment and edit lines, to enable services. See the iptables
#documentation for various ways to specify addresses.
$IPTABLES -N services

#ssh from private lan:
#$IPTABLES -A services -p tcp -i $INTERFACE --dport 22 --sport 1024:65535 -s x.x.x.x -m state --state NEW -j ACCEPT

#www from an ip-address
#$IPTABLES -A services -p tcp -i $INTERFACE --dport 80 --sport 1024:65535 -s y.y.y.y -m state --state NEW -j ACCEPT

#Default policy: drop
$IPTABLES -A services -j DROP

# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST
$IPTABLES -A INPUT -i $INTERFACE -p ip -f -j DROP
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP


# Allow all on loopback
$IPTABLES -A INPUT -i lo  -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo  -d 127.0.0.1 -j ACCEPT

#Allow established connections:
$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Anti-spoofing rules: drop packets arriving on the external interface
# whose source address cannot legitimately come from there (the first
# address is presumably this host's own, then the private LAN and loopback)
$IPTABLES -A INPUT -i $INTERFACE  -s 200.200.200.200 -j DROP
$IPTABLES -A INPUT -i $INTERFACE  -s 192.168.0.0/24 -j DROP
$IPTABLES -A INPUT -i $INTERFACE  -s 127.0.0.0/8 -j DROP

# Block NEW without SYN: a packet opening a TCP connection must be a SYN
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

#Allowing all outgoing connections -- I've found this makes
#the most sense -- you could limit this of course, to make it
#more difficult to download exploit code etc -- but if an
#attacker is able to type text, there are many ways to install
#exploits.
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT

#Enable the ICMP chain
$IPTABLES -A INPUT -p icmp -j icmp-chain


#and the services chain:
$IPTABLES -A INPUT -i $INTERFACE -m state --state NEW -j services

echo "done."
If you add new rules, either do:
/etc/init.d/networking restart

or

/sbin/ifdown eth0 ; /sbin/ifup eth0
The latter is usually fast enough that you won't lose the ssh connection to the server.

But always be careful when experimenting with iptables -- locking yourself out is a very real possibility.

The benefit of this approach is that it makes it easy to add new services: as all established connections are allowed, all that is needed is to add a new rule allowing connections from a certain subnet to a certain port, and everything (should :) work.

You might want to define a few variables, such as $LAN or $TRUSTED_HOSTS, to save some typing and avoid repeating addresses.

You could limit which hosts you send icmp-replies to -- but I don't recommend it. It adds very little real security to your setup; a ping flood would still eat all your upstream bandwidth, for instance, even if all you do is filter the pings.
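The "one accept rule per trusted source, DROP last" pattern for the services chain, as an added example that is not part of Eirik's comment: IPTABLES points at a recording function instead of /sbin/iptables, so the generated rules can be inspected on a machine without root. The names RULE_LOG, LAN, TRUSTED_HOSTS, allow_service, build_services_chain, rule_count and last_rule_is_drop, and the sample addresses, are assumptions made here.

```shell
#!/bin/bash
# Added example (not from the original comment): dry-run harness for
# extending the services chain. Rules are appended to RULE_LOG rather
# than applied, so the output can be reviewed before touching a live box.
RULE_LOG="${RULE_LOG:-$(mktemp)}"
record_rule() { printf '%s\n' "$*" >> "$RULE_LOG"; }
IPTABLES=record_rule
INTERFACE=${INTERFACE:-eth0}

# Constructed sample values for the variables the comment suggests.
LAN="192.168.1.0/24"
TRUSTED_HOSTS="203.0.113.10 203.0.113.11"

# allow_service PORT SOURCE [SOURCE...]: one NEW-state accept per source,
# in the same shape as the commented-out examples in the services chain.
allow_service() {
  local port=$1; shift
  local src
  [ "$#" -gt 0 ] || { echo "allow_service: need a source address" >&2; return 1; }
  case $port in
    ''|*[!0-9]*) echo "allow_service: bad port '$port'" >&2; return 1 ;;
  esac
  for src in "$@"; do
    $IPTABLES -A services -p tcp -i "$INTERFACE" --dport "$port" \
      --sport 1024:65535 -s "$src" -m state --state NEW -j ACCEPT
  done
}

# Build the chain in the order the original script uses: create it,
# add the accepts, then the catch-all DROP. Word splitting of $LAN and
# $TRUSTED_HOSTS is intentional: each address becomes its own rule.
build_services_chain() {
  : > "$RULE_LOG"
  $IPTABLES -N services
  allow_service 22 $LAN             # ssh from the private LAN
  allow_service 80 $TRUSTED_HOSTS   # www from two trusted hosts
  $IPTABLES -A services -j DROP
}

# Checks on the generated chain: rule count, and that DROP is the last
# rule (an accept appended after it would never be reached).
rule_count() { grep -c -- '-A services' "$RULE_LOG"; }
last_rule_is_drop() { tail -n 1 "$RULE_LOG" | grep -q -- '-j DROP$'; }

# Run stand-alone to see the generated rules:
#   build_services_chain && cat "$RULE_LOG"
```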

