This section is part of a larger install-script I'm working on, and my knowledge of iptables stinks (still learning it), so what I need is for this to be in the right order, with the right options enabled.

Basically I want: - to allow in what need be, to drop (not reject - what I don't want) - to have separation of the info into the appropriate custom log files in /var/log - to be as safe as possible and secure against probes, attacks etc, yet still usable - to allow NAT port forwarding (I have a router like many people do) (I use SSH and VNC in/out)

This is intended to be used on an Ubuntu desktop machine (Lucid Lynx or later)

Again... I know this stinks, but I need some serious help with it. Some options are in there, just not enabled, and that's fine.

I've updated the script on 08/13/10.

#! /bin/bash
#
# #######################################################################################################################
# iptables setup and configuration
# #######################################################################################################################
#
# The following is a script for setting up and configuring iptables on a desktop computer running Ubuntu.
#
iptables -F
#
# #######################################################################################################################
# Logging
# #######################################################################################################################
#
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
#
#
# #######################################################################################################################
# iptables-rules-input-policies
# #######################################################################################################################
#
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#
# #######################################################################################################################
# Allow unlimited outbound traffic
# #######################################################################################################################
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# #######################################################################################################################
# icmp, INPUT and ports setup
# #######################################################################################################################
#
iptables -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 113 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5500 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5800 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT
#
# #######################################################################################################################
# Securing INPUT
# #######################################################################################################################
#
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
#
# #######################################################################################################################
# Allow freenode to talk to gidentd
# #######################################################################################################################
#
iptables -A INPUT -s chat.freenode.net -p tcp --dport 113 -j ACCEPT
#
# #######################################################################################################################
# Enable IP Forwarding
# #######################################################################################################################
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# #######################################################################################################################
# IP Masquerading
# #######################################################################################################################
#
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
#
# #######################################################################################################################
# iptables-anti-attack-measures-policies
# #######################################################################################################################
#
# In the following section set it 1 to enable the feature or 0 to disable the feature
#
# TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
#
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#
# #######################################################################################################################
# Lockdown INPUT
# #######################################################################################################################
#
iptables -A INPUT -j DROP
iptables -P INPUT DROP
#
# #######################################################################################################################
# iptables-save workaround
# #######################################################################################################################
#
iptables-save -c > /etc/iptables.rules
iptables-restore 

asked 11 Aug '10, 23:02

Ron's gravatar image

Ron ♦
9361618
accept rate: 13%

edited 13 Aug '10, 22:50

Please accept an answer so the question/answer can be finished. Or provide more details so we can help.

(20 Apr '11, 14:08) rfelsburg ♦



I'm not an iptables expert, but I can give a few pointers. With iptables order is important as the first commands executed will be the first rules in the chains. I would start the file with a --flush command to make sure that other rules won't get in the way. Then, I like to set the default policy (-P). Since you say in your file that you want unlimited outbound traffic, I would give OUTPUT a default of ACCEPT. All others I would set to DROP. Then, I would allow for internal packets to be accpeted.

With this as a starting place, I would go through first finding the things that I don't want to allow out and then things that I do want to allow in. Remember that once a packet is dropped, it won't be able to be logged, so do the logging before dropping. Usually, I put the rules together in the file so that it is logged right before it is dropped. At the very end of the file, I would then allow all remaining ESTABLISHED,RELATED packets to INPUT to ACCEPT. However, right before that, I would DROP all NEW tcp packets not marked with SYN (iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP).

You may note that this is more of a whitelist, but you really want some sort of a whitelist for security reasons. You can allays give certain protocols and ACCEPT rule at the end to make it a blacklist. These are mostly very broad and vague suggestions, but perhaps they show the method that I use to write my iptables script.

link

answered 12 Aug '10, 05:52

kainosnous's gravatar image

kainosnous
3243
accept rate: 18%

Can you post yur layout / code on how you setup your tables please?

(13 Aug '10, 15:03) Ron ♦

Hi

Hi,

at the end, how is your /etc/iptables.rules look like? If i am not in mistake... ..you are doing nat & ip forwarding, but you are dropping all forwarding packets. Also, whole your firewall is oriented only for INPUT. It's not good way to drop ICMP type 8 packets (ping), especially for routers. Here is some notes, from the way I saw how it's done (copy from configuration file - i'am using fedora):

-A INPUT -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m limit --limit 10/second -j ACCEPT
-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -j DROP

It's good to accept everything ESTABLISHED and RELATED, so after that rule, everything else should be with state NEW, right? So it doesn't sense to put : -m state --state NEW.

I saw, that you are using SSH. My suggestion is to use separate chain for that port. With that chain you can manage more precision way.:

:IN_proto_SSH - [0:0]
-A INPUT -p tcp --dport 22 -j IN_proto_SSH
-A IN_proto_SSH -s 192.168.100.1 -j ACCEPT
-A IN_proto_SSH -j REJECT_unr_PORT

Note, that i use separate chain for dropping. (When i drop, i want to be SURE that it's drop, no matter how ;) ). First it's good to be done friendly. If it's just DROP-ing, the sender will try AGAIN shortly. But if you reject and say "man, there is nothing there", the sender stop sending that requests:

:REJECT_unr_PORT - [0:0]
-A REJECT_unr_PORT -p tcp -j REJECT --reject-with tcp-reset
-A REJECT_unr_PORT -p udp -j REJECT --reject-with icmp-port-unreachable
-A REJECT_unr_PORT -j DROP

Also, you can find useful to work with '-m limit --limit 20/minute -j ACCEPT' and '-j LOG --log-level debug --log-prefix ":note: " '

link

answered 17 Aug '10, 10:54

mitio's gravatar image

mitio
11
accept rate: 0%

edited 17 Aug '10, 12:09

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×81
×5
×3
×2

Asked: 11 Aug '10, 23:02

Seen: 4,088 times

Last updated: 20 Apr '11, 14:08

powered by OSQA