public inbox for speakup@linux-speakup.org
* firewall stuff
From: Deedra Waters @  UTC (permalink / raw)
  To: speakup

[-- Attachment #1: Type: TEXT/PLAIN, Size: 618 bytes --]

     My current firewall script is causing some problems with some things
that I'm trying to do.... due to the fact that I don't know enough about
Linux and iptables, I thought I'd try another firewall script that someone
had posted to the list.

The problem I'm having with the script is this..... when I try and run it
I get this error...
./firewall: /proc/sys/net/ipv4/ip_foward: No such file or directory
but the file appears to be there, so I'm not really sure what I'm doing
wrong; if I could get some help off list with this I'd appreciate it...
I've attached the firewall script I'm trying to use to this message.


[-- Attachment #2: Type: TEXT/PLAIN, Size: 4720 bytes --]

#!/bin/bash

# Flush every chain in every table and delete user-defined chains so the
# script starts from a clean slate.
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X

# Default policies: drop unsolicited input, allow output and forwarding
# (forwarding is narrowed further down).
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#This enables ip forwarding, and thus by extension, NAT
#Turn this on if you're going to be doing NAT or Masquerading
#The sysctl is spelled ip_forward; a misspelled path here is what produces
#the "No such file or directory" error, and the shell then carries on with
#forwarding still switched off.
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#The commented-out rule would map port 80 to an internal web server:
#anything incoming over eth0 to the server would be redirected invisibly
#to port 80 on 192.168.1.60. The active rule ACCEPTs port 80 in the nat
#table, which means "do not translate it", so port 80 is left for the
#INPUT chain of this box to handle.

#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.60
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 0/0 --dport 80 -j ACCEPT

#These four redirect a block of ports, in both udp and tcp, to 192.168.1.69.

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 2074:2076 -j DNAT --to 192.168.1.69
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2074:2076 -j DNAT --to 192.168.1.69
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4074:4076 -j DNAT --to 192.168.1.69
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4074:4076 -j DNAT --to 192.168.1.69

#Now, our firewall chain
#We use the limit match to cap the rate at which it alerts to 15
#log messages per minute
iptables -N firewall
#iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix "fp=Firewall:1 a=DROP "
iptables -A firewall -j DROP

#Now, our dropwall chain, for the final catchall filter
#The LOG rule is commented out, so packets that reach this chain are
#dropped without a log entry unless you uncomment it.
iptables -N dropwall
# iptables -A dropwall -m limit --limit 15/minute -j LOG \
# --log-level 1 --log-prefix "fp=Dropwall:2 a=DROP "
iptables -A dropwall -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A dropwall -j DROP

#Our "hey, them's some bad tcp flags!" chain
iptables -N badflags
#iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix "fp=Badflags:3 a=DROP "
iptables -A badflags -j DROP

#And our silent chain: drops without logging
iptables -N silent
iptables -A silent -j DROP


#Accept ourselves (loopback interface), 'cause we're all warm and friendly
iptables -A INPUT -i lo -j ACCEPT

#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. (--tcp-flags MASK COMP examines only the flags in MASK and matches
#when exactly the flags in COMP are set among them.) They only turn up in
#scans and malformed-packet attacks, so we log and drop them here.
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

#Drop icmp, but only after letting certain types through:
#0 echo reply, 3 destination unreachable, 11 time exceeded, and
#8 echo request at no more than one per second.
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp -j firewall

#Services accepted on INPUT. eth0 is the external interface, eth1 the
#internal one. FTP (21) is accepted only from eth1; SSH (22) is accepted
#on both interfaces; SMTP (25) is accepted from eth0; and the last rule
#accepts everything arriving on eth1. Comment out the eth0 port 22 rule
#if you don't want SSH reachable from the outside world.
#
iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth1 -d 0/0 -j ACCEPT

# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them. This rule only covers forwarded
# traffic; there is no matching anti-spoofing rule on INPUT.
iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP

#Let's do some basic state-matching
#This allows us to accept related and established connections, so
#client-side things like ftp work properly, for example.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

#Uncomment the "silent" rule (and comment out the ACCEPT under it) to drop
#port 137 netbios packets silently. We don't like that netbios stuff, and
#it's way too spammy with windows machines on the network.
#
# iptables -A INPUT -p udp --sport 137 --dport 137 -j silent
iptables -A INPUT -p udp --sport 137 --dport 137 -j ACCEPT
iptables -A INPUT -p udp --sport 138 --dport 138 -j ACCEPT
iptables -A INPUT -p udp --sport 139 --dport 139 -j ACCEPT

#Our final trap. Everything left on INPUT goes to the dropwall (which
#only logs if its LOG rule above is uncommented).
iptables -A INPUT -j dropwall
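
The error in the message above comes from a shell redirect to a misspelled /proc/sys path, and because the script does not stop on that failure, every iptables rule after it is installed with forwarding still off. The following bash helpers are an added example, not part of Deedra's attachment or of the endoshield script mentioned later in the thread: check_proc_paths scans a firewall script for every /proc/sys path it touches and reports the ones that do not exist, and enable_forwarding refuses to continue unless the sysctl file is actually writable. Both take an optional directory prefix (an assumption made here so the checks can run against a constructed fake /proc tree without root); the sample script and the tree built in demo are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original post): pre-flight checks for a
# firewall script. Assumes only bash, grep, sort and mktemp.

# check_proc_paths SCRIPT [ROOT]
# Reports each /proc/sys path referenced in SCRIPT that does not exist
# under ROOT (ROOT defaults to empty, i.e. the real /proc).
# Exit status is the number of missing paths, so 0 means "all present".
check_proc_paths() {
    local script="$1" root="${2:-}" missing=0 path
    # Every /proc/sys/... token in the script, de-duplicated.
    for path in $(grep -oE '/proc/sys/[A-Za-z0-9_./-]+' "$script" | sort -u); do
        if [ ! -e "${root}${path}" ]; then
            printf 'missing sysctl: %s\n' "$path" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# enable_forwarding [SYSCTL_DIR]
# Writes 1 to SYSCTL_DIR/ip_forward only after confirming the file is
# writable; otherwise fails loudly instead of silently leaving forwarding
# (and therefore NAT) switched off.
enable_forwarding() {
    local dir="${1:-/proc/sys/net/ipv4}" f
    f="$dir/ip_forward"
    if [ ! -w "$f" ]; then
        printf 'cannot enable forwarding: %s is not writable\n' "$f" >&2
        return 1
    fi
    echo 1 > "$f"
}

# demo: build a constructed fake /proc tree and a two-line script that
# contains the typo from the post, then run both checks against them.
demo() {
    local tmp bad=0 value
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/proc/sys/net/ipv4"
    echo 0 > "$tmp/proc/sys/net/ipv4/ip_forward"
    printf 'echo 1 > /proc/sys/net/ipv4/ip_foward\n'  >  "$tmp/fw.sh"   # typo
    printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n' >> "$tmp/fw.sh"   # correct
    check_proc_paths "$tmp/fw.sh" "$tmp" || bad=$?      # reports ip_foward
    enable_forwarding "$tmp/proc/sys/net/ipv4"
    value="$(cat "$tmp/proc/sys/net/ipv4/ip_forward")"
    rm -rf "$tmp"
    echo "missing=$bad ip_forward=$value"
}

demo
```

Run the check against the real tree with `check_proc_paths ./firewall` before executing the script; a non-zero exit status names the misspelled path, which here is exactly what iptables' own output never tells you, since the failing command is a shell redirect and not an iptables call.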


* Re: firewall stuff
From: Gregory Nowak @  UTC (permalink / raw)
  To: speakup

Sorry I can't help you, since I know next to nothing about iptables.
However, Raul had recommended a good firewall script to me a while back, and I'm very happy with it.
You can find it at http://endoshield.sourceforge.net. Hth.
Greg


On Wed, Dec 26, 2001 at 09:51:29AM -0500, Deedra Waters wrote:
>      My current firewall script is causing some problems with some things
> that I'm trying to do.... due to the fact that I don't know enough about
> Linux and iptables, I thought I'd try another firewall script that someone
> had posted to the list.
> 
> The problem I'm having with the script is this..... when I try and run it
> I get this error...
> ./firewall: /proc/sys/net/ipv4/ip_foward: No such file or directory
> but the file appears to be there, so I'm not really sure what I'm doing
> wrong; if I could get some help off list with this I'd appreciate it...
> I've attached the firewall script I'm trying to use to this message.
> 

> #!/bin/bash
> 
> iptables -F
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
> iptables -F -t mangle
> iptables -F -t nat
> iptables -X
> 
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> 
> #This enables ip forwarding, and thus by extension, NAT
> #Turn this on if you're going to be doing NAT or Masquerading
> echo 1 > /proc/sys/net/ipv4/ip_foward
> 
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> 
> #This one maps port 80 to 192.168.1.1. Anything incoming over eth0 to
> #the server will be redirected invisibly to port 80 on 192.168.1.1
> 
> #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.60
> iptables -t nat -A PREROUTING -i eth0 -p tcp -s 0/0 --dport 80 -j ACCEPT
> 
> #These four redirect a block of ports, in both udp and tcp.
> 
> iptables -t nat -A PREROUTING -i eth0 -p udp --dport 2074:2076 -j DNAT --to 192.168.1.69
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2074:2076 -j DNAT --to 192.168.1.69
> iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4074:4076 -j DNAT --to 192.168.1.69
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4074:4076 -j DNAT --to 192.168.1.69
> 
> #Now, our firewall chain
> #We use the limit commands to cap the rate at which it alerts to 15
> #log messages per minute
> iptables -N firewall
> #iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
> iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix "fp=Firewall:1 a=DROP " 
> iptables -A firewall -j DROP
> 
> #Now, our dropwall chain, for the final catchall filter
> iptables -N dropwall
> # iptables -A dropwall -m limit --limit 15/minute -j LOG \
> # --log-level 1 --log-prefix "fp=Dropwall:2 a=DROP "
> iptables -A dropwall -i eth0 -p tcp --dport 80 -j ACCEPT
> iptables -A dropwall -j DROP
> 
> #Our "hey, them's some bad tcp flags!" chain
> iptables -N badflags
> #iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
> iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix "fp=Badflags:3 a=DROP "
> iptables -A badflags -j DROP
>  
> #And our silent logging chain
> iptables -N silent
> iptables -A silent -j DROP
> 
> 
> #Accept ourselves (loopback interface), 'cause we're all warm and friendly
> iptables -A INPUT -i lo -j ACCEPT
> 
> #Drop those nasty packets!
> #These are all TCP flag combinations that should never, ever occur in the
> #wild. All of these are illegal combinations that are used to attack a box
> #in various ways, so we just drop them and log them here.
> iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
> iptables -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
> iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
> iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
> iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
> 
> #Drop icmp, but only after letting certain types through
> iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
> iptables -A INPUT -p icmp -j firewall
> 
> #Accept SSH connections from everywhere.
> #Uncomment this if you're running SSH and want to be able to access it
> #from the outside world.
> #
> iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 21 -j ACCEPT
> iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -i eth1 -d 0/0 -j ACCEPT
> 
> # We should not accept any datagrams with a source address matching ours
> # from the outside, so we deny them.
> iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP
>  
> #Lets do some basic state-matching
> #This allows us to accept related and established connections, so
> #client-side things like ftp work properly, for example.
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> 
> #Uncomment to drop port 137 netbios packets silently. We don't like
> #that netbios stuff, and it's #way too spammy with windows machines on
> #the network.
> #
> # iptables -A INPUT -p udp --sport 137 --dport 137 -j silent
> iptables -A INPUT -p udp --sport 137 --dport 137 -j ACCEPT
> iptables -A INPUT -p udp --sport 138 --dport 138 -j ACCEPT
> iptables -A INPUT -p udp --sport 139 --dport 139 -j ACCEPT
> 
> #Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
> iptables -A INPUT -j dropwall



