RFC: firewall-hint_v1.3

Henning Rohde Rohde.Henning at gmx.net
Mon Aug 13 01:15:33 PDT 2001


Hi Paul, hi everybody else,

Paul, tell me, via private mail if you want, what went wrong?

One thing I have to confess: the hint is NOT aimed at securing one server 
by itself! It's meant to secure either your 'surfing terminal'
or your 'masquerading gateway/router', with additional services.

If you'd like me to outline a setup for your server itself, tell me;
I think Jeff, if he'd like to collaborate, and I could give you some for 
your server. For a preview, have a look at the PS.


The reason why I did not want to provide such a setup is that on a 
server you are the man who restricts the services that are running.
And if there are no daemons running besides OpenSSH and Apache, secured 
in themselves, the chances for a cracker to succeed seem quite slim.

If more services are being offered (distributors install and activate 
them quite generously, personally I'd say recklessly), you could 
prevent anyone from accessing them with a firewall.

But, do you expect me to know which services you'd like to offer and 
which to restrict?

OK, I'll append a script that allows anyone to access your server via 
http on port 80, and a limited source (ADAPT IT!) to ping it and to 
access port 22, for OpenSSH.


Have a nice day,

Henning



PS: the Script:

Take care to clean the table with the short firewall.stop script I put 
into the hint.

#!/bin/sh
##/etc/init.d/firewall

# Insert connection-tracking modules
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ipt_state
modprobe ipt_LOG

# special chain for service-access
iptables -N srvc_in
iptables -N srvc_out

# allow local-only-connections
iptables -A INPUT	-i lo		-j ACCEPT
iptables -A OUTPUT	-o lo		-j ACCEPT

# drop malformed packets
iptables -I INPUT	-p tcp	-m state --state INVALID -j DROP
# Packets from/to reserved/assigned IPs
iptables -A INPUT	-s 127.0.0.0/8			-j DROP
iptables -A INPUT	-d 127.0.0.0/8			-j DROP
iptables -A INPUT	-s 10.0.0.0/8			-j DROP
iptables -A OUTPUT	-d 10.0.0.0/8			-j DROP
iptables -A INPUT	-s 172.16.0.0/12		-j DROP
iptables -A OUTPUT	-d 172.16.0.0/12		-j DROP
iptables -A INPUT	-s 192.168.0.0/16		-j DROP
iptables -A OUTPUT	-d 192.168.0.0/16		-j DROP
iptables -A INPUT	-s 224.0.0.0/4			-j DROP
iptables -A OUTPUT	-d 224.0.0.0/4			-j DROP
iptables -A INPUT	-s 240.0.0.0/5			-j DROP
iptables -A OUTPUT	-d 240.0.0.0/5			-j DROP
iptables -A INPUT	-s 0.0.0.0/32			-j DROP
iptables -A INPUT	-d 0.0.0.0/32			-j DROP
iptables -A OUTPUT	-s 0.0.0.0/32			-j DROP
iptables -A OUTPUT	-d 0.0.0.0/32			-j DROP
iptables -A INPUT	-s 255.255.255.255/32		-j DROP
iptables -A INPUT	-d 255.255.255.255/32		-j DROP
iptables -A OUTPUT	-s 255.255.255.255/32		-j DROP
iptables -A OUTPUT	-d 255.255.255.255/32		-j DROP
# The following packets are nothing legitimate:
## SYN+FIN packets (no legitimate use; seen in scans)
iptables -A INPUT   -p tcp --tcp-flags SYN,FIN SYN,FIN	-j DROP
## NULL packets (no flags set at all)
iptables -A INPUT	-p tcp --tcp-flags ALL NONE	-j DROP
## FIN without ACK: FIN scans
iptables -A INPUT	-p tcp --tcp-flags FIN,ACK FIN	-j DROP
## Packets to reserved Ports
iptables -A INPUT	-p tcp --dport 0		-j DROP
iptables -A INPUT	-p udp --dport 0		-j DROP
## drop critical ICMP-Packets
iptables -A INPUT    -p icmp --icmp-type router-advertisement	-j DROP
iptables -A INPUT    -p icmp --icmp-type parameter-problem	-j DROP
iptables -A INPUT    -p icmp --icmp-type timestamp-request	-j DROP
iptables -A INPUT    -p icmp --icmp-type address-mask-request	-j DROP

# allow anyone to browse your server
iptables -A INPUT	-p tcp --dport 80		-j ACCEPT
# allow the corresponding reply traffic
iptables -A OUTPUT	-p tcp --sport 80	\
	-m state --state ESTABLISHED			-j ACCEPT

# Jump to special-chain for service-access
## adapt to your IP/subnet
iptables -A INPUT	-s 132.180.0.0/16      		-j srvc_in
iptables -A OUTPUT	-d 132.180.0.0/16      		-j srvc_out

# service-chain
iptables -A srvc_in	-p tcp --dport 22		-j ACCEPT
iptables -A srvc_out	-p tcp --sport 22	\
	-m state --state ESTABLISHED			-j ACCEPT
iptables -A srvc_in	-p icmp			\
	-m icmp --icmp-type echo-request		-j ACCEPT
iptables -A srvc_out	-p icmp			\
	-m icmp --icmp-type echo-reply			-j ACCEPT

# Log everything that's dropped by policy (unlimited: on a busy host
# these two rules can fill the logs; rate-limit them if that happens)
iptables -A INPUT       -j LOG --log-prefix "FIREWALL:INPUT  "
iptables -A OUTPUT      -j LOG --log-prefix "FIREWALL:OUTPUT "

# set a sane policy:    everything not accepted > /dev/null
iptables -P INPUT       DROP
iptables -P FORWARD     DROP
iptables -P OUTPUT      DROP

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
	echo 0 > $f
done
# activate Route-Verification = IP-Spoofing protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
	echo 1 > $f
done
# no Source-routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
	echo 0 > $f
done
# mad Packets are logged: Spoofed P, Source Routed P, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
	echo 1 > $f
done
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Enable always-defragging Protection (2.2 kernels only; on 2.4 the
# file does not exist, connection tracking defragments, and this write
# just reports an error and is skipped)
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# TCPsyncookie support
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# no answer to Broadcast-Pings
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# time trying to finish closing a connection
echo 30 >/proc/sys/net/ipv4/tcp_fin_timeout
# time before killing a stale connection
echo 1800 >/proc/sys/net/ipv4/tcp_keepalive_time
# turn off some IP extensions that aren't needed
echo 0  >/proc/sys/net/ipv4/tcp_window_scaling
echo 0  >/proc/sys/net/ipv4/tcp_sack
echo 0  >/proc/sys/net/ipv4/tcp_timestamps
# disable ExplicitCongestionNotification
echo 0 > /proc/sys/net/ipv4/tcp_ecn
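Added example, not from the mail above and not part of the BLFS hint: a
small Python triage script for the lines that the script's last two LOG
rules (--log-prefix "FIREWALL:INPUT  " and "FIREWALL:OUTPUT ") write to
syslog. The log lines embedded below are constructed to match the
netfilter LOG format; host name, timestamps and all addresses are made
up. It counts drops per chain, per service and per source, lists sources
whose dropped SYNs swept several ports, and separates the OUTPUT-chain
lines, which are the server's own packets being dropped by the OUTPUT
DROP policy (a DNS lookup in the sample), the usual sign that an egress
rule is still missing.

```python
"""Triage of netfilter LOG lines produced by the firewall script's final
two rules. Added example; log data below is constructed, not captured."""
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/messages (made-up hosts and addresses).
SAMPLE_LOG = """\
Aug 13 01:20:01 box kernel: FIREWALL:INPUT  IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40123 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 13 01:20:02 box kernel: FIREWALL:INPUT  IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40124 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 13 01:20:02 box kernel: FIREWALL:INPUT  IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40125 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 13 01:20:03 box kernel: FIREWALL:INPUT  IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40126 DPT=143 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 13 01:20:05 box kernel: FIREWALL:INPUT  IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Aug 13 01:20:06 box kernel: FIREWALL:INPUT  IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=4712 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 13 01:20:07 box kernel: FIREWALL:OUTPUT IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33333 DPT=53 LEN=40
Aug 13 01:20:09 box sshd[123]: Accepted publickey for henning from 132.180.1.2
"""

PREFIX_RE = re.compile(r"kernel: FIREWALL:(INPUT|OUTPUT)\s+(.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")          # KEY=VALUE tokens
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG|DF)\b")  # bare flag words


def parse_line(line):
    """Return {'chain', 'fields', 'flags'} for a FIREWALL: line, else None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    chain, rest = m.group(1), m.group(2)
    fields = dict(KV_RE.findall(rest))     # later keys (e.g. UDP LEN) win
    flags = set(FLAG_RE.findall(KV_RE.sub("", rest)))
    return {"chain": chain, "fields": fields, "flags": flags}


def summarize(log_text):
    """Count dropped packets per chain, per service and per source."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_chain = Counter(r["chain"] for r in recs)
    # service key: destination port for TCP/UDP, ICMP type otherwise
    by_service = Counter(
        (r["chain"], r["fields"].get("PROTO"),
         r["fields"].get("DPT") or r["fields"].get("TYPE"))
        for r in recs)
    by_src = Counter(r["fields"].get("SRC") for r in recs if r["chain"] == "INPUT")
    return {"records": recs, "by_chain": by_chain,
            "by_service": by_service, "by_src": by_src}


def syn_sweeps(recs, min_ports=3):
    """Sources whose dropped SYN-only packets hit >= min_ports distinct TCP ports."""
    ports = defaultdict(set)
    for r in recs:
        f = r["fields"]
        if (r["chain"] == "INPUT" and f.get("PROTO") == "TCP"
                and r["flags"] & {"SYN", "ACK", "FIN", "RST"} == {"SYN"}):
            ports[f["SRC"]].add(f["DPT"])
    return {src: sorted(p, key=int) for src, p in ports.items() if len(p) >= min_ports}


def own_traffic_dropped(recs):
    """The host's own packets killed by the OUTPUT DROP policy: missing egress rules."""
    return [(r["fields"].get("PROTO"), r["fields"].get("DST"), r["fields"].get("DPT"))
            for r in recs if r["chain"] == "OUTPUT"]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("drops per chain:", dict(s["by_chain"]))
    for key, n in s["by_service"].most_common():
        print("  %-6s %-4s %-5s %d" % (key[0], key[1], key[2], n))
    print("top sources:", s["by_src"].most_common(3))
    print("SYN sweeps:", syn_sweeps(s["records"]))
    print("own traffic dropped (add egress rules?):", own_traffic_dropped(s["records"]))
```

On a real box, feed it the output of grep FIREWALL: /var/log/messages
instead of SAMPLE_LOG; the OUTPUT-chain section is the first thing to
check after installing the script, since the DROP policy on OUTPUT
silently kills anything the server itself initiates that has no rule.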