firewalling...

Daniel Roethlisberger daniel at roe.ch
Sun Oct 7 11:44:49 PDT 2001


Ian Molton <imolton at clara.net> wrote:
> so, heres my script... discuss?

> $IPTABLES -t nat -P PREROUTING ACCEPT
> $IPTABLES -t nat -P POSTROUTING ACCEPT
> $IPTABLES -t nat -P OUTPUT ACCEPT

Those are actually unnecessary. You don't want to drop anything in
the nat table anyway, and default policy is accept anyway.


> $IPTABLES -F
> $IPTABLES -t nat -F
> $IPTABLES -X
> $IPTABLES -t nat -X

You forget the mangle table. You wanna flush/zero that too :)


> /sbin/modprobe ip_conntrack_ftp
> #/sbin/modprobe ip_conntrack_irc

If this is a dedicated firewall I recommend compiling this stuff
into the kernel, as it will be loaded 24/7 anyway. No point in
modules then, is there.


> $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
> echo "1" > /proc/sys/net/ipv4/ip_forward

> # A 'logging' /dev/null */
> $IPTABLES -N log_and_drop
> $IPTABLES -A log_and_drop -p udp --sport 138 -j DROP
> $IPTABLES -A log_and_drop -p udp --sport 631 -j DROP
> $IPTABLES -A log_and_drop -j LOG --log-prefix "Firewall:"
> $IPTABLES -A log_and_drop -j DROP

Uh, you almost definately want to rate limit the LOG rule. Add a
"-m limit" there, and read up on rate limiting and additional
parameters in the HOWTO. Otherwise port scans will flood your
logs, and in the worst case completely DoS your box. Ugly.


> # Protect us from source routed packets */
> $IPTABLES -A INPUT -i eth0 -s 192.168.0.0/16 -j log_and_drop
> $IPTABLES -A INPUT -i eth0 -s 10.0.0.0/8     -j log_and_drop
> $IPTABLES -A INPUT -i eth0 -s 172.16.0.0/12  -j log_and_drop

Watch out, you only drop packets with bogus (private range) source
addresses, not source routed packets in general with that.

This will make the kernel ignore source routed packets on eth0:
echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route

Then you want to block -all- illegal source address ranges from
the Internet, which are currently:
10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 169.254.0.0/16
0.0.0.0/7 2.0.0.0/8 5.0.0.0/189.0.0.0 23.0.0.0/8 27.0.0.0/251.0.0.0
36.0.0.0/7 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 58.0.0.0/7 60.0.0.0/8
70.0.0.0/8 72.0.0.0/232.0.0.0 82.0.0.0/7 84.0.0.0/6 96.0.0.0/3
197.0.0.0/8 201.0.0.0/8 219.0.0.0/8 220.0.0.0/6 240.0.0.0/4

BTW I never log those, there's no point, the source addresses are
bogus, you cannot determine who sent it anyway.

Then, you might want to do some more kernel tuning (hope there are
no typos):

# turn return path filtering on, which filters out obviously
# spoofed source addresses (ie. if an answer to a packet would be
# routed out through a different interface than it came in on,
# drop it)
echo "2" > /proc/sys/net/ipv4/conf/eth0/rp_filter
# don't log martians, just drop them (my preference)
echo "0" > /proc/sys/net/ipv4/conf/eth0/log_martians

# ignore smurf ICMP echo requests
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# ignore bogus ICMP messages
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# ignore ICMP Redirects
echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_redirects

# ignore TCP Timestamp option
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
# use TCP SYN cookies
echo "1" > /proc/sys/net/ipv4/tcp_syncookies


> # Allow all on loopback, and icmp in general */
> $IPTABLES -A INPUT -i lo -p all -j ACCEPT
> $IPTABLES -A INPUT -p icmp -j ACCEPT

You probably don't want to allow ICMP types 6, 9, 10, 15, 16, 18
and 18 in.


> # Enable masquerading
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

> # Some select services */
> $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 6346 -j ACCEPT

> # Allow DNS replies in
> $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
> #$IPTABLES -A INPUT -p tcp --sport 20 -j ACCEPT

> # Dont accept connections from outside */
> $IPTABLES -A INPUT -p tcp ! --syn -j ACCEPT

Well, these look like relics from old times, with non-stateful
firewalls. Have you converted old ipchains rules? With netfilter,
you could do something like this (watch out for typos, I write
those out from memory):

# let in stuff belonging to already established connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# from here only packets initiating a new connection

# TCP, but not SYN (actually, state invalid should catch this too)
$IPTABLES -A INPUT -p tcp ! --syn -j DROP

# now allow some ports you want to be open for new connections
# from the outside
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

# drop everything else
$IPTABLES -A INPUT -j DROP

This way, you will let in everything that belongs to connections
initiated from your box, including DNS queries and FTP data
connections. You will not let in Null/FIN/Xmas scan crap, and only
selected ports are accessible from the outside.


> # Dump anything that wasnt accepted into the log */
> $IPTABLES -A INPUT -p icmp -j log_and_drop
> $IPTABLES -A INPUT -p tcp  -j log_and_drop
> $IPTABLES -A INPUT -p udp  -j log_and_drop

This is almost the same as:

$IPTABLES -A INPUT -j log_and_drop

As there's not just icmp, tcp and udp, there are other protocols
on top of IP too (igmp, esp, ah, and many many more), and you
don't generally want them all in, I expect.

Cheers,
Dan


-- 
   Daniel Roethlisberger <daniel at roe.ch>
   PGP Key ID 0x8DE543ED with fingerprint
   6C10 83D7 2BB8 D908 10AE  7FA3 0779 0355 8DE5 43ED

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-support' in the subject header of the message



More information about the blfs-support mailing list