eddedwards Posted May 5, 2007

OK, I've been googling sh and iptables for about 4 days and have been writing the following script for my firewall. I'm going to put the file in my startup so it's loaded automatically. I've tested the script and it works, but I would like to know about insecurities. I've got basic services running and I've hopefully restricted the computers that can use certain ports, but have I done it right? I have 2 other machines, a flatmate's WinXP machine and another Ubuntu machine. Both Linux machines are running Apache and that's the main reason I would like someone more experienced to check it over. The start/stop stuff I borrowed from another startup script. I assumed the lib/lsb functions were required.

#!/bin/sh
#
# Notes:
#
. /lib/lsb/init-functions            # Import init functions (nothing below uses them).

do_start () {
    ipt="/sbin/iptables"             # Set program path + variable
    safe1="192.168.0.4"              # Safe IP addresses (for samba, ssh, xdmcp)
    safe2="192.168.0.2"
    myself="192.168.0.3"

    echo "Starting Firewall..."
    $ipt -F                          # Flush all chains (must run after $ipt is set)
    $ipt -Z                          # Zero all counters

    $ipt -P INPUT DROP               # Set policy of INPUT to DROP
    $ipt -P FORWARD DROP             # Set policy of FORWARD to DROP
    $ipt -P OUTPUT ACCEPT            # Set policy of OUTPUT to ACCEPT

    # CHAIN, TARGET, PROT+OPTIONS, IN/OUT, SOURCE, DESTINATION, MODULES
    $ipt -A INPUT -j ACCEPT -p tcp -i eth0 -m state --state ESTABLISHED,RELATED
    $ipt -A INPUT -j ACCEPT -p udp -i eth0 -m state --state ESTABLISHED,RELATED
    $ipt -A INPUT -j ACCEPT -p tcp --destination-port 22 -i eth0 -s $safe1                            # tcp port 22: ssh Sources: ubuntu2
    $ipt -A INPUT -j ACCEPT -p tcp --destination-port 80 --tcp-flags FIN,SYN,ACK,RST SYN -i eth0      # tcp port 80: www
    $ipt -A INPUT -j ACCEPT -p tcp --destination-port 137:139 -s $safe2                               # tcp port 139: samba1 Sources: winxp
    $ipt -A INPUT -j ACCEPT -p tcp --destination-port 137:139 -s $safe1                               # tcp port 139: samba2 Sources: ubuntu2
    $ipt -A INPUT -j ACCEPT -p tcp --destination-port 137:139 -s $myself                              # tcp port 139: samba2 Sources: myself
    $ipt -A INPUT -j ACCEPT -p udp --destination-port 137:139 -s $safe2                               # udp port 139: samba1 Sources: winxp
    $ipt -A INPUT -j ACCEPT -p udp --destination-port 137:139 -s $safe1                               # udp port 139: samba2 Sources: ubuntu2
    $ipt -A INPUT -j ACCEPT -p udp --destination-port 137:139 -s $myself                              # udp port 139: samba2 Sources: myself
    $ipt -A INPUT -j ACCEPT -p udp --destination-port 177 -i eth0 -s $safe1                           # udp port 177: xdmcp
    $ipt -A INPUT -j ACCEPT -p tcp --destination-port 445 -i eth0 -s $safe2                           # tcp port 445: MS-Directory Share Source: winxp
    $ipt -A INPUT -j ACCEPT -p tcp --destination-port 3306 -i lo                                      # tcp port 3306: Mysql
    $ipt -A INPUT -j ACCEPT -p tcp --destination-port 6000 -i eth0 -s $safe2                          # tcp port 6000: xdmcp Sources: ubuntu2
    $ipt -A INPUT -j ACCEPT -p ALL -i lo                                                              # loopback
    $ipt -A INPUT -j LOG --log-level 3 --log-prefix '[ FW_INPUT_FAILURE ]'                            # log anything that fails to pass through.
    echo "Firewall Loaded."
}

case "$1" in
    start)
        do_start
        ;;
    restart|reload|force-reload)
        echo "Error: argument '$1' not supported" >&2
        exit 3
        ;;
    stop)
        echo "Stopping Firewall"
        ;;
    *)
        echo "Usage: $0 start" >&2
        exit 3
        ;;
esac
the_oliver Posted May 8, 2007

Looks alright, but there's really no need to do all that. You can simply add the rules into the iptables file and thus it will automatically be loaded every time you boot. No need for an extra script. It also means that if for some reason you have to restart the firewall then you don't have to run that again. On RH the file is normally: /etc/sysconfig/iptables. You can just edit that. Enjoy!
eddedwards (Author) Posted May 8, 2007

Thanks for the comments. I had a look for the file you were on about but couldn't find anything other than the iptables programs and loads of random stuff in /sys/ip_tables/, but I'm on Ubuntu so mine might be different. I'll do some more googling to see if I can understand the Ubuntu /sys/ folder a bit better and I may find it. I'll use this for now as my iptables does nothing otherwise and I want a purely homebrew firewall so I understand it better, and I didn't like the way lokkit/firestarter configured it (too much junk). Thanks again.
trq Posted May 8, 2007

You really ought to implement the stop() method; it's as simple as resetting your tables to ACCEPT. A good trick I've picked up while building firewalls on remote systems is to use cron to run the stop() command every 10 mins or so, so you won't get locked out. Also, creating your own rc-script (as you have) for a firewall is a good idea; it makes it a lot more portable across different distros. One thing I would say is you might want to look up some tutorials on preventing stealth scans and address spoofing. At the moment you're not doing a lot to protect against such attacks. Another tip: DO NOT use port 22 for ssh.
eddedwards (Author) Posted May 9, 2007

Cheers thorpe. I'll change my ssh and I've found some snippets of code for some protection too, although I think some more reading is needed. I'll mark this solved but thought I might post the snippets I found for anyone looking.

# Protect against address spoofing: nothing claiming a loopback source may arrive on eth0.
iptables -A INPUT -s 127.0.0.0/8 -i eth0 -j DROP

# Protect against Smurf attack: drop ICMP sent to the broadcast address.
# (DENY was an ipchains target; the iptables target is DROP.)
iptables -A INPUT -p icmp -d 192.168.0.255 -j DROP

# Protect against SYN flood attack: accept at most 1 SYN/s (--syn takes two dashes).
# On its own the limited ACCEPT does nothing to the excess, which simply falls through
# to the rules after it, so a DROP for the excess has to follow.
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

# Protect against ping flooding attack: same pattern, limited ACCEPT then DROP.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
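As an added example that is not code from this thread: the rc-script below puts thorpe's two points above (a real stop() and a way not to lock yourself out of a remote box) together with the protection snippets just posted, written so that the rate limits actually enforce something. It assumes the LAN from the first post (eth0, this host 192.168.0.3, trusted ssh client 192.168.0.4); the names IPT, REVERT_SECS, PIDFILE, SYN_FLOOD and the fw_* functions are chosen here. Setting IPT=echo prints the rules instead of loading them, which needs no root.

```shell
#!/bin/sh
# Added example, not code from the thread. Same LAN as the first post:
# eth0 is the LAN interface, 192.168.0.3 is this host, 192.168.0.4 is the
# trusted ssh client. IPT=echo dry-runs the rule set without root.

IPT="${IPT:-/sbin/iptables}"
MYSELF="192.168.0.3"
SAFE_SSH="192.168.0.4"
REVERT_SECS="${REVERT_SECS:-120}"            # safety-net timer, see fw_apply
PIDFILE="${PIDFILE:-/tmp/fw-revert.pid}"

# stop: open up completely. Policies go to ACCEPT before the flush so there
# is never a window with empty chains and a DROP policy.
fw_stop() {
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X
    $IPT -Z
}

fw_start() {
    fw_stop                                  # start clean, so re-running never duplicates rules
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Anti-spoofing: packets on eth0 claiming to come from loopback or from us.
    $IPT -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
    $IPT -A INPUT -i eth0 -s "$MYSELF" -j DROP

    # SYN rate limit. A limited ACCEPT alone lets the excess fall through to
    # later rules; the limit only bites when the excess is dropped, which is
    # done here in a dedicated chain.
    $IPT -N SYN_FLOOD
    $IPT -A SYN_FLOOD -m limit --limit 10/s --limit-burst 20 -j RETURN
    $IPT -A SYN_FLOOD -j DROP
    $IPT -A INPUT -i eth0 -p tcp --syn -j SYN_FLOOD

    # Ping: same pattern, limited ACCEPT then explicit DROP of the excess.
    $IPT -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP

    # Services.
    $IPT -A INPUT -i eth0 -p tcp --dport 22 -s "$SAFE_SSH" -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -j LOG --log-level 3 --log-prefix '[ FW_INPUT_FAILURE ] '
}

# Safety net for remote boxes: load the rules, then arm a background timer
# that reverts to fw_stop unless fw_confirm runs in time (the cron trick
# above, but self-disarming).
fw_apply() {
    fw_start
    ( sleep "$REVERT_SECS" && fw_stop ) &
    echo $! > "$PIDFILE"
    echo "Rules loaded; run '$0 confirm' within ${REVERT_SECS}s or they revert."
}

fw_confirm() {
    if [ -f "$PIDFILE" ]; then
        kill "$(cat "$PIDFILE")" 2>/dev/null
        rm -f "$PIDFILE"
        echo "Rules kept."
    else
        echo "No pending revert timer." >&2
        return 1
    fi
}

if [ $# -gt 0 ]; then
    case "$1" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        restart) fw_stop; fw_start ;;
        apply)   fw_apply ;;
        confirm) fw_confirm ;;
        *) echo "Usage: $0 {start|stop|restart|apply|confirm}" >&2; exit 3 ;;
    esac
fi
```

Run it as `apply` over ssh, then `confirm` from a new session: if the new session cannot connect, the timer restores an open firewall. Debian's iptables package ships iptables-apply, which does the same confirm-or-revert step for rule files loaded with iptables-restore.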
trq Posted May 9, 2007

This is part of what I use to prevent stealth scans.

IPT="/sbin/iptables"

# -m unclean was an experimental 2.4-era patch-o-matic match that is not in
# current kernels, so it is left commented out here.
#$IPT -A INPUT -m unclean -j DROP

# --tcp-flags MASK COMP: of the flags in MASK, exactly those in COMP must be set.
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP            # no flags at all (NULL scan)
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP     # SYN and FIN together
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP         # FIN without ACK (FIN and Xmas scans)
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP         # PSH without ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP         # URG without ACK

There is a lot to building and administering an iptables firewall. I also have some 30 odd rules just related to address spoofing.
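The two-argument --tcp-flags syntax is the part of the rules above that is easiest to misread, so here is an added example, not from the thread, that models the test iptables applies and runs the posted rule list over a few flag combinations. The rule list and flag names are the ones posted; the sample packets are constructed for the demo and the function names are chosen here.

```shell
#!/bin/sh
# Added example: a model of iptables' "--tcp-flags MASK COMP" test, run over
# the stealth-scan rules posted above. Not iptables code; the sample packets
# at the bottom are constructed for the demo.

ALL_FLAGS="FIN,SYN,RST,PSH,ACK,URG"

# has_flag LIST FLAG: succeed if FLAG is one of the comma-separated LIST.
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# expand the ALL / NONE keywords to a real flag list / an empty list.
expand() {
    case "$1" in
        ALL)  echo "$ALL_FLAGS" ;;
        NONE) echo "" ;;
        *)    echo "$1" ;;
    esac
}

# tcp_flags_match MASK COMP PKTFLAGS
# iptables semantics: only the flags named in MASK are examined, and each of
# them must be set in the packet exactly when it is named in COMP. Flags
# outside MASK are ignored, so "ACK,FIN FIN" means FIN set and ACK clear,
# whatever PSH or URG are doing.
tcp_flags_match() {
    m_mask=$(expand "$1"); m_comp=$(expand "$2"); m_pkt=$(expand "$3")
    old_ifs=$IFS; IFS=,
    set -- $m_mask
    IFS=$old_ifs
    for f in "$@"; do
        if has_flag "$m_comp" "$f"; then
            has_flag "$m_pkt" "$f" || return 1          # required flag missing
        else
            if has_flag "$m_pkt" "$f"; then return 1; fi  # forbidden flag present
        fi
    done
    return 0
}

# stealth_verdict PKTFLAGS: what the posted rule list, in order, does with a
# packet carrying exactly these flags. Prints "DROP (<rule>)" or "pass".
stealth_verdict() {
    v_pkt=$1
    for rule in "ALL NONE null-scan" "SYN,FIN SYN,FIN syn-fin" \
                "SYN,RST SYN,RST syn-rst" "FIN,RST FIN,RST fin-rst" \
                "ACK,FIN FIN fin-without-ack" "ACK,PSH PSH psh-without-ack" \
                "ACK,URG URG urg-without-ack"; do
        set -- $rule
        if tcp_flags_match "$1" "$2" "$v_pkt"; then
            echo "DROP ($3)"
            return 0
        fi
    done
    echo "pass"
}

# Constructed samples: normal handshake/data/close packets, then the classic
# NULL, Xmas, SYN/FIN and FIN scan signatures.
for p in SYN SYN,ACK ACK PSH,ACK FIN,ACK NONE FIN,PSH,URG SYN,FIN FIN; do
    printf '%-12s %s\n' "$p" "$(stealth_verdict "$p")"
done
```

Worth noticing in the output: the legitimate packets (SYN, SYN/ACK, ACK, PSH/ACK, FIN/ACK) all pass, while an Xmas probe (FIN,PSH,URG) is caught not by a dedicated rule but by the "FIN without ACK" rule, because only the ACK and FIN bits are in that rule's mask.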
eddedwards (Author) Posted May 10, 2007

I can sort of see what you're doing there. I think I might modify my design quite a bit now with some new chains and stuff to accommodate checks. Thanks again for the help, I know where I need to go now.
the_oliver Posted May 19, 2007

I realise that you marked this as solved but thought you may be interested in this: http://www.geocities.com/steve93138/ It's called 'Kiss My Firewall', and is fairly bomb proof!
eddedwards (Author) Posted June 22, 2007

Cheers for that. You've got some good bits in there. I'll have a good studying session on that.