firewall stuff

Gregory Nowak gnowak1 at uic.edu
Wed Dec 26 12:29:15 EST 2001


Sorry I can't help you, since I know next to nothing about iptables.
However, Raul had recommended a good firewall script to me a while back, and I'm very happy with it.
You can find it at http://endoshield.sourceforge.net. Hth.
Greg


On Wed, Dec 26, 2001 at 09:51:29AM -0500, Deedra Waters wrote:
>      My current firewall script is causing some problems with some things
> that I'm trying to do.... due to the fact that I don't know enough about
> linux and iptables, I thought I'd try another firewall script that someone
> had posted to the list.
> 
> the problem I'm having with the script is this..... when I try and run it
> I get this error...
> ./firewall: /proc/sys/net/ipv4/ip_foward: No such file or directory
> but the file appears to be there, so not really sure what I'm doing
> wrong, if I could get some help off list with this I'd appreciate it...
> I've attached the firewall script I'm trying to use to this message.
> 

> #!/bin/bash
> 
> iptables -F
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
> iptables -F -t mangle
> iptables -F -t nat
> iptables -X
> 
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> 
> #This enables ip forwarding, and thus by extension, NAT
> #Turn this on if you're going to be doing NAT or Masquerading
> echo 1 > /proc/sys/net/ipv4/ip_foward
> 
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> 
> #This one maps port 80 to 192.168.1.1. Anything incoming over eth0 to
> #the server will be redirected invisibly to port 80 on 192.168.1.1
> 
> #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.60
> iptables -t nat -A PREROUTING -i eth0 -p tcp -s 0/0 --dport 80 -j ACCEPT
> 
> #These four redirect a block of ports, in both udp and tcp.
> 
> iptables -t nat -A PREROUTING -i eth0 -p udp --dport 2074:2076 -j DNAT --to 192.168.1.69
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2074:2076 -j DNAT --to 192.168.1.69
> iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4074:4076 -j DNAT --to 192.168.1.69
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4074:4076 -j DNAT --to 192.168.1.69
> 
> #Now, our firewall chain
> #We use the limit commands to cap the rate at which it alerts to 15
> #log messages per minute
> iptables -N firewall
> #iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
> iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix "fp=Firewall:1 a=DROP " 
> iptables -A firewall -j DROP
> 
> #Now, our dropwall chain, for the final catchall filter
> iptables -N dropwall
> # iptables -A dropwall -m limit --limit 15/minute -j LOG \
> # --log-level 1 --log-prefix "fp=Dropwall:2 a=DROP "
> iptables -A dropwall -i eth0 -p tcp --dport 80 -j ACCEPT
> iptables -A dropwall -j DROP
> 
> #Our "hey, them's some bad tcp flags!" chain
> iptables -N badflags
> #iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
> iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix "fp=Badflags:3 a=DROP "
> iptables -A badflags -j DROP
>  
> #And our silent logging chain
> iptables -N silent
> iptables -A silent -j DROP
> 
> 
> #Accept ourselves (loopback interface), 'cause we're all warm and friendly
> iptables -A INPUT -i lo -j ACCEPT
> 
> #Drop those nasty packets!
> #These are all TCP flag combinations that should never, ever occur in the
> #wild. All of these are illegal combinations that are used to attack a box
> #in various ways, so we just drop them and log them here.
> iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
> iptables -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
> iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
> iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
> iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
> 
> #Drop icmp, but only after letting certain types through
> iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
> iptables -A INPUT -p icmp -j firewall
> 
> #Accept SSH connections from everywhere.
> #Uncomment this if you're running SSH and want to be able to access it
> #from the outside world.
> #
> iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 21 -j ACCEPT
> iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -i eth1 -d 0/0 -j ACCEPT
> 
> # We should not accept any datagrams with a source address matching ours
> # from the outside, so we deny them.
> iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP
>  
> #Lets do some basic state-matching
> #This allows us to accept related and established connections, so
> #client-side things like ftp work properly, for example.
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> 
> #Uncomment to drop port 137 netbios packets silently. We don't like
> #that netbios stuff, and it's #way too spammy with windows machines on
> #the network.
> #
> # iptables -A INPUT -p udp --sport 137 --dport 137 -j silent
> iptables -A INPUT -p udp --sport 137 --dport 137 -j ACCEPT
> iptables -A INPUT -p udp --sport 138 --dport 138 -j ACCEPT
> iptables -A INPUT -p udp --sport 139 --dport 139 -j ACCEPT
> 
> #Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
> iptables -A INPUT -j dropwall
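An added example, not code from either message above or from the posted script: the error Deedra quotes comes from the line "echo 1 > /proc/sys/net/ipv4/ip_foward", which misspells the sysctl file (the real one is /proc/sys/net/ipv4/ip_forward). A bare redirection only reports the failed write, and because the script does not stop there it goes on to load NAT and FORWARD rules that assume forwarding is on. The two shell functions below preflight every /proc/sys path a script references and write a sysctl fail-safe; the demo runs against a constructed temp directory rather than the live /proc, and the ROOT argument, the function names and the sample script are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the quoted firewall script: preflight the
# /proc/sys paths a firewall script writes to, and write to them fail-safe.
# The quoted script fails on a misspelled path (ip_foward); the real sysctl
# file is /proc/sys/net/ipv4/ip_forward.

# find_missing_proc_paths SCRIPT [ROOT]
# Print every /proc/sys/... path mentioned in SCRIPT that does not exist.
# ROOT (optional, an assumption of this example) is prefixed to each path so
# the check can run against a constructed directory tree instead of the
# live /proc.
find_missing_proc_paths() {
    script=$1
    root=${2:-}
    grep -o '/proc/sys/[A-Za-z0-9_./-]*' "$script" | sort -u |
    while read -r p; do
        [ -e "$root$p" ] || printf '%s\n' "$p"
    done
}

# set_sysctl PATH VALUE [ROOT]
# Write VALUE to PATH only when the file exists and is writable; otherwise
# print a diagnostic naming the path and return 1, so a caller running under
# "set -e" stops before any iptables rules are loaded on a wrong assumption.
set_sysctl() {
    path=$1
    value=$2
    root=${3:-}
    if [ ! -w "$root$path" ]; then
        printf 'set_sysctl: %s is missing or not writable (typo?)\n' "$path" >&2
        return 1
    fi
    printf '%s\n' "$value" > "$root$path"
}

# Demo on a constructed tree (temp dir, not the real /proc): one correctly
# spelled key, and a sample script that references the misspelled one.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/proc/sys/net/ipv4"
    echo 0 > "$tmp/proc/sys/net/ipv4/ip_forward"
    printf '%s\n' '#!/bin/bash' \
        'echo 1 > /proc/sys/net/ipv4/ip_foward' \
        'echo 1 > /proc/sys/net/ipv4/ip_forward' > "$tmp/firewall"
    echo "paths referenced by $tmp/firewall that do not exist:"
    find_missing_proc_paths "$tmp/firewall" "$tmp"
    rm -rf "$tmp"
}

demo
```

Run the first function against the real script with no ROOT argument and it lists the misspelled path; replacing the plain "echo 1 > ..." with set_sysctl (and running the script under "set -e") makes the script stop at that line instead of continuing with the policy and NAT rules.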

More information about the Speakup mailing list