2009/7/17 Dave <dave.meh...@gmail.com>:
> Hello,
>        Can anyone good with iptables give this script a once-over? It is
> working, but in a very inconsistent manner: sometimes it lets traffic in,
> other times not. Two things it does not have are DHCP rules, as this box gets
> its address via DHCP, and CIFS rules, as this machine mounts CIFS shares; if
> anyone has those I'd appreciate them. This is a single-NIC box, not a router,
> just an internal client I'd like to protect.
> Adapted from:
>
> http://www.novell.com/coolsolutions/feature/18139.html
>
> Thanks.
> Dave.
>
> #!/bin/bash
> #
> # Script for iptables firewall
>
> # define variables
> IF_PUB=eth0
> IP_PUB=192.168.0.106
> NET_PRV=192.168.0.0/24
> ANYWHERE=0.0.0.0/0
>
> # set up default policies
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # remove any existing rules
> iptables -F -t nat
> iptables -F -t mangle
> iptables -F -t filter
> # Removes any user-defined chains
> iptables -X
>
> # If the machine is a router enable the next line
> #echo 1 > /proc/sys/net/ipv4/ip_forward

If you don't want to forward then echo 0, instead of 1, or instead of
just commenting it out.

> # forward from the public interface
> #iptables -A FORWARD -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # allow everything to and from the loopback
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # allow communications on the local network
> # This allows unrestricted communications
> #iptables -A INPUT -i $IF_PUB -s $NET_PRV -j ACCEPT
> # This allows only established or forwarded connections
> iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o $IF_PUB -d $NET_PRV -j ACCEPT

Not sure that this is necessary.

> # If you're doing NAT (-o takes an interface name, not an address)
> #iptables -t nat -A POSTROUTING -s $NET_PRV -o $IF_PUB -j SNAT --to $IP_PUB
>
> # allow various types of ICMP
> # echo reply (0), destination unreachable (3), time exceeded (11),
> # and rate-limited echo request (8)
> iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
>
> # allow ssh
> iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB -m limit --limit 1/minute --limit-burst 1 -j ACCEPT

This opens *all* tcp ports and throttles the connection (you'll be
dropping packets and get an unreliable connection).  I suggest that
you only open the port you need; e.g. -m tcp --dport 10201, also if
you only access this box via ssh from your LAN, then restrict access
to it from your private subnet: -s NET_PRV and remove the --limit
match completely.  If you're worried about brute force attacks on your
sshd, then perhaps use something like fail2ban, or better use public
key authentication only (no passwd), or construct a set of rules to
limit the amount of accepted attempts:
=====================================
Name it something:

blah-blah   -m state --state NEW --dport 22 -m recent --name ssh_crackers --set

Log the persistent attacks:

blah-blah   -m state --state NEW --dport 22 -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -j LOG -m limit --limit 3/minute --limit-burst 3 --log-level 4 --log-prefix 'SSH REJECT: '

Block them:

blah-blah  -m state --state NEW --dport 22 -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset
=====================================

> # mail and web server on a different host
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j DNAT --to 192.168.1.254
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j DNAT --to 192.168.1.253
> #iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport http -j ACCEPT
>
> # send a tcp reject
> iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
>
> # block irc
> #iptables -A INPUT -p tcp --dport irc -j DROP
> #iptables -A INPUT -p udp --dport irc -j DROP
> #iptables -A INPUT -p tcp --dport irc-serv -j DROP
> #iptables -A INPUT -p udp --dport irc-serv -j DROP
> #iptables -A INPUT -p tcp --dport ircs -j DROP
> #iptables -A INPUT -p udp --dport ircs -j DROP
> # These discard TCP and UDP IRC, IRC server and secure IRC traffic.
>
> # block a specific host
> #iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j REJECT --reject-with icmp-host-prohibited
>
> # traffic from one port to another
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j DNAT --to 192.168.1.254:443
> #iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p tcp --dport 443 -j ACCEPT

Then block anything else:

iptables -A INPUT -j DROP    # no -p/-i: "any" is not an interface keyword, it would only match a NIC literally named "any"


Finally, run nmap from within/out your LAN on all ports and see what you get.

HTH.
-- 
Regards,
Mick
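The following is an added example, not Dave's script and not the rules Mick posted above: a complete single-NIC client firewall written as an iptables-restore ruleset that applies Mick's advice (accept new ssh connections only from the LAN and only on the ssh port, throttle repeated attempts per source with the "recent" match, finish with an unconditional DROP) and adds the DHCP-client and CIFS-client rules Dave asked for. Interface, subnet, port and the SSH_GUARD chain name are assumptions and can be overridden from the environment. Loading the whole table with iptables-restore replaces it in one step, so there is never a moment where the DROP policies are set but the ACCEPT rules have not been added yet, which is what happens line by line with a flush-then-append script.

```bash
#!/bin/bash
# Added example: single-NIC client firewall as an iptables-restore ruleset.
# Values below are assumptions; override them in the environment.
IF_PUB=${IF_PUB:-eth0}
NET_PRV=${NET_PRV:-192.168.0.0/24}
SSH_PORT=${SSH_PORT:-22}

# Print the complete ruleset for iptables-restore (lines starting with
# '#' are ignored by iptables-restore, so the comments can stay in).
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:SSH_GUARD - [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host opened: this is what lets CIFS mounts,
# DNS answers and outgoing ssh sessions flow back in
-A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# DHCP client: offer/ack come from server port 67 to client port 68, often
# to the broadcast address before we have an IP, so no -d on our own address
-A INPUT -i $IF_PUB -p udp --sport 67 --dport 68 -j ACCEPT
# ICMP: echo reply, destination unreachable, time exceeded, throttled echo request
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
# ssh: only NEW connections, only from the LAN, only to the ssh port
-A INPUT -i $IF_PUB -p tcp -s $NET_PRV --dport $SSH_PORT -m state --state NEW -j SSH_GUARD
# SSH_GUARD: a source that already has 4 entries within 60 s is logged
# (rate-limited) and reset; --update adds a fresh timestamp, so the block
# lasts as long as it keeps trying. Anyone else is recorded and accepted,
# so the 5th new connection in a minute is the first one rejected.
-A SSH_GUARD -p tcp -m recent --name ssh_crackers --update --seconds 60 --hitcount 4 -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 4 --log-prefix "SSH REJECT: "
-A SSH_GUARD -p tcp -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset
-A SSH_GUARD -p tcp -m recent --name ssh_crackers --set -j ACCEPT
# everything else inbound: reset TCP, drop the rest
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j DROP
# outbound: DHCP discover/request (client port 68 to server port 67, sent to
# 255.255.255.255, which is outside $NET_PRV), then anything to the LAN, which
# covers CIFS (tcp 445 and 139) and NetBIOS name lookups (udp 137/138) to
# the file servers; destinations beyond the LAN need their own OUTPUT rule
-A OUTPUT -o $IF_PUB -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o $IF_PUB -d $NET_PRV -j ACCEPT
COMMIT
EOF
}

# Parse the ruleset without committing it (needs root, like the real load).
check_rules() { gen_rules | iptables-restore --test; }

# Atomically replace the filter table with the generated ruleset.
apply_rules() { gen_rules | iptables-restore; }

case "${1:-show}" in
    apply) apply_rules ;;
    check) check_rules ;;
    *)     gen_rules ;;
esac
```

Run it with no argument to print the ruleset, `check` to have iptables-restore parse it without loading, and `apply` to load it; afterwards `iptables -L -v -n` shows the counters and, as Mick suggests, an nmap from another LAN host should report only the ssh port open. Note that `-m recent --rcheck` needs the REJECT rule to carry `-p tcp`, because `--reject-with tcp-reset` is refused on a rule that does not match TCP explicitly.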
