All, was wondering if someone would be so kind as to check out my iptables
firewall script below. I'm interested in hearing what people think about
it. Is it secure enough? Where are the holes? What can I do to make it
more secure? I've read a lot of scripts and combined them all into this
one. It's much "simpler" then the ones I've read but since I'm new at
this I'm afraid I've missed something glaring.
Thanks for any advice!
----- CUT HERE
#!/bin/sh
/sbin/insmod ip_tables
###############################################################################
#
# Configuration
#
IPTABLES="/sbin/iptables"
LOOPBACK="lo"
EXTERNAL="ppp0"
INTERNAL="eth1"
EXTERNAL_NET="0/0"
INTERNAL_NET="192.168.104.0/24"
UNPRIV_PORTS="1024:65535"
###############################################################################
###############################################################################
#
# Kernel parameters
#
#
# Allow forwarding between multiple interfaces.
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Don't respond to ping.
#
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
# Don't accept source routed packets, they can be used to make it seem
# like traffic has been generated from inside the network.
#
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#
# Don't allow for ICMP redirect acceptance.
#
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#
# Enable bad error message protection.
#
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#
# Log spoofed packets, source routed packets, redirect packets.
#
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
###############################################################################
###############################################################################
#
# Flush chains and set default policies.
#
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD ACCEPT
###############################################################################
###############################################################################
#
# Special chain for ports to allow.
#
TCP_ALLOWED_PORTS="25 7876"
$IPTABLES -N ALLOW_PORTS
$IPTABLES -F ALLOW_PORTS
for PORT in $TCP_ALLOWED_PORTS ;
do
#
# Allow new connections to the specified port.
#
$IPTABLES -A ALLOW_PORTS -m state --state ESTABLISHED,NEW -p tcp \
--dport $PORT -j ACCEPT
done
###############################################################################
###############################################################################
#
# ICMP
#
#
# Drop all ICMP packets inbound.
#
$IPTABLES -A INPUT -p icmp -j DROP
#
# Allow all ICMP packets outbound.
#
$IPTABLES -A OUTPUT -p icmp -j DROP
###############################################################################
###############################################################################
#
# UDP - the rules below are required for name server look ups
#
#
# Allow all UDP packets inbound on unprivileged ports only that belong to
# an established connection.
#
$IPTABLES -A INPUT -i $EXTERNAL -p udp --dport $UNPRIV_PORTS \
-m state --state ESTABLISHED -j ACCEPT
#
# Allow all UDP packets outbound that are new connections on unprivileged
# ports only.
#
$IPTABLES -A OUTPUT -o $EXTERNAL -p udp --sport $UNPRIV_PORTS \
-m state --state NEW -j ACCEPT
###############################################################################
###############################################################################
#
# LOOPBACK
#
# Allow everything from the loopback device.
#
#
# Allow all input to loopback.
#
$IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT
#
# Allow all output from loopback.
#
$IPTABLES -A OUTPUT -o $LOOPBACK -j ACCEPT
###############################################################################
###############################################################################
#
# External Interface (ppp0/eth0)
#
#
# Pass all TCP packets inbound on the external interface to a special
# chain that allows only certain ports.
#
$IPTABLES -A INPUT -i $EXTERNAL -p tcp -j ALLOW_PORTS
#
# Allow all TCP packets inbound on the external interface that are bound
# for an unprivileged port. This is required for all outbound connections
# made from the external interface.
#
$IPTABLES -A INPUT -i $EXTERNAL -p tcp --dport $UNPRIV_PORTS \
-m state --state ESTABLISHED -j ACCEPT
#
# Allow all TCP packets outbound on the external interface.
#
$IPTABLES -A OUTPUT -o $EXTERNAL -p tcp -j ACCEPT
###############################################################################
###############################################################################
#
# Internal Interface (eth1)
#
#
# Allow all TCP packets inbound from the internal interface that
# originate from the internal network.
#
$IPTABLES -A INPUT -i $INTERNAL -s $INTERNAL_NET -p tcp -j ACCEPT
#
# Drop all TCP packets inbound from the internal interface that are not
# from the internal network.
#
$IPTABLES -A INPUT -i $INTERNAL -s ! $INTERNAL_NET -p tcp -j DROP
#
# Allow all TCP packets outbound on the internal interface that are
# destined for the internal network.
#
$IPTABLES -A OUTPUT -o $INTERNAL -d $INTERNAL_NET -p tcp -j ACCEPT
#
# Drop all TCP packets outbound on the internal interface that are not
# destined for the internal network.
#
$IPTABLES -A OUTPUT -o $INTERNAL -d ! $INTERNAL_NET -p tcp -j DROP
###############################################################################
###############################################################################
#
# Masquerading rules.
#
#
# Perform masquerading for internal network.
#
$IPTABLES -A POSTROUTING -t nat -o $EXTERNAL -j MASQUERADE
#
# Forward all packets inbound on the internal interface.
#
$IPTABLES -A FORWARD -i $INTERNAL -j ACCEPT
###############################################################################
###############################################################################
#
# NAT rules.
#
$IPTABLES -A PREROUTING -t nat -i $EXTERNAL -p tcp --dport 25 -j DNAT \
--to 192.168.104.3:25
$IPTABLES -A FORWARD -i $EXTERNAL -p tcp -d 192.168.104.3 --dport 25 -j ACCEPT
###############################################################################
