Hello all, I have just finished my firewall for my home gateway and I would like to post it so that someone with more knowledge and experience than me can look at it and advise me. I don't expect anyone to help me build the most secure firewall, of course. I just want to know if I have open holes, and I would very much like to see suggestions.
Thanks in advance, Pavlos

####################################################################################################
# Generated by iptables-save v1.2.5 on Mon May 6 19:35:40 2002
*nat
:PREROUTING ACCEPT [74:12363]
:POSTROUTING ACCEPT [45:7296]
:OUTPUT ACCEPT [734:46690]
-A PREROUTING -d 224.0.0.0/255.255.255.0 -i ppp0 -j DROP
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Mon May 6 19:35:40 2002
# Generated by iptables-save v1.2.5 on Mon May 6 19:35:40 2002
*mangle
:PREROUTING ACCEPT [7599:5326143]
:OUTPUT ACCEPT [8365:796623]
COMMIT
# Completed on Mon May 6 19:35:40 2002
# Generated by iptables-save v1.2.5 on Mon May 6 19:35:40 2002
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:external-firewall - [0:0]
:external-internal - [0:0]
:firewall-external - [0:0]
:firewall-internal - [0:0]
:internal-external - [0:0]
:internal-firewall - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 1/min -j LOG --log-prefix "Xms Scan " --log-level 6
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -m state --state INVALID,NEW,RELATED -m limit --limit 1/min -j LOG --log-prefix "Fin Scans " --log-level 6
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -m state --state INVALID,NEW,RELATED -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -m limit --limit 1/min -j LOG --log-prefix "Open-Close Scans " --log-level 6
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 1/min -j LOG --log-prefix "No bits set!" --log-level 6
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 1/min -j LOG --log-prefix "SYN,FIN bad packet " --log-level 6
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 1/min -j LOG --log-prefix "SYN,RST bad packet " --log-level 6
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 1/min -j LOG --log-prefix "FIN,RST bit set " --log-level 6
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -m limit --limit 1/min -j LOG --log-prefix "PSH bad packet " --log-level 6
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -m limit --limit 1/min -j LOG --log-prefix "URG bad packet " --log-level 6
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j REJECT --reject-with tcp-reset
-A INPUT -m state --state INVALID -m limit --limit 1/min -j LOG --log-prefix "Invalid INPUT state " --log-level 6
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i ppp0 -j external-firewall
-A INPUT -i eth0 -j internal-firewall
-A FORWARD -m state --state INVALID -m limit --limit 1/min -j LOG --log-prefix "Invalid FORWARD state " --log-level 6
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth0 -o ppp0 -j internal-external
-A FORWARD -i ppp0 -o eth0 -j external-internal
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ppp0 -j firewall-external
-A OUTPUT -o eth0 -j firewall-internal
-A external-firewall -j LOG --log-prefix "external-firewall "
-A external-firewall -s 10.0.0.0/255.0.0.0 -j DROP
-A external-firewall -s 172.16.0.0/255.240.0.0 -j DROP
-A external-firewall -s 192.168.0.0/255.255.0.0 -j DROP
-A external-firewall -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/min -j LOG --log-prefix "Syn-flood Attack " --log-level 6
-A external-firewall -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A external-firewall -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -m limit --limit 1/min -j LOG --log-prefix "NEW without syn " --log-level 6
-A external-firewall -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A external-firewall -p tcp -m state --state NEW -m limit --limit 1/min -j LOG --log-prefix "NEW from ppp0 " --log-level 6
-A external-firewall -p tcp -m state --state NEW -j REJECT --reject-with tcp-reset
-A external-firewall -p icmp -m icmp --icmp-type 8 -m limit --limit 10/min -j ACCEPT
-A external-firewall -p icmp -m icmp --icmp-type 8 -m limit --limit 1/min -j LOG --log-prefix "PoD attack! " --log-level 6
-A external-firewall -p icmp -m icmp --icmp-type 8 -j DROP
-A external-firewall -p icmp -m state --state ESTABLISHED -j ACCEPT
-A external-firewall -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A external-firewall -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A external-firewall -s 195.170.0.2 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A external-firewall -s 195.170.2.1 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A external-internal -j LOG --log-prefix "external-internal "
-A external-internal -m state --state NEW -m limit --limit 1/min -j LOG --log-prefix "NEW from ppp0 to FORWARD " --log-level 6
-A external-internal -m state --state NEW -j DROP
-A external-internal -p icmp -m icmp --icmp-type 8 -m limit --limit 1/min -j LOG --log-prefix "FORWARD PoD " --log-level 6
-A external-internal -p icmp -m icmp --icmp-type 8 -j DROP
-A external-internal -p icmp -m state --state ESTABLISHED -j ACCEPT
-A external-internal -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A external-internal -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A external-internal -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A external-internal -p tcp -m tcp --sport 21 --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A external-internal -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A external-internal -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A external-internal -p tcp -m tcp --sport 110 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A external-internal -p tcp -m tcp --sport 25 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A external-internal -p tcp -m tcp --sport 119 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A firewall-external -j LOG --log-prefix "firewall-external "
-A firewall-external -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A firewall-external -d 195.170.0.2 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A firewall-external -d 195.170.2.1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A firewall-external -p udp -m udp --dport 33343:33868 -j ACCEPT
-A firewall-internal -j LOG --log-prefix "firewall-internal "
-A firewall-internal -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A firewall-internal -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A firewall-internal -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A firewall-internal -p udp -m udp --dport 33343:33868 -j ACCEPT
-A firewall-internal -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A firewall-internal -p icmp -m state --state ESTABLISHED -j ACCEPT
-A internal-external -j LOG --log-prefix "internal-external "
-A internal-external -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A internal-external -p udp -m udp --sport 1024:65535 --dport 33343:33868 -j ACCEPT
-A internal-external -p tcp -m tcp --sport 1024:65535 --dport 21 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A internal-external -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state ESTABLISHED -j ACCEPT
-A internal-external -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
-A internal-external -p tcp -m tcp --sport 1024:65535 --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A internal-external -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state ESTABLISHED -j ACCEPT
-A internal-external -p tcp -m tcp --sport 1024:65535 --dport 110 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A internal-external -p tcp -m tcp --sport 1024:65535 --dport 110 -m state --state ESTABLISHED -j ACCEPT
-A internal-external -p tcp -m tcp --sport 1024:65535 --dport 25 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A internal-external -p tcp -m tcp --sport 1024:65535 --dport 25 -m state --state ESTABLISHED -j ACCEPT
-A internal-external -p tcp -m tcp --sport 1024:65535 --dport 119 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A internal-external -p tcp -m tcp --sport 1024:65535 --dport 119 -m state --state ESTABLISHED -j ACCEPT
-A internal-firewall -j LOG --log-prefix "internal-firewall "
-A internal-firewall -p icmp -m icmp --icmp-type 8 -m limit --limit 10/min -j ACCEPT
-A internal-firewall -p icmp -m icmp --icmp-type 8 -m limit --limit 1/min -j LOG --log-prefix "PoD from internal! " --log-level 6
-A internal-firewall -p icmp -m icmp --icmp-type 8 -j DROP
-A internal-firewall -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A internal-firewall -p icmp -m state --state ESTABLISHED -j ACCEPT
-A internal-firewall -p udp -m udp --dport 33343:33868 -j ACCEPT
-A internal-firewall -s 192.168.100.2 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A internal-firewall -s 192.168.100.22 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I love having the feeling of being in control while I have the sensation of speed
The surfer of life
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
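A review helper added here, not part of Pavlos's post: it parses `-A` lines in iptables-save format and lists the TCP/UDP ACCEPT rules in the Internet-facing chains that carry no `-m state` match, then shows each rule tied to connection tracking. The embedded rules are copied from the dump above and the chain names are the post's own; the inbound/outbound split by chain-name prefix is an assumption.

```python
import re

# Constructed input: a subset of the -A lines copied from the ruleset
# above (filter table), enough to exercise the check.
RULES = """
-A external-firewall -s 195.170.0.2 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A external-firewall -p icmp -m icmp --icmp-type 8 -m limit --limit 10/min -j ACCEPT
-A external-internal -p tcp -m tcp --sport 21 --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A external-internal -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A firewall-external -p udp -m udp --dport 33343:33868 -j ACCEPT
-A internal-external -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
-A internal-external -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state ESTABLISHED -j ACCEPT
"""

# User chains in the post that carry traffic to or from the ppp0 (Internet) side.
EXTERNAL_CHAINS = {"external-firewall", "external-internal",
                   "firewall-external", "internal-external"}

def parse_rule(line):
    """Pull chain, protocol, target and conntrack states out of one '-A' line."""
    if not line.startswith("-A "):
        return None
    proto = re.search(r"(?:^|\s)-p (\S+)", line)
    target = re.search(r"\s-j (\S+)", line)
    states = re.search(r"--state (\S+)", line)
    return {
        "chain": line.split()[1],
        "proto": proto.group(1) if proto else None,
        "target": target.group(1) if target else None,
        "states": set(states.group(1).split(",")) if states else set(),
        "text": line,
    }

def stateless_accepts(dump):
    """TCP/UDP ACCEPT rules in Internet-facing chains that have no '-m state'
    match: they are decided on ports and flags alone, so no connection-tracking
    entry has to exist for a packet to be accepted."""
    findings = []
    for raw in dump.strip().splitlines():
        r = parse_rule(raw.strip())
        if (r and r["chain"] in EXTERNAL_CHAINS and r["target"] == "ACCEPT"
                and r["proto"] in ("tcp", "udp") and not r["states"]):
            findings.append(r["text"])
    return findings

def with_state(rule):
    """Hardened form of one finding. Assumption: 'external-*' chains only carry
    replies from the Internet (ESTABLISHED,RELATED); the others originate traffic
    toward it and must keep NEW."""
    chain = rule.split()[1]
    states = "ESTABLISHED,RELATED" if chain.startswith("external-") else "NEW,ESTABLISHED"
    return rule.replace(" -j ACCEPT", f" -m state --state {states} -j ACCEPT")

if __name__ == "__main__":
    for rule in stateless_accepts(RULES):
        print("stateless:", rule)
        print("   harden:", with_state(rule))
```

For the source-port-21 rule, RELATED only covers the FTP data connection when the ip_conntrack_ftp helper module is loaded on the gateway.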
