Linode Forum
Linode Community Forums
Posted: Tue Mar 15, 2011 3:25 pm
I took a stab at writing my own firewall script using iptables based on code snippets here and there on the internet and some ideas of my own. My linode is mostly a hobby/learning tool with several small websites; I may use phplist, asterisk, wordpress or drupal on some of them. I am running Debian Squeeze.

Any comments on this? Actual or potential problems? Things to keep in mind? Etc. Thanks in advance!

I block any attempts to ftp, ssh (std port) and telnet for one day. And I have a catchall at the end of the input chain that locks out anyone that attempts 10 connections that fall through to the catchall. Any comments, suggestions on this in particular?

I put this in a file called firewall.conf and call it from rc.local so the firewall can be automatically configured on linode boot. As I understand it there is a way to make sure it is started immediately after the network services to minimize any vulnerability. How would I do that?

Any other ideas, suggestions?

#!/bin/sh
# iptables configuration
# Insert in /etc/rc.local so that firewall is enabled at startup

# KEY PARAMETERS

# NONSTANDARD SSH PORT (replace XXXXX with the port number)
NEWSSH="XXXXX"

# Enter the designation for the external and internal interfaces
EXTIFA="eth0"
EXTIFB="eth0:0"
INTIF="eth0:1"

# Enter the NETWORK address the Internal Interface is on
INTNET='192.168.1.0/24'

# Enter the IP address of the Internal Interface
INTIP="192.168.XX.Y"

#Static IP Addresses
EXTIPA="12.34.56.78"
EXTIPB="34.67.89.12"

#LINODE RESOLVERS
RSVRA="74.207.241.5"
RSVRB="74.207.242.5"

##################################
# CLEAR ANY EXISTING CONFIGURATION

iptables -F

# Flush the user chain.. if it exists (the chain created below is named LOGDROP)
if [ "`iptables -L | grep LOGDROP`" ]; then
iptables -F LOGDROP
fi

# Flush the user chain.. if it exists
if [ "`iptables -L | grep PSCAN`" ]; then
iptables -F PSCAN
fi

# Delete all User-specified chains
iptables -X

# Reset all IPTABLES counters
iptables -Z

# Creating a DROP chain
iptables -N LOGDROP
iptables -A LOGDROP -j LOG --log-level info
iptables -A LOGDROP -j DROP

# Creating a PSCAN chain FOR SCAN THAT QUALIFIES FOR LOCKOUT
iptables -N PSCAN
iptables -A PSCAN -m recent --set --name intrusion
iptables -A PSCAN -j LOG --log-level info
iptables -A PSCAN -j DROP

# DEFAULT POLICY FOR PACKETS
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# INCOMING TRAFFIC RULES

# DROP INVALID packets
iptables -A INPUT -m state --state INVALID -j LOGDROP

# LOCAL RESOLVER
iptables -A INPUT -i $EXTIFA -s $RSVRA -j ACCEPT
iptables -A INPUT -i $EXTIFA -s $RSVRB -j ACCEPT
iptables -A INPUT -i $EXTIFB -s $RSVRA -j ACCEPT
iptables -A INPUT -i $EXTIFB -s $RSVRB -j ACCEPT

# loopback interfaces are valid.
iptables -A INPUT -i lo -j ACCEPT

# Include port 22 initially and drop after non-standard ssh port nnnnn is tested
#iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# 1 DAY LOCKOUT FOR CONNECT TO FTP, SSH, OR TELNET STD PORTS OR QUALIFIED PSCAN
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name intrusion
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name intrusion
iptables -A INPUT -p tcp --dport 23 -m state --state NEW -m recent --set --name intrusion
iptables -A INPUT -m recent --update --seconds 86400 --rttl --name intrusion -j LOGDROP

# local interface, my private ip address, going anywhere is valid
# DISABLED - AREN'T USING MY PRIVATE IP ADDRESS
#iptables -A INPUT -i $INTIF -s $INTNET -j ACCEPT

# remote interfaces, claiming to be local machines, IP spoofing, reject it
iptables -A INPUT -i $EXTIFA -s $INTNET -j LOGDROP
iptables -A INPUT -i $EXTIFB -s $INTNET -j LOGDROP

# outgoing to local net on remote interfaces, stuffed routing, deny
iptables -A OUTPUT -o $EXTIFA -d $INTNET -j LOGDROP
iptables -A OUTPUT -o $EXTIFB -d $INTNET -j LOGDROP

# NON-STANDARD SSH PORT
iptables -A INPUT -p tcp -m tcp --dport $NEWSSH -j ACCEPT

# Accept established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept www including ssl connections
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

#Accept smtp and secure smtp
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

# Network Time Protocol to synchronize time
iptables -A INPUT -p udp -m udp --dport 123 -j ACCEPT

# Internet Control Message Protocol including pings
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Can add this section when telephony apps are installed
# For SIP
# iptables -A INPUT -p udp -m udp --dport 5059:5061 -j ACCEPT
# For Asterisk 4569 and 5036
# iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
# Port for telephony and video conferencing apps
# iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT

# CATCHALL - >10 UNAUTHORIZED CONNECTION ATTEMPTS IN 1 HOUR PROBABLY AN INTRUDER SCAN -> 1 DAY LOCKOUT
iptables -A INPUT -m state --state NEW -m recent --set --name portscan
iptables -A INPUT -m state --state NEW -m recent --update --seconds 3600 --hitcount 10 --name portscan -j PSCAN
iptables -A INPUT -j LOGDROP

# List the resulting rules; note that iptables-save only prints the ruleset
# to stdout here, it does not persist anything unless redirected to a file
iptables -L
iptables-save

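On the question of starting the firewall as soon as the network comes up: on Debian, ifupdown runs every script in /etc/network/if-pre-up.d/ before it configures an interface, so a hook there can restore a saved ruleset before eth0 has an address, leaving no window between networking and rc.local. The hook below is an added example, not code from the original post; the paths /etc/network/if-pre-up.d/firewall and /etc/iptables.rules are assumptions.

```shell
#!/bin/sh
# Assumed path: /etc/network/if-pre-up.d/firewall (name without a dot, chmod 755).
# ifupdown runs it before each interface is brought up.  One-time preparation,
# as root, after the firewall.conf script above has been run once:
#   iptables-save > /etc/iptables.rules
# Both file names below are assumptions; change them to taste.

RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"
RESTORE_CMD="${RESTORE_CMD:-/sbin/iptables-restore}"

# Log to syslog when available, otherwise to stderr; never fails.
log() {
    logger -t firewall "$*" 2>/dev/null || echo "firewall: $*" >&2
}

# Refuse anything that is not a readable iptables-save dump with a filter
# table and a COMMIT: iptables-restore would otherwise abort part-way and
# leave the default ACCEPT policy in place.
rules_file_ok() {
    [ -r "$1" ] || return 1
    grep -q '^\*filter' "$1" || return 1
    grep -q '^COMMIT' "$1" || return 1
    return 0
}

# Load the saved ruleset atomically; returns non-zero (and logs) on failure
# so a broken file is noticed rather than silently ignored.
load_rules() {
    if ! rules_file_ok "$1"; then
        log "refusing to load $1: missing, unreadable or not an iptables-save dump"
        return 1
    fi
    if ! "$RESTORE_CMD" < "$1"; then
        log "iptables-restore failed for $1; host is NOT firewalled"
        return 1
    fi
    log "firewall rules loaded from $1"
    return 0
}

# ifupdown exports IFACE; only act when really run as a hook, so the file can
# also be sourced to test the functions.  A non-zero exit makes ifup abort
# bringing the interface up (fail closed; the Linode console still works).
if [ -n "$IFACE" ]; then
    load_rules "$RULES_FILE" || exit 1
fi
```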

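Since the LOGDROP and PSCAN chains above write every dropped packet to the kernel log without a --log-prefix, a quick way to check what the one-day lockouts and the 10-hit catchall are actually catching is to summarise those lines by source and port. This is an added example, not code from the original post; the log lines are constructed samples in the default LOG format and the addresses are documentation ranges.

```shell
#!/bin/sh
# Review helpers for the LOG lines the LOGDROP and PSCAN chains write to the
# kernel log (/var/log/kern.log on Debian Squeeze).  Assumes the default LOG
# format, i.e. no --log-prefix, as in the script above.
# Usage on the box: summarize_drops < /var/log/kern.log

# Constructed sample lines; the last one is an unrelated kernel message that
# must be ignored.  DST is the EXTIPA placeholder from the script.
sample_log() {
    h='Mar 15 15:25:01 linode kernel: [ 1234.5] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00'
    echo "$h SRC=203.0.113.9 DST=12.34.56.78 LEN=60 TTL=50 ID=0 DF PROTO=TCP SPT=44321 DPT=22 SYN URGP=0"
    echo "$h SRC=203.0.113.9 DST=12.34.56.78 LEN=60 TTL=50 ID=0 DF PROTO=TCP SPT=44322 DPT=22 SYN URGP=0"
    echo "$h SRC=203.0.113.9 DST=12.34.56.78 LEN=60 TTL=50 ID=0 DF PROTO=TCP SPT=44323 DPT=23 SYN URGP=0"
    echo "$h SRC=198.51.100.7 DST=12.34.56.78 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=5100 DPT=3306 SYN URGP=0"
    echo "$h SRC=198.51.100.7 DST=12.34.56.78 LEN=80 TTL=48 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=60"
    echo 'Mar 15 15:25:02 linode kernel: [ 1235.0] eth0: link is up'
}

# Print "SRC PROTO/DPT count" for every source/port pair seen, busiest first.
summarize_drops() {
    awk '/IN=/ && /SRC=/ {
            src = ""; dpt = "-"; proto = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "") hits[src " " proto "/" dpt]++
         }
         END { for (k in hits) print k, hits[k] }' | sort -k3,3nr -k1,1
}

# Sources with at least $1 dropped packets (default 10, the catchall
# --hitcount above): the addresses the recent match would have locked out.
lockout_candidates() {
    awk -v t="${1:-10}" '/IN=/ && /SRC=/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
         }
         END { for (s in n) if (n[s] >= t) print s, n[s] }' | sort -k2,2nr
}
```

Adding `--log-prefix "LOGDROP: "` and `--log-prefix "PSCAN: "` to the two LOG rules makes the chains distinguishable in the log, and the same awk filter can then key on the prefix.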