Linode Forum
https://forum.linode.com/

IPTABLES and Firewall startup on boot
https://forum.linode.com/viewtopic.php?f=19&t=6827
Page 1 of 1

Author:  awitko [ Tue Mar 15, 2011 3:25 pm ]
Post subject:  IPTABLES and Firewall startup on boot

I took a stab at writing my own firewall script using iptables, based on code snippets from here and there on the internet and some ideas of my own. My linode is mostly a hobby/learning tool with several small websites; I may use phplist, asterisk, wordpress, or drupal on some of them. I am running Debian Squeeze.

Any comments on this? Actual or potential problems? Things to keep in mind? Etc. Thanks in advance!

I block any attempts to ftp, ssh (std port) and telnet for one day. And I have a catchall at the end of the input chain that locks out anyone who makes 10 connection attempts that fall through to the catchall. Any comments or suggestions on this in particular?

I put this in a file called firewall.conf and call it from rc.local so the firewall is automatically configured when the linode boots. As I understand it, there is a way to make sure it is started immediately after the network services to minimize any vulnerability. How would I do that?

Any other ideas, suggestions?

#!/bin/sh
# iptables configuration
# Called from /etc/rc.local so that the firewall is enabled at startup

# KEY PARAMETERS

# NONSTANDARD SSH PORT (insert the port number in place of XXXXX)
NEWSSH=XXXXX

# Enter the names of the external interfaces (and alias) and the internal interface
EXTIFA="eth0"
EXTIFB="eth0:0"
INTIF="eth0:1"

# Enter the NETWORK address the Internal Interface is on
INTNET='192.168.1.0/24'

# Enter the IP address of the Internal Interface
INTIP="192.168.XX.Y"

# Static IP Addresses
EXTIPA="12.34.56.78"
EXTIPB="34.67.89.12"

# LINODE RESOLVERS
RSVRA="74.207.241.5"
RSVRB="74.207.242.5"

##################################
# CLEAR ANY EXISTING CONFIGURATION

# Flush every chain in the filter table (built-in and user-defined)
iptables -F

# Flush the LOGDROP user chain if it exists (the chain created below is
# named LOGDROP, so that is the name to test for)
if iptables -L -n | grep -q LOGDROP; then
iptables -F LOGDROP
fi

# Flush the PSCAN user chain if it exists
if iptables -L -n | grep -q PSCAN; then
iptables -F PSCAN
fi

# Delete all User-specified chains (only works once they are empty, hence the flushes above)
iptables -X

# Reset all IPTABLES counters
iptables -Z

# Creating a DROP chain that logs before dropping
iptables -N LOGDROP
iptables -A LOGDROP -j LOG --log-level info
iptables -A LOGDROP -j DROP

# Creating a PSCAN chain FOR SCAN THAT QUALIFIES FOR LOCKOUT
# (adds the source to the 'intrusion' list, which the INPUT chain drops for one day)
iptables -N PSCAN
iptables -A PSCAN -m recent --set --name intrusion
iptables -A PSCAN -j LOG --log-level info
iptables -A PSCAN -j DROP

# DEFAULT POLICY FOR PACKETS
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# INCOMING TRAFFIC RULES

# DROP INVALID packets
iptables -A INPUT -m state --state INVALID -j LOGDROP

# LOCAL RESOLVER
iptables -A INPUT -i $EXTIFA -s $RSVRA -j ACCEPT
iptables -A INPUT -i $EXTIFA -s $RSVRB -j ACCEPT
iptables -A INPUT -i $EXTIFB -s $RSVRA -j ACCEPT
iptables -A INPUT -i $EXTIFB -s $RSVRB -j ACCEPT

# loopback interfaces are valid.
iptables -A INPUT -i lo -j ACCEPT

# Include port 22 initially and remove it once the non-standard ssh port has been tested
#iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# 1 DAY LOCKOUT FOR CONNECT TO FTP, SSH, OR TELNET STD PORTS OR QUALIFIED PSCAN
# A NEW connection to 21, 22 or 23 adds the source to the 'intrusion' list;
# every later packet from a listed source is dropped (and refreshes the entry)
# until 86400 seconds have passed without a packet. This rule sits before the
# ESTABLISHED,RELATED accept on purpose, so existing flows are cut off too.
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name intrusion
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name intrusion
iptables -A INPUT -p tcp --dport 23 -m state --state NEW -m recent --set --name intrusion
iptables -A INPUT -m recent --update --seconds 86400 --rttl --name intrusion -j LOGDROP

# local interface, my private ip address, going anywhere is valid
# DISABLED - AREN'T USING MY PRIVATE IP ADDRESS
#iptables -A INPUT -i $INTIF -s $INTNET -j ACCEPT

# remote interfaces, claiming to be local machines, IP spoofing, reject it
iptables -A INPUT -i $EXTIFA -s $INTNET -j LOGDROP
iptables -A INPUT -i $EXTIFB -s $INTNET -j LOGDROP

# outgoing to local net on remote interfaces, stuffed routing, deny
iptables -A OUTPUT -o $EXTIFA -d $INTNET -j LOGDROP
iptables -A OUTPUT -o $EXTIFB -d $INTNET -j LOGDROP

# NON-STANDARD SSH PORT
iptables -A INPUT -p tcp -m tcp --dport $NEWSSH -j ACCEPT

# Accept established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept www including ssl connections
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# Accept smtp and secure smtp
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

# Network Time Protocol to synchronize time
iptables -A INPUT -p udp -m udp --dport 123 -j ACCEPT

# Internet Control Message Protocol including pings
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Can add this section when telephony apps are installed
# For SIP
# iptables -A INPUT -p udp -m udp --dport 5059:5061 -j ACCEPT
# For Asterisk 4569 and 5036
# iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
# Port for telephony and video conferencing apps
# iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT

# CATCHALL - >10 UNAUTHORIZED CONNECTION ATTEMPTS IN 1 HOUR PROBABLY AN INTRUDER SCAN -> 1 DAY LOCKOUT
# Only NEW packets that matched none of the accepts above reach this point
iptables -A INPUT -m state --state NEW -m recent --set --name portscan
iptables -A INPUT -m state --state NEW -m recent --update --seconds 3600 --hitcount 10 --name portscan -j PSCAN
iptables -A INPUT -j LOGDROP

# List the rules; iptables-save prints the ruleset to stdout (it does not
# persist anything by itself; redirect it to a file if you want to keep it)
iptables -L
iptables-save
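To see what the two `-m recent` lockouts in the posted INPUT chain actually do to traffic, the following is an added example (mine, not the poster's script) that models the `--set` / `--update --seconds --hitcount` semantics in Python and runs the chain order over constructed packets: one SYN to port 22 bans the source for a day and every further packet extends the ban; ten unmatched NEW packets within an hour trip PSCAN; ordinary port-80 traffic never reaches the catchall. Assumptions: `NEWSSH = 2222` stands in for the XXXXX placeholder, the interface, resolver and `--rttl` checks are not modelled, and the kernel's per-address entry limit (`ip_pkt_list_tot`) is ignored.

```python
"""Model of the -m recent lockout rules in the posted INPUT chain (added example)."""
from collections import defaultdict

NEWSSH = 2222                     # assumed value for the XXXXX placeholder
OPEN_TCP = {NEWSSH, 80, 443, 25, 465}
OPEN_UDP = {123}
TRAP_TCP = {21, 22, 23}           # one NEW connection here -> one-day lockout


class RecentTable:
    """Minimal model of xt_recent: per-list, per-source packet timestamps."""

    def __init__(self):
        self.lists = defaultdict(lambda: defaultdict(list))

    def set(self, name, src, now):
        # --set: add src to the list (or refresh it) with the current time
        self.lists[name][src].append(now)

    def update(self, name, src, now, seconds, hitcount=1):
        # --update --seconds S [--hitcount N]: match when src is listed and at
        # least N packets from it were seen in the last S seconds; a match
        # refreshes the entry, which is what keeps a persistent source banned.
        hits = self.lists[name].get(src)
        if not hits:
            return False
        if len([t for t in hits if now - t <= seconds]) >= hitcount:
            hits.append(now)
            return True
        return False


def input_chain(table, pkt):
    """Verdict the posted INPUT chain gives pkt (keys: src, proto, dport, state, t)."""
    src, t, new = pkt["src"], pkt["t"], pkt["state"] == "NEW"
    if pkt["state"] == "INVALID":
        return "LOGDROP"
    # trap: NEW connection to ftp/ssh/telnet standard ports lists the source
    if pkt["proto"] == "tcp" and new and pkt["dport"] in TRAP_TCP:
        table.set("intrusion", src, t)
    # every packet from a listed source is dropped while the entry is fresh;
    # this comes before ESTABLISHED, so existing flows are cut off too
    if table.update("intrusion", src, t, seconds=86400):
        return "LOGDROP"
    if pkt["proto"] == "tcp" and pkt["dport"] == NEWSSH:
        return "ACCEPT"
    if pkt["state"] in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if pkt["proto"] == "tcp" and pkt["dport"] in OPEN_TCP:
        return "ACCEPT"
    if pkt["proto"] == "udp" and pkt["dport"] in OPEN_UDP:
        return "ACCEPT"
    if pkt["proto"] == "icmp":
        return "ACCEPT"
    # catchall: ten unmatched NEW packets within an hour -> PSCAN -> one-day ban
    if new:
        table.set("portscan", src, t)
        if table.update("portscan", src, t, seconds=3600, hitcount=10):
            table.set("intrusion", src, t)      # what the PSCAN chain does
            return "PSCAN"
    return "LOGDROP"


def tcp(src, dport, t, state="NEW"):
    """Constructed TCP packet record (test data, not captured traffic)."""
    return {"src": src, "proto": "tcp", "dport": dport, "state": state, "t": t}


def run(packets):
    """Feed a packet sequence through one fresh recent table; return verdicts."""
    table = RecentTable()
    return [input_chain(table, p) for p in packets]


# Scenario 1: one SYN to port 22 bans the source; each later packet refreshes
# the entry, so the day runs from the LAST attempt, not the first.
SCENARIO_SSH = [
    tcp("198.51.100.7", 22, 0),               # trap -> LOGDROP
    tcp("198.51.100.7", NEWSSH, 10),          # still banned
    tcp("198.51.100.7", 80, 86000),           # refreshes the entry
    tcp("198.51.100.7", 80, 86500),           # >1 day after first hit, still banned
    tcp("198.51.100.7", 80, 86500 + 86401),   # quiet for a full day -> ACCEPT
]

# Scenario 2: nine probes to closed ports are logged and dropped; the tenth
# within the hour trips PSCAN, after which even port 80 is refused.
SCENARIO_SCAN = [tcp("203.0.113.9", 1000 + i, i * 60) for i in range(10)] + [
    tcp("203.0.113.9", 80, 700)
]

# Scenario 3: a busy web client is accepted before the catchall, never counted.
SCENARIO_WEB = [tcp("192.0.2.5", 80, i) for i in range(50)]

if __name__ == "__main__":
    for name, sc in (("ssh", SCENARIO_SSH), ("scan", SCENARIO_SCAN), ("web", SCENARIO_WEB)):
        print(name, run(sc))
```

The refresh behaviour in scenario 1 is the part worth checking against the real rule: because the `--update ... --name intrusion` line matches every packet, not just NEW ones, a source that keeps retrying stays locked out indefinitely, and a legitimate host that once touched port 22 has to go completely quiet for a day before its port-80 or new-port-ssh traffic is accepted again.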

All times are UTC-04:00