iptables Firewall for a Standalone System from Chapter 4


Chapter 4 covers the application protocols and firewall rules for the types of services most likely to be used on an individual, standalone Linux box. Additionally, both client and server rules are presented for services that not everyone will use. The complete iptables firewall script, as it would appear in /etc/rc.d/rc.firewall or /etc/init.d/firewall, follows:

#!/bin/sh

/sbin/modprobe ip_conntrack_ftp

CONNECTION_TRACKING="1"
ACCEPT_AUTH="0"
SSH_SERVER="0"
FTP_SERVER="0"
WEB_SERVER="0"
SSL_SERVER="0"
DHCP_CLIENT="1"

IPT="/sbin/iptables"                 # Location of iptables on your system
INTERNET="eth0"                      # Internet-connected interface
LOOPBACK_INTERFACE="lo"              # however your system names it
IPADDR="my.ip.address"               # your IP address
SUBNET_BASE="my.subnet.base"         # ISP network segment base address
SUBNET_BROADCAST="my.subnet.bcast"   # network segment broadcast address
MY_ISP="my.isp.address.range"        # ISP server & NOC address range

NAMESERVER="isp.name.server.1"       # address of a remote name server
POP_SERVER="isp.pop.server"          # address of a remote pop server
MAIL_SERVER="isp.mail.server"        # address of a remote mail gateway
NEWS_SERVER="isp.news.server"        # address of a remote news server
TIME_SERVER="some.time.server"       # address of a remote time server
DHCP_SERVER="isp.dhcp.server"        # address of your ISP dhcp server

LOOPBACK="127.0.0.0/8"               # reserved loopback address range
CLASS_A="10.0.0.0/8"                 # Class A private networks
CLASS_B="172.16.0.0/12"              # Class B private networks
CLASS_C="192.168.0.0/16"             # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"      # Class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"   # Class E reserved addresses
BROADCAST_SRC="0.0.0.0"              # broadcast source address
BROADCAST_DEST="255.255.255.255"     # broadcast destination address
PRIVPORTS="0:1023"                   # well-known, privileged port range
UNPRIVPORTS="1024:65535"             # unprivileged port range

SSH_PORTS="1024:65535"
NFS_PORT="2049"
LOCKD_PORT="4045"
SOCKS_PORT="1080"
OPENWINDOWS_PORT="2000"
XWINDOW_PORTS="6000:6063"
SQUID_PORT="3128"

###############################################################
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done

# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done

# Drop Spoofed Packets coming in on an interface, which, if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# Log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done

###############################################################
# Remove any existing rules from all chains
$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush

$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

$IPT --policy INPUT   ACCEPT
$IPT --policy OUTPUT  ACCEPT
$IPT --policy FORWARD ACCEPT
$IPT -t nat --policy PREROUTING  ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy OUTPUT ACCEPT

if [ "$1" = "stop" ]
then
    echo "Firewall completely stopped!  WARNING: THIS HOST HAS NO FIREWALL RUNNING."
    exit 0
fi

# Unlimited traffic on the loopback interface
$IPT -A INPUT  -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Set the default policy to drop
$IPT --policy INPUT   DROP
$IPT --policy OUTPUT  DROP
$IPT --policy FORWARD DROP
$IPT -t nat --policy PREROUTING  DROP
$IPT -t nat --policy OUTPUT DROP
$IPT -t nat --policy POSTROUTING DROP
$IPT -t mangle --policy PREROUTING DROP
$IPT -t mangle --policy OUTPUT DROP

###############################################################
# Stealth Scans and TCP State Flags

# Unclean (an experimental patch-o-matic match; omit this rule if your
# iptables does not provide it)
$IPT -A INPUT -m unclean -j DROP

# All of the bits are cleared
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# SYN and FIN are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# FIN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

# FIN is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP

# URG is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

###############################################################
# Using Connection State to By-pass Rule Checking

if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Using the state module alone, INVALID will break protocols that use
    # bi-directional connections or multiple connections or exchanges,
    # unless an ALG is provided for the protocol. At this time, FTP and
    # IRC are the only protocols with ALG support.
    $IPT -A INPUT -m state --state INVALID -j LOG \
             --log-prefix "INVALID input: "
    $IPT -A INPUT -m state --state INVALID -j DROP

    $IPT -A OUTPUT -m state --state INVALID -j LOG \
             --log-prefix "INVALID output: "
    $IPT -A OUTPUT -m state --state INVALID -j DROP
fi

###############################################################
# Source Address Spoofing and Other Bad Addresses

# Refuse spoofed packets pretending to be from
# the external interface's IP address
$IPT -A INPUT  -i $INTERNET -s $IPADDR -j DROP

# Refuse packets claiming to be from a Class A private network
$IPT -A INPUT  -i $INTERNET -s $CLASS_A -j DROP

# Refuse packets claiming to be from a Class B private network
$IPT -A INPUT  -i $INTERNET -s $CLASS_B -j DROP

# Refuse packets claiming to be from a Class C private network
$IPT -A INPUT  -i $INTERNET -s $CLASS_C -j DROP

# Refuse packets claiming to be from the loopback interface
$IPT -A INPUT  -i $INTERNET -s $LOOPBACK -j DROP

# Refuse malformed broadcast packets
$IPT -A INPUT  -i $INTERNET -s $BROADCAST_DEST -j LOG
$IPT -A INPUT  -i $INTERNET -s $BROADCAST_DEST -j DROP
$IPT -A INPUT  -i $INTERNET -d $BROADCAST_SRC  -j LOG
$IPT -A INPUT  -i $INTERNET -d $BROADCAST_SRC  -j DROP

if [ "$DHCP_CLIENT" = "0" ]; then
    # Refuse directed broadcasts
    # Used to map networks and in Denial of Service attacks
    $IPT -A INPUT -i $INTERNET -d $SUBNET_BASE -j DROP
    $IPT -A INPUT -i $INTERNET -d $SUBNET_BROADCAST -j DROP

    # Refuse limited broadcasts
    $IPT -A INPUT -i $INTERNET -d $BROADCAST_DEST -j DROP
fi

# Refuse Class D multicast addresses
# illegal as a source address
$IPT -A INPUT -i $INTERNET -s $CLASS_D_MULTICAST -j DROP

$IPT -A INPUT -i $INTERNET -p ! udp -d $CLASS_D_MULTICAST -j DROP
$IPT -A INPUT  -i $INTERNET -p udp -d $CLASS_D_MULTICAST -j ACCEPT

# Refuse Class E reserved IP addresses
$IPT -A INPUT  -i $INTERNET -s $CLASS_E_RESERVED_NET -j DROP

if [ "$DHCP_CLIENT" = "1" ]; then
    $IPT -A INPUT  -i $INTERNET -p udp \
             -s $BROADCAST_SRC --sport 67 \
             -d $BROADCAST_DEST --dport 68 -j ACCEPT
fi

# refuse addresses defined as reserved by the IANA
# 0.*.*.*          - Can't be blocked unilaterally with DHCP
# 169.254.0.0/16   - Link Local Networks
# 192.0.2.0/24     - TEST-NET
$IPT -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
$IPT -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP

###############################################################
# Disallowing Connections to Common TCP Unprivileged Server Ports

# X Window connection establishment
$IPT -A OUTPUT -o $INTERNET -p tcp --syn \
         --destination-port $XWINDOW_PORTS -j REJECT

# X Window: incoming connection attempt
$IPT -A INPUT -i $INTERNET -p tcp --syn \
         --destination-port $XWINDOW_PORTS -j DROP

# Establishing a connection over TCP to NFS, OpenWindows, SOCKS, or squid
$IPT -A OUTPUT -o $INTERNET -p tcp \
         -m multiport --destination-port \
         $NFS_PORT,$OPENWINDOWS_PORT,$SOCKS_PORT,$SQUID_PORT \
         --syn -j REJECT

$IPT -A INPUT -i $INTERNET -p tcp \
         -m multiport --destination-port \
         $NFS_PORT,$OPENWINDOWS_PORT,$SOCKS_PORT,$SQUID_PORT \
         --syn -j DROP

###############################################################
# Disallowing Connections to Common UDP Unprivileged Server Ports

# NFS and lockd
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -o $INTERNET -p udp \
             -m multiport --destination-port $NFS_PORT,$LOCKD_PORT \
             -m state --state NEW -j REJECT

    $IPT -A INPUT -i $INTERNET -p udp \
             -m multiport --destination-port $NFS_PORT,$LOCKD_PORT \
             -m state --state NEW -j DROP
else
    $IPT -A OUTPUT -o $INTERNET -p udp \
             -m multiport --destination-port $NFS_PORT,$LOCKD_PORT \
             -j REJECT

    $IPT -A INPUT -i $INTERNET -p udp \
             -m multiport --destination-port $NFS_PORT,$LOCKD_PORT \
             -j DROP
fi

###############################################################
# DNS Name Server

# DNS Forwarding Name Server or client requests
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -o $INTERNET -p udp \
             -s $IPADDR --sport $UNPRIVPORTS \
             -d $NAMESERVER --dport 53 \
             -m state --state NEW -j ACCEPT
fi

$IPT -A OUTPUT -o $INTERNET -p udp \
         -s $IPADDR --sport $UNPRIVPORTS \
         -d $NAMESERVER --dport 53 -j ACCEPT

$IPT -A INPUT  -i $INTERNET -p udp \
         -s $NAMESERVER --sport 53 \
         -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

#...............................................................
# TCP is used for large responses
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -o $INTERNET -p tcp \
             -s $IPADDR --sport $UNPRIVPORTS \
             -d $NAMESERVER --dport 53 \
             -m state --state NEW -j ACCEPT
fi

$IPT -A OUTPUT -o $INTERNET -p tcp \
         -s $IPADDR --sport $UNPRIVPORTS \
         -d $NAMESERVER --dport 53 -j ACCEPT

$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
         -s $NAMESERVER --sport 53 \
         -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

#...............................................................
# DNS Caching Name Server (local server to primary server)
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -o $INTERNET -p udp \
             -s $IPADDR --sport 53 \
             -d $NAMESERVER --dport 53 \
             -m state --state NEW -j ACCEPT
fi

$IPT -A OUTPUT -o $INTERNET -p udp \
         -s $IPADDR --sport 53 \
         -d $NAMESERVER --dport 53 -j ACCEPT

$IPT -A INPUT  -i $INTERNET -p udp \
         -s $NAMESERVER --sport 53 \
         -d $IPADDR --dport 53 -j ACCEPT

###############################################################
# Filtering the AUTH User Identification Service (TCP Port 113)

# Outgoing Local Client Requests to Remote Servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -o $INTERNET -p tcp \
             -s $IPADDR --sport $UNPRIVPORTS \
             --dport 113 -m state --state NEW -j ACCEPT
fi

$IPT -A OUTPUT -o $INTERNET -p tcp \
         -s $IPADDR --sport $UNPRIVPORTS \
         --dport 113 -j ACCEPT

$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
         --sport 113 \
         -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

#...............................................................
# Incoming Remote Client Requests to Local Servers
if [ "$ACCEPT_AUTH" = "1" ]; then
    if [ "$CONNECTION_TRACKING" = "1" ]; then
        $IPT -A INPUT  -i $INTERNET -p tcp \
                 --sport $UNPRIVPORTS \
                 -d $IPADDR --dport 113 \
                 -m state --state NEW -j ACCEPT
    fi

    $IPT -A INPUT  -i $INTERNET -p tcp \
             --sport $UNPRIVPORTS \
             -d $IPADDR --dport 113 -j ACCEPT

    $IPT -A OUTPUT -o $INTERNET -p tcp ! --syn \
             -s $IPADDR --sport 113 \
             --dport $UNPRIVPORTS -j ACCEPT
else
    $IPT -A INPUT -i $INTERNET -p tcp \
             --sport $UNPRIVPORTS \
             -d $IPADDR --dport 113 -j REJECT --reject-with tcp-reset
fi

###############################################################
# Sending Mail to Any External Mail Server

# Use "-d $MAIL_SERVER" if an ISP mail gateway is used instead
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -o $INTERNET -p tcp \
             -s $IPADDR --sport $UNPRIVPORTS \
             --dport 25 -m state --state NEW -j ACCEPT
fi

$IPT -A OUTPUT -o $INTERNET -p tcp \
         -s $IPADDR --sport $UNPRIVPORTS \
         --dport 25 -j ACCEPT

$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
         --sport 25 \
         -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

###############################################################
# Retrieving Mail as a POP Client (TCP Port 110)

if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -o $INTERNET -p tcp \
             -s $IPADDR --sport $UNPRIVPORTS \
             -d $POP_SERVER --dport 110 -m state --state NEW -j ACCEPT
fi

$IPT -A OUTPUT -o $INTERNET -p tcp \
         -s $IPADDR --sport $UNPRIVPORTS \
         -d $POP_SERVER --dport 110 -j ACCEPT

$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
         -s $POP_SERVER --sport 110 \
         -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

###############################################################
# Accessing Usenet News Services (TCP NNTP Port 119)

if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -o $INTERNET -p tcp \
             -s $IPADDR --sport $UNPRIVPORTS \
             -d $NEWS_SERVER --dport 119 -m state --state NEW -j ACCEPT
fi

$IPT -A OUTPUT -o $INTERNET -p tcp \
         -s $IPADDR --sport $UNPRIVPORTS \
         -d $NEWS_SERVER --dport 119 -j ACCEPT

$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
         -s $NEWS_SERVER --sport 119 \
         -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

###############################################################
# ssh (TCP Port 22)

# Outgoing Local Client Requests to Remote Servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -o $INTERNET -p tcp \
             -s $IPADDR --sport $SSH_PORTS \
             --dport 22 -m state --state NEW -j ACCEPT
fi

$IPT -A OUTPUT -o $INTERNET -p tcp \
         -s $IPADDR --sport $SSH_PORTS \
         --dport 22 -j ACCEPT

$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
         --sport 22 \
         -d $IPADDR --dport $SSH_PORTS -j ACCEPT

#...............................................................
# Incoming Remote Client Requests to Local Servers
if [ "$SSH_SERVER" = "1" ]; then
    if [ "$CONNECTION_TRACKING" = "1" ]; then
        $IPT -A INPUT  -i $INTERNET -p tcp \
                 --sport $SSH_PORTS \
                 -d $IPADDR --dport 22 \
                 -m state --state NEW -j ACCEPT
    fi

    $IPT -A INPUT  -i $INTERNET -p tcp \
             --sport $SSH_PORTS \
             -d $IPADDR --dport 22 -j ACCEPT

    $IPT -A OUTPUT -o $INTERNET -p tcp ! --syn \
             -s $IPADDR --sport 22 \
             --dport $SSH_PORTS -j ACCEPT
fi

###############################################################
# ftp (TCP Ports 21, 20)

# Outgoing Local Client Requests to Remote Servers

# Outgoing Control Connection to Port 21
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -o $INTERNET -p tcp \
             -s $IPADDR --sport $UNPRIVPORTS \
             --dport 21 -m state --state NEW -j ACCEPT
fi

$IPT -A OUTPUT -o $INTERNET -p tcp \
         -s $IPADDR --sport $UNPRIVPORTS \
         --dport 21 -j ACCEPT

$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
         --sport 21 \
         -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

# Incoming Port Mode Data Channel Connection from Port 20
if [ "$CONNECTION_TRACKING" = "1" ]; then
    # This rule is not necessary if the ip_conntrack_ftp
    # module is used.
    $IPT -A INPUT  -i $INTERNET -p tcp \
             --sport 20 \
             -d $IPADDR --dport $UNPRIVPORTS \
             -m state --state NEW -j ACCEPT
fi

$IPT -A INPUT  -i $INTERNET -p tcp \
         --sport 20 \
         -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

$IPT -A OUTPUT -o $INTERNET -p tcp ! --syn \
         -s $IPADDR --sport $UNPRIVPORTS \
         --dport 20 -j ACCEPT

# Outgoing Passive Mode Data Channel Connection Between Unprivileged Ports
if [ "$CONNECTION_TRACKING" = "1" ]; then
    # This rule is not necessary if the ip_conntrack_ftp
    # module is used.
    $IPT -A OUTPUT -o $INTERNET -p tcp \
             -s $IPADDR --sport $UNPRIVPORTS \
             --dport $UNPRIVPORTS -m state --state NEW -j ACCEPT
fi

$IPT -A OUTPUT -o $INTERNET -p tcp \
         -s $IPADDR --sport $UNPRIVPORTS \
         --dport $UNPRIVPORTS -j ACCEPT

$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
         --sport $UNPRIVPORTS \
         -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

#...............................................................
# Incoming Remote Client Requests to Local Servers
if [ "$FTP_SERVER" = "1" ]; then
    # Incoming Control Connection to Port 21
    if [ "$CONNECTION_TRACKING" = "1" ]; then
        $IPT -A INPUT  -i $INTERNET -p tcp \
                 --sport $UNPRIVPORTS \
                 -d $IPADDR --dport 21 \
                 -m state --state NEW -j ACCEPT
    fi

    $IPT -A INPUT  -i $INTERNET -p tcp \
             --sport $UNPRIVPORTS \
             -d $IPADDR --dport 21 -j ACCEPT

    $IPT -A OUTPUT -o $INTERNET -p tcp ! --syn \
             -s $IPADDR --sport 21 \
             --dport $UNPRIVPORTS -j ACCEPT

    # Outgoing Port Mode Data Channel Connection to Port 20
    if [ "$CONNECTION_TRACKING" = "1" ]; then
        $IPT -A OUTPUT -o $INTERNET -p tcp \
                 -s $IPADDR --sport 20 \
                 --dport $UNPRIVPORTS -m state --state NEW -j ACCEPT
    fi

    $IPT -A OUTPUT -o $INTERNET -p tcp \
             -s $IPADDR --sport 20 \
             --dport $UNPRIVPORTS -j ACCEPT

    $IPT -A INPUT -i $INTERNET -p tcp ! --syn \
             --sport $UNPRIVPORTS \
             -d $IPADDR --dport 20 -j ACCEPT

    # Incoming Passive Mode Data Channel Connection Between Unprivileged Ports
    if [ "$CONNECTION_TRACKING" = "1" ]; then
        $IPT -A INPUT  -i $INTERNET -p tcp \
                 --sport $UNPRIVPORTS \
                 -d $IPADDR --dport $UNPRIVPORTS \
                 -m state --state NEW -j ACCEPT
    fi

    $IPT -A INPUT  -i $INTERNET -p tcp \
             --sport $UNPRIVPORTS \
             -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

    $IPT -A OUTPUT -o $INTERNET -p tcp ! --syn \
             -s $IPADDR --sport $UNPRIVPORTS \
             --dport $UNPRIVPORTS -j ACCEPT
fi

###############################################################
# HTTP Web Traffic (TCP Port 80)

# Outgoing Local Client Requests to Remote Servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -o $INTERNET -p tcp \
             -s $IPADDR --sport $UNPRIVPORTS \
             --dport 80 -m state --state NEW -j ACCEPT
fi

$IPT -A OUTPUT -o $INTERNET -p tcp \
         -s $IPADDR --sport $UNPRIVPORTS \
         --dport 80 -j ACCEPT

$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
         --sport 80 \
         -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

#...............................................................
# Incoming Remote Client Requests to Local Servers
if [ "$WEB_SERVER" = "1" ]; then
    if [ "$CONNECTION_TRACKING" = "1" ]; then
        $IPT -A INPUT  -i $INTERNET -p tcp \
                 --sport $UNPRIVPORTS \
                 -d $IPADDR --dport 80 \
                 -m state --state NEW -j ACCEPT
    fi

    $IPT -A INPUT  -i $INTERNET -p tcp \
             --sport $UNPRIVPORTS \
             -d $IPADDR --dport 80 -j ACCEPT

    $IPT -A OUTPUT -o $INTERNET -p tcp ! --syn \
             -s $IPADDR --sport 80 \
             --dport $UNPRIVPORTS -j ACCEPT
fi

###############################################################
# SSL Web Traffic (TCP Port 443)

# Outgoing Local Client Requests to Remote Servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -o $INTERNET -p tcp \
             -s $IPADDR --sport $UNPRIVPORTS \
             --dport 443 -m state --state NEW -j ACCEPT
fi

$IPT -A OUTPUT -o $INTERNET -p tcp \
         -s $IPADDR --sport $UNPRIVPORTS \
         --dport 443 -j ACCEPT

$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
         --sport 443 \
         -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

#...............................................................
# Incoming Remote Client Requests to Local Servers
if [ "$SSL_SERVER" = "1" ]; then
    if [ "$CONNECTION_TRACKING" = "1" ]; then
        $IPT -A INPUT  -i $INTERNET -p tcp \
                 --sport $UNPRIVPORTS \
                 -d $IPADDR --dport 443 \
                 -m state --state NEW -j ACCEPT
    fi

    $IPT -A INPUT  -i $INTERNET -p tcp \
             --sport $UNPRIVPORTS \
             -d $IPADDR --dport 443 -j ACCEPT

    $IPT -A OUTPUT -o $INTERNET -p tcp ! --syn \
             -s $IPADDR --sport 443 \
             --dport $UNPRIVPORTS -j ACCEPT
fi

###############################################################
# whois (TCP Port 43)

# Outgoing Local Client Requests to Remote Servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -o $INTERNET -p tcp \
             -s $IPADDR --sport $UNPRIVPORTS \
             --dport 43 -m state --state NEW -j ACCEPT
fi

$IPT -A OUTPUT -o $INTERNET -p tcp \
         -s $IPADDR --sport $UNPRIVPORTS \
         --dport 43 -j ACCEPT

$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
         --sport 43 \
         -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

###############################################################
# Accessing Remote Network Time Servers (UDP 123)

# Note: Some client and servers use source port 123
# when querying a remote server on destination port 123.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -o $INTERNET -p udp \
             -s $IPADDR --sport $UNPRIVPORTS \
             -d $TIME_SERVER --dport 123 \
             -m state --state NEW -j ACCEPT
fi

$IPT -A OUTPUT -o $INTERNET -p udp \
         -s $IPADDR --sport $UNPRIVPORTS \
         -d $TIME_SERVER --dport 123 -j ACCEPT

$IPT -A INPUT  -i $INTERNET -p udp \
         -s $TIME_SERVER --sport 123 \
         -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

###############################################################
# Accessing Your ISP's DHCP Server (UDP Ports 67, 68)

# Some broadcast packets are explicitly ignored by the firewall.
# Others are dropped by the default policy.
# DHCP tests must precede broadcast-related rules, as DHCP relies
# on broadcast traffic initially.

if [ "$DHCP_CLIENT" = "1" ]; then
    # Initialization or rebinding: No lease or Lease time expired.
    $IPT -A OUTPUT -o $INTERNET -p udp \
             -s $BROADCAST_SRC --sport 68 \
             -d $BROADCAST_DEST --dport 67 -j ACCEPT

    # Incoming DHCPOFFER from available DHCP servers
    $IPT -A INPUT  -i $INTERNET -p udp \
             -s $BROADCAST_SRC --sport 67 \
             -d $BROADCAST_DEST --dport 68 -j ACCEPT

    # Fall back to initialization
    # The client knows its server, but has either lost its lease,
    # or else needs to reconfirm the IP address after rebooting.
    $IPT -A OUTPUT -o $INTERNET -p udp \
             -s $BROADCAST_SRC --sport 68 \
             -d $DHCP_SERVER --dport 67 -j ACCEPT

    $IPT -A INPUT  -i $INTERNET -p udp \
             -s $DHCP_SERVER --sport 67 \
             -d $BROADCAST_DEST --dport 68 -j ACCEPT

    # As a result of the above, we're supposed to change our IP
    # address with this message, which is addressed to our new
    # address before the dhcp client has received the update.
    # Depending on the server implementation, the destination address
    # can be the new IP address, the subnet address, or the limited
    # broadcast address.

    # If the network subnet address is used as the destination,
    # the next rule must allow incoming packets destined to the
    # subnet address, and the rule must precede any general rules
    # that block such incoming broadcast packets.
    $IPT -A INPUT  -i $INTERNET -p udp \
             -s $DHCP_SERVER --sport 67 \
             --dport 68 -j ACCEPT

    # Lease renewal
    $IPT -A OUTPUT -o $INTERNET -p udp \
             -s $IPADDR --sport 68 \
             -d $DHCP_SERVER --dport 67 -j ACCEPT

    $IPT -A INPUT  -i $INTERNET -p udp \
             -s $DHCP_SERVER --sport 67 \
             -d $IPADDR --dport 68 -j ACCEPT

    # Refuse directed broadcasts
    # Used to map networks and in Denial of Service attacks
    $IPT -A INPUT -i $INTERNET -d $SUBNET_BASE -j DROP
    $IPT -A INPUT -i $INTERNET -d $SUBNET_BROADCAST -j DROP

    # Refuse limited broadcasts
    $IPT -A INPUT -i $INTERNET -d $BROADCAST_DEST -j DROP
fi

###############################################################
# ICMP Control and Status Messages

# Log and drop initial ICMP fragments
$IPT -A INPUT  -i $INTERNET --fragment -p icmp -j LOG \
         --log-prefix "Fragmented ICMP: "
$IPT -A INPUT  -i $INTERNET --fragment -p icmp -j DROP

$IPT -A INPUT  -i $INTERNET -p icmp \
         --icmp-type source-quench -d $IPADDR -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p icmp \
         -s $IPADDR --icmp-type source-quench -j ACCEPT

$IPT -A INPUT  -i $INTERNET -p icmp \
         --icmp-type parameter-problem -d $IPADDR -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p icmp \
         -s $IPADDR --icmp-type parameter-problem -j ACCEPT

$IPT -A INPUT  -i $INTERNET -p icmp \
         --icmp-type destination-unreachable -d $IPADDR -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p icmp \
         -s $IPADDR --icmp-type fragmentation-needed -j ACCEPT

# Don't log dropped outgoing ICMP error messages
$IPT -A OUTPUT -o $INTERNET -p icmp \
         -s $IPADDR --icmp-type destination-unreachable -j DROP

# Intermediate traceroute responses
$IPT -A INPUT  -i $INTERNET -p icmp \
         --icmp-type time-exceeded -d $IPADDR -j ACCEPT

# allow outgoing pings to anywhere
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -o $INTERNET -p icmp \
             -s $IPADDR --icmp-type echo-request \
             -m state --state NEW -j ACCEPT
fi

$IPT -A OUTPUT -o $INTERNET -p icmp \
         -s $IPADDR --icmp-type echo-request -j ACCEPT
$IPT -A INPUT  -i $INTERNET -p icmp \
         --icmp-type echo-reply -d $IPADDR -j ACCEPT

# allow incoming pings from trusted hosts
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A INPUT  -i $INTERNET -p icmp \
             -s $MY_ISP --icmp-type echo-request -d $IPADDR \
             -m state --state NEW -j ACCEPT
fi

$IPT -A INPUT  -i $INTERNET -p icmp \
         -s $MY_ISP --icmp-type echo-request -d $IPADDR -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p icmp \
         -s $IPADDR --icmp-type echo-reply -d $MY_ISP -j ACCEPT

###############################################################
# Logging Dropped Packets

# Don't log dropped incoming echo-requests
$IPT -A INPUT -i $INTERNET -p icmp \
         --icmp-type ! 8 -d $IPADDR -j LOG
$IPT -A INPUT -i $INTERNET -p tcp \
         -d $IPADDR -j LOG
$IPT -A OUTPUT -o $INTERNET -j LOG

exit 0
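As an added example that is not part of the book's script: a small Python model that replays the INPUT chain's stealth-scan, connection-state and anti-spoofing checks in the script's order, so the verdict for a constructed packet can be checked before the ruleset is loaded into a kernel. The host address, interface name and sample packets are constructed placeholders for the script's "my.ip.address"-style values; the per-service rules are not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the script's placeholder values (not from the book)
INTERNET = "eth0"
IPADDR = ipaddress.ip_address("198.51.100.7")             # $IPADDR
BROADCAST_SRC = ipaddress.ip_address("0.0.0.0")           # $BROADCAST_SRC
BROADCAST_DEST = ipaddress.ip_address("255.255.255.255")  # $BROADCAST_DEST
NET = ipaddress.ip_network

# -s ranges refused before the DHCP rule, in script order
PRIVATE_SRC = [NET(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                "192.168.0.0/16", "127.0.0.0/8")]
CLASS_D, CLASS_E = NET("224.0.0.0/4"), NET("240.0.0.0/5")
# IANA-reserved -s ranges refused only after the DHCP rule: 0.0.0.0/8 would
# otherwise swallow the DHCPOFFER, which the script's own comment warns about
RESERVED_SRC = [NET(n) for n in ("0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24")]

ALL = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
# (mask, comp) pairs, one per --tcp-flags rule in the "Stealth Scans" section
STEALTH_SCAN = [
    (ALL, frozenset()),                                      # ALL NONE
    (frozenset({"SYN", "FIN"}), frozenset({"SYN", "FIN"})),
    (frozenset({"SYN", "RST"}), frozenset({"SYN", "RST"})),
    (frozenset({"FIN", "RST"}), frozenset({"FIN", "RST"})),
    (frozenset({"ACK", "FIN"}), frozenset({"FIN"})),         # FIN without ACK
    (frozenset({"ACK", "PSH"}), frozenset({"PSH"})),         # PSH without ACK
    (frozenset({"ACK", "URG"}), frozenset({"URG"})),         # URG without ACK
]


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    proto: str                         # "tcp", "udp" or "icmp"
    flags: frozenset = frozenset()     # TCP flag bits that are set
    sport: int = 0
    dport: int = 0
    state: str = "NEW"                 # how conntrack would classify it


def tcp_flags_match(flags, mask, comp):
    """Emulate --tcp-flags MASK COMP: of the bits in MASK, exactly COMP are set."""
    return (flags & mask) == comp


def input_verdict(pkt, connection_tracking=True, dhcp_client=True):
    """Replay the INPUT chain's sanity checks in script order and return the
    first terminating target. A LOG rule followed by DROP reports 'LOG+DROP';
    a packet that survives every check is handed on to the per-service rules,
    reported here as 'CONTINUE'."""
    if pkt.iface == "lo":
        return "ACCEPT"
    if pkt.proto == "tcp" and any(tcp_flags_match(pkt.flags, m, c)
                                  for m, c in STEALTH_SCAN):
        return "DROP"
    if connection_tracking:
        if pkt.state in ("ESTABLISHED", "RELATED"):
            return "ACCEPT"
        if pkt.state == "INVALID":
            return "LOG+DROP"
    if pkt.iface != INTERNET:
        return "CONTINUE"                # the -i $INTERNET rules do not apply
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src == IPADDR or any(src in n for n in PRIVATE_SRC):
        return "DROP"                    # spoofed external or private source
    if src == BROADCAST_DEST or dst == BROADCAST_SRC:
        return "LOG+DROP"                # malformed broadcast
    if not dhcp_client and dst == BROADCAST_DEST:
        return "DROP"                    # limited broadcast refused without DHCP
    if src in CLASS_D or src in CLASS_E:
        return "DROP"
    if dst in CLASS_D:
        return "ACCEPT" if pkt.proto == "udp" else "DROP"
    if (dhcp_client and pkt.proto == "udp" and src == BROADCAST_SRC
            and pkt.sport == 67 and dst == BROADCAST_DEST and pkt.dport == 68):
        return "ACCEPT"                  # DHCPOFFER, accepted ahead of 0.0.0.0/8
    if any(src in n for n in RESERVED_SRC):
        return "DROP"
    return "CONTINUE"
```

Swapping the order of the DHCP and 0.0.0.0/8 checks, or setting dhcp_client=False, shows why the script places the DHCPOFFER rule where it does.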




Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
ISBN: 1593271417
Year: 2005
Pages: 163
Authors: Michael Rash
