iptables Firewall for a Choke Firewall from Chapter 6


Chapter 6 built on the standalone firewall example to develop either a gateway or a choke firewall. The gateway separated the Internet from the DMZ; the choke separated the DMZ from the LAN. The two firewalls were largely identical in what they forwarded. They differed in that the gateway host didn't host any services, whereas the choke firewall hosted services for the LAN.

NAT wasn't used in the Chapter 6 sample scripts. A private Class C network block was divided between the DMZ and the LAN purely as a demonstration, and the scripts were written as if both subnets' address spaces were publicly routable rather than private. The FORWARD rules perform the actual firewall filtering; the nat table only performs the address translation. To adapt the script to perform NAT, a single rule must be added to the nat table's POSTROUTING chain:

 $IPT -t nat -A POSTROUTING -o $DMZ_INTERFACE \
          -j SNAT --to-source $DMZ_IPADDR

Following is the Chapter 6 choke firewall script. The fallback rules for the case where the connection state is lost are not included.

#!/bin/sh

# FTP connection-tracking helper; newer kernels name the module nf_conntrack_ftp.
/sbin/modprobe nf_conntrack_ftp 2>/dev/null || /sbin/modprobe ip_conntrack_ftp

CONNECTION_TRACKING="1"
ACCEPT_AUTH="0"
DHCP_SERVER="1"                      # this host is the DHCP server for the LAN

IPT="/sbin/iptables"                 # Location of iptables on your system

DMZ_INTERFACE="eth0"                 # network interface to the DMZ
LAN_INTERFACE="eth1"                 # network interface to the LAN
LOOPBACK_INTERFACE="lo"              # however your system names it

DMZ_IPADDR="192.168.1.126"           # DMZ IP address
GATEWAY_IPADDR="192.168.1.65"        # gateway firewall - the router
DMZ_ADDRESSES="192.168.1.64/26"      # DMZ IP address range
DMZ_NETWORK="192.168.1.64"           # DMZ subnet base address
DMZ_BROADCAST="192.168.1.127"        # DMZ broadcast address

LAN_IPADDR="192.168.1.129"           # LAN IP address
LAN_ADDRESSES="192.168.1.128/26"     # LAN IP address range
LAN_NETWORK="192.168.1.128"          # LAN subnet base address
LAN_BROADCAST="192.168.1.191"        # LAN broadcast address
LAN_NETMASK="255.255.255.192"

NAMESERVER="isp.name.server.1"       # address of a remote name server
POP_SERVER="isp.pop.server"          # address of a remote pop server
MAIL_SERVER="isp.mail.server"        # address of a remote mail gateway
NEWS_SERVER="isp.news.server"        # address of a remote news server
TIME_SERVER="some.time.server"       # address of a remote time server
ISP_DHCP_SERVER="isp.dhcp.server"    # address of your ISP dhcp server (renamed here
                                     # so it no longer overwrites the DHCP_SERVER flag)
SSH_CLIENT="some.ssh.client"         # remote host allowed to ssh into the LAN
PRINTER_ADDRESS="local networked printer"

LOOPBACK="127.0.0.0/8"               # reserved loopback address range
CLASS_A="10.0.0.0/8"                 # Class A private networks
CLASS_B="172.16.0.0/12"              # Class B private networks
CLASS_C="192.168.0.0/16"             # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"      # Class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"   # Class E reserved addresses
BROADCAST_SRC="0.0.0.0"              # broadcast source address
BROADCAST_DEST="255.255.255.255"     # broadcast destination address

PRIVPORTS="0:1023"                   # well-known, privileged port range
UNPRIVPORTS="1024:65535"             # unprivileged port range

###############################################################

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done

# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done

# Drop Spoofed Packets coming in on an interface, which, if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# Log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done

###############################################################

# Remove any existing rules from all chains
$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush

$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

$IPT --policy INPUT   ACCEPT
$IPT --policy OUTPUT  ACCEPT
$IPT --policy FORWARD ACCEPT
$IPT -t nat --policy PREROUTING  ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy OUTPUT ACCEPT

if [ "$1" = "stop" ]
then
echo "Firewall completely stopped!  WARNING: THIS HOST HAS NO FIREWALL RUNNING."
exit 0
fi

# Unlimited traffic on the loopback interface
$IPT -A INPUT  -i $LOOPBACK_INTERFACE -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

# Set the default policy to drop. A built-in chain policy must be ACCEPT
# or DROP; REJECT is a rule target, not a valid chain policy.
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP

###############################################################
# Stealth Scans and TCP State Flags

# All of the bits are cleared
$IPT -A INPUT   -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

# SYN and FIN are both set
$IPT -A INPUT   -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN and RST are both set
$IPT -A INPUT   -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# FIN and RST are both set
$IPT -A INPUT   -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

# FIN is the only bit set, without the expected accompanying ACK
$IPT -A INPUT   -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPT -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP

# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT   -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP

# URG is the only bit set, without the expected accompanying ACK
$IPT -A INPUT   -p tcp --tcp-flags ACK,URG URG -j DROP
$IPT -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP

###############################################################
# Using Connection State to By-pass Rule Checking

# Using the state module alone, INVALID will break protocols that use
# bidirectional connections or multiple connections or exchanges,
# unless an ALG is provided for the protocol. At this time, FTP is the
# only protocol with ALG support.

if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    $IPT -A INPUT -m state --state INVALID -j LOG \
             --log-prefix "INVALID input: "
    $IPT -A INPUT -m state --state INVALID -j DROP

    $IPT -A OUTPUT -m state --state INVALID -j LOG \
             --log-prefix "INVALID output: "
    $IPT -A OUTPUT -m state --state INVALID -j DROP

    $IPT -A FORWARD -m state --state INVALID -j LOG \
             --log-prefix "INVALID forward: "
    $IPT -A FORWARD -m state --state INVALID -j DROP
fi

###############################################################
# Source Address Spoofing and Other Bad Addresses

# Refuse spoofed packets pretending to be from you
$IPT -A INPUT -s $DMZ_IPADDR -j DROP
$IPT -A INPUT -s $LAN_IPADDR -j DROP
$IPT -A FORWARD -s $DMZ_IPADDR -j DROP
$IPT -A FORWARD -s $LAN_IPADDR -j DROP

$IPT -A INPUT -i $DMZ_INTERFACE \
         -s $LAN_ADDRESSES -j DROP
$IPT -A FORWARD -i $DMZ_INTERFACE \
         -s $LAN_ADDRESSES -j DROP
$IPT -A FORWARD -i $LAN_INTERFACE \
         ! -s $LAN_ADDRESSES -j DROP

$IPT -A OUTPUT -o $DMZ_INTERFACE ! -s $DMZ_IPADDR -j DROP

# The DHCP reply rule must precede the outgoing LAN spoof check below,
# otherwise replies sourced from $BROADCAST_SRC would be dropped by it.
if [ "$DHCP_SERVER" = "1" ]; then
    $IPT -A OUTPUT -o $LAN_INTERFACE -p udp \
             -s $BROADCAST_SRC --sport 67 \
             -d $BROADCAST_DEST --dport 68 -j ACCEPT
fi

$IPT -A OUTPUT -o $LAN_INTERFACE ! -s $LAN_IPADDR -j DROP

# Refuse malformed broadcast packets
$IPT -A FORWARD -i $LAN_INTERFACE -o $DMZ_INTERFACE \
         -d $BROADCAST_SRC -j DROP

# Don't forward directed broadcasts
$IPT -A FORWARD -i $LAN_INTERFACE -o $DMZ_INTERFACE \
         -d $DMZ_NETWORK -j DROP
$IPT -A FORWARD -i $LAN_INTERFACE -o $DMZ_INTERFACE \
         -d $DMZ_BROADCAST -j DROP

# Don't forward limited broadcasts in either direction
$IPT -A FORWARD -d $BROADCAST_DEST -j DROP

# Only UDP may be sent to multicast addresses
$IPT -A INPUT   ! -p udp -d $CLASS_D_MULTICAST -j DROP
$IPT -A FORWARD ! -p udp -d $CLASS_D_MULTICAST -j DROP

###############################################################
# ICMP Control and Status Messages

# Log and drop initial ICMP fragments
$IPT -A INPUT --fragment -p icmp -j LOG \
         --log-prefix "Fragmented incoming ICMP: "
$IPT -A INPUT --fragment -p icmp -j DROP

$IPT -A OUTPUT --fragment -p icmp -j LOG \
         --log-prefix "Fragmented outgoing ICMP: "
$IPT -A OUTPUT --fragment -p icmp -j DROP

$IPT -A FORWARD --fragment -p icmp -j LOG \
         --log-prefix "Fragmented forwarded ICMP: "
$IPT -A FORWARD --fragment -p icmp -j DROP

$IPT -A INPUT -p icmp \
         --icmp-type source-quench -d $DMZ_IPADDR -j ACCEPT
$IPT -A OUTPUT -p icmp \
         --icmp-type source-quench -j ACCEPT
$IPT -A FORWARD -p icmp \
         --icmp-type source-quench -j ACCEPT

$IPT -A INPUT -p icmp \
         --icmp-type parameter-problem -j ACCEPT
$IPT -A OUTPUT -p icmp \
         --icmp-type parameter-problem -j ACCEPT
$IPT -A FORWARD -p icmp \
         --icmp-type parameter-problem -j ACCEPT

$IPT -A INPUT -p icmp \
         --icmp-type destination-unreachable -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -p icmp \
         --icmp-type destination-unreachable -d $LAN_ADDRESSES -j ACCEPT
$IPT -A FORWARD -o $LAN_INTERFACE -p icmp \
         --icmp-type destination-unreachable -d $LAN_ADDRESSES -j ACCEPT

$IPT -A OUTPUT -p icmp \
         --icmp-type fragmentation-needed -j ACCEPT
$IPT -A FORWARD -p icmp \
         --icmp-type fragmentation-needed -j ACCEPT

# Don't log dropped outgoing ICMP error messages
$IPT -A OUTPUT  -p icmp \
         --icmp-type destination-unreachable -j DROP
$IPT -A FORWARD -o $DMZ_INTERFACE -p icmp \
         --icmp-type destination-unreachable -j DROP

# Intermediate traceroute responses
$IPT -A INPUT -p icmp \
         --icmp-type time-exceeded -j ACCEPT
$IPT -A FORWARD -o $LAN_INTERFACE -p icmp \
         --icmp-type time-exceeded -d $LAN_ADDRESSES -j ACCEPT

# allow outgoing pings to anywhere
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -p icmp \
             --icmp-type echo-request \
             -m state --state NEW -j ACCEPT

    $IPT -A FORWARD -o $DMZ_INTERFACE -p icmp \
             --icmp-type echo-request -s $LAN_ADDRESSES \
             -m state --state NEW -j ACCEPT
fi

# allow incoming pings from trusted hosts
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A INPUT  -i $DMZ_INTERFACE -p icmp \
             -s $GATEWAY_IPADDR --icmp-type echo-request -d $DMZ_IPADDR \
             -m state --state NEW -j ACCEPT
    $IPT -A INPUT  -i $LAN_INTERFACE -p icmp \
             -s $LAN_ADDRESSES --icmp-type echo-request -d $LAN_IPADDR \
             -m state --state NEW -j ACCEPT
fi

###############################################################
# DNS Name Server

# DNS LAN clients to private server (53)
$IPT -A INPUT  -i $LAN_INTERFACE -p udp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS \
         -d $LAN_IPADDR --dport 53 \
         -m state --state NEW -j ACCEPT
$IPT -A INPUT  -i $LAN_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS \
         -d $LAN_IPADDR --dport 53 \
         -m state --state NEW -j ACCEPT
$IPT -A INPUT  -i $DMZ_INTERFACE -p udp \
         -s $DMZ_ADDRESSES --sport $UNPRIVPORTS \
         -d $DMZ_IPADDR --dport 53 \
         -m state --state NEW -j ACCEPT

# DNS caching & forwarding name server (53)
$IPT -A OUTPUT -o $DMZ_INTERFACE -p udp \
         -s $DMZ_IPADDR --sport 53 \
         -d $NAMESERVER --dport 53 \
         -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $DMZ_INTERFACE -p udp \
         -s $DMZ_IPADDR --sport $UNPRIVPORTS \
         -d $NAMESERVER --dport 53 \
         -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $DMZ_INTERFACE -p tcp \
         -s $DMZ_IPADDR --sport $UNPRIVPORTS \
         -d $NAMESERVER --dport 53 \
         -m state --state NEW -j ACCEPT

###############################################################
# Filtering the AUTH User Identification Service (TCP Port 113)

$IPT -A FORWARD -i $LAN_INTERFACE -o $DMZ_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS --dport 113 \
         -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $DMZ_INTERFACE -o $LAN_INTERFACE -p tcp \
         --sport $UNPRIVPORTS -d $LAN_ADDRESSES --dport 113 \
         -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $LAN_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS -d $LAN_IPADDR --dport 113 \
         -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $DMZ_INTERFACE -p tcp \
         -s $DMZ_ADDRESSES --sport $UNPRIVPORTS -d $DMZ_IPADDR --dport 113 \
         -m state --state NEW -j ACCEPT

###############################################################
# Sending Mail to the Mail Gateway Server (TCP Port 25)

$IPT -A FORWARD -i $LAN_INTERFACE -o $DMZ_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS \
         -d $MAIL_SERVER --dport 25 \
         -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $DMZ_INTERFACE -p tcp \
         -s $DMZ_IPADDR --sport $UNPRIVPORTS \
         -d $MAIL_SERVER --dport 25 \
         -m state --state NEW -j ACCEPT

###############################################################
# Retrieving Mail as a POP Client (TCP Port 110)

$IPT -A FORWARD -i $LAN_INTERFACE -o $DMZ_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS \
         -d $POP_SERVER --dport 110 \
         -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $DMZ_INTERFACE -p tcp \
         -s $DMZ_IPADDR --sport $UNPRIVPORTS \
         -d $POP_SERVER --dport 110 \
         -m state --state NEW -j ACCEPT

###############################################################
# Accessing Usenet News Services (TCP NNTP Port 119)

$IPT -A FORWARD -i $LAN_INTERFACE -o $DMZ_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS \
         -d $NEWS_SERVER --dport 119 \
         -m state --state NEW -j ACCEPT

###############################################################
# ssh (TCP Port 22)

$IPT -A OUTPUT  -o $DMZ_INTERFACE -p tcp \
         -s $DMZ_IPADDR --sport $UNPRIVPORTS \
         -d $DMZ_ADDRESSES --dport 22 \
         -m state --state NEW -j ACCEPT
$IPT -A FORWARD  -i $LAN_INTERFACE -o $DMZ_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS --dport 22 \
         -m state --state NEW -j ACCEPT
# Incoming ssh from the trusted remote client to LAN hosts. The destination
# is the LAN range; the original listed $SSH_CLIENT as both source and
# destination, which can never match.
$IPT -A FORWARD  -i $DMZ_INTERFACE -o $LAN_INTERFACE -p tcp \
         -s $SSH_CLIENT --sport $UNPRIVPORTS \
         -d $LAN_ADDRESSES --dport 22 \
         -m state --state NEW -j ACCEPT

###############################################################
# ftp (TCP Ports 21, 20)

# Outgoing Local Client Requests to Remote Servers
$IPT -A FORWARD -i $LAN_INTERFACE -o $DMZ_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS --dport 21 \
         -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $DMZ_INTERFACE -p tcp \
         -s $DMZ_IPADDR --sport $UNPRIVPORTS --dport 21 \
         -m state --state NEW -j ACCEPT

###############################################################
# HTTP Web Traffic (TCP Port 80)

$IPT -A FORWARD  -i $LAN_INTERFACE -o $DMZ_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS --dport 80 \
         -m state --state NEW -j ACCEPT
$IPT -A OUTPUT  -o $DMZ_INTERFACE -p tcp \
         -s $DMZ_IPADDR --sport $UNPRIVPORTS --dport 80 \
         -m state --state NEW -j ACCEPT

###############################################################
# SSL Web Traffic (TCP Port 443)

$IPT -A FORWARD  -i $LAN_INTERFACE -o $DMZ_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS --dport 443 \
         -m state --state NEW -j ACCEPT
$IPT -A OUTPUT  -o $DMZ_INTERFACE -p tcp \
         -s $DMZ_IPADDR --sport $UNPRIVPORTS --dport 443 \
         -m state --state NEW -j ACCEPT

###############################################################
# whois (TCP Port 43)

$IPT -A FORWARD  -i $LAN_INTERFACE -o $DMZ_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS --dport 43 \
         -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $DMZ_INTERFACE -p tcp \
         -s $DMZ_IPADDR --sport $UNPRIVPORTS --dport 43 \
         -m state --state NEW -j ACCEPT

###############################################################
# Networked Printer (TCP Port 515)

$IPT -A OUTPUT -o $LAN_INTERFACE -p tcp \
         -s $LAN_IPADDR --sport $PRIVPORTS \
         -d $PRINTER_ADDRESS --dport 515 \
         -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $DMZ_INTERFACE -o $LAN_INTERFACE -p tcp \
         -s $DMZ_ADDRESSES --sport $UNPRIVPORTS \
         -d $PRINTER_ADDRESS --dport 515 \
         -m state --state NEW -j ACCEPT

###############################################################
# Accessing Network Time Server (UDP 123)

# Note: Some clients and servers use source port 123
# when querying a remote server on destination port 123.

$IPT -A OUTPUT  -o $DMZ_INTERFACE -p udp \
         -s $DMZ_IPADDR --sport $UNPRIVPORTS \
         -d $GATEWAY_IPADDR --dport 123 \
         -m state --state NEW -j ACCEPT
$IPT -A INPUT  -i $LAN_INTERFACE -p udp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS \
         -d $LAN_IPADDR --dport 123 \
         -m state --state NEW -j ACCEPT
$IPT -A INPUT  -i $LAN_INTERFACE -p udp \
         -s $LAN_ADDRESSES --sport 123 \
         -d $LAN_IPADDR --dport 123 \
         -m state --state NEW -j ACCEPT

###############################################################
# Accessing a Local DHCP Server (UDP Ports 67, 68)

$IPT -A INPUT  -i $LAN_INTERFACE -p udp \
         -s $BROADCAST_SRC --sport 68 \
         -d $BROADCAST_DEST --dport 67 -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -p udp \
         -s $BROADCAST_SRC --sport 67 \
         -d $BROADCAST_DEST --dport 68 -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -p udp \
         -s $LAN_IPADDR --sport 67 \
         -d $BROADCAST_DEST --dport 68 -j ACCEPT
$IPT -A INPUT  -i $LAN_INTERFACE -p udp \
         -s $BROADCAST_SRC --sport 68 \
         -d $LAN_IPADDR --dport 67 -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -p udp \
         -s $LAN_IPADDR --sport 67 \
         -d $LAN_ADDRESSES --dport 68 -j ACCEPT
$IPT -A INPUT  -i $LAN_INTERFACE -p udp \
         -s $LAN_ADDRESSES --sport 68 \
         -d $LAN_IPADDR --dport 67 -j ACCEPT

###############################################################
# Logging Dropped Packets

$IPT -A INPUT  -i $LAN_INTERFACE -j LOG
$IPT -A OUTPUT -o $LAN_INTERFACE -j LOG
$IPT -A FORWARD  -i $LAN_INTERFACE -o $DMZ_INTERFACE -j LOG
$IPT -A FORWARD  -i $DMZ_INTERFACE -o $LAN_INTERFACE -j LOG

exit 0
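The anti-spoofing section of the choke script drops silently and relies on first-match ordering, so it is easy to misjudge which rule a given packet hits. The following Python is an added example (not the book's code) that encodes that section's INPUT and FORWARD DROP rules as ordered predicates, using the script's address plan, and reports which rule, if any, catches a constructed packet; it assumes the two-interface layout, so a forwarded packet entering on eth1 necessarily leaves on eth0.

```python
"""Walk constructed packets through the choke script's anti-spoofing rules."""
import ipaddress as ip

# Address plan and interfaces taken from the choke script above.
DMZ_IF, LAN_IF = "eth0", "eth1"
DMZ_IPADDR = ip.ip_address("192.168.1.126")
LAN_IPADDR = ip.ip_address("192.168.1.129")
LAN_ADDRESSES = ip.ip_network("192.168.1.128/26")
DMZ_NETWORK = ip.ip_address("192.168.1.64")
DMZ_BROADCAST = ip.ip_address("192.168.1.127")
BROADCAST_SRC = ip.ip_address("0.0.0.0")
BROADCAST_DEST = ip.ip_address("255.255.255.255")
CLASS_D_MULTICAST = ip.ip_network("224.0.0.0/4")


def packet(in_if, src, dst, proto="tcp"):
    """A minimal packet: ingress interface, addresses and protocol."""
    return {"in": in_if, "src": ip.ip_address(src),
            "dst": ip.ip_address(dst), "proto": proto}


def spoof_rules(chain):
    """The section's DROP rules for one chain as (description, predicate),
    in the order the script appends them. With only two interfaces the
    '-i eth1 -o eth0' rules need test only the ingress side here."""
    rules = [
        ("source claims to be the choke's DMZ address",
         lambda p: p["src"] == DMZ_IPADDR),
        ("source claims to be the choke's LAN address",
         lambda p: p["src"] == LAN_IPADDR),
        ("LAN-range source arriving on the DMZ interface",
         lambda p: p["in"] == DMZ_IF and p["src"] in LAN_ADDRESSES),
    ]
    if chain == "FORWARD":  # INPUT has no LAN-side check; it relies on rp_filter
        rules += [
            ("non-LAN source arriving on the LAN interface",
             lambda p: p["in"] == LAN_IF and p["src"] not in LAN_ADDRESSES),
            ("malformed broadcast (destination 0.0.0.0) from the LAN",
             lambda p: p["in"] == LAN_IF and p["dst"] == BROADCAST_SRC),
            ("directed broadcast to the DMZ subnet from the LAN",
             lambda p: p["in"] == LAN_IF and p["dst"] in (DMZ_NETWORK, DMZ_BROADCAST)),
            ("limited broadcast (255.255.255.255) in either direction",
             lambda p: p["dst"] == BROADCAST_DEST),
        ]
    rules.append(("non-UDP packet to a multicast address",
                  lambda p: p["proto"] != "udp" and p["dst"] in CLASS_D_MULTICAST))
    return rules


def first_match(chain, pkt):
    """iptables is first-match: return the description of the first DROP rule
    that fires, or None if the packet survives this section and goes on to
    the per-service ACCEPT rules."""
    for desc, pred in spoof_rules(chain):
        if pred(pkt):
            return desc
    return None


if __name__ == "__main__":
    # Constructed sample packets: a LAN address seen on the DMZ side, and an
    # ordinary LAN-to-DMZ packet that should pass through to the service rules.
    print(first_match("FORWARD", packet(DMZ_IF, "192.168.1.130", "192.168.1.70")))
    print(first_match("FORWARD", packet(LAN_IF, "192.168.1.140", "192.168.1.70")))
```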




Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
ISBN: 1593271417
Year: 2005
Pages: 163
Authors: Michael Rash
