[CLUE-Tech] a more sophisticated firewall?

Jeremiah Stanley miah at miah.org
Sun Dec 23 11:16:39 MST 2001


> i have looked thru the docs, and a couple of features I would like for
> my firewall still elude me.

I attached the one that I'm using (I know it sucks), but it works very 
well for me.

> Any pointers or URL's would be appreciated.

http://phpfwgen.sourceforge.net/
neat tool if you don't want to muck about in the actual syntax.

http://www.linux-firewall-tools.com/linux/
This site is by the author of Linux Firewalls (a good book) and has tons 
of links and even has a firewall setup cgi script. Very useful if you need 
a quick solution (or are lazy like me!).

JStanley
-- 
Everybody has a right to be stupid, but some people abuse the privilege.
		- Joseph Stalin
-------------- next part --------------
#!/bin/sh

#------------------------------------------------------------------------------
# IPtables Firewall Script - A Basic IP Firewall Script for 2.4.x Kernels
#
# Cobbled together by Dave "Sticks" Fitches - http://www.sticks.f2s.com/
# Project started 12th of May 2001 at some ungodly hour of the night
# Finished to a decent level of satisfaction.... ???
#
# Bits borrowed from BoingWorld - http://www.boingworld.com
# Thanks to RaverX - #linuxhelp @ oz.org for:
# - The 'echo' reports throughout the execution of the script
# - Adding syncookie protection, source address verification,
# and ICMP dead error message protection.
# - Help getting my logging working
# - advising about tcp-reset to thoroughly drop TCP packets
# and screw nmap users...
#
# But they claim absolutely NO responsibility for failures of this script...
# Come to think of it, neither do I! Use at your own risk!!
# That said, anything that does work, I'll take credit for!! :)
#
# Observant people will also recognise segments ripped from my old
# IPchains Firewall scripts... It's called recycling, and it's the
# ecologically sound thing to do... :D
#------------------------------------------------------------------------------

echo "[?] iptables.cable.firewall v.2.1 / 2001.05.16 by Sticks ..."

#------------------------------------------------------------------------------
# Change these to suit your own setup

echo -n " [.] Configuring Variables : "

# Your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address, the same as netmask 255.255.255.0

LAN_IP_RANGE="192.168.1.0/24" # LAN IP Subnet
LAN_IP="192.168.1.1/32" # LAN IP
LAN_BCAST_ADRESS="192.168.1.255/32" # Broadcast IP for LAN
LOCALHOST_IP="127.0.0.1/32" # LocalHost IP
EXT_IF="eth1" # External Interface
INT_IF="eth0" # Internal Interface
IPTABLES="/sbin/iptables" # Path for IPTables

# EXT_IP is used by me to allow myself to do anything to myself, might
# be a security risk but sometimes I want this. If you don't have a static
# IP, I suggest not using this option at all for now but it's still
# enabled per default and will add some really nifty security bugs for all
# those who skip reading the documentation =)

# Your Static Internet address goes here...
#EXT_IP="24.178.96.233/32"
#EXT_IP="24.255.190.188/32"
EXT_IP="12.253.16.5/32"

# If you use PPP, SLIP or DHCP, then best to do Dynamic IP addressing.
# You need to make this ruleset understand your IP address everytime you get a new IP.
# To do this, use the following one-line script.
# (Please note: The different single and double quote characters MATTER)
# I know there are probably easier ways to do this, but this works and looks fancy! :)
#EXT_IP="`ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`/32"

# Write the current IP to a file (a hold over from my dial-up days)
echo $EXT_IP > ~/my.ip

echo "Done!"

echo " [?] IPtables location : $IPTABLES"
echo " [?] External Interface : $EXT_IF"
echo " [?] External IP Address : $EXT_IP"
echo " [?] LAN Interface : $INT_IF"
echo " [?] LAN IP Address : $LAN_IP"

#------------------------------------------------------------------------------
# Clear all IPtable rules.

echo -n " [!] Clearing any prior IPtable rules ... "

# Reset the default policies in the filter table.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Reset the default policies in the nat table.
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

# Flush all the rules in the filter and nat tables.
$IPTABLES -F
$IPTABLES -t nat -F


# Erase all non-default (user-defined) chains in the filter and nat tables.
$IPTABLES -X
$IPTABLES -t nat -X

echo "Done!"

#------------------------------------------------------------------------------
# Load all required IPtables modules
#
# For some reason I have problems with modprobe - probably my own stupidity,
# so I'll be using insmod to load what I need...
# In some instances, these modules may already be loaded by the kernel,
# We'll assume NOT though to allow for everything.

echo -n " [x] Load modules required for IRC/FTP Operation through NAT .. "

# Needed to initially load modules
/sbin/depmod -a

# I didn't like loading modules that way, let the kernel do it...

# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ipt_LOG.o
#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ipt_REJECT.o
#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o
#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/iptable_nat.o
#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_nat_ftp.o
#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_nat_irc.o ports=1024,1025,1026,6666,6667,6668,6669,7000

/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc 
#ports=1024,1025,1026,6666,6667,6668,6669,7000
/sbin/modprobe ip_conntrack_irc 
#ports=1024,1025,1026,6666,6667,6668,6669,7000
/sbin/modprobe ip_conntrack_ftp

# Support for owner matching - I don't use it so it's remarked out,
# You might want to use it so I leave it here for reference.
# Owner Matching will allow only certain users to make certain connections...
#/sbin/modprobe ipt_owner

# Support for connection tracking of FTP and IRC.
# Important for allowing IRC DCC Sends to work as well as
# FTP Passive Transfers...
#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ports=1024,1025,1026,6666,6667,6668,6669,7000

echo "Done!"

#------------------------------------------------------------------------------

echo -n " [x] Setting up /proc/sys/net/ipv4 rules ... "

#CRITICAL: Enable IP forwarding since it is disabled by default.
echo 1 > /proc/sys/net/ipv4/ip_forward

#Turn on source address verification (reverse path filtering) in kernel
#for every interface. Any non-zero value switches it on.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 2 > $f
    done
fi

#Turn on syn cookies protection in kernel
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

#ICMP Dead Error Messages protection
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
then
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi

# Dynamic IP users:
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
# option. This enables dynamic-ip address hacking in IP MASQ, making the connection
# with Diald and similar programs much easier.
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]
then
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi

echo "Done!"

#------------------------------------------------------------------------------
# Set the default policies for the INPUT, FORWARD and OUTPUT chains
# As I've stated in previous ramblings, I use DROP (Formerly DENY in IPChains)
# because I don't want to make life EASY for crackers to h4x0r my b0x3n! :)

echo -n " [x] Drop everything while we establish the Firewall Policies ... "

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

echo "Done!"

#------------------------------------------------------------------------------
# Create separate chains for ICMP, TCP and UDP to traverse

echo " [x] Defining separate chains for :"

$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#------------------------------------------------------------------------------
# Allowed ICMP Types

echo -n " - ICMP ... "

# Allow Echo Replies - Lets us ping people and get ping replies.
# Without allowing this, pings are pretty useless :)
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT

# Allow Destination Unreachable messages to reach us.
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT

# Allow Redirects - Lets your system be told when a shorter route
# to a destination is available.
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT

# This allows Time Exceeded ICMP packets. Without this TraceRoute will NOT work.
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# NOTE: icmp-type 8 is Ping Request. I'm NOT allowing this! This will result in
# people being UNABLE to ping me via normal means. (Won't affect IRC Pings)
# If I WAS going to allow them, I'd use THIS line...
# $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

echo "Done!"

#------------------------------------------------------------------------------
# The allowed chain for TCP connections
#
# This chain will be utilised if someone tries to connect to an allowed
# port from the internet. If they are opening the connection, or if it's
# already established we ACCEPT the packets, if not we kill it. This is
# where the state matching is performed also, we allow ESTABLISHED and
# RELATED packets.

echo -n " - TCP ... "

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Here is where stuff that is AIMED at the allowed ports, but isn't part
# of an established or related connection gets logged and killed.
# Note: We use 'REJECT --reject-with tcp-reset' so the port looks closed
# rather than filtered to nmap users!
$IPTABLES -A allowed -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "
$IPTABLES -A allowed -p TCP -j REJECT --reject-with tcp-reset

#------------------------------------------------------------------------------
# Allowed TCP ports
# Defining allowed Ports
#
# This is where we tell the firewall what ports we'll allow inbound connections on.
# As I don't want to run any servers on my machine, except for identd (maybe) I
# won't allow the other connections. You might want to, so I leave them here for
# reference purposes.

echo -n "TCP Allowed Ports ... "

# This is for FTP Connections
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed

# This is for SSH (Secure Shell) Connections
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed

# This is for sendmail, a big security hole but hey...
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed

# This is for HTTP (WWW Server) Connections
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed

# This is for Identd and can't be blocked or IRC won't work!!
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

echo "Done!"

#------------------------------------------------------------------------------
# Allowed UDP ports
# Defining "udpincoming_packets"

echo -n " - UDP Allowed Incoming Ports ... "

# This, of course, is for DNS lookups. Kind of Essential.
# Note: this matches on the SOURCE port only (any UDP packet sent from port 53
# is accepted whatever its destination port); replies to our own queries are
# also covered by the ESTABLISHED,RELATED rule in the INPUT chain below.
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT

# This is for the NTP protocol - So I can set the time from an accurate
# remote source using ntpd.
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT

# This is for a lot of Streaming Media and Audio/Video Conferencing Programs
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT

# This is required to allow ICQ to work.
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

echo "Done!"

#------------------------------------------------------------------------------
# PREROUTING chain.
#
# Do some checks for obviously spoofed IP's

echo -n " [x] Define PreRouting Chain ... "

# DROPs anything coming IN from the net using the 192.168.* IP addresses
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 192.168.0.0/16 -j DROP

# I've remarked this out as my cable modem and Optus@Home utilise these IPs... Idiots!
# Otherwise it would DROP anything coming from the net using the 10.* IP addresses
#$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 10.0.0.0/8 -j DROP

# DROPs anything coming in from the net using the 172.16.* IP addresses
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 172.16.0.0/12 -j DROP

# DROPs anything coming in from the LAN using an IP which is NOT part of the internal network
# $IPTABLES -t nat -A PREROUTING -i $INT_IF -s ! $LAN_IP_RANGE -j DROP

echo "Done!"

#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# INPUT chain
#
# Here we establish the basic INPUT chain and filter the packets
# onto the correct chains. This points to all the rules we've
# defined above. This is the heart of the firewall...

echo -n " [x] Define Input Chain ... "

# If the incoming packet from the Internet is an ICMP packet,
# check it against the rules defined in 'icmp_packets'
$IPTABLES -A INPUT -p ICMP -i $EXT_IF -j icmp_packets

# If the incoming packet from the Internet is a TCP packet,
# check it against the rules defined in 'tcp_packets'
$IPTABLES -A INPUT -p TCP -i $EXT_IF -j tcp_packets

# If the incoming packet from the Internet is a UDP packet,
# check it against the rules defined in 'udpincoming_packets'
$IPTABLES -A INPUT -p UDP -i $EXT_IF -j udpincoming_packets

# Anything that makes it through THOSE checks, then gets checked
# against these rules...

# Allow anything from the LAN to the LAN Broadcast address
$IPTABLES -A INPUT -p ALL -i $INT_IF -d $LAN_BCAST_ADRESS -j ACCEPT

# Allow DHCP internally... Ports 67 & 68 from anywhere to anywhere
$IPTABLES -A INPUT -p udp -i $INT_IF -s 0/0 -d 0/0 --dport 67:68 -j ACCEPT

# Allow anything from anywhere to the localhost (127.0.0.1)
$IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT

# Allow anything inbound to the Internal IP for the server
$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT

# Allow anything destined for the server internet IP that is ESTABLISHED and RELATED from any other connection.
$IPTABLES -A INPUT -p ALL -d $EXT_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Done!"

# Filter out all the bullshit stuff received from Optus@Home
# This is mainly to stop them appearing in the logs, as
# they get dropped later anyway.

echo -n " [x] Filter Bullshit packets from Optus@Home ... "

# Drop before logging - Multicast Packets
$IPTABLES -A INPUT -i $EXT_IF -s 10.201.218.1 -d 224.0.0.1 -j DROP

echo "Done!"

# Log any input packets that make it this far. (i.e. don't make it through
# the firewall, coz they get logged then the default policy of DROP is applied)
# Note: this INPUT LOG rule is remarked out below, so only the 'allowed' chain
# and the FORWARD chain actually log.

echo -n " [*] Initiate Logging for failed inbound packets ... "

# This sets limits on the logging. No matched event will be logged more
# than 3 times in a minute. This stops your log being filled up if someone floods you...
#$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "

# DROP TCP packets thoroughly - NMap will NOT see these as 'filtered'
$IPTABLES -A INPUT -i $EXT_IF -p tcp -s 0/0 -d 0/0 -j REJECT --reject-with tcp-reset

# DROP UDP packets. (Not really needed, but included anyway)
$IPTABLES -A INPUT -i $EXT_IF -s 0/0 -d 0/0 -j DROP

echo "Done!"

#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# OUTPUT chain
#
# Here we establish the basic OUTPUT chain.

echo -n " [x] Define OUTPUT chain ... "

# Allow anything to go out from the localhost IP
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT

# Allow anything to go out from the LAN address
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT

# Allow anything to go out from the net address
$IPTABLES -A OUTPUT -p ALL -s $EXT_IP -j ACCEPT

# Log any OUTPUT packets that make it this far. (i.e. don't make it through
# the firewall, coz they get logged then the default policy of DROP is applied)
#$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "

echo "Done!"

#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# FORWARD chain
#
# Enable simple IP FORWARDing and Masquerading
#
# NOTE: The following is an example for an internal LAN, where the LAN runs
# on $INT_IF and the Internet is on $EXT_IF (as set in the variables at the
# top of this script). At least, that's how MINE works...
#
# Change this to match your own setup...

echo -n " [x] Enable IP FORWARDing and Masquerading/NAT ... "

# Allow NAT/Masquerading
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

# Allow anything from the LAN to anywhere
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

# Allow everything in a state ESTABLISHED or RELATED from anywhere
$IPTABLES -A FORWARD -p ALL -d $LAN_IP_RANGE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log any FORWARDed packets that make it this far. (i.e. don't make it through
# the firewall, coz they get logged then the default policy of DROP is applied)
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "

echo "Done!"

#------------------------------------------------------------------------------

echo "[!] Firewall in place - Operation Completed!"
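The two LOG rules left active in the attached script (the one in the `allowed` chain and the one in FORWARD, both tagged `--log-prefix "Netfilter: "`) are the firewall's only audit trail, so it is worth being able to read them back. The Python below is an added example, not part of the post or of Sticks' script: it parses such kernel log lines and infers which of the two rules fired from the IN=/OUT= fields. The sample lines are constructed for this example (documentation addresses, an assumed host name `gw` and timestamps); only the script's EXT_IP is taken from the page.

```python
import re
from collections import Counter

LOG_PREFIX = "Netfilter: "             # --log-prefix used by every LOG rule in the script
TOKEN_RE = re.compile(r"(\w+)=(\S*)")  # key=value fields written by the LOG target
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample syslog lines, not real captures. DST 12.253.16.5 is the
# script's EXT_IP, the other addresses are documentation ranges, and the host
# name and timestamps are assumed. The last line is unrelated syslog noise.
SAMPLE_LOG = """\
Dec 23 11:20:01 gw kernel: Netfilter: IN=eth1 OUT= SRC=203.0.113.7 DST=12.253.16.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=61000 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Dec 23 11:20:02 gw kernel: Netfilter: IN=eth1 OUT= SRC=203.0.113.7 DST=12.253.16.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=61001 DPT=113 WINDOW=1024 RES=0x00 ACK URGP=0
Dec 23 11:20:03 gw kernel: Netfilter: IN=eth1 OUT=eth0 SRC=198.51.100.9 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=40000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 11:20:04 gw kernel: Netfilter: IN=eth1 OUT=eth0 SRC=198.51.100.9 DST=192.168.1.20 LEN=48 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=UDP SPT=53 DPT=1434 LEN=28
Dec 23 11:20:05 gw sshd[123]: Accepted publickey for miah from 192.168.1.20
"""

def parse_netfilter_line(line):
    """Return the key=value fields of one LOG line plus a FLAGS set (TCP flags
    are bare tokens after RES=), or None if the line is not from a LOG rule.
    For UDP the second LEN= (UDP length) overwrites the IP one, which is fine."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    body = line[idx + len(LOG_PREFIX):]
    rec = dict(TOKEN_RE.findall(body))
    rec["FLAGS"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return rec

def classify_chain(rec):
    """Infer which of the script's two active LOG rules fired from IN=/OUT=.
    The INPUT and OUTPUT LOG rules are commented out, so OUT= set means the
    FORWARD rule (unsolicited traffic aimed at the LAN) and OUT= empty means
    the 'allowed' chain: a non-SYN TCP packet to an allowed port that belongs
    to no ESTABLISHED/RELATED connection. Anything else is unexpected."""
    if rec.get("OUT"):
        return "FORWARD"
    return "allowed" if rec.get("PROTO") == "TCP" else "unexpected"

def summarize(log_text):
    """Count logged packets per (chain, source, protocol, destination port).
    Every LOG rule is limited to 3/minute, so counts are a floor, not a total."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_netfilter_line(line)
        if rec is not None:
            key = (classify_chain(rec), rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for (chain, src, proto, dport), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{chain:10} {src:15} {proto:4} dport={dport:6} hits={n}")
```

Run against real syslog output the same way (`summarize(open("/var/log/messages").read())`); lines from other kernel messages or daemons are skipped because they lack the prefix.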