[CLUE-Tech] a more sophisticated firewall?

Mike Benavides tipsrules99 at attbi.com
Sun Dec 16 01:00:21 MST 2001


Could try Bastille firewall.  Mandrake uses it as default.  It is easy 
and helped protect my Linux cluster last summer.

Jeremiah Stanley wrote:

>>I have looked through the docs, and a couple of features I would like for
>>my firewall still elude me.
>>
>
>I attached the one that I'm using (I know it sucks), but it works very 
>well for me.
>
>>Any pointers or URLs would be appreciated.
>>
>
>http://phpfwgen.sourceforge.net/
>neat tool if you don't want to muck about in the actual syntax.
>
>http://www.linux-firewall-tools.com/linux/
>This site is by the author of Linux Firewalls (a good book) and has tons 
>of links and even has a firewall setup cgi script. Very useful if you need 
>a quick solution (or are lazy like me!).
>
>JStanley
>
>
>------------------------------------------------------------------------
>
>#!/bin/sh
>
>#------------------------------------------------------------------------------
># IPtables Firewall Script - A Basic IP Firewall Script for 2.4.x Kernels
>#
># Cobbled together by Dave "Sticks" Fitches - http://www.sticks.f2s.com/
># Project started 12th of May 2001 at some ungodly hour of the night
># Finished to a decent level of satisfaction.... ???
>#
># Bits borrowed from BoingWorld - http://www.boingworld.com
># Thanks to RaverX - #linuxhelp @ oz.org for:
># - The 'echo' reports throughout the execution of the script
># - Adding syncookie protection, source address verification,
># and ICMP dead error message protection.
># - Help getting my logging working
># - advising about tcp-reset to thoroughly drop TCP packets
># and screw nmap users...
>#
># But they claim absolutely NO responsibility for failures of this script...
># Come to think of it, neither do I! Use at your own risk!!
># That said, anything that does work, I'll take credit for!! :)
>#
># Observant people will also recognise segments ripped from my old
># IPchains Firewall scripts... It's called recycling, and it's the
># ecologically sound thing to do... :D
>#------------------------------------------------------------------------------
>
>echo "[?] iptables.cable.firewall v.2.1 / 2001.05.16 by Sticks ..."
>
>#------------------------------------------------------------------------------
># Change these to suit your own setup
>
>echo -n " [.] Configuring Variables : "
>
># Your LAN's IP range and localhost IP. /24 means to only use the first 24
># bits of the 32 bit IP address, the same as netmask 255.255.255.0
>
>LAN_IP_RANGE="192.168.1.0/24" # LAN IP Subnet
>LAN_IP="192.168.1.1/32" # LAN IP
>LAN_BCAST_ADRESS="192.168.1.255/32" # Broadcast IP for LAN
>LOCALHOST_IP="127.0.0.1/32" # LocalHost IP
>EXT_IF="eth1" # External Interface
>INT_IF="eth0" # Internal Interface
>IPTABLES="/sbin/iptables" # Path for IPTables
>
># EXT_IP is used by me to allow myself to do anything to myself, might
># be a security risk but sometimes I want this. If you don't have a static
># IP, I suggest not using this option at all for now but it's still
># enabled per default and will add some really nifty security bugs for all
># those who skip reading the documentation=)
>
># Your Static Internet address goes here...
>#EXT_IP="24.178.96.233/32"
>#EXT_IP="24.255.190.188/32"
>EXT_IP="12.253.16.5/32"
>
># If you use PPP, SLIP or DHCP, then best to do Dynamic IP addressing.
># You need to make this ruleset understand your IP address everytime you get a new IP.
># To do this, use the following one-line script.
># (Please note: The different single and double quote characters MATTER)
># I know there are probably easier ways to do this, but this works and looks fancy! :)
>#EXT_IP="`ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`/32"
>
># Write the current IP to a file (a hold over from my dial-up days)
>echo $EXT_IP > ~/my.ip
>
>echo "Done!"
>
>echo " [?] IPtables location : $IPTABLES"
>echo " [?] External Interface : $EXT_IF"
>echo " [?] External IP Address : $EXT_IP"
>echo " [?] LAN Interface : $INT_IF"
>echo " [?] LAN IP Address : $LAN_IP"
>
>#------------------------------------------------------------------------------
># Clear all IPtable rules.
>
>echo -n " [!] Clearing any prior IPtable rules ... "
>
># Reset the default policies in the filter table.
>$IPTABLES -P INPUT ACCEPT
>$IPTABLES -P FORWARD ACCEPT
>$IPTABLES -P OUTPUT ACCEPT
>
># Reset the default policies in the nat table.
>$IPTABLES -t nat -P PREROUTING ACCEPT
>$IPTABLES -t nat -P POSTROUTING ACCEPT
>$IPTABLES -t nat -P OUTPUT ACCEPT
>
># Flush all the rules in the filter and nat tables.
>$IPTABLES -F
>$IPTABLES -t nat -F
>
>
># Erase all chains that are not default in the filter and nat tables.
>$IPTABLES -X
>$IPTABLES -t nat -X
>
>echo "Done!"
>
>#------------------------------------------------------------------------------
># Load all required IPtables modules
>#
># The insmod lines below are kept (commented out) from when modprobe gave
># me problems - probably my own stupidity; modprobe is what is used now.
># In some instances, these modules may already be loaded by the kernel,
># We'll assume NOT though to allow for everything.
>
>echo -n " [x] Load modules required for IRC/FTP Operation through NAT .. "
>
># Needed to initially load modules
>/sbin/depmod -a
>
># I didn't like loading modules that way, let the kernel do it...
>
># Adds some iptables targets like LOG, REJECT and MASQUERADE.
>#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ipt_LOG.o
>#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ipt_REJECT.o
>#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o
>#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/iptable_nat.o
>#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_nat_ftp.o
>#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_nat_irc.o ports=1024,1025,1026,6666,6667,6668,6669,7000
>
>/sbin/modprobe ipt_LOG
>/sbin/modprobe ipt_REJECT
>/sbin/modprobe ipt_MASQUERADE
>/sbin/modprobe iptable_nat
>/sbin/modprobe ip_nat_ftp
>/sbin/modprobe ip_nat_irc 
>#ports=1024,1025,1026,6666,6667,6668,6669,7000
>/sbin/modprobe ip_conntrack_irc 
>#ports=1024,1025,1026,6666,6667,6668,6669,7000
>/sbin/modprobe ip_conntrack_ftp
>
># Support for owner matching - I don't use it so it's remarked out,
># You might want to use it so I leave it here for reference.
># Owner Matching will allow only certain users to make certain connections...
>#/sbin/modprobe ipt_owner
>
># Support for connection tracking of FTP and IRC.
># Important for allowing IRC DCC Sends to work as well as
># FTP Passive Transfers...
>#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
>#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ports=1024,1025,1026,6666,6667,6668,6669,7000
>
>echo "Done!"
>
>#------------------------------------------------------------------------------
>
>echo -n " [x] Setting up /proc/sys/net/ipv4 rules ... "
>
>#CRITICAL: Enable IP forwarding since it is disabled by default.
>echo 1 > /proc/sys/net/ipv4/ip_forward
>
>#Turn on source address verification in kernel
>#(1 = strict reverse-path check, the value documented for 2.4 kernels)
>if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
>then
>for f in /proc/sys/net/ipv4/conf/*/rp_filter
>do
>echo 1 > $f
>done
>fi
>
>#Turn on syn cookies protection in kernel
>if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
>then
>echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>fi
>
>#ICMP Dead Error Messages protection
>if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
>then
>echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>fi
>
># Dynamic IP users:
># If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
># option. This enables dynamic-ip address hacking in IP MASQ, making the connection
># with Diald and similar programs much easier.
>if [ -e /proc/sys/net/ipv4/ip_dynaddr ]
>then
>echo 1 > /proc/sys/net/ipv4/ip_dynaddr
>fi
>
>echo "Done!"
>
>#------------------------------------------------------------------------------
># Set the default policies for the INPUT, FORWARD and OUTPUT chains
># As I've stated in previous ramblings, I use DROP (Formerly DENY in IPChains)
># because I don't want to make life EASY for crackers to h4x0r my b0x3n! :)
>
>echo -n " [x] Drop everything while we establish the Firewall Policies ... "
>
>$IPTABLES -P INPUT DROP
>$IPTABLES -P OUTPUT DROP
>$IPTABLES -P FORWARD DROP
>
>echo "Done!"
>
>#------------------------------------------------------------------------------
># Create separate chains for ICMP, TCP and UDP to traverse
>
>echo " [x] Defining separate chains for :"
>
>$IPTABLES -N icmp_packets
>$IPTABLES -N tcp_packets
>$IPTABLES -N udpincoming_packets
>
>#------------------------------------------------------------------------------
># Allowed ICMP Types
>
>echo -n " - ICMP ... "
>
># Allow Echo Replies - Lets us ping people and get ping replies.
># Without allowing this, pings are pretty useless :)
>$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
>
># Allow Destination Unreachable messages to reach us.
>$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
>
># Allow Redirects - Lets your system be told when a shorter route
># to a destination is available.
>$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
>
># This allows Time Exceeded ICMP packets. Without this TraceRoute will NOT work.
>$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
>
># NOTE: icmp-type 8 is Ping Request. I'm NOT allowing this! This will result in
># people being UNABLE to ping me via normal means. (Won't affect IRC Pings)
># If I WAS going to allow them, I'd use THIS line...
># $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
>
>echo "Done!"
>
>#------------------------------------------------------------------------------
># The allowed chain for TCP connections
>#
># This chain will be utilised if someone tries to connect to an allowed
># port from the internet. If they are opening the connection, or if it's
># already established we ACCEPT the packages, if not we kill it. This is
># where the state matching is performed also, we allow ESTABLISHED and
># RELATED packets.
>
>echo -n " - TCP ... "
>
>$IPTABLES -N allowed
>$IPTABLES -A allowed -p TCP --syn -j ACCEPT
>$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
>
># Here is where stuff that is AIMED at the allowed ports, but isn't part
># of an established or related connection get logged and killed.
># Note: We use 'REJECT --reject-with tcp-reset' to defeat nmap users!
>$IPTABLES -A allowed -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "
>$IPTABLES -A allowed -p TCP -j REJECT --reject-with tcp-reset
>
>#------------------------------------------------------------------------------
># Allowed TCP ports
># Defining allowed Ports
>#
># This is where we tell the firewall what ports we'll allow inbound connections on.
># As I don't want to run any servers on my machine, except for identd (maybe) I
># won't allow the other connections. You might want to, so I leave them here for
># reference purposes.
>
>echo -n "TCP Allowed Ports ... "
>
># This is for FTP Connections
># $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
>
># This is for SSH (Secure Shell) Connections
>$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
>
># This is for sendmail, a big security hole but hey...
>$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
>
># This is for HTTP (WWW Server) Connections
># $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
>
># This is for Identd and can't be blocked or IRC won't work!!
>$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
>
>echo "Done!"
>
>#------------------------------------------------------------------------------
># Allowed UDP ports
># Defining "udpincoming_packets"
>#
># NOTE: the rules below trust the remote SOURCE port, so any host on the
># net can reach any local UDP service just by sending from port 53, 2074
># or 4000. Replies to our own DNS/NTP/etc. queries are already accepted by
># the ESTABLISHED,RELATED rule in the INPUT chain, so these are candidates
># for removal.
>
>echo -n " - UDP Allowed Incoming Ports ... "
>
># This, of course, is for DNS lookups. Kind of Essential.
>$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
>
># This is for the NTP protocol - So I can set the time from an accurate
># remote source using ntpd.
>#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
>
># This is for alot of Streaming Media and Audio/Video Conferencing Programs
>$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
>
># This is required to allow ICQ to work.
>$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
>
>echo "Done!"
>
>#------------------------------------------------------------------------------
># PREROUTING chain.
>#
># Do some checks for obviously spoofed IP's
>#
># NOTE: the nat table is only consulted for the first packet of a connection,
># so it is not a reliable place to filter. rp_filter (set above) already
># rejects spoofed sources on every packet; put any extra anti-spoof DROPs in
># the filter table's INPUT/FORWARD chains.
>
>echo -n " [x] Define PreRouting Chain ... "
>
># DROPs anything coming IN from the net using the 192.168.* IP addresses
>$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 192.168.0.0/16 -j DROP
>
># I've remarked this as my cable modem and O at H utilise these IPs... Idiots!
># Otherwise it would DROP anything coming from the net using the 10.* IP addresses
>#$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 10.0.0.0/8 -j DROP
>
># DROPs anything coming in from the net using the 172.16.* IP addresses
>$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 172.16.0.0/12 -j DROP
>
># DROPs anything coming in from the LAN using an IP which is NOT part of the internal network
># $IPTABLES -t nat -A PREROUTING -i $INT_IF -s ! $LAN_IP_RANGE -j DROP
>
>echo "Done!"
>
>#------------------------------------------------------------------------------
>#------------------------------------------------------------------------------
># INPUT chain
>#
># Here we establish the basic INPUT chain and filter the packets
># onto the correct chains. This points to all the rules we've
># defined above. This is the heart of the firewall...
>
>echo -n " [x] Define Input Chain ... "
>
># If the incoming packet from the Internet is an ICMP packet,
># check it against the rules defined in 'icmp_packets'
>$IPTABLES -A INPUT -p ICMP -i $EXT_IF -j icmp_packets
>
># If the incoming packet from the Internet is a TCP packet,
># check it against the rules defined in 'tcp_packets'
>$IPTABLES -A INPUT -p TCP -i $EXT_IF -j tcp_packets
>
># If the incoming packet from the Internet is a UDP packet,
># check it against the rules defined in 'udpincoming_packets'
>$IPTABLES -A INPUT -p UDP -i $EXT_IF -j udpincoming_packets
>
># Anything that makes it through THOSE checks, then gets checked
># against these rules...
>
># Allow anything from the LAN to the LAN Broadcast address
>$IPTABLES -A INPUT -p ALL -i $INT_IF -d $LAN_BCAST_ADRESS -j ACCEPT
>
># Allow DHCP internally... Ports 67 & 68 from anywhere to anywhere
>$IPTABLES -A INPUT -p udp -i $INT_IF -s 0/0 -d 0/0 --dport 67:68 -j ACCEPT
>
># Allow anything from anywhere to the localhost (127.0.0.1)
>$IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
>
># Allow anything inbound to the Internal IP for the server
>$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
>
># Allow anything destined for the server internet IP that is ESTABLISHED and RELATED from any other connection.
>$IPTABLES -A INPUT -p ALL -d $EXT_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>echo "Done!"
>
># Filter out all the bullshit stuff received from Optus at Home
># This is mainly to kill them from appearing in the logs as
># they get dropped later anyway.
>
>echo -n " [x] Filter Bullshit packets from Optus at Home ... "
>
># Drop before logging - Multicast Packets
>$IPTABLES -A INPUT -i $EXT_IF -s 10.201.218.1 -d 224.0.0.1 -j DROP
>
>echo "Done!"
>
># Log any input packets that make it this far. (ie; don't make it through
># the firewall, coz they get logged then the default policy of DROP is applied)
>
>echo -n " [*] Initiate Logging for failed inbound packets ... "
>
># This sets limits on the logging. No matched event will be logged more
># than 3 times in a minute. This stops your log being filled up if someone floods you...
>#$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "
>
># DROP TCP packets thoroughly - NMap will NOT see these as 'filtered'
>$IPTABLES -A INPUT -i $EXT_IF -p tcp -s 0/0 -d 0/0 -j REJECT --reject-with tcp-reset
>
># DROP everything else arriving on the external interface (UDP, ICMP, ...).
># The default policy would do this anyway, but it makes the intent explicit.
>$IPTABLES -A INPUT -i $EXT_IF -s 0/0 -d 0/0 -j DROP
>
>echo "Done!"
>
>#------------------------------------------------------------------------------
>#------------------------------------------------------------------------------
># OUTPUT chain
>#
># Here we establish the basic OUTPUT chain.
>
>echo -n " [x] Define OUTPUT chain ... "
>
># Allow anything to go out from the localhost IP
>$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
>
># Allow anything to go out from the LAN address
>$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
>
># Allow anything to go out from the net address
>$IPTABLES -A OUTPUT -p ALL -s $EXT_IP -j ACCEPT
>
># Log any output packets that make it this far. (ie; don't make it through
># the firewall, coz they get logged then the default policy of DROP is applied)
>#$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "
>
>echo "Done!"
>
>#------------------------------------------------------------------------------
>#------------------------------------------------------------------------------
># FORWARD chain
>#
># Enable simple IP FORWARDing and Masquerading
>#
># NOTE: The following forwards an internal LAN on $INT_IF out to the Internet
># on $EXT_IF, as set at the top of the script (eth0 and eth1 in this copy).
>#
># Change this to match your own setup...
>
>echo -n " [x] Enable IP FORWARDing and Masquerading/NAT ... "
>
># Allow NAT/Masquerading
>$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
>
># Allow anything from the LAN to anywhere
>$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT
>
># Allow everything in a state ESTABLISHED or RELATED from anywhere
>$IPTABLES -A FORWARD -p ALL -d $LAN_IP_RANGE -m state --state ESTABLISHED,RELATED -j ACCEPT
>
># Log any forwarded packets that make it this far. (ie; don't make it through
># the firewall, coz they get logged then the default policy of DROP is applied)
>$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "
>
>echo "Done!"
>
>#------------------------------------------------------------------------------
>
>echo "[!] Firewall in place - Operation Completed!"
>
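The script above is the kind of thing worth linting before it goes on a box. The following is an added example, not part of the original post and not written by the script's author: a small Python checker for iptables command lines. The input shape is what the script prints if its `IPTABLES="/sbin/iptables"` line is changed to `IPTABLES="/bin/echo"` and it is run as an unprivileged user (the modprobe and /proc writes fail harmlessly, every rule is echoed instead of applied). The sample rules are copied from the posted script with `$EXT_IF` and `$EXT_IP` expanded by hand; the parser, the three check names and the hardened UDP rule are my own and are assumptions about what a reviewer would want flagged.

```python
"""Lint iptables rule lines for patterns that weaken a stateful firewall."""
import shlex

# Rules copied from the posted script, with $EXT_IF and $EXT_IP expanded by
# hand to the values the script sets (eth1, 12.253.16.5/32).
SAMPLE_RULES = """
-P INPUT ACCEPT
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A allowed -p TCP --syn -j ACCEPT
-A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A allowed -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "
-A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
-A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
-A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
-A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
-t nat -A PREROUTING -i eth1 -s 192.168.0.0/16 -j DROP
-t nat -A PREROUTING -i eth1 -s 172.16.0.0/12 -j DROP
-A INPUT -p ALL -d 12.253.16.5/32 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp -s 0/0 -d 0/0 -j REJECT --reject-with tcp-reset
-A INPUT -i eth1 -s 0/0 -d 0/0 -j DROP
"""

# Hardened replacement (my suggestion) for the three source-port rules:
# accept UDP only when conntrack says it is a reply to something we sent.
HARDENED_UDP_RULE = ("-A udpincoming_packets -p UDP "
                     "-m state --state ESTABLISHED,RELATED -j ACCEPT")

# Options that consume one argument; anything else is treated as a flag.
ONE_ARG = {"-A", "-I", "-D", "-p", "-s", "-d", "-i", "-o", "-j",
           "--dport", "--sport", "--source-port", "--destination-port",
           "--state", "--limit", "--limit-burst", "--log-level",
           "--log-prefix", "--icmp-type", "--reject-with"}


def parse_rule(line):
    """Turn one iptables command line into a dict of option -> value."""
    toks = shlex.split(line)
    rule = {"table": "filter", "matches": set(), "flags": set()}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-P":                              # -P CHAIN TARGET
            rule["policy"] = (toks[i + 1], toks[i + 2])
            i += 3
        elif tok == "-t":
            rule["table"] = toks[i + 1]
            i += 2
        elif tok == "-m":                            # match extensions
            rule["matches"].add(toks[i + 1])
            i += 2
        elif tok in ONE_ARG:
            rule[tok] = toks[i + 1]
            i += 2
        else:
            rule["flags"].add(tok)                   # e.g. --syn, !
            i += 1
    return rule


def lint(text):
    """Return (findings, final_policies): a list of (check, line) pairs and
    the last -P policy seen for each chain."""
    findings, policies = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if "policy" in rule:
            chain, target = rule["policy"]
            policies[chain] = target                 # the last -P wins
            continue
        target = rule.get("-j")
        sport = rule.get("--sport") or rule.get("--source-port")
        # Trusting a remote source port lets any host reach any local UDP
        # service simply by sending from that port.
        if sport and target == "ACCEPT" and "state" not in rule["matches"]:
            findings.append(("SOURCE_PORT_TRUST", line))
        # The nat table is consulted only for the first packet of a
        # connection, so it is not a dependable place to filter.
        if rule["table"] == "nat" and target in ("DROP", "REJECT"):
            findings.append(("FILTER_IN_NAT", line))
        # A LOG rule without -m limit lets a flood fill the disk.
        if target == "LOG" and "limit" not in rule["matches"]:
            findings.append(("UNLIMITED_LOG", line))
    return findings, policies


if __name__ == "__main__":
    found, pol = lint(SAMPLE_RULES)
    print("final policies:", pol)
    for name, rule in found:
        print(f"{name:18} {rule}")
    print("hardened UDP rule findings:", lint(HARDENED_UDP_RULE)[0])
```

Against the posted rules this reports the three UDP source-port rules and the two anti-spoof DROPs in the nat table, and confirms that the final policy on INPUT, OUTPUT and FORWARD is DROP even though the script first sets them to ACCEPT while flushing. The hardened UDP rule produces no findings because it keys on conntrack state rather than on a port the remote end chooses.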