Fwd: need some tipps for iptable-konfiguration

9 Jun 2003

      Hi,

I need some help to fix some missconfiguration in the following
iptables-script.

----------  Forwarded Message  ----------

This is actualy the content of /usr/local/bin/firewallscript:
-----------------------------------------------------------------------------
-- BROADCAST="x.x.x.255"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/16"
CLASS_C="192.168.0/24"
TROJAN_PORTS_TCP="12345,12346,1524,27665,31337"
TROJAN_PORTS_UDP="12345,12346,27444,31335,31337"
TCP_SERVER_OUT_INT_IF="80"
TCP_SERVER_IN_INT_IF="80"

#einige Regelungen außerhalb iptables
#some rules outside from iptables

#SYN Cookie Protection
/bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#Disable response to broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Don't accesp source routed packets
/bin/echo "0"> /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "0"> /proc/sys/net/ipv4/conf/all/send_redirects

#Disable ICMP redirect acceptance
/bin/echo "0"> /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
/bin/echo "1"> /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Turn on reverse path filtering
for interface in /proc/sys/net/ipv4/conf/*/rp_filter;do
/bin/echo "1" > ${interface}
done

#Log spoofed packets, source routed packets, redirect packets
/bin/echo "1"> /proc/sys/net/ipv4/conf/all/log_martians

#alle bestehenden Regeln löschen
#flush all existing rules

iptables -F

#alle Pakete, egal woher verwerfen
#drop packages which comes from anywhere

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#Pakete nach state-Status behandeln
#check packages with the state-status
# the following line would allow access by machines in Helms group
#iptables -A INPUT -s x.x.x.0/24 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#ICMP-Pakete (z. B. Ping) generell verbieten (rein u. raus)
#generally drop all ICMP-packages  - DOS-Protection
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j DROP

#Stealth-Scans z. B. durch Tools wie nmap verwerfen
#Stealth-Scans f. e. with tools like nmap should be dropped and logged

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "Stealth scan"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "Stealth scan"
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

#syn-flood and port-scan-protection
#iptables -N syn-flood_eth0
#iptables -F sys-flood_eth0

#Block incoming fragments eth0
iptables -A INPUT -i eth0 -f -j LOG --log-prefix "IPTABLES FRAGMENTS eth0:"
iptables -A INPUT -i eth0 -f -j DROP

#Trojanprotection
iptables -A INPUT -i eth0 -p tcp -m multiport --dport $TROJAN_PORTS_TCP
-j DROP
iptables -A INPUT -i eth0 -p udp -m multiport --dport $TROJAN_PORTS_UDP
-j DROP
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dport $TROJAN_PORTS_TCP
-j DROP
iptables -A OUTPUT -o eth0 -p udp -m multiport --dport $TROJAN_PORTS_UDP
-j DROP

#Drop broadcast packets
iptables -A INPUT -i eth0 -d $BROADCAST -j DROP

#INPUT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dport 80 -m state
--state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport ! --dport 80 -j DROP
iptables -A INPUT -i eth0 -p tcp -m multiport ! --sport 80 -j DROP

#OUTPUT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dport 80 -m state
--state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport ! --dport 80 -j DROP
iptables -A OUTPUT -o eth0 -p tcp -m multiport ! --sport 80 -j DROP
iptables -A OUTPUT -o etho -p tcp -m multiport ! --dport 53 -j DROP
iptables -A OUTPUT -j DROP

#HTTP-Client
iptables -A OUTPUT -o eth0 -p tcp -s <hostip> --sport 1024:65535 -d
any/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s any/0 --sport 80 -d <hostip>
--dport 1024:65535 -j ACCEPT

#DNS-Client
iptables -A OUTPUT -o eth0 -p udp -s <hostip> --sport 53 -d
<nameserver> --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s <nameserver> --sport 53 -d
<hostip> --dport 53 -j ACCEPT
#iptables -A OUPTUT -o eth0 -p udp -s <hostip> --sport 1024:65535 -d
<nameserver> --dport 53 -j ACCEPT
#iptables -A INPUT -i eth0 -p udp -s 

Fwd: need some tipps for iptable-konfiguration

Ruprecht Helms