Fwd: need some tips for iptables configuration
Hi,
I need some help to fix some misconfiguration in the following
iptables script.
---------- Forwarded Message ----------
This is actually the content of /usr/local/bin/firewallscript:
-----------------------------------------------------------------------------
BROADCAST="x.x.x.255"
# RFC 1918 private ranges (defined but not used below)
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
TROJAN_PORTS_TCP="12345,12346,1524,27665,31337"
TROJAN_PORTS_UDP="12345,12346,27444,31335,31337"
TCP_SERVER_OUT_INT_IF="80"
TCP_SERVER_IN_INT_IF="80"
# some kernel settings outside of iptables
# SYN cookie protection
/bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Disable response to broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Don't send ICMP redirects
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
# Disable ICMP redirect acceptance
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Turn on reverse path filtering on every interface
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done
# Log spoofed packets, source routed packets, redirect packets
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# flush all existing rules
iptables -F
# default policy: drop packets from anywhere, in every chain
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# handle packets according to their connection-tracking state
# the following line would allow access by machines in Helms group
#iptables -A INPUT -s x.x.x.0/24 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# generally drop all ICMP packets (e.g. ping), in and out - DoS protection
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j DROP
# Stealth scans, e.g. with tools like nmap, should be logged and dropped
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan"
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
# SYN flood and port scan protection (not finished)
#iptables -N syn-flood_eth0
#iptables -F syn-flood_eth0
# Block incoming fragments on eth0
iptables -A INPUT -i eth0 -f -j LOG --log-prefix "IPTABLES FRAGMENTS eth0:"
iptables -A INPUT -i eth0 -f -j DROP
# Trojan protection: drop well-known trojan ports in both directions
iptables -A INPUT -i eth0 -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
iptables -A INPUT -i eth0 -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
iptables -A OUTPUT -o eth0 -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP
# Drop broadcast packets
iptables -A INPUT -i eth0 -d $BROADCAST -j DROP
#INPUT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport ! --dport 80 -j DROP
iptables -A INPUT -i eth0 -p tcp -m multiport ! --sport 80 -j DROP
#OUTPUT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport ! --dport 80 -j DROP
iptables -A OUTPUT -o eth0 -p tcp -m multiport ! --sport 80 -j DROP
iptables -A OUTPUT -o eth0 -p tcp -m multiport ! --dport 53 -j DROP
iptables -A OUTPUT -j DROP
#HTTP-Client
iptables -A OUTPUT -o eth0 -p tcp -s <hostip> --sport 1024:65535 -d 0.0.0.0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 80 -d <hostip> --dport 1024:65535 -j ACCEPT
#DNS-Client
iptables -A OUTPUT -o eth0 -p udp -s <hostip> --sport 53 -d <nameserver> --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s <nameserver> --sport 53 -d <hostip> --dport 53 -j ACCEPT
#iptables -A OUTPUT -o eth0 -p udp -s <hostip> --sport 1024:65535 -d <nameserver> --dport 53 -j ACCEPT
#iptables -A INPUT -i eth0 -p udp -s
On Monday 09 June 2003 21:31, Ruprecht Helms wrote:
> Hi,
> I need some help to fix some misconfiguration in the following iptables script.
> ...
> #INPUT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED -j ACCEPT

This IMHO allows all connections to your box (except icmp, which is dropped above).

> iptables -A INPUT -i eth0 -p tcp -m multiport --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp -m multiport ! --dport 80 -j DROP
> iptables -A INPUT -i eth0 -p tcp -m multiport ! --sport 80 -j DROP
> #OUTPUT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT

This IMHO allows all connections from your box (except icmp, which is dropped above).

> iptables -A OUTPUT -o eth0 -p tcp -m multiport --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp -m multiport ! --dport 80 -j DROP
> iptables -A OUTPUT -o eth0 -p tcp -m multiport ! --sport 80 -j DROP
> iptables -A OUTPUT -o eth0 -p tcp -m multiport ! --dport 53 -j DROP
> iptables -A OUTPUT -j DROP
> ...
> The problem is that users in the internal LAN segment can connect to the host. This should not be possible. Connections to the outside should also not be possible, except for HTTP and the DNS-client part.

Please see my comments above.

Andreas Baetz
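The following is an added example, not the script from the thread and not code by either poster. It shows the minimal stateful ruleset that does only what the original post asks for: outbound HTTP, outbound DNS to one resolver, and no new connections accepted on the LAN interface. The lines the reply objects to (an unrestricted `--state NEW,ESTABLISHED -j ACCEPT` on eth0 in INPUT and OUTPUT) are deliberately absent; replies are admitted only through ESTABLISHED,RELATED. The interface name, host address and resolver address are assumed placeholders (TEST-NET-1 addresses), and the `-m state` match is kept for consistency with the original script (`-m conntrack --ctstate` is the modern equivalent). By default the script only collects the rules so they can be reviewed as a non-root user; set APPLY=1 to actually load them.

```shell
#!/bin/sh
# Added example (not the thread's script): collect, and optionally apply,
# a default-deny ruleset with HTTP and DNS client access only.
IF="${IF:-eth0}"                       # assumed LAN interface
HOST_IP="${HOST_IP:-192.0.2.10}"       # constructed placeholder for <hostip>
NAMESERVER="${NAMESERVER:-192.0.2.53}" # constructed placeholder for <nameserver>
IPT="${IPT:-iptables}"
NL='
'

# Every rule is appended to $RULES so the set can be inspected without root.
# It is only executed when APPLY=1 (needs root and the iptables binary).
RULES=""
rule() {
    RULES="${RULES}${IPT} $*${NL}"
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    fi
}

build_rules() {
    RULES=""
    rule -F
    # Default deny in all three chains; anything not matched below is dropped.
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT DROP
    # Loopback traffic is unrestricted.
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    # Packets belonging to connections this host opened. There is no
    # "--state NEW" ACCEPT on $IF in INPUT: that rule let every LAN host in.
    rule -A INPUT -i "$IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -o "$IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # HTTP client: new connections may leave only towards TCP port 80.
    rule -A OUTPUT -o "$IF" -p tcp -s "$HOST_IP" --dport 80 -m state --state NEW -j ACCEPT
    # DNS client: new queries may leave only towards the configured resolver;
    # the UDP replies come back through the ESTABLISHED rule above.
    rule -A OUTPUT -o "$IF" -p udp -s "$HOST_IP" -d "$NAMESERVER" --dport 53 -m state --state NEW -j ACCEPT
    # Log (rate limited) what the DROP policies are about to discard.
    rule -A INPUT -i "$IF" -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "FW DROP NEW IN: "
    rule -A OUTPUT -o "$IF" -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "FW DROP NEW OUT: "
}

# Review helpers: is a given rule fragment present, and how many rules are there.
has_rule() { printf '%s' "$RULES" | grep -F -q -- "$1"; }
rule_count() { printf '%s' "$RULES" | grep -c .; }

build_rules
printf '%s' "$RULES"
```

Run it without APPLY to print the twelve commands and check them against the policy you want; only then run it as root with APPLY=1. The order matters: the ESTABLISHED,RELATED rules sit before the NEW rules so that return traffic never reaches the LOG rules, and the LOG rules are last so that only packets the DROP policy will discard are logged.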