Find the answer to your Linux question:
Results 1 to 2 of 2
Hello all, I was using arnos-iptables-firewall previously, and decided to switch to a script so I could block out users and customize my firewall a bit better. When I run ...
  1. 04-20-2009 #1
    sorressean
    sorressean is offline
    Just Joined!
    Join Date
    Apr 2009
    Posts
    5

    iptables question



    Hello all,
    I was using arnos-iptables-firewall previously, and decided to switch to a script so I could block out users and customize my firewall a bit better.
    When I run the following script though, I get blocked out; any idea why?
    Also, any other tips on what needs changing would be great. I'm rather new to bash scripting, and am just trying to get a decently secure firewall, or as much as possible, anyway.

    Code:
    #!/bin/sh
#a quick and dirty firewall script
#most of the code taken from the arnos scripts
#allows for easier customization
INTERFACE=eth0
HOST="tds-solutions.net"
TPORTS="22 80 6000 5000 3784 3306"
UPORTS="3784"
      echo " Enabling anti-spoof with rp_filter"
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $i
done
    echo " Blocking all ICMP echo-requests"
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
      echo " Enabling SYN-flood protection via SYN-cookies"
      echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo " Enabling the logging of martians"
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    echo " Disabling the acception of ICMP-redirect messages"
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo setting default contrack
        echo 4096 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
        echo 4096 > /proc/sys/net/ipv4/ip_conntrack_max
echo setting default timeouts
    echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
    echo 180 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream
    for interface in /proc/sys/net/ipv4/conf/*/send_redirects; do
      echo 0 > $interface
done
    echo " Enabling protection against source routed packets"
    for interface in /proc/sys/net/ipv4/conf/*/accept_source_route; do
      echo 0 > $interface
    done
echo ignoring ICMP broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo ignoring error responses:
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
      echo " Disabling the LOOSE_UDP_PATCH (more secure)"
      echo 0 > /proc/sys/net/ipv4/ip_masq_udp_dloose
echo disabling IPforwarding
      echo 0 > /proc/sys/net/ipv4/ip_forward
echo enabling window scaling:
  echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo setting connection max to 1024
  echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog
    echo " Enabling reduction of the DoS'ing ability"
    echo 0 > /proc/sys/net/ipv4/tcp_sack
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo setting TTL:
        echo 40 > /proc/sys/net/ipv4/ip_default_ttl
      echo " Enabling ECN (Explicit Congestion Notification)"
      echo 1 > /proc/sys/net/ipv4/tcp_ecn
echo disabling support for Dynamic IP
    echo 0 > /proc/sys/net/ipv4/ip_dynaddr
  echo " Flushing route table"
  echo 1 >/proc/sys/net/ipv4/route/flush
echo configuring iptables:
echo flushing:
iptables -F
iptables -X
iptables -Z
iptables -F input
iptables -F output
iptables -F forward
echo default policies:
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -N BLOCKED
iptables -N LOGS
echo enabling logging:
iptables -A LOG -p tcp --tcp-flags ALL FIN,URG,PSH \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth  
iptables -A LOG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS-PSH scan: "
iptables -A LOG -p tcp --tcp-flags ALL ALL \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS-ALL scan: "
iptables -A LOG -p tcp --tcp-flags ALL FIN \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth FIN scan: "
iptables -A LOG -p tcp --tcp-flags SYN,RST SYN,RST \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth SYN/RST scan: "
iptables -A LOG -p tcp --tcp-flags SYN,FIN SYN,FIN \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth SYN/FIN scan(?): "
iptables -A LOG -p tcp --tcp-flags ALL NONE \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth Null scan: "
echo dropping all stealth packets:
iptables -A LOG -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A LOG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A LOG -p tcp --tcp-flags ALL ALL -j DROP
iptables -A LOG -p tcp --tcp-flags ALL FIN -j DROP
iptables -A LOG -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A LOG -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A LOG -p tcp --tcp-flags ALL NONE -j DROP
iptables -A LOG -p tcp --dport 0 -j DROP
echo logging packets with invalid flags:
iptables -A LOG -p tcp --tcp-option 64 \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Bad TCP flag(64): "
iptables -A LOG -p tcp --tcp-option 128 \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Bad TCP flag(128): "
iptables -A INPUT -p tcp --dport 0 \
      -m limit --limit 6/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "TCP port 0 OS fingerprint: "
iptables -A INPUT -p udp --dport 0 \
      -m limit --limit 6/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "UDP port 0 OS fingerprint: "
echo dropping packets with invalid flags:
iptables -A LOG -p tcp --tcp-option 64 -j DROP
iptables -A LOG -p tcp --tcp-option 128 -j DROP
echo dropping invalid packets:
iptables -A LOG -m state --state INVALID -j DROP
iptables -A LOG -f -j DROP
echo dropping packets from invalid addresses:
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
echo enabling ports:
iptables -A INPUT -p tcp --dport $TPORTS -J ACCEPT
iptables -A INPUT -p udp --dport $UPORTS -J ACCEPT
echo Blocking hosts:
for host in $(cut -f2 -d: /etc/hosts.deny)
echo blocking access from $host
iptables -A INPUT -s host -J DROP
done
echo dropping ICMPpackets:
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
    Reply With Quote Reply With Quote
  2. 04-21-2009 #2
    iwanabeguru
    iwanabeguru is offline
    Linux User
    Join Date
    Feb 2006
    Posts
    484
    in $TPORTS list the elements is separated by "," instead of white spaces

    and maybe you disable somethig which must be enabled.
    and add this line to your config

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    this line enables all the returning packages for connections which started from the machine
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules