  1. #1 Linux Newbie (Join Date: Mar 2006, Posts: 101)

    is this iptables script ok for production


    I just want to consult an iptables guru on whether my script is sufficient and secure for production. The iptables rules will be used on a web server with 2 private machines (10.0.1.2 & 10.0.1.3), which will also make the web server a gateway for those two machines to access the Internet.

    Anyone who wants to add something, please let me know and please explain what it is for.

    If you find anything vulnerable, can anyone advise as well?

    Please don't mind Apache, as it is no longer my responsibility to secure it. I'm just wondering, if someone tries to hack in, would this suffice?

    Thanks.

    Code:
    #!/bin/bash
    
    echo "Load Modules"
    modprobe ip_tables
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ipt_state
    modprobe iptable_filter
    
    EXT_IF="eth0"                        # network interface to the Internet
    INT_IF="eth1"                        # network interface to the private hosts
    LOOPBACK_INTERFACE="lo"              # however your system names it
    EXT_IPADDR="X.X.X.X"                 # statically allocated external IP address
    INT_NET="10.0.1.0/24"                # private network behind this gateway
    INT_HOSTS="10.0.1.2 10.0.1.3"        # the two private machines
    PRIVPORTS="0:1023"                   # well-known, privileged port range
    UNPRIVPORTS="1024:65535"             # unprivileged port range
    
    ###############################################################
    echo "Enable packet forwarding by kernel"
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    echo "Enable broadcast echo Protection"
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    
    echo "Disable Source Routed Packets"
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
    done
    
    echo "Enable TCP SYN Cookie Protection"
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    
    echo "Disable ICMP Redirect Acceptance"
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
    done
    
    echo "Don't send Redirect Messages"
    for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
        echo 0 > $f
    done
    
    echo "Drop Spoofed Packets"
    # coming in on an interface, which if replied to,
    # would result in the reply going out a different interface.
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done
    
    echo "Do not log packets with impossible addresses"
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 0 > $f
    done
    
    echo "Disable rp_filter on the internal interface"
    # The loop above enabled it everywhere; the internal side is exempted here.
    echo "0" > /proc/sys/net/ipv4/conf/$INT_IF/rp_filter
    
    ###############################################################
    
    echo "Remove any existing rules from all chains"
    iptables --flush
    iptables -t nat --flush
    iptables -t mangle --flush
    
    echo "Unlimited traffic on the loopback interface"
    iptables -A INPUT  -i $LOOPBACK_INTERFACE -j ACCEPT
    iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
    
    echo "Set the default policy to drop"
    # Drop all INPUT
    iptables --policy INPUT   DROP
    # Accept any OUTPUT Connection
    iptables --policy OUTPUT  ACCEPT
    # Drop all FORWARD
    iptables --policy FORWARD DROP
    
    echo "Remove any pre-existing user-defined chains"
    iptables --delete-chain
    iptables -t nat --delete-chain
    iptables -t mangle --delete-chain
    ###############################################################
    
    # Using Connection State to By-pass Rule Checking
    iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state INVALID -j DROP
    
    ###############################################################
    
    # Stealth Scans and TCP State Flags
    # All of the bits are cleared
    iptables -A INPUT   -p tcp --tcp-flags ALL NONE -j DROP
    # Invalid flag combinations that never occur in a legitimate handshake
    iptables -A INPUT   -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A INPUT   -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A INPUT   -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    # FIN, PSH or URG set without ACK
    iptables -A INPUT   -p tcp --tcp-flags ACK,FIN FIN -j DROP
    iptables -A INPUT   -p tcp --tcp-flags ACK,PSH PSH -j DROP
    iptables -A INPUT   -p tcp --tcp-flags ACK,URG URG -j DROP
    
    ###############################################################
    
    echo "Allowing to act as a gateway"
    
    # Masquerade the private network behind the external address and
    # forward new connections that originate from the internal interface.
    iptables --table nat --append POSTROUTING --out-interface $EXT_IF -s $INT_NET -j MASQUERADE
    iptables --append FORWARD --in-interface $INT_IF -s $INT_NET -j ACCEPT
    
    ##############################################################
    
    # ICMP Control and Status Messages
    
    # Accept ping only from the private network
    for ext_ipaddr in $EXT_IPADDR; do
        iptables -A INPUT  -p icmp --icmp-type echo-request -s $INT_NET -d $ext_ipaddr -m state --state NEW -j ACCEPT
    done
    
    # Drop initial ICMP fragments
    iptables -A INPUT -p icmp --fragment -j DROP
    iptables -A INPUT -p icmp --icmp-type source-quench  -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
    
    # Intermediate traceroute responses
    iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    
    ###############################################################
    #    Accept the following input requests and ports            #
    ###############################################################
    
    for ext_ipaddr in $EXT_IPADDR; do
        echo "Allowing Apache"
        iptables -A INPUT -p tcp --sport $UNPRIVPORTS -d $ext_ipaddr --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    
        echo "Allowing Secure Apache"
        iptables -A INPUT -p tcp --sport $UNPRIVPORTS -d $ext_ipaddr --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    
    echo "Allowing all private servers to connect"
    # Only the two private machines, and only on the internal interface
    for int_host in $INT_HOSTS; do
        iptables -A INPUT -p ALL -i $INT_IF -s $int_host -j ACCEPT
    done
    # Loopback traffic is already accepted by the -i $LOOPBACK_INTERFACE rule above
    iptables -A INPUT -p ALL -s 127.0.0.1 -j ACCEPT
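A quick way to sanity-check what a chain like the one above actually admits is to model the INPUT rules and run candidate packets through them in order. The following is an added example, not part of the original post: it encodes a simplified model of the script's INPUT chain (interface, protocol, source, destination, port and conntrack state only; the TCP-flag, ICMP and --sport matches are left out), returns the verdict for a packet, and lists ACCEPT rules that trust a source address without binding it to an interface. The external address 203.0.113.10 is a constructed stand-in for the script's X.X.X.X placeholder.

```python
import ipaddress

# Constructed model of the script's INPUT chain. Only interface, protocol,
# source, destination, port and conntrack state are modelled; TCP-flag,
# ICMP and --sport rules are omitted. Order matters, exactly as in iptables.
EXT_IPADDR = "203.0.113.10"  # stand-in for the script's placeholder X.X.X.X
INPUT_CHAIN = [
    {"iface": "lo", "target": "ACCEPT"},
    {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"state": {"INVALID"}, "target": "DROP"},
    {"proto": "tcp", "dst": EXT_IPADDR, "dport": 80, "state": {"NEW", "ESTABLISHED"}, "target": "ACCEPT"},
    {"proto": "tcp", "dst": EXT_IPADDR, "dport": 443, "state": {"NEW", "ESTABLISHED"}, "target": "ACCEPT"},
    {"iface": "eth1", "src": "10.0.1.2", "target": "ACCEPT"},
    {"iface": "eth1", "src": "10.0.1.3", "target": "ACCEPT"},
    {"src": "127.0.0.1", "target": "ACCEPT"},  # no -i lo: matches on every interface
]
INPUT_POLICY = "DROP"


def rule_matches(rule, pkt):
    """Every match field present in a rule must hold (iptables ANDs its matches)."""
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "src" in rule:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
            return False
    if "dst" in rule and rule["dst"] != pkt["dst"]:
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return True


def verdict(pkt, chain=INPUT_CHAIN, policy=INPUT_POLICY):
    """Return the target of the first matching rule, or the chain policy."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy


def unbound_source_accepts(chain=INPUT_CHAIN):
    """ACCEPT rules that trust a source address with no interface match; they
    rely on the kernel's martian/rp_filter handling rather than an explicit -i."""
    return [r for r in chain if r["target"] == "ACCEPT" and "src" in r and "iface" not in r]
```

Packets are plain dicts, e.g. `verdict({"iface": "eth0", "proto": "tcp", "src": "198.51.100.7", "dst": EXT_IPADDR, "dport": 22, "state": "NEW"})` returns `DROP` from the chain policy, while the same packet to port 80 returns `ACCEPT`.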

  2. #2 Lazydog, Linux Guru (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677)
    The question is whether this is a script you created or one you found on the Internet and then just plugged your IP addresses into.

    Do you really understand everything that is going on in this script? If not, then you should really take the time to learn what is going on with this script and what each rule really does.

    Do you really understand what it is you need for your production environment? If not, you need to start there. That is the basics, and without that you are going to be chasing your tail.

    Have a look at this TUTORIAL to help guide you with setting up IPTABLES.

    Regards
    Robert

