- 06-22-2010 #1
is this iptables script ok for production
I just want to consult an iptables guru on whether my script is enough and secure for production. The iptables rules will be used for a web server with 2 private machines (10.0.1.2 & 10.0.1.3), making the web server also a gateway for those two machines to access the Internet.
Anyone who wants to add something, please let me know and please explain what it is for.
If you find nothing vulnerable, please advise as well.
Please don't mind Apache, as it is no longer my responsibility to secure it. I'm just wondering, if someone tries to hack it, would this suffice?
Thanks.
Code:
#!/bin/bash

echo "Load Modules"
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_filter

EXT_IF="eth0"              # network interface to the external
INT_IF="eth1"              # network interface to the private LAN
LOOPBACK_INTERFACE="lo"    # however your system names it
EXT_IPADDR="X.X.X.X"       # static allocated IP address
# Private LAN behind this gateway. The post names 10.0.1.2 and 10.0.1.3 as the
# two private hosts, so the same /24 is used for NAT, forwarding and ICMP below.
LAN_NET="10.0.1.0/24"
LAN_HOSTS="10.0.1.2 10.0.1.3"
PRIVPORTS="0:1023"         # well-known, privileged port range
UNPRIVPORTS="1024:65535"   # unprivileged port range

###############################################################
echo "Enables packet forwarding by kernel"
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Enable broadcast echo Protection"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo "Disable Source Routed Packets"
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done

echo "Enable TCP SYN Cookie Protection"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

echo "Disable ICMP Redirect Acceptance"
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
done

echo "Don't send Redirect Messages"
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > "$f"
done

echo "Drop Spoofed Packets"
# coming in on an interface, which if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done

echo "Do not log packets with impossible addresses"
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 0 > "$f"
done

echo "Disable rp_filter"
# Reverse-path filtering is switched back off on the internal interface only.
echo 0 > /proc/sys/net/ipv4/conf/$INT_IF/rp_filter

###############################################################
echo "Remove any existing rules from all chains"
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

echo "Remove any pre-existing user-defined chains"
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

echo "Unlimited traffic on the loopback interface"
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

echo "Set the default policy to drop"
# Drop all INPUT
iptables --policy INPUT DROP
# Accept any OUTPUT Connection
iptables --policy OUTPUT ACCEPT
# Drop all FORWARD
iptables --policy FORWARD DROP

###############################################################
# Using Connection State to By-pass Rule Checking
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

###############################################################
# Stealth Scans and TCP State Flags
# All of the bits are cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Flag combinations that never occur in a legitimate TCP conversation
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN, PSH or URG set without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

###############################################################
echo "Allowing to act as a gateway"
iptables --table nat --append POSTROUTING --out-interface $EXT_IF -s $LAN_NET -j MASQUERADE
iptables --append FORWARD --in-interface $INT_IF -s $LAN_NET -j ACCEPT

##############################################################
# ICMP Control and Status Messages
for ext_ipaddr in $EXT_IPADDR; do
    # Only the private LAN may ping this host
    iptables -A INPUT -p icmp --icmp-type echo-request -s $LAN_NET -d $ext_ipaddr -m state --state NEW -j ACCEPT
done

# Drop initial ICMP fragments
iptables -A INPUT -p icmp --fragment -j DROP
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
# Intermediate traceroute responses
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

###############################################################
# Accept the following input requests and ports
###############################################################
for ext_ipaddr in $EXT_IPADDR; do
    echo "Allowing Apache"
    iptables -A INPUT -p tcp --sport $UNPRIVPORTS -d $ext_ipaddr --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    echo "Allowing Secure Apache"
    iptables -A INPUT -p tcp --sport $UNPRIVPORTS -d $ext_ipaddr --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
done

echo "Allowing all private servers to connect"
for host in $LAN_HOSTS; do
    iptables -A INPUT -p ALL -i $INT_IF -s $host -j ACCEPT
done
# Loopback traffic is already accepted by the -i lo rule above; note that this
# rule is not bound to any interface, so it matches a 127.0.0.1 source anywhere.
iptables -A INPUT -p ALL -s 127.0.0.1 -j ACCEPT
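An added example, not part of the original post or the poster's script: a small offline audit that a reviewer could run over an `iptables-save` dump before putting a ruleset like the one above into production. It checks that INPUT and FORWARD default to DROP, lists every ACCEPT rule whose source lies outside the declared LAN (which surfaces the 10.0.1.x versus 10.0.10.x mix-up in the posted script), and flags loopback sources accepted without `-i lo`. The sample dump is constructed to resemble what the posted rules would produce; the function names and the expected LAN argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): an offline audit of an iptables-save dump.
# Function names are this example's own; the rules below are a constructed
# sample modelled on the posted script, including its mixed 10.0.1.x / 10.0.10.x subnets.
SAMPLE_RULES="$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -s 10.0.1.0/24 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.10.2/32 -i eth1 -j ACCEPT
-A INPUT -s 10.0.10.3/32 -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -i eth1 -j ACCEPT
COMMIT
EOF
)"

# Print the default policy of chain $2 in dump $1 (the ":CHAIN POLICY [..]" line).
chain_policy() {
    printf '%s\n' "$1" | awk -v chain=":$2" '$1 == chain { print $2; exit }'
}

# Return 0 if dotted IPv4 address $1 lies inside CIDR $2 (e.g. 10.0.10.2 10.0.1.0/24).
# Done in POSIX awk arithmetic: both addresses are converted to integers and
# compared after discarding the host bits.
ip_in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
        function toint(a,   o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        BEGIN {
            split(cidr, c, "/"); bits = c[2]; if (bits == "") bits = 32
            scale = 2 ^ (32 - bits)
            exit !(int(toint(ip) / scale) == int(toint(c[1]) / scale))
        }'
}

# Print "<chain> <source>" for every ACCEPT rule in INPUT or FORWARD whose
# -s source is not inside the expected LAN ($2).
find_sources_outside_lan() {
    printf '%s\n' "$1" | awk '$1 == "-A" && ($2 == "INPUT" || $2 == "FORWARD") && /-j ACCEPT/ {
        for (i = 3; i <= NF; i++) if ($i == "-s") print $2, $(i+1)
    }' | while read -r chain src; do
        ip_in_cidr "${src%/*}" "$2" || echo "$chain $src"
    done
}

# Print every ACCEPT rule with a 127.x source that is not restricted to -i lo.
find_unbound_loopback() {
    printf '%s\n' "$1" | awk '$1 == "-A" && /-s 127\./ && /-j ACCEPT/ && !/-i lo( |$)/ { print }'
}

# Run all checks over dump $1 for expected LAN $2; one line per finding.
audit_rules() {
    for chain in INPUT FORWARD; do
        [ "$(chain_policy "$1" "$chain")" = "DROP" ] ||
            echo "policy: $chain default policy is not DROP"
    done
    find_sources_outside_lan "$1" "$2" | while read -r chain src; do
        echo "source: $chain accepts $src, which is outside $2"
    done
    find_unbound_loopback "$1" | while read -r rule; do
        echo "loopback: rule '$rule' accepts a loopback source on any interface"
    done
}

# Stand-alone run: audit the sample against the LAN the post describes.
audit_rules "$SAMPLE_RULES" 10.0.1.0/24
```

Run against a live box with `audit_rules "$(iptables-save)" 10.0.1.0/24`; the CIDR test deliberately compares whole addresses rather than string prefixes, so 10.0.10.2 is reported as outside 10.0.1.0/24 even though it shares the text prefix "10.0.1".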
- 06-23-2010 #2
The question is whether this is a script you created or one you found on the Internet and then just plugged your IP addresses into.
Do you really understand everything that is going on in this script? If not, then you should really take the time to learn what is going on with this script and what each rule really does.
Do you really understand what it is you need for your production environment? If not, you need to start there. That is the basics, and without that you are going to be chasing your tail.
Have a look at this TUTORIAL to help guide you with setting up IPTABLES.