Ask for opinions to my IPTABLES script.

[Diegom31]

Hi All,

I'm newbie in Linux and I try to make my script for my linux firewall IPTABLE
Waiting your opinions and reviews

My Linux is Debian Etch
Postfix mail relay ( to Exchange server 2003 )
SSH server

Thanks
diego


#! /bin/sh
#
# firewall setting up IPTables firewalling
# this is a debian startscript (/etc/init.d/firewall)
# other distributions may need slight modifications
#

IPTABLES="/sbin/iptables"

set -e

case "$1" in
restart|start)
echo "Starting firewall: "
modprobe ip_conntrack
echo -n "setting default policy: "
# syncookies and NO ip-forwarding
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -N in_icmp
$IPTABLES -N in_tcp
$IPTABLES -N in_udp
$IPTABLES -A INPUT -p tcp -j in_tcp
$IPTABLES -A INPUT -p udp -j in_udp
$IPTABLES -A INPUT -p icmp -j in_icmp
echo "done"
echo -n "spoofing, redirect and broadcast protection/logging: "
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "done"
echo -n "enabling scan detection: "
if [ -f /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_psd.o ]; then
$IPTABLES -A INPUT -m psd -m limit --limit 5/minute -j LOG --log-prefix '#### Port Scan ####'
echo "psd enabled"
else
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/minute -j LOG --log-prefix '#### Ping Scan ####'
# high rate for stealth scans, since they could be legitimate connection
# attempts as well
$IPTABLES -A in_tcp -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 -j LOG --log-level info --log-prefix '#### Stealth Scan ####'
$IPTABLES -A in_tcp -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### XMAS Scan ####'
$IPTABLES -A in_tcp -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### SYN/RST Scan ####'
$IPTABLES -A in_tcp -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### SYN/FIN Scan ####'
echo "limited detection enabled (no ipt_psd module)"
fi
echo -n "flood, fragment and various other protections: "
# we allow 10 TCP connects per second, no more
#$IPTABLES -N syn-flood
#$IPTABLES -A INPUT -p tcp --syn -j syn-flood
#$IPTABLES -A syn-flood -m limit --limit 3/s --limit-burst 10 -j RETURN
#$IPTABLES -A syn-flood -j DROP
# new connections that have no syn set are most probably evil
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# invalid packets
$IPTABLES -A INPUT -p tcp -m state --state INVALID -m limit --limit 10/m -j LOG --log-level info --log-prefix "### Invalid Packet ###"
$IPTABLES -A INPUT -p tcp --tcp-option 64 -m limit --limit 5/m -j LOG --log-level info --log-prefix "### Bad TCP FLAG(64) ###"
$IPTABLES -A INPUT -p tcp --tcp-option 128 -m limit --limit 5/m -j LOG --log-level info --log-prefix "### Bad TCP FLAG(12 ###"
echo "done"
echo -n "setting up ICMP: "
# we allow echo requests and replies
# could limit replies to could limit replies to related, but since we
# answer ping requests, where would be the point in that?
$IPTABLES -A in_icmp -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A in_icmp -p icmp --icmp-type 8 -j ACCEPT
# we need destination unreachable
$IPTABLES -A in_icmp -p icmp --icmp-type 3 -j ACCEPT
# we are nice and allow traceroute, though it is not required
$IPTABLES -A in_icmp -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A in_icmp -p icmp --icmp-type 30 -j ACCEPT
echo "done"
echo -n "enabling local and outgoing traffic: "
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -I in_tcp -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -j ACCEPT
# we are nice and reject instead of drop ident traffic
$IPTABLES -I in_tcp -p tcp --dport auth --j REJECT
echo "done"
echo -n "enabling selected services:"
$IPTABLES -I in_tcp -p tcp --dport https -m state --state NEW,ESTABLISHED -j ACCEPT
echo -n " https"
# $IPTABLES -I in_tcp -p tcp --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
# echo -n " http"
$IPTABLES -I in_tcp -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
echo -n " ssh"
# $IPTABLES -I in_tcp -p tcp --dport rsync -m state --state NEW,ESTABLISHED -j ACCEPT
# echo -n " rsync"
$IPTABLES -I in_tcp -p tcp --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
echo -n " smtp"
# $IPTABLES -I in_tcp -p tcp --dport ssmtp -m state --state NEW,ESTABLISHED -j ACCEPT
# echo -n " ssmtp"
# $IPTABLES -I in_tcp -p tcp --dport pop3 -m state --state NEW,ESTABLISHED -j ACCEPT
# echo -n " pop3"
# $IPTABLES -I in_tcp -p tcp --dport imap -m state --state NEW,ESTABLISHED -j ACCEPT
# echo -n " imap"
# $IPTABLES -I in_tcp -p tcp --dport pop3s -m state --state NEW,ESTABLISHED -j ACCEPT
# echo -n " pop3s"
# $IPTABLES -I in_tcp -p tcp --dport imaps -m state --state NEW,ESTABLISHED -j ACCEPT
# echo -n " imaps"
$IPTABLES -I in_tcp -p tcp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -I in_udp -p udp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -I in_udp -p udp --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT
echo -n " dns"
# $IPTABLES -I in_tcp -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
# active ftp
# $IPTABLES -I in_tcp -p tcp --dport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
# echo -n " ftp"

# finally setting up catch-all to log for debugging:
#$IPTABLES -A OUTPUT -m limit --limit 60/minute --limit-burst 3 -j LOG \
# --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#$IPTABLES -A INPUT -m limit --limit 60/minute --limit-burst 3 -j LOG \
# --log-level DEBUG --log-prefix "IPT INPUT packet died: "

echo " - all done"
echo "Firewall setup complete."
;;
stop)
echo -n "Shutting down firewall: "
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
echo "done"
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop}" >&2
exit 1
;;
esac

exit 0

[Diegom31]

Someone can help me please?

[cyberinstru]

Hey,

your FORWARD chain is DROP when ur FIREWALL is up and running.

And cud not see any rules in that chain to forward traffic.

I wonder if ur traffic is fine with Firewall enabled and ur FORWARD chain DROP (with no rules)

Also while adding rules in ur INPUT chain, try appending to the chain based on priorities... like
1. ESTABLISHED, RELATED -- ACCEPT
2. TCP multi port - smtp, rsync, etc... NEW -- ACCEPT

You have used -I option while creating rules in your INPUT chain. As you u hve -I option without place of insertion, the rules get inserted on top of the old rules in INPUT chain....