Find the answer to your Linux question:
Results 1 to 3 of 3
Hi All, I'm newbie in Linux and I try to make my script for my linux firewall IPTABLE Waiting your opinions and reviews My Linux is Debian Etch Postfix mail ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Jan 2007
    Posts
    2

    Ask for opinions to my IPTABLES script.


    Hi All,

    I'm newbie in Linux and I try to make my script for my linux firewall IPTABLE
    Waiting your opinions and reviews

    My Linux is Debian Etch
    Postfix mail relay ( to Exchange server 2003 )
    SSH server

    Thanks
    diego


    #! /bin/sh
    #
    # firewall setting up IPTables firewalling
    # this is a debian startscript (/etc/init.d/firewall)
    # other distributions may need slight modifications
    #

    IPTABLES="/sbin/iptables"

    set -e

    case "$1" in
    restart|start)
    echo "Starting firewall: "
    modprobe ip_conntrack
    echo -n "setting default policy: "
    # syncookies and NO ip-forwarding
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 0 > /proc/sys/net/ipv4/ip_forward
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -Z
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -N in_icmp
    $IPTABLES -N in_tcp
    $IPTABLES -N in_udp
    $IPTABLES -A INPUT -p tcp -j in_tcp
    $IPTABLES -A INPUT -p udp -j in_udp
    $IPTABLES -A INPUT -p icmp -j in_icmp
    echo "done"
    echo -n "spoofing, redirect and broadcast protection/logging: "
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "done"
    echo -n "enabling scan detection: "
    if [ -f /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_psd.o ]; then
    $IPTABLES -A INPUT -m psd -m limit --limit 5/minute -j LOG --log-prefix '#### Port Scan ####'
    echo "psd enabled"
    else
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/minute -j LOG --log-prefix '#### Ping Scan ####'
    # high rate for stealth scans, since they could be legitimate connection
    # attempts as well
    $IPTABLES -A in_tcp -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 -j LOG --log-level info --log-prefix '#### Stealth Scan ####'
    $IPTABLES -A in_tcp -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### XMAS Scan ####'
    $IPTABLES -A in_tcp -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### SYN/RST Scan ####'
    $IPTABLES -A in_tcp -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### SYN/FIN Scan ####'
    echo "limited detection enabled (no ipt_psd module)"
    fi
    echo -n "flood, fragment and various other protections: "
    # we allow 10 TCP connects per second, no more
    #$IPTABLES -N syn-flood
    #$IPTABLES -A INPUT -p tcp --syn -j syn-flood
    #$IPTABLES -A syn-flood -m limit --limit 3/s --limit-burst 10 -j RETURN
    #$IPTABLES -A syn-flood -j DROP
    # new connections that have no syn set are most probably evil
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # invalid packets
    $IPTABLES -A INPUT -p tcp -m state --state INVALID -m limit --limit 10/m -j LOG --log-level info --log-prefix "### Invalid Packet ###"
    $IPTABLES -A INPUT -p tcp --tcp-option 64 -m limit --limit 5/m -j LOG --log-level info --log-prefix "### Bad TCP FLAG(64) ###"
    $IPTABLES -A INPUT -p tcp --tcp-option 128 -m limit --limit 5/m -j LOG --log-level info --log-prefix "### Bad TCP FLAG(12 ###"
    echo "done"
    echo -n "setting up ICMP: "
    # we allow echo requests and replies
    # could limit replies to could limit replies to related, but since we
    # answer ping requests, where would be the point in that?
    $IPTABLES -A in_icmp -p icmp --icmp-type 0 -j ACCEPT
    $IPTABLES -A in_icmp -p icmp --icmp-type 8 -j ACCEPT
    # we need destination unreachable
    $IPTABLES -A in_icmp -p icmp --icmp-type 3 -j ACCEPT
    # we are nice and allow traceroute, though it is not required
    $IPTABLES -A in_icmp -p icmp --icmp-type 11 -j ACCEPT
    $IPTABLES -A in_icmp -p icmp --icmp-type 30 -j ACCEPT
    echo "done"
    echo -n "enabling local and outgoing traffic: "
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -I in_tcp -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -j ACCEPT
    # we are nice and reject instead of drop ident traffic
    $IPTABLES -I in_tcp -p tcp --dport auth --j REJECT
    echo "done"
    echo -n "enabling selected services:"
    $IPTABLES -I in_tcp -p tcp --dport https -m state --state NEW,ESTABLISHED -j ACCEPT
    echo -n " https"
    # $IPTABLES -I in_tcp -p tcp --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
    # echo -n " http"
    $IPTABLES -I in_tcp -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
    echo -n " ssh"
    # $IPTABLES -I in_tcp -p tcp --dport rsync -m state --state NEW,ESTABLISHED -j ACCEPT
    # echo -n " rsync"
    $IPTABLES -I in_tcp -p tcp --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
    echo -n " smtp"
    # $IPTABLES -I in_tcp -p tcp --dport ssmtp -m state --state NEW,ESTABLISHED -j ACCEPT
    # echo -n " ssmtp"
    # $IPTABLES -I in_tcp -p tcp --dport pop3 -m state --state NEW,ESTABLISHED -j ACCEPT
    # echo -n " pop3"
    # $IPTABLES -I in_tcp -p tcp --dport imap -m state --state NEW,ESTABLISHED -j ACCEPT
    # echo -n " imap"
    # $IPTABLES -I in_tcp -p tcp --dport pop3s -m state --state NEW,ESTABLISHED -j ACCEPT
    # echo -n " pop3s"
    # $IPTABLES -I in_tcp -p tcp --dport imaps -m state --state NEW,ESTABLISHED -j ACCEPT
    # echo -n " imaps"
    $IPTABLES -I in_tcp -p tcp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -I in_udp -p udp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -I in_udp -p udp --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    echo -n " dns"
    # $IPTABLES -I in_tcp -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
    # active ftp
    # $IPTABLES -I in_tcp -p tcp --dport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
    # echo -n " ftp"

    # finally setting up catch-all to log for debugging:
    #$IPTABLES -A OUTPUT -m limit --limit 60/minute --limit-burst 3 -j LOG \
    # --log-level DEBUG --log-prefix "IPT INPUT packet died: "
    #$IPTABLES -A INPUT -m limit --limit 60/minute --limit-burst 3 -j LOG \
    # --log-level DEBUG --log-prefix "IPT INPUT packet died: "

    echo " - all done"
    echo "Firewall setup complete."
    ;;
    stop)
    echo -n "Shutting down firewall: "
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    echo "done"
    ;;
    *)
    N=/etc/init.d/$NAME
    echo "Usage: $N {start|stop}" >&2
    exit 1
    ;;
    esac

    exit 0

  2. #2
    Just Joined!
    Join Date
    Jan 2007
    Posts
    2
    Someone can help me please?

  3. #3
    Linux User cyberinstru's Avatar
    Join Date
    Jan 2007
    Location
    India
    Posts
    362
    Hey,

    your FORWARD chain is DROP when ur FIREWALL is up and running.

    And cud not see any rules in that chain to forward traffic.

    I wonder if ur traffic is fine with Firewall enabled and ur FORWARD chain DROP (with no rules)

    Also while adding rules in ur INPUT chain, try appending to the chain based on priorities... like
    1. ESTABLISHED, RELATED -- ACCEPT
    2. TCP multi port - smtp, rsync, etc... NEW -- ACCEPT

    You have used -I option while creating rules in your INPUT chain. As you u hve -I option without place of insertion, the rules get inserted on top of the old rules in INPUT chain....

  4. $spacer_open
    $spacer_close

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •