07-14-2007 #1
How secure is this IPTABLES setup?
I'm a bit of a newb and this is my first go at creating an iptables / NAT script. However, I'm not sure if this is secure enough...
I really want to make my config as secure as possible, so any suggestions/comments are greatly appreciated.
Notes:
- the script is run on my gateway machine
- eth0 is my local (hopefully secure) network
- wlan0 is my connection to the internet
Code:
#!/bin/sh
#
# Created by James Sullivan
# Last updated 13/07/07
#
#
PATH=/usr/sbin:/sbin:/bin:/usr/bin

# temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Delete/Flush old iptables rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addr [OPTIONAL]
iptables -A INPUT -i wlan0 -s 127.0.0.1 -j DROP
iptables -A FORWARD -i wlan0 -s 127.0.0.1 -j DROP
iptables -A INPUT -i wlan0 -d 127.0.0.1 -j DROP
iptables -A FORWARD -i wlan0 -d 127.0.0.1 -j DROP

# Anything coming from/going to Internet should not
# use private addresses [OPTIONAL]
iptables -A FORWARD -i wlan0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i wlan0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i wlan0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i wlan0 -s 10.0.0.0/8 -j DROP

# Block outgoing NetBios [OPTIONAL]
iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP

# Allow local loopback [NEEDED]
iptables -A INPUT -i lo -j ACCEPT

# Allow pings [OPTIONAL]
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

############ STATE STUFF ############
# Accept existing connections [NEEDED]
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow any new connections from internal network
# [ONLY NEEDED IF PORTS ARE NOT EXPLICITLY FORWARDED BELOW]
#iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
#####################################

# Allow inbound services [OPTIONAL - DNS NEEDED]
iptables -A INPUT -p tcp -i wlan0 --dport 44444 -j ACCEPT #SSH
iptables -A INPUT -p tcp -i wlan0 --dport 23232 -j ACCEPT #Bittorrent
iptables -A INPUT -p udp -i wlan0 --dport 23232 -j ACCEPT #Bittorrent
iptables -A INPUT -p udp -i eth0 --dport 53 -j ACCEPT #DNS cache
iptables -A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT #DNS cache
iptables -A INPUT -p udp -i eth0 --dport 137:139 -j ACCEPT #SAMBA
iptables -A INPUT -p tcp -i eth0 --dport 445 -j ACCEPT #SAMBA

# Allow forwarding of essential services [NEEDED]
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT #WEB
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT #HTTPS

# Don't forward from the outside to the inside [OPTIONAL]
iptables -A FORWARD -i wlan0 -o eth0 -j REJECT

# Masquerade [NEEDED]
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
07-16-2007 #2
OK, I have hardened this script further; here is the latest version:
Please provide some feedback, lads!
Code:
#!/bin/sh
#
# Created by James Sullivan
# Last updated 16/07/07
#
#
PATH=/usr/sbin:/sbin:/bin:/usr/bin

# temporarily disable routing
echo 0 > /proc/sys/net/ipv4/ip_forward

# temporarily block all traffic
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Delete/Flush old iptables rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addresses [OPTIONAL]
iptables -A INPUT -i wlan0 -s 127.0.0.1 -j DROP
iptables -A INPUT -i wlan0 -d 127.0.0.1 -j DROP
iptables -A FORWARD -i wlan0 -s 127.0.0.1 -j DROP
iptables -A FORWARD -i wlan0 -d 127.0.0.1 -j DROP

# Anything coming from/going to Internet should not
# use private addresses [OPTIONAL]
iptables -A INPUT -i wlan0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i wlan0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i wlan0 -s 192.168.0.0/24 -j DROP
iptables -A FORWARD -i wlan0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i wlan0 -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i wlan0 -s 192.168.0.0/24 -j DROP

# Block outgoing NetBios [OPTIONAL]
iptables -A FORWARD -p tcp --sport 137:139 -o wlan0 -j LOG --log-prefix "FORWARD DROP: "
iptables -A FORWARD -p tcp --sport 137:139 -o wlan0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o wlan0 -j LOG --log-prefix "FORWARD DROP: "
iptables -A FORWARD -p udp --sport 137:139 -o wlan0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o wlan0 -j LOG --log-prefix "OUTPUT DROP: "
iptables -A OUTPUT -p tcp --sport 137:139 -o wlan0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o wlan0 -j LOG --log-prefix "OUTPUT DROP: "
iptables -A OUTPUT -p udp --sport 137:139 -o wlan0 -j DROP

# Allow local loopback [NEEDED]
iptables -A INPUT -i lo -j ACCEPT

# Allow pings [OPTIONAL]
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

############ STATE STUFF ############
# Accept existing connections [NEEDED]
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow any new connections from internal network
# [ONLY NEEDED IF PORTS ARE NOT EXPLICITLY FORWARDED BELOW]
#iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
#####################################

# Externally accessible inbound services [OPTIONAL]
iptables -A INPUT -p tcp --dport 44444 -m state --state NEW -j ACCEPT #SSH
iptables -A INPUT -p tcp -i wlan0 --dport 23232 -m state --state NEW -j ACCEPT #Bittorrent
iptables -A INPUT -p udp -i wlan0 --dport 23232 -m state --state NEW -j ACCEPT #Bittorrent

# Internal inbound services [OPTIONAL - DNS NEEDED]
iptables -A INPUT -p udp -i eth0 --dport 53 -m state --state NEW -j ACCEPT #DNS cache
iptables -A INPUT -p tcp -i eth0 --dport 53 -m state --state NEW -j ACCEPT #DNS cache
iptables -A INPUT -p udp -i eth0 --dport 137:139 -m state --state NEW -j ACCEPT #SAMBA
iptables -A INPUT -p tcp -i eth0 --dport 445 -m state --state NEW -j ACCEPT #SAMBA

# Allow forwarding of essential services [NEEDED]
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT #WEB
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT #HTTPS

# Masquerade [NEEDED]
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
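A static check that can be run over either version of the script in this thread, added here as an example; it is not the poster's code and it never touches the kernel. It parses `iptables -A ...` lines and reports three things a reviewer looks for in a gateway ruleset: whether the anti-spoof DROPs on the external interface cover every RFC 1918 range (a /24 does not cover the /16 it sits in), INPUT ACCEPT rules that name no input interface (they match on the external side as well as the LAN), and FORWARD ACCEPT rules with neither `-i` nor `-o` (they forward in both directions, and rules match in order, so a later outside-to-inside REJECT does not apply to those ports). The embedded input is a constructed excerpt of the rules above; the interface names wlan0 and eth0 are the poster's, and `ipaddress.IPv4Network.supernet_of` is the standard-library call used for the coverage test.

```python
"""Static lint for a home-gateway iptables script (added example, not the poster's code)."""
import ipaddress
import shlex

# Interface roles as the poster describes them: wlan0 faces the internet, eth0 the LAN.
EXT_IF, LAN_IF = "wlan0", "eth0"

# Constructed excerpt in the style of the posted script (second version).
SAMPLE_SCRIPT = """
iptables -P INPUT DROP
iptables -A INPUT -i wlan0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i wlan0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i wlan0 -s 192.168.0.0/24 -j DROP
iptables -A FORWARD -i wlan0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i wlan0 -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i wlan0 -s 192.168.0.0/24 -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 44444 -m state --state NEW -j ACCEPT #SSH
iptables -A INPUT -p tcp -i wlan0 --dport 23232 -m state --state NEW -j ACCEPT #Bittorrent
iptables -A INPUT -p udp -i eth0 --dport 53 -m state --state NEW -j ACCEPT #DNS cache
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT #WEB
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT #HTTPS
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
"""

# The three private ranges of RFC 1918; a spoof filter should cover all of them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# iptables options that take exactly one argument (sufficient for the posted rules).
FLAGS_WITH_ARG = {"-A", "-t", "-i", "-o", "-s", "-d", "-p", "-m", "-j",
                  "--dport", "--sport", "--state", "--icmp-type", "--log-prefix"}


def parse_rules(script):
    """Turn each `iptables -A CHAIN ...` line into a dict of option -> value.
    Trailing #comments are stripped; -P/-F/-X and non-iptables lines are skipped."""
    rules = []
    for raw in script.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("iptables"):
            continue
        toks = shlex.split(line)[1:]
        if "-A" not in toks:
            continue
        rule, it = {}, iter(toks)
        for tok in it:
            if tok in FLAGS_WITH_ARG:
                rule[tok] = next(it)
        rules.append(rule)
    return rules


def is_state_only(rule):
    """True for ESTABLISHED,RELATED rules, which are interface-agnostic by design."""
    return "NEW" not in rule.get("--state", "NEW").split(",")


def spoof_gaps(rules, chain, ext_if=EXT_IF):
    """RFC 1918 ranges not fully covered by a DROP/REJECT on `ext_if` in `chain`."""
    dropped = [ipaddress.ip_network(r["-s"]) for r in rules
               if r.get("-A") == chain and r.get("-i") == ext_if
               and r.get("-j") in ("DROP", "REJECT") and "-s" in r]
    return [str(n) for n in RFC1918 if not any(d.supernet_of(n) for d in dropped)]


def unscoped_accepts(rules, chain="INPUT"):
    """(proto, dport) of ACCEPTs in `chain` with no -i: they match on every interface,
    so a service intended for the LAN side is also reachable from the external side."""
    return [(r.get("-p", "all"), r.get("--dport")) for r in rules
            if r.get("-A") == chain and r.get("-j") == "ACCEPT"
            and "-i" not in r and not is_state_only(r)]


def undirected_forwards(rules):
    """dports of FORWARD ACCEPTs with neither -i nor -o: forwarded ext->LAN as well as
    LAN->ext, and (rules match in order) unaffected by any REJECT appended after them."""
    return [r.get("--dport") for r in rules
            if r.get("-A") == "FORWARD" and r.get("-j") == "ACCEPT"
            and "-i" not in r and "-o" not in r and not is_state_only(r)]


def lint(script):
    """Run all three checks over a script and return the findings by name."""
    rules = parse_rules(script)
    return {
        "spoof_gaps_input": spoof_gaps(rules, "INPUT"),
        "spoof_gaps_forward": spoof_gaps(rules, "FORWARD"),
        "unscoped_input_accepts": unscoped_accepts(rules),
        "undirected_forwards": undirected_forwards(rules),
    }


if __name__ == "__main__":
    for name, findings in lint(SAMPLE_SCRIPT).items():
        print(f"{name}: {findings or 'none'}")
```

To lint the real file rather than the excerpt, read it with `open(path).read()` and pass the text to `lint()`; each finding names the rule that needs an interface or a wider prefix, and an empty list means the check passed.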