Find the answer to your Linux question:
Results 1 to 2 of 2
I'm a bit of a newb and this is my first go at creating an iptables / nat script. however I'm not sure if this is secure enough... i really ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Aug 2006
    Posts
    4

    How secure is this IPTABLES setup?


    I'm a bit of a newb and this is my first go at creating an iptables / nat script. however I'm not sure if this is secure enough...
    i really want to make my config as secure as possible, so any suggestions/comments are greatly appreciated

    notes:
    • the script is run on my gateway machine
    • eth0 is my local (hopefully secure) network
    • wlan0 is my connection to the internet


    Code:
    #!/bin/sh
    #
    # Created by James Sullivan
    # Last updated 13/07/07
    #
    #
    
    
    PATH=/usr/sbin:/sbin:/bin:/usr/bin
    
    # temporarily block all traffic.
    iptables -P OUTPUT DROP
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    
    # Delete/Flush old iptables rules
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    
    # Set default policies
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    
    # Prevent external packets from using loopback addr [OPTIONAL]
    iptables -A INPUT   -i wlan0 -s 127.0.0.1 -j DROP
    iptables -A FORWARD -i wlan0 -s 127.0.0.1 -j DROP
    iptables -A INPUT   -i wlan0 -d 127.0.0.1 -j DROP
    iptables -A FORWARD -i wlan0 -d 127.0.0.1 -j DROP
    
    # Anything coming from/going to Internet should not
    # use private addresses [OPTIONAL]
    iptables -A FORWARD -i wlan0 -s 172.16.0.0/12 -j DROP
    iptables -A FORWARD -i wlan0 -s 10.0.0.0/8 -j DROP
    iptables -A INPUT -i wlan0 -s 172.16.0.0/12 -j DROP
    iptables -A INPUT -i wlan0 -s 10.0.0.0/8 -j DROP
    
    # Block outgoing NetBios [OPTIONAL]
    iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
    iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
    iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
    iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
    
    # Allow local loopback [NEEDED]
    iptables -A INPUT -i lo -j ACCEPT
    
    # Allow pings [OPTIONAL]
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
    
    
    ############ STATE STUFF ############
    # Accept existing connections [NEEDED]
    iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Allow any new conections from internal network
    # [ONLY NEEDED IF PORTS ARE NOT EXPLITLY FORWARDED BELOW]
    #iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
    #####################################
    
    # Allow inbound services [OPTIONAL - DNS NEEDED]
    iptables -A INPUT -p tcp -i wlan0 --dport 44444 -j ACCEPT #SSH
    iptables -A INPUT -p tcp -i wlan0 --dport 23232 -j ACCEPT #Bittorrent
    iptables -A INPUT -p udp -i wlan0 --dport 23232 -j ACCEPT #Bittorrent
    iptables -A INPUT -p udp -i eth0  --dport 53 -j ACCEPT #DNS cache
    iptables -A INPUT -p tcp -i eth0  --dport 53 -j ACCEPT #DNS cache
    iptables -A INPUT -p udp -i eth0  --dport 137:139 -j ACCEPT #SAMBA
    iptables -A INPUT -p tcp -i eth0  --dport 445 -j ACCEPT #SAMBA
    
    
    # Allow forwarding of essential services [NEEDED]
    iptables -A FORWARD -p tcp --dport 80 -j ACCEPT #WEB
    iptables -A FORWARD -p tcp --dport 443 -j ACCEPT #HTTPS
    
    # Don't forward from the outside to the inside [OPTIONAL]
    iptables -A FORWARD -i wlan0 -o eth0 -j REJECT
    
    
    # Masquerade [NEEDED]
    iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
    
    # Enable routing.
    echo 1 > /proc/sys/net/ipv4/ip_forward

  2. #2
    Just Joined!
    Join Date
    Aug 2006
    Posts
    4
    Ok i have hardened this script further, here is the latest version:

    please provide some feedback lads!

    Code:
    #!/bin/sh
    #
    # Created by James Sullivan
    # Last updated 16/07/07
    #
    #
    
    
    PATH=/usr/sbin:/sbin:/bin:/usr/bin
    
    # temporarily disable routing
    echo 0 > /proc/sys/net/ipv4/ip_forward
    
    # temporarily block all traffic
    iptables -P OUTPUT DROP
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    
    # Delete/Flush old iptables rules
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    
    # Set default policies
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    
    # Prevent external packets from using loopback addresses [OPTIONAL]
    iptables -A INPUT   -i wlan0 -s 127.0.0.1 -j DROP
    iptables -A INPUT   -i wlan0 -d 127.0.0.1 -j DROP
    iptables -A FORWARD -i wlan0 -s 127.0.0.1 -j DROP
    iptables -A FORWARD -i wlan0 -d 127.0.0.1 -j DROP
    
    # Anything coming from/going to Internet should not
    # use private addresses [OPTIONAL]
    iptables -A INPUT   -i wlan0 -s 172.16.0.0/12  -j DROP
    iptables -A INPUT   -i wlan0 -s 10.0.0.0/8     -j DROP
    iptables -A INPUT   -i wlan0 -s 192.168.0.0/24 -j DROP
    iptables -A FORWARD -i wlan0 -s 172.16.0.0/12  -j DROP
    iptables -A FORWARD -i wlan0 -s 10.0.0.0/8     -j DROP
    iptables -A FORWARD -i wlan0 -s 192.168.0.0/24 -j DROP
    
    # Block outgoing NetBios [OPTIONAL]
    iptables -A FORWARD -p tcp --sport 137:139 -o wlan0 -j LOG --log-prefix "FORWARD DROP: "
    iptables -A FORWARD -p tcp --sport 137:139 -o wlan0 -j DROP
    iptables -A FORWARD -p udp --sport 137:139 -o wlan0 -j LOG --log-prefix "FORWARD DROP: "
    iptables -A FORWARD -p udp --sport 137:139 -o wlan0 -j DROP
    iptables -A OUTPUT  -p tcp --sport 137:139 -o wlan0 -j LOG --log-prefix "OUTPUT DROP: "
    iptables -A OUTPUT  -p tcp --sport 137:139 -o wlan0 -j DROP
    iptables -A OUTPUT  -p udp --sport 137:139 -o wlan0 -j LOG --log-prefix "OUTPUT DROP: "
    iptables -A OUTPUT  -p udp --sport 137:139 -o wlan0 -j DROP
    
    # Allow local loopback [NEEDED]
    iptables -A INPUT -i lo -j ACCEPT
    
    # Allow pings [OPTIONAL]
    iptables -A INPUT   -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
    
    
    ############ STATE STUFF ############
    # Accept existing connections [NEEDED]
    iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Allow any new conections from internal network
    # [ONLY NEEDED IF PORTS ARE NOT EXPLITLY FORWARDED BELOW]
    #iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
    #####################################
    
    # Externally accessable inbound services [OPTIONAL]
    iptables -A INPUT -p tcp --dport 44444 -m state --state NEW -j ACCEPT #SSH
    iptables -A INPUT -p tcp -i wlan0 --dport 23232 -m state --state NEW -j ACCEPT #Bittorrent
    iptables -A INPUT -p udp -i wlan0 --dport 23232 -m state --state NEW -j ACCEPT #Bittorrent
    
    # Internal inbound services [OPTIONAL - DNS NEEDED]
    iptables -A INPUT -p udp -i eth0 --dport 53      -m state --state NEW -j ACCEPT #DNS cache
    iptables -A INPUT -p tcp -i eth0 --dport 53      -m state --state NEW -j ACCEPT #DNS cache
    iptables -A INPUT -p udp -i eth0 --dport 137:139 -m state --state NEW -j ACCEPT #SAMBA
    iptables -A INPUT -p tcp -i eth0 --dport 445     -m state --state NEW -j ACCEPT #SAMBA
    
    # Allow forwarding of essential services [NEEDED]
    iptables -A FORWARD -p tcp --dport 80 -j ACCEPT #WEB
    iptables -A FORWARD -p tcp --dport 443 -j ACCEPT #HTTPS
    
    # Masquerade [NEEDED]
    iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
    
    # Enable routing.
    echo 1 > /proc/sys/net/ipv4/ip_forward

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •