[nflug] IPTables Help
Joshua Ronne Altemoos
joshua at wolfnix.net
Tue Apr 18 17:33:52 EDT 2006
Hello,
I have a server I need to place a firewall on, and I need some help. I found
a basic firewall I was going to use, but it does not allow ping's or
traceroutes thru it. Per regs you should allow pings, but pings can often
led to attacks. So I am wondering how can you trottle connections, and how
would you allow unix traceroutes when you block all ports but the ones you
want (unix traceroutes uses udp) I have my fw script below.
TIA
Josh
root at atlantis:~# cat fw/primary_fw
#The NAT portion of the ruleset. Used for Network Address Transalation.
#Usually not needed on a typical web server, but it's there if you need it.
*nat
:PREROUTING ACCEPT [127173:7033011]
:POSTROUTING ACCEPT [31583:2332178]
:OUTPUT ACCEPT [32021:2375633]
COMMIT
#The Mangle portion of the ruleset. Here is where unwanted packet types get
dropped.
#This helps in making port scans against your server a bit more time
consuming and difficult, but not impossible.
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG
-j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG
-j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG
-j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG
-j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
#The FILTER section of the ruleset is where we initially drop all packets
and then selectively open certain ports.
#We will also enable logging of all dropped requests.
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
:icmp_packets - [0:0]
#First, we cover the INPUT rules, or the rules for incoming requests.
#Note how at the end we log any incoming packets that are not accepted.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 65.23.128.127 -j ACCEPT
-A INPUT -p tcp -m tcp -d MAINip --dport 20 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp -d MAINip --dport 21 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp -d MAINip --dport 22 -j LOG_ACCEPT
-A INPUT -p udp -m udp -d MAINip --dport 53 -j ACCEPT
-A INPUT -p udp -m udp -d IP1 --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -d MAINip --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -d MAINip --dport 113 -j ACCEPT
-A INPUT -p tcp -m tcp -d MAINip --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp -d IP1 --dport 6970 -j ACCEPT
-A INPUT -p tcp -m tcp -d IP1 --dport 7029 -j ACCEPT
-A INPUT -p tcp -m tcp -d IP1 --dport 6969 -j ACCEPT
-A INPUT -p tcp -m tcp -d IP1 --dport 6900 -j ACCEPT
-A INPUT -p tcp -m tcp -d IP1 --dport 7000 -j ACCEPT
-A INPUT -p tcp -m tcp -d IP1 --dport 6669 -j ACCEPT
-A INPUT -p tcp -m tcp -d IP1 --dport 6668 -j ACCEPT
-A INPUT -p tcp -m tcp -d IP1 --dport 6667 -j ACCEPT
-A INPUT -p tcp -m tcp -d MAINIP --dport 10020 -j ACCEPT
-A INPUT -p tcp -m tcp -d MAINIP --dport 10021 -j ACCEPT
#Allows any proto41akaipv6
-A INPUT -p 41 -j LOG_ACCEPT
#Fracking MSSEEK on my subnet >.>
-A INPUT -d 65.23.154.255 -j DROP
#ALLOW any local packets
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP
#Here we have 2 sets of logging rules. One for dropped packets to log all
dropped requests and one for accepted packets, should we wish to log any
#accepted requesets.
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options
--log-ip-options
-A LOG_DROP -j DROP
-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-tcp-options
--log-ip-options
-A LOG_ACCEPT -j ACCEPT
#And finally, a rule to deal with ICMP requests. We drop all ping requests
except from our own server.
# Make sure you replace 1.2.3.4 with the IP address of your server.
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
#Destination Unreachable
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
#Time Exceeded
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
#Traceroute
-A icmp_packets -p icmp -m icmp --icmp-type 30 -j ACCEPT
#IPv6 Where-Are-You
-A icmp_packets -p icmp -m icmp --icmp-type 33 -j ACCEPT
#IPv6 I-Am-Here
-A icmp_packets -p icmp -m icmp --icmp-type 34 -j ACCEPT
COMMIT
root at atlantis:~#
_______________________________________________
nflug mailing list
nflug at nflug.org
http://www.nflug.org/mailman/listinfo/nflug
More information about the nflug
mailing list