blackrax
03-04-2004, 04:23 PM
greetings fellow comrades,
i've recently managed to setup my first iptables firewall; everything works the way it should, however - i am not wholly pleased with the logging: to reduce clutter, i've set the limit burst to 1 (as i don't care about every single packet) - is there however a way to confine the --limit-burst to packet & source level? the current logging isn't very functional, as the limit burst value effectively makes extended port scans impossible to detect et cetera.
also, as this is my first firewall attempt using iptables, i'm sure it contains a lot of nasty and superfluous rules; in other words, i'd appreciate any pointers and general feedback.
cheers,
//blackrax
INET_IFACE="eth1"
LAN_IFACE="eth0"
LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/24"
LO_IFACE="lo"
LO_IP="127.0.0.1"
# flush any old rules
/etc/init.d/iptables start
/etc/init.d/iptables stop
# enable port forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# drop all incoming packets
#iptables -P INPUT DROP
# drop all forwarded packets
#iptables -P FORWARD DROP
# drop all locally created packets
#iptables -P OUTPUT DROP
# creating new chains
iptables -N bad_tcp_packets
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N log_stealth
## iptables -N icmp_packets
# --- setting rules for allowed
# accept new connections
iptables -A allowed -p TCP --syn -j ACCEPT
# accept existing connections
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop all other - log them all
iptables -A allowed -p TCP -m limit --limit 1/minut --limit-burst 1 -j LOG --log-prefix "iptables:DROP "
iptables -A allowed -p TCP -j DROP
# --- logging and dropping stealth scans
iptables -A log_stealth -i $LAN_IFACE -p tcp -m limit --limit 1/minut --limit-burst 1 -j LOG --log-prefix "iptables:synflood_stealhscan "
iptables -A log_stealth -i $LAN_IFACE -p tcp -j DROP
# --- setting rules for bad_tcp_packets - implement logging for each
# drop packtes that are malformed
iptables -A bad_tcp_packets -p TCP --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -m limit --limit 1/minut --limit-burst 1 -j LOG --log-prefix "iptables:DROP:malformed "
iptables -A bad_tcp_packets -p TCP --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
iptables -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -m limit --limit 1/minut --limit-burst 1 -j LOG --log-prefix "iptables:DROP:malformed "
iptables -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -j DROP
# drop syn floods and scans
iptables -A bad_tcp_packets -i $INET_IFACE -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j log_stealth
iptables -A bad_tcp_packets -i $INET_IFACE -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j log_stealth
iptables -A bad_tcp_packets -i $INET_IFACE -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j log_stealth
iptables -A bad_tcp_packets -i $INET_IFACE -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j log_stealth
iptables -A bad_tcp_packets -i $INET_IFACE -p tcp -m tcp --tcp-flags ACK,FIN FIN -j log_stealth
iptables -A bad_tcp_packets -i $INET_IFACE -p tcp -m tcp --tcp-flags ACK,URG URG -j log_stealth
# --- setting rules for tcp packets and ports
# granting tomcat
iptables -A tcp_packets -p TCP -s 0/0 --dport 8080 -j allowed
# wolfenstein et server port
iptables -A tcp_packets -p TCP -s 0/0 --dport 27960 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 27950 -j allowed
# --- setting rules for udp packets and ports
# wolfenstein et server port
iptables -A udp_packets -p UDP -s 0/0 --dport 27960 -j allowed
iptables -A udp_packets -p UDP -s 0/0 --dport 27950 -j allowed
# destroy m$oft packets
iptables -A udp_packets -p UDP -i $INET_IFACE --dport 135:139 -m limit --limit 1/minut --limit-burst 1 -j LOG --log-prefix "iptables:DROP "
iptables -A udp_packets -p UDP -i $INET_IFACE --dport 135:139 -j DROP
# drop dhcp requests
iptables -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --dport 67:68 -m limit --limit 1/minut --limit-burst 1 -j LOG --log-prefix "iptables:DROP "
iptables -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --dport 67:68 -j DROP
# --- setting rules for icmp_packets and services
# accept pings
## iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# accepts traceroute
## iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# --- setting metarules for INPUT
iptables -A INPUT -p TCP -j bad_tcp_packets
iptables -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
iptables -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i $INET_IFACE -j udp_packets
#iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packetss
iptables -A INPUT -p ALL -m limit --limit 1/minut --limit-burst 1 -j LOG --log-prefix "iptables:DROP "
iptables -A INPUT -p ALL -j DROP
# --- setting metarules for OUTPUT
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
# log - this shouln't happen
#iptables -A OUTPUT -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix "IPTABLES - CRITICAL: "
# enables internet sharing
iptables -A POSTROUTING -t nat -o $INET_IFACE -j MASQUERADE
i've recently managed to setup my first iptables firewall; everything works the way it should, however - i am not wholly pleased with the logging: to reduce clutter, i've set the limit burst to 1 (as i don't care about every single packet) - is there however a way to confine the --limit-burst to packet & source level? the current logging isn't very functional, as the limit burst value effectively makes extended port scans impossible to detect et cetera.
also, as this is my first firewall attempt using iptables, i'm sure it contains a lot of nasty and superfluous rules; in other words, i'd appreciate any pointers and general feedback.
cheers,
//blackrax
INET_IFACE="eth1"
LAN_IFACE="eth0"
LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/24"
LO_IFACE="lo"
LO_IP="127.0.0.1"
# flush any old rules
/etc/init.d/iptables start
/etc/init.d/iptables stop
# enable port forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# drop all incoming packets
#iptables -P INPUT DROP
# drop all forwarded packets
#iptables -P FORWARD DROP
# drop all locally created packets
#iptables -P OUTPUT DROP
# creating new chains
iptables -N bad_tcp_packets
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N log_stealth
## iptables -N icmp_packets
# --- setting rules for allowed
# accept new connections
iptables -A allowed -p TCP --syn -j ACCEPT
# accept existing connections
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop all other - log them all
iptables -A allowed -p TCP -m limit --limit 1/minut --limit-burst 1 -j LOG --log-prefix "iptables:DROP "
iptables -A allowed -p TCP -j DROP
# --- logging and dropping stealth scans
iptables -A log_stealth -i $LAN_IFACE -p tcp -m limit --limit 1/minut --limit-burst 1 -j LOG --log-prefix "iptables:synflood_stealhscan "
iptables -A log_stealth -i $LAN_IFACE -p tcp -j DROP
# --- setting rules for bad_tcp_packets - implement logging for each
# drop packtes that are malformed
iptables -A bad_tcp_packets -p TCP --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -m limit --limit 1/minut --limit-burst 1 -j LOG --log-prefix "iptables:DROP:malformed "
iptables -A bad_tcp_packets -p TCP --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
iptables -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -m limit --limit 1/minut --limit-burst 1 -j LOG --log-prefix "iptables:DROP:malformed "
iptables -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -j DROP
# drop syn floods and scans
iptables -A bad_tcp_packets -i $INET_IFACE -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j log_stealth
iptables -A bad_tcp_packets -i $INET_IFACE -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j log_stealth
iptables -A bad_tcp_packets -i $INET_IFACE -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j log_stealth
iptables -A bad_tcp_packets -i $INET_IFACE -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j log_stealth
iptables -A bad_tcp_packets -i $INET_IFACE -p tcp -m tcp --tcp-flags ACK,FIN FIN -j log_stealth
iptables -A bad_tcp_packets -i $INET_IFACE -p tcp -m tcp --tcp-flags ACK,URG URG -j log_stealth
# --- setting rules for tcp packets and ports
# granting tomcat
iptables -A tcp_packets -p TCP -s 0/0 --dport 8080 -j allowed
# wolfenstein et server port
iptables -A tcp_packets -p TCP -s 0/0 --dport 27960 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 27950 -j allowed
# --- setting rules for udp packets and ports
# wolfenstein et server port
iptables -A udp_packets -p UDP -s 0/0 --dport 27960 -j allowed
iptables -A udp_packets -p UDP -s 0/0 --dport 27950 -j allowed
# destroy m$oft packets
iptables -A udp_packets -p UDP -i $INET_IFACE --dport 135:139 -m limit --limit 1/minut --limit-burst 1 -j LOG --log-prefix "iptables:DROP "
iptables -A udp_packets -p UDP -i $INET_IFACE --dport 135:139 -j DROP
# drop dhcp requests
iptables -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --dport 67:68 -m limit --limit 1/minut --limit-burst 1 -j LOG --log-prefix "iptables:DROP "
iptables -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --dport 67:68 -j DROP
# --- setting rules for icmp_packets and services
# accept pings
## iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# accepts traceroute
## iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# --- setting metarules for INPUT
iptables -A INPUT -p TCP -j bad_tcp_packets
iptables -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
iptables -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i $INET_IFACE -j udp_packets
#iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packetss
iptables -A INPUT -p ALL -m limit --limit 1/minut --limit-burst 1 -j LOG --log-prefix "iptables:DROP "
iptables -A INPUT -p ALL -j DROP
# --- setting metarules for OUTPUT
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
# log - this shouln't happen
#iptables -A OUTPUT -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix "IPTABLES - CRITICAL: "
# enables internet sharing
iptables -A POSTROUTING -t nat -o $INET_IFACE -j MASQUERADE