IPTables - Suggestions/Comments on my FW Script


element-x
02-21-2001, 10:50 PM
I based my FW Script totally off of Craig McPherson's post of his firewall, then changed a few small things. Anyway, what I would love for anyone to do is give me comments/suggestions on how to make it "better" or tell me if I've done something incorrectly.


#!/bin/sh
echo "Starting firewall script..."
#####################################################################
echo "Setting firewall parameters..."
EXT_INTERFACE="eth0" # External Interface
INT_INTERFACE="eth1" # Internal Interface
# The interface name has to be set before it is used to look up our own address;
# pick the "inet addr:" field by delimiter rather than by fixed byte offsets
IP=`ifconfig $EXT_INTERFACE | grep 'inet addr' | cut -d: -f2 | cut -d' ' -f1`
echo "Firewalling: $IP"
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # well known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
DHCP_SERVER="dhcp.ip" # dhcp server
NAMESERVER_1="ns1.ip" # everyone must have at least one
NAMESERVER_2="ns2.ip" # cool people have two
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
NFS_PORT="2049" # (TCP/UDP) NFS
SOCKS_PORT="1080" # (TCP) Socks
XWINDOW_PORTS="6000:6063" # (TCP) X Windows
SSH_LOCAL_PORTS="1022:65535" # port range for local clients
SSH_REMOTE_PORTS="513:65535" # port range for remote clients
#####################################################################
echo "Loading modules..."
#modprobe ip_conntrack
#modprobe ipt_MIRROR
#modprobe ipt_mac
#modprobe ipt_tos
#modprobe ip_conntrack_ftp
#modprobe ipt_REDIRECT
#modprobe ipt_mark
#modprobe ipt_unclean
#modprobe ip_nat_ftp
modprobe ipt_REJECT
#modprobe ipt_multiport
#modprobe iptable_mangle
#modprobe ipt_MARK
#modprobe ipt_TOS
#modprobe ipt_owner
#modprobe iptable_nat
#modprobe ipt_MASQUERADE
modprobe ipt_limit
#modprobe ipt_state
#####################################################################
echo "Setting default policies..."
#Flush all rules in the filter table
iptables -F
#Delete all user-defined chains
iptables -X
#Reset all NAT rules
#iptables -F -t nat
#Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#####################################################################
# LOGGING CHAINS
#####################################################################
iptables -N ldrop
iptables -F ldrop
iptables -A ldrop -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "DROPPED:: "
iptables -A ldrop -j DROP

iptables -N lreject
iptables -F lreject
iptables -A lreject -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "REJECTED:: "
iptables -A lreject -j REJECT
#####################################################################
echo "Enabling IP forwarding and spoof protection..."
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/$EXT_INTERFACE/log_martians
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
#####################################################################
echo "Locking out bad people..."
#Check and source the ban list
if [ -f /etc/firewall.ban ]; then
. /etc/firewall.ban
fi
#####################################################################
echo "Activating basic firewall rules, set 1..."
#Unlimited traffic on loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#Unlimited traffic on local interface
#iptables -A INPUT -i $INT_INTERFACE -j ACCEPT
#iptables -A OUTPUT -o $INT_INTERFACE -j ACCEPT
#iptables -A FORWARD -i $INT_INTERFACE -j ACCEPT
#iptables -A FORWARD -o $INT_INTERFACE -j ACCEPT
#echo "Activating transparent proxy server..."
#iptables -A PREROUTING -t nat -i $INT_INTERFACE --proto TCP --dport 80 -j DNAT \
# --to 192.168.1.1:8000
#echo "Activating IP masquerading..."
#iptables -A POSTROUTING -t nat -o $EXT_INTERFACE -j MASQUERADE
#####################################################################
echo "Setting up anti-spoofing rules..."
#Drop requests from spoofed, local, or invalid IP's
iptables -A INPUT -s $IP -j ldrop
iptables -A INPUT -s $CLASS_A -j ldrop
iptables -A INPUT -s $CLASS_B -j ldrop
iptables -A INPUT -s $CLASS_C -j ldrop
iptables -A INPUT -s $BROADCAST_DEST -j ldrop
iptables -A INPUT -d $BROADCAST_SRC -j ldrop
iptables -A INPUT -s $CLASS_D_MULTICAST -j ldrop
iptables -A INPUT -s $CLASS_E_RESERVED_NET -j ldrop
iptables -A INPUT -s 1.0.0.0/8 -j ldrop
iptables -A INPUT -s 2.0.0.0/8 -j ldrop
iptables -A INPUT -s 5.0.0.0/8 -j ldrop
iptables -A INPUT -s 7.0.0.0/8 -j ldrop
iptables -A INPUT -s 23.0.0.0/8 -j ldrop
iptables -A INPUT -s 27.0.0.0/8 -j ldrop
iptables -A INPUT -s 31.0.0.0/8 -j ldrop
iptables -A INPUT -s 37.0.0.0/8 -j ldrop
iptables -A INPUT -s 39.0.0.0/8 -j ldrop
iptables -A INPUT -s 41.0.0.0/8 -j ldrop
iptables -A INPUT -s 42.0.0.0/8 -j ldrop
iptables -A INPUT -s 58.0.0.0/7 -j ldrop
iptables -A INPUT -s 60.0.0.0/8 -j ldrop
iptables -A INPUT -s 65.0.0.0/8 -j ldrop
iptables -A INPUT -s 66.0.0.0/7 -j ldrop
iptables -A INPUT -s 68.0.0.0/6 -j ldrop
iptables -A INPUT -s 72.0.0.0/5 -j ldrop
iptables -A INPUT -s 80.0.0.0/4 -j ldrop
iptables -A INPUT -s 96.0.0.0/3 -j ldrop
iptables -A INPUT -s 169.254.0.0/16 -j ldrop
iptables -A INPUT -s 192.0.2.0/24 -j ldrop
iptables -A INPUT -s 217.0.0.0/8 -j ldrop
iptables -A INPUT -s 218.0.0.0/7 -j ldrop
iptables -A INPUT -s 220.0.0.0/6 -j ldrop
iptables -A INPUT -s 248.0.0.0/5 -j ldrop
#Drop requests addressed to impossible IP's
iptables -A INPUT -d $CLASS_A -j ldrop
iptables -A INPUT -d $CLASS_B -j ldrop
iptables -A INPUT -d $CLASS_C -j ldrop
iptables -A INPUT -d $LOOPBACK -j ldrop
#Don't let us send from impossible IP's
iptables -A OUTPUT -s $CLASS_A -j lreject
iptables -A OUTPUT -s $CLASS_B -j lreject
iptables -A OUTPUT -s $CLASS_C -j lreject
iptables -A OUTPUT -s $LOOPBACK -j lreject
#Don't let us send to impossible IP's
iptables -A OUTPUT -d $CLASS_A -j lreject
iptables -A OUTPUT -d $CLASS_B -j lreject
iptables -A OUTPUT -d $CLASS_C -j lreject
iptables -A OUTPUT -d $LOOPBACK -j lreject
#####################################################################
echo "FIREWALL RULE: Banning external NFS"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --dport $NFS_PORT --syn -j ldrop
iptables -A OUTPUT -o $EXT_INTERFACE --proto TCP --dport $NFS_PORT --syn -j lreject
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport $NFS_PORT -j ldrop
iptables -A OUTPUT -o $EXT_INTERFACE --proto UDP --dport $NFS_PORT -j lreject
echo "FIREWALL RULE: Banning external X/OpenWindow"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --dport 2000 --syn -j ldrop
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --dport $XWINDOW_PORTS --syn -j ldrop
iptables -A OUTPUT -o $EXT_INTERFACE --proto TCP --dport 2000 --syn -j lreject
iptables -A OUTPUT -o $EXT_INTERFACE --proto TCP --dport $XWINDOW_PORTS --syn -j lreject
echo "FIREWALL RULE: Banning external SOCKS"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --dport $SOCKS_PORT --syn -j ldrop
iptables -A OUTPUT -o $EXT_INTERFACE --proto TCP --dport $SOCKS_PORT --syn -j lreject
echo "FIREWALL RULE: Banning UDP traceroute"
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS -j ldrop
echo "FIREWALL RULE: FTP server"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 20:21 -j ACCEPT
echo "FIREWALL RULE: Secure SHell server"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $SSH_REMOTE_PORTS --dport 22 -j ACCEPT
echo "FIREWALL RULE: SMTP client/server"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 25 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport 25 --dport 25 -j ACCEPT
echo "FIREWALL RULE: DNS client/server"
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --sport $UNPRIVPORTS --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 53 ! --syn -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --sport 53 --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport 53 --dport 53 ! --syn -j ACCEPT

iptables -A OUTPUT -o $EXT_INTERFACE --proto UDP -s $IP --sport $UNPRIVPORTS -d $NAMESERVER_1 --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -s $NAMESERVER_1 --sport 53 -d $IP --dport $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE --proto TCP -s $IP --sport $UNPRIVPORTS -d $NAMESERVER_1 --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto TCP -s $NAMESERVER_1 --sport 53 -d $IP --dport $UNPRIVPORTS ! --syn -j ACCEPT

iptables -A OUTPUT -o $EXT_INTERFACE --proto UDP -s $IP --sport $UNPRIVPORTS -d $NAMESERVER_2 --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -s $NAMESERVER_2 --sport 53 -d $IP --dport $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE --proto TCP -s $IP --sport $UNPRIVPORTS -d $NAMESERVER_2 --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto TCP -s $NAMESERVER_2 --sport 53 -d $IP --dport $UNPRIVPORTS ! --syn -j ACCEPT

echo "FIREWALL RULE: Web server"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 80 -j ACCEPT
#echo "FIREWALL RULE: AUTH/IDENT requests"
#iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 113 -j ACCEPT
#iptables -A INPUT -i $EXT_INTERFACE --proto UDP --sport $UNPRIVPORTS --dport 113 -j ACCEPT
echo "FIREWALL RULE: POP3 server"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 110 -j ACCEPT
echo "FIREWALL RULE: DHCP client"
#This section probably has more than it needs to -- but I was having
#problems with DHCP, so I went ahead with this overkill just to make sure
#I'd get it to work.
iptables -A INPUT -i $EXT_INTERFACE --proto TCP -s $DHCP_SERVER --dport 67:68 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -s $DHCP_SERVER --sport 67 --dport 68 -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE --proto UDP -s $IP --sport 68 -d $DHCP_SERVER --dport 67 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -s $DHCP_SERVER --sport 67 -d $BROADCAST_DEST --dport 68 -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE --proto UDP -s $BROADCAST_SRC --sport 68 -d $DHCP_SERVER --dport 67 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -s $BROADCAST_SRC --sport 67 -d $BROADCAST_DEST --dport 68 -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE --proto UDP -s $BROADCAST_SRC --sport 68 -d $BROADCAST_DEST --dport 67 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -s $DHCP_SERVER --sport 67 --dport 68 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --sport 67 -d $IP --dport 68 -j ldrop
echo "FIREWALL RULE: Logging assorted trouble ports"
#Block and log NetBUS
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport 12345:12346 -j ldrop
#Block and log BackOrifice
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport 31335:31339 -j ldrop
#Block and log common DDoS ports
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport 27444 -j ldrop
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport 27665 -j ldrop
#####################################################################
echo "Activating Denial-of-Service protection..."
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
echo "FIREWALL RULE: Banning ICMP redirect"
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP --icmp-type 5 -j ldrop
iptables -A OUTPUT -o $EXT_INTERFACE --proto ICMP --icmp-type 3 -j ACCEPT
echo "FIREWALL RULE: Banning incoming traceroute"
iptables -A OUTPUT -o $EXT_INTERFACE --proto ICMP --icmp-type 11 -j lreject
echo "FIREWALL RULE: Allowing outgoing traceroute"
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP --icmp-type 3 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP --icmp-type 11 -j ACCEPT
echo "FIREWALL RULE: Allowing bidirectional pinging"
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP --icmp-type 0 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE --proto ICMP --icmp-type 0 -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE --proto ICMP --icmp-type 8 -j ACCEPT
echo "FIREWALL RULE: Disabling other ICMP messages"
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP -j lreject
iptables -A OUTPUT -o $EXT_INTERFACE --proto ICMP -j lreject
#####################################################################
echo "Activating basic firewall rules, set 2..."
#Allow established TCP connections
iptables -A INPUT -i $EXT_INTERFACE --proto TCP -d $IP --dport $UNPRIVPORTS ! --syn -j ACCEPT
#Allow connections to unpriv UDP ports not otherwise banned
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -d $IP --dport $UNPRIVPORTS -j ACCEPT
#####################################################################
echo "Finishing firewalling... done"

Algemon
02-22-2001, 03:13 AM
If you have based it on Craig's then I am sure it functions fine to keep the baddies out.

However, it is basically a reworked ipchains firewall which doesn't use many of the new and funky features with iptables.

Take a look at the topic I started on iptables new features in this forum. You could simplify the firewall by using some of the new stateful stuff.

Take a look at the very simple last few rules in my firewall which set up a basic "Don't speak unless spoken to" firewall. (in the "post your firewall" topic in this forum).

Please feel free to add to the new features with iptables topic if you have anything further to share.

I believe the simpler you can do things the better and less error prone the firewall will be. If you have difficulty reading it then it will be harder to adjust later on.

element-x
02-22-2001, 08:31 AM
OK, well, the main reason I based my script off of what Craig had is because he seems like he knows what he is doing. Plus, as I went through the script, I saw the changes and now I know the "basic" syntax.

I'll have to take a peek at the new features of iptables in that other thread.

Algemon
02-23-2001, 06:01 AM
Hey, don't get me wrong. I wasn't trying to knock Craig's script. I think that if anyone knows something about this stuff then it is Craig.

Look, I wanted to learn more about this stuff so I went out and bought the book written by Ziegler - check this site out: http://www.linux-firewall-tools.com/linux/

I then compiled a 2.4.1 kernel and got iptables and reworked the script that I had come up with for ipchains.

Initially I found it quite difficult reading the scripts for ipchains. I think iptables makes the reading much easier especially some of the new stuff. I really like the "-m state" stuff which really simplified things for me.

The simpler the better in my book ;)

element-x
02-23-2001, 09:23 AM
That's what I've been doing myself. I borrowed Craig's script, changed a few things to make it a tad bit easier, adding some logging, and now I'm just looking at my previous ipchains ruleset and moving the rules to use iptables.

I still don't quite understand the -m state fully, but I'm sure that after reading some more over the weekend, I'll get a better grasp.
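The "-m state" style that Algemon refers to above, shown as an added example; this is not part of the original thread, nor of Craig McPherson's or element-x's script. The interface name, the list of public TCP services and the FW_APPLY switch are assumptions for illustration. It prints the rules it would load unless FW_APPLY=1 is set, so it can be reviewed (or run under a test) without root and without touching a live firewall.

```shell
#!/bin/sh
# Added example: a minimal "don't speak unless spoken to" ruleset built on the
# iptables state match. Assumed values: external interface eth0 and public
# TCP services ssh, smtp and http. Not the script posted in the thread.
#
# Dry run by default: rules are printed, not applied. Set FW_APPLY=1 and run as
# root to load them for real.
EXT_INTERFACE="eth0"
SERVICES_TCP="22 25 80"   # assumed public services: ssh, smtp, http

if [ "${FW_APPLY:-0}" = "1" ]; then
    IPT="iptables"
else
    IPT="echo iptables"
fi

# Apply one rule, or print it in dry-run mode.
rule() {
    $IPT "$@"
}

stateful_firewall() {
    rule -F
    rule -X
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT

    # Loopback is always allowed.
    rule -A INPUT -i lo -j ACCEPT

    # This one rule replaces the ipchains-style "! --syn" and "unprivileged
    # ports" rules: any packet belonging to a connection this host started
    # (or a related one, e.g. an FTP data channel when ip_conntrack_ftp is
    # loaded) is accepted regardless of port, so DNS replies, traceroute
    # responses and so on no longer need their own rules.
    rule -A INPUT -i "$EXT_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot classify (bad flag combinations, out of window)
    # are dropped rather than being treated as NEW.
    rule -A INPUT -i "$EXT_INTERFACE" -m state --state INVALID -j DROP

    # Caveat: a TCP packet without SYN can still be classified NEW by
    # conntrack, so insist that a new TCP connection starts with a SYN.
    rule -A INPUT -i "$EXT_INTERFACE" -p tcp ! --syn -m state --state NEW -j DROP

    # Only NEW connections to the services we intend to offer get through.
    for port in $SERVICES_TCP; do
        rule -A INPUT -i "$EXT_INTERFACE" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Let the host be pinged; the echo reply leaves as ESTABLISHED.
    rule -A INPUT -i "$EXT_INTERFACE" -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

    # Everything else is logged (rate limited) and dropped.
    rule -A INPUT -i "$EXT_INTERFACE" -m limit --limit 5/minute -j LOG --log-prefix "DROPPED:: "
    rule -A INPUT -i "$EXT_INTERFACE" -j DROP
}

stateful_firewall
```

Compared with the posted script, the per-service "reply" rules (the DNS, traceroute and "allow established TCP / unpriv UDP" sections) collapse into the single ESTABLISHED,RELATED rule, and what remains is an explicit list of the services that may be reached from outside. The INVALID and "NEW without SYN" rules are the two checks worth keeping in any state-based ruleset, since conntrack alone does not enforce a proper three-way handshake.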

pcghost
11-04-2002, 01:26 PM
Where can I find Craig McPherson's script that you used as the basis? I am trying to set up a squid server with minor mail port forwarding and need a starting point that is nice and secure. Any links/help will be most appreciated. Thanks...