
#1 2009-06-18 17:39:35

lamnk
Member
Registered: 2008-01-30
Posts: 65

Please review my firewall script

This script is for my server, please don't laugh. I'm a beginner in this area.

My policy is to close everything and open needed ports only. Authentic pinging should be allowed

#!/usr/bin/bash

#--------------------------------------------------
# Please check for iptables path first.
#--------------------------------------------------

IPTABLES="/sbin/iptables"

# Remember the current forwarding setting (saved here but never used again)
FWD=`cat /proc/sys/net/ipv4/ip_forward`

# This box does not route, so turn forwarding off
echo 0 > /proc/sys/net/ipv4/ip_forward

# Shorten the FIN-WAIT-2 timeout and the keepalive probe interval
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl


#--------------------------------------------------
# Flush the old tables
#--------------------------------------------------

$IPTABLES -F
$IPTABLES -X

#--------------------------------------------------
# Set default dropping policy
#--------------------------------------------------

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#--------------------------------------------------
# Rules
#--------------------------------------------------

# Allows incoming connections that are related to outgoing connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block invalid ICMP packets
$IPTABLES -A INPUT -m state -p icmp --state INVALID -j DROP
$IPTABLES -A FORWARD -m state -p icmp --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPTABLES -A FORWARD -m state -p icmp --state INVALID -j DROP

# Block NEW without SYN
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Block fragments and Xmas tree as well as SYN,FIN, and SYN,RST
$IPTABLES -A INPUT -f -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Allow ping (echo request/reply, time exceeded, destination unreachable)
$IPTABLES -A INPUT -p icmp --icmp-type 11/1 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -m state --state NEW -j ACCEPT

# Allow new SSH, HTTP and HTTPS connections
$IPTABLES -A INPUT -p tcp -m multiport --destination-port 22,80,443 -m state --state NEW -j ACCEPT

# Allow unlimited traffic on loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Allow all outgoing connections
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT

# Make sure nothing comes or goes out of this box
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j DROP
$IPTABLES -A FORWARD -j DROP

Are the separate DROP rules redundant? Setting the standard dropping policy is enough, right?


#2 2009-06-18 20:53:36

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819

Re: Please review my firewall script

To my knowledge a packet that does not match any rules will be matched against the default policy, so you do not have to drop everything explicitly.

And you have a double

# Block invalid ICMP packets
$IPTABLES -A FORWARD -m state -p icmp --state INVALID -j DROP 
$IPTABLES -A FORWARD -m state -p icmp --state INVALID -j DROP

Which - if my previous statement is correct - you shouldn't need at all (the DROP rules, that is).

I don't get why you're specifying this again either:

# Make sure nothing comes or goes out of this box
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j DROP
$IPTABLES -A FORWARD -j DROP

You already set policies; to me this looks like twice the work...

Also, keep in mind iptables will treat the rules chronologically. So first you define what's allowed, then you define what's blocked. It will work its way down the rules until it finds a match; if not, it will resort to the default policy.

Edit: Bash is in /bin on Arch, not /usr/bin.


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy


#3 2009-06-20 13:53:15

lamnk
Member
Registered: 2008-01-30
Posts: 65

Re: Please review my firewall script

B wrote:

To my knowledge a packet that does not match any rules will be matched against the default policy, so you do not have to drop everything explicitly.

Thank you B, I knew it but saw many scripts on the net drop packets explicitly like that, hence the question.

Btw, is allowing all outgoing connections a dangerous rule? On my server I'd like to download/update things and ping other addresses.


#4 2009-06-20 20:12:20

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819

Re: Please review my firewall script

That depends on how locked down you want it. My mom's box for example has everything denied by default and only a few things (DNS, FTP, NTP, SSH, HTTP, HTTPS, IMAP, ...) allowed explicitly.

As for dropping packets explicitly: what you might want to do is log everything that's dropped during the setup phase, so you can see what gets blocked and what not, so you can easily diagnose any misconfigurations (e.g. what ports need opening etc.).


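B's suggestion to log what gets dropped during the setup phase, together with the question of whether the final DROP rules are needed, as an added example (not code from the thread or from either poster): a rate-limited LOGDROP chain appended to the end of each built-in chain, so that anything the default DROP policy would discard is logged first, plus an awk summary of the logged lines by direction, protocol and destination port. The log lines, interface names and addresses are constructed samples; IPTABLES, LOGDROP and the FW-DROP prefix are names chosen here.

```shell
#!/bin/bash
# Added example, not part of the thread: a log-then-drop tail for a
# default-DROP ruleset plus a summary of what the log shows being dropped.
# IPTABLES defaults to a dry run that only prints the commands it would run;
# set IPTABLES=/sbin/iptables (as root) to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# Create a LOGDROP chain and send whatever reaches the end of each built-in
# chain through it. The limit match keeps a port scan from flooding the log.
install_logdrop() {
    $IPTABLES -N LOGDROP
    $IPTABLES -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FW-DROP: " --log-level 4
    $IPTABLES -A LOGDROP -j DROP
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A "$chain" -j LOGDROP
    done
}

# Read kernel log text on stdin (e.g. journalctl -k | summarize_drops) and
# print "<hits> <in|out> <PROTO> <DPT>" per distinct dropped destination port.
summarize_drops() {
    grep 'FW-DROP:' | awk '{
        dir = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/)    dir = ($i == "IN=") ? "out" : "in"
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        }
        if (proto != "") count[dir " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample lines in the kernel LOG target format (not real traffic).
SAMPLE_LOG='kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=25 SYN
kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=25 SYN
kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40000 DPT=123
kernel: FW-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=UDP SPT=55555 DPT=53'

# Hit count for one direction/protocol/port in the sample, e.g. hits_for in TCP 25
hits_for() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops |
        awk -v k="$1 $2 $3" '($2 " " $3 " " $4) == k { print $1 }'
}

install_logdrop
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Because the LOGDROP rules sit at the very end of each chain, they only see traffic that the earlier ACCEPT rules did not claim, which is exactly the set the default policy would otherwise drop silently.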
