| Home | Register | Members | Search | Links |
 |
| Thread Tools | Display Modes |
|
Joshua SS Miller
Guest
Posts: n/a
|
Hello,
I am trying to migrate from ipchains to tables and thought it would be easy,, boy was I wrong! When I run the firewall script below it locks me out completely. Any help is much appreciated. It was a ipchains script created with a java apt. Joshua joshua@sunlap:~$ cat firewall.iptables #!/bin/sh # Script generated Sun Nov 10 09:46:17 2002 # Script converted to iptables Mon Feb 03 00:10:17 2003 # ---------------------------------------------------------------------------- # Copyright (C) 1997, 1998, 1999, 2000 Robert L. Ziegler # # ---------------------------------------------------------------------------- # /etc/rc.d/rc.firewall # Invoked from /etc/rc.d/rc.local. echo "Starting firewalling... " # ---------------------------------------------------------------------------- # Some definitions for easy maintenance. # EDIT THESE TO SUIT YOUR SYSTEM AND ISP. EXTERNAL_INTERFACE="eth0" # Internet connected interface LOOPBACK_INTERFACE="lo" # or your local naming convention IPADDR2=`ifconfig $EXTERNAL_INTERFACE | grep inet | cut -d : -f 2 | cut -d \ -f 1` IPADDR="$IPADDR2/24"; ANYWHERE="any/0" # match any IP address NAMESERVER_1="any/0" # everyone must have at least one SMTP_SERVER="any/0" # Your ISP mail gateway. Your relay. LOOPBACK="127.0.0.0/8" # reserved loopback address range CLASS_A="10.0.0.0/8" # class A private networks CLASS_B="172.16.0.0/12" # class B private networks #CLASS_C="192.168.0.0/16" # class C private networks CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses BROADCAST_SRC="0.0.0.0" # broadcast source address BROADCAST_DEST="255.255.255.255" # broadcast destination address PRIVPORTS="0:1023" # well known, privileged port range UNPRIVPORTS="1024:65535" # unprivileged port range # ---------------------------------------------------------------------------- NFS_PORT="2049" # (TCP/UDP) NFS SOCKS_PORT="1080" # (TCP) Socks # X Windows port allocation begins at 6000 and increments to 6063 # for each additional server running. XWINDOW_PORTS="6000:6063" # (TCP) X windows # The SSH client starts at 1023 and works down to 513 for each # additional simultaneous connection originating from a privileged port. # Clients can optionally be configured to use only unprivileged ports. SSH_LOCAL_PORTS="1022:65535" # port range for local clients SSH_REMOTE_PORTS="513:65535" # port range for remote clients # traceroute usually uses -S 32769:65535 -D 33434:33523 TRACEROUTE_SRC_PORTS="32769:65535" TRACEROUTE_DEST_PORTS="33434:33523" # ---------------------------------------------------------------------------- # Default policy is DROP # Explicitly accept desired INCOMING & OUTGOING connections # Remove all existing rules belonging to this filter iptables -F INPUT iptables -F OUTPUT iptables -F FORWARD iptables -F -t nat # Set the default policy of the filter to drop. iptables -P INPUT DROP iptables -P OUTPUT REJECT iptables -P FORWARD DROP # ---------------------------------------------------------------------------- # Enable TCP SYN Cookie Protection echo 1 > /proc/sys/net/ipv4/tcp_syncookies # Enable always defragging Protection echo 1 > /proc/sys/net/ipv4/ip_always_defrag # Enable broadcast echo Protection echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Enable bad error message Protection echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # Enable IP spoofing protection # turn on Source Address Verification for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f done # Disable ICMP Redirect Acceptance for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f done for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f done # Disable Source Routed Packets for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f done # Log Spoofed Packets, Source Routed Packets, Redirect Packets for f in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $f done # ---------------------------------------------------------------------------- # LOOPBACK # Unlimited traffic on the loopback interface. iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT # ---------------------------------------------------------------------------- # ---------------------------------------------------------------------------- # SPOOFING & BAD ADDRESSES # Refuse spoofed packets. # Ignore blatantly illegal source addresses. # Protect yourself from sending to bad addresses. # Refuse incoming packets pretending to be from the external address. iptables -A INPUT -s $IPADDR -j LOG iptables -A INPUT -s $IPADDR -j DROP # Refuse incoming packets claiming to be from a Class A, B or C private network iptables -A INPUT -s $CLASS_A -j DROP iptables -A INPUT -s $CLASS_B -j DROP iptables -A INPUT -s $CLASS_C -j DROP # Refuse broadcast address SOURCE packets iptables -A INPUT -s $BROADCAST_DEST -j LOG iptables -A INPUT -s $BROADCAST_DEST -j DROP iptables -A INPUT -d $BROADCAST_SRC -j LOG iptables -A INPUT -d $BROADCAST_SRC -j DROP # Refuse Class D multicast addresses # Multicast is illegal as a source address. # Multicast uses UDP. iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP # Refuse Class E reserved IP addresses iptables -A INPUT -s $CLASS_E_RESERVED_NET -j LOG iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP # Refuse special addresses defined as reserved by the IANA. # Note: The remaining reserved addresses are not included. # Filtering them causes problems as reserved blocks are # being allocated more often now. # Note: this list includes the loopback, multicast, & reserved addresses. # 0.*.*.* - Can't be blocked for DHCP users. # 127.*.*.* - LoopBack # 169.254.*.* - Link Local Networks # 192.0.2.* - TEST-NET # 224-255.*.*.* - Classes D & E, plus unallocated. iptables -A INPUT -s 0.0.0.0/8 -j LOG iptables -A INPUT -s 0.0.0.0/8 -j DROP iptables -A INPUT -s 127.0.0.0/8 -j LOG iptables -A INPUT -s 127.0.0.0/8 -j DROP iptables -A INPUT -s 169.254.0.0/16 -j LOG iptables -A INPUT -s 169.254.0.0/16 -j DROP iptables -A INPUT -s 192.0.2.0/24 -j LOG iptables -A INPUT -s 192.0.2.0/24 -j DROP iptables -A INPUT -s 224.0.0.0/3 -j LOG iptables -A INPUT -s 224.0.0.0/3 -j DROP # ---------------------------------------------------------------------------- # NOTE: # The symbolic names used in /etc/services for the port numbers vary by # supplier. Using them is less error prone and more meaningful, though. # ---------------------------------------------------------------------------- # TCP UNPRIVILEGED PORTS # Avoid ports subject to protocol & system administration problems. # NFS: establishing a TCP connection iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \ --destination-port $NFS_PORT -j LOG iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \ --destination-port $NFS_PORT -j DROP iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \ --destination-port $NFS_PORT -j REJECT # Xwindows: establishing a connection iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \ --destination-port $XWINDOW_PORTS -j LOG iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \ --destination-port $XWINDOW_PORTS -j DROP iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \ --destination-port $XWINDOW_PORTS -j REJECT # SOCKS: establishing a connection iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \ --destination-port $SOCKS_PORT -j LOG iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \ --destination-port $SOCKS_PORT -j DROP iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \ --destination-port $SOCKS_PORT -j REJECT # ---------------------------------------------------------------------------- # UDP UNPRIVILEGED PORTS # Avoid ports subject to protocol & system administration problems. iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \ --destination-port $NFS_PORT -j LOG iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \ --destination-port $NFS_PORT -j DROP # UDP INCOMING TRACEROUTE # traceroute usually uses -S 32769:65535 -D 33434:33523 iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \ --source-port $TRACEROUTE_SRC_PORTS \ --destination-port $TRACEROUTE_DEST_PORTS -j LOG iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \ --source-port $TRACEROUTE_SRC_PORTS \ --destination-port $TRACEROUTE_DEST_PORTS -j DROP # DNS server (53) # --------------- # DNS: full server # ---------------- # server/client to server query or response iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \ --source-port $UNPRIVPORTS \ -d $IPADDR 53 -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \ -s $IPADDR 53 \ --destination-port $UNPRIVPORTS -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \ -s $IPADDR 53 \ --destination-port 53 -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \ --source-port 53 \ -d $IPADDR 53 -j ACCEPT # DNS client (53) # --------------- iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \ -s $IPADDR $UNPRIVPORTS \ -d $NAMESERVER_1 53 -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \ -s $NAMESERVER_1 53 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $NAMESERVER_1 53 -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $NAMESERVER_1 53 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # HTTP server (80) # ---------------- iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \ --source-port $UNPRIVPORTS \ -d $IPADDR 80 -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $IPADDR 80 \ --destination-port $UNPRIVPORTS -j ACCEPT # HTTP client (80) # ---------------- iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ --destination-port 80 -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \ --source-port 80 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # HTTPS server (443) # ------------------ iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \ --source-port $UNPRIVPORTS \ -d $IPADDR 443 -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $IPADDR 443 \ --destination-port $UNPRIVPORTS -j ACCEPT # HTTPS client (443) # ------------------ iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ --destination-port 443 -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \ --source-port 443 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # POP server (110) # ---------------- iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \ --source-port $UNPRIVPORTS \ -d $IPADDR 110 -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $IPADDR 110 \ --destination-port $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # SMTP server (25) # ---------------- iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \ --source-port $UNPRIVPORTS \ -d $IPADDR 25 -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $IPADDR 25 \ --destination-port $UNPRIVPORTS -j ACCEPT # SMTP client (25) # ---------------- iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $SMTP_SERVER 25 -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $SMTP_SERVER 25 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # SSH server (22) # --------------- iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \ --source-port $SSH_REMOTE_PORTS \ -d $IPADDR 22 -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $IPADDR 22 \ --destination-port $SSH_REMOTE_PORTS -j ACCEPT # SSH client (22) # --------------- iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $SSH_LOCAL_PORTS \ --destination-port 22 -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \ --source-port 22 \ -d $IPADDR $SSH_LOCAL_PORTS -j ACCEPT # ------------------------------------------------------------------ # AUTH server (113) # ----------------- # Reject, rather than drop, the incoming auth port. (NET-3-HOWTO) iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \ --source-port $UNPRIVPORTS \ -d $IPADDR 113 -j REJECT # AUTH client (113) # ----------------- iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ --destination-port 113 -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \ --source-port 113 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # WHOIS client (43) # ----------------- iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ --destination-port 43 -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \ --source-port 43 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # FTP server (21) # --------------- # incoming request iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \ --source-port $UNPRIVPORTS \ -d $IPADDR 21 -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $IPADDR 21 \ --destination-port $UNPRIVPORTS -j ACCEPT # PORT MODE data channel responses iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR 20 \ --destination-port $UNPRIVPORTS -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \ --source-port $UNPRIVPORTS \ -d $IPADDR 20 -j ACCEPT # PASSIVE MODE data channel responses iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \ --source-port $UNPRIVPORTS \ -d $IPADDR $UNPRIVPORTS -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $IPADDR $UNPRIVPORTS \ --destination-port $UNPRIVPORTS -j ACCEPT # FTP client (21) # --------------- # outgoing request iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ --destination-port 21 -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \ --source-port 21 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # PORT mode data channel iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \ --source-port 20 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $IPADDR $UNPRIVPORTS \ --destination-port 20 -j ACCEPT # PASSIVE mode data channel creation iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ --destination-port $UNPRIVPORTS -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \ --source-port $UNPRIVPORTS \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # ---------------------------------------------------------------------------- # UDP accept only on selected ports # --------------------------------- # ------------------------------------------------------------------ # OUTGOING TRACEROUTE # ------------------- iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \ -s $IPADDR $TRACEROUTE_SRC_PORTS \ --destination-port $TRACEROUTE_DEST_PORTS -j LOG iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \ -s $IPADDR $TRACEROUTE_SRC_PORTS \ --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT # ---------------------------------------------------------------------------- # ICMP # To prevent denial of service attacks based on ICMP bombs, filter # incoming Redirect (5) and outgoing Destination Unreachable (3). # Note, however, disabling Destination Unreachable (3) is not # advisable, as it is used to negotiate packet fragment size. # For bi-directional ping. # Message Types: Echo_Reply (0), Echo_Request (8) # To prevent attacks, limit the src addresses to your ISP range. # # For outgoing traceroute. # Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11) # default UDP base: 33434 to base+nhops-1 # # For incoming traceroute. # Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11) # To block this, drop OUTGOING 3 and 11 # 0: echo-reply (pong) # 3: destination-unreachable, port-unreachable, fragmentation-needed, etc. # 4: source-quench # 5: redirect # 8: echo-request (ping) # 11: time-exceeded # 12: parameter-problem iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \ --icmp-type echo-reply \ -d $IPADDR -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \ --icmp-type destination-unreachable \ -d $IPADDR -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \ --icmp-type source-quench \ -d $IPADDR -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \ --icmp-type time-exceeded \ -d $IPADDR -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \ --icmp-type parameter-problem \ -d $IPADDR -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \ -s $IPADDR fragmentation-needed -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \ -s $IPADDR source-quench -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \ -s $IPADDR echo-request -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \ -s $IPADDR parameter-problem -j ACCEPT # ---------------------------------------------------------------------------- # Enable logging for selected denied packets iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j LOG iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \ --destination-port $PRIVPORTS -j LOG iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \ --destination-port $PRIVPORTS -j DROP iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \ --destination-port $UNPRIVPORTS -j LOG iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \ --destination-port $UNPRIVPORTS -j DROP iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \ --icmp-type 5 -j LOG iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \ --icmp-type 5 -j DROP iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \ --icmp-type 13:255 -j LOG iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \ --icmp-type 13:255 -j DROP iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j LOG iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT # ---------------------------------------------------------------------------- echo "done" exit 0 |
|
|
|
|
|||
|
|||
|
|
|
| |
|
Jeroen Geilman
Guest
Posts: n/a
|
Joshua SS Miller wrote:
> Hello, Hi there, and welcome > I am trying to migrate from ipchains to tables and thought it would be > easy,, boy was I wrong! When I run the firewall script below it locks > me out completely. Wow - another one of those "hey! I'll post my complete /etc directory and they'll figure it all out for me"-kind of "requests"... > Any help is much appreciated. Indeed - starting with YOU. WHAT doesn't work ? WHERE does it fail ? Have you tested it - thoroughly ? Describe what you want and what it does, post error messages and *relevant* snippets of code - NOT entire machine-generated scripts, it only annoys and most people WILL NOT even read it - what do you think we all are ? Masochists ? Did you notice the *relevant* bit above ? > echo "done" > > exit 0 Ah - I think I know this one ! -- Jeroen Geilman Gentoo 1.4 rc4 |
|
|
|
|
|||
|
|
|||
|
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| HEC Errors | Roger Cain | Broadband | 1 | 03-05-2006 07:13 PM |
| Looking for iptables applications code (iptables.c) to run some rules to forward packets | tvnaidu@yahoo.com | Linux Networking | 2 | 01-17-2005 05:01 PM |
| MN-740 Errors | W. Nunn | Broadband Hardware | 1 | 08-28-2004 04:30 AM |
| Errors | sandy | Windows Networking | 0 | 04-22-2004 04:46 AM |
| iptables "can't initialize iptables table `filter'" | pete | Linux Networking | 1 | 10-10-2003 03:44 AM |
Forum Software Powered by vBulletin®, Copyright Jelsoft Enterprises Ltd.
SEO by vBSEO 3.3.2 ©2009, Crawlability, Inc. |
Linear Mode
