iptables - newbie

 
 
explodingGo4@gmail.com
      01-06-2006, 04:57 AM
Bear with me if I'm not using the terminology correctly, but I'm new to
Linux and firewalls.
I have been using Linux Firewalls, 3rd Edition. Good book, not good to
copy the iptables scripts, lots of missing or incorrect info.

I have an internal LAN that I'd like to protect with iptables.
eth0=internet and eth1 connects to my LAN. I'd like to default the
routing to pass only specific ports. Let's say 80. Masquerading with
NAT passes everything. Can someone point me to a resource that
explains the code in plain English?

Here is what I have. It appears, using TCPDump, that data is passed from eth0
to eth1, but not back to the workstation that requested it. I assume
this is called a choke firewall, per the book....


#!/bin/bash

IPT="/sbin/iptables" #location of iptables

INTERNET="eth0"
DMZ_INTERFACE="eth0"
DMZ_IPADDR="xxx.xxx.xxx.xxx" #eth0, Internet NIC
EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="127.0.0.1"
LAN_INTERFACE="192.168.0.253"
IPADDR="xxx.xxx.xxx.xxx" #eth0, Internet NIC

MY_ISP="my.isp.address.range"
SUBNET_BASE="255.255.255.248"
SUBNET_BROADCAST="xxx.xxx.xxx.xxx" #eth0, Internet NIC broadcast address
LOOPBACK="127.0.0.1/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/4"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
NAMESERVER="xxx.xxx.xxx.xxx" #eth0 ISP DNS server
LAN_GATEWAY="192.168.0.253"
LAN_ADDRESSES="192.168.0.0/24"
CONNECTION_TRACKING="1"

#SETUP BUILTIN KERNEL PROTECTION
##

# Ignore broadcast ICMP echo requests to prevent
# becoming a Smurf attack amplifier
if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi

# Disable Source Routed Packets
if [ -f /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f; done
fi

# Enable flood protection
if [ -f /proc/sys/net/ipv4/tcp_syncookies ]; then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

# Disable ICMP redirects
if [ -f /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
fi

# Don't send Re-Direct Messages
if [ -f /proc/sys/net/ipv4/conf/all/send_redirects ]; then
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
fi

# Drop SPOOFED Packets
if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ]; then
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f; done
fi

# Log packets with impossible addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done


# Delete and flush. Default table is "filter". Others like "nat" must be explicitly stated.
# Flush all the rules in filter and nat tables
iptables --flush
iptables --table nat --flush
iptables --table mangle --flush

# Delete all chains that are not in default filter and nat table
iptables --delete-chain
iptables --table nat --delete-chain

# Lose the user defined chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

#Policy Settings - Drop all connections not defined.
$IPT --policy INPUT ACCEPT
$IPT --policy OUTPUT ACCEPT
$IPT --policy FORWARD ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy OUTPUT ACCEPT

if [ "$1" = "stop" ]
then
echo "Firewall completely stopped! WARNING: THIS HOST DOES NOT HAVE A FIREWALL RUNNING."
exit 0
fi

#NEED LOOPBACK ACCESS
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

# Set Default Policy to DROP

$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP

$IPT -t nat --policy PREROUTING DROP
$IPT -t nat --policy OUTPUT DROP
$IPT -t nat --policy POSTROUTING DROP

$IPT -t mangle --policy PREROUTING DROP
$IPT -t mangle --policy OUTPUT DROP

#Stealth Scans and TCP STATE Flags
##
# iptables -A INPUT -m unclean -j DROP

# All of the bits are cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#SYN and RST are both set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

#FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

#FIN is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

# PSH is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP

# URG is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP


#LOGGING
if [ "$CONNECTION_TRACKING" = "1" ]; then
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: "
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: "
$IPT -A OUTPUT -m state --state INVALID -j DROP

fi

#Refuse SPOOFed packets pretending to be from the internal IP from the external interface
$IPT -A INPUT -i $INTERNET -s $IPADDR -j DROP

#REFUSE packets from private IPs
$IPT -A INPUT -i $INTERNET -s $CLASS_A -j DROP
$IPT -A INPUT -i $INTERNET -s $CLASS_B -j DROP
$IPT -A INPUT -i $INTERNET -s $CLASS_C -j DROP
$IPT -A INPUT -i $INTERNET -s $LOOPBACK_INTERFACE -j DROP

#Refuse malformed broadcast packets
$IPT -A INPUT -i $INTERNET -s $BROADCAST_DEST -j LOG
$IPT -A INPUT -i $INTERNET -s $BROADCAST_DEST -j DROP
$IPT -A INPUT -i $INTERNET -d $BROADCAST_SRC -j LOG
$IPT -A INPUT -i $INTERNET -d $BROADCAST_SRC -j DROP

# Refuse directed broadcasts
# Used to map networks and in DoS attacks
$IPT -A INPUT -i $INTERNET -d $SUBNET_BASE -j DROP
$IPT -A INPUT -i $INTERNET -d $SUBNET_BROADCAST -j DROP

#Refuse limited broadcasts
$IPT -A INPUT -i $INTERNET -d $BROADCAST_DEST -j DROP

#Refuse Class D multicast address
$IPT -A INPUT -i $INTERNET -s $CLASS_D_MULTICAST -j DROP

$IPT -A INPUT -i $INTERNET -p ! udp -d $CLASS_D_MULTICAST -j DROP

$IPT -A INPUT -i $INTERNET -p udp -d $CLASS_D_MULTICAST -j ACCEPT

#Block IANA Reserved Addresses
$IPT -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
$IPT -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP



$IPT -A FORWARD -i eth1 -o eth0 -p tcp \
-s $LAN_ADDRESSES --sport $UNPRIVPORTS --dport 80 \
-m state --state NEW -j ACCEPT

$IPT -A OUTPUT -o $DMZ_INTERFACE -p tcp \
-s $DMZ_IPADDR --sport $UNPRIVPORTS \
-m state --state NEW -j ACCEPT

# -s $DMZ_IPADDR --sport $UNPRIVPORTS --dport 80 \

$IPT -A FORWARD -i $LAN_INTERFACE -o $DMZ_INTERFACE -p tcp \
-s $LAN_ADDRESSES --sport $UNPRIVPORTS --dport 443 \
-m state --state NEW -j ACCEPT

$IPT -A OUTPUT -o $DMZ_INTERFACE -p tcp \
-s $DMZ_IPADDR --sport $UNPRIVPORTS --dport 443 \
-m state --state NEW -j ACCEPT

Robby Workman
      01-06-2006, 05:20 AM
On 2006-01-06, (E-Mail Removed) <(E-Mail Removed)> wrote:
> Bear with me if I'm not using the terminology correctly, but I'm new to
> Linux and firewalls.
> I have been using Linux Firewalls, 3rd Edition. Good book, not good to
> copy the iptables scripts, lots of missing or incorrect info.



It's a good book - hang in there and give it some time -- it will all
come together soon enough...


> I have an internal LAN that I'd like to protect with iptables.
> eth0=internet and eth1 connects to my LAN. I'd like to default the
> routing to pass only specific ports. Let's say 80. Masquerading with
> NAT passes everything. Can someone point me to a resource that
> explains the code in plain English?



I would normally direct you to Oskar Andreasson's tutorial at frozentux,
but it's been down for a few weeks. I have a mirror of an older version
at http://iptables.rlworkman.net - read through it completely.


> Here is what I have. It appears, using TCPDump, that data is passed from eth0
> to eth1, but not back to the workstation that requested it. I assume
> this is called a choke firewall, per the book.... <SNIPPED>



I would suggest starting with something simple, with very little actual
filtering - get that working properly, and then you can worry about
tightening it.
What you're wanting will require filtering in the FORWARD chain of the
filter table.

Try this:

#!/bin/bash

# Set variables
IPT=/usr/sbin/iptables
INT_IF=eth0 # Internet-facing NIC
LAN_IF=eth1 # LAN-facing NIC
LAN_IPRANGE=192.168.0.0/24 # IP Range of LAN
PRIV_IP=x.x.x.x # Private IP address (LAN) of gateway
PUBLIC_IP=x.x.x.x # Public IP Address of gateway

# Set default policies
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Turn off packet forwarding until all rules are applied
echo 0 > /proc/sys/net/ipv4/ip_forward

# Allow all traffic on loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow all packets of established connections and those related to
# established connections
$IPT -A INPUT -i $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH from LAN
$IPT -A INPUT -i $LAN_IF -s $LAN_IPRANGE --sport 1024:65535 \
-d $PRIV_IP --dport 22 -m state --state NEW --syn -j ACCEPT

# Allow all traffic destined for the internet to leave the LAN
# (goes through FORWARD chain)
$IPT -A FORWARD -i $LAN_IF -s $LAN_IPRANGE -o $INT_IP -j ACCEPT

# Allow all valid return traffic for the LAN
$IPT -A FORWARD -i $INT_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT

# SNAT the traffic leaving the LAN
$IPT -t nat -A POSTROUTING -s $LAN_IPRANGE -j SNAT --to-source $PUBLIC_IP

# Turn on packet forwarding now that all rules are applied
echo 1 > /proc/sys/net/ipv4/ip_forward


I did this from memory, so if I missed something obvious, please excuse
me - I'm sure someone will point it out :-)

RW
Robert
      01-08-2006, 07:51 AM
On Fri, 06 Jan 2006 06:20:25 +0000, Robby Workman wrote:

> Try this:
>
> #!/bin/bash
>
> # Set variables
> IPT=/usr/sbin/iptables
> INT_IF=eth0 # Internet-facing NIC
> LAN_IF=eth1 # LAN-facing NIC
> LAN_IPRANGE=192.168.0.0/24 # IP Range of LAN
> PRIV_IP=x.x.x.x # Private IP address (LAN) of gateway
> PUBLIC_IP=x.x.x.x # Public IP Address of gateway
>
> # Set default policies
> $IPT -P INPUT DROP
> $IPT -P FORWARD DROP
> $IPT -P OUTPUT ACCEPT
>
> # Turn off packet forwarding until all rules are applied
> echo 0 > /proc/sys/net/ipv4/ip_forward
>
> # Allow all traffic on loopback interface
> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A OUTPUT -o lo -j ACCEPT
>
> # Allow all packets of established connections and those related to
> # established connections
> $IPT -A INPUT -i $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Allow SSH from LAN
> $IPT -A INPUT -i $LAN_IF -s $LAN_IPRANGE --sport 1024:65535 \
> -d $PRIV_IP --dport 22 -m state --state NEW --syn -j ACCEPT
>
> # Allow all traffic destined for the internet to leave the LAN
> # (goes through FORWARD chain)
> $IPT -A FORWARD -i $LAN_IF -s $LAN_IPRANGE -o $INT_IP -j ACCEPT
>
> # Allow all valid return traffic for the LAN
> $IPT -A FORWARD -i $INT_IP -m state --state ESTABLISHED,RELATED \
> -j ACCEPT


Change INT_IP to INT_IF

> # SNAT the traffic leaving the LAN
> $IPT -t nat -A POSTROUTING -s $LAN_IPRANGE -j SNAT --to-source $PUBLIC_IP
>
> # Turn on packet forwarding now that all rules are applied
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
> I did this from memory, so if I missed something obvious, please excuse
> me - I'm sure someone will point it out :-)


Looks good. Should get him going.


--

Regards
Robert

Smile... it increases your face value!


Robby Workman
      01-08-2006, 05:06 PM
On 2006-01-08, Robert <(E-Mail Removed)> wrote:
> On Fri, 06 Jan 2006 06:20:25 +0000, Robby Workman wrote:
>
>> # Allow all valid return traffic for the LAN
>> $IPT -A FORWARD -i $INT_IP -m state --state ESTABLISHED,RELATED \
>> -j ACCEPT

>
> Change INT_IP to INT_IF


Thanks; da*n typos... :-)

RW
explodingGo4@gmail.com
      01-10-2006, 04:38 PM

Robby Workman wrote:
> On 2006-01-08, Robert <(E-Mail Removed)> wrote:
> > On Fri, 06 Jan 2006 06:20:25 +0000, Robby Workman wrote:
> >
> >> # Allow all valid return traffic for the LAN
> >> $IPT -A FORWARD -i $INT_IP -m state --state ESTABLISHED,RELATED \
> >> -j ACCEPT

> >
> > Change INT_IP to INT_IF

>
> Thanks; da*n typos... :-)
>
> RW


I want to thank you very much!!! Without your help, I was totally dead
in the water. I did fix the typos, but that's easy work. It was enough
to help learn what I was looking at. You have allowed a newbie to get
started!

I have my firewall locked down, out and in, exactly what I was looking
for. I can leave it connected to the real world now.

I'm trying to figure out how to let http traffic inbound to my server.

Thank You, Thank You!!

Robby Workman
      01-11-2006, 03:32 AM
On 2006-01-10, (E-Mail Removed) <(E-Mail Removed)> wrote:
>
> Robby Workman wrote:
>> On 2006-01-08, Robert <(E-Mail Removed)> wrote:
>> > On Fri, 06 Jan 2006 06:20:25 +0000, Robby Workman wrote:
>> >
>> >> # Allow all valid return traffic for the LAN
>> >> $IPT -A FORWARD -i $INT_IP -m state --state ESTABLISHED,RELATED \
>> >> -j ACCEPT
>> >
>> > Change INT_IP to INT_IF

>>
>> Thanks; da*n typos... :-)
>>
>> RW

>
> I want to thank you very much!!! Without your help, I was totally dead
> in the water. I did fix the typos, but that's easy work. It was enough
> to help learn what I was looking at. You have allowed a newbie to get
> started!



Glad to help - it's arguably difficult to get started with iptables, but
once you get started, it's not so bad... Glad to be of assistance...


> I have my firewall locked down, out and in, exactly what I was looking
> for. I can leave it connected to the real world now.
>
> I'm trying to figure out how to let http traffic inbound to my server.



If your webserver is *inside* the LAN, you can do it inside the nat
table's PREROUTING chain:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination \
$webserver_lan_ip:80

You'll also need a rule in the FORWARD chain of the filter table to
accept those PREROUTED packets - I'll leave the details for you to
work out; it's good for you... :-)

If your webserver is actually on the firewall box (not recommended,
but sometimes necessary due to hardware availability), then this:
iptables -A INPUT -p tcp --sport 1024:65535 --dport 80 -m state \
--state NEW --syn -j ACCEPT

If your webserver is inside the LAN, then I'd suggest using
iptables on it to filter in a similar manner to what you would
do on the INPUT chain above (or just do it in the FORWARD chain
on the firewall).

Anyway, if you run into trouble, stop in at #iptables (freenode).
Good luck...

RW

--

http://rlworkman.net
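The following is an added example, not a script from this thread and not Robby Workman's or the book's code. It pulls together the two things the replies above explain: filtering the LAN's traffic in the FORWARD chain of the filter table with SNAT in nat/POSTROUTING (Robby's first reply), and forwarding inbound HTTP to a web server inside the LAN with a DNAT rule in nat/PREROUTING plus the matching FORWARD accept rule that his last reply leaves as an exercise. It goes beyond the thread in two ways: the outbound FORWARD rules accept only a list of destination ports (the original poster's stated goal of passing only port 80, here 80 and 443), and it drops packets conntrack marks INVALID before any ACCEPT rule. The interface names eth0/eth1 and the 192.168.0.0/24 LAN range are taken from the thread; the web server address 192.168.0.10 and the public address 203.0.113.10 are constructed placeholders; `DRY_RUN`, `ipt`, `build_rules`, `rules_dry_run` and `count_forward_new_accepts` are names this example introduces.

```shell
#!/bin/bash
# Added example (not from the thread): a port-restricted LAN gateway with a
# DNAT port-forward for an internal web server. Address values are
# placeholders; override them via the environment.
set -u

IPT=${IPT:-/sbin/iptables}
INT_IF=${INT_IF:-eth0}                    # Internet-facing NIC (from thread)
LAN_IF=${LAN_IF:-eth1}                    # LAN-facing NIC (from thread)
LAN_IPRANGE=${LAN_IPRANGE:-192.168.0.0/24} # LAN range (from thread)
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}      # gateway public IP (placeholder)
WEB_LAN_IP=${WEB_LAN_IP:-192.168.0.10}    # internal web server (constructed)
ALLOWED_OUT_PORTS=${ALLOWED_OUT_PORTS:-"80 443"} # TCP ports the LAN may reach

# DRY_RUN=1 prints each iptables command instead of executing it, so the
# ruleset can be reviewed on a machine without root or iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

build_rules() {
    # Default-deny for traffic to and through the gateway.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Drop what conntrack cannot classify before any ACCEPT rule sees it.
    ipt -A FORWARD -m state --state INVALID -j DROP
    # Return traffic for connections the LAN (or the forwarded server) owns.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound: only NEW TCP connections to the listed ports may leave the LAN.
    for port in $ALLOWED_OUT_PORTS; do
        ipt -A FORWARD -i "$LAN_IF" -o "$INT_IF" -s "$LAN_IPRANGE" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Inbound HTTP: rewrite the destination in nat/PREROUTING ...
    ipt -t nat -A PREROUTING -i "$INT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_LAN_IP:80"
    # ... and accept it in filter/FORWARD. The filter table sees the packet
    # after DNAT, so the match is on the LAN address, not the public one.
    ipt -A FORWARD -i "$INT_IF" -o "$LAN_IF" -d "$WEB_LAN_IP" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Hide LAN sources behind the gateway's public address.
    ipt -t nat -A POSTROUTING -o "$INT_IF" -s "$LAN_IPRANGE" \
        -j SNAT --to-source "$PUBLIC_IP"
}

apply_rules() {
    # Forwarding stays off until the complete ruleset is loaded.
    [ "${DRY_RUN:-0}" = 1 ] || echo 0 > /proc/sys/net/ipv4/ip_forward
    ipt -F
    ipt -t nat -F
    build_rules
    [ "${DRY_RUN:-0}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Review helper: the generated rule list, one command per line.
rules_dry_run() { ( DRY_RUN=1; build_rules ); }

# Review helper: how many rules open NEW forwarded connections
# (one per allowed outbound port plus one for the DNATed web traffic).
count_forward_new_accepts() {
    rules_dry_run | grep -c -- '-A FORWARD .*--state NEW -j ACCEPT'
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `DRY_RUN=1 sh gateway.sh` to print the rules for review, and as root with the argument `apply` to load them. The ordering matters: the INVALID drop and the ESTABLISHED,RELATED accept come before the per-port rules so that only the first packet of a connection is evaluated against the port list, and the FORWARD rule for the web server matches the post-DNAT destination because the filter table sees packets after nat/PREROUTING has rewritten them.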