Iptables and Logins at boot-up
technomage
technomage-hawke at cox.net
Sun Oct 10 08:12:41 UTC 2004
you don't want iptables turned off.
without it, you leave the risk that eventually, someone will "root" the box
and then it will no longer be yours.
in most default installs these days, you shouldn't even be allowed to login as
root (excessively dangerous!!!) and should only be allowed to login as user.
something is up of you are getting the other way around....
I am not sure that is an iptables issues per se.
I do have a script. how there is a way to disable iptables on boot (the
command is: chkconfig --level 2345 iptables off).
I would then edit the rc.local script in the /etc/rc.d directory and add the
following lines (pointed to the following script)
************************
in rc.local add:
#firewall script
/etc/rc.d/firewall.tables
#end
************************
the lines above have to be at the very end of the file.
here is my firewall tables script that I use on a mandrake 10 installation (as
a firewall):
******************************
#!/bin/sh
# ----------------------------------------------------------------------|
# This is it...MonMotha's Firewall 2.3.1-pre2! |
#
# Notes about configuration: |
# Some things take more than one option; separate with spaces. |
# You probably don't want all the ports I have under here open, portscan|
# yourself to find what you want open. |
# For SSH you need port 22 in TCP_ALLOW, and set the appropriate SSH |
# system(s) to "TRUE". |
# If you want to used host-based identd allowing, do NOT put 113 in |
# TCP_ALLOW and DO set ALLOW_TCP_HOSTWISE (using 113 as the port).|
# Of course, you can also put 113 in TCP_ALLOW to allow anyone. |
# The same applies to DNS (only use port 53 and UDP). |
# MAC_LAN is ONLY used to the purposes of masquerading and it will |
# override the INTERNAL_LAN setting for masquerading. However, |
# INTERNAL_LAN must still be properly defined for other things! |
/sbin/modprobe ip_conntrack
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_TOS
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_MIRROR
/sbin/modprobe ipt_LOG
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
# set to your iptables location, must be set
IPTABLES="/sbin/iptables"
# TCP ports to ALLOW
TCP_ALLOW="22"
TCP_ALLOW_LOG=""
NAPSTER_SERVER_PORTS=""
NAPSTER_PORTS=""
# TCP packets to quietly drop
# (standard ports to prevent certain types of attacks).
TCP_DROP="0 1 7 135 136 137 138 143 500 700 777 1000 1111 4000 4464 \
4467 5555 6346 6969 9999 9340 10200 27374"
#Drop Source Packets
TCP_SOURCE_DROP="119"
#allow in udp packets on specific ports
UDP_ALLOW="" # UDP ports to ALLOW
UDP_ALLOW_LOG=""
# UDP packets to quietly drop
UDP_DROP="67 68 500 700"
#ICMP Packets to allow
ICMP_ALLOW=""
# the interface your internet's on (one only), must be set
INET_IFACE="eth0"
# the interface(s) your LAN's on (currently used only as a sanity check)
LAN_IFACE=""
# set to TRUE if you use "real" SSH1 (anything else is interpreted as FALSE)
USE_SSH1="TRUE"
# set to TRUE if you use OpenSSH (anything else is interpreted as FALSE)
USE_OPENSSH="TRUE"
# the internal network(s), must be set
INTERNAL_LAN="192.168.16.0/24"
# What to do with packets we don't want: DROP, REJECT, LDROP (log and drop),
# or LREJECT (log and reject)
DROP="LDROP"
#Deny from these addresses without question!
#format: IP/mask
DENY_ALL=""
# Specific hosts to deny access to specific TCP ports; format is "IP:PORT"
DENY_HOSTWISE_TCP=""
# Specific hosts to deny access to specific UDP ports; format is "IP:PORT"
DENY_HOSTWISE_UDP=""
# Specific hosts to allow access to specific TCP ports; format is "IP:PORT"
ALLOW_HOSTWISE_TCP=""
ALLOW_HOSTWISE_SOURCE_TCP=""
# Specific hosts allowed access to specific UDP ports; format is "IP:PORT"
ALLOW_HOSTWISE_UDP=""
# Below here is experimental
# MAC addresses permitted to use masquerading, leave blank to not use
MAC_LAN=""
# Set to TRUE to use masquerading (anything else is interpreted as FALSE)
USE_MASQ="TRUE"
# If you have a static internet IP, put it here and set "USE_MASQ" above
# to FALSE
USE_SNAT=""
# TCP ports to forward to internal hosts (format: SPORT:DPORT>IP)
TCP_FW=""
# UDP port forwards (will pick reverse masquerading if you use
# masquerading or snat), form is "SPORT:DPORT>IP"
UDP_FW=""
#Declaration of system variables
IPT=${IPTABLES}
IF=${INET_IFACE}
INIF=${LAN_IFACE}
IP=`/sbin/ifconfig $IF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
MASK=`/sbin/ifconfig $IF | grep Mas | cut -d : -f 4`
NET=$IP/$MASK
STOP=${DROP}
# ----------------------------------------------------------------------|
# Do not modify configuration below here |
# ----------------------------------------------------------------------|
FILTER_CHAINS="INETIN INETOUT LDROP LREJECT TCPACCEPT UDPACCEPT LACCEPT"
# ----------------------------------------------------------------------|
# You shouldn't need to modify anything below here |
# ----------------------------------------------------------------------|
# Let's load it!
echo "Loading iptables firewall:"
# Configuration Sanity Checks
echo -n "Checking configuration..."
if [ "$USE_MASQ" = "TRUE" ] && ! [ "$USE_SNAT" = "" ] ; then
echo
echo "ERROR IN CONFIGURATION: Masquerading and Static NAT cannot both be used!"
exit 1
fi
if [ "$INET_IFACE" = "$LAN_IFACE" ] ; then
if [ "$USE_MASQ" = "TRUE" ] || [ "$USE_SNAT" != "" ] ; then
# This can't happen because the whole point of my masquerading code is that we don't need to know the IP.
# While we know the IP with SNAT, I'm too lazy to change my code other than to use SNAT :)
echo
echo "ERROR IN CONFIGURATION: INET interface and LAN interface cannot be the same when using masquerading or SNAT!"
exit 1
fi
fi
if ! [ -x $IPTABLES ] ; then
echo
echo "ERROR IN CONFIGURATION: IPTABLES doesn't exist or isn't executable!"
exit 1
fi
echo "passed"
# Turn on IP forwarding (your kernel still needs it)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "IP Forwarding enabled..."
# Enable TCP Syncookies (always a 'good thing') (thanks steff)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "IP SynCookies enabled..."
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 32768 > /proc/sys/net/ipv4/ip_conntrack_max
echo 1800 >/proc/sys/net/ipv4/tcp_keepalive_time
echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1 > /proc/sys/net/ipv4/tcp_syn_retries
echo 1 > /proc/sys/net/ipv4/tcp_synack_retries
echo 0 >/proc/sys/net/ipv4/tcp_window_scaling
echo 0 >/proc/sys/net/ipv4/tcp_sack
echo 0 >/proc/sys/net/ipv4/tcp_timestamps
# Flush everything
# If you need compatability, you can comment some or all of these out,
# but remember, if you re-run it, it'll just add the new rules in, it
# won't remove the old ones for you then, this is how it removes them.
echo -n "Flush all rules.."
#${IPTABLES} -t filter -FZ
${IPTABLES} -F
${IPTABLES} -X
#${IPTABLES} -L -n
echo -n "and delete all chains.."
${IPTABLES} -t filter -X
${IPTABLES} -t filter -F INPUT
#echo -n "INPUT "
${IPTABLES} -t filter -F OUTPUT
#echo -n "OUTPUT1 "
${IPTABLES} -t filter -F FORWARD
#echo -n "FORWARD "
${IPTABLES} -t nat -F PREROUTING
#echo -n "PREROUTING1 "
${IPTABLES} -t nat -F OUTPUT
#echo -n "OUTPUT2 "
${IPTABLES} -t nat -F POSTROUTING
#echo -n "POSTROUTING "
${IPTABLES} -t mangle -F PREROUTING
#echo -n "PREROUTING2 "
${IPTABLES} -t mangle -F OUTPUT
#echo -n "OUTPUT3"
echo
# Create new chains
# Output to /dev/null in case they don't exist from a previous invocation
echo -n "Creating chains: "
for chain in ${FILTER_CHAINS} ; do
${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1
${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1
${IPTABLES} -t filter -N ${chain}
echo -n "${chain} "
done
echo
# Default Policies
# INPUT is still ACCEPT, the INETIN chain (defined above and jumped to later)
# is given a policy of DROP at the end
# Policy can't be reject becuase of kernel limitations
echo -n "Default Policies: "
${IPTABLES} -t filter -P INPUT ACCEPT
echo -n "INPUT:ACCEPT "
${IPTABLES} -t filter -P OUTPUT ACCEPT
echo -n "OUTPUT:ACCEPT "
${IPTABLES} -t filter -P FORWARD DROP
echo -n "FORWARD:DROP "
#${IPTABLES}-A OUTPUT -m state -p icmp --state INVALID -j DROP
#echo -n "Security Patch (bugtraq issued on may 9,2002)"
echo
# Local traffic to internet or crossing subnets
# This should cover what we need if we don't use masquerading
# Unfortunately, MAC address matching isn't bidirectional (for
# obvious reasons), so IP based matching is done here
echo -n "Local Traffic Rules: "
for subnet in ${INTERNAL_LAN} ; do
${IPTABLES} -t filter -A FORWARD -s ${subnet} -j ACCEPT
${IPTABLES} -t filter -A FORWARD -d ${subnet} -j ACCEPT
echo -n "${subnet}:ACCEPT "
done
echo
# Hopefully this just blocks out private address from the external device.
echo -n "Blocking private addresses: "
#${IPTABLES} -t filter -A INPUT -i $INET_IFACE -s 192.168.16.0/16 -j DROP
${IPTABLES} -t filter -A INPUT -i $INET_IFACE -d 255.255.255.255 -j DROP
${IPTABLES} -t filter -A INPUT -i $INET_IFACE -s 10.0.0.0/8 -j DROP
${IPTABLES} -t filter -A INPUT -i $INET_IFACE -s 127.0.0.1 -j LDROP
echo -n "Done"
echo ""
# Set up basic NAT if the user wants it
if [ $USE_MASQ = TRUE ] ; then
echo -n "Setting up NAT: "
if [ "$MAC_LAN" = "" ] ; then
for subnet in ${INTERNAL_LAN} ; do
${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE
echo -n "${subnet}:MASQUERADE "
done
else
for address in ${MAC_LAN} ; do
${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j MASQUERADE
echo -n "${address}:MASQUERADE "
done
fi
echo
elif [ "$USE_SNAT" != "" ] ; then #Static IP Defined
#(I've heard this loop doesn't work, someone look at it since I can't test it on my dialup)
echo -n "Setting up NAT: "
if [ "$MAC_LAN" = "" ] ; then
for subnet in ${INTERNAL_LAN} ; do
${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j SNAT --to-source ${USE_SNAT}
echo -n "${subnet}:SNAT "
done
else
for address in ${MAC_LAN} ; do
${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j SNAT --to-source ${USE_SNAT}
echo -n "${address}:SNAT "
done
fi
echo
fi
#TCP Port-Forwards
if [ "$TCP_FW" != "" ] ; then
# echo -n "TCP Port Forwards: "
if [ "$USE_SNAT" != "" ] || [ $USE_MASQ = TRUE ] ; then
for rule in ${TCP_FW} ; do
ports=`echo $rule | sed 's/>.*//g'`
srcport=`echo $ports | sed 's/:.*//g'`
destport=`echo $ports | sed 's/.*://g'`
host=`echo $rule | sed 's/.*>//g'`
${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to ${host}:${destport}
# echo -n "${rule} "
done
else
for rule in ${TCP_FW} ; do
ports=`echo $rule | sed 's/>.*//g'`
srcport=`echo $ports | sed 's/:.*//g'`
destport=`echo $ports | sed 's/.*://g'`
host=`echo $rule | sed 's/.*>//g'`
${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p tcp --dport ${srcport} -j REDIRECT --to ${host}:${destport}
# echo -n "${rule} "
done
fi
# echo
fi
#UDP Port Forwards
if [ "$UDP_FW" != "" ] ; then
echo -n "UDP Port Forwards: "
if [ "$USE_SNAT" != "" ] || [ $USE_MASQ = TRUE ] ; then
for rule in ${UDP_FW} ; do
ports=`echo $rule | sed 's/>.*//g'`
srcport=`echo $ports | sed 's/:.*//g'`
destport=`echo $ports | sed 's/.*://g'`
host=`echo $rule | sed 's/.*>//g'`
${IPTABLES} -t nat -A PREROUTING -p udp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to ${host}:${destport}
echo -n "${rule} "
done
else
for rule in ${UDP_FW} ; do
ports=`echo $rule | sed 's/>.*//g'`
srcport=`echo $ports | sed 's/:.*//g'`
destport=`echo $ports | sed 's/.*://g'`
host=`echo $rule | sed 's/.*>//g'`
${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p udp --dport ${srcport} -j REDIRECT --to ${host}:${destport}
echo -n "${rule} "
done
fi
echo
fi
# ===============================================
# -------Chain setup before jumping to them------
# ===============================================
#Deny all traffic from these machines
# insert a file here
# Set up INET chains
echo -n "Setting up INET chains: "
${IPTABLES} -t filter -A INPUT -i ${INET_IFACE} -j INETIN
echo -n "INETIN "
${IPTABLES} -t filter -A OUTPUT -o ${INET_IFACE} -j INETOUT
echo -n "INETOUT "
echo
#These logging chains are valid to specify in DROP= above
#Set up LDROP
echo -n "Setting up logging chains: "
${IPTABLES} -t filter -A LDROP -p tcp -m limit --limit 2/s -j LOG --log-level 6 --log-prefix "Firewall TCP Dropped "
${IPTABLES} -t filter -A LDROP -p udp -m limit --limit 2/s -j LOG --log-level 6 --log-prefix "Firewall UDP Dropped "
${IPTABLES} -t filter -A LDROP -p icmp -m limit --limit 2/s -j DROP #LOG --log-level 6 --log-prefix "Firewall ICMP Dropped "
${IPTABLES} -t filter -A LDROP -f -m limit --limit 2/s -j LOG --log-level 4 --log-prefix "Firewall FRAGMENT Dropped "
${IPTABLES} -t filter -A LDROP -j DROP
echo -n "LDROP "
#And LREJECT too
${IPTABLES} -t filter -A LREJECT -p tcp -m limit --limit 2/s -j LOG --log-level 6 --log-prefix "Firewall TCP Rejected "
${IPTABLES} -t filter -A LREJECT -p udp -m limit --limit 2/s -j LOG --log-level 6 --log-prefix "Firewall UDP Rejected "
${IPTABLES} -t filter -A LREJECT -p icmp -m limit --limit 2/s -j DROP #LOG --log-level 6 --log-prefix "Firewall ICMP Dropped "
${IPTABLES} -t filter -A LREJECT -f -m limit --limit 2/s -j LOG --log-level 4 --log-prefix "Firewall FRAGMENT Rejected "
${IPTABLES} -t filter -A LREJECT -j REJECT
echo -n "LREJECT "
# And LACCEPT
${IPTABLES} -t filter -A LACCEPT -p tcp -j LOG --log-level 6 --log-prefix "Firewall TCP Accepted "
${IPTABLES} -t filter -A LACCEPT -p udp -j LOG --log-level 6 --log-prefix "Firewall UDP Accepted "
${IPTABLES} -t filter -A LACCEPT -p icmp -j LOG --log-level 6 --log-prefix "Firewall ICMP Accepted "
${IPTABLES} -t filter -A LACCEPT -f -j LOG --log-level 4 --log-prefix "Firewall FRAGMENT Accepted "
${IPTABLES} -t filter -A LACCEPT -j ACCEPT
echo -n "LACCEPT "
#newline
echo
# Set up the per-proto ACCEPT chains
echo -n "Setting up per-proto ACCEPT: "
# TCPACCEPT
# SYN Flood Protection
${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 30/s -j ACCEPT
${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 2/s -j ACCEPT
${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -j ACCEPT
${IPTABLES} -t filter -A TCPACCEPT -p tcp ! --syn -j ACCEPT
# Log anything that hasn't matched yet and ${DROP} it since we don't know what it is
${IPTABLES} -t filter -A TCPACCEPT -m limit --limit 2/s -j LOG --log-prefix "Mismatch in TCPACCEPT "
${IPTABLES} -t filter -A TCPACCEPT -j ${DROP}
echo -n "TCPACCEPT "
#UDPACCEPT
${IPTABLES} -t filter -A UDPACCEPT -p udp -j ACCEPT
# Log anything not on UDP (it shouldn't be here), and ${DROP} it since it's not supposed to be here
${IPTABLES} -t filter -A UDPACCEPT -m limit --limit 2/s -j LOG --log-prefix "Mismatch on UDPACCEPT "
${IPTABLES} -t filter -A UDPACCEPT -j ${DROP}
echo -n "UDPACCEPT "
#Done
echo
## Special Chain MANGLE_OUTPUT
## Mangle values of packets created locally. Only TOS values are mangled right
## now.
## TOS stuff: (type: iptables -m tos -h)
## Minimize-Delay 16 (0x10)
## Maximize-Throughput 8 (0x08)
## Maximize-Reliability 4 (0x04)
## Minimize-Cost 2 (0x02)
## Normal-Service 0 (0x00)
# $IPTABLES -t mangle -N MANGLE_OUTPUT
# $IPTABLES -t mangle -F MANGLE_OUTPUT
# $IPTABLES -t mangle -N MANGLE_PREROUTING
# $IPTABLES -t mangle -F MANGLE_PREROUTING
##------------------------------------------------------------------------------##
## - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
## - To view mangle table, type: iptables -L -t mangle
# $IPTABLES -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Minimize-Cost
# $IPTABLES -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
# $IPTABLES -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
# $IPTABLES -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
# $IPTABLES -t mangle -A OUTPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
# $IPTABLES -t mangle -A OUTPUT -p tcp --dport 53 -j TOS --set-tos Minimize-Cost
# $IPTABLES -t mangle -A OUTPUT -p udp --dport 53 -j TOS --set-tos Minimize-Cost
# $IPTABLES -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
##------------------------------------------------------------------------------##
##-------------------------------------------------------------------------------##
## - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
## - To view mangle table, type: iptables -L -t mangle
# $IPTABLES -t mangle -A PREROUTING -p tcp --dport 20 -j TOS --set-tos Minimize-Cost
# $IPTABLES -t mangle -A PREROUTING -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
# $IPTABLES -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
# $IPTABLES -t mangle -A PREROUTING -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
# $IPTABLES -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
# $IPTABLES -t mangle -A PREROUTING -p tcp --dport 53 -j TOS --set-tos Minimize-Cost
# $IPTABLES -t mangle -A PREROUTING -p udp --dport 53 -j TOS --set-tos Minimize-Cost
# $IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
##-------------------------------------------------------------------------------##
# -------------------------------------------------
# =================================================
# -------------------------------------------------
#Explicit denies
if [ "$DENY_ALL" != "" ] ; then
echo -n "Denying hosts: "
for host in ${DENY_ALL} ; do
${IPTABLES} -t filter -A INETIN -s ${host} -j DROP #${DROP}
echo -n "${host} " #:${DROP}"
done
echo
fi
if [ "$DENY_HOSTWISE_TCP" != "" ] ; then
echo -n "Hostwise TCP Denies: "
for rule in ${DENY_HOSTWISE_TCP} ; do
host=`echo $rule | sed 's/:.*//g'`
port=`echo $rule | sed 's/.*://g'`
${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport ${port} -j ${DROP}
echo -n "${rule} "
done
echo
fi
if [ "$DENY_HOSTWISE_UDP" != "" ] ; then
echo -n "Hostwise UDP Denies: "
for rule in ${DENY_HOSTWISE_UDP} ; do
host=`echo $rule | sed 's/:.*//g'`
port=`echo $rule | sed 's/.*://g'`
${IPTABLES} -t filter -A INETIN -p udp -s ${host} --dport ${port} -j ${DROP}
echo -n "${rule} "
done
echo
fi
#Invalid packets are always annoying
echo -n "${DROP}ing invalid packets..."
${IPTABLES} -t filter -A INETIN -m state --state INVALID -j ${DROP}
echo "done"
# ================================================================
# ------------Allow stuff we have chosen to allow in--------------
# ================================================================
#Start allowing stuff
# Flood "security"
# You'll still respond to these if they comply with the limits
# Default limits are 1/sec for ICMP pings
# SYN Flood is on a per-port basis because it's a security hole to put it here!
# This is just a packet limit, you still get the packets on the interface and
# still may experience lag if the flood is heavy enough
if [ "$ICMP_ALLOW" != "" ] ; then
echo -n "ICMP Input Allow: "
for port in ${ICMP_ALLOW} ; do
${IPTABLES} -t filter -A INETIN -p icmp -s ${port} --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
echo -n "${port} "
done
echo
fi
echo -n "Flood limiting: "
# Ping Floods (ICMP echo-request)
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit 1/s -j DROP #ACCEPT
echo -n "ICMP-PING "
echo
echo -n "Blocking timestamp requests: "
# Ping Floods (ICMP echo-request)
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type timestamp-request -m limit --limit 1/s -j DROP
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type timestamp-reply -m limit --limit 1/s -j DROP
echo -n "ICMP-Timestamp "
echo
echo -n "Allowing the rest of the ICMP messages in..."
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type ! echo-request -j ACCEPT #DROP # DROP here blocks return pings, blah! Fix this.
echo "done"
if [ "$TCP_ALLOW" != "" ] ; then
echo -n "TCP Input Allow: "
for port in ${TCP_ALLOW} ; do
if [ "0$port" = "021" ]; then
${IPTABLES} -t filter -A INETIN -p tcp --sport 20 --dport 1024:65535 ! --syn -j TCPACCEPT
fi
${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j TCPACCEPT
echo -n "${port} "
done
echo
fi
if [ "$TCP_ALLOW_LOG" != "" ] ; then
echo -n "TCP Input Allow (Logged): "
for port in ${TCP_ALLOW_LOG} ; do
${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j LACCEPT
echo -n "${port} "
done
echo
fi
if [ "$NAPSTER_PORTS" != "" ] ; then
echo -n "Allowed Napster Ports: "
for port in ${NAPSTER_PORTS} ; do
${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j TCPACCEPT
echo -n "${port} "
done
echo
fi
if [ "$NAPSTER_SERVER_PORTS" != "" ] ; then
echo -n "Allowed Napster Server Ports: "
for port in ${NAPSTER_SERVER_PORTS} ; do
${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j TCPACCEPT
echo -n "${port} "
done
echo
fi
#SSH Rulesets
if [ $USE_SSH1 = TRUE ] || [ $USE_OPENSSH = TRUE ]; then
echo -n "Accounting for SSH..."
if [ $USE_SSH1 = TRUE ]; then #SSH1
${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 513:1023 ! --syn -j ACCEPT #TCPACCEPT
echo -n "SSH1 "
fi
if [ $USE_OPENSSH = TRUE ] ; then #OpenSSH
${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 1024:65535 ! --syn -j ACCEPT #TCPACCEPT
echo -n "OpenSSH "
fi
echo
fi
#Hostwise allows
if [ "$ALLOW_HOSTWISE_TCP" != "" ] ; then
echo -n "Hostwise TCP Allows: "
for rule in ${ALLOW_HOSTWISE_TCP} ; do
host=`echo $rule | sed 's/:.*//g'`
port=`echo $rule | sed 's/.*://g'`
${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport ${port} -j ACCEPT
echo -n "${rule} "
done
echo
fi
#Hostwise source allows
if [ "$ALLOW_HOSTWISE_SOURCE_TCP" != "" ] ; then
echo -n "Hostwise TCP Source Allows: "
for rule in ${ALLOW_HOSTWISE_SOURCE_TCP} ; do
host=`echo $rule | sed 's/:.*//g'`
port=`echo $rule | sed 's/.*://g'`
${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --sport ${port} -j ACCEPT
echo -n "${rule} "
done
echo
fi
if [ "$TCP_DROP" != "" ] ; then
echo -n "TCP Input Silent Drops: "
for port in ${TCP_DROP} ; do
${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j DROP
echo -n "${port} "
done
echo
fi
if [ "$TCP_SOURCE_DROP" != "" ] ; then
echo -n "TCP Source Port Silent Drops: "
for port in ${TCP_SOURCE_DROP} ; do
${IPTABLES} -t filter -A INETIN -p tcp --sport ${port} -j DROP
echo -n "${port} "
done
echo
fi
if [ "$UDP_ALLOW" != "" ] ; then
echo -n "UDP Input Allow: "
for port in ${UDP_ALLOW} ; do
# if [ "0$port" = "053" ]; then
# ${IPTABLES} -t filter -A INETIN -p udp --sport 53 --dport 1024:65535 -j LACCEPT
# fi
${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j ACCEPT #UDPACCEPT
echo -n "${port} "
done
echo
fi
if [ "$UDP_ALLOW_LOG" != "" ] ; then
echo -n "UDP Input Allow (Logged): "
for port in ${UDP_ALLOW_LOG} ; do
# if [ "0$port" = "053" ]; then
# ${IPTABLES} -t filter -A INETIN -p udp --sport 53 --dport 1024:65535 -j LACCEPT
# fi
${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j LACCEPT
echo -n "${port} "
done
echo
fi
if [ "$ALLOW_HOSTWISE_UDP" != "" ] ; then
echo -n "Hostwise UDP Allows: "
for rule in ${ALLOW_HOSTWISE_UDP} ; do
host=`echo $rule | sed 's/:.*//g'`
port=`echo $rule | sed 's/.*://g'`
${IPTABLES} -t filter -A INETIN -p udp -s ${host} --dport ${port} -j ACCEPT
echo -n "${rule} "
done
echo
fi
${IPTABLES} -t filter -A INETIN -p udp -s 208.235.88.101 -d 0/0 -j ACCEPT
${IPTABLES} -t filter -A INETIN -p udp -s 208.235.88.10 -d 0/0 -j ACCEPT
if [ "$UDP_DROP" != "" ] ; then
echo -n "UDP Input Silent Drops: "
for port in ${UDP_DROP} ; do
${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j DROP
echo -n "${port} "
done
echo
fi
#Allow port 8889 back into high ports, for nestats
${IPTABLES} -t filter -A INETIN -p tcp --sport 8889 --dport 30000:60000 -j TCPACCEPT
echo -n "Allowing established outbound connections back in..."
${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "done"
#What to do on those INET chains when we hit the end
echo -n "Setting up INET policies: "
#Drop if we cant find a valid inbound rule.
${IPTABLES} -t filter -A INETIN -j ${DROP}
echo -n "INETIN:${DROP} "
#We can send what we want to the internet
${IPTABLES} -t filter -A INETOUT -j ACCEPT
echo -n "INETOUT:ACCEPT "
echo
#All done!
echo "Done loading the firewall!"
#fwlogwatch -BRXa 15 -l 2d
******************************************
On Saturday 09 October 2004 09:49 am, John J. Boyer wrote:
> Thanks to all who helped with the ssh problem. There were two gotchas.
> Iptables was blocking all connections, and password authentication was
> turned off. Now I want to use the target machine to receive mail and for
> backup. When I boot the target machine, iptables is on and I have to log
> in as root to turn it off. How can I set iptables to be off at boot time?
> Or, better, to accept ssh and scp only from the source machine?
>
> Two user accounts receive mail continuously. I would like to have them
> automatically logged on at boot time. Is this possible? How?
>
> Thanks,
> John
More information about the Blinux-list
mailing list