[CS-FSLUG] Firewall fights

Stephen J. McCracken smccracken at hcjb.org.ec
Wed Jan 25 00:21:33 CST 2006


Here's a quick stab at things for now.  I assume you just have one
network card in this box (it's not acting like a router or gateway, is
it?).

> --------------- firewall ---------------
> #!/bin/sh
> #
> # generated by ./quicktables-2.3 on 2006.01.24.16
> #
> 
> # set a few variables
> echo ""
> echo "  setting global variables"
> echo ""
> export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
> iptables="/sbin/iptables"
> 
> # adjust /proc
> echo "  applying general security settings to /proc filesystem"
> echo ""
> if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
> if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
> 
> # flush any existing chains and set default policies
> $iptables -F INPUT
> $iptables -F OUTPUT
> $iptables -P INPUT DROP
> $iptables -P OUTPUT ACCEPT

Looks good, so far, though some also lock down the OUTPUT table, but you
already say that it's too tight, so leave it for now.  From this I
would also assume you are not doing NAT (using the nat or mangle tables)
or you might want to flush them too.
> 
> # allow all packets on the loopback interface
> $iptables -A INPUT -i lo -j ACCEPT
> $iptables -A OUTPUT -o lo -j ACCEPT
> 
> # allow established and related packets back in
> $iptables -A INPUT -i lan0 -m state --state ESTABLISHED,RELATED -j ACCEPT

If you only have one interface, I would probably just drop the -i stuff.
> 
> # blocked hosts
> echo "  dropping all packets from blocked hosts"
> echo ""
> $iptables -I INPUT -s no -j DROP

This is where things get a little confusing.  First the -A is used for
appending rules in a top down order, then a -I to insert it at the top.
It would probably be easier to understand if you only used -A or -I,
but it can be useful if you know where things are being placed (at the
end or beginning).

Also the -s requires a source spec.  So, I hope "no" is defined by DNS
(not really a good idea) or a host file or somewhere.  It might be
better to use IP addresses.  Understand also, that this "DROP" rule is
inserted at the top, so anything matching source "no" is blocked even
before getting to the "allow established or related packets back in rule".
> 
> # icmp
> echo "  applying icmp rules"
> echo ""
> $iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
> $iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

This is already covered in your more general "established/related" rule
above.  You may want to modify the OUTPUT rule to allow
ESTABLISHED,RELATED packets out (though the replies to the requests
allowed just below should be allowed through your default OUTPUT chain
policy of ACCEPT).

> $iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i lan0 -j ACCEPT

You may also want to allow time-exceeded and destination-unreachable
types, depending on your
> 
> # apply icmp type match blocking
> echo "  applying icmp type match blocking"
> echo ""
> $iptables -I INPUT -p icmp --icmp-type redirect -j DROP
> $iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
> $iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
> $iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
> $iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP

Not really needed with a default DROP policy on the INPUT chain, except
to DROP them early (-I inserts them at the top) rather than at the end.
> 
> # open ports to the firewall
> echo "  applying the open port(s) to the firewall rules"
> echo ""
> $iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> 
> 
> # drop all other packets
> echo "  applying default drop policies"
> echo ""
> $iptables -A INPUT -i lan0 -p tcp --dport 0:65535 -j DROP
> $iptables -A INPUT -i lan0 -p udp --dport 0:65535 -j DROP

Once again, not needed with the default DROP policy on the INPUT chain.
> 
> echo "### quicktables is loaded ###"
> echo ""
> --------------- end ---------------
> 

I would probably explicitly add in rules to allow DNS and DHCP (if you
use it) rather than relying on the default OUTPUT ACCEPT policy.

Two things I would think about, would be to comment out the rule
blocking "-s no" hosts.  That could cause problems as stated above.  I
would also think about using the rules from the CentOS or BSD box, if
they work.

It would also help to know a little more how the box is used and where
it is (on a LAN behind a gateway or exposed to the Internet) to know
better what you might need.

sjm
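The quoted quicktables script reworked along the lines of the review above, as an added example that is not part of the original post or of quicktables: only -A is used so rule order equals reading order, blocked hosts are given as IP addresses (the 192.0.2.x/198.51.100.x values are constructed documentation-range samples), the -i lan0 matches are dropped for a single-NIC box, the ICMP error types are allowed explicitly, DNS and DHCP get their own rules, and the redundant trailing DROP rules are gone. Setting IPTABLES=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Single-NIC host firewall (example rewrite, not quicktables output).
# Preview without touching the kernel:  IPTABLES=echo sh -c '. ./fw.sh; load_rules'
# Apply for real, as root:              sh -c '. ./fw.sh; load_rules'
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Hosts to drop outright: IP addresses or CIDR blocks (constructed samples),
# never names that would need a DNS lookup at rule-load time.
BLOCKED_HOSTS="${BLOCKED_HOSTS:-192.0.2.10 198.51.100.0/24}"

load_rules() {
    # Flush the filter chains only; nat/mangle are untouched because this
    # box does no NAT.  INPUT is default-deny, OUTPUT stays open for now.
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback is unrestricted.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Blocked hosts come before the stateful rule on purpose: even an
    # already-established flow from them is cut.  Appending them here gives
    # the same effect the original got from -I, without mixing -A and -I.
    for h in $BLOCKED_HOSTS; do
        $IPTABLES -A INPUT -s "$h" -j DROP
    done

    # Replies to connections this host opened; no -i since there is one NIC.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMP: rate-limited pings, plus the error types a client relies on
    # (path MTU discovery, traceroute).  Cheap to allow explicitly.
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

    # Services this host offers.
    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

    # DHCP offers are often broadcast and may not match the conntrack entry,
    # so allow server->client traffic explicitly (only needed if DHCP is used).
    $IPTABLES -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT

    # Explicit outbound DNS and DHCP, so tightening OUTPUT later keeps them working.
    $IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
    $IPTABLES -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
    # No trailing catch-all DROP rules: the INPUT policy already drops the rest.
}
```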