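# /etc/init.d/max_iptables -- 02-05-25
# based on the script presented in Linux User 05/2002
#
# Home: http://homex.subnet.at/~max/
#
# eth0:  local network
# ippp0: ISDN based internet access
#
# Remember: outgoing traffic is filtered too...
#
# iptables-HOWTO:
# http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-7.html

PATH=/usr/sbin:/sbin:/usr/bin:/bin
export PATH

IPT=/sbin/iptables

# Refuse to run at all rather than leave the box with a half-built ruleset.
/usr/bin/test -x "$IPT" || exit 1

/bin/echo Setting up IPTABLES...

##### DNS ##################################################################

# NameServers - print the nameserver addresses from /etc/resolv.conf, one
# per line.  The INPUT chain below turns every address printed here into an
# ACCEPT rule, so the output must contain nothing but addresses.
#
# Only lines whose first word is "nameserver" are used, and only their
# second field.  The previous "grep -i nameserver" also matched comment
# lines and "search"/"domain" lines that merely contain the word, and its
# "shift 2" pairing went out of step on a line with a trailing comment;
# a stray token such as "mynameserver.local" then ended up as "-s ..." for
# iptables, which tries to resolve it while the INPUT policy is already DROP.
# Each address must be a dotted IPv4 quad; anything else is skipped, since
# resolv.conf is rewritten by pppd/dhcp and is therefore untrusted input.
#
# Arguments: none (reads /etc/resolv.conf; prints nothing if unreadable)
# Outputs:   one IPv4 address per line on stdout
# Returns:   0
NameServers () {
  if [ -r /etc/resolv.conf ]; then
    awk '$1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }' \
      /etc/resolv.conf
  fi
  return 0
}

# Alternatively, you can select trustworthy nameservers statically
# (! remember to change the actual iptables rule later in the script
# if you set the servers here statically !)
#nslist="$nslist 145.253.2.11 145.253.2.75"     # arcor
#nslist="$nslist 195.212.44.225"                # callino
#nslist="$nslist 195.222.195.222 195.222.195.223" # callpop
#nslist="$nslist 212.82.225.7 212.82.225.12"    # claranet
#nslist="$nslist 193.227.195.130"               # drillisch
#nslist="$nslist 192.76.144.66"                 # knuut
#nslist="$nslist 212.125.36.1 212.125.37.1"     # ln
#nslist="$nslist 129.187.10.25 129.187.16.1"    # lrz
#nslist="$nslist 213.21.51.250 213.21.0.218"    # LRZ again, also MDS
#nslist="$nslist 194.231.255.1 194.231.164.4"   # mirado RO
#nslist="$nslist 194.77.97.10 194.77.97.12"     # mirado SB
#nslist="$nslist 62.104.196.134"                # mobilcom
#nslist="$nslist 193.159.187.130"               # ngi
#nslist="$nslist 194.25.2.129 212.185.252.201"  # ngi AUTO
#nslist="$nslist 195.71.233.3 193.189.224.4"    # ngi neu AUTO
#nslist="$nslist 212.122.128.10 212.122.129.10" # nikoma
#nslist="$nslist 195.50.149.33 195.50.140.6"    # otelo
#nslist="$nslist 195.252.128.53"                # talkline
#nslist="$nslist 195.182.96.28 195.182.96.126"  # viag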
#nslist="$nslist 195.226.96.131 195.226.96.132" # yello #nslist="$nslist 172.16.45.13" # nathan.not-for-mail ##### Kernel-Tuning ########################################################### # we don't want packets with source-routing set (the sender decided which route the packet should go) # we don't allow somebody else to change our routing table # (we don't try to change somebody else's one) # ignore ping's to all machines at once via sending request to broadcast address # activate syncookie safety mechanism (must be activated in kernel at compile-time, section "net"). # activate general ip-packet forwarding for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_redirects}; do echo 0 >$i done echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo 1 >/proc/sys/net/ipv4/tcp_syncookies echo 1 >/proc/sys/net/ipv4/ip_forward ##### POLICIES ################################################################ # flush (delete) all currently existing rules $IPT -F # set the policy to DROP everything which does not match a rule $IPT -P INPUT DROP $IPT -P FORWARD DROP $IPT -P OUTPUT DROP ##### INPUT-Chain ############################################################# # # FOR TESTING ONLY: allow nameserver-answers from everywhere # $IPT -A INPUT -p udp --sport 53 -j ACCEPT # # FOR TESTING ONLY: allow _everything_ incoming! # $IPT -A INPUT -j ACCEPT # # FOR TESTING ONLY: log all packets # $IPT -A INPUT -j LOG # allow everything from loopback device $IPT -A INPUT -i lo -j ACCEPT # allow everything from local network (in my case eth0) $IPT -A INPUT -i eth0 -j ACCEPT # if -m state is to be used: allow recognized connections # (using this, the "accept non-SYN-packets on ports >1023" are NOT needed # anymore for normal networking traffic such as mail, web and everything else) $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT ## DNS: # three versions for DNS: # # (1) DNS-packets from just one nameserver (you have to define $nameserver above!) 
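#$IPT -A INPUT -p tcp -s $nameserver --sport domain -j ACCEPT
#$IPT -A INPUT -p udp -s $nameserver --sport domain -j ACCEPT
#
# (2) DNS packets from the servers found in /etc/resolv.conf.
# With the "-m state ESTABLISHED,RELATED" rule above, answers to our own
# queries are accepted anyway, so these rules only matter when the state
# rule is removed.  They are restricted to unprivileged destination ports:
# a rule accepting "any UDP from <resolver> with source port 53" lets anyone
# who spoofs that address/port reach every local UDP service.  (A local
# caching nameserver that queries from port 53 itself is covered by the
# state rule, or by version (3) below.)
for i in `NameServers`; do
  # TCP (for big answers): only for connections we opened, never a SYN
  $IPT -A INPUT -p tcp -s "$i" --sport domain --dport 1024: ! --syn -j ACCEPT
  $IPT -A INPUT -p udp -s "$i" --sport domain --dport 1024: -j ACCEPT
done
#
# (3) UDP DNS packets from everywhere to our DNS cache (listening on 7531).
# We don't need a TCP rule, as BIND uses an unprivileged port for TCP queries.
#$IPT -A INPUT -p udp --sport domain --dport 7531 -j ACCEPT

# The following "lock" rules exist for logging purposes: the chain ends in
# LOG+DROP for everything anyway.  Every LOG target is rate limited so that
# a port scan or a flood cannot fill the disk with syslog entries.

# lock X11 (5999:6020) and the X font server (7100)
$IPT -A INPUT -p tcp --dport 5999:6020 --syn -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPT x11: "
$IPT -A INPUT -p tcp --dport 5999:6020 --syn -j DROP
$IPT -A INPUT -p tcp --dport 7100 --syn -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPT xfs: "
$IPT -A INPUT -p tcp --dport 7100 --syn -j DROP

# lock NFS and SOCKS
$IPT -A INPUT -p tcp -m multiport --dport 1080,2049 --syn -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPT nfs/socks: "
$IPT -A INPUT -p tcp -m multiport --dport 1080,2049 --syn -j DROP
$IPT -A INPUT -p udp -m multiport --dport 2049,4045 -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPT nfs: "
$IPT -A INPUT -p udp -m multiport --dport 2049,4045 -j DROP

# lock MS-SQL (1433)
$IPT -A INPUT -p tcp --dport 1433 -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPT mssql: "
$IPT -A INPUT -p tcp --dport 1433 -j DROP

# lock Back Orifice (31337).  Note: the original Back Orifice listened on
# UDP 31337; this rule only covers TCP.  UDP probes still end in the final
# LOG+DROP of this chain, just with the generic log prefix.
$IPT -A INPUT -p tcp --dport 31337 -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPT bo: "
$IPT -A INPUT -p tcp --dport 31337 -j DROP

# allow local client programs to use ACTIVE FTP
# (this is already possible when using "-m state"!)
#$IPT -A INPUT -p tcp --sport 20 -j ACCEPT

# allow local ICQ clients
#icqservers="205.188.153.97 205.188.153.98 205.188.153.99 205.188.153.100 205.188.153.101 205.188.153.102 205.188.153.103 205.188.153.104 205.188.153.105 205.188.153.106 205.188.153.107 205.188.153.108 205.188.153.109 205.188.153.110 205.188.153.111 205.188.153.112 205.188.153.113 205.188.153.114 205.188.153.115 205.188.153.116"
#for icqserver in $icqservers; do
#  $IPT -A INPUT -p udp -s $icqserver --sport 4000 --dport 1024: -j ACCEPT
#done

# enable direct connections (messages, file transfers, ...)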
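confdirectportrange="40000:40020"
# These ports are reachable from the internet (eth0 traffic was accepted
# wholesale above, so in practice this applies to ippp0).  Make sure only
# the ICQ client listens there.
$IPT -A INPUT -p tcp --dport $confdirectportrange -j ACCEPT
$IPT -A INPUT -p udp --dport $confdirectportrange -j ACCEPT

# (WARNING!) allow DCC data transfers within IRC
#$IPT -A INPUT -p tcp --dport 1024: -j ACCEPT

# allow already set up connections to non-privileged ports
# this is not needed if we use "-m state" above!
#$IPT -A INPUT -p tcp --dport 1024: ! --syn -j ACCEPT

# single server ports are allowed too:
#$IPT -A INPUT -p tcp --dport 21 -j ACCEPT                      # ftp
#$IPT -A INPUT -p tcp --dport 1024: -j ACCEPT                   # (WARNING!) being server for PASSIVE-FTP
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT                        # ssh - reachable from the whole internet
#$IPT -A INPUT -p tcp --dport 25 -j ACCEPT                      # smtp
#$IPT -A INPUT -p tcp --dport 80 -j ACCEPT                      # www (http)
#$IPT -A INPUT -p udp -s 172.16.45.0/24 --dport 514 -j ACCEPT   # syslog from LAN
#$IPT -A INPUT -p udp --dport 6970 -j ACCEPT                    # RealPlayer / nautilus
#$IPT -A INPUT -p tcp --dport 6346 -j ACCEPT                    # Gnutella

# auth queries are rejected (with a message to the sender).
# This makes logins much faster to servers which do an ident lookup
# (most IRC servers, for example) - a silent DROP would make them wait
# for a timeout.
$IPT -A INPUT -p tcp --dport auth -j REJECT --reject-with tcp-reset

# lock fragmented ICMP packets.  "--fragment" matches second and further
# fragments only; with ip_conntrack loaded (it is, because of -m state)
# packets are presumably reassembled before they reach this chain, so this
# rule mainly documents intent.  Logging is rate limited like all other
# LOG rules in this script.
$IPT -A INPUT -p icmp --fragment -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPT icmpfrag: "
$IPT -A INPUT -p icmp --fragment -j DROP

# allow specific ICMP packets (everything else ICMP ends in LOG+DROP below)
$IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type source-quench -j ACCEPT          # historical; current stacks ignore it
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT           # we answer pings from everywhere
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT          # needed for traceroute
$IPT -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT

# some things happen too often to be logged...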
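# multicast membership query from 195.3.93.72 (presumably the upstream
# router) - arrives far too often to be worth a log line
$IPT -A INPUT -p igmp -s 195.3.93.72 -d 224.0.0.1 -j DROP
#$IPT -A INPUT -p udp --dport netbios-ns -j DROP
#$IPT -A INPUT -p udp --dport netbios-dgm -j DROP
#$IPT -A INPUT -p tcp --dport netbios-ssn -j DROP

# log and afterwards lock the rest.  The LOG is rate limited: an unlimited
# catch-all LOG lets anybody fill /var/log (and syslog's I/O) with a flood.
$IPT -A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPT in: "
$IPT -A INPUT -j DROP

##### OUTPUT-Chain ############################################################

# FOR TESTING ONLY: allow all outgoing packets
# $IPT -A OUTPUT -j ACCEPT

# allow packets to the loopback device
$IPT -A OUTPUT -o lo -j ACCEPT

# allow packets to eth0 (local network)
$IPT -A OUTPUT -o eth0 -j ACCEPT

# explicitly drop Windows' network traffic (NetBIOS/SMB) before anything
# else can accept it - it must never leave towards the ISDN link
$IPT -A OUTPUT -p udp -m multiport --dport 137,138,139,445 -j DROP
$IPT -A OUTPUT -p tcp -m multiport --dport 137,138,139,445 -j DROP
$IPT -A OUTPUT -p udp -m multiport --sport 137,138,139,445 -j DROP
$IPT -A OUTPUT -p tcp -m multiport --sport 137,138,139,445 -j DROP

# the alternative: the state module allows active and passive FTP
# (mind the corresponding rule in the INPUT chain!)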
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# specific UDP packets
$IPT -A OUTPUT -p udp --sport 1024: --dport 53 -j ACCEPT   # domain/udp
#$IPT -A OUTPUT -p udp --dport 7091 -j ACCEPT              # nautilus

# tcp packets from local client programs: the client side always uses an
# unprivileged source port, the server side the well-known port listed.
# out_client_tcp PORT - accept new outgoing TCP connections to PORT
out_client_tcp () {
  $IPT -A OUTPUT -p tcp --sport 1024: --dport "$1" -j ACCEPT
}
out_client_tcp 21                                # ftp
out_client_tcp 22                                # ssh
out_client_tcp 23                                # telnet (cleartext)
$IPT -A OUTPUT -p tcp --dport 25 -j ACCEPT       # smtp (no source-port restriction)
out_client_tcp 37                                # time
out_client_tcp 43                                # whois
out_client_tcp 53                                # domain/tcp
out_client_tcp 79                                # finger
out_client_tcp 80                                # www
out_client_tcp 110                               # pop-3
$IPT -A OUTPUT -p udp --dport 123 -j ACCEPT      # ntp
out_client_tcp 119                               # nntp
out_client_tcp 143                               # imap2
out_client_tcp 443                               # https
out_client_tcp 554                               # Real G2
out_client_tcp 888                               # CDDB
out_client_tcp 995                               # pop3s
out_client_tcp 5190                              # icq
out_client_tcp 6667                              # irc

# outgoing tcp connections are allowed if only unprivileged ports are used
# at both ends.  These are necessary for "passive FTP" as long as "-m state"
# is not used.  This is also necessary for clients using services such as
# "icq" or "irc" (if they were not explicitly allowed above already).
#$IPT -A OUTPUT -p tcp --sport 1024: --dport 1024: -j ACCEPT

# we have a few servers...
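# Replies of our own sshd.  Restricted to non-SYN packets: without "! --syn"
# any process bound to source port 22 could open new outbound connections
# to arbitrary ports, bypassing the client rules above.  (The state rule
# covers these replies anyway; this is the non-state fallback.)
$IPT -A OUTPUT -p tcp --sport 22 ! --syn -j ACCEPT   # our sshd
#$IPT -A OUTPUT -p tcp --sport 80 -j ACCEPT          # our httpd
#$IPT -A OUTPUT -p tcp --sport 113 -j ACCEPT         # our authd

# allow specific ICMP packets
$IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# The rest is logged (rate limited, so a misbehaving local program cannot
# flood syslog) and locked.  For TCP connections we send an error message
# (RST) to our own program in order not to wait for a delaying timeout.
$IPT -A OUTPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPT out: "
$IPT -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
$IPT -A OUTPUT -j DROP

##### FORWARD-Chain ###########################################################

# FOR TESTING ONLY: log all packets
#$IPT -A FORWARD -j LOG

### OUTGOING ###

# outgoing packets (allow everything) (this rule was the default in this script)
#$IPT -A FORWARD -o ippp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

##########
# WARNING!
# This section up to "incoming" should basically be the same as the
# OUTPUT chain above (this chain handles all forwarded packets, including
# the masqueraded ones!).
# REMEMBER to replace "-A OUTPUT" with "-A FORWARD -i eth0 -o ippp0" - the
# "-i eth0" keeps the box from relaying packets that came in on ippp0 back
# out over ippp0 (see the last comment of this script).

# explicitly drop Windows' network traffic (NetBIOS/SMB) from the LAN
# before anything else can accept it - regardless of input interface
$IPT -A FORWARD -o ippp0 -p udp -m multiport --dport 137,138,139,445 -j DROP
$IPT -A FORWARD -o ippp0 -p tcp -m multiport --dport 137,138,139,445 -j DROP
$IPT -A FORWARD -o ippp0 -p udp -m multiport --sport 137,138,139,445 -j DROP
$IPT -A FORWARD -o ippp0 -p tcp -m multiport --sport 137,138,139,445 -j DROP

# the alternative: the state module allows active and passive FTP
# (mind the corresponding rule in the INPUT chain!)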
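# Every ACCEPT in the outgoing direction is qualified with "-i eth0": the
# script's contract (last comment of the file) is that only eth0 <--> ippp0
# is forwarded.  With "-o ippp0" alone, a packet that arrived on ippp0 and
# is routed back out over ippp0 would also be accepted and masqueraded.
$IPT -A FORWARD -i eth0 -o ippp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# specific UDP packets
$IPT -A FORWARD -i eth0 -o ippp0 -p udp --sport 1024: --dport 53 -j ACCEPT   # domain/udp
#$IPT -A FORWARD -i eth0 -o ippp0 -p udp --dport 7091 -j ACCEPT              # nautilus

# tcp packets from client programs on the LAN: the client side always uses
# an unprivileged source port, the server side the well-known port listed.
# fwd_client_tcp PORT - accept new TCP connections from the LAN to PORT
fwd_client_tcp () {
  $IPT -A FORWARD -i eth0 -o ippp0 -p tcp --sport 1024: --dport "$1" -j ACCEPT
}
fwd_client_tcp 21                                                # ftp
fwd_client_tcp 22                                                # ssh
fwd_client_tcp 23                                                # telnet (cleartext)
$IPT -A FORWARD -i eth0 -o ippp0 -p tcp --dport 25 -j ACCEPT     # smtp (no source-port restriction)
fwd_client_tcp 37                                                # time
fwd_client_tcp 43                                                # whois
fwd_client_tcp 53                                                # domain/tcp
fwd_client_tcp 79                                                # finger
fwd_client_tcp 80                                                # www
fwd_client_tcp 110                                               # pop-3
$IPT -A FORWARD -i eth0 -o ippp0 -p udp --dport 123 -j ACCEPT    # ntp
fwd_client_tcp 119                                               # nntp
fwd_client_tcp 143                                               # imap2
fwd_client_tcp 443                                               # https
fwd_client_tcp 554                                               # Real G2
fwd_client_tcp 995                                               # pop3s
fwd_client_tcp 5190                                              # icq
fwd_client_tcp 6667                                              # irc

# outgoing tcp connections are allowed if only unprivileged ports are used
# at both ends.  These are necessary for "passive FTP" as long as "-m state"
# is not used.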
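# This is also necessary for clients using services such as "icq" or "irc"
# (if they were not explicitly allowed above already).
#$IPT -A FORWARD -i eth0 -o ippp0 -p tcp --sport 1024: --dport 1024: -j ACCEPT

# we don't have and definitely don't want any servers which need masquerading

# allow specific ICMP packets from the LAN towards the internet
# ("-i eth0": only eth0 <--> ippp0 is forwarded, see the end of this script)
$IPT -A FORWARD -i eth0 -o ippp0 -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A FORWARD -i eth0 -o ippp0 -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A FORWARD -i eth0 -o ippp0 -p icmp --icmp-type echo-request -j ACCEPT

# The rest is logged (rate limited, so a LAN host cannot flood syslog) and
# locked.  For TCP connections we send an error message (RST) back to the
# program in order not to wait for a delaying timeout.  These rules are
# deliberately not qualified with "-i": they catch whatever arrived on
# any interface and was about to leave over ippp0.
$IPT -A FORWARD -o ippp0 -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPT fwd: "
$IPT -A FORWARD -o ippp0 -p tcp -j REJECT --reject-with tcp-reset
$IPT -A FORWARD -o ippp0 -j DROP

### INCOMING ###

# incoming packets: only answers to connections the LAN opened, and only
# from the ISDN link towards the LAN.  Nothing NEW is ever forwarded in.
$IPT -A FORWARD -i ippp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# enable masquerading: nat table!
# (the nat table is flushed at the top of the script, so re-running does
# not pile up duplicate POSTROUTING rules)
$IPT -t nat -A POSTROUTING -o ippp0 -j MASQUERADE

# other forwarding except ippp0 <--> eth0 is not allowed by this script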