Results 1 to 3 of 3

Thread: rc.firewall

  1. #1
    Senior Member
    Join Date
    Nov 2001


    Hello everybody. I just finished this rc.firewall tonight and I thought I would ask those of you familiar with it what you think about it. Constructive criticism is welcome. It appears to work quite well, nmap, SATAN, SARA, Nessus all gave came up with nada, so it is doing it's job as far as I can tell. My experience has been with ipfilter on Free/OpenBSD and this is my first serious crack at a comprehensive rc.firewall for iptables v1.2.2.

    The system I am using here is Slackware Linux 8.0 running the 2.4.16 kernel with the grsecurity patch grsecurity-1.9.2-2.4.16 and all of the security goodness options turned on.

    I consider this rc.firewall to be BETA and would appreciate feedback on any issues you come across.

    //note: This rc.firewall is built for my system, I do not use modules as they *can* pose a security risk as they are capable of being trojaned. A section to enable modules is included but commented out. If you have iptables load as a module but not at boot time, you will need to uncomment that section for this to be effective.

    ##################### and away we go
    # rc.firewall iptable packet filtering script by UberC0der
    # Place this in /etc and chmod 700 it then run /etc/rc.firewall
    # This script should flush your existing rules, so be sure and know what
    # they were before you use this script. My personal suggestion is to
    # to put them in a file named something like tables.rules under /etc.
    # That way if you really *hate* this script you can always run
    # `iptables --flush; iptables-restore /etc/tables.rules' and get your
    # old rules back.
    # My hope for this script is to be both a learning experience and
    # perhaps, if all goes well, an outstanding rc.firewall. Enjoy, and
    # remember, all comments, concerns, questions and suggestions are
    # welcome.


    #set up the variables
    EXT_IF=eth0 # for obvious reasons I left out my IP # ditto
    LOCAL_ADDRS= # ditto again

    #Turn on IP forwarding
    echo Turining on IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # The next section will load the ip_tables module if your kernel does not

    # do it at boot. As mentioned previously I do not use modules, however
    # I included it for those of you who may. Just uncomment the middle two
    # lines if you need the modules loaded.

    # Load the ip_tables module
    #echo Loading ip_tables module. #uncomment me to use me.
    #/sbin/modprobe ip_tables || exit 1 #uncomment me to use me.
    # I let the kernel dynamically load the other modules

    echo Flush standard tables
    iptables --flush INPUT
    iptables --flush OUTPUT
    iptables --flush FORWARD
    echo Deny everything until firewall setup is complete
    iptables --policy INPUT DROP
    iptables --policy OUTPUT DROP
    iptables --policy FORWARD DROP

    CHAINS=`iptables -n -L |perl -n -e '/Chains\s+(\S+)/ && !($1 =~ /^(INPUT|FORWARD|OUTPUT)$/) && print "$1 "'`
    echo Remove remaining chains:
    echo $CHAINS
    for chain in $CHAINS; do
    iptbles --flush $chain

    for chain in $CHAINS; do
    iptables --delete-chain $chain

    for net in $MASQ_NETS; do
    # we delete all the rules so you can rerun the scripts without bloating your nat
    # entries.
    iptables -D POSTROUTING -t nat -s $MASQ_NETS -j MASQUERADE 2>/dev/null
    iptables -A POSTROUTING -t nat -s $MASQ_NETS -j MASQUERADE || exit 1

    iptables --policy FORWARD ACCEPT

    # Create a target for logging and dropping packets
    iptables --new LDROP 2>/dev/null
    iptables -A LDROP --proto tcp -j LOG --log-level info
    iptables -A LDROP --proto udp -j LOG --log-level info
    iptables -A LDROP --proto icmp -j LOG --log-level info
    iptables -A LDROP -f -j LOG --log-level emerg
    iptables -A LDROP -j DROP

    # Create a table for watching some accepted rules
    iptables --new WATCH 2>/dev/null
    iptables -A WATCH -m limit -j LOG --log-level warn
    iptables -A WATCH -j ACCEPT

    echo Special target for local addresses
    iptables --new LOCAL 2>/dev/null
    echo $LOCAL_ADDRS
    for ip in $LOCAL_ADDRS; do
    iptables -A INPUT --dst $ip -j LOCAL
    iptables -A INPUT --src $ip -i ! lo -j DROP # some spoof protection

    echo Drop and log every other incoming tcp connection attempts
    iptables -A LOCAL -i ! lo --proto tcp --syn --j LDROP

    echo Enforcing up ICMP policies, use iptables -L ICMP to check.
    # note: we do not deny all ICMP messages as we may break some
    # tcp/ip stuff along the way.
    iptables --new ICMP 2>/dev/null
    iptables -A INPUT --proto icmp -j LDROP
    iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
    iptables -A ICMP -p icmp --icmp-type destination-unreachable -j WATCH
    iptables -A ICMP -p icmp --icmp-type host-unreachable -j WATCH
    iptables -A ICMP -p icmp --icmp-type protocol-unreachable -j WATCH
    iptables -A ICMP -p icmp --icmp-type port-unreachable -j ACCEPT
    iptables -A ICMP -p icmp --icmp-type fragmentation-needed -j LDROP
    iptables -A ICMP -p icmp --icmp-type source-route-failed -j WATCH
    iptables -A ICMP -p icmp --icmp-type network-unknown -j WATCH
    iptables -A ICMP -p icmp --icmp-type host-unknown -j WATCH
    iptables -A ICMP -p icmp --icmp-type network-prohibited -j WATCH
    iptables -A ICMP -p icmp --icmp-type TOS-network-unreachable -j WATCH
    iptables -A ICMP -p icmp --icmp-type TOS-host-unreachable -j WATCH
    iptables -A ICMP -p icmp --icmp-type communication-prohibited -j WATCH
    iptables -A ICMP -p icmp --icmp-type host-precedence-violation -j LDROP
    iptables -A ICMP -p icmp --icmp-type precedence-cutoff -j LDROP
    iptables -A ICMP -p icmp --icmp-type source-quench -j LDROP
    iptables -A ICMP -p icmp --icmp-type redirect -j LDROP
    iptables -A ICMP -p icmp --icmp-type network-redirect -j LDROP
    iptables -A ICMP -p icmp --icmp-type TOS-network-redirect -j LDROP
    iptables -A ICMP -p icmp --icmp-type TOS-host-redirect -j LDROP
    iptables -A ICMP -p icmp --icmp-type echo-request -j WATCH
    iptables -A ICMP -p icmp --icmp-type router-advertisement -j LDROP
    iptables -A ICMP -p icmp --icmp-type router-solicitation -j LDROP
    iptables -A ICMP -p icmp --icmp-type time-exceeded -j WATCH
    iptables -A ICMP -p icmp --icmp-type ttl-zero-during-transit -j WATCH
    iptables -A ICMP -p icmp --icmp-type ttl-zero-during-reassembly -j WATCH
    iptables -A ICMP -p icmp --icmp-type ip-header-bad -j WATCH
    iptables -A ICMP -p icmp --icmp-type required-option-missing -j WATCH
    iptables -A ICMP -p icmp --icmp-type timestamp-request -j LDROP
    iptables -A ICMP -p icmp --icmp-type timestamp-reply -j LDROP
    iptables -A ICMP -p icmp --icmp-type address-mask-request -j LDROP
    iptables -A ICMP -p icmp --icmp-type address-mask-reply -j LDROP
    iptables -A ICMP -p icmp -j LDROP

    echo Authorize tcp traffic.
    iptables -A INPUT --proto tcp -j ACCEPT

    # The following are my specific rules, please be sure and modify these
    # to match whatever your box is set up for. example: if you run a mail
    # server you don't want to drop all tcp to port 25.

    # Here I am blocking specific ports for my needs.
    iptables -A INPUT -i ! lo -p 255 -j DROP # no connections to raw sockets allowed
    iptables -A INPUT -i ! lo -p tcp -m tcp --dport 1:6660 -j LDROP
    iptables -A INPUT -i ! lo -p tcp -m tcp --dport 6680:27900 -j LDROP

    echo Authorize packet output.
    iptables --policy OUTPUT ACCEPT

    # Here again, these are my rules, normally you will be safe blocking udp
    # below 1024.

    echo Drop and log all udp below 27900.
    iptables -A INPUT -i ! lo --proto udp --dport :27899 -j LDROP

    # imho rpc is Evil! I don't like it, comment this out or remove it if you feel
    # that you must have rpc.
    echo Drop rpc dynamic udp port:
    RPC_UDP=`rpcinfo -p localhost|perl -n -e '/.*udp\s+(\d+)\s+/ && print $1, ~\n |sort -u`
    echo $RPC_UDP
    for port in $RPC_UDP; do
    iptables -A LOCAL -i ! lo --proto udp --dport $port -j LDROP

    # I play Quake and other games so I need udp +29700 to be allowed to
    # accept connections. Once again please modify this to suite your
    # needs.

    echo Authorize udp above 27900.
    iptables -A INPUT --proto udp --dport 27900: -j ACCEPT

    # Disclaimer: the formatting in vi was more clean, once I pasted it in here
    # it did't look so nice.
    Know this..., you may not by thyself in pride claim the Mantle of Wizardry; that way lies only Bogosity without End.

    Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.

  2. #2
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    That's pretty good, only thing I saw wrong was your first variable for the ethernet card was declaring it as 'eht0' and not 'eth0' hehe...other than that, it seems you've done your homework and have read the other web pages on securing a firewall.

    Good job!
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Right you are, I guess since i did not call the variable EXT_IF the script didn't choke.

    Thanks, Vorlin.

    btw I changed it to eth0 incase anyone does want to build functionality into the script and they call EXT_IF...especially if they didn't catch my mistake.
    Know this..., you may not by thyself in pride claim the Mantle of Wizardry; that way lies only Bogosity without End.

    Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts