Firewalls
For a brief introduction see Filtering Firewalls in Linux.ppt
If you are using Ubuntu, you should look at the ubuntul Iptables Howto. Take special note of the iptables-apply script that you should use to test your connection.
This page includes firewall examples that were used on an actual (although now non-existent) network. It successfully protected some 16 static IPs for six years. At one time I recorded a 3-way coordinated attack from university networks in Italy, France and Germany. Through all this time, the bridging firewall was used successfully to protect a small business with several computers. The script that follows is final form.
Bridge Setup
# /etc/rc.d/init.d/bridge
#
return=$rc_done
case "$1" in
start)
echo "Starting service bridge br0"
ifconfig eth0 0.0.0.0 promisc
ifconfig eth1 0.0.0.0 promisc
brctl addbr br0 || return=$rc_failed
brctl addif br0 eth0 || return=$rc_failed
brctl addif br0 eth1 || return=$rc_failed
brctl sethello br0 1 || return=$rc_failed
brctl setmaxage br0 4 || return=$rc_failed
brctl setfd br0 4 || return=$rc_failed
ifconfig br0 promisc up 209.50.17.211 netmask 255.255.255.240 broadcast 209.50.17.223 || return=$rc_failed
route add default gw 209.50.17.209
echo -e "$return"
;;
stop)
echo "Shutting down service bridge br0"
ifconfig br0 down || return=$rc_failed
brctl delif br0 eth0 || return=$rc_failed
brctl delif br0 eth1 || return=$rc_failed
brctl delbr br0 || return=$rc_failed
ifconfig eth0 down || return=$rc_failed
ifconfig eth1 down || return=$rc_failed
route del default
echo -e "$return"
;;
status)
ifconfig br0
brctl show br0
;;
restart)
$0 stop && $0 start || return=$rc_failed
;;
*)
echo "Usage: $0 {start|stop|status|restart}"
exit 1
esac
test "$return" = "$rc_done" || exit 1
exit 0
Firewall Setup
# /etc/init.d/firewall
#
return=$rc_done
case "$1" in
start)
###############################################################################
#SETUP INFORMATION
INTERNET="eth0"
DMZ="eth1"
LOOPBACK_INTERFACE="lo"
CONNECTION_TRACKING="1"
ICMP_STRICT="1"
L2TP="0"
INET_SSH="0"
BRAIN="209.50.17.210"
BRAIN2="209.50.17.212"
CISCO="209.50.17.209"
YAKKO="209.50.17.215"
CSE="129.93.165.2"
TIMESERVER1="132.163.4.101"
TIMESERVER2="132.163.4.102"
TIMESERVER3="132.163.4.103"
DMZ_NETWORK="209.50.17.213-222"
SUBNET_BROADCAST="209.50.17.223"
SUBNET_NETWORK="209.50.17.208"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
###############################################################################
# in /proc/sys/net/ipv4 protections available
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Don't Send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Drop Spoofed Packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Log packets with impossible addresses. (Do we really want to do this?)
#for f in /proc/sys/net/ipv4/conf/*/log_martians; do
# echo 1 > $f
#done
###############################################################################
#FLUSH EVERYTHING AND DELETE CHAINS
echo "Flushing all rules and chains ..."
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables --delete-chain
/sbin/iptables -t nat --delete-chain
/sbin/iptables -t mangle --delete-chain
#DEFAULT POLICIES
#default filter policy
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP
#default nat policy
/sbin/iptables -t nat --policy PREROUTING ACCEPT
/sbin/iptables -t nat --policy OUTPUT ACCEPT
/sbin/iptables -t nat --policy POSTROUTING ACCEPT
#default mangle policy
/sbin/iptables -t mangle --policy PREROUTING ACCEPT
/sbin/iptables -t mangle --policy OUTPUT ACCEPT
#Allow loopback
/sbin/iptables -A INPUT -m physdev --physdev-in lo -j ACCEPT
/sbin/iptables -A OUTPUT -m physdev --physdev-out lo -j ACCEPT
###############################################################################
#CREATE VALIDATION CHAINS
iptables -N TCP-STF
iptables -N CON-TRK
iptables -N SRC-CHK
iptables -N FWL-OUT
#CREATE TRAFFIC CHAINS
iptables -N INET-SVRS
iptables -N SVRS-INET
#CREATE ICMP CHAINS
iptables -N passicmp
###############################################################################
echo "Creating firewall rules..."
#INSERT A PACKET INTO THE APPROPRIATE CHAIN
## Allow SSH to DMZ
/sbin/iptables -A INPUT -m physdev --physdev-in $DMZ -p tcp --destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -m physdev --physdev-in $DMZ -p udp --destination-port 22 -j ACCEPT
if [ $INET_SSH = 1 ] ; then
/sbin/iptables -A INPUT -m physdev --physdev-in $INTERNET -p tcp --destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -m physdev --physdev-in $INTERNET -p udp --destination-port 22 -j ACCEPT
fi
/sbin/iptables -A INPUT -d $SUBNET_BROADCAST -j DROP
/sbin/iptables -A INPUT -p icmp -j passicmp
/sbin/iptables -A INPUT -j TCP-STF
/sbin/iptables -A INPUT -j CON-TRK
/sbin/iptables -A INPUT -j SRC-CHK
#/sbin/iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
################################################################################
# On 9/28/03 we denied these idiots who are just hammering our site!
/sbin/iptables -A INPUT -s 216.39.48.0/24 -j DROP
/sbin/iptables -A FORWARD -s 216.39.48.0/24 -j DROP
/sbin/iptables -A FORWARD -s 68.116.156.85 -j DROP
/sbin/iptables -A FORWARD -s 213.37.82.0/24 -j DROP
/sbin/iptables -A FORWARD -s 63.107.252.0/24 -p tcp --destination-port 25 -j DROP
/sbin/iptables -A FORWARD -s 63.107.252.0/24 -p udp --destination-port 25 -j DROP
/sbin/iptables -A FORWARD -s 65.212.41.0/24 -p tcp --destination-port 25 -j DROP
/sbin/iptables -A FORWARD -s 65.212.41.0/24 -p udp --destination-port 25 -j DROP
/sbin/iptables -A FORWARD -s 65.186.8.0/24 -j DROP
#
################################################################################
/sbin/iptables -A FORWARD -p icmp -j passicmp
/sbin/iptables -A FORWARD -j TCP-STF
/sbin/iptables -A FORWARD -j CON-TRK
/sbin/iptables -A FORWARD -j SRC-CHK
/sbin/iptables -A FORWARD -m physdev --physdev-in $INTERNET --physdev-out $DMZ -j INET-SVRS
/sbin/iptables -A FORWARD -m physdev --physdev-in $DMZ --physdev-out $INTERNET -j SVRS-INET
# Allow the firewall to talk to the DMZ
/sbin/iptables -A OUTPUT -m physdev --physdev-out $DMZ -j ACCEPT
# Otherwise do the normal check
/sbin/iptables -A OUTPUT -p icmp -j passicmp
/sbin/iptables -A OUTPUT -j TCP-STF
/sbin/iptables -A OUTPUT -j CON-TRK
/sbin/iptables -A OUTPUT -j SRC-CHK
/sbin/iptables -A OUTPUT -m physdev --physdev-out $INTERNET -j FWL-OUT
##############################################################################
# FWL-OUT What we allow the firewall to talk to
# Allow this machine to talk to the internet over SSH
/sbin/iptables -A FWL-OUT -p tcp --destination-port 22 -j ACCEPT
/sbin/iptables -A FWL-OUT -p tcp -d 209.50.17.209 -j ACCEPT
/sbin/iptables -A FWL-OUT -j DROP
###############################################################################
# the ICMP chain
# strict version:
if [ $ICMP_STRICT = 1 ] ; then
/sbin/iptables -A passicmp -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A passicmp -p icmp --icmp-type source-quench -j ACCEPT
/sbin/iptables -A passicmp -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A passicmp -p icmp -j DROP
else
/sbin/iptables -A passicmp -p icmp -j ACCEPT
fi
###############################################################################
#TCP-STATE-FLAGES
# All of the bits are cleared
iptables -A TCP-STF -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
iptables -A TCP-STF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
iptables -A TCP-STF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
iptables -A TCP-STF -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
iptables -A TCP-STF -p tcp --tcp-flags ACK,FIN FIN -j DROP
#PSH is the only bit set, without the expected accompanying ACK
iptables -A TCP-STF -p tcp --tcp-flags ACK,PSH PSH -j DROP
#URG is the only bit set, without the expected accompanyin
iptables -A TCP-STF -p tcp --tcp-flags ACK,URG URG -j DROP
###############################################################################
# Allows established and related connections through
if [ $CONNECTION_TRACKING = 1 ] ; then
iptables -A CON-TRK -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A CON-TRK -m state --state INVALID -j LOG --log-level info --log-prefix "CS"
iptables -A CON-TRK -m state --state INVALID -j DROP
fi
###############################################################################
#Refuse various invalid sources
# Refuse spoofed packets pretending to be from the external interface’s IP address
iptables -A SRC-CHK -m physdev --physdev-in $INTERNET -s $BRAIN -j DROP
#Refuse packets claiming to be from a Class A,B,C private network
iptables -A SRC-CHK -s $CLASS_A -j DROP
iptables -A SRC-CHK -s $CLASS_B -j DROP
iptables -A SRC-CHK -s $CLASS_C -j DROP
#Refuse multicast packets
iptables -A SRC-CHK -s $CLASS_D_MULTICAST -j DROP
iptables -A SRC-CHK -s $CLASS_E_RESERVED_NET -j DROP
iptables -A SRC-CHK -d $BROADCAST_DEST -j DROP
#Refuse packets claiming to be from loopback
iptables -A SRC-CHK -m physdev --physdev-in $INTERNET -s $LOOPBACK -j DROP
#Refuse malformed broadcast packests
iptables -A SRC-CHK -s $BROADCAST_DEST -j DROP
iptables -A SRC-CHK -s $BROADCAST_SRC -j DROP
#Refuse directed broadcasts
iptables -A SRC-CHK -m physdev --physdev-in $INTERNET -s $SUBNET_NETWORK -j DROP
iptables -A SRC-CHK -m physdev --physdev-in $INTERNET -s $SUBNET_BROADCAST -j DROP
###############################################################################
# Brain/Gateway Server Table
# Currently we accept FTP, SMTP, DNS, WWW, POP3, NTP*
# We have also added the private forwards at the bottom
# this is for servers that on the private IP range
# SMTP
/sbin/iptables -A INET-SVRS -d $BRAIN -p tcp --destination-port 25 -j ACCEPT
/sbin/iptables -A INET-SVRS -d $BRAIN -p udp --destination-port 25 -j ACCEPT
# Domain/Nameserver as of 9/28 this service is not available - no longer serving Inviationsource.com
/sbin/iptables -A INET-SVRS -d $BRAIN -p tcp --destination-port 42 -j ACCEPT
/sbin/iptables -A INET-SVRS -d $BRAIN -p udp --destination-port 42 -j ACCEPT
/sbin/iptables -A INET-SVRS -d $BRAIN -p tcp --destination-port 53 -j ACCEPT
/sbin/iptables -A INET-SVRS -d $BRAIN -p udp --destination-port 53 -j ACCEPT
# WWW
/sbin/iptables -A INET-SVRS -d $BRAIN -p tcp --destination-port 80 -j ACCEPT
/sbin/iptables -A INET-SVRS -d $BRAIN -p udp --destination-port 80 -j ACCEPT
# WWW/SSL
/sbin/iptables -A INET-SVRS -d $BRAIN -p tcp --destination-port 443 -j ACCEPT
/sbin/iptables -A INET-SVRS -d $BRAIN -p udp --destination-port 443 -j ACCEPT
# Allow time server to gateway
/sbin/iptables -A INET-SVRS -s $TIMESERVER1 -d $BRAIN -p udp --destination-port 123 -j ACCEPT
/sbin/iptables -A INET-SVRS -s $TIMESERVER2 -d $BRAIN -p udp --destination-port 123 -j ACCEPT
/sbin/iptables -A INET-SVRS -s $TIMESERVER3 -d $BRAIN -p udp --destination-port 123 -j ACCEPT
/sbin/iptables -A INET-SVRS -s $TIMESERVER1 -d $BRAIN2 -p udp --destination-port 123 -j ACCEPT
/sbin/iptables -A INET-SVRS -s $TIMESERVER2 -d $BRAIN2 -p udp --destination-port 123 -j ACCEPT
/sbin/iptables -A INET-SVRS -s $TIMESERVER3 -d $BRAIN2 -p udp --destination-port 123 -j ACCEPT
# PPTP
# /sbin/iptables -A INET-SVRS -d $BRAIN -p 47 -j ACCEPT
# /sbin/iptables -A INET-SVRS -d $BRAIN -p tcp --destination-port 1723 -j ACCEPT
# /sbin/iptables -A INET-SVRS -d $BRAIN2 -p 47 -j ACCEPT
# /sbin/iptables -A INET-SVRS -d $BRAIN2 -p tcp --destination-port 1723 -j ACCEPT
# L2TP/IPSec
if [ $L2TP = 1 ] ; then
/sbin/iptables -A INET-SVRS -d $BRAIN -p 50 -j ACCEPT
/sbin/iptables -A INET-SVRS -d $BRAIN -p 51 -j ACCEPT
/sbin/iptables -A INET-SVRS -d $BRAIN -p udp --destination-port 500 -j ACCEPT
/sbin/iptables -A INET-SVRS -d $BRAIN2 -p 50 -j ACCEPT
/sbin/iptables -A INET-SVRS -d $BRAIN2 -p 51 -j ACCEPT
/sbin/iptables -A INET-SVRS -d $BRAIN2 -p udp --destination-port 500 -j ACCEPT
fi
# ALLOW X Apps from cse.unl.edu to yakko
/sbin/iptables -A INET-SVRS -s $CSE -d $YAKKO -p tcp --destination-port 6000 -j ACCEPT
#/sbin/iptables -A INET-SVRS -s $CSE -d $YAKKO -p udp --destination-port 6000 -j ACCEPT
# PACKETS THAT MAKE IT THIS FAR ARE LOGGED AND DROPPED BY POLICY
/sbin/iptables -A INET-SVRS -j LOG --log-level info --log-prefix "SC: "
/sbin/iptables -A INET-SVRS -j DROP
###############################################################################
# SVRS-INET'
# Allow out SMTP
/sbin/iptables -A SVRS-INET -s $BRAIN -p tcp --source-port 25 -j ACCEPT
/sbin/iptables -A SVRS-INET -s $BRAIN -p udp --source-port 25 -j ACCEPT
# Allow out nameserver
/sbin/iptables -A SVRS-INET -s $BRAIN -p tcp --source-port 42 -j ACCEPT
/sbin/iptables -A SVRS-INET -s $BRAIN -p udp --source-port 42 -j ACCEPT
# Allow out Domain (DNS)
/sbin/iptables -A SVRS-INET -s $BRAIN -p tcp --source-port 53 -j ACCEPT
/sbin/iptables -A SVRS-INET -s $BRAIN -p udp --source-port 53 -j ACCEPT
# Allow out HTTP(s)
/sbin/iptables -A SVRS-INET -s $BRAIN -p tcp --source-port 80 -j ACCEPT
/sbin/iptables -A SVRS-INET -s $BRAIN -p udp --source-port 80 -j ACCEPT
/sbin/iptables -A SVRS-INET -s $BRAIN -p tcp --source-port 443 -j ACCEPT
/sbin/iptables -A SVRS-INET -s $BRAIN -p udp --source-port 443 -j ACCEPT
# Allow NTP requests out
/sbin/iptables -A SVRS-INET -s $BRAIN -d $TIMESERVER1 -p udp --source-port 123 -j ACCEPT
/sbin/iptables -A SVRS-INET -s $BRAIN -d $TIMESERVER2 -p udp --source-port 123 -j ACCEPT
/sbin/iptables -A SVRS-INET -s $BRAIN -d $TIMESERVER3 -p udp --source-port 123 -j ACCEPT
/sbin/iptables -A SVRS-INET -s $BRAIN2 -d $TIMESERVER1 -p udp --source-port 123 -j ACCEPT
/sbin/iptables -A SVRS-INET -s $BRAIN2 -d $TIMESERVER2 -p udp --source-port 123 -j ACCEPT
/sbin/iptables -A SVRS-INET -s $BRAIN2 -d $TIMESERVER3 -p udp --source-port 123 -j ACCEPT
# PPTP Is currently not allowed instead use L2TP
# /sbin/iptables -A SVRS-INET -s $BRAIN -p 47 -j ACCEPT
# /sbin/iptables -A SVRS-INET -s $BRAIN -p tcp --destination-port 1723 -j ACCEPT
# /sbin/iptables -A SVRS-INET -s $BRAIN2 -p 47 -j ACCEPT
# /sbin/iptables -A SVRS-INET -s $BRAIN2 -p tcp --destination-port 1723 -j ACCEPT
# Next four lines stop anyone except our mail server from sending mail
/sbin/iptables -A SVRS-INET -s $BRAIN -p tcp --destination-port 25 -j ACCEPT
/sbin/iptables -A SVRS-INET -s $BRAIN -p udp --destination-port 25 -j ACCEPT
/sbin/iptables -A SVRS-INET -s 0.0.0.0 -p tcp --destination-port 25 -j DROP
/sbin/iptables -A SVRS-INET -s 0.0.0.0 -p udp --destination-port 25 -j DROP
# These lines allow any activity outbound on unprivileged ports all
# other outbound traffic is denied by policy
/sbin/iptables -A SVRS-INET -p tcp --source-port 1024:65535 -j ACCEPT
/sbin/iptables -A SVRS-INET -p udp --source-port 1024:65535 -j ACCEPT
echo "Finished Firewall setup."
;;
stop)
echo "Flushing all rules and chains ..."
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables --delete-chain
/sbin/iptables -t nat --delete-chain
/sbin/iptables -t mangle --delete-chain
/sbin/iptables --policy INPUT ACCEPT
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables --policy FORWARD ACCEPT
#default nat policy
/sbin/iptables -t nat --policy PREROUTING ACCEPT
/sbin/iptables -t nat --policy OUTPUT ACCEPT
/sbin/iptables -t nat --policy POSTROUTING ACCEPT
#default mangle policy
/sbin/iptables -t mangle --policy PREROUTING ACCEPT
/sbin/iptables -t mangle --policy OUTPUT ACCEPT
;;
restart)
/etc/init.d/firewall stop && /etc/init.d/firewall start
;;
*)
echo "use firewall [start|stop]"
exit 1
esac
test "$return" = "$rc_done" || exit 1
exit 0
At times, I have also used NAT
In this extremely simple NAT setup I do not forward anthing to the interior of the network, although I have some commented lines that had been used to do that. This too is from a long since dead network.
#Postrouting nat stuff from 10.0.0.0 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source x.y.z.21 # DON'T DO IT ANYMORE BECAUSE WE GOT A REGUALR IP FOR PINKY 220 - 5/30/03 #Pre routing stuff to Pinky #iptables -t nat -A PREROUTING -i eth0 -p tcp -d x.y.z.22 --sport 1024:65535 --dport 80 -j DNAT --to-destination 10.0.0.2 #iptables -t nat -A PREROUTING -i eth1 -p tcp -d x.y.z.22 --sport 1024:65535 --dport 80 -j DNAT --to-destination 10.0.0.2
Once you have NAT setup, there really isn't much difference in how the firewall is setup. You can use the one listed above.
= Blocking SSH repeated login attempts =
Obviously a person should use a package where appropriate, like fail2ban. But if you want to play with the nuts and bolts of your iptables firewall a bit, you might try the following:
First: Configure /etc/ssh/sshd_config to contain MaxAuthTries 1.
Second: Add a new chain to your firewall:
iptables -N SSHDENY iptables -A SSHDENY -j LOG --log-prefix "Possible ssh attack. " --log-level 7 iptables -A SSHDENY -j DROP
You also need to put an entry point for your new chain.
iptables -A INPUT -i eth0 -p tcp -m state --dport 22 --state NEW -m recent --set iptables -A INPUT -i eth0 -p tcp -m state --dport 22 --state NEW -m recent --update --seconds 120 --hitcount 7 -j SSHDENY
Third: watch /var/log/syslog for entries that include your log line.
Fourth: If you see some idiot just killing your machine with logs, consider adding the IP or range of IPs to your block list.