Thread: iptables script
Old 07-23-2004
Juha Laiho
 
Re: iptables script

"Felix Tilley" <ftilley@localhost.localdomain> said:
>#!/bin/bash
># Must be run by root
>#@(#) 25 JUN 2004

.... [140 or so lines of iptables script snipped]

Ok,

could you now describe
- for which kind of host this is intended for?
- what are the benefits for this set-up?
- what are the risks/problems of this set-up?

For the last I have some comments:
- lets through everything not specifically prohibited
(actually depends on chain default policies, which are not
explicitly set by the script)
- prohibits some host-internal traffic that might be needed
- the logdrop rule chain makes the host using this script
a potential target for a DoS attack
- large amount of unneeded specific rules (f.ex. HTTP does not
utilize UDP under any circumstances)


Below is my "starting point" - which prohibits _all_ connection attempts
from external systems (except ping), makes some sanity checks to
the packets, and explicitly passes through all return traffic for
connections originated from the machine itself (and also doesn't
prohibit any host-internal traffic). So, as such this is usable for
an end-user workstation. For f.ex. a web server, incoming TCP traffic
on port 80 needs to be allowed (perhaps along with blacklisting some
address ranges).


#! /bin/bash -
PATH=/sbin; export PATH

# Set default policies to drop all traffic -- anything that is desired
# needs to be specifically allowed
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Common: rules common for both incoming and outgoing sessions;
# - acceptance of return packets for allowed sessions
# - dropping of packets in nonsense session states
# - acceptance of all localhost traffic
iptables -N common
iptables -A common -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A common -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "New not SYN:"
iptables -A common -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
iptables -A common -m state --state INVALID -j LOG --log-prefix "Invalid state:"
iptables -A common -m state --state INVALID -j DROP
iptables -A common -i lo -j ACCEPT
iptables -A common -o lo -j ACCEPT
iptables -A common -j RETURN

# Blacklist: list here the IP addresses/ranges from which no traffic
# is desired
iptables -N blacklist
# iptables -A blacklist -s #.#.#.# -j DROP
iptables -A blacklist -j RETURN

# Incoming:
#
# Handle IP-based blacklisting
iptables -A INPUT -j blacklist
# Sanity check; allow return packets
iptables -A INPUT -j common
# Allow incoming ICMP echo (ping) requests
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#
# Specify here the accepted incoming sessions;
# example: allow ssh in
# iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# example: allow all traffic from a trusted interface
# iptables -A INPUT -i ethX -j ACCEPT
#
# Specify here the incoming requests you want to actively reject
# and not log (f.ex. ident queries from upstream SMTP servers)
# iptables -A INPUT -p tcp -m tcp --dport 113 -s #.#.#.# -j REJECT --reject-with tcp-reset
# For a workstation, just rejecting everything w/o logging makes most
# sense in majority of cases
iptables -A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
#
# Log&drop all the rest
iptables -A INPUT -j LOG --log-prefix "Forbidden incoming session:"
#
# Specify here the incoming requests you want to actively reject
# after they've been logged -- the rest will just be DROPped
#
###
#
# Outgoing:
#
# Sanity check; allow return packets
iptables -A OUTPUT -j common
# Workstation use -- allow all outgoing traffic after sanity check
iptables -A OUTPUT -j ACCEPT
#
# For a more secure/restricted set-up, comment out the above and
# just accept the desired outbound traffic
#
# Accept ICMP echo (ping) requests and responses
# iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#
# Specify here the accepted outgoing sessions; example: allow pop3 out
# iptables -A OUTPUT -d #.#.#.# -p tcp -m tcp --dport 110 -j ACCEPT
# Allow DNS out; fill in the provider's DNS server IP
# iptables -A OUTPUT -d #.#.#.# -p tcp -m tcp --dport 53 -j ACCEPT
# iptables -A OUTPUT -d #.#.#.# -p udp -m udp --dport 53 -j ACCEPT
#
# Log all the rest
#
# iptables -A OUTPUT -j LOG --log-prefix "Forbidden outbound session:"
#
# Actively reject all the rest
# (no "DROP" here; it'd just cause a delay; REJECT terminates the
# session immediately)
#
# iptables -A OUTPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
# iptables -A OUTPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable

--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
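The first comment above (that the quoted script never sets chain default policies, so its behaviour depends on whatever they happen to be) is easy to audit before deploying. The following check is an added example, not part of the original post: it reads iptables-save output and names every built-in filter chain whose policy is not DROP. The ruleset below is constructed for illustration, with FORWARD deliberately left at ACCEPT.

```shell
# Constructed sample of `iptables-save` output (not from the thread);
# FORWARD is left at ACCEPT on purpose so the check has something to flag.
SAMPLE_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
:common - [0:0]
:blacklist - [0:0]
-A INPUT -j blacklist
-A INPUT -j common
-A common -m state --state RELATED,ESTABLISHED -j ACCEPT
-A common -j RETURN
COMMIT'

# Read iptables-save format on stdin; print each built-in filter chain
# whose default policy is not DROP. Exit 0 only when all three are DROP.
# User-defined chains carry "-" as their policy and are ignored.
check_default_policies() {
    awk '
        /^\*/ { table = substr($1, 2) }
        table == "filter" && /^:/ {
            chain = substr($1, 2)
            if (chain ~ /^(INPUT|FORWARD|OUTPUT)$/ && $2 != "DROP") {
                print chain " policy is " $2
                bad++
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Against a live box this would be:  iptables-save | check_default_policies
# Here the constructed sample is used, so FORWARD gets reported.
if printf '%s\n' "$SAMPLE_RULESET" | check_default_policies; then
    echo "all filter default policies are DROP"
else
    echo "at least one built-in chain falls through to a non-DROP policy"
fi
```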