This is a discussion on iptables script within the Linux Security forums, part of the System Security and Security Related category.
#!/bin/bash
# Must be run by root
#@(#) 25 JUN 2004
/sbin/iptables -N LOGDROP
/sbin/iptables -A LOGDROP -j LOG --log-level 4
/sbin/iptables -A LOGDROP -j DROP

# Stuff from LACNIC, RIPE and broadband
# /sbin/iptables -A INPUT -s 200.0.0.0/8 -j LOG --log-level debug  # LACNIC whois servers are in this range
/sbin/iptables -A INPUT -s 201.0.0.0/8 -j LOGDROP
/sbin/iptables -A INPUT -s 4.0.0.0/8 -j LOGDROP
# /sbin/iptables -A INPUT -s 12.0.0.0/8 -j LOGDROP  # www.latimes.com is in this range
/sbin/iptables -A INPUT -s 24.0.0.0/8 -j LOGDROP
/sbin/iptables -A INPUT -s 80.0.0.0/8 -j LOGDROP
/sbin/iptables -A INPUT -s 81.0.0.0/8 -j LOGDROP
/sbin/iptables -A INPUT -s 82.0.0.0/8 -j LOGDROP
/sbin/iptables -A INPUT -s 83.0.0.0/8 -j LOGDROP
/sbin/iptables -A INPUT -s 84.0.0.0/8 -j LOGDROP

# telus hosted spammers /intopamail.com/fltn.net
/sbin/iptables -A INPUT -s 207.134.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 209.89.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 64.180.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 216.232.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 137.186.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 207.81.0.0/16 -j LOGDROP

# telus dynamic ranges
/sbin/iptables -A INPUT -s 142.179.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 206.116.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 66.222.128.0/17 -j LOGDROP
/sbin/iptables -A INPUT -s 207.6.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 209.121.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 209.202.64.0/18 -j LOGDROP

# FTP DATA
/sbin/iptables -A INPUT -p TCP --dport 20 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 20 -j LOGDROP
# FTP CONTROL
/sbin/iptables -A INPUT -p TCP --dport 21 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 21 -j LOGDROP
# TELNET
/sbin/iptables -A INPUT -p TCP --dport 23 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 23 -j LOGDROP
# SMTP
/sbin/iptables -A INPUT -p TCP --dport 25 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 25 -j LOGDROP
# HTTP
/sbin/iptables -A INPUT -p TCP --dport 80 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 80 -j LOGDROP
/sbin/iptables -A INPUT -p TCP --dport 8080 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 8080 -j LOGDROP
# POP3
/sbin/iptables -A INPUT -p TCP --dport 110 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 110 -j LOGDROP
# NNTP Network News
/sbin/iptables -A INPUT -p TCP --dport 119 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 119 -j LOGDROP
# Port 123 Network Time
/sbin/iptables -A INPUT -p TCP --dport 123 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 123 -j LOGDROP
# Microsoft
/sbin/iptables -A INPUT -p TCP --dport 135:139 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 135:139 -j LOGDROP
# RPC Commented out. Generates false hits on 127.0.0.1
#/sbin/iptables -A INPUT -p TCP --dport 111 -j LOGDROP
#/sbin/iptables -A INPUT -p UDP --dport 111 -j LOGDROP
# IMAP
/sbin/iptables -A INPUT -p TCP --dport 143 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 143 -j LOGDROP
# Microsoft
/sbin/iptables -A INPUT -p TCP --dport 445 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 445 -j LOGDROP
# Print spooler
/sbin/iptables -A INPUT -p TCP --dport 515 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 515 -j LOGDROP
# Port 1026
/sbin/iptables -A INPUT -p TCP --dport 1026 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 1026 -j LOGDROP
# X Windows
/sbin/iptables -A INPUT -p TCP --dport 6000:6063 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 6000:6063 -j LOGDROP
# X Windows, outbound. Commented out because it generated an error message:
# the chain name was misspelled "OUPUT" in the posted script (corrected to OUTPUT here).
#/sbin/iptables -A OUTPUT -p UDP --dport 6000:6063 -j LOGDROP
#xdmcp 177 X Display Manager Control Protocol
/sbin/iptables -A INPUT -p TCP --dport 177 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 177 -j LOGDROP
# open proxy port address
/sbin/iptables -A INPUT -p TCP --dport 65506 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 65506 -j LOGDROP
# UNKNOWN
/sbin/iptables -A INPUT -p TCP --dport 8640 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 8640 -j LOGDROP
Felix Tilley wrote:
> #!/bin/bash
> {snipped long script}

That's kind of going about it the wrong way. Your script blocks individual sites (well, IP ranges) and ports. Why not set the policy to drop absolutely everything, then selectively open the firewall to the services that you want to allow?
"Felix Tilley" <ftilley@localhost.localdomain> said:
>#!/bin/bash
># Must be run by root
>#@(#) 25 JUN 2004
.... [140 or so lines of iptables script snipped]

Ok, could you now describe:
- for which kind of host is this intended?
- what are the benefits of this set-up?
- what are the risks/problems of this set-up?

For the last I have some comments:
- lets through everything not specifically prohibited (actually depends on chain default policies, which are not explicitly set by the script)
- prohibits some host-internal traffic that might be needed
- the logdrop rule chain makes the host using this script a potential target for a DOS attack
- large amount of unneeded specific rules (f.ex. HTTP does not utilize UDP under any circumstances)

Below is my "starting point" - which prohibits _all_ connection attempts from external systems (except ping), makes some sanity checks on the packets, and explicitly passes through all return traffic for connections originated from the machine itself (and also doesn't prohibit any host-internal traffic). So, as such this is usable for an end-user workstation. For f.ex. a web server, incoming TCP traffic on port 80 needs to be allowed (perhaps along with blacklisting some address ranges).

#! /bin/bash -
PATH=/sbin; export PATH

# Set default policies to drop all traffic -- anything that is desired
# needs to be specifically allowed
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Common: rules common for both incoming and outgoing sessions;
# - acceptance of return packets for allowed sessions
# - dropping of packets in nonsense session states
# - acceptance of all localhost traffic
iptables -N common
iptables -A common -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A common -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "New not SYN:"
iptables -A common -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
iptables -A common -m state --state INVALID -j LOG --log-prefix "Invalid state:"
iptables -A common -m state --state INVALID -j DROP
iptables -A common -i lo -j ACCEPT
iptables -A common -o lo -j ACCEPT
iptables -A common -j RETURN

# Blacklist: list here the IP addresses/ranges from which no traffic
# is desired
iptables -N blacklist
# iptables -A blacklist -s #.#.#.# -j DROP
iptables -A blacklist -j RETURN

# Incoming:
#
# Handle IP-based blacklisting
iptables -A INPUT -j blacklist
# Sanity check; allow return packets
iptables -A INPUT -j common
# Allow incoming ICMP echo (ping) requests
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#
# Specify here the accepted incoming sessions;
# example: allow ssh in
# iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# example: allow all traffic from a trusted interface
# iptables -A INPUT -i ethX -j ACCEPT
#
# Specify here the incoming requests you want to actively reject
# and not log (f.ex. ident queries from upstream SMTP servers)
# iptables -A INPUT -p tcp -m tcp --dport 113 -s #.#.#.# -j REJECT --reject-with tcp-reset
# For a workstation, just rejecting everything w/o logging makes most
# sense in the majority of cases
iptables -A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
#
# Log&drop all the rest
iptables -A INPUT -j LOG --log-prefix "Forbidden incoming session:"
#
# Specify here the incoming requests you want to actively reject
# after they've been logged -- the rest will just be DROPped
#
###
#
# Outgoing:
#
# Sanity check; allow return packets
iptables -A OUTPUT -j common
# Workstation use -- allow all outgoing traffic after sanity check
iptables -A OUTPUT -j ACCEPT
#
# For a more secure/restricted set-up, comment out the above and
# just accept the desired outbound traffic
#
# Accept ICMP echo (ping) requests and responses
# iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#
# Specify here the accepted outgoing sessions; example: allow pop3 out
# iptables -A OUTPUT -d #.#.#.# -p tcp -m tcp --dport 110 -j ACCEPT
# Allow DNS out; fill in the provider DNS server ip
# iptables -A OUTPUT -d #.#.#.# -p tcp -m tcp --dport 53 -j ACCEPT
# iptables -A OUTPUT -d #.#.#.# -p udp -m udp --dport 53 -j ACCEPT
#
# Log all the rest
#
# iptables -A OUTPUT -j LOG --log-prefix "Forbidden outbound session:"
#
# Actively reject all the rest
# (no "DROP" here; it'd just cause a delay; REJECT terminates the
# session immediately)
#
# iptables -A OUTPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
# iptables -A OUTPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable

--
Wolf a.k.a. Juha Laiho
Espoo, Finland
"...cancel my subscription to the resurrection!" (Jim Morrison)
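As an added example (not code from either poster), the checks in the reply above turned into a small audit over an iptables-save dump: built-in chain policies still at ACCEPT, UDP rules aimed at TCP-only services, and LOG rules with no rate limit (the log-flood point). It assumes the iptables-save line format, treats the ports in TCP_ONLY_PORTS as TCP-only, and both dumps are constructed: one in the style of the original script, one in the default-deny style of the reply.

```shell
# Added example, not from either poster: audit an iptables-save dump for the
# three weaknesses the reply above lists: built-in chain policy left at ACCEPT,
# UDP rules for TCP-only services, and LOG rules with no "-m limit" (so a
# packet flood also floods the log). Each audit_* reads the dump on stdin.
TCP_ONLY_PORTS='20|21|22|23|25|80|110|143'   # FTP, SSH, telnet, SMTP, HTTP, POP3, IMAP

# Constructed dump in the style of the original script (policies never set).
OPEN_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -s 201.0.0.0/8 -j LOGDROP
-A INPUT -p tcp -m tcp --dport 80 -j LOGDROP
-A INPUT -p udp -m udp --dport 80 -j LOGDROP
-A INPUT -p udp -m udp --dport 25 -j LOGDROP
-A INPUT -p udp -m udp --dport 123 -j LOGDROP
-A LOGDROP -j LOG --log-level 4
-A LOGDROP -j DROP
COMMIT'

# Constructed default-deny dump in the style of the reply, LOG rule rate-limited.
DENY_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "Forbidden incoming session:"
COMMIT'

audit_policies() {          # built-in chains whose policy is still ACCEPT
    sed -nE 's/^:(INPUT|FORWARD|OUTPUT) ACCEPT .*/policy-accept \1/p'
}
audit_udp_on_tcp_ports() {  # UDP rules aimed at TCP-only service ports
    grep -E -- '-p udp .*--dport ('"$TCP_ONLY_PORTS"')( |$)' |
        sed -E 's/.*--dport ([0-9]+).*/udp-on-tcp-only-port \1/'
}
audit_unlimited_log() {     # LOG target rules (not the LOGDROP chain) without a rate limit
    grep -E -- '-j LOG( |$)' | grep -v -- '-m limit' |
        sed -E 's/^-A ([^ ]+) .*/unlimited-log \1/'
}
audit_ruleset() {           # run all checks over one dump passed as a string
    for c in audit_policies audit_udp_on_tcp_ports audit_unlimited_log; do printf '%s\n' "$1" | "$c"; done
}
finding_count() { audit_ruleset "$1" | grep -c .; }   # 0 means clean on these checks

audit_ruleset "$OPEN_DUMP"   # 6 findings; finding_count "$DENY_DUMP" gives 0
```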