SidVicious
04-20-2002, 01:22 AM
This is a set of rules I am working on. It will be setup as an iptables script when I am done, but I would like comments on them to see what other people think:
#!/bin/sh
###########################################################
##We are going to make sure these rules are the only rules
##we use to allow or block traffic
echo Flushing old rules
/sbin/iptables -A INPUT -F
/sbin/iptables -A FORWARD -F
/sbin/iptables -A OUTPUT -F
##If you have physical access to a console on the machine
##you are firewalling uncomment the next lines
#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -P OUTPUT DROP
##If you do not have physical access you will lock yourself
##completely out of the machine and not be able to get back
##in. We are serious, this is not a joke.
##Done flushing tables
###########################################################
###########################################################
##These rules will kill attempted SYN floods by setting up
##a new chain and comparing packet against it
echo We need to kill SYN floods
/sbin/iptables -N syn-flood
/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
/sbin/iptables -A syn-flood -j DROP
##Done stopping SYN floods
###########################################################
###########################################################
## These rules kill fragemented packets
echo Dropping fragmented packets
/sbin/iptables -A INPUT -i eth0 -f -j LOG --log-prefix "****Fragments Dropped: "
/sbin/iptables -A INPUT -i eth0 -f -j DROP
##Done dropping fragmented packets
###########################################################
###########################################################
##Making sure all new tcp connections have SYN bit set
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
##Done setting new connection rules
###########################################################
###########################################################
##We are allowing localhost to connect for now
##We assume interface lo to be trusted
echo Allowing necessary traffic
/sbin/iptables -A INPUT -i lo -p all -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
##Done setting up localhost
###########################################################
###########################################################
##The following rules allow http, https,
##Webmin, SSH, ports 60000-65535 for protfpd,
##smtp, and pop3, ftp incoming, and ftp data
##as well as logging SSH and Webmin connections
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 22 -j LOG --log-prefix "****SSH: "
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 80 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 8686 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 20 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 21 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 60000: -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 25 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 110 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 443 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 22 -j LOG --log-prefix "****SSH: "
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 80 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 8686 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 20 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 21 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 60000: -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 25 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 110 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 443 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 22 -j LOG --log-prefix "****SSH: "
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 22 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 8686 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 20 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 21 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 60000: -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 25 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 110 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 443 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 22 -j LOG --log-prefix "****SSH: "
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 22 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 8686 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 20 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 21 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 60000: -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 25 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 110 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 443 -j ACCEPT
##Unless we run IMAP this stays commented
#/sbin/iptables -A INPUT -p tcp --syn --destination-port 143 -j ACCEPT
##We are allowing DNS queries
/sbin/iptables -A INPUT -o eth0 -p udp --source-port 53 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --source-port 53 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 53 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED -j ACCEPT
##Done allowing traffic
###########################################################
echo Done allowing traffic now lockin down.
###########################################################
##We now drop everything that doesn't match and some stuff
##explicitly just to make sure
##These rules block and log known spoofed IP addresses
/sbin/iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j LOG --log-prefix "****Non-routable: "
/sbin/iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j REJECT
/sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "****Non-routable: "
/sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j REJECT
/sbin/iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "****Non-routable: "
/sbin/iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j REJECT
/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "****Non-routable:"
/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j REJECT
/sbin/iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "****Non-routable: "
/sbin/iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j REJECT
/sbin/iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "****Non-routable:"
/sbin/iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j REJECT
##We block all external connects to MySQL
/sbin/iptables -A INPUT -p tcp --destination-port 3306 -j REJECT
/sbin/iptables -A INPUT -p udp --destination-port 3306 -j REJECT
##Dropping everything else
/sbin/iptables -A INPUT -p tcp --syn -j LOG --log-prefix "****Dropped TCP: "
/sbin/iptables -A INPUT -p tcp --syn -j DROP
/sbin/iptables -A INPUT -p icmp --syn -j LOG --log-prefix "****Dropped ICMP: "
/sbin/iptables -A INPUT -p icmp -j DROP
/sbin/iptables -A INPUT -p udp --syn -j LOG --log-prefix "****Dropped UDP: "
/sbin/iptables -A INPUT -p udp -j DROP
##Done dropping traffic
###########################################################
###########################################################
##These rules set the default for the rulesets
##Comment these out if you are on a local box
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
##Default rules set
###########################################################
exit 0
this is setup to run as a shell script, if you test these on your server, I highly reccomend that you creat a cron to clear the rules in case you lock yourself out, you will also need a cron to reset the default for the tables to accept. If you don't know what I am talking about I wouldn't reccomed using these rules as they are in testing.
#!/bin/sh
###########################################################
##We are going to make sure these rules are the only rules
##we use to allow or block traffic
echo Flushing old rules
/sbin/iptables -A INPUT -F
/sbin/iptables -A FORWARD -F
/sbin/iptables -A OUTPUT -F
##If you have physical access to a console on the machine
##you are firewalling uncomment the next lines
#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -P OUTPUT DROP
##If you do not have physical access you will lock yourself
##completely out of the machine and not be able to get back
##in. We are serious, this is not a joke.
##Done flushing tables
###########################################################
###########################################################
##These rules will kill attempted SYN floods by setting up
##a new chain and comparing packet against it
echo We need to kill SYN floods
/sbin/iptables -N syn-flood
/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
/sbin/iptables -A syn-flood -j DROP
##Done stopping SYN floods
###########################################################
###########################################################
## These rules kill fragemented packets
echo Dropping fragmented packets
/sbin/iptables -A INPUT -i eth0 -f -j LOG --log-prefix "****Fragments Dropped: "
/sbin/iptables -A INPUT -i eth0 -f -j DROP
##Done dropping fragmented packets
###########################################################
###########################################################
##Making sure all new tcp connections have SYN bit set
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
##Done setting new connection rules
###########################################################
###########################################################
##We are allowing localhost to connect for now
##We assume interface lo to be trusted
echo Allowing necessary traffic
/sbin/iptables -A INPUT -i lo -p all -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
##Done setting up localhost
###########################################################
###########################################################
##The following rules allow http, https,
##Webmin, SSH, ports 60000-65535 for protfpd,
##smtp, and pop3, ftp incoming, and ftp data
##as well as logging SSH and Webmin connections
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 22 -j LOG --log-prefix "****SSH: "
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 80 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 8686 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 20 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 21 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 60000: -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 25 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 110 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --destination-port 443 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 22 -j LOG --log-prefix "****SSH: "
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 80 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 8686 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 20 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 21 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 60000: -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 25 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 110 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 443 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 22 -j LOG --log-prefix "****SSH: "
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 22 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 8686 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 20 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 21 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 60000: -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 25 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 110 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 443 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 22 -j LOG --log-prefix "****SSH: "
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 22 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 8686 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 20 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 21 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 60000: -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 25 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 110 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 443 -j ACCEPT
##Unless we run IMAP this stays commented
#/sbin/iptables -A INPUT -p tcp --syn --destination-port 143 -j ACCEPT
##We are allowing DNS queries
/sbin/iptables -A INPUT -o eth0 -p udp --source-port 53 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --source-port 53 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 53 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED -j ACCEPT
##Done allowing traffic
###########################################################
echo Done allowing traffic now lockin down.
###########################################################
##We now drop everything that doesn't match and some stuff
##explicitly just to make sure
##These rules block and log known spoofed IP addresses
/sbin/iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j LOG --log-prefix "****Non-routable: "
/sbin/iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j REJECT
/sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "****Non-routable: "
/sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j REJECT
/sbin/iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "****Non-routable: "
/sbin/iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j REJECT
/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "****Non-routable:"
/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j REJECT
/sbin/iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "****Non-routable: "
/sbin/iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j REJECT
/sbin/iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "****Non-routable:"
/sbin/iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j REJECT
##We block all external connects to MySQL
/sbin/iptables -A INPUT -p tcp --destination-port 3306 -j REJECT
/sbin/iptables -A INPUT -p udp --destination-port 3306 -j REJECT
##Dropping everything else
/sbin/iptables -A INPUT -p tcp --syn -j LOG --log-prefix "****Dropped TCP: "
/sbin/iptables -A INPUT -p tcp --syn -j DROP
/sbin/iptables -A INPUT -p icmp --syn -j LOG --log-prefix "****Dropped ICMP: "
/sbin/iptables -A INPUT -p icmp -j DROP
/sbin/iptables -A INPUT -p udp --syn -j LOG --log-prefix "****Dropped UDP: "
/sbin/iptables -A INPUT -p udp -j DROP
##Done dropping traffic
###########################################################
###########################################################
##These rules set the default for the rulesets
##Comment these out if you are on a local box
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
##Default rules set
###########################################################
exit 0
this is setup to run as a shell script, if you test these on your server, I highly reccomend that you creat a cron to clear the rules in case you lock yourself out, you will also need a cron to reset the default for the tables to accept. If you don't know what I am talking about I wouldn't reccomed using these rules as they are in testing.