Firewall Critique - IPTables For Router

The following is a firewall written via BASH and IPTABLES. There is a DHCP-assigned WAN interface, and a single physical connection for the internal network with two IPs bound to it: one for the real network, the 192.168.1.xxx network, and a network 10.0.0.xxx which is populated by VMWare Server machines. How well written is this firewall, scored by US academic scores? (A, B, C, D, F, No credit, go to the principal's office now!!!)

---- START -----
########################################################################
# First set LC_ALL to en to avoid l10n problems when awk-ing IPs etc.
export LC_ALL="en"

########################################################################
# VARIABLE DEFINITION
########################################################################
INTIF1=eth0
EXTIF=eth1
VIRIF=eth0

# ****** Loop device/localhost ******
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"

# ****** Text tools variables ******
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'

# ****** Markable Priorities ******
MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"

# ****** Rates ******
UPRATE="256kbit"
P2PRATE="128kbit"
PRIORATE1="65kbit"
PRIORATE2="46kbit"
PRIORATE3="27kbit"
PRIORATE4="8kbit"

# ****** Quantum ******
QUANTUM1="12187"
QUANTUM2="8625"
QUANTUM3="5062"
QUANTUM4="1500"

# ****** Burst ******
BURST1="6k"
BURST2="4k"
BURST3="2k"
BURST4="0k"
CBURST1="3k"
CBURST2="2k"
CBURST3="1k"
CBURST4="0k"

# ****** Port Definitions ******
IRC='ircd'
MSN=1863
ICQ=5190
NFS='sunrpc'
PORTAGE='rsync'
BT='50000:50100'
NATRANGES='2222 2223 2224 51100:51200 51300:51400 51500:51600 51700:51800'
OpenPGP_HTTP_Keyserver=11371

# ($BTi was a typo for $BT, which is what the UDP list below uses)
TCPSERV="8080 domain rsync ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE $IRC $MSN $ICQ $OpenPGP_HTTP_Keyserver $BT $NATRANGES"

UDPSERV="8080 domain time rsync $BT $NATRANGES"

########################################################################
# PORT BLOCKING RULES
########################################################################
# ****** Common Ports For both UDP and TCP ******
COMBLOCK="0:1 13 98 111 137:139 1214 1999 2049 3049 4329 6346 3128 8000 8008 12345 65535"

# ****** TCP Ports to Block ******
TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"

# ***** UDP Ports To Block ******
UDPBLOCK="$COMBLOCK 520 123 517:518 1427 9000"

########################################################################
# QoS Config
# "QoS is not complete yet as we still need to mark our traffic"
# ***** Example for ICMP *****
# iptables -t mangle -A FORWARD -p icmp -j MARK --set-mark $MARKPRIO1
# iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark $MARKPRIO1
# We will echo this out rather than internal comments for this
# section only...
########################################################################
echo "STARTING QoS Config"

echo "******Set queue length for $EXTIF******"
ifconfig $EXTIF txqueuelen 16

echo "******Specify queue discipline******"
# Remove any qdisc left by a previous run, otherwise "qdisc add" fails on re-run
tc qdisc del dev $EXTIF root 2> /dev/null
tc qdisc add dev $EXTIF root handle 1:0 htb default 103 r2q 1

echo "******Set root class******"
tc class add dev $EXTIF parent 1:0 classid 1:1 htb rate $UPRATE burst $BURST1 cburst $CBURST1

echo "******Specify sub classes*******"
tc class add dev $EXTIF parent 1:1 classid 1:101 htb rate $PRIORATE1 ceil $UPRATE quantum $QUANTUM1 burst $BURST1 cburst $CBURST1 prio 0
tc class add dev $EXTIF parent 1:1 classid 1:102 htb rate $PRIORATE2 ceil $UPRATE quantum $QUANTUM2 burst $BURST2 cburst $CBURST2 prio 1
tc class add dev $EXTIF parent 1:1 classid 1:103 htb rate $PRIORATE3 ceil $UPRATE quantum $QUANTUM3 burst $BURST3 cburst $CBURST3 prio 2
tc class add dev $EXTIF parent 1:1 classid 1:104 htb rate $PRIORATE4 ceil $P2PRATE quantum $QUANTUM4 burst $BURST4 cburst $CBURST4 prio 3

echo "******Filter packets (Effectively translate the priority mark to a class ID)******"
tc filter add dev $EXTIF parent 1:0 protocol ip prio 0 handle $MARKPRIO1 fw classid 1:101
tc filter add dev $EXTIF parent 1:0 protocol ip prio 1 handle $MARKPRIO2 fw classid 1:102
tc filter add dev $EXTIF parent 1:0 protocol ip prio 2 handle $MARKPRIO3 fw classid 1:103
tc filter add dev $EXTIF parent 1:0 protocol ip prio 3 handle $MARKPRIO4 fw classid 1:104

echo "******Add queuing disciplines******"
tc qdisc add dev $EXTIF parent 1:101 sfq perturb 16 quantum $QUANTUM1
tc qdisc add dev $EXTIF parent 1:102 sfq perturb 16 quantum $QUANTUM2
tc qdisc add dev $EXTIF parent 1:103 sfq perturb 16 quantum $QUANTUM3
tc qdisc add dev $EXTIF parent 1:104 sfq perturb 16 quantum $QUANTUM4

########################################################################
# Deny then accept: this keeps holes from opening up
# while we close ports and such. Effectively this means any unmatched
# traffic is DROPPED.
########################################################################
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

########################################################################
# Flush all existing chains and erase personal chains
# "This is to reset the Fail2Ban chain"
########################################################################
# (the list read here is actually the loaded table names, one flush/delete per table)
CHAINS=$(cat /proc/net/ip_tables_names 2>/dev/null)
for i in $CHAINS; do
    $IPT -t $i -F
done
for i in $CHAINS; do
    $IPT -t $i -X
done

########################################################################
# Ensure Firewall Options are on in the kernel
########################################################################
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

########################################################################
# Source Address Verification
########################################################################
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

########################################################################
# Disable IP source routing and ICMP redirects
########################################################################
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done
echo 1 > /proc/sys/net/ipv4/ip_forward

#########################################################################
# Setting up external interface environment variables
# and output Network Settings
#########################################################################
EXTIP="$($IFC $EXTIF | $G addr: | $SED 's/.*addr:\([^ ]*\) .*/\1/')"
EXTBC="255.255.255.255"
EXTMSK="$($IFC $EXTIF | $G Mask: | $SED 's/.*Mask:\([^ ]*\)/\1/')"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"

INTIP1="$($IFC $INTIF1 | $G addr: | $SED 's/.*addr:\([^ ]*\) .*/\1/')"
INTBC1="$($IFC $INTIF1 | $G Bcast: | $SED 's/.*Bcast:\([^ ]*\) .*/\1/')"
INTMSK1="$($IFC $INTIF1 | $G Mask: | $SED 's/.*Mask:\([^ ]*\)/\1/')"
INTNET1="$INTIP1/$INTMSK1"
echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"

# The VM network lives on the alias interface eth0:1
VIRIP="$($IFC $VIRIF:1 | $G addr: | $SED 's/.*addr:\([^ ]*\) .*/\1/')"
VIRBC="$($IFC $VIRIF:1 | $G Bcast: | $SED 's/.*Bcast:\([^ ]*\) .*/\1/')"
VIRMSK="$($IFC $VIRIF:1 | $G Mask: | $SED 's/.*Mask:\([^ ]*\)/\1/')"
VIRNET="$VIRIP/$VIRMSK"
echo "VIRIP=$VIRIP VIRBC=$VIRBC VIRMSK=$VIRMSK VIRNET=$VIRNET"

###########################################
# !!!! BEGIN FIREWALL RULES !!!!
###########################################
#
#      #######            #######
#      #######            #######
#      #######            #######
#      #######            #######
#      #######            #######
#      #######            #######
#      #######            #######
#      #######            #######
#      #######            #######
#      #######            #######
#  ###############    ###############
#   #############      #############
#    ###########        ###########
#     #########          #########
#      #######            #######
#       #####              #####
#        ###                ###
#         #                  #
#
###########################################

#0######################################################################
# CUSTOM LOGGING GROUPS
########################################################################

# ****** Drop LOG *******
# Anything Dropped
# ***********************
$IPT -N LOGDROP 2> /dev/null
$IPT -A LOGDROP -j LOG --log-prefix 'DROP:'
$IPT -A LOGDROP -j DROP

# ****** Reject LOG *******
# Anything Rejected
# ***********************
$IPT -N LOGREJECT 2> /dev/null
$IPT -A LOGREJECT -j LOG --log-prefix 'LOGREJECT:'
$IPT -A LOGREJECT -j REJECT

# ****** Broadcast LOG *******
# Anything Broadcast
# ***********************
$IPT -N LOGBROADCAST 2> /dev/null
$IPT -A LOGBROADCAST -j LOG --log-prefix 'LOGBROADCAST:'
$IPT -A LOGBROADCAST -j REJECT

# ****** Foreign LOG *******
# Wrong Subnet traffic
# ***********************
$IPT -N LOGFOREIGN 2> /dev/null
$IPT -A LOGFOREIGN -j LOG --log-prefix 'LOGFOREIGN:'
$IPT -A LOGFOREIGN -j REJECT

#Q#########################################
# QoS Prioritize Traffic Types
# This section will need a rewrite eventually
###########################################

# ****** Priority 1 *******
# * Critical and System
# *************************

# **********
# ***** icmp
# **********
$IPT -t mangle -A FORWARD -p icmp -j MARK --set-mark $MARKPRIO1
$IPT -t mangle -A OUTPUT -p icmp -j MARK --set-mark $MARKPRIO1

# **********
# ***** SSH
# **********
$IPT -t mangle -A FORWARD -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1
$IPT -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1

# **********
# ***** NON-TCP
# **********
$IPT -t mangle -A FORWARD ! -p tcp -j MARK --set-mark $MARKPRIO1
$IPT -t mangle -A OUTPUT ! -p tcp -j MARK --set-mark $MARKPRIO1

# ****** Priority 2 *******
# * Reserved For Future
# *************************

# ****** Priority 3 *******
# * HTTP Traffic
# *************************

# **********
# ***** HTTP
# **********
$IPT -t mangle -A FORWARD -p tcp --dport 80 -j MARK --set-mark $MARKPRIO3
$IPT -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark $MARKPRIO3

# **********
# ***** HTTPS
# **********
$IPT -t mangle -A FORWARD -p tcp --dport 443 -j MARK --set-mark $MARKPRIO3
$IPT -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark $MARKPRIO3

# **********
# ***** SMTP
# **********
$IPT -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3
$IPT -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3

# ****** Priority 4 *******
# * packets > 1024 bytes
# *************************
$IPT -t mangle -A FORWARD -p tcp -m length --length 1024: -j MARK --set-mark $MARKPRIO4

# **********
# ***** Bittorrent
# **********
$IPT -t mangle -A FORWARD -i $EXTIF -p tcp --sport $BT -j MARK --set-mark $MARKPRIO4
$IPT -t mangle -A FORWARD -i $EXTIF -p tcp --dport $BT -j MARK --set-mark $MARKPRIO4

# ****** TOS Priority *******
# Remaining packets are marked according to TOS
# ***************************
$IPT -t mangle -A FORWARD -p tcp -m tos --tos Minimize-Delay -m mark --mark 0 -j MARK --set-mark $MARKPRIO1
$IPT -t mangle -A FORWARD -p tcp -m tos --tos Maximize-Throughput -m mark --mark 0 -j MARK --set-mark $MARKPRIO2
$IPT -t mangle -A FORWARD -p tcp -m tos --tos Minimize-Cost -m mark --mark 0 -j MARK --set-mark $MARKPRIO4

# Keep Existing Connections Alive on a re-run
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# MASQUERADE RULES
$IPT -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT

# MASQUERADE RULES
$IPT -A INPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -s 10.0.0.0/24 -m state --state NEW -j ACCEPT

# Backup SSH
$IPT -A INPUT -p tcp -m tcp -s 192.168.1.180 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp -d 192.168.1.180 --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Backup EXT SSH
$IPT -A INPUT -p tcp -m tcp -i $EXTIF --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp -o $EXTIF --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

#11#####################################################################
# NAT RULES
########################################################################
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXTIF -s $VIRNET -j MASQUERADE

$IPT -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#1######################################################################
# LOOPBACK RULES
# --------------
# Now we are going to accept all traffic from our loopback device
# if the IP matches any of our interfaces.
########################################################################
$IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $INTIP1 -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $VIRIP -j ACCEPT

#2######################################################################
# BROADCAST RULES (LOG TO LOGBROADCAST)
# ---------------
# Blocking Broadcasts
########################################################################
$IPT -A INPUT -i $EXTIF -d $EXTBC -j LOGBROADCAST
$IPT -A INPUT -i $INTIF1 -d $INTBC1 -j LOGBROADCAST
$IPT -A INPUT -i $VIRIF -d $VIRBC -j LOGBROADCAST

$IPT -A OUTPUT -o $EXTIF -d $EXTBC -j LOGBROADCAST
$IPT -A OUTPUT -o $INTIF1 -d $INTBC1 -j LOGBROADCAST
$IPT -A OUTPUT -o $VIRIF -d $VIRBC -j LOGBROADCAST

$IPT -A FORWARD -o $EXTIF -d $EXTBC -j LOGBROADCAST
$IPT -A FORWARD -o $INTIF1 -d $INTBC1 -j LOGBROADCAST
$IPT -A FORWARD -o $VIRIF -d $VIRBC -j LOGBROADCAST

#3######################################################################
# WAN TO LAN RULES (LOG TO LOGDROP)
# ----------------
# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into our external interface is not addressed to our
# isp-assigned ip address, drop it like a hot potato"
########################################################################
$IPT -A INPUT -i $EXTIF ! -d $EXTIP -j LOGDROP

#5######################################################################
# ALLOW DNS
########################################################################
$IPT -A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT

#6######################################################################
# Block outbound ICMP (except for PING)
########################################################################
$IPT -A OUTPUT -o $EXTIF -p icmp ! --icmp-type 8 -j LOGDROP
$IPT -A FORWARD -o $EXTIF -p icmp ! --icmp-type 8 -j LOGDROP

#7######################################################################
# Loop and Block Ports
########################################################################
echo -n "FW: Blocking attacks to TCP port "
for i in $TCPBLOCK; do
    echo -n "$i "
    $IPT -A INPUT -p tcp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-1-$i"
    $IPT -A OUTPUT -p tcp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-2-$i"
    $IPT -A FORWARD -p tcp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-3-$i"
done
echo ""
echo -n "FW: Blocking attacks to UDP port "
for i in $UDPBLOCK; do
    echo -n "$i "
    $IPT -A INPUT -p udp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-4-$i"
    $IPT -A OUTPUT -p udp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-5-$i"
    $IPT -A FORWARD -p udp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-6-$i"
done
echo ""

#8######################################################################
# Loop and Allow Ports to be used from LAN. THESE ARE NOT NAT RULES!!
# If you are going to NAT a port range you have to add it here also
# All services ports are read from /etc/services
# WHAT DO WE ALLOW PEOPLE INSIDE OUR NETWORK TO USE
########################################################################
echo -n "FW: Allowing inside systems to use service:"
for i in $TCPSERV; do
    echo -n "$i "
    $IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT -m comment --comment "Rule Block 8-1-$i"
    $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 --dport $i --syn -m state --state NEW -j ACCEPT -m comment --comment "Rule Block 8-2-$i"
    $IPT -A FORWARD -i $VIRIF -p tcp -s $VIRNET --dport $i --syn -m state --state NEW -j ACCEPT -m comment --comment "Rule Block 8-3-$i"
done
echo ""
echo -n "FW: Allowing inside systems to use service:"
for i in $UDPSERV; do
    echo -n "$i "
    $IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT -m comment --comment "Rule Block 8-4-$i"
    $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 --dport $i -m state --state NEW -j ACCEPT -m comment --comment "Rule Block 8-5-$i"
    $IPT -A FORWARD -i $VIRIF -p udp -s $VIRNET --dport $i -m state --state NEW -j ACCEPT -m comment --comment "Rule Block 8-6-$i"
done
echo ""

#9######################################################################
# Allow to ping out
########################################################################
$IPT -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $VIRIF -p icmp -s $VIRNET --icmp-type 8 -m state --state NEW -j ACCEPT

#10#####################################################################
# Allow firewall to ping internal systems
########################################################################
$IPT -A OUTPUT -o $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INTIF1 -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -o $VIRIF -p icmp -s $VIRNET --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $VIRIF -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

#12#####################################################################
# NAT Translations (INSERT ON THE FORWARD)
########################################################################

#***********************************************************************
#*Bit Torrent to MOAT***************************************************
#***********************************************************************
$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport $BT -j DNAT --to-destination 192.168.1.180
$IPT -A FORWARD -s 192.168.1.180 -p tcp --dport $BT -j ACCEPT
$IPT -t nat -A PREROUTING -i $EXTIF -p udp --dport $BT -j DNAT --to-destination 192.168.1.180
$IPT -A FORWARD -s 192.168.1.180 -p udp --dport $BT -j ACCEPT

#***********************************************************************
#*SSH To Internal Servers***********************************************
#***********************************************************************
$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 2222 -j DNAT --to-destination 10.0.0.1
$IPT -A FORWARD -s 10.0.0.1 -p tcp --dport 2222 -j ACCEPT
$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 2223 -j DNAT --to-destination 10.0.0.101
$IPT -A FORWARD -s 10.0.0.101 -p tcp --dport 2223 -j ACCEPT
$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 2224 -j DNAT --to-destination 10.0.0.102
$IPT -A FORWARD -s 10.0.0.102 -p tcp --dport 2224 -j ACCEPT

$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 'rsync' -j DNAT --to-destination 10.0.0.1
$IPT -A FORWARD -s 10.0.0.1 -p tcp --dport 'rsync' -j ACCEPT
$IPT -t nat -A PREROUTING -i $EXTIF -p udp --dport 'rsync' -j DNAT --to-destination 10.0.0.1
# (the FORWARD rule for the UDP DNAT was a copy of the TCP one; it must match udp)
$IPT -A FORWARD -s 10.0.0.1 -p udp --dport 'rsync' -j ACCEPT
########################################################################

# Comms between the Local Lan and the VM lan. For now, unrestricted
$IPT -A FORWARD -s $INTNET1 -d $VIRNET -j ACCEPT
$IPT -A FORWARD -s $VIRNET -d $INTNET1 -j ACCEPT

#4######################################################################
# FOREIGN LAN RULES (LOG TO LOGFOREIGN)
# Now we will block internal addresses originating from anything but our
# two predefined interfaces.....just remember that if you jack your
# laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line explicitly
# for that IP as well
# Interface one/internal net one
# These rules don't seem to work as the source should be a network not an address
# plus with two different subnets bound to the same IF these would implode and
# possess the toaster resulting in mayhem, anarchy, and a 3's Company revival
########################################################################
#$IPT -A INPUT -i $INTIF1 ! -s $INTNET1 -j LOGFOREIGN
#$IPT -A OUTPUT -o $INTIF1 ! -d $INTNET1 -j LOGFOREIGN
#$IPT -A FORWARD -i $INTIF1 ! -s $INTNET1 -j LOGFOREIGN
#$IPT -A FORWARD -o $INTIF1 ! -d $INTNET1 -j LOGFOREIGN

#$IPT -A INPUT -i $VIRIF ! -s $VIRNET -j LOGFOREIGN
#$IPT -A OUTPUT -o $VIRIF ! -d $VIRNET -j LOGFOREIGN
#$IPT -A FORWARD -i $VIRIF ! -s $VIRNET -j LOGFOREIGN
#$IPT -A FORWARD -o $VIRIF ! -d $VIRNET -j LOGFOREIGN

# An additional Egress check
$IPT -A OUTPUT -o $EXTIF ! -s $EXTNET -j LOGFOREIGN

#13#####################################################################
# Block and log what we may have forgotten (APPEND)
########################################################################
$IPT -A INPUT -j LOGDROP
$IPT -A OUTPUT -j LOGREJECT
$IPT -A FORWARD -j LOGDROP

--- SNIP----

Reply to
Idgarad

I'm not going to grade this, but rather comment on some points I noticed.

Setting the default policies to DROP is good. However, you don't set default policies for the other chains (e.g. the PRE- and POSTROUTING chains in the nat and mangle table). Also the very first thing you should do after variable definitions (IMHO) is to disable IP-forwarding. You can re-enable it after the default policies are set.

[...]

I prefer to set the options before I set the default policies, but that's probably just a personal preference. Aside from that here's a nice little something I've seen a while ago, which makes setting the options a little more human-readable:

enable() {
    for option in "$@"; do
        echo "1" > $option
    done
}

disable() {
    for option in "$@"; do
        echo "0" > $option
    done
}

disable /proc/sys/net/ipv4/ip_forward

enable /proc/sys/net/ipv4/tcp_syncookies
enable /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
enable /proc/sys/net/ipv4/conf/*/rp_filter
...

enable /proc/sys/net/ipv4/ip_forward

[...]

I'd be more specific about the rejections:

$IPT -A LOGREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPT -A LOGREJECT -p udp -j REJECT --reject-with icmp-port-unreachable

[...]

I prefer to sort my rules by chain (i.e. first set all the rules for the INPUT chain, then all the rules for the OUTPUT chain, ...).

Above you set a great deal of variables, but here you write addresses as literals. I'd rather set variables for these as well. Also you're using "/24" as the netmask here, whereas you have used "/255.0.0.0" above. I suggest using either one or the other to keep the notation consistent.

The OUTPUT rules are superfluous since you already allowed all ESTABLISHED,RELATED traffic. And since you allow SSH from any host on the external interface I'd just allow SSH from any host on the internal interface as well (unless there are serious reasons not to).

[...]

Is there any reason to not just accept any traffic on the loopback interface and be done with it?

[...]

Ping needs not only ICMP type 8 (echo-request) but also ICMP type 0 (echo-reply). You may want to allow some other types (e.g. 3 or 12) as well.

Use REJECT rather than DROP, and unless you are in dire need of knowing when access to these ports was denied I wouldn't log it anyway. It just increases the size of your logs.

[...]

"--syn" and "--state NEW" are equivalent. You need only one of them.

[...]

I'm not sure if "state" applies to ICMP packets.

So you're allowing SSH from any host on the other interfaces as well. Why did you make four rules instead of just one?

$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Aside from that: keep your rules simple. You're making things way too complicated.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
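The review points above, applied to a minimal router policy, as an added example that is neither the OP's script nor the reviewer's code: forwarding is switched off before the policy is loaded and back on afterwards; every table, nat and mangle included, gets explicit chain policies; LOGREJECT answers TCP with a reset and UDP with port-unreachable; rules are grouped by chain; one SSH rule serves every interface; loopback is accepted outright; and ICMP types 0, 3, 8, 11 and 12 are allowed in. The ruleset is emitted in iptables-restore format so it loads atomically. Interface names, networks and the admin port are assumptions for this example; the sysctl helpers are the reply's enable()/disable() under different names, because bash has a builtin called enable.

```bash
#!/bin/bash
# Added example (not the OP's script): a small router policy written along
# the lines of the review comments. Interfaces/networks below are assumptions.
set -u

EXTIF=${EXTIF:-eth1}
INTIF=${INTIF:-eth0}
INTNET=${INTNET:-192.168.1.0/24}
VIRNET=${VIRNET:-10.0.0.0/24}
ADMIN_PORT=${ADMIN_PORT:-22}

# The reply's enable()/disable() helpers, renamed so they cannot collide
# with the bash builtin "enable".
sysctl_on()  { for option in "$@"; do echo 1 > "$option"; done; }
sysctl_off() { for option in "$@"; do echo 0 > "$option"; done; }

# Kernel settings in the reply's order: stop forwarding first, harden, and
# only re-enable forwarding once the policy is in place (see load_policy).
harden_kernel() {
    sysctl_off /proc/sys/net/ipv4/ip_forward
    sysctl_on  /proc/sys/net/ipv4/tcp_syncookies \
               /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts \
               /proc/sys/net/ipv4/conf/*/rp_filter
    sysctl_off /proc/sys/net/ipv4/conf/*/accept_source_route \
               /proc/sys/net/ipv4/conf/*/accept_redirects
}

# Whole policy in iptables-restore format, one table and one chain at a time.
# Every built-in chain gets an explicit policy, including nat and mangle.
build_ruleset() {
cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
-A POSTROUTING -o $EXTIF -s $VIRNET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGREJECT - [0:0]
# rate-limited log line, then a protocol-appropriate rejection
-A LOGREJECT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "LOGREJECT:"
-A LOGREJECT -p tcp -j REJECT --reject-with tcp-reset
-A LOGREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A LOGREJECT -j REJECT
# INPUT: loopback, state, one admin rule for all interfaces, useful ICMP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $ADMIN_PORT -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
-A INPUT -j LOGREJECT
# FORWARD: state, then what the inside networks may initiate outbound
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INTIF -o $EXTIF -s $INTNET -m state --state NEW -j ACCEPT
-A FORWARD -i $INTIF -o $EXTIF -s $VIRNET -m state --state NEW -j ACCEPT
-A FORWARD -j LOGREJECT
# OUTPUT: the router itself may start connections; replies come back by state
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
-A OUTPUT -j LOGREJECT
COMMIT
EOF
}

# How many rules accept new inbound SSH: the review's point is that one
# interface-independent rule replaces the OP's four.
ssh_rule_count() {
    build_ruleset | grep -c -- "-A INPUT -p tcp --dport $ADMIN_PORT -m state --state NEW -j ACCEPT"
}

# Apply (root): harden, load the whole policy atomically, then forward again.
load_policy() {
    harden_kernel
    build_ruleset | iptables-restore || return 1
    sysctl_on /proc/sys/net/ipv4/ip_forward
}

if [ "${1:-}" = "--apply" ]; then
    load_policy
else
    build_ruleset    # dry run: print the policy that would be loaded
fi
```

Run without arguments to print the policy for review; `--apply` loads it. Because the policy is a single iptables-restore document, either all of it is loaded or none of it, which is what makes the DROP policies safe to set first.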

No disrespect, but....

Like all hand crafted IPTables policies of more than 5 lines it's an unmaintainable nightmare when compared to the alternatives.

I would prefer to have teeth pulled with a rusty molegrips than to have to face managing it everyday.

greg

Reply to
Greg Hennessy

Wrong. It can be if you do it the wrong way (like the OP did), but that's not necessarily so.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Which, considering the execrable, unintuitive user interface, is not surprising.

Au contraire, it cannot be syntax checked before loading the policy, therefore a simple typo has the very real potential to completely hose a production installation.

Enterprise change management of anything other than a trivial IPTables policy is a nightmare, especially when that policy is managed by more than one set of eyes.

BTDTGTTS.

greg

Reply to
Greg Hennessy

Greg Hennessy wrote: [IPTables]

Of course it can.

Only if you're very dumb.

Scripting has many advantages. You know what you're doing.

Yours, VB.

Reply to
Volker Birk

Are you really going to claim that the above mishmash of shell and random macro expanded line noise can be syntax checked in its entirety before any part of it is loaded to replace the currently running policy ?

Please elucidate.

Anyone who suggests loading a.n. other piece of software to provide functionality which should be there by default will be laughed at derisively.

Ahh, the stock retort of those who allegedly know it all.

Meanwhile back in the real world typos can and do happen with annoying regularity.

To assert otherwise is asinine.

There are far better packet filtering solutions than IPtables out there, get over it.

greg

Reply to
Greg Hennessy
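On the question of checking a policy before it replaces the running one: an added example, not from the thread, of the two safety nets available when the policy is kept in iptables-restore format. An offline lint catches the structural mistakes that make a load abort part-way (a rule before any table header, a table without COMMIT, a stray line), `iptables-restore --test` has the kernel-side parser build the ruleset without committing it (on releases that support the option), and a rollback timer puts the saved policy back unless the change is confirmed, so a typo that locks the admin out undoes itself. The sample ruleset is constructed for this example and eth1 is an assumed interface name.

```bash
#!/bin/bash
# Added example (not the thread's code): pre-load checks and a self-reverting
# loader for an iptables-restore style ruleset.
set -u

# Constructed sample policy; eth1 is an assumption.
sample_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Offline structural lint (no root, no kernel). Exit status 1 on any error:
# rule or policy outside a "*table" block, table without COMMIT, COMMIT
# outside a table, or a line that is none of header/policy/rule/comment/blank.
lint_ruleset() {
    awk '
        /^[*]/       { if (in_table) { print "missing COMMIT before " $0; bad = 1 }
                       in_table = 1; next }
        /^COMMIT$/   { if (!in_table) { print "COMMIT outside a table"; bad = 1 }
                       in_table = 0; next }
        /^[:-]/      { if (!in_table) { print "rule outside a table: " $0; bad = 1 }
                       next }
        /^#/ || /^$/ { next }
                     { print "unparsable line: " $0; bad = 1 }
        END          { if (in_table) { print "table without COMMIT"; bad = 1 }
                       exit bad }
    '
}

# Offline lint first; then, when running as root with an iptables-restore
# that has --test, the kernel-side parse without committing anything.
check_ruleset() {
    local file=$1
    lint_ruleset <"$file" || return 1
    if [ "$(id -u)" = 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test <"$file" || return 1
    fi
    return 0
}

# Load with a safety net: save the live policy, apply the new one atomically,
# and after $grace seconds put the saved one back unless confirm_policy was
# called. Prints the token that confirm_policy needs.
apply_with_rollback() {
    local file=$1 grace=${2:-90} backup
    check_ruleset "$file" || return 1
    backup=$(mktemp /tmp/iptables-rollback.XXXXXX) || return 1
    iptables-save >"$backup" || return 1
    if ! iptables-restore <"$file"; then
        iptables-restore <"$backup"   # load failed: go straight back
        return 1
    fi
    ( sleep "$grace"; [ -e "$backup" ] && iptables-restore <"$backup" ) &
    echo "$backup"
}

# Removing the saved policy disarms the pending rollback.
confirm_policy() { rm -f "$1"; }

if [ $# -eq 0 ]; then
    sample_ruleset | lint_ruleset && echo "sample ruleset: structure OK"
fi
```

The usual workflow is `token=$(apply_with_rollback new.rules 90)`, then log in over the new policy and run `confirm_policy "$token"`; if the login fails, the old policy returns by itself after 90 seconds. The lint is deliberately narrow: it knows the file format, not iptables' option syntax, so `--test` (or a staging host, as the OP's later reply describes) is still what catches a misspelled match or target.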

Yes. But this would not be sensible. There are much more sensible ways to script it.

Maybe. But netfilter is very practical. And it's Free Software.

Yours, VB.

Reply to
Volker Birk

You know you could have avoided the whole argument by simply replying with "F" or "D-" :)

Part of the reason to use a script (to interject some additional ammo for you two) was to integrate the HTB and QoS options into a single script. While I am open to any suggestions on better ways to manage it, IPTables is a requirement. Originally we were using FWBuilder to manage it, but when, over time, strange things began to happen, the way FWBuilder crafts its script was a support nightmare. Thus they wanted something more hand-crafted for easier support.

Concerning Greg and VB's mini-flame, I can add one thing for the two of you to bounce around per your comments regarding production environments. Regardless of the approach taken, who in their right mind would promote untested configurations (regardless of what it is) into production without testing? Regardless of the implementation, I would assume that it would first be put through some paces either in a test environment (we use a VMWare virtual network hosted on a machine in the DMZ to test configurations; those systems also serve as our honey-pots) or at least some form of change control. Even when we used hardware firewalls like those bloody Watchguards and Pix we had two and always tested configurations on the secondary firewall.

Now please continue your enthusiastic discussion. I am learning quite a bit...

Reply to
Idgarad

Sorry, but I did not want to flame.

Yours, VB.

Reply to
Volker Birk

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.