2005-04-19, 11:17 PM
I'm going to show you a current set of rules I have for a firewall on a machine that is acting as a gateway.
eth0 is the private network with hosts that use this machine as a gateway.
eth1 is the internet access network.
eth0 has an interface of 192.168.10.1, static for the private network.
eth1 has an interface of 192.168.1.169, although when this goes into a production environment this will become a publicly routable address or the address assigned by a DSL/cable modem.
There are a lot of comments preceding the rules that should clarify what I am doing, but if you get confused or have any questions, feel free to ask.
This is still a work in progress, so not all of my table/chain policies are exactly the way they will be in the final version.
Code:
# Generated by iptables-save v1.2.9 on Fri Apr 30 02:26:35 2004
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BANNED - [0:0]
:LDROP - [0:0]
# example ban, dropped but logged first
#-A PREROUTING -s 1.2.3.4 -j BANNED
# example, not logged just dropped
#-A PREROUTING -s 2.3.4.5 -j DROP
#
-A PREROUTING -p tcp --dport 22 -j ACCEPT
-A PREROUTING -i eth0 -p tcp --dport 53 -j ACCEPT
-A PREROUTING -i eth0 -p udp --dport 53 -j ACCEPT
#-A PREROUTING -i eth1 -p tcp --sport 0:19 -j LDROP
#-A PREROUTING -i eth1 -p tcp --dport 0:19 -j LDROP
# kill DHCP, don't even log it
-A PREROUTING -i eth1 -p udp --sport 67:68 --dport 67:68 -j DROP
# evil Windows! this is actually the port range for Windows file sharing (Samba included)
# drop and don't bother logging
-A PREROUTING -i eth1 -p tcp --dport 135:139 -j DROP
-A PREROUTING -i eth1 -p udp --dport 135:139 -j DROP
# seeing some traffic hitting broadcast via udp, got tired of seeing it in the logs.
-A PREROUTING -i eth1 -p udp -d 255.255.255.255 -j DROP
# punched a hole to allow access to gkrellm for monitoring
-A PREROUTING -i eth1 -p tcp --dport 19150 -j ACCEPT
# for a very strict firewall, this would be a good place to drop anything you weren't explicitly expecting.
#-A PREROUTING -i eth1 -j LDROP
# this rule is very important, if the public interface address for eth1 changes, you must update this rule
# if this is going to be a dynamic address, you should just switch to MASQ instead of SNAT
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source 192.168.1.169
# setup the BANNED chain
-A BANNED -p tcp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (tcp) " --log-level info
-A BANNED -p udp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (udp) " --log-level info
-A BANNED -p icmp -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (icmp) " --log-level info
-A BANNED -f -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "pre-BANNED (fragment) " --log-level info
-A BANNED -j DROP
# setup the LOG & DROP chain
-A LDROP -p tcp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (tcp) " --log-level info
-A LDROP -p udp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (udp) " --log-level info
-A LDROP -p icmp -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (icmp) " --log-level info
-A LDROP -f -m limit --limit 30/min --limit-burst 3 -j LOG --log-prefix "pre-DROPPED (fragment) " --log-level info
-A LDROP -j DROP
COMMIT
# Generated by iptables-save v1.2.9 on Fri Apr 30 02:26:35 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCPCHK - [0:0]
:ICMPCHK - [0:0]
:INETIN - [0:0]
:INETOUT - [0:0]
:LDROP - [0:0]
:MARTIAN - [0:0]
# internal network - disable this for production use (where the inet interface isn't 192.168.1/24)
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j INETIN
# as per draft-manning-dsua-03.txt, IANA Special Use Address blocks and NFC (no fscking clue)
# 0.0.0.0 - 0.255.255.255 (0/8 prefix) RESERVED-1 IANA SUA
# 127.0.0.0 - 127.255.255.255 (127/8 prefix) LOOPBACK IANA SUA
# 192.0.2.0 - 192.0.2.255 (192.0.2/24 prefix) NET-TEST IANA SUA
# 10.0.0.0 - 10.255.255.255 (10/8 prefix) CLASS A private networks RFC1918
# 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) CLASS B private networks RFC1918
# 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) CLASS C private networks RFC1918
# 224.0.0.0 - 239.255.255.255 (224/4 prefix) CLASS D multicast addresses RFC1166
# 240.0.0.0 - 247.255.255.255 (240/5 prefix) CLASS E reserved addresses RFC1166
# 248.0.0.0 - 255.255.255.255 (248/5 prefix) CLASS E reserved addresses RFC1166
# 169.254.0.0 - 169.254.255.255 (169.254/16 prefix) AUTOCONFIGURATION NFC
-A INPUT -s 0.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 192.0.2.0/255.255.255.0 -i eth1 -j MARTIAN
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth1 -j MARTIAN
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth1 -j MARTIAN
-A INPUT -s 224.0.0.0/240.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 240.0.0.0/248.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 248.0.0.0/248.0.0.0 -i eth1 -j MARTIAN
-A INPUT -s 169.254.0.0/255.255.0.0 -i eth1 -j MARTIAN
#
-A INPUT -i eth1 -j INETIN
-A INPUT -i lo -j ACCEPT
# private local network (eth0)
-A INPUT -s 192.168.10.0/255.255.255.0 -i eth0 -j ACCEPT
#
-A FORWARD -i eth1 -o eth0 -j INETIN
-A FORWARD -s 192.168.10.0/255.255.255.0 -o eth1 -j INETOUT
-A FORWARD -j LDROP
-A OUTPUT -o eth1 -j INETOUT
-A OUTPUT -o eth0 -j ACCEPT
-A TCPCHK -p tcp --tcp-flags ALL NONE -m limit --limit 30/min -j LOG --log-prefix "NULL scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL NONE -j DROP
-A TCPCHK -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 30/min -j LOG --log-prefix "XMAS scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 30/min -j LOG --log-prefix "FIN scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,URG URG -m limit --limit 30/min -j LOG --log-prefix "URG scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,URG URG -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 30/min -j LOG --log-prefix "PSH scan " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A TCPCHK -p tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 30/min -j LOG --log-prefix "SYN/FIN scan " --log-level info
-A TCPCHK -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 30/min -j LOG --log-prefix "SYN/RST scan " --log-level info
-A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A TCPCHK -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 30/min -j LOG --log-prefix "FIN/RST scan " --log-level info
-A TCPCHK -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# RETURN (not ACCEPT) here: ACCEPT inside a user-defined chain ends traversal of the whole
# INPUT/FORWARD chain, which would let every rate-limited SYN in on any port and make the
# per-port rules in INETIN unreachable for new connections. RETURN hands in-limit SYNs back
# to INETIN; only the excess is logged and dropped by the two rules that follow.
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -m limit --limit 10/sec -j RETURN
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -m limit --limit 2/min --limit-burst 1 -j LOG --log-prefix "possible SYN scan/flood " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state NEW -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -m limit --limit 30/min -j LOG --log-prefix "PSH,ACK w/ RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ALL -m limit --limit 30/min -j LOG --log-prefix "ALL tcp-flags " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ALL -j DROP
-A TCPCHK -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 30/min -j LOG --log-prefix "SYN,FIN " --log-level info
-A TCPCHK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 30/min -j LOG --log-prefix "SYN,RST " --log-level info
-A TCPCHK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A TCPCHK -p tcp --tcp-flags RST,FIN RST,FIN -m limit --limit 30/min -j LOG --log-prefix "RST,FIN " --log-level info
-A TCPCHK -p tcp --tcp-flags RST,FIN RST,FIN -j DROP
-A TCPCHK -p tcp --tcp-flags SYN,URG SYN,URG -m limit --limit 30/min -j LOG --log-prefix "SYN,URG " --log-level info
-A TCPCHK -p tcp --tcp-flags SYN,URG SYN,URG -j DROP
-A TCPCHK -p tcp --tcp-flags ALL PSH,SYN -m limit --limit 30/min -j LOG --log-prefix "PSH,SYN " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL PSH,SYN -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,SYN -m limit --limit 30/min -j LOG --log-prefix "ACK,PSH,SYN " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,SYN -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 30/min -j LOG --log-prefix "PSH w/o ACK " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,URG URG -m limit --limit 30/min -j LOG --log-prefix "URG w/o ACK " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,URG URG -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN NONE -m limit --limit 30/min -j LOG --log-prefix "no ACK, RST, or SYN " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN NONE -j DROP
-A TCPCHK -p tcp --tcp-flags ALL RST -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "RST w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,SYN NONE -m limit --limit 30/min -j LOG --log-prefix "no ACK, no SYN " --log-level info
-A TCPCHK -p tcp --tcp-flags ACK,SYN NONE -j DROP
-A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state NEW -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state RELATED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -m limit --limit 30/min -j LOG --log-prefix "SYN w/ ESTABLISHED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,SYN w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,SYN -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL FIN,ACK -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,FIN w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state NEW -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,RST w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,RST -m state --state RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,PSH,RST w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state ESTABLISHED -j RETURN
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "ACK,FIN,PSH w/ NEW,RELATED " --log-level info
-A TCPCHK -p tcp --tcp-flags ALL ACK,FIN,PSH -m state --state NEW,RELATED -j DROP
-A TCPCHK -p tcp -m state --state INVALID -m limit --limit 30/min -j LOG --log-prefix "INVALID state " --log-level info
-A TCPCHK -p tcp -m state --state INVALID -j DROP
#
-A ICMPCHK -p icmp --icmp-type 5 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP redirect " --log-level info
-A ICMPCHK -p icmp --icmp-type 5 -j DROP
-A ICMPCHK -p icmp --icmp-type 9 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP router advertisement " --log-level info
-A ICMPCHK -p icmp --icmp-type 9 -j DROP
-A ICMPCHK -p icmp --icmp-type 10 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP router solicitation " --log-level info
-A ICMPCHK -p icmp --icmp-type 10 -j DROP
-A ICMPCHK -p icmp --icmp-type 13 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP timestamp request " --log-level info
-A ICMPCHK -p icmp --icmp-type 13 -j DROP
-A ICMPCHK -p icmp --icmp-type 14 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP timestamp reply " --log-level info
-A ICMPCHK -p icmp --icmp-type 14 -j DROP
-A ICMPCHK -p icmp --icmp-type 15 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP info request " --log-level info
-A ICMPCHK -p icmp --icmp-type 15 -j DROP
-A ICMPCHK -p icmp --icmp-type 16 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP info reply " --log-level info
-A ICMPCHK -p icmp --icmp-type 16 -j DROP
-A ICMPCHK -p icmp --icmp-type 17 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP address mask request " --log-level info
-A ICMPCHK -p icmp --icmp-type 17 -j DROP
-A ICMPCHK -p icmp --icmp-type 18 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP address mask reply " --log-level info
-A ICMPCHK -p icmp --icmp-type 18 -j DROP
-A ICMPCHK -p icmp --icmp-type 8 -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A ICMPCHK -p icmp --icmp-type 8 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP excessive pings " --log-level info --log-tcp-sequence
-A ICMPCHK -p icmp --icmp-type 8 -j DROP
-A ICMPCHK -p icmp ! --icmp-type 8 -m limit --limit 5/min --limit-burst 1 -j LOG --log-prefix "ICMP allowed " --log-level info
-A ICMPCHK -p icmp ! --icmp-type 8 -j ACCEPT
-A INETIN -p tcp -j TCPCHK
-A INETIN -p icmp -j ICMPCHK
-A INETIN -m state --state ESTABLISHED -j ACCEPT
-A INETIN -p tcp -m state --state RELATED --dport 1024:65535 -j ACCEPT
-A INETIN -p udp -m state --state RELATED --dport 1024:65535 -j ACCEPT
# allow dns
-A INETIN -p tcp --dport 53 -j ACCEPT
-A INETIN -p udp --dport 53 -j ACCEPT
# allow ssh
-A INETIN -p tcp --dport 22 -j ACCEPT
# gkrellm
-A INETIN -p tcp --dport 19150 -j ACCEPT
#
# default policy = log and drop
-A INETIN -p tcp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (tcp) " --log-level info
-A INETIN -p udp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (udp) " --log-level info
-A INETIN -p icmp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (icmp) " --log-level info
-A INETIN -f -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (fragment) " --log-level info
# this is the chain's effective DROP policy: user-defined chains cannot carry a policy of their own (hence the "-" in ":INETIN -" above), so the final DROP has to be an explicit rule
-A INETIN -j DROP
# example drop in INETOUT chain
#-A INETOUT -d 1.2.3.4 -p tcp -j DROP
-A INETOUT -j ACCEPT
-A LDROP -p tcp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (tcp) " --log-level info
-A LDROP -p udp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (udp) " --log-level info
-A LDROP -p icmp -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (icmp) " --log-level info
-A LDROP -f -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "DROPPED (fragment) " --log-level info
-A LDROP -j DROP
-A MARTIAN -m limit --limit 30/min --limit-burst 2 -j LOG --log-prefix "martian network " --log-level info
-A MARTIAN -j DROP
COMMIT
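The rate-limited SYN rule in TCPCHK is the one place in this ruleset where the choice between ACCEPT and RETURN decides what the whole INPUT chain does: a verdict reached inside a user-defined chain is final for the built-in chain that jumped to it, so an ACCEPT there skips every later rule in INETIN, including the per-port allow rules and the "DROPPED by policy" logging. The following Python is an added example and not part of the original post. It parses a constructed subset of the INPUT/INETIN/TCPCHK rules above in iptables-save syntax and traces one packet through them with iptables' chain semantics, once with the SYN rule as ACCEPT and once as RETURN. The rule subset, the `syn_to` packet builder, the `verdict` function and the "within limit" treatment of `-m limit` are all assumptions of this example.

```python
"""Trace a packet through a model of the posted filter table (added example, not the post's
own code). Semantics follow iptables: ACCEPT/DROP end traversal of the whole built-in chain
even when hit inside a user-defined chain; RETURN (or running off the end of a user-defined
chain) resumes the caller; LOG is non-terminating; -m limit is treated as within limit."""
import shlex

# Constructed subset of the posted INPUT/INETIN/TCPCHK rules, in the original order.
RULES_TEXT = """
:INPUT DROP
-A INPUT -i eth1 -j INETIN
-A TCPCHK -p tcp --tcp-flags ALL NONE -j DROP
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -m limit --limit 10/sec -j ACCEPT
-A TCPCHK -p tcp --tcp-flags ACK,RST,SYN SYN -j DROP
-A INETIN -p tcp -j TCPCHK
-A INETIN -m state --state ESTABLISHED -j ACCEPT
-A INETIN -p tcp --dport 22 -j ACCEPT
-A INETIN -p tcp -m limit --limit 30/min --limit-burst 1 -j LOG --log-prefix "DROPPED by policy (tcp) "
-A INETIN -j DROP
"""
# The same rules with the rate-limited SYN rule changed from ACCEPT to RETURN.
FIXED_RULES_TEXT = RULES_TEXT.replace("--limit 10/sec -j ACCEPT", "--limit 10/sec -j RETURN")
ALL_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def parse_rules(text):
    """Return ({chain: policy or None}, {chain: [rule, ...]}) from iptables-save lines."""
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        if line.startswith(":"):                      # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)                      # keeps the quoted --log-prefix as one token
        rule, i = {"matches": {}, "target": None}, 2
        while i < len(toks):
            tok = toks[i]
            if tok == "-j":
                rule["target"] = toks[i + 1]; i += 2
            elif tok in ("-p", "-i", "--dport", "--state"):
                rule["matches"][tok] = toks[i + 1]; i += 2
            elif tok == "--tcp-flags":                # --tcp-flags MASK COMP
                rule["matches"][tok] = (toks[i + 1], toks[i + 2]); i += 3
            elif tok in ("-m", "--limit", "--limit-burst", "--log-prefix", "--log-level"):
                i += 2                                # module names and log/rate options: no effect here
            else:
                raise ValueError(f"unsupported token {tok!r} in: {line}")
        chains.setdefault(toks[1], []).append(rule)
    return policies, chains

def matches(rule, pkt):
    """True when every match clause of the rule holds for the packet dict."""
    for key, want in rule["matches"].items():
        if key == "-p":
            ok = pkt["proto"] == want
        elif key == "-i":
            ok = pkt["iface"] == want
        elif key == "--dport":                        # single port or lo:hi range
            lo, _, hi = want.partition(":")
            ok = int(lo) <= pkt["dport"] <= int(hi or lo)
        elif key == "--state":
            ok = pkt["state"] in want.split(",")
        else:                                         # --tcp-flags MASK COMP: only bits in MASK are compared
            mask, comp = (ALL_FLAGS if s == "ALL" else set(s.split(",")) - {"NONE"} for s in want)
            ok = (pkt["flags"] & mask) == comp
        if not ok:
            return False
    return True

def walk(chains, policies, chain, pkt, trail):
    """Traverse one chain; returns a terminating verdict, or None when the chain returns."""
    for n, rule in enumerate(chains.get(chain, [])):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        trail.append(f"{chain}[{n}] -j {target}")
        if target in TERMINATING:
            return target
        if target == "RETURN":
            return None
        if target == "LOG":
            continue                                  # non-terminating target
        sub = walk(chains, policies, target, pkt, trail)   # jump into a user-defined chain
        if sub is not None:
            return sub                                # a verdict inside it ends the whole traversal
    return policies.get(chain)                        # built-in: its policy; user-defined: implicit RETURN

def verdict(rules_text, pkt, entry="INPUT"):
    """Return (final verdict, trail of matched rules) for pkt entering a built-in chain."""
    policies, chains = parse_rules(rules_text)
    trail = []
    return walk(chains, policies, entry, pkt, trail), trail

def syn_to(port, iface="eth1"):
    """Constructed first packet of a TCP connection (SYN only, conntrack state NEW)."""
    return {"proto": "tcp", "iface": iface, "dport": port, "flags": {"SYN"}, "state": "NEW"}

if __name__ == "__main__":
    for label, rules in (("as ACCEPT", RULES_TEXT), ("as RETURN", FIXED_RULES_TEXT)):
        print(label, *verdict(rules, syn_to(80)))
```

With the SYN rule as ACCEPT, a SYN to tcp/80 on eth1 is accepted at TCPCHK[1] and INETIN's port rules are never consulted; with RETURN, the same packet comes back to INETIN, misses the port 22 rule, is logged and dropped. A SYN to tcp/22 is accepted either way, which is why the problem is invisible when you only test the services you meant to expose: test a port you did not open.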