Linux Firewall


Linux Firewalls

Third Edition
By Steve Suehring, Robert Ziegler


Chapter 4. Building and Installing a Standalone Firewall


The firewall that you'll build in this chapter is based on a deny-everything-by-default policy. All network traffic is blocked by default. Services are individually enabled as exceptions to the policy.

This chapter uses a script called rc.firewall to invoke iptables once for each firewall rule you define. Where the script lives depends on the Linux distribution; on Red Hat it belongs in the /etc/rc.d/ directory.

iptables allows the address to be suffixed with a bit mask specifier. The mask's value can range from 0 through 32, indicating the number of bits to mask.
  • A mask of 32, /32, means that all the bits must match. Specifying an address as 192.168.10.30 is the same as specifying the address as 192.168.10.30/32.
  • A mask of 0, /0, means that no bits in the address are required to match. Using /0 is the same as not specifying an address: any unicast address matches. iptables has a built-in alias for 0.0.0.0/0, any/0.

Initializing the Firewall



Remember that firewall filters are applied in the order in which you've defined them on the INPUT or OUTPUT chain. The rules are appended to the end of their chain in the order in which you define them, and the first rule that matches a packet decides what happens to it; a packet that matches no rule falls through to the chain's default policy.

Firewall initialization consists of:
  • defining global constants used in the shell script
  • enabling kernel support services (when necessary)
  • clearing out any existing rules in the firewall chains
  • defining default policies for the INPUT and OUTPUT chains
  • reenabling the loopback interface for normal system operation
  • denying access from any specific hosts or networks you've decided to block
  • defining some basic rules to protect against bad addresses
  • protecting certain services running on unprivileged ports
This presents the same firewall examples as they would appear in a firewall script:

#!/bin/sh
/sbin/modprobe ip_conntrack_ftp

ACCEPT_AUTH="0"
SSH_SERVER="0"
FTP_SERVER="0"
WEB_SERVER="0"
SSL_SERVER="0"
DHCP_CLIENT="1"
CONNECTION_TRACKING="1" # use the kernel's connection tracking (state module)

IPT="/sbin/iptables" # Location of iptables on your system
INTERNET="eth0" # Internet-connected interface
LOOPBACK_INTERFACE="lo" # however your system names it
IPADDR="my.ip.address" # your IP address
SUBNET_BASE="my.subnet.base" # ISP network segment base address
SUBNET_BROADCAST="my.subnet.bcast" # network segment broadcast address
MY_ISP="my.isp.address.range" # ISP server & NOC address range

NAMESERVER="isp.name.server.1" # address of a remote name server
POP_SERVER="isp.pop.server" # address of a remote pop server
MAIL_SERVER="isp.mail.server" # address of a remote mail gateway
NEWS_SERVER="isp.news.server" # address of a remote news server
TIME_SERVER="some.time.server" # address of a remote time server
DHCP_SERVER="isp.dhcp.server" # address of your ISP dhcp server

LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # Class A private networks
CLASS_B="172.16.0.0/12" # Class B private networks
CLASS_C="192.168.0.0/16" # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address

PRIVPORTS="0:1023" # well-known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
SSH_PORTS="1024:65535"
NFS_PORT="2049"
LOCKD_PORT="4045"
SOCKS_PORT="1080"
OPENWINDOWS_PORT="2000"

XWINDOW_PORTS="6000:6063"
SQUID_PORT="3128"

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do 
  echo 0 > $f
done

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do 
  echo 0 > $f
done

# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do 
  echo 0 > $f
done


# Drop Spoofed Packets coming in on an interface, which, if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > $f
done

# Log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
  echo 1 > $f
done
###########################################
# Remove any existing rules from all chains
$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
$IPT --policy INPUT ACCEPT
$IPT --policy OUTPUT ACCEPT
$IPT --policy FORWARD ACCEPT

$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy OUTPUT ACCEPT
if [ "$1" = "stop" ]
then
  echo "Firewall completely stopped! WARNING: THIS HOST HAS NO FIREWALL RUNNING."
  exit 0
fi

# Unlimited traffic on the loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Set the default policy to drop
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP
$IPT -t nat --policy PREROUTING DROP
$IPT -t nat --policy OUTPUT DROP
$IPT -t nat --policy POSTROUTING DROP
$IPT -t mangle --policy PREROUTING DROP
$IPT -t mangle --policy OUTPUT DROP


#######################################################
# Stealth Scans and TCP State Flags
# Unclean (an experimental match from patch-o-matic that never reached
# mainline kernels; if the match is absent only this one rule fails to load)
$IPT -A INPUT -m unclean -j DROP
# All of the bits are cleared
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

###########################################
# Using Connection State to By-pass Rule Checking
if [ "$CONNECTION_TRACKING" = "1" ]; then 
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Using the state module alone, INVALID will break protocols that use 
  # bi-directional connections or multiple connections or exchanges, 
  # unless an ALG is provided for the protocol. At this time, FTP and 
  # IRC are the only protocols with ALG support.
  $IPT -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: "
  $IPT -A INPUT -m state --state INVALID -j DROP
  $IPT -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: "
  $IPT -A OUTPUT -m state --state INVALID -j DROP
fi
###########################################
# Source Address Spoofing and Other Bad Addresses
# Refuse spoofed packets pretending to be from
# the external interface's IP address
$IPT -A INPUT -i $INTERNET -s $IPADDR -j DROP
# Refuse packets claiming to be from a Class A private network
$IPT -A INPUT -i $INTERNET -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network
$IPT -A INPUT -i $INTERNET -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network
$IPT -A INPUT -i $INTERNET -s $CLASS_C -j DROP
# Refuse packets claiming to be from the loopback interface
$IPT -A INPUT -i $INTERNET -s $LOOPBACK -j DROP
# Refuse malformed broadcast packets
$IPT -A INPUT -i $INTERNET -s $BROADCAST_DEST -j LOG
$IPT -A INPUT -i $INTERNET -s $BROADCAST_DEST -j DROP
$IPT -A INPUT -i $INTERNET -d $BROADCAST_SRC -j LOG
$IPT -A INPUT -i $INTERNET -d $BROADCAST_SRC -j DROP

if [ "$DHCP_CLIENT" = "0" ]; then 
  # Refuse directed broadcasts
  # Used to map networks and in Denial of Service attacks
  $IPT -A INPUT -i $INTERNET -d $SUBNET_BASE -j DROP
  $IPT -A INPUT -i $INTERNET -d $SUBNET_BROADCAST -j DROP
  # Refuse limited broadcasts 
  $IPT -A INPUT -i $INTERNET -d $BROADCAST_DEST -j DROP
fi
# Refuse Class D multicast addresses
# illegal as a source address
$IPT -A INPUT -i $INTERNET -s $CLASS_D_MULTICAST -j DROP
$IPT -A INPUT -i $INTERNET ! -p udp -d $CLASS_D_MULTICAST -j DROP
$IPT -A INPUT -i $INTERNET -p udp -d $CLASS_D_MULTICAST -j ACCEPT
# Refuse Class E reserved IP addresses
$IPT -A INPUT -i $INTERNET -s $CLASS_E_RESERVED_NET -j DROP
if [ "$DHCP_CLIENT" = "1" ]; then
  $IPT -A INPUT -i $INTERNET -p udp \
    -s $BROADCAST_SRC --sport 67 \
    -d $BROADCAST_DEST --dport 68 -j ACCEPT
fi
# refuse addresses defined as reserved by the IANA
# 0.*.*.* - Can't be blocked unilaterally with DHCP
# 169.254.0.0/16 - Link Local Networks
# 192.0.2.0/24 - TEST-NET
$IPT -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
$IPT -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP

###########################################
# Disallowing Connections to Common TCP Unprivileged Server Ports
# X Window connection establishment
$IPT -A OUTPUT -o $INTERNET -p tcp --syn \
    --destination-port $XWINDOW_PORTS -j REJECT
# X Window: incoming connection attempt
$IPT -A INPUT -i $INTERNET -p tcp --syn \
    --destination-port $XWINDOW_PORTS -j DROP

# Establishing a connection over TCP to NFS, OpenWindows, SOCKS, or squid
$IPT -A OUTPUT -o $INTERNET -p tcp \
    -m multiport --destination-port \
    $NFS_PORT,$OPENWINDOWS_PORT,$SOCKS_PORT,$SQUID_PORT \
    --syn -j REJECT
$IPT -A INPUT -i $INTERNET -p tcp \
    -m multiport --destination-port \
    $NFS_PORT,$OPENWINDOWS_PORT,$SOCKS_PORT,$SQUID_PORT \
    --syn -j DROP
###########################################
# Disallowing Connections to Common UDP Unprivileged Server Ports
# NFS and lockd
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A OUTPUT -o $INTERNET -p udp \
      -m multiport --destination-port $NFS_PORT,$LOCKD_PORT \
      -m state --state NEW -j REJECT
  $IPT -A INPUT -i $INTERNET -p udp \
      -m multiport --destination-port $NFS_PORT,$LOCKD_PORT \
      -m state --state NEW -j DROP
else
  $IPT -A OUTPUT -o $INTERNET -p udp \
      -m multiport --destination-port $NFS_PORT,$LOCKD_PORT \
      -j REJECT
  $IPT -A INPUT -i $INTERNET -p udp \
      -m multiport --destination-port $NFS_PORT,$LOCKD_PORT \
      -j DROP
fi
###########################################
# DNS Name Server
# DNS Forwarding Name Server or client requests
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A OUTPUT -o $INTERNET -p udp \
      -s $IPADDR --sport $UNPRIVPORTS \
      -d $NAMESERVER --dport 53 \
      -m state --state NEW -j ACCEPT
fi
$IPT -A OUTPUT -o $INTERNET -p udp \
    -s $IPADDR --sport $UNPRIVPORTS \
    -d $NAMESERVER --dport 53 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p udp \
    -s $NAMESERVER --sport 53 \
    -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
#...............................................................
# TCP is used for large responses
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A OUTPUT -o $INTERNET -p tcp \
      -s $IPADDR --sport $UNPRIVPORTS \
      -d $NAMESERVER --dport 53 \
      -m state --state NEW -j ACCEPT
fi
$IPT -A OUTPUT -o $INTERNET -p tcp \
    -s $IPADDR --sport $UNPRIVPORTS \
    -d $NAMESERVER --dport 53 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
    -s $NAMESERVER --sport 53 \
    -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
#...............................................................
# DNS Caching Name Server (local server to primary server)
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A OUTPUT -o $INTERNET -p udp \
      -s $IPADDR --sport 53 \
      -d $NAMESERVER --dport 53 \
      -m state --state NEW -j ACCEPT
fi
$IPT -A OUTPUT -o $INTERNET -p udp \
    -s $IPADDR --sport 53 \
    -d $NAMESERVER --dport 53 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p udp \
    -s $NAMESERVER --sport 53 \
    -d $IPADDR --dport 53 -j ACCEPT


#######################################################
# Filtering the AUTH User Identification Service (TCP Port 113)
# Outgoing Local Client Requests to Remote Servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A OUTPUT -o $INTERNET -p tcp \
      -s $IPADDR --sport $UNPRIVPORTS \
      --dport 113 -m state --state NEW -j ACCEPT
fi
$IPT -A OUTPUT -o $INTERNET -p tcp \
    -s $IPADDR --sport $UNPRIVPORTS \
    --dport 113 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
    --sport 113 \
    -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
#...............................................................
# Incoming Remote Client Requests to Local Servers
if [ "$ACCEPT_AUTH" = "1" ]; then
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A INPUT -i $INTERNET -p tcp \
        --sport $UNPRIVPORTS \
        -d $IPADDR --dport 113 \
        -m state --state NEW -j ACCEPT
  fi
  $IPT -A INPUT -i $INTERNET -p tcp \
      --sport $UNPRIVPORTS \
      -d $IPADDR --dport 113 -j ACCEPT
  $IPT -A OUTPUT -o $INTERNET -p tcp ! --syn \
      -s $IPADDR --sport 113 \
      --dport $UNPRIVPORTS -j ACCEPT
else
  # Answer with a TCP reset so remote servers that probe ident
  # (mail servers in particular) don't wait for a timeout
  $IPT -A INPUT -i $INTERNET -p tcp \
      --sport $UNPRIVPORTS \
      -d $IPADDR --dport 113 -j REJECT --reject-with tcp-reset
fi

#######################################################
# Sending Mail to Any External Mail Server
# Use "-d $MAIL_SERVER" if an ISP mail gateway is used instead
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A OUTPUT -o $INTERNET -p tcp \
      -s $IPADDR --sport $UNPRIVPORTS \
      --dport 25 -m state --state NEW -j ACCEPT
fi
$IPT -A OUTPUT -o $INTERNET -p tcp \
    -s $IPADDR --sport $UNPRIVPORTS \
    --dport 25 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
    --sport 25 \
    -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
###########################################
# Retrieving Mail as a POP Client (TCP Port 110)
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A OUTPUT -o $INTERNET -p tcp \
      -s $IPADDR --sport $UNPRIVPORTS \
      -d $POP_SERVER --dport 110 -m state --state NEW -j ACCEPT
fi
$IPT -A OUTPUT -o $INTERNET -p tcp \
    -s $IPADDR --sport $UNPRIVPORTS \
    -d $POP_SERVER --dport 110 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
    -s $POP_SERVER --sport 110 \
    -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
###########################################
# Accessing Usenet News Services (TCP NNTP Port 119)
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A OUTPUT -o $INTERNET -p tcp \
      -s $IPADDR --sport $UNPRIVPORTS \
      -d $NEWS_SERVER --dport 119 -m state --state NEW -j ACCEPT
fi
$IPT -A OUTPUT -o $INTERNET -p tcp \
    -s $IPADDR --sport $UNPRIVPORTS \
    -d $NEWS_SERVER --dport 119 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
    -s $NEWS_SERVER --sport 119 \
    -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
###########################################
# ssh (TCP Port 22)
# Outgoing Local Client Requests to Remote Servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A OUTPUT -o $INTERNET -p tcp \
      -s $IPADDR --sport $SSH_PORTS \
      --dport 22 -m state --state NEW -j ACCEPT
fi
$IPT -A OUTPUT -o $INTERNET -p tcp \
    -s $IPADDR --sport $SSH_PORTS \
    --dport 22 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
    --sport 22 \
    -d $IPADDR --dport $SSH_PORTS -j ACCEPT
#...............................................................
# Incoming Remote Client Requests to Local Servers
if [ "$SSH_SERVER" = "1" ]; then
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A INPUT -i $INTERNET -p tcp \
        --sport $SSH_PORTS \
        -d $IPADDR --dport 22 \
        -m state --state NEW -j ACCEPT
  fi
  $IPT -A INPUT -i $INTERNET -p tcp \
      --sport $SSH_PORTS \
      -d $IPADDR --dport 22 -j ACCEPT
  $IPT -A OUTPUT -o $INTERNET -p tcp ! --syn \
      -s $IPADDR --sport 22 \
      --dport $SSH_PORTS -j ACCEPT
fi

#######################################################
# ftp (TCP Ports 21, 20)
# Outgoing Local Client Requests to Remote Servers
# Outgoing Control Connection to Port 21
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A OUTPUT -o $INTERNET -p tcp \
      -s $IPADDR --sport $UNPRIVPORTS \
      --dport 21 -m state --state NEW -j ACCEPT
fi
$IPT -A OUTPUT -o $INTERNET -p tcp \
    -s $IPADDR --sport $UNPRIVPORTS \
    --dport 21 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
    --sport 21 \
    -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
# Incoming Port Mode Data Channel Connection from Port 20
if [ "$CONNECTION_TRACKING" = "1" ]; then
  # This rule is not necessary if the ip_conntrack_ftp
  # module is used.
  $IPT -A INPUT -i $INTERNET -p tcp \
      --sport 20 \
      -d $IPADDR --dport $UNPRIVPORTS \
      -m state --state NEW -j ACCEPT
fi
$IPT -A INPUT -i $INTERNET -p tcp \
    --sport 20 \
    -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p tcp ! --syn \
    -s $IPADDR --sport $UNPRIVPORTS \
    --dport 20 -j ACCEPT
# Outgoing Passive Mode Data Channel Connection Between Unprivileged Ports
if [ "$CONNECTION_TRACKING" = "1" ]; then
  # This rule is not necessary if the ip_conntrack_ftp
  # module is used.
  $IPT -A OUTPUT -o $INTERNET -p tcp \
      -s $IPADDR --sport $UNPRIVPORTS \
      --dport $UNPRIVPORTS -m state --state NEW -j ACCEPT
fi
$IPT -A OUTPUT -o $INTERNET -p tcp \
    -s $IPADDR --sport $UNPRIVPORTS \
    --dport $UNPRIVPORTS -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
    --sport $UNPRIVPORTS \
    -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
#...............................................................
# Incoming Remote Client Requests to Local Servers
if [ "$FTP_SERVER" = "1" ]; then
  # Incoming Control Connection to Port 21
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A INPUT -i $INTERNET -p tcp \
        --sport $UNPRIVPORTS \
        -d $IPADDR --dport 21 \
        -m state --state NEW -j ACCEPT
  fi
  $IPT -A INPUT -i $INTERNET -p tcp \
      --sport $UNPRIVPORTS \
      -d $IPADDR --dport 21 -j ACCEPT
  $IPT -A OUTPUT -o $INTERNET -p tcp ! --syn \
      -s $IPADDR --sport 21 \
      --dport $UNPRIVPORTS -j ACCEPT
  # Outgoing Port Mode Data Channel Connection to Port 20
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A OUTPUT -o $INTERNET -p tcp \
        -s $IPADDR --sport 20 \
        --dport $UNPRIVPORTS -m state --state NEW -j ACCEPT
  fi
  $IPT -A OUTPUT -o $INTERNET -p tcp \
      -s $IPADDR --sport 20 \
      --dport $UNPRIVPORTS -j ACCEPT
  $IPT -A INPUT -i $INTERNET -p tcp ! --syn \
      --sport $UNPRIVPORTS \
      -d $IPADDR --dport 20 -j ACCEPT
  # Incoming Passive Mode Data Channel Connection Between Unprivileged Ports
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A INPUT -i $INTERNET -p tcp \
        --sport $UNPRIVPORTS \
        -d $IPADDR --dport $UNPRIVPORTS \
        -m state --state NEW -j ACCEPT
  fi
  $IPT -A INPUT -i $INTERNET -p tcp \
      --sport $UNPRIVPORTS \
      -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
  $IPT -A OUTPUT -o $INTERNET -p tcp ! --syn \
      -s $IPADDR --sport $UNPRIVPORTS \
      --dport $UNPRIVPORTS -j ACCEPT
fi
###########################################
# HTTP Web Traffic (TCP Port 80)
# Outgoing Local Client Requests to Remote Servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A OUTPUT -o $INTERNET -p tcp \
      -s $IPADDR --sport $UNPRIVPORTS \
      --dport 80 -m state --state NEW -j ACCEPT
fi
$IPT -A OUTPUT -o $INTERNET -p tcp \
    -s $IPADDR --sport $UNPRIVPORTS \
    --dport 80 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
    --sport 80 \
    -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
#...............................................................
# Incoming Remote Client Requests to Local Servers
if [ "$WEB_SERVER" = "1" ]; then
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A INPUT -i $INTERNET -p tcp \
        --sport $UNPRIVPORTS \
        -d $IPADDR --dport 80 \
        -m state --state NEW -j ACCEPT
  fi
  $IPT -A INPUT -i $INTERNET -p tcp \
      --sport $UNPRIVPORTS \
      -d $IPADDR --dport 80 -j ACCEPT
  $IPT -A OUTPUT -o $INTERNET -p tcp ! --syn \
      -s $IPADDR --sport 80 \
      --dport $UNPRIVPORTS -j ACCEPT
fi
###########################################
# SSL Web Traffic (TCP Port 443)
# Outgoing Local Client Requests to Remote Servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A OUTPUT -o $INTERNET -p tcp \
      -s $IPADDR --sport $UNPRIVPORTS \
      --dport 443 -m state --state NEW -j ACCEPT
fi
$IPT -A OUTPUT -o $INTERNET -p tcp \
    -s $IPADDR --sport $UNPRIVPORTS \
    --dport 443 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
    --sport 443 \
    -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
#...............................................................
# Incoming Remote Client Requests to Local Servers
if [ "$SSL_SERVER" = "1" ]; then
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A INPUT -i $INTERNET -p tcp \
        --sport $UNPRIVPORTS \
        -d $IPADDR --dport 443 \
        -m state --state NEW -j ACCEPT
  fi
  $IPT -A INPUT -i $INTERNET -p tcp \
      --sport $UNPRIVPORTS \
      -d $IPADDR --dport 443 -j ACCEPT
  $IPT -A OUTPUT -o $INTERNET -p tcp ! --syn \
      -s $IPADDR --sport 443 \
      --dport $UNPRIVPORTS -j ACCEPT
fi
###########################################
# whois (TCP Port 43)
# Outgoing Local Client Requests to Remote Servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A OUTPUT -o $INTERNET -p tcp \
      -s $IPADDR --sport $UNPRIVPORTS \
      --dport 43 -m state --state NEW -j ACCEPT
fi
$IPT -A OUTPUT -o $INTERNET -p tcp \
    -s $IPADDR --sport $UNPRIVPORTS \
    --dport 43 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp ! --syn \
    --sport 43 \
    -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
###########################################
# Accessing Remote Network Time Servers (UDP 123)
# Note: Some clients and servers use source port 123
# when querying a remote server on destination port 123.
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A OUTPUT -o $INTERNET -p udp \
      -s $IPADDR --sport $UNPRIVPORTS \
      -d $TIME_SERVER --dport 123 \
      -m state --state NEW -j ACCEPT
fi
$IPT -A OUTPUT -o $INTERNET -p udp \
    -s $IPADDR --sport $UNPRIVPORTS \
    -d $TIME_SERVER --dport 123 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p udp \
    -s $TIME_SERVER --sport 123 \
    -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
###########################################
# Accessing Your ISP's DHCP Server (UDP Ports 67, 68)
# Some broadcast packets are explicitly ignored by the firewall.
# Others are dropped by the default policy.
# DHCP tests must precede broadcast-related rules, as DHCP relies
# on broadcast traffic initially.
if [ "$DHCP_CLIENT" = "1" ]; then
  # Initialization or rebinding: No lease or Lease time expired.
  $IPT -A OUTPUT -o $INTERNET -p udp \
      -s $BROADCAST_SRC --sport 68 \
      -d $BROADCAST_DEST --dport 67 -j ACCEPT
  # Incoming DHCPOFFER from available DHCP servers
  $IPT -A INPUT -i $INTERNET -p udp \
      -s $BROADCAST_SRC --sport 67 \
      -d $BROADCAST_DEST --dport 68 -j ACCEPT
  # Fall back to initialization
  # The client knows its server, but has either lost its lease,
  # or else needs to reconfirm the IP address after rebooting.
  $IPT -A OUTPUT -o $INTERNET -p udp \
      -s $BROADCAST_SRC --sport 68 \
      -d $DHCP_SERVER --dport 67 -j ACCEPT
  $IPT -A INPUT -i $INTERNET -p udp \
      -s $DHCP_SERVER --sport 67 \
      -d $BROADCAST_DEST --dport 68 -j ACCEPT
  # As a result of the above, we're supposed to change our IP
  # address with this message, which is addressed to our new
  # address before the dhcp client has received the update.
  # Depending on the server implementation, the destination address
  # can be the new IP address, the subnet address, or the limited
  # broadcast address.
  # If the network subnet address is used as the destination,
  # the next rule must allow incoming packets destined to the
  # subnet address, and the rule must precede any general rules
  # that block such incoming broadcast packets.
  $IPT -A INPUT -i $INTERNET -p udp \
      -s $DHCP_SERVER --sport 67 \
      --dport 68 -j ACCEPT
  # Lease renewal
  $IPT -A OUTPUT -o $INTERNET -p udp \
      -s $IPADDR --sport 68 \
      -d $DHCP_SERVER --dport 67 -j ACCEPT
  $IPT -A INPUT -i $INTERNET -p udp \
      -s $DHCP_SERVER --sport 67 \
      -d $IPADDR --dport 68 -j ACCEPT
  # Refuse directed broadcasts
  # Used to map networks and in Denial of Service attacks
  $IPT -A INPUT -i $INTERNET -d $SUBNET_BASE -j DROP
  $IPT -A INPUT -i $INTERNET -d $SUBNET_BROADCAST -j DROP
  # Refuse limited broadcasts
  $IPT -A INPUT -i $INTERNET -d $BROADCAST_DEST -j DROP
fi
###########################################
# ICMP Control and Status Messages
# Log and drop initial ICMP fragments
$IPT -A INPUT -i $INTERNET --fragment -p icmp -j LOG \
    --log-prefix "Fragmented ICMP: "
$IPT -A INPUT -i $INTERNET --fragment -p icmp -j DROP
$IPT -A INPUT -i $INTERNET -p icmp \
    --icmp-type source-quench -d $IPADDR -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p icmp \
    -s $IPADDR --icmp-type source-quench -j ACCEPT
$IPT -A INPUT -i $INTERNET -p icmp \
    --icmp-type parameter-problem -d $IPADDR -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p icmp \
    -s $IPADDR --icmp-type parameter-problem -j ACCEPT
$IPT -A INPUT -i $INTERNET -p icmp \
    --icmp-type destination-unreachable -d $IPADDR -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p icmp \
    -s $IPADDR --icmp-type fragmentation-needed -j ACCEPT
# Don't log dropped outgoing ICMP error messages
$IPT -A OUTPUT -o $INTERNET -p icmp \
    -s $IPADDR --icmp-type destination-unreachable -j DROP

# Intermediate traceroute responses
$IPT -A INPUT -i $INTERNET -p icmp \
    --icmp-type time-exceeded -d $IPADDR -j ACCEPT
# allow outgoing pings to anywhere
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A OUTPUT -o $INTERNET -p icmp \
      -s $IPADDR --icmp-type echo-request \
      -m state --state NEW -j ACCEPT
fi
$IPT -A OUTPUT -o $INTERNET -p icmp \
    -s $IPADDR --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -i $INTERNET -p icmp \
    --icmp-type echo-reply -d $IPADDR -j ACCEPT
# allow incoming pings from trusted hosts
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A INPUT -i $INTERNET -p icmp \
      -s $MY_ISP --icmp-type echo-request -d $IPADDR \
      -m state --state NEW -j ACCEPT
fi
$IPT -A INPUT -i $INTERNET -p icmp \
    -s $MY_ISP --icmp-type echo-request -d $IPADDR -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p icmp \
    -s $IPADDR --icmp-type echo-reply -d $MY_ISP -j ACCEPT
###########################################
# Logging Dropped Packets
# Don't log dropped incoming echo-requests (ICMP type 8)
$IPT -A INPUT -i $INTERNET -p icmp \
    ! --icmp-type 8 -d $IPADDR -j LOG
$IPT -A INPUT -i $INTERNET -p tcp \
    -d $IPADDR -j LOG
$IPT -A OUTPUT -o $INTERNET -j LOG
exit 0
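The kernel settings the script writes under "enabling kernel support services" (the echo ... > /proc/sys/net/ipv4/... lines) are only as durable as the next configuration change, so it is worth checking them after the fact. The following is an added example, not code from the book or from the rc.firewall script: it reads the same /proc/sys/net/ipv4 keys the script writes and reports every one that deviates from the value the script sets. The expected values mirror the script; the SAMPLE snapshot is constructed for illustration.

```python
import fnmatch
import glob
import os

# The values the rc.firewall script writes, keyed by path under
# /proc/sys/net/ipv4; the conf/* patterns stand for the per-interface
# loops in the script (conf/all, conf/default, conf/eth0, ...).
EXPECTED = {
    "icmp_echo_ignore_broadcasts": "1",
    "tcp_syncookies": "1",
    "conf/*/accept_source_route": "0",
    "conf/*/accept_redirects": "0",
    "conf/*/send_redirects": "0",
    "conf/*/rp_filter": "1",
    "conf/*/log_martians": "1",
}


def read_ipv4_settings(root="/proc/sys/net/ipv4"):
    """Read the current value of every key EXPECTED covers (Linux only).

    Returns {path relative to root: value as the kernel reports it}.
    """
    found = {}
    for pattern in EXPECTED:
        for path in glob.glob(os.path.join(root, pattern)):
            with open(path) as fh:
                found[os.path.relpath(path, root)] = fh.read().strip()
    return found


def audit(settings):
    """Compare a {relative path: value} snapshot against EXPECTED.

    Returns a sorted list of (path, actual, expected). A pattern with no
    matching key at all is reported once with actual=None, so a setting
    that was never applied is as visible as one that was changed back.
    """
    deviations = []
    for pattern, want in EXPECTED.items():
        matched = [p for p in settings if fnmatch.fnmatchcase(p, pattern)]
        if not matched:
            deviations.append((pattern, None, want))
        for p in matched:
            if settings[p] != want:
                deviations.append((p, settings[p], want))
    return sorted(deviations)


# Constructed snapshot: the script ran once, a later change turned redirect
# acceptance back on for 'all', and log_martians was never set at all.
SAMPLE = {
    "icmp_echo_ignore_broadcasts": "1",
    "tcp_syncookies": "1",
    "conf/all/accept_source_route": "0",
    "conf/eth0/accept_source_route": "0",
    "conf/all/accept_redirects": "1",
    "conf/eth0/accept_redirects": "0",
    "conf/all/send_redirects": "0",
    "conf/eth0/send_redirects": "0",
    "conf/all/rp_filter": "1",
    "conf/eth0/rp_filter": "1",
}


def sample_deviations():
    """Deviations found in the constructed SAMPLE snapshot."""
    return audit(SAMPLE)


if __name__ == "__main__":
    # On a live Linux host, audit the real /proc/sys tree
    for path, actual, want in audit(read_ipv4_settings()):
        print(f"{path}: is {actual!r}, the script sets {want!r}")
```

Run it as root or not; /proc/sys is world-readable, only writing needs privilege. Newer kernels also accept 2 (loose mode) for rp_filter; the audit checks for the strict value 1 the script writes, so adjust EXPECTED if you deliberately run loose mode on some interface.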


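To make the ordering rule stated earlier concrete (rules are tried in the order appended; the first match decides; with no match the chain policy applies), here is an added example that is not from the book: a small Python model of iptables first-match evaluation over a slice of the script's INPUT chain. It implements the --tcp-flags MASK COMP semantics behind the stealth-scan rules and the address/mask matching from the netmask section, and goes slightly beyond the text by also handling the any/0 alias and dotted masks such as /255.0.0.0, which iptables accepts. The IPADDR and NAMESERVER values and the sample packets are constructed placeholders.

```python
import ipaddress

# TCP flag bits under the names iptables --tcp-flags uses
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_address(spec):
    """Parse an iptables address argument into an IPv4Network.

    A bare address means /32; /0 or the alias any/0 matches everything;
    a dotted mask such as /255.0.0.0 is accepted as well. A mask outside
    0..32 raises ValueError, as iptables rejects it.
    """
    if spec == "any/0":
        spec = "0.0.0.0/0"
    if "/" not in spec:
        spec += "/32"
    return ipaddress.IPv4Network(spec, strict=False)


def address_matches(spec, ip):
    return ipaddress.IPv4Address(ip) in parse_address(spec)


def flag_bits(names):
    """'SYN,FIN' -> 0x03; ALL and NONE behave as they do in iptables."""
    if names == "ALL":
        return 0x3F
    if names in ("NONE", ""):
        return 0
    return sum(TCP_FLAGS[n] for n in names.split(","))


def tcp_flags_match(pkt_flags, mask, comp):
    """--tcp-flags MASK COMP: of the bits in MASK, exactly COMP must be set."""
    return (flag_bits(pkt_flags) & flag_bits(mask)) == flag_bits(comp)


def port_in(spec, port):
    """Port spec as the script writes it: '53' or a range '1024:65535'."""
    lo, _, hi = str(spec).partition(":")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule, pkt):
    """Every criterion present in the rule must hold for the packet."""
    if "in" in rule and rule["in"] != pkt["in"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "src" in rule and not address_matches(rule["src"], pkt["src"]):
        return False
    if "sport" in rule and not port_in(rule["sport"], pkt.get("sport", 0)):
        return False
    if "dport" in rule and not port_in(rule["dport"], pkt.get("dport", 0)):
        return False
    if "tcp_flags" in rule and not tcp_flags_match(pkt.get("flags", ""), *rule["tcp_flags"]):
        return False
    return True


def evaluate(chain, pkt, policy="DROP"):
    """First matching rule decides; otherwise the chain policy applies.
    Returns (verdict, index of the deciding rule, or None for the policy)."""
    for i, rule in enumerate(chain):
        if rule_matches(rule, pkt):
            return rule["target"], i
    return policy, None


INTERNET = "eth0"
IPADDR = "203.0.113.10"       # constructed stand-in for my.ip.address
NAMESERVER = "198.51.100.53"  # constructed stand-in for isp.name.server.1

# A slice of the script's INPUT chain, in the order the rules are appended
INPUT = [
    {"in": "lo", "target": "ACCEPT"},                                        # 0 loopback
    {"proto": "tcp", "tcp_flags": ("ALL", "NONE"), "target": "DROP"},        # 1 no flags set
    {"proto": "tcp", "tcp_flags": ("SYN,FIN", "SYN,FIN"), "target": "DROP"}, # 2 SYN and FIN
    {"proto": "tcp", "tcp_flags": ("ACK,FIN", "FIN"), "target": "DROP"},     # 3 FIN without ACK
    {"in": INTERNET, "src": IPADDR, "target": "DROP"},                       # 4 our own address
    {"in": INTERNET, "src": "10.0.0.0/8", "target": "DROP"},                 # 5 CLASS_A
    {"in": INTERNET, "src": "172.16.0.0/12", "target": "DROP"},              # 6 CLASS_B
    {"in": INTERNET, "src": "192.168.0.0/16", "target": "DROP"},             # 7 CLASS_C
    {"in": INTERNET, "src": "127.0.0.0/8", "target": "DROP"},                # 8 LOOPBACK
    {"in": INTERNET, "proto": "udp", "src": NAMESERVER, "sport": "53",
     "dport": "1024:65535", "target": "ACCEPT"},                             # 9 DNS reply
]

# Constructed packets; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
PACKETS = {
    "loopback_connect": {"in": "lo", "src": "127.0.0.1", "proto": "tcp", "dport": 25, "flags": "SYN"},
    "private_source_outside": {"in": INTERNET, "src": "10.1.2.3", "proto": "tcp", "dport": 22, "flags": "SYN"},
    "no_flags_set": {"in": INTERNET, "src": "198.51.100.7", "proto": "tcp", "dport": 22, "flags": ""},
    "fin_without_ack": {"in": INTERNET, "src": "198.51.100.7", "proto": "tcp", "dport": 22, "flags": "FIN"},
    "dns_reply": {"in": INTERNET, "src": NAMESERVER, "proto": "udp", "sport": 53, "dport": 40000},
    "unsolicited_syn": {"in": INTERNET, "src": "198.51.100.7", "proto": "tcp", "dport": 22, "flags": "SYN"},
}


def verdicts():
    """Verdict and deciding rule index for every sample packet."""
    return {name: evaluate(INPUT, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, (verdict, index) in verdicts().items():
        print(f"{name:24s} {verdict:6s} rule {index}")
```

Two things the run makes visible: the loopback packet is accepted by rule 0 even though rule 8 would drop a 127.0.0.0/8 source, because rule 8 is tied to $INTERNET and comes later; and the SYN with no matching rule is dropped by the policy alone, which is the deny-everything-by-default behaviour the chapter builds on.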

