# Newbie Firewall Init Script

## mcdermottpa

The following is a basic firewall init script I wrote for my home computer. It is very much a work in progress and is probably full of holes. The script is intended as a quick plug-in for newbies while they are figuring out Gentoo and learning about iptables.

A little about my impetus to post this: I have been using Linux/Gentoo for a month now. For a very long time I was running without a firewall of any kind, mainly because I didn't have the time/inclination to figure iptables out. There does not seem to be a newbie friendly firewall setup guide (at least I couldn't find it). Being a n00b, I had to do a lot of studying just to get a firewall working that gave some protection while allowing me to do day to day things like surf the web and check email.

At some point I would like to post a how-to on the wiki so that newbies can use this script. To do that though I'm going to have to do more testing and get a lot of feedback.

(FIXED) Before you look at the code, there is one bug I have not worked out. Setting the ALLOW_ESTABLISHED_OUTBOUND variable to 'on' breaks dns lookup for some web pages, but not all.

```
#!/sbin/runscript

# Copyright 2004 Peter McDermott

# Distributed under the terms of the GNU General Public License v2

#

# Basic Netfilter Script 0.0.1 2004/11/5

# <peter@mcdermottpa.com>

#

# This is not a production release.

# It should be treated as entirely insecure.

#

# This script is intended for users who are running Gentoo with a

# direct connection to the Internet or one connected through a router.

#

start() {

  ebegin "Starting Firewall"

/bin/echo ' '

# Script Variables

# ----------------------------------------

# interface to the internet

# could be eth0, ath0 or something else

INTERFACE="ath0"

# the loopback address

LOOPBACK="127.0.0.0/8"

# reserved local addresses

RESERVED_IP_172_SPACE="172.16.0.0/12"

RESERVED_IP_192_SPACE="192.168.0.0/16"

RESERVED_IP_10_SPACE="10.0.0.0/8"

RESERVED_IP_MULTICAST="224.0.0.0/4"

RESERVED_IP_FUTURE="240.0.0.0/5"

# unprivileged ports

PORTS_HIGH="1024:65535"

# common ssh source ports 

PORTS_SSH="500:1023"

# Add ports here for generic access.

# In number or name format (see /etc/services for your list).

# Don't forget rsync is used by portage.

OPEN_PORTS_OUTBOUND="ntp ssh pop3 imap2 smtp domain www https rsync"

# This is for any servers you may be running.
# It is NOT for accepting replies to connections you started yourself;
# ALLOW_ESTABLISHED_INBOUND below handles those.
OPEN_PORTS_INBOUND="www"

# Leave this on unless your computer is a server that needs to make no

# outbound connections. (if OPEN_PORTS_OUTBOUND is unset)

ALLOW_ESTABLISHED_INBOUND="on"

# Turn this on if your computer is hosting a server of some kind.

ALLOW_ESTABLISHED_OUTBOUND="on"

# Add checking to secure against several types of attacks.

# Not all possible attacks by these methods will be stopped

# using these security options. You have been warned.

# sfd - SYN Flooding

# pod - Ping of Death

# ps  - Port Scanning

# os  - OS Fingerprinting

# bd  - Backdoors and Virii

SECURITY_OPTIONS="sfd pod ps os bd"

# Misc. Settings

# ----------------------------------------

# some firewall settings you may or may not want

/bin/echo 0  > /proc/sys/net/ipv4/ip_forward # turned on later on

/bin/echo 1  > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

/bin/echo 1  > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

/bin/echo 10 > /proc/sys/net/ipv4/icmp_ratelimit

/bin/echo 1  > /proc/sys/net/ipv4/conf/all/rp_filter

/bin/echo 1  > /proc/sys/net/ipv4/conf/all/log_martians

/bin/echo 0  > /proc/sys/net/ipv4/conf/all/send_redirects

/bin/echo 0  > /proc/sys/net/ipv4/conf/all/accept_source_route

# flush default chains

/bin/echo -e "   [Flushing] Default chains..."

/sbin/iptables           --flush

/sbin/iptables -t nat    --flush

/sbin/iptables -t mangle --flush

# Flush Old Tables

# ----------------------------------------

# Flush user-defined chains

/bin/echo -e '   [Flushing] User-defined chains...'

/sbin/iptables           --delete-chain

/sbin/iptables -t nat    --delete-chain

/sbin/iptables -t mangle --delete-chain

# Add User Defined Chains

/sbin/iptables -N syn-flood

/sbin/iptables -N pod

/sbin/iptables -N valid-tcp-flags

/sbin/iptables -N os-fingerprint

/sbin/iptables -N backdoors

/sbin/iptables -N LOG-and-drop

# User-defined Chains

# ----------------------------------------

# Adds some degree of SYN flood protection.
# Packets that pass the rate limit RETURN to the calling chain so the
# port rules below still decide whether they are accepted; an ACCEPT here
# would let every rate-limited SYN (and every non-SYN packet) through to
# any port, bypassing the rest of the firewall.
/sbin/iptables -A syn-flood -p tcp   --syn -m limit --limit 1/s --limit-burst 4 -j RETURN
/sbin/iptables -A syn-flood -p tcp   --syn -j DROP
/sbin/iptables -A syn-flood -p tcp ! --syn -j RETURN

# Defend against The Ping of Death.

/sbin/iptables -A pod -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Check for incorrect TCP state flags (port scans).

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags ALL NONE                -j LOG-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags ALL ALL                 -j LOG-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags ALL FIN,URG,PSH         -j LOG-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,FIN FIN             -j LOG-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,PSH PSH             -j LOG-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,URG URG             -j LOG-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags SYN,FIN SYN,FIN         -j LOG-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags SYN,RST SYN,RST         -j LOG-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags FIN,RST FIN,RST         -j LOG-and-drop

# Block OS Fingerprinting (Does not always work).

/sbin/iptables -A os-fingerprint -p tcp --dport 0 -j DROP

/sbin/iptables -A os-fingerprint -p udp --dport 0 -j DROP

/sbin/iptables -A os-fingerprint -p tcp --sport 0 -j DROP

/sbin/iptables -A os-fingerprint -p udp --sport 0 -j DROP

# Block ICMP-Address-Mask

/sbin/iptables -A os-fingerprint -p icmp --icmp-type address-mask-request -j DROP 

/sbin/iptables -A os-fingerprint -p icmp --icmp-type address-mask-reply   -j DROP

# Block Various Virii and Backdoors

/sbin/iptables -A backdoors -p tcp --dport 6670        -j DROP #Deepthroat

/sbin/iptables -A backdoors -p tcp --dport 1243        -j DROP #Subseven

/sbin/iptables -A backdoors -p udp --dport 1243        -j DROP #Subseven

/sbin/iptables -A backdoors -p tcp --dport 27374       -j DROP #Subseven

/sbin/iptables -A backdoors -p udp --dport 27374       -j DROP #Subseven

/sbin/iptables -A backdoors -p tcp --dport 6711:6713   -j DROP #Subseven

/sbin/iptables -A backdoors -p tcp --dport 12345:12346 -j DROP #Netbus

/sbin/iptables -A backdoors -p tcp --dport 20034       -j DROP #Netbus

/sbin/iptables -A backdoors -p udp --dport 31337:31338 -j DROP #Back Orifice

/sbin/iptables -A backdoors -p udp --dport 28431       -j DROP #Hack-a-Tack-2000

# Log and drop chain

/sbin/iptables -A LOG-and-drop -j LOG --log-ip-options --log-tcp-options --log-level debug

/sbin/iptables -A LOG-and-drop -j DROP

# Forwarding Not Supported

# ----------------------------------------

# This is a basic iptables script so there is no forwarding. (may be added later)

/bin/echo -e '   [Dropping] All forwarding packets'

/sbin/iptables -A FORWARD -j DROP

# Security Options

# ----------------------------------------

for OPTION in $SECURITY_OPTIONS ; do

  # SYN Flooding

  if [ 'sfd' == $OPTION ]

    then

       /bin/echo -e '   [Checking] For SYN Flooding'

       /sbin/iptables -A INPUT  -p tcp -j syn-flood

       /sbin/iptables -A OUTPUT -p tcp -j syn-flood

  fi

  # Ping of Death

  if [ 'pod' == $OPTION ]

    then

       /bin/echo -e '   [Checking] For The Ping of Death'

       /sbin/iptables -A INPUT  -j pod

       /sbin/iptables -A OUTPUT -j pod

  fi

  # Port Scanning

  if [ 'ps' == $OPTION ]

    then

       /bin/echo -e '   [Checking] For invalid TCP state flag combinations (port scans)'

       /sbin/iptables -A INPUT  -p tcp -j valid-tcp-flags

       /sbin/iptables -A OUTPUT -p tcp -j valid-tcp-flags

  fi

  if [ 'os' == $OPTION ]

    then

       /bin/echo -e '   [Checking] For OS Fingerprinting'

       /sbin/iptables -A INPUT  -j os-fingerprint

       /sbin/iptables -A OUTPUT -j os-fingerprint

  fi

  if [ 'bd' == $OPTION ]

    then

       /bin/echo -e '   [Checking] For Backdoor and Virii Attacks'

       /sbin/iptables -A INPUT  -j backdoors

       /sbin/iptables -A OUTPUT -j backdoors

  fi

done

# Accept Generic Outbound Ports

# ----------------------------------------

for PORT in $OPEN_PORTS_OUTBOUND ; do

  /bin/echo -e "   [Allowing] (outbound) $PORT"

  /sbin/iptables -A OUTPUT -o $INTERFACE -p TCP --sport $PORTS_HIGH --dport $PORT -m state --state NEW -j ACCEPT

  /sbin/iptables -A OUTPUT -o $INTERFACE -p UDP --sport $PORTS_HIGH --dport $PORT -m state --state NEW -j ACCEPT

  # DNS needs established outbound connections. 

  if [ 'domain' == $PORT ]

    then

      /sbin/iptables -A OUTPUT -o $INTERFACE -p UDP --sport $PORTS_HIGH --dport $PORT -m state --state ESTABLISHED -j ACCEPT

  fi

done

# Accept Custom Ports Outbound

# ----------------------------------------

# a custom way of handling outbound ftp

/bin/echo -e '   [Allowing] (outbound) ftp'

/sbin/iptables -A OUTPUT -o $INTERFACE -p TCP --sport $PORTS_HIGH --dport ftp         -j ACCEPT

/sbin/iptables -A INPUT  -i $INTERFACE -p TCP --dport $PORTS_HIGH --sport ftp ! --syn -j ACCEPT

/sbin/iptables -A OUTPUT -o $INTERFACE -p TCP --sport $PORTS_HIGH --dport $PORTS_HIGH         -j ACCEPT

/sbin/iptables -A INPUT  -i $INTERFACE -p TCP --dport $PORTS_HIGH --sport $PORTS_HIGH ! --syn -j ACCEPT

/sbin/iptables -A INPUT  -i $INTERFACE -p TCP --dport ftp --syn                               -j DROP 

# allow wake on lan packets with a destination port of 9

/sbin/iptables -A OUTPUT -o $INTERFACE -p UDP --sport $PORTS_HIGH --dport 9 -j ACCEPT

# Accept Generic Inbound Ports

# ----------------------------------------

for PORT in $OPEN_PORTS_INBOUND ; do

  /bin/echo -e "   [Allowing] (inbound) $PORT"

  /sbin/iptables -A INPUT  -i $INTERFACE -p TCP --sport $PORTS_HIGH --dport $PORT -m state --state NEW -j ACCEPT

  /sbin/iptables -A INPUT  -i $INTERFACE -p UDP --sport $PORTS_HIGH --dport $PORT -m state --state NEW -j ACCEPT

done

# Accept Custom Ports Inbound

# ----------------------------------------

# restrict inbound ssh connections to local ip addresses

# the whole world does not need ssh access to your computer

/bin/echo -e '   [Allowing] (inbound) ssh, local only'

/sbin/iptables -A INPUT -i $INTERFACE -s $RESERVED_IP_192_SPACE -p TCP --sport $PORTS_HIGH --dport ssh -m state --state NEW,RELATED -j ACCEPT

/sbin/iptables -A INPUT -i $INTERFACE -s $RESERVED_IP_192_SPACE -p UDP --sport $PORTS_HIGH --dport ssh -m state --state NEW,RELATED -j ACCEPT

# allows internal processes to access the loopback device

# many of the programs you're running need this

/bin/echo -e '   [Allowing] Loopback Interface'

/sbin/iptables -A INPUT  -i lo -j ACCEPT

/sbin/iptables -A OUTPUT -o lo -j ACCEPT

/bin/echo -e '   [Allowing] ICMP Pinging'

/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

/sbin/iptables -A INPUT  -p icmp --icmp-type echo-reply   -j ACCEPT

# Established Connection Handling

# ----------------------------------------

# this will allow return traffic initiated by your computer

if [ 'on' == $ALLOW_ESTABLISHED_INBOUND ]

  then

    /bin/echo -e '   [Allowing] Inbound packets for established connections'

    /sbin/iptables -A INPUT -i $INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

    /sbin/iptables -A INPUT -i $INTERFACE -m state --state NEW,INVALID         -j LOG-and-drop 

fi

# if you're running a server you'll need this

if [ 'on' == $ALLOW_ESTABLISHED_OUTBOUND ]

  then

    /bin/echo -e '   [Allowing] Outbound packets for established connections'

    /sbin/iptables -A OUTPUT -o $INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

    /sbin/iptables -A OUTPUT -o $INTERFACE -m state --state NEW,INVALID         -j LOG-and-drop 

fi

# DROP All Other Packets

# ----------------------------------------

# the firewall is useless without this

/bin/echo -e '   [Dropping] All other packets'

/sbin/iptables -A INPUT   -j DROP

/sbin/iptables -A OUTPUT  -j DROP

/sbin/iptables -A FORWARD -j DROP

/bin/echo ' '

  eend $?

}

stop() {

  ebegin "Stopping Firewall"

/bin/echo ' '

# Flush Default Chains

/bin/echo -e "   [Flushing] Default chains..."

/sbin/iptables           --flush

/sbin/iptables -t nat    --flush

/sbin/iptables -t mangle --flush

# Flush User Defined Chains

/bin/echo -e '   [Flushing] User-defined chains...'

/sbin/iptables           --delete-chain

/sbin/iptables -t nat    --delete-chain

/sbin/iptables -t mangle --delete-chain

/bin/echo ' '

  eend $?

}

restart() {

  ebegin "Restarting Firewall"

  svc_stop

  svc_start

  eend $?

}

status() {

  /sbin/iptables -L -n -v

  eend $?

}
```

So if you have observations or suggestions, please help me out and post them.

Last edited by mcdermottpa on Sun Nov 07, 2004 9:12 am; edited 2 times in total

----------

## untiefe

*mcdermottpa wrote:*

> There does not seem to be a newbie friendly firewall setup guide (at least I couldn't find it).

Try kmyfirewall (emerge kmyfirewall). I think it is a really easy gui to setup iptables...

----------

## arskq

I'd recommend to take a look at FireHOL if you want it the easy way. (also in portage) http://firehol.sf.net

----------

## 80686

I can recommend fwbuilder.

It's made for bigger setups and therefore not always suitable for beginners (depends on their knowledge about firewalls in general).

To configure iptables for bigger setups with several nets (dmz, lan, i.e.) and a bunch of magic it is just great.

----------

## mcdermottpa

I'm trying them out now and they look good. I like fwbuilder especially. But this does not address the problem I was really thinking of.... while a newbie is installing, compiling X, Gnome (or KDE), and trying to learn a million and one things about linux/gentoo, he/she is connected to the net without any kind of firewall. Aren't newbies the least capable of responding to a successful attack? Shouldn't there be some kind of basic firewall in place right after typing 'emerge system'?

Oh, I updated the init script above and got rid of the bug. (seems dns has special needs.)

----------

## 80686

Ok, I understood and agree with you.

What about integrating that into the iptables package which also contains `/etc/conf.d/iptables` and `/etc/init.d/iptables`?

I think that would be the right place. Additionally, the Gentoo Installation Guide should be updated, explaining that people need to install iptables if they connect to the internet.

A default setup could be integrated by installing it into `/var/lib/iptables/rules-save`, that's the place where the `/etc/init.d/iptables` script saves the current state of the iptables when called with `/etc/init.d/iptables save`. These settings will then be used when starting `/etc/init.d/iptables`.

Perhaps it would make sense to integrate the variables from your script into `/etc/conf.d/iptables` and use an additional parameter for `/etc/init.d/iptables` (i.e. 'setup') to run your script, read the variables and setup the iptables as wanted.

----------

## mcdermottpa

Thanks for explaining how /etc/init.d/iptables works 80686. It was something I hadn't even looked at. I'm going to see what I can do about integrating an optional parameter so that there is a "default installation firewall" that can be switched off/modified when users are ready.

It would allow http https rsync distcc ssh php3 imap smtp, and maybe ftp but drop everything else for a safer installation and newbie experience.

While I have been lucky, looking through some past network/security posts, it looks like a lot of newbies who forget about test accounts (some without passwords) and don't have firewalls working are getting hacked. I agree, a strong recommendation should be in the handbook. If it were integrated with a simple variable like:

```
installation_firewall=on
```

in /etc/conf.d/iptables and it would be a safer world for all.

One question though. The format of /var/lib/iptables/rules-save is a bit confusing. Is there some place I can read about it? A section like this:

*Quote:*

> :PREROUTING ACCEPT [776:239046]
> :POSTROUTING ACCEPT [74:5235]
> :OUTPUT ACCEPT [0:0]
> ...

is doing something, I'm just not sure what.

----------

## 80686

The contents of /var/lib/iptables/rules-save are written by calling

```
iptables-save > /var/lib/iptables/rules-save
```

So it has a special internal format invented by the iptables guys.

That's a standard command that is used when you call

```
/etc/init.d/iptables save
```

To see what it does just wrap it the other way round:

```
# iptables-restore < /var/lib/iptables/rules-save
# iptables -L
```
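As an added example that is not from either poster: a small Python parser for the iptables-save format that 80686 describes and mcdermottpa quotes, showing what the `*table`, `:CHAIN POLICY [packets:bytes]` and `COMMIT` lines mean, plus two checks a default-deny script like the one in this thread should pass (built-in filter policies are DROP, every `-j` target exists). The dump is a constructed sample: the nat counters are the ones quoted above, the rest is made up.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the nat counters are the ones quoted above, the filter
# table is modelled on the script in this thread, everything else is made up.
SAMPLE_RULES_SAVE = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [776:239046]
:POSTROUTING ACCEPT [74:5235]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [13:1212]
:FORWARD DROP [0:0]
:OUTPUT DROP [2:96]
:LOG-and-drop - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ath0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ath0 -m state --state NEW,INVALID -j LOG-and-drop
-A OUTPUT -o lo -j ACCEPT
-A LOG-and-drop -j LOG --log-prefix "FIREWALL DROP: " --log-level 7
-A LOG-and-drop -j DROP
COMMIT
"""

# Verdicts and target extensions: anything else after -j must be a chain.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}
# ':CHAIN POLICY [packets:bytes]'; user-defined chains show '-' as policy.
CHAIN_LINE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")

@dataclass
class Chain:
    name: str
    policy: Optional[str]       # None for user-defined chains
    packets: int                # counters at the moment of the save
    bytes: int
    rules: List[str] = field(default_factory=list)

def parse_rules_save(text: str) -> Dict[str, Dict[str, Chain]]:
    """Return {table: {chain: Chain}} for an iptables-save dump."""
    tables: Dict[str, Dict[str, Chain]] = {}
    table: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # comments only carry timestamps
        if line.startswith("*"):           # '*filter' opens a table block
            table = line[1:]
            tables[table] = {}
            continue
        if table is None:
            raise ValueError(f"line {lineno}: {line!r} outside a table block")
        if line.startswith(":"):
            m = CHAIN_LINE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: bad chain line {line!r}")
            name, policy, pkts, byts = m.groups()
            tables[table][name] = Chain(
                name, None if policy == "-" else policy, int(pkts), int(byts))
        elif line == "COMMIT":             # closes the table block
            table = None
        elif line.startswith("-A "):       # an append rule in iptables syntax
            chain = shlex.split(line)[1]
            if chain not in tables[table]:
                raise ValueError(f"line {lineno}: rule for unknown chain {chain}")
            tables[table][chain].rules.append(line)
        else:
            raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    if table is not None:
        raise ValueError(f"table {table!r} has no COMMIT")
    return tables

def non_drop_policies(tables) -> List[str]:
    """Built-in filter chains whose policy is not DROP (default-deny check)."""
    filt = tables.get("filter", {})
    return [c for c in ("INPUT", "FORWARD", "OUTPUT")
            if c in filt and filt[c].policy != "DROP"]

def undefined_jump_targets(tables) -> List[str]:
    """'-j X' targets that are neither a verdict nor a chain of the same table."""
    missing = []
    for tname, chains in tables.items():
        for chain in chains.values():
            for rule in chain.rules:
                argv = shlex.split(rule)
                if "-j" in argv:
                    target = argv[argv.index("-j") + 1]
                    if target not in BUILTIN_TARGETS and target not in chains:
                        missing.append(f"{tname}/{chain.name}: {target}")
    return missing

if __name__ == "__main__":
    parsed = parse_rules_save(SAMPLE_RULES_SAVE)
    for tname, chains in parsed.items():
        for c in chains.values():
            print(tname, c.name, c.policy, c.packets, c.bytes, len(c.rules))
    print("non-DROP policies:", non_drop_policies(parsed))
    print("undefined -j targets:", undefined_jump_targets(parsed))
```

Running it against a real dump (`iptables-save | python3 this.py` after swapping the sample for `sys.stdin.read()`) reports any built-in chain that was left at ACCEPT and any rule jumping to a chain that the save does not define.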

----------

## mcdermottpa

I've been working on my firewall init script. It has been trimmed down a bit and several bugs have been fixed since the last posted version. 

```
#!/sbin/runscript

# Copyright 2004 Peter McDermott

# Distributed under the terms of the GNU General Public License v2

#

# Basic Netfilter Script 0.1.3 2004/11/16

# <peter@mcdermottpa.com>

#

# This is not a production release.

# It should be treated as entirely insecure.

#

# This script is intended for users who are running Gentoo with a

# direct connection to the Internet or one connected through a router.

#

start() {

  ebegin "Starting Firewall"

/bin/echo ' '

# interface to the internet

# could be eth0, ath0 or something else

INTERFACE="ath0"

# the loopback address

LOOPBACK="127.0.0.0/8"

# reserved local addresses

RESERVED_IP_172_SPACE="172.16.0.0/12"

RESERVED_IP_192_SPACE="192.168.0.0/16"

RESERVED_IP_10_SPACE="10.0.0.0/8"

RESERVED_IP_MULTICAST="224.0.0.0/4"

RESERVED_IP_FUTURE="240.0.0.0/5"

# unprivileged ports

PORTS_HIGH="1024:65535"

# Add checking to secure against several types of attacks.

# Not all possible attacks by these methods will be stopped

# using these security options. You have been warned.

# sfd - SYN Flooding

# pod - Ping of Death

# ps  - Port Scanning

# os  - OS Fingerprinting

# bd  - Backdoors and Virii

SECURITY_OPTIONS="sfd pod ps os bd"

# some firewall settings you may or may not want (or need)

/bin/echo 0  > /proc/sys/net/ipv4/ip_forward # turned on later on

/bin/echo 1  > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

/bin/echo 1  > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

/bin/echo 10 > /proc/sys/net/ipv4/icmp_ratelimit

/bin/echo 1  > /proc/sys/net/ipv4/conf/all/rp_filter

/bin/echo 1  > /proc/sys/net/ipv4/conf/all/log_martians

/bin/echo 0  > /proc/sys/net/ipv4/conf/all/send_redirects

/bin/echo 0  > /proc/sys/net/ipv4/conf/all/accept_source_route

# flush default chains

/bin/echo -e "   [Flushing] Default chains..."

/sbin/iptables           --flush

/sbin/iptables -t nat    --flush

/sbin/iptables -t mangle --flush

# Flush user-defined chains

/bin/echo -e '   [Flushing] User-defined chains...'

/sbin/iptables           --delete-chain

/sbin/iptables -t nat    --delete-chain

/sbin/iptables -t mangle --delete-chain

# Add User Defined Chains

/sbin/iptables -N syn-flood

/sbin/iptables -N pod

/sbin/iptables -N valid-tcp-flags

/sbin/iptables -N os-fingerprint

/sbin/iptables -N backdoors

/sbin/iptables -N LOG-ps-and-drop

/sbin/iptables -N LOG-os-and-drop

/sbin/iptables -N LOG-bd-and-drop

/sbin/iptables -N LOG-and-drop

# All packets that are not explicitly accepted should be dropped.

/bin/echo -e '   [Dropping] All packets not explicitly accepted'

/sbin/iptables -P INPUT DROP

/sbin/iptables -P OUTPUT DROP

/sbin/iptables -P FORWARD DROP

# Adds some degree of SYN flood protection.
# Packets that pass the rate limit RETURN to the calling chain so the
# port rules below still decide whether they are accepted; an ACCEPT here
# would let every rate-limited SYN (and every non-SYN packet) through to
# any port, bypassing the rest of the firewall.
/sbin/iptables -A syn-flood -p tcp                  --syn -m limit --limit 1/s --limit-burst 4 -j RETURN
/sbin/iptables -A syn-flood -i $INTERFACE  -p tcp   --syn -j LOG --log-ip-options --log-tcp-options --log-level crit --log-prefix 'FIREWALL DROP SYN: '
/sbin/iptables -A syn-flood -p tcp                  --syn -j DROP
/sbin/iptables -A syn-flood -p tcp                ! --syn -j RETURN

# Defend against The Ping of Death.

/sbin/iptables -A pod -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Check for incorrect TCP state flags (port scans).

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags ALL NONE                -j LOG-ps-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags ALL ALL                 -j LOG-ps-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags ALL FIN,URG,PSH         -j LOG-ps-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG-ps-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,FIN FIN             -j LOG-ps-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,PSH PSH             -j LOG-ps-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,URG URG             -j LOG-ps-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags SYN,FIN SYN,FIN         -j LOG-ps-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags SYN,RST SYN,RST         -j LOG-ps-and-drop

/sbin/iptables -A valid-tcp-flags -p tcp --tcp-flags FIN,RST FIN,RST         -j LOG-ps-and-drop

# Log and drop possible port scans

/sbin/iptables -A LOG-ps-and-drop -j LOG --log-ip-options --log-tcp-options --log-level warning --log-prefix 'FIREWALL DROP PORT SCAN: ' 

/sbin/iptables -A LOG-ps-and-drop -j DROP

# Block OS Fingerprinting (Does not always work).

/sbin/iptables -A os-fingerprint -p tcp --dport 0 -j LOG-os-and-drop

/sbin/iptables -A os-fingerprint -p udp --dport 0 -j LOG-os-and-drop

/sbin/iptables -A os-fingerprint -p tcp --sport 0 -j LOG-os-and-drop

/sbin/iptables -A os-fingerprint -p udp --sport 0 -j LOG-os-and-drop

# Block ICMP-Address-Mask

/sbin/iptables -A os-fingerprint -p icmp --icmp-type address-mask-request -j LOG-os-and-drop 

/sbin/iptables -A os-fingerprint -p icmp --icmp-type address-mask-reply   -j LOG-os-and-drop

# Log and drop possible OS Fingerprinting

/sbin/iptables -A LOG-os-and-drop -j LOG --log-ip-options --log-tcp-options --log-level warning --log-prefix 'FIREWALL DROP OS FP: ' 

/sbin/iptables -A LOG-os-and-drop -j DROP

# Block Various Virii and Backdoors

/sbin/iptables -A backdoors -p tcp --dport 6670        -j LOG-bd-and-drop #Deepthroat

/sbin/iptables -A backdoors -p tcp --dport 1243        -j LOG-bd-and-drop #Subseven

/sbin/iptables -A backdoors -p udp --dport 1243        -j LOG-bd-and-drop #Subseven

/sbin/iptables -A backdoors -p tcp --dport 27374       -j LOG-bd-and-drop #Subseven

/sbin/iptables -A backdoors -p udp --dport 27374       -j LOG-bd-and-drop #Subseven

/sbin/iptables -A backdoors -p tcp --dport 6711:6713   -j LOG-bd-and-drop #Subseven

/sbin/iptables -A backdoors -p tcp --dport 12345:12346 -j LOG-bd-and-drop #Netbus

/sbin/iptables -A backdoors -p tcp --dport 20034       -j LOG-bd-and-drop #Netbus

/sbin/iptables -A backdoors -p udp --dport 31337:31338 -j LOG-bd-and-drop #Back Orifice

/sbin/iptables -A backdoors -p udp --dport 28431       -j LOG-bd-and-drop #Hack-a-Tack-2000

# Log and drop possible Backdoor Attacks

/sbin/iptables -A LOG-bd-and-drop -j LOG --log-ip-options --log-tcp-options --log-level warning --log-prefix 'FIREWALL DROP BACKDOOR: ' 

/sbin/iptables -A LOG-bd-and-drop -j DROP

# Generic Log and drop chain

/sbin/iptables -A LOG-and-drop -j LOG --log-ip-options --log-tcp-options --log-level debug --log-prefix 'FIREWALL DROP: ' 

/sbin/iptables -A LOG-and-drop -j DROP

# This is a basic iptables script so there is no forwarding. (may be added later)

/bin/echo -e '   [Dropping] All forwarding packets'

/sbin/iptables -A FORWARD -j DROP

for OPTION in $SECURITY_OPTIONS ; do

  # SYN Flooding

  if [ 'sfd' == $OPTION ]

    then

       /bin/echo -e '   [Checking] For SYN Flooding (logging)'

       /sbin/iptables -A INPUT  -p tcp -j syn-flood

       /sbin/iptables -A OUTPUT -p tcp -j syn-flood

  fi

  # Ping of Death

  if [ 'pod' == $OPTION ]

    then

       /bin/echo -e '   [Checking] For The Ping of Death (logging)'

       /sbin/iptables -A INPUT  -j pod

       /sbin/iptables -A OUTPUT -j pod

  fi

  # Port Scanning

  if [ 'ps' == $OPTION ]

    then

       /bin/echo -e '   [Checking] Port Scans (logging)'

       /sbin/iptables -A INPUT  -p tcp -j valid-tcp-flags

       /sbin/iptables -A OUTPUT -p tcp -j valid-tcp-flags

  fi

  if [ 'os' == $OPTION ]

    then

       /bin/echo -e '   [Checking] For OS Fingerprinting (logging)'

       /sbin/iptables -A INPUT  -j os-fingerprint

       /sbin/iptables -A OUTPUT -j os-fingerprint

  fi

  if [ 'bd' == $OPTION ]

    then

       /bin/echo -e '   [Checking] For Backdoor Attacks (logging)'

       /sbin/iptables -A INPUT  -j backdoors

       /sbin/iptables -A OUTPUT -j backdoors

  fi

done

# ftp

/bin/echo -e '   [Allowing] (outbound) ftp'

/sbin/iptables -A OUTPUT -o $INTERFACE -p TCP --sport $PORTS_HIGH --dport ftp                 -j ACCEPT

/sbin/iptables -A INPUT  -i $INTERFACE -p TCP --sport ftp         --dport $PORTS_HIGH ! --syn -j ACCEPT

/sbin/iptables -A OUTPUT -o $INTERFACE -p TCP --sport $PORTS_HIGH --dport $PORTS_HIGH         -j ACCEPT

/sbin/iptables -A INPUT  -i $INTERFACE -p TCP --sport $PORTS_HIGH --dport $PORTS_HIGH ! --syn -j ACCEPT

# pop email accounts

/bin/echo -e "   [Allowing] (outbound) pop3"

/sbin/iptables -A OUTPUT -o $INTERFACE -p TCP --sport $PORTS_HIGH --dport pop3        -m state --state NEW,ESTABLISHED -j ACCEPT

/sbin/iptables -A INPUT  -i $INTERFACE -p TCP --sport pop3        --dport $PORTS_HIGH -m state --state ESTABLISHED     -j ACCEPT

# imap email accounts

/bin/echo -e "   [Allowing] (outbound) imap2"

/sbin/iptables -A OUTPUT -o $INTERFACE -p TCP --sport $PORTS_HIGH --dport imap2       -m state --state NEW,ESTABLISHED -j ACCEPT

/sbin/iptables -A INPUT  -i $INTERFACE -p TCP --sport imap2       --dport $PORTS_HIGH -m state --state ESTABLISHED     -j ACCEPT

# for sending email

/bin/echo -e "   [Allowing] (outbound) smtp"

/sbin/iptables -A OUTPUT -o $INTERFACE -p TCP --sport $PORTS_HIGH --dport smtp        -m state --state NEW,ESTABLISHED -j ACCEPT

/sbin/iptables -A INPUT  -i $INTERFACE -p TCP --sport smtp        --dport $PORTS_HIGH -m state --state ESTABLISHED     -j ACCEPT

# domain name lookups (unless you plan using ip addresses you'll need this)

/bin/echo -e "   [Allowing] (outbound) domain"

/sbin/iptables -A OUTPUT -o $INTERFACE -p UDP --sport $PORTS_HIGH --dport domain      -m state --state NEW,ESTABLISHED -j ACCEPT

/sbin/iptables -A INPUT  -i $INTERFACE -p UDP --sport domain      --dport $PORTS_HIGH -m state --state ESTABLISHED     -j ACCEPT

# good old http (web browsing)

/bin/echo -e "   [Allowing] (outbound) www"

/sbin/iptables -A OUTPUT -o $INTERFACE -p TCP --sport $PORTS_HIGH --dport www         -m state --state NEW,ESTABLISHED -j ACCEPT

/sbin/iptables -A INPUT  -i $INTERFACE -p TCP --sport www         --dport $PORTS_HIGH -m state --state ESTABLISHED     -j ACCEPT

# encrypted http

/bin/echo -e "   [Allowing] (outbound) https"

/sbin/iptables -A OUTPUT -o $INTERFACE -p TCP --sport $PORTS_HIGH --dport https       -m state --state NEW,ESTABLISHED -j ACCEPT

/sbin/iptables -A INPUT  -i $INTERFACE -p TCP --sport https       --dport $PORTS_HIGH -m state --state ESTABLISHED     -j ACCEPT

# needed if you 'portage sync'

/bin/echo -e "   [Allowing] (outbound) rsync"

/sbin/iptables -A OUTPUT -o $INTERFACE -p TCP --sport $PORTS_HIGH --dport rsync       -m state --state NEW,ESTABLISHED -j ACCEPT

/sbin/iptables -A INPUT  -i $INTERFACE -p TCP --sport rsync       --dport $PORTS_HIGH -m state --state ESTABLISHED     -j ACCEPT

# allows internal processes to access the loopback device

# many of the programs you're running need this

/bin/echo -e '   [Allowing] Loopback Interface'

/sbin/iptables -A INPUT  -i lo -j ACCEPT

/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# allows pinging

/bin/echo -e '   [Allowing] ICMP Pinging'

/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

/sbin/iptables -A INPUT  -p icmp --icmp-type echo-reply   -j ACCEPT

/bin/echo ' '

  eend $?

}

stop() {

  ebegin "Stopping Firewall"

/bin/echo ' '

# Flush Default Chains

/bin/echo -e "   [Flushing] Default chains..."

/sbin/iptables           --flush

/sbin/iptables -t nat    --flush

/sbin/iptables -t mangle --flush

# Flush User Defined Chains

/bin/echo -e '   [Flushing] User-defined chains...'

/sbin/iptables           --delete-chain

/sbin/iptables -t nat    --delete-chain

/sbin/iptables -t mangle --delete-chain

/bin/echo ' '

  eend $?

}

restart() {

  ebegin "Restarting Firewall"

  svc_stop

  svc_start

  eend $?

}

status() {

  /sbin/iptables -L -n -v

  eend $?

}
```

There are a few things I use but that were removed from the script to keep things generic.

```
# to connect to your very own ntp server (to sync your computer's clock with the world)

/bin/echo -e "   [Allowing] (outbound) ntp"

/sbin/iptables -A OUTPUT -o $INTERFACE -p UDP --sport ntp --dport ntp  -m state --state NEW,ESTABLISHED -j ACCEPT

/sbin/iptables -A INPUT  -i $INTERFACE -p UDP --sport ntp --dport ntp  -m state --state ESTABLISHED     -j ACCEPT

# ssh, this will allow you to connect to any ssh server, but only local ip addresses will be able to connect (if you're running sshd)
/bin/echo -e '   [Allowing] (in/out) ssh, inbound local network only'
# outbound client connections and their replies
/sbin/iptables -A OUTPUT -o $INTERFACE                           -p TCP --sport $PORTS_HIGH --dport ssh         -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT  -i $INTERFACE                           -p TCP --sport ssh         --dport $PORTS_HIGH -m state --state ESTABLISHED     -j ACCEPT
# inbound connections to your sshd: new connections only from the 192.168/16 range,
# and the replies back out to that range (a client connects FROM a high port TO port ssh)
/sbin/iptables -A INPUT  -i $INTERFACE -s $RESERVED_IP_192_SPACE -p TCP --sport $PORTS_HIGH --dport ssh         -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o $INTERFACE -d $RESERVED_IP_192_SPACE -p TCP --sport ssh         --dport $PORTS_HIGH -m state --state ESTABLISHED     -j ACCEPT

# needed if you want to use distcc (it listens on tcp port 3632, not on the rsync port)
/bin/echo -e "   [Allowing] (outbound) distcc"
/sbin/iptables -A OUTPUT -o $INTERFACE -p TCP --sport $PORTS_HIGH --dport 3632        -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT  -i $INTERFACE -p TCP --sport 3632        --dport $PORTS_HIGH -m state --state ESTABLISHED     -j ACCEPT

# allow wake on lan packets with a destination port of 9 (could be any port really)

/bin/echo -e "   [Allowing] (outbound) wakeonlan packets"

/sbin/iptables -A OUTPUT -o $INTERFACE -p UDP --sport $PORTS_HIGH --dport 9 -j ACCEPT
```

----------

## shiny

*80686 wrote:*

> The contents of /var/lib/iptables/rules-save are written by calling
>
> ```
> iptables-save > /var/lib/iptables/rules-save
> ```
> ...

My problem: Rules don't get loaded automatically after bootup and I have to load them manually.

At first I thought there is something wrong with saving the rules when I type 

```
/etc/init.d/iptables save
```

but /var/lib/iptables/rules-save contains my rules and the file is written 2 seconds ago, so saving itself works. I manually load the rules with 

```
/sbin/iptables-restore < /var/lib/iptables/rules-save
```

which works too. Btw: I didn't forget

```
rc-update add iptables default
```

But when the system boots and /etc/init.d/iptables is called (it is, because iptables itself is running after boot) it seems like line 5 in

```
start() {
        checkrules || return 1
        ebegin "Loading iptables state and starting firewall"
        einfo "Restoring iptables ruleset"
        /sbin/iptables-restore ${SAVE_RESTORE_OPTIONS} < ${IPTABLES_SAVE}
        if [ "${ENABLE_FORWARDING_IPv4}" = "yes" ] ; then
                einfo "Enabling forwarding for ipv4"
                echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
        fi
        eend $?
}
```

is ignored. Am I right?

Or formulated in another way: In which way can the rules be loaded automatically?

Any help is appreciated!

cheers,

  shiny

----------

## shiny

my prob is solved

msyslog couldn't be started due to a parameter in its config that start-stop-daemon doesn't know (god knows why..). so "logger" wasn't available and so iptables didn't start because of its depend clause in /etc/init.d/iptables.

so i uninstalled msyslog and installed sysklogd and everything works fine now

and all this trouble for days only because of an invalid parameter..

----------

## Matteo Azzali

Checked the script (marked as exec and stored in init.d), working good.

Adding this one on the livecd would be great......

----------

## GurliGebis

Run your script, run /etc/init.d/iptables save, then add iptables to default runlevel.

If you need forwarding, add it to /etc/sysctl.conf

That way you do not need to run the script every time you reboot.

----------

