# am I secure

## kevmarks

I have been playing around with my firewall for about a week. I have learnt a lot and I think my firewall script is nearly finished. Here it is:

```
#!/bin/sh

# lets start with a clean bill of health
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# I am just damn lazy with routing
route del default
route add default ppp0

# drop everything
iptables -P INPUT DROP

# if it came from my 2 internal machines, accept it
iptables -A INPUT -s 192.168.1.99 -j ACCEPT
iptables -A INPUT -s 192.168.1.100 -j ACCEPT

# forward ports for counter strike and ident server
iptables -A PREROUTING -t nat -p tcp -i ppp0 --dport 113 -j DNAT --to 192.168.1.99
iptables -A PREROUTING -t nat -p tcp -i ppp0 --dport 27015 -j DNAT --to 192.168.1.99
iptables -A PREROUTING -t nat -p tcp -i ppp0 --dport 27005 -j DNAT --to 192.168.1.99

# accept anything that is established or related
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# if a packet ends up down here, I want to know about it.
iptables -A INPUT -j LOG --log-prefix "bad input:"

# sort some kernel stuff out
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "0" > /proc/sys/net/ipv4/tcp_ecn
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

# let's get nating
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
#iptables --append FORWARD --in-interface eth0 -j ACCEPT

# for reassurance
iptables -v -L INPUT
```

And that's it. Not as long as some of the other scripts I have seen, but it seems to be doing the job. Can anybody see any security holes here? There has to be a few.

Thanks in advance for any help.

----------

## ozukir@

Well, I'm by no means an expert, but security has been a really important topic for me in the past few months. My systems are constantly being attacked (mostly IPs from Asia and Eastern Europe if you care to know). I've been crafting my iptables firewall from the example given in the Gentoo security guide for a couple of weeks now.

My cable modem connects to an OpenBSD router/firewall. The netfilter rules for it are pretty simple: everything out maintain state, select services in (http, https, ssh, and mysql) and Established/Related traffic in. From there, each box on my internal network has an iptables firewall, aide, and snort. The difference on my host based firewalls is that I limit outgoing connections as well as incoming.

The first thing that I notice about your script is that you're accepting all connections from x.x.x.99 and x.x.x.100. What I've seen is that IP-based policies are easily defeated by spoofing. I think you may want to limit connections based on the services, MAC address, and IP address.

The second thing that I notice is that you're not controlling ICMP at all. ICMP traffic should definitely be controlled throughout your network. You should also consider how your system deals with fragments. I handle my kernel variables in the following script:

```
#!/sbin/runscript

depend () {
  before *
}

start() {
  ebegin "Setting /proc options."
  /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
  /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
  /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
  /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  for i in /proc/sys/net/ipv4/conf/*; do
    /bin/echo "1" > $i/rp_filter
  done
  /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
  /bin/echo "0" > /proc/sys/net/ipv4/ip_forward
  eend 0
}
```

Beyond what I can see in your script, I think the best approach is to tighten your exposure incrementally as traffic comes into your network. Once those packets make it to the application layer you should realize that it's all out of your control there. No matter how inherently secure your operating system is, your involvement at that point does not exist. So you want to be as sure as possible that what you receive is what you requested.

Take a look at my script for my internal computers. The script includes logging of portscans and flood protection. The other key is setting your kernel variables properly, which I've included in the previous script. The best thing about these scripts is that they work perfectly with the Gentoo init system. Here's a copy, run from /etc/init.d:

```
#!/sbin/runscript

IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
FIREWALL=/etc/firewall.rules
DNS1=24.217.0.3
DNS2=24.217.0.4

#inside
IIP=192.168.0.1
IINTERFACE=eth0
LOCAL_NETWORK=192.168.0.0/24

opts="${opts} showstatus panic save restore showoptions rules"

depend() {
  need net procparam
}

rules() {
  stop
  ebegin "Setting internal rules"
  einfo "Setting default rule to drop"
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P INPUT   DROP
  $IPTABLES -P OUTPUT  DROP

  #default rule
  einfo "Creating states chain"
  $IPTABLES -N allowed-connection
  $IPTABLES -F allowed-connection
  $IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix "Bad packet from ${IINTERFACE}:"
  $IPTABLES -A allowed-connection -j DROP

  #ICMP traffic
  einfo "Creating icmp chain"
  $IPTABLES -N icmp_allowed
  $IPTABLES -F icmp_allowed
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
  $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
  $IPTABLES -A icmp_allowed -p icmp -j DROP

  #Incoming traffic
  einfo "Creating incoming ssh traffic chain"
  $IPTABLES -N allow-ssh-traffic-in
  $IPTABLES -F allow-ssh-traffic-in
  #Flood protection
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -p tcp --dport ssh -j ACCEPT

  #Incoming traffic
  einfo "Creating incoming HTTP on port8000 traffic chain"
  $IPTABLES -N allow-http-traffic-in
  $IPTABLES -F allow-http-traffic-in
  #Flood protection
  $IPTABLES -A allow-http-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 8000 -j ACCEPT
  $IPTABLES -A allow-http-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 8000 -j ACCEPT
  $IPTABLES -A allow-http-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 8000 -j ACCEPT
  $IPTABLES -A allow-http-traffic-in -p tcp --dport 8000 -j ACCEPT

  #outgoing traffic
  einfo "Creating outgoing ssh traffic chain"
  $IPTABLES -N allow-ssh-traffic-out
  $IPTABLES -F allow-ssh-traffic-out
  $IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT

  einfo "Creating outgoing custom chain"
  $IPTABLES -N allow-custom-traffic-out
  $IPTABLES -F allow-custom-traffic-out
  $IPTABLES -A allow-custom-traffic-out -p tcp --dport 30000 -j ACCEPT

  einfo "Creating outgoing dns traffic chain"
  $IPTABLES -N allow-dns-traffic-out
  $IPTABLES -F allow-dns-traffic-out
  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain -j ACCEPT
  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain -j ACCEPT

  einfo "Creating outgoing http/https traffic chain"
  $IPTABLES -N allow-www-traffic-out
  $IPTABLES -F allow-www-traffic-out
  $IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT
  $IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT

  einfo "Creating outgoing SMTP traffic chain"
  $IPTABLES -N allow-smtp-traffic-out
  $IPTABLES -F allow-smtp-traffic-out
  $IPTABLES -A allow-smtp-traffic-out -p tcp --dport smtp -j ACCEPT

  einfo "Creating outgoing POP traffic chain"
  $IPTABLES -N allow-pop-traffic-out
  $IPTABLES -F allow-pop-traffic-out
  $IPTABLES -A allow-pop-traffic-out -p tcp --dport 110 -j ACCEPT

  einfo "Creating outgoing NEWS traffic chain"
  $IPTABLES -N allow-news-traffic-out
  $IPTABLES -F allow-news-traffic-out
  $IPTABLES -A allow-news-traffic-out -p tcp --dport 119 -j ACCEPT

  einfo "Creating outgoing CD-lookup chain"
  $IPTABLES -N allow-cdlkup-traffic-out
  $IPTABLES -F allow-cdlkup-traffic-out
  $IPTABLES -A allow-cdlkup-traffic-out -p tcp --dport 888 -j ACCEPT

  einfo "Creating outgoing jabber client chain"
  $IPTABLES -N allow-jabber-traffic-out
  $IPTABLES -F allow-jabber-traffic-out
  $IPTABLES -A allow-jabber-traffic-out -p tcp --dport 5223 -j ACCEPT

  einfo "Creating outgoing dict.org client chain"
  $IPTABLES -N allow-dict-traffic-out
  $IPTABLES -F allow-dict-traffic-out
  $IPTABLES -A allow-dict-traffic-out -p tcp --dport 2628 -j ACCEPT

  einfo "Creating outgoing webmail client chain"
  $IPTABLES -N allow-webmail-traffic-out
  $IPTABLES -F allow-webmail-traffic-out
  $IPTABLES -A allow-webmail-traffic-out -p tcp --dport 2095 -j ACCEPT

  einfo "Creating outgoing cpanel client chain"
  $IPTABLES -N allow-cpanel-traffic-out
  $IPTABLES -F allow-cpanel-traffic-out
  $IPTABLES -A allow-cpanel-traffic-out -p tcp --dport 2082 -j ACCEPT

  einfo "Creating outgoing CUPS traffic chain"
  $IPTABLES -N allow-cups-traffic-out
  $IPTABLES -F allow-cups-traffic-out
  $IPTABLES -A allow-cups-traffic-out -p tcp --dport 515 -j ACCEPT

  #Catch portscanners
  einfo "Creating portscan detection chain"
  $IPTABLES -N check-flags
  $IPTABLES -F check-flags
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

  # Apply and add invalid states to the chains
  einfo "Applying chains to INPUT"
  $IPTABLES -A INPUT -m state --state INVALID -j DROP
  $IPTABLES -A INPUT -j icmp_allowed
  $IPTABLES -A INPUT -j check-flags
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A INPUT -j allow-ssh-traffic-in
  $IPTABLES -A INPUT -j allow-http-traffic-in
  $IPTABLES -A INPUT -j allowed-connection

  einfo "Applying chains to OUTPUT"
  $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
  $IPTABLES -A OUTPUT -j icmp_allowed
  $IPTABLES -A OUTPUT -j check-flags
  $IPTABLES -A OUTPUT -o lo -j ACCEPT
  $IPTABLES -A OUTPUT -j allow-ssh-traffic-out
  $IPTABLES -A OUTPUT -j allow-custom-traffic-out
  $IPTABLES -A OUTPUT -j allow-dns-traffic-out
  $IPTABLES -A OUTPUT -j allow-www-traffic-out
  $IPTABLES -A OUTPUT -j allow-smtp-traffic-out
  $IPTABLES -A OUTPUT -j allow-pop-traffic-out
  $IPTABLES -A OUTPUT -j allow-news-traffic-out
  $IPTABLES -A OUTPUT -j allow-cdlkup-traffic-out
  $IPTABLES -A OUTPUT -j allow-jabber-traffic-out
  $IPTABLES -A OUTPUT -j allow-dict-traffic-out
  $IPTABLES -A OUTPUT -j allow-webmail-traffic-out
  $IPTABLES -A OUTPUT -j allow-cpanel-traffic-out
  $IPTABLES -A OUTPUT -j allow-cups-traffic-out
  $IPTABLES -A OUTPUT -j allowed-connection
  eend $?
}

start() {
  ebegin "Starting firewall"
  if [ -e "${FIREWALL}" ]; then
    restore
  else
    einfo "${FIREWALL} does not exist. Using default rules."
    rules
  fi
  eend $?
}

stop() {
  ebegin "Stopping firewall"
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -P INPUT   ACCEPT
  $IPTABLES -P OUTPUT  ACCEPT
  eend $?
}

showstatus() {
  ebegin "Status"
  $IPTABLES -L -n -v --line-numbers
  eend $?
}

panic() {
  ebegin "Setting panic rules"
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -t nat -F
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P INPUT   DROP
  $IPTABLES -P OUTPUT  DROP
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -j ACCEPT
  eend $?
}

save() {
  ebegin "Saving Firewall rules"
  $IPTABLESSAVE > $FIREWALL
  eend $?
}

restore() {
  ebegin "Restoring Firewall rules"
  $IPTABLESRESTORE < $FIREWALL
  eend $?
}

restart() {
  svc_stop; svc_start
}

showoptions() {
  echo "Usage: $0 {start|rules|save|restore|panic|stop|restart|showstatus}"
  echo "start)      will restore setting if exists else force rules"
  echo "stop)       delete all rules and set all to accept"
  echo "rules)      force settings of new rules"
  echo "save)       will store settings in ${FIREWALL}"
  echo "restore)    will restore settings from ${FIREWALL}"
  echo "showstatus) Shows the status"
}
```

It needs some modifications for FTP to work, but that shouldn't be difficult. It's a slightly different approach than you typically see, but it's clear and concise. I don't know if you'll find my code useful, but if you'll look at the Gentoo security guide, it originally had NAT in it.

And to your original question, the answer is NO, NEVER. I can tell you some tales of my own experience that will have you lose faith in achieving a "secured" system. I think of my security approach now as damage control.
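Both scripts in this thread end in LOG rules with distinct prefixes ("bad input:" in kevmarks' script; "Bad ICMP traffic:", "NMAP-XMAS:", "NULL_SCAN:" and the others above), and those prefixes are only useful if somebody reads the kernel log. The following is an added example, not code from anyone in the thread, of summarising netfilter LOG output by prefix and source address with awk. The sample log lines are constructed for this example using RFC 5737 test addresses and the netfilter LOG format (the prefix is printed directly in front of `IN=`); the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise netfilter LOG lines by (--log-prefix, SRC).
# SAMPLE_LOG is constructed for this example (RFC 5737 addresses); on a real
# host you would feed it /var/log/messages or the output of dmesg instead.

SAMPLE_LOG='Nov 22 20:31:02 gw kernel: NMAP-XMAS:IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=61000 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Nov 22 20:31:02 gw kernel: NMAP-XMAS:IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=61000 DPT=23 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Nov 22 20:31:03 gw kernel: NULL_SCAN:IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP SPT=61001 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Nov 22 20:35:10 gw kernel: Bad ICMP traffic:IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Nov 22 20:36:00 gw kernel: bad input:IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=TCP SPT=4444 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 22 20:36:01 gw kernel: bad input:IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=6 PROTO=TCP SPT=4445 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0'

# Reads log text on stdin and prints, tab separated and most hits first:
#   hits <TAB> log prefix <TAB> source address <TAB> number of distinct DPT values
# The distinct-port count is what separates one noisy client from a port sweep.
summarise_log() {
    awk '
        /kernel: / {
            rest = $0
            sub(/^.*kernel: /, "", rest)        # strip syslog timestamp and host
            n = index(rest, "IN=")
            if (n == 0) next                    # not a netfilter LOG line
            prefix = substr(rest, 1, n - 1)     # the --log-prefix string
            src = ""; dpt = "-"
            split(rest, f, " ")
            for (i in f) {
                if (f[i] ~ /^SRC=/) src = substr(f[i], 5)
                if (f[i] ~ /^DPT=/) dpt = substr(f[i], 5)
            }
            key = prefix "\t" src
            hits[key]++
            if (dpt != "-" && !((key, dpt) in seen)) { seen[key, dpt] = 1; ports[key]++ }
        }
        END { for (k in hits) printf "%d\t%s\t%d\n", hits[k], k, ports[k] }
    ' | sort -rn
}

# Look up one (prefix, source) row of the summary; prints "hits distinct_ports".
lookup() {
    printf '%s\n' "$SAMPLE_LOG" | summarise_log \
        | awk -F'\t' -v p="$1" -v s="$2" '$2 == p && $3 == s { print $1, $4 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarise_log
```

Run against a real log with `summarise_log < /var/log/messages`; because the prefix is recovered from the line rather than hard-coded, any prefix used in the scripts above is reported without changing the code. The ICMP row shows 0 distinct ports because those lines carry no `DPT=` field.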

----------

## kevmarks

Thanks for the help.  Your script looks huge compared to mine.  I will print it out and go through it with the iptables man page to try and understand what you are doing in there.

----------

## Ragnar

*Quote:*

> /bin/echo "0" > /proc/sys/net/ipv4/ip_forward

How do you then forward the packets?

----------

## inukshuk

Since you mentioned spoofed packets, I think the best approach is to filter based on interfaces, i.e. you drop EVERYTHING with a private (non-routable) IP that does not come from your internal interfaces.

You might already have that in your script and I just missed it -- if that's the case, apologies... I just wanted to point it out.
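ozukir@'s point that address-only accept rules are defeated by spoofing, and inukshuk's suggestion to filter on the arrival interface, come down to the same rule shape. The block below is an added example, not code from anyone in this thread: it emits interface-bound anti-spoofing rules for a two-interface gateway. It assumes ppp0 is the Internet side, eth1 the LAN side and 192.168.1.0/24 the LAN (kevmarks' addressing); `EXT_IF`, `INT_IF`, `INT_NET`, `BOGON_SOURCES` and the function names are this example's own. By default it only prints the rules; `APPLY=1` hands them to iptables. The `rp_filter` setting already in kevmarks' script does a kernel-level version of the same check, based on the routing table.

```shell
#!/bin/sh
# Added example (not from any script in this thread): anti-spoofing rules that
# tie trust to the arrival interface rather than to the claimed source address.
# Assumptions: ppp0 is the Internet side, eth1 the LAN side, LAN = 192.168.1.0/24.
# With APPLY unset the rules are only printed; APPLY=1 passes them to iptables.

EXT_IF="${EXT_IF:-ppp0}"              # assumed external interface
INT_IF="${INT_IF:-eth1}"              # assumed internal interface
INT_NET="${INT_NET:-192.168.1.0/24}"  # assumed LAN range

IPT="/sbin/iptables"
[ "${APPLY:-0}" = "1" ] || IPT="echo /sbin/iptables"   # dry run by default

# Source ranges that can never legitimately arrive from the Internet side:
# RFC 1918 space, link-local, loopback, "this" network, multicast, broadcast.
BOGON_SOURCES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 127.0.0.0/8 0.0.0.0/8 224.0.0.0/4 255.255.255.255/32"

anti_spoof_rules() {
    # A private or reserved source arriving on $EXT_IF is spoofed or misrouted by
    # definition: log it (rate limited so a flood cannot fill the disk) and drop it.
    for net in $BOGON_SOURCES; do
        $IPT -A INPUT -i "$EXT_IF" -s "$net" -m limit --limit 5/minute \
            -j LOG --log-prefix "spoofed src on $EXT_IF:"
        $IPT -A INPUT -i "$EXT_IF" -s "$net" -j DROP
    done
    # Conversely, only LAN addresses may appear on the LAN interface ...
    $IPT -A INPUT -i "$INT_IF" ! -s "$INT_NET" -j DROP
    # ... and LAN hosts are trusted only when they really arrive on it. Compare
    # "iptables -A INPUT -s 192.168.1.99 -j ACCEPT", which trusts the address
    # whichever interface carried it.
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -j ACCEPT
}

# Self-check usable in dry-run mode: number of DROP rules the function emits.
count_drop_rules() {
    anti_spoof_rules | grep -c -- '-j DROP'
}

anti_spoof_rules
```

These rules belong before the ESTABLISHED,RELATED accept in INPUT, so that a spoofed packet never gets a chance to match state first; on a gateway the same `-i $EXT_IF -s <bogon>` checks are worth repeating in FORWARD.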

----------

## ozukir@

I may not have been real clear. My script (modified slightly from the Gentoo Security Guide) is for a host-based firewall, behind my outside interface firewall. That's why I don't want to forward any packets here. On my outer interface I drop all non-routable addresses, no doubt.

----------

## Ragnar

*ozukir@ wrote:*

> I may not have been real clear. My script (modified slightly from the Gentoo Security Guide) is for a host-based firewall, behind my outside interface firewall. That's why I don't want to forward any packets here. On my outer interface I drop all non-routable addresses, no doubt.

OK. But is there any other way to forward packets then?

```
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward
```

----------

## ozukir@

*Ragnar wrote:*

> But is there any other way to forward packets then?

The way that I understand it is that you most likely want to always turn off ip_forward, even for a firewall/router. ip_forward is for a multi-homed host, and not necessary to route connections between two interfaces.

Perhaps what you're asking for here is a forward chain in iptables with prerouting NAT such as:

```
iptables -t nat -A PREROUTING -i your_outside_interface -p tcp --dport YourDestinationPort -j DNAT --to-destination 192.168.0.99
```

There are some applications where ip_forward is useful, but I wouldn't think they apply here.

Last edited by ozukir@ on Fri Nov 22, 2002 8:37 pm; edited 1 time in total

----------

## kevmarks

I thought that

```
echo "1" > /proc/sys/net/ipv4/ip_forward
```

just told the kernel that it was OK to forward packets, and that NAT and explicit port forwarding commands did the actual hard work of forwarding ports?

OK, back to the "am I secure?" question. I seem to be pretty secure at least. I am handling ICMP packets now with

```
iptables -A INPUT -p tcp -i eth1 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i eth1 -j REJECT --reject-with icmp-port-unreachable
```

I am thinking of creating a DMZ for one of the machines that will be here today or tomorrow.  Anybody know how to do this?

My home network is getting big; my little Linksys 4-port switch will be maxed out soon!

----------

## ozukir@

Well Ragnar and kevmarks, I believe you're right about

```
echo "1" > /proc/sys/net/ipv4/ip_forward
```

I had read some misleading information about the kernel parameter, that I am unable to clarify. I had thought that mangling the packets on input with an appropriate destination address based upon destination port would allow the packets to be forwarded in userspace using the kernel routing table. Much to learn.
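The exchange above settles on the division of labour kevmarks described: `ip_forward` lets the kernel forward at all, the nat/PREROUTING DNAT rule rewrites the destination, and the filter/FORWARD chain (not INPUT) is what then sees the rewritten packet and must accept it. The block below is an added example, not code from anyone in this thread, that puts those three pieces together for the ports in kevmarks' script. It assumes ppp0 outside and eth1 inside; `run`, `forwarding_baseline`, `port_forward` and `rules_for_game_server` are this example's own names. With `APPLY` unset it only prints the commands.

```shell
#!/bin/sh
# Added example (not from any script in this thread): a DNAT port forward with
# the FORWARD-chain rule and the ip_forward sysctl it depends on.
# Assumptions: ppp0 outside, eth1 inside; ports and host from kevmarks' script.
# With APPLY unset the commands are only printed; APPLY=1 executes them.

EXT_IF="${EXT_IF:-ppp0}"   # assumed external interface
INT_IF="${INT_IF:-eth1}"   # assumed internal interface
IPT="/sbin/iptables"

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$@"; fi
}

# Gateway baseline: forwarding enabled, FORWARD default-deny, replies and
# LAN-initiated traffic allowed, masquerade on the way out.
forwarding_baseline() {
    run sysctl -w net.ipv4.ip_forward=1
    run $IPT -P FORWARD DROP
    run $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
    run $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# port_forward <proto> <public port> <internal host> [<internal port>]
port_forward() {
    proto="$1"; pub_port="$2"; host="$3"; int_port="${4:-$2}"
    # 1. Rewrite the destination of packets arriving from outside.
    run $IPT -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" --dport "$pub_port" \
        -j DNAT --to-destination "$host:$int_port"
    # 2. FORWARD sees the packet after DNAT, so match the internal address and
    #    port. Only NEW connections need this rule; replies are covered by the
    #    ESTABLISHED,RELATED rule in the baseline.
    run $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p "$proto" -d "$host" --dport "$int_port" \
        -m state --state NEW -j ACCEPT
}

# The forwards from kevmarks' script, each paired with its FORWARD rule.
rules_for_game_server() {
    forwarding_baseline
    port_forward tcp 113   192.168.1.99
    port_forward tcp 27015 192.168.1.99
    port_forward tcp 27005 192.168.1.99
}

rules_for_game_server
```

The point to check on any gateway is that FORWARD has an explicit policy: kevmarks' script never sets one, so it stays at the kernel default of ACCEPT and every DNATed port is reachable whether or not a FORWARD rule allows it. With the baseline above, a forward that lacks its FORWARD rule simply fails, which is the safer failure mode.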

----------

## elmie

My god ozukir@, that iptables script of yours is way too complex, why not just simplify it, lol.

This is what I do for a rock solid firewall using iptables......

A very wise guy from our community wrote a very good script for our Australian conditions, which has cable and ADSL support for the ping back that they do..

Generally it looks something like this..

```
#!/bin/sh
#
# Atomic IPTables firewall script v1.0
#
# Simple but effective firewall for use
# in home/small office installations.
#
# Ashton Mills
# Written for the Atomic Uber Linux box guide,
# Issue 21, Oct 2002.
#
# Props to Con Tassios and Technion for their sample scripts.

# Environment variables, change these values accordingly
   EXT_IF="eth0"
   INT_IF="eth1"
   INT_NET="192.168.1.0/24"
   ANY="0.0.0.0/0"
   IPTABLES="/sbin/iptables"
   MODPROBE="/sbin/modprobe"
#
# You shouldn't need to touch anything below here
#

# Load appropriate iptables modules, others will be loaded dynamically on demand
   $MODPROBE ip_tables
   $MODPROBE iptable_filter
   $MODPROBE ip_nat_ftp
   $MODPROBE ip_conntrack
   $MODPROBE ip_conntrack_ftp

# Set proc values for TCP/IP. In order:
#
# Disable IP spoofing attacks
# Ignore broadcast pings
# Block source routing
# Kill redirects
# Set acceptable local port range
# Allow dynamic IP addresses
# Enable forwarding (gateway)
   echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
   echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
   echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
   echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
   echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
   echo "1" > /proc/sys/net/ipv4/ip_dynaddr
   echo "1" > /proc/sys/net/ipv4/ip_forward

# Flush everything
   $IPTABLES -F INPUT
   $IPTABLES -F OUTPUT
   $IPTABLES -F FORWARD
   $IPTABLES -t nat -F

#
## --- DEFAULT POLICY --- ##
#
# Drop everything on INPUT and FORWARD chains, accept OUTPUT
   $IPTABLES -P INPUT DROP
   $IPTABLES -P FORWARD DROP
   $IPTABLES -P OUTPUT ACCEPT

#
## --- INPUT CHAIN --- ##
#
# SSH loving
#       $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
# Telnet loving
#       $IPTABLES -A INPUT -p tcp --dport 23 -j ACCEPT
#
# And etc etc to whatever port you want open

# Allow Telstra heartbeat -- BPA users uncomment this
#   $IPTABLES -A INPUT -p udp --sport 5050 -j ACCEPT
#   $IPTABLES -A INPUT -p udp --sport 5051 -j ACCEPT

# Allow bootp port -- Optus users need this apparently
   $IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT

# Accept all connections on local and internal interfaces
   $IPTABLES -A INPUT -i lo -j ACCEPT
   $IPTABLES -A INPUT -i $INT_IF -j ACCEPT

# Stateful inspection -- Allow packets in from connections already established
   $IPTABLES -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop packets from invalid sources (reserved networks and localhost)
   $IPTABLES -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
   $IPTABLES -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
   $IPTABLES -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
   $IPTABLES -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j DROP
   $IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP

# Don't log igmp, ident, web or ssl. More noise we don't need to log.
   $IPTABLES -A INPUT -p igmp -j DROP
   $IPTABLES -A INPUT -p tcp --dport 113 -j DROP
   $IPTABLES -A INPUT -p tcp --dport 80 -j DROP
   $IPTABLES -A INPUT -p tcp --dport 443 -j DROP

# Log everything else
   $IPTABLES -A INPUT -i $EXT_IF -j LOG --log-prefix "|iptables -- "

#
## --- FORWARD CHAIN --- ##
#
# Stateful inspection -- Allow packets in from connections already established
   $IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all traffic out
   $IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT

#
## --- OUTPUT CHAIN --- ##
#
# Follows policy

#
## --- NAT --- ##
#
# Enable masquerade ( the one that actually does all the work :) )
   $IPTABLES -A POSTROUTING -t nat -o $EXT_IF -j MASQUERADE

#
## -- Transparent proxy to Squid --- ##
#
#   $IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
```

I also use this with mrtg, so I can see exactly how much download I have left; since we don't have things like unlimited downloads, we Australians have to watch whether our cap has been reached..

Now don't you think this is one simple iptables script?

----------

## ozukir@

*elmie wrote:*

> My god ozukir@, that iptables script of yours is way too complex, why not just simplify it, lol.

I suppose that is your prerogative, isn't that the point. I choose to do more fine-tuned filtering and prevent output connections that are not specifically allowed. I will add again that the scripts provided are slightly modified versions of the scripts in the Gentoo security guide. I'm not really the one to criticize your approach, as long as it suits your purposes. My approach is the result of trial and error, my limited knowledge, and my personal experience fending off focused and persistent attacks on my systems. And of course, there's the fact that it works.

----------

## Vancouverite

*ozukir@ wrote:*

> And of course, there's the fact that it works.

One can't sensibly argue with this approach. Nice scripts. If your pf.conf is as nice I'd like a copy of that as well.

----------

## elmie

I agree, and am sorry if I did sound rude.

Just saying that it was very complex, that's all... I guess if it works, it's good enough.

I had a good look at the security guide thingy, and I felt that the guide was written by a very paranoid person.

But regardless, my script is only intended to be used at home, and I only have to look out for 3 boxes.

Regardless, it's a nice script for whatever purpose you are using it for.

----------

## Vancouverite

ozukir@, is there any particular reason that you've set up your Linux hosts to maintain outgoing state connections when this can be done only once on your OpenBSD box using normalization with something like this:

```
scrub in on $ext_if all
block in on $ext_if all
pass out on $ext_if proto tcp all modulate state
pass out on $ext_if proto udp all keep state
```

Although oversimplified and lacking, I am sure you get my point. I'm guessing it's due to a DMZ type of setup.

----------

## ozukir@

I'm having a little difficulty understanding your question, so excuse me if I'm way off point. I do use connection state RELATED and ESTABLISHED to accept incoming traffic. The major point here is simplification of INPUT chain rules. I can't say that I fully understand the kernel state tables, but I have assumed that RELATED and ESTABLISHED are determined by time frame, TCP flags, and host address. R & E traffic is approved based upon all of these attributes. Without the stateful inspection one would have to allow incoming traffic on a full range of unprivileged ports, checking their associated TCP flags for appropriateness, and only checking host addresses for known services such as DNS and your mail servers. So the major benefits of stateful matching are more simplified rulesets and more sophisticated inbound filtering. For these reasons I use a stateful ruleset on my OpenBSD box as well. (I must add that I include stateless rules as well as stateful rules on my OpenBSD box, just in case the state tables max out my resources.)

The normalization you speak of only reassembles fragmented packets. While Linux systems have a robust TCP stack, other OSes may reassemble the fragments less effectively. See here. From your post I'm not sure what you mean by

*Quote:*

> this can be done only once on your OpenBSD box using normalization

Perhaps you are asking why do stateful inspection when it's already done on the OpenBSD box; well, I can afford the added overhead for the reasons mentioned above.

----------

## Vancouverite

*ozukir@ wrote:*

> Perhaps you are asking why do stateful inspection when it's already done on the OpenBSD box; well, I can afford the added overhead for the reasons mentioned above.

Yes that's what I was wondering about. I didn't word the above very well, I realize normalization has nothing to do with stateful connections.

----------

