# firewall

## compucoder

Anyone got an iptables script I can use / modify that blocks pretty much everything you normally don't use?

I have a cable modem, use DNS, etc.

I run an apache2 server.

I also have a home LAN that I use this box to MASQUERADE (NAT) for.

I have only ever used iptables for NAT, but I should really get a firewall configured. Also willing to listen to suggestions on other / better approaches to getting myself a really secure firewall setup.

Thanks.

----------

## iamarug

Well, you can try Firestarter (GTK) or KMyFirewall (Qt). Both work pretty well in my experience. With Firestarter, you can also have a little icon in the GNOME notification area that shows you some logging stuff and lets you modify the firewall. I don't think that is possible with KMyFirewall.

PS: forgot to say, they are both iptables based.

----------

## asiobob

If you use KDE, try Guarddog, a very nice app for setting up a "firewall" (a front end to iptables): www.simonzone.com. Shorewall is good as well, and iamarug has some excellent suggestions.

----------

## didl

Shorewall is a really cool, text-based front-end for iptables.

It is very easy to set up and I can highly recommend it.

----------

## b0d0r

I have this script to do NAT and firewall...

Works pretty well for what I need, anyway.

```
#!/bin/sh

# location of iptables
IPTABLES=/sbin/iptables
INSMOD=/sbin/insmod

# external (cable modem) and internal (LAN) interfaces
EXTIF="eth1"
INTIF="eth0"

## Verify Kernel Modules
#/sbin/depmod -a

## loading modules
#$INSMOD ip_tables
#$INSMOD ip_conntrack
#$INSMOD ip_conntrack_ftp
#$INSMOD ip_conntrack_irc
#$INSMOD iptable_nat
#$INSMOD ip_nat_ftp
# end of loading modules

# ENABLE FORWARDING+DYNAMIC ADDRESS
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# reset policies and flush whatever rules are loaded
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# LAN <-> internet: only replies come back in, anything from 10.0.0.0/16 may go out
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -p icmp -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 10.0.0.0/16 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# no unsolicited ICMP from outside
$IPTABLES -A INPUT -i $EXTIF -p icmp -j DROP

# high ports are opened wholesale so replies to this box's own connections
# get in; note this also exposes any service listening above 1024 on the
# outside interface, which a stateful ESTABLISHED,RELATED rule would avoid
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 1024:65535 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 1024:65535 -j ACCEPT

# ssh and http from outside
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT

# This line must be last whatever happens :)
$IPTABLES -A INPUT -i $EXTIF -j REJECT
```

----------
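For the setup compucoder describes (cable modem outside, a masqueraded home LAN inside, apache2 reachable from the internet), here is an added example of a default-drop, stateful ruleset in iptables-restore format. It is not b0d0r's script or any other post in this thread; the interface names and LAN prefix are assumptions passed in as arguments, and the stateful ESTABLISHED,RELATED rule takes the place of the wide-open 1024:65535 accepts.

```shell
#!/bin/sh
# Added example, not from any post in this thread: emit a stateful,
# default-drop ruleset (iptables-restore format) for the OP's box: cable
# modem on EXTIF, home LAN on INTIF masqueraded behind it, apache2 public.
# Interface names and the LAN prefix are assumptions passed as arguments.
# Usage (as root):  gen_rules eth1 eth0 192.168.1.0/24 | iptables-restore
gen_rules() {
  extif=$1; intif=$2; lan=$3
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# hide the LAN behind the (dynamic) cable-modem address
-A POSTROUTING -s $lan -o $extif -j MASQUERADE
COMMIT
*filter
# default deny for inbound and forwarded traffic; this box's own outbound is open
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FWALL DROP: "
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
# stateful replies replace the blanket "accept 1024:65535" rules
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# anti-spoofing: LAN addresses never legitimately arrive on the outside
-A INPUT -i $extif -s $lan -j LOGDROP
# the only public service: apache2
-A INPUT -i $extif -p tcp --dport 80 -j ACCEPT
# ssh and anything else on this box only from the LAN side
-A INPUT -i $intif -s $lan -j ACCEPT
# keep path-MTU discovery and traceroute working; rate-limit pings
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -j LOGDROP
# LAN may go out; only replies come back in (needs ip_forward=1)
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $intif -o $extif -s $lan -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
EOF
}
# run directly: the three arguments come from the command line
if [ "$#" -eq 3 ]; then gen_rules "$@"; fi
```

`-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the scripts above; `ip_forward` still has to be set to 1 separately, as in b0d0r's script.

----------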

## compucoder

Thanks for the suggestions.

I am gonna try Guarddog and see if I like it.

----------

## jasewong

Want to give this a try?

http://greatwall.sourceforge.net

----------

## Nickw

I use Netfire.  Does exactly everything I need and more, plus pretty easy to configure.

http://feenix.burgiss.net/linux/netfire/

Nick

----------

## usingloser

I could never get shorewall to work correctly.  No matter what I would do, it would never properly read in my ip addresses on my eth cards.  It would always say they are 0.0.0.0/0.

----------

## tomchuk

I've always been fond of the Gentoo security docs' firewall script (with a little modification):

```
#!/sbin/runscript

IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
FIREWALL=/etc/firewall.rules
DNS1=192.168.1.1
DNS2=24.29.99.19
DNS3=24.29.99.18
#inside
LOCAL_NETWORK=192.168.1.0/29
#outside
OIP=192.168.1.2
OINTERFACE=eth0
IINTERFACE=${OINTERFACE}

opts="${opts} showstatus panic save restore showoptions rules"

depend() {
  need net procparam
}

rules() {
  stop
  ebegin "Setting internal rules"
  einfo "Setting default rule to drop"
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P INPUT   DROP
  $IPTABLES -P OUTPUT  DROP

  #default rule
  einfo "Creating states chain"
  $IPTABLES -N allowed-connection
  $IPTABLES -F allowed-connection
  $IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A allowed-connection -i $OINTERFACE -m limit -j LOG --log-prefix "FWALL Bad packet from ${IINTERFACE}: "
  $IPTABLES -A allowed-connection -j DROP

  #ICMP traffic
  einfo "Creating icmp chain"
  $IPTABLES -N icmp_allowed
  $IPTABLES -F icmp_allowed
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
  $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "FWALL Bad ICMP traffic: "
  $IPTABLES -A icmp_allowed -p icmp -j DROP

  #Incoming traffic
  einfo "Creating incoming ssh traffic chain"
  $IPTABLES -N allow-ssh-traffic-in
  $IPTABLES -F allow-ssh-traffic-in
  #Flood protection - allow 1 connect per second from server
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp -s 64.239.9.33 --tcp-flags ALL RST --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp -s 64.239.9.33 --tcp-flags ALL FIN --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp -s 64.239.9.33 --tcp-flags ALL SYN --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp -s 64.239.9.33 --dport ssh -j ACCEPT

  einfo "Creating incoming ftp traffic chain"
  # allow established active or passive ftp connections through
  $IPTABLES -N allow-ftp-traffic-in
  $IPTABLES -F allow-ftp-traffic-in
  $IPTABLES -A allow-ftp-traffic-in -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
  $IPTABLES -A allow-ftp-traffic-in -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A allow-ftp-traffic-in -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

  einfo "Creating incoming irc traffic chain"
  # allow established irc connections
  $IPTABLES -N allow-irc-traffic-in
  $IPTABLES -F allow-irc-traffic-in
  $IPTABLES -A allow-irc-traffic-in -p tcp --sport 6667:6669 -m state --state ESTABLISHED -j ACCEPT
  $IPTABLES -A allow-irc-traffic-in -p tcp --dport 6667:6669 -m state --state ESTABLISHED -j ACCEPT

  einfo "Creating incoming traffic chain for nfeher"
  # allow all traffic from laptop's mac address
  $IPTABLES -N allow-nfeher-traffic-in
  $IPTABLES -F allow-nfeher-traffic-in
  $IPTABLES -A allow-nfeher-traffic-in -m mac --mac-source 00:03:93:ee:ea:f2 -j ACCEPT

  #outgoing traffic
  einfo "Creating outgoing ssh traffic chain"
  # allow outgoing ssh traffic
  $IPTABLES -N allow-ssh-traffic-out
  $IPTABLES -F allow-ssh-traffic-out
  $IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT

  einfo "Creating outgoing dns traffic chain"
  # allow outgoing dns queries to isp's dns servers
  $IPTABLES -N allow-dns-traffic-out
  $IPTABLES -F allow-dns-traffic-out
  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain -j ACCEPT
  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain -j ACCEPT
  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS3 --dport domain -j ACCEPT

  einfo "Creating outgoing http/https traffic chain"
  # allow outgoing http, https and requests to server's web admin
  $IPTABLES -N allow-www-traffic-out
  $IPTABLES -F allow-www-traffic-out
  $IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT
  $IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT
  $IPTABLES -A allow-www-traffic-out -p tcp --dport 8443 -d 64.239.9.33 -j ACCEPT

  einfo "Creating outgoing rsync traffic chain"
  # allow rsync traffic out
  $IPTABLES -N allow-rsync-traffic-out
  $IPTABLES -F allow-rsync-traffic-out
  $IPTABLES -A allow-rsync-traffic-out -p tcp --dport 873 -j ACCEPT

  einfo "Creating outgoing time traffic chain"
  # allow rdate to sync with the columbia.edu ntp server
  $IPTABLES -N allow-time-traffic-out
  $IPTABLES -F allow-time-traffic-out
  $IPTABLES -A allow-time-traffic-out -p tcp --dport time -d 128.59.59.177 -j ACCEPT

  einfo "Creating outgoing smtp traffic chain"
  # allow sending mail
  $IPTABLES -N allow-smtp-traffic-out
  $IPTABLES -F allow-smtp-traffic-out
  $IPTABLES -A allow-smtp-traffic-out -p tcp --dport smtp -j ACCEPT

  einfo "Creating outgoing mail traffic chain"
  # allow pop3 and imap requests to email server
  $IPTABLES -N allow-mail-traffic-out
  $IPTABLES -F allow-mail-traffic-out
  $IPTABLES -A allow-mail-traffic-out -p tcp --dport 143 -d 64.239.9.33 -j ACCEPT
  $IPTABLES -A allow-mail-traffic-out -p tcp --dport 110 -d 64.239.9.33 -j ACCEPT

  einfo "Creating outgoing ftp traffic chain"
  # allow outgoing active and passive ftp
  $IPTABLES -N allow-ftp-traffic-out
  $IPTABLES -F allow-ftp-traffic-out
  $IPTABLES -A allow-ftp-traffic-out -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPTABLES -A allow-ftp-traffic-out -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
  $IPTABLES -A allow-ftp-traffic-out -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

  einfo "Creating outgoing irc traffic chain"
  # allow outgoing irc
  $IPTABLES -N allow-irc-traffic-out
  $IPTABLES -F allow-irc-traffic-out
  $IPTABLES -A allow-irc-traffic-out -p tcp --sport 6667:6669 -m state --state ESTABLISHED -j ACCEPT
  $IPTABLES -A allow-irc-traffic-out -p tcp --dport 6667:6669 -m state --state NEW,ESTABLISHED -j ACCEPT

  einfo "Creating outgoing dict traffic chain"
  # allow dict (dictionary) traffic to dict.org
  $IPTABLES -N allow-dict-traffic-out
  $IPTABLES -F allow-dict-traffic-out
  $IPTABLES -A allow-dict-traffic-out -p tcp --dport 2628 -d 66.111.36.30 -j ACCEPT

  einfo "Creating outgoing cvs traffic chain"
  # allow outgoing cvs traffic
  $IPTABLES -N allow-cvs-traffic-out
  $IPTABLES -F allow-cvs-traffic-out
  $IPTABLES -A allow-cvs-traffic-out -p tcp --dport cvspserver -j ACCEPT
  $IPTABLES -A allow-cvs-traffic-out -p udp --dport cvspserver -j ACCEPT

  einfo "Creating outgoing IM traffic chain"
  # allow connection to IM servers
  $IPTABLES -N allow-im-traffic-out
  $IPTABLES -F allow-im-traffic-out
  $IPTABLES -A allow-im-traffic-out -p tcp --dport 5050 -m state --state NEW -j ACCEPT
  $IPTABLES -A allow-im-traffic-out -p tcp --dport 1863 -m state --state NEW -j ACCEPT
  $IPTABLES -A allow-im-traffic-out -p tcp --dport 5190 -m state --state NEW -j ACCEPT

  einfo "Creating outgoing traffic chain for nfeher"
  # allow all traffic to laptop's mac address
  $IPTABLES -N allow-nfeher-traffic-out
  $IPTABLES -F allow-nfeher-traffic-out
  $IPTABLES -A allow-nfeher-traffic-out -d 192.168.1.3 -j ACCEPT

  #Catch portscanners
  einfo "Creating portscan detection chain"
  $IPTABLES -N check-flags
  $IPTABLES -F check-flags
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "FWALL NMAP-XMAS: "
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "FWALL XMAS: "
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "FWALL XMAS-PSH: "
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "FWALL NULL_SCAN: "
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "FWALL SYN/RST: "
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "FWALL SYN/FIN: "
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

  # Apply and add invalid states to the chains
  einfo "Applying chains to INPUT"
  $IPTABLES -A INPUT -m state --state INVALID -j DROP
  $IPTABLES -A INPUT -j icmp_allowed
  $IPTABLES -A INPUT -j check-flags
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A INPUT -j allow-ssh-traffic-in
  $IPTABLES -A INPUT -j allow-ftp-traffic-in
  $IPTABLES -A INPUT -j allow-irc-traffic-in
  $IPTABLES -A INPUT -j allow-nfeher-traffic-in
  $IPTABLES -A INPUT -j allowed-connection

  einfo "Applying chains to FORWARD"
  #$IPTABLES -A FORWARD -m state --state INVALID -j DROP
  #$IPTABLES -A FORWARD -j icmp_allowed
  #$IPTABLES -A FORWARD -j check-flags
  #$IPTABLES -A FORWARD -o lo -j ACCEPT
  #$IPTABLES -A FORWARD -j allow-ssh-traffic-in
  #$IPTABLES -A FORWARD -j allow-www-traffic-out
  #$IPTABLES -A FORWARD -j allowed-connection

  einfo "Applying chains to OUTPUT"
  $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
  $IPTABLES -A OUTPUT -j icmp_allowed
  $IPTABLES -A OUTPUT -j check-flags
  $IPTABLES -A OUTPUT -o lo -j ACCEPT
  $IPTABLES -A OUTPUT -j allow-ssh-traffic-out
  $IPTABLES -A OUTPUT -j allow-dns-traffic-out
  $IPTABLES -A OUTPUT -j allow-www-traffic-out
  $IPTABLES -A OUTPUT -j allow-rsync-traffic-out
  $IPTABLES -A OUTPUT -j allow-time-traffic-out
  $IPTABLES -A OUTPUT -j allow-smtp-traffic-out
  $IPTABLES -A OUTPUT -j allow-mail-traffic-out
  $IPTABLES -A OUTPUT -j allow-ftp-traffic-out
  $IPTABLES -A OUTPUT -j allow-irc-traffic-out
  $IPTABLES -A OUTPUT -j allow-cvs-traffic-out
  $IPTABLES -A OUTPUT -j allow-dict-traffic-out
  $IPTABLES -A OUTPUT -j allow-im-traffic-out
  $IPTABLES -A OUTPUT -j allow-nfeher-traffic-out
  $IPTABLES -A OUTPUT -j allowed-connection

  #Allow client to route through via NAT (Network Address Translation)
  # $IPTABLES -t nat -A POSTROUTING -o $IINTERFACE -j MASQUERADE
  eend $?
}

start() {
  ebegin "Starting firewall"
  # make absolutely sure modules are loaded
  modprobe ip_tables > /dev/null 2>&1
  modprobe ipt_limit > /dev/null 2>&1
  modprobe ipt_mac > /dev/null 2>&1
  modprobe ipt_LOG > /dev/null 2>&1
  modprobe ipt_MARK > /dev/null 2>&1
  modprobe ipt_state > /dev/null 2>&1
  modprobe ip_conntrack > /dev/null 2>&1
  modprobe ip_conntrack_ftp > /dev/null 2>&1
  modprobe ip_conntrack_irc > /dev/null 2>&1
  if [ -e "${FIREWALL}" ]; then
    restore
  else
    einfo "${FIREWALL} does not exist. Using default rules."
    rules
  fi
  eend $?
}

stop() {
  ebegin "Stopping firewall"
  $IPTABLES -F
#  $IPTABLES -t nat -F
  $IPTABLES -X
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -P INPUT   ACCEPT
  $IPTABLES -P OUTPUT  ACCEPT
  eend $?
}

showstatus() {
  ebegin "Status"
  $IPTABLES -L -n -v --line-numbers
#  einfo "NAT status"
#  $IPTABLES -L -n -v --line-numbers -t nat
  eend $?
}

panic() {
  ebegin "Setting panic rules"
  $IPTABLES -F
  $IPTABLES -X
#  $IPTABLES -t nat -F
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P INPUT   DROP
  $IPTABLES -P OUTPUT  DROP
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -j ACCEPT
  eend $?
}

save() {
  ebegin "Saving Firewall rules"
  $IPTABLESSAVE > $FIREWALL
  eend $?
}

restore() {
  ebegin "Restoring Firewall rules"
  $IPTABLESRESTORE < $FIREWALL
  eend $?
}

restart() {
  svc_stop; svc_start
}

showoptions() {
  echo "Usage: $0 {start|rules|save|restore|panic|stop|restart|showstatus}"
  echo "start)      will restore setting if exists else force rules"
  echo "stop)       delete all rules and set all to accept"
  echo "rules)      force settings of new rules"
  echo "save)       will store settings in ${FIREWALL}"
  echo "restore)    will restore settings from ${FIREWALL}"
  echo "showstatus) Shows the status"
}
```

I've commented out all the NAT stuff as I have another box doing NAT (pf with OpenBSD). The script depends on the procparam script from the same Gentoo security docs:

```
#!/sbin/runscript

depend() {
  use checkroot
}

start() {
  ebegin "Setting /proc options."
  /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
  /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
  /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
  /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  for i in /proc/sys/net/ipv4/conf/*; do
    /bin/echo "1" > $i/rp_filter
  done
  /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
  /bin/echo "0" > /proc/sys/net/ipv4/ip_forward
  eend 0
}
```

----------
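The check-flags, icmp_allowed and allowed-connection chains in tomchuk's script only log; here is an added helper, not part of that script or the Gentoo docs, that turns those kernel LOG lines into one summary line per (log prefix, source address) so a scan is visible at a glance. The syslog format and the sample lines are constructed for the example; it assumes every prefix starts with "FWALL", as in the script above.

```shell
#!/bin/sh
# Added example, not part of tomchuk's script: triage the kernel LOG lines
# that its check-flags, icmp_allowed and allowed-connection chains emit
# (every --log-prefix there starts with "FWALL"). Reads syslog on stdin and
# prints one line per (prefix, source): "count prefix SRC ports=N", where
# N is the number of distinct destination ports that source touched.
summarize_fwall() {
  awk '
    /kernel: .*FWALL / {
      # the text between "FWALL " and ": " is the --log-prefix tag
      tag = $0; sub(/.*FWALL /, "", tag); sub(/: .*/, "", tag)
      src = "?"; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      key = tag " " src
      hits[key]++
      if (dpt != "" && !((key, dpt) in seen)) { seen[key, dpt] = 1; ports[key]++ }
    }
    END { for (k in hits) printf "%d %s ports=%d\n", hits[k], k, ports[k] + 0 }
  ' | sort -k1,1nr -k2
}

# constructed sample (not real logs): an Xmas scan across three ports,
# one NULL scan, and one unsolicited ICMP echo request
sample_log() {
  cat <<'EOF'
Mar  3 10:15:01 gw kernel: FWALL NMAP-XMAS: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.2 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN
Mar  3 10:15:01 gw kernel: FWALL NMAP-XMAS: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.2 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN
Mar  3 10:15:02 gw kernel: FWALL NMAP-XMAS: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.2 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=40000 DPT=443 WINDOW=1024 RES=0x00 URG PSH FIN
Mar  3 10:16:10 gw kernel: FWALL NULL_SCAN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.2 LEN=40 TTL=48 ID=0 PROTO=TCP SPT=31337 DPT=25 WINDOW=2048 RES=0x00
Mar  3 10:17:44 gw kernel: FWALL Bad ICMP traffic: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.2 LEN=84 TTL=60 ID=4242 PROTO=ICMP TYPE=8 CODE=0
EOF
}

# run directly with --sample to see it on the built-in lines; otherwise
# source this file and pipe real syslog into summarize_fwall
if [ "$1" = "--sample" ]; then sample_log | summarize_fwall; fi
```

On a real box the input would be something like `grep FWALL /var/log/messages | summarize_fwall`; the `-m limit` on the LOG rules means the counts are a lower bound, not the full packet count.

----------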

