
RE: [suse-security] Newbie Question re. Firewall2 vs. IPTABLES



Here is a copy of my firewall script if you want to use it!

It is for a single dial-up machine, running Apache Web
server.

You can alter it to suit your own machine's needs.

If you leave SuSEFirewall running, my script should clear
all the SuSEFirewall rules out of IPTables, and put its own
rules in the packet filter. You need to check the POLICY
rules though - I don't think FLUSHing IPTables rules affects
the POLICY of built-in chains.

USE AT YOUR OWN RISK!

You need to copy this to a safe place on your machine, and
set the file as executable - See 'man chmod' for details.

Or under mc (Norton Commander type file manager) highlight
the name of the file to modify, press F9, pull down the File
menu, select Advanced chown option, set the file permissions
as rwx --- --- and set the owner/group for the file as well.

Then add a line to /etc/init.d/boot.local - this will
execute the script each time you reboot the machine. You
need to check the script is called AFTER SuSEFirewall is up
and running, or SuSEFirewall will overwrite the rules this
script sets up in the IPTables packet filter!

===
You can also open a terminal as root, and cd to the
directory where you have put the firewall script.

As root, if you do ./my-fw > firewall.out

You will get the output sent to the file named firewall.out

This is handy for checking the firewall script for any
syntax errors.
===


#! /bin/bash

# copyright Keith Anthony Roberts (c) 2003

# file-id: /path/to/firewall/script/my-fw #

# custom script to start iptables packet filter firewall rules #
# run from /etc/init.d/boot.local #

# last updated 15-07-2003 #

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "Running /path/to/firewall/script/my-fw"
echo " - Initial status of firewall is:"
echo "=======================================================================";
echo;
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "NAT table initial status"
echo "=======================================================================";
echo;
#------------------------------------------------------#

# list status of NAT table
 iptables -t nat -L -v
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "MANGLE table initial status"
echo "=======================================================================";
echo;
#------------------------------------------------------#

# list status of MANGLE table
 iptables -t mangle -L -v
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "FILTER table initial status"
echo "=======================================================================";
echo;
#------------------------------------------------------#

# list status of FILTER table
 iptables -t filter -L -v
#------------------------------------------------------#

#------------------------------------------------------#

# flush ALL rules in ALL tables
 iptables -t nat -F
 iptables -t mangle -F
 iptables -t filter -F

# clear packet & byte counters
 iptables -t nat -Z
 iptables -t mangle -Z
 iptables -t filter -Z

# delete ALL user-defined chains in ALL tables
 iptables -t nat -X
 iptables -t mangle -X
 iptables -t filter -X

# set the POLICY of the built-in chains explicitly - flushing (-F) does NOT
# touch them, so whatever SuSEfirewall2 left behind would otherwise stay.
# the rules below only DROP what is unwanted from ppp0 and let everything
# else (replies on ppp0, loopback, LAN) fall through, so INPUT and OUTPUT
# must be ACCEPT; this is a single machine, so nothing is ever forwarded.
# (tighter alternative: policy DROP plus an explicit ACCEPT for
#  -m state --state ESTABLISHED,RELATED)
 iptables -P INPUT ACCEPT
 iptables -P OUTPUT ACCEPT
 iptables -P FORWARD DROP

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "Starting up my own custom firewall now!"
echo "=======================================================================";
echo;
#------------------------------------------------------#

#******************************************************#
#                 NAT table rules                      #
#******************************************************#
# NOT USED

#******************************************************#
#                MANGLE table rules                    #
#******************************************************#
# NOT USED

#******************************************************#
#                FILTER table rules                    #
#******************************************************#

# LOG all packets going through the FORWARD chain - should disable this really
 iptables -A FORWARD -j LOG --log-prefix 'FILTER-FWD PKTS '

#------------------------------------------------------#
# rate-limiting chains (shared by INPUT and FORWARD)
#
# a packet within the limit RETURNs to the calling chain and is judged
# by the normal rules further down (open_port_80, block); anything over
# the limit is LOGged (10 per hour) and DROPped.
# NB: ACCEPTing the packets within the limit instead would let one new
# connection per second through to ANY port on ppp0 before 'block' is
# ever reached.  Only echo-requests are ACCEPTed here, so pings are
# answered at a limited rate and the excess is dropped.
# the log line shows IN=ppp0 / OUT=, so INPUT and FORWARD hits can
# still be told apart.
#------------------------------------------------------#

# Syn-flood protection
 iptables -N syn_limit
 iptables -A syn_limit -m limit --limit 1/s -j RETURN
 iptables -A syn_limit -m limit --limit 10/h \
   -j LOG --log-prefix 'Syn-flood attack??? '
 iptables -A syn_limit -j DROP

# Furtive Port Scanner protection (packets with only RST set)
 iptables -N scan_limit
 iptables -A scan_limit -m limit --limit 1/s -j RETURN
 iptables -A scan_limit -m limit --limit 10/h \
   -j LOG --log-prefix 'Port Scanner attack??? '
 iptables -A scan_limit -j DROP

# Ping of Death protection - answer at most one echo-request per second
 iptables -N ping_limit
 iptables -A ping_limit -m limit --limit 1/s -j ACCEPT
 iptables -A ping_limit -m limit --limit 10/h \
   -j LOG --log-prefix 'Ping of Death attack??? '
 iptables -A ping_limit -j DROP

#------------------------------------------------------#
# send the suspect packets through the limiting chains
#------------------------------------------------------#

 iptables -A INPUT -i ppp0 -p tcp --syn -j syn_limit
 iptables -A INPUT -i ppp0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j scan_limit
 iptables -A INPUT -i ppp0 -p icmp --icmp-type echo-request -j ping_limit

 iptables -A FORWARD -p tcp --syn -j syn_limit
 iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j scan_limit
 iptables -A FORWARD -p icmp --icmp-type echo-request -j ping_limit
#------------------------------------------------------#
# create a new chain for apache connections
#------------------------------------------------------#

 iptables -N open_port_80

# LOG all NEW, ESTABLISHED, RELATED
# remote connections coming in on ppp0 to apache port 80
 iptables -A open_port_80 -i ppp0 -p tcp --dport 80 \
  -m state ! --state INVALID \
  -j LOG --log-prefix 'Remote Port 80 connects '

# ACCEPT all NEW, ESTABLISHED, RELATED
# remote connections coming in on ppp0 to apache port 80
 iptables -A open_port_80 -i ppp0 -p tcp --dport 80 \
  -m state ! --state INVALID \
  -j ACCEPT

# LOG all local connections to apache port 80
# ('! -i' is the negation form current iptables accepts without a warning)
 iptables -A open_port_80 ! -i ppp0 -p tcp --dport 80 \
  -j LOG --log-prefix 'Local Port 80 connects '

# ACCEPT all local connections to apache port 80
 iptables -A open_port_80 ! -i ppp0 -p tcp --dport 80 -j ACCEPT

#------------------------------------------------------#
# create new chain that blocks all other
# new connection attempts coming in from ppp0
#------------------------------------------------------#

 iptables -N block

# LOG all other new connection attempts (& invalid packets) coming from ppp0
# (rate-limited so a flood of unwanted packets cannot fill the log)
 iptables -A block -i ppp0 -m state --state NEW,INVALID \
   -m limit --limit 1/s \
   -j LOG --log-prefix 'DROPPED NEW CONNS ON PPP0 '

# DROP all new connection attempts (& invalid packets) coming from ppp0
# and not for apache web server
 iptables -A block -i ppp0 -m state --state NEW,INVALID -j DROP

#------------------------------------------------------#
# jump to various chains from INPUT and FORWARD chains
#------------------------------------------------------#

 iptables -A INPUT -j open_port_80
 iptables -A INPUT -j block
 iptables -A FORWARD -j block

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "New status of firewall using my own custom rules is:"
echo "=======================================================================";
echo;
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "NAT table - new status"
echo "=======================================================================";
echo;
#------------------------------------------------------#

# list current status of NAT table
 iptables -t nat -L -v
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "MANGLE table - new status"
echo "=======================================================================";
echo;
#------------------------------------------------------#

# list current status of MANGLE table
 iptables -t mangle -L -v
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "FILTER table - new rules"
echo "=======================================================================";
echo;
#------------------------------------------------------#

# list current status of FILTER table
 iptables -L -v
#------------------------------------------------------#

# exit with a valid code

 exit 0

#------------------------------------------------------#

# end of firewall #






On 22 Jul 2003, Ray Leach wrote:

> On Tue, 2003-07-22 at 13:31, Knut Erik Hauslo wrote:
> > Hello Uli,
> >
> > So if I deactivate firewall2, IPTABLES is still active and I can add my own set of rules (iptables -A TCP etc.) and they are active right away?
> >
> No, then you need to write your own shell script and get it to start
> when you start your machine.
>
>
> > Cheers
> > -KEH
> >
> >
> > -----Original Message-----
> > From: Ulrich Roth [mailto:Roth@xxxxxxxxx]
> > Sent: Tuesday, July 22, 2003 1:25 PM
> > To: suse-security@xxxxxxxx
> > Subject: AW: [suse-security] Newbie Question re. Firewall2 vs. IPTABLES
> >
> >
> > Hi Knut,
> >
> > > I am new to SuSE (Linux in general) and have been fiddling with
> > > firewall 2 for some time.
> > >
> > > My question is: If I deactivate SuSEfirewall2 (using YaST), will any
> > > IPTABLES rule I might create afterward still take action? And if not,
> > > where do I enable it (IPTABLES)?
> > Iptables is enabled by default. SuSEfirewall2 is only a shell script that runs many many iptables commands, depending on how you configure it. You may create your own script to execute iptables commands, or you may use SuSE's firewall script. SuSE made this script in order to make life easier for admins. Bye
> > 	Uli
> > --
> > Ulrich Roth
> > IMPACT Business & Technology Consulting GmbH
> > Im Mediapark 8 / KölnTurm
> > D-50670 Koeln
> > Phone +49-221-93 70 80-29
> > Fax   +49-221-93 70 80-15
> > E-Mail: roth@xxxxxxxxx
> >
> > --
> > Check the headers for your unsubscription address
> > For additional commands, e-mail: suse-security-help@xxxxxxxx
> > Security-related bug reports go to security@xxxxxxx, not here
> --
> --
> Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
> Network Support Specialist
> http://www.knowledgefactory.co.za
> "lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
> Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
> --
>


--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
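The post above says to check the POLICY of the built-in chains yourself, and suggests `./my-fw > firewall.out` for catching errors. The following added example (not part of the original post or the my-fw script) audits such a saved `iptables -L -v` listing for the things my-fw depends on; the listing embedded in it is constructed, and the chain names open_port_80 and block are taken from the script.

```shell
#!/bin/bash
# Added example, not from the original post: audit a saved `iptables -L -v`
# listing (e.g. firewall.out from './my-fw > firewall.out') for what my-fw
# relies on: built-in chain policies (a flush keeps them) and its own chains.

# constructed sample: my-fw has run, but SuSEfirewall2 had left INPUT at DROP
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target       prot opt in  out  source    destination
    0     0 open_port_80 all  --  any any  anywhere  anywhere
    0     0 block        all  --  any any  anywhere  anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

Chain block (2 references)
Chain open_port_80 (1 references)'

# policy_of CHAIN LISTING -> policy of a built-in chain, empty if not listed
policy_of() {
    printf '%s\n' "$2" | awk -v c="$1" '$1 == "Chain" && $2 == c { print $4; exit }'
}
# has_chain CHAIN LISTING -> succeeds if the chain appears in the listing
has_chain() {
    printf '%s\n' "$2" | grep -q "^Chain $1 ("
}

# check_listing LISTING -> one WARN line per problem, returns their number.
# my-fw only DROPs unwanted traffic from ppp0 and lets everything else
# (replies, loopback, LAN) fall through, so INPUT/OUTPUT must be ACCEPT;
# a single machine forwards nothing, so FORWARD should be DROP.
check_listing() {
    local listing=$1 problems=0 chain want pol
    for chain in INPUT:ACCEPT OUTPUT:ACCEPT FORWARD:DROP; do
        want=${chain#*:}; chain=${chain%:*}
        pol=$(policy_of "$chain" "$listing")
        if [ "$pol" != "$want" ]; then
            echo "WARN: $chain policy is '${pol:-unknown}', expected $want"
            problems=$((problems + 1))
        fi
    done
    for chain in open_port_80 block; do
        has_chain "$chain" "$listing" && continue
        echo "WARN: chain $chain missing - did my-fw run after SuSEfirewall?"
        problems=$((problems + 1))
    done
    return "$problems"
}

check_listing "$SAMPLE" || echo "$? problem(s) found"
```

To audit a live box instead of the sample, replace `"$SAMPLE"` in the last line with `"$(iptables -L -v)"` (or `"$(cat firewall.out)"`).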