Myth BOX
The home of guides for Myth TV, IPTables, and other linux based phenomena.
 

Securing the box using IPTables

As the title of this guide suggests, it aims to make the box harder to break into. It is by no means a complete solution and should only be considered a deterrent against casual attackers: a packet filter does nothing about vulnerabilities in the services you deliberately expose.

What follows are the firewall rules, to be typed at the shell prompt. Lines beginning with # are comments for information only, and shouldn't be typed. Type them at the local console rather than over ssh: the INPUT policy is set to DROP before the rule that permits established connections is added, so a remote session would be cut off part way through. When you have typed in these commands, save the configuration using /etc/init.d/iptables save (where your init script supports it; otherwise use iptables-save to write the rules to the file your boot scripts restore from).

The rules carry out a crude form of traffic prioritisation: they set the TOS field on web, email and ftp packets so that traffic needing a quick response is marked for low delay, while file sharing apps such as Azureus carry on in the background unnoticed. This only marks the packets; it relies on the upstream router or a separate queueing discipline honouring the TOS bits, so it is not traffic shaping in the sense of limiting bandwidth. The rules drop and log the malformed TCP packets used by port scanners, and rate-limit new connections to blunt SYN floods. Traffic is only allowed from specified MAC addresses and IP addresses, although both can be spoofed, so treat this as a convenience rather than authentication. New connections can only be made from inside the firewall, apart from the download ports and the single address permitted to reach MythWeb, so an external machine shouldn't be able to open a connection to anything else. A Network Intrusion Detection System is a separate program that adds a bit more protection (see the later guide).
# Flush the firewall rules and delete the user-defined chains, so these commands
# can be run again without "-N" failing because the chain already exists.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Do masquerading on ppp0, the modem interface. Forwarding is off by default, so
# turn it on or nothing will be routed through the box.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Assign priority to web, email, and ftp traffic.
iptables -A PREROUTING -t mangle -p tcp --sport http -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp -m multiport --sports smtp,pop3 -j TOS --set-tos Minimize-Cost
iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput
iptables -A OUTPUT -t mangle -p tcp --dport http -j TOS --set-tos Minimize-Delay
iptables -A OUTPUT -t mangle -p tcp -m multiport --dports smtp,pop3 -j TOS --set-tos Minimize-Cost
iptables -A OUTPUT -t mangle -p tcp --dport ftp -j TOS --set-tos Minimize-Delay
iptables -A OUTPUT -t mangle -p tcp --dport ftp-data -j TOS --set-tos Maximize-Throughput

# Allow good icmp traffic, filter the bad stuff. ICMP errors that belong to a
# connection we already have (fragmentation-needed, time-exceeded, unreachable)
# are RELATED, and replies to our own pings are ESTABLISHED; let those through
# or path MTU discovery breaks. Echo requests from outside are deliberately
# dropped, so the box won't answer pings.
iptables -N ICMPFILTER
iptables -A ICMPFILTER -p icmp -m state --state ESTABLISHED,RELATED -j RETURN
iptables -A ICMPFILTER -m state --state NEW -p icmp --icmp-type time-exceeded -j RETURN
iptables -A ICMPFILTER -m state --state NEW -p icmp --icmp-type destination-unreachable -j RETURN
iptables -A ICMPFILTER -p icmp -j DROP

# Catch portscanners by their illegal flag combinations, and limit SYN bursting
# (last two rules) to blunt SYN floods.
iptables -N FILTERSCANNERS
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FILTERSCANNERS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FILTERSCANNERS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# New connections arriving from the Internet side (ppp0) are let through at up to
# 1 a second, in bursts of 4; anything faster is dropped. A rule that only RETURNs
# does nothing on its own, because packets over the limit would fall off the end
# of the chain and return anyway, so the DROP after it is what makes the limit
# bite. The limit is global, not per source address, and is restricted to ppp0 so
# that browsing from the LAN is not throttled. Raise the numbers if legitimate
# inbound connections start being dropped.
iptables -A FILTERSCANNERS -i ppp0 -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A FILTERSCANNERS -i ppp0 -p tcp --syn -j DROP
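
The LOG rules above write one kernel message per dropped packet, tagged with the prefix given in the rule (the prefix runs straight into the IN= field, since none of them end in a space). The script below is an added example for reading those messages back, not one of the firewall rules and not part of the original guide: it pulls the prefix, source address and destination port out of each logged packet and counts probes per source. The log lines it contains are constructed for the example, using addresses from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24; on a real box feed it the kernel log instead, for example dmesg | scan_summary, or the file your syslog writes kernel messages to.

```sh
#!/bin/sh
# Added example: summarise the "NMAP-XMAS:", "NULL_SCAN:", "SYN/FIN:" and similar
# log lines produced by the FILTERSCANNERS chain. Not part of the firewall rules.
set -eu

# Constructed sample log lines (not from a real box) in the two forms the LOG
# target is usually seen in: syslog lines with "kernel: " and raw dmesg lines.
SAMPLE_LOG='Mar 12 03:14:07 mythbox kernel: NMAP-XMAS:IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54321 PROTO=TCP SPT=61234 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar 12 03:14:07 mythbox kernel: NMAP-XMAS:IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54322 PROTO=TCP SPT=61234 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar 12 03:14:08 mythbox kernel: NULL_SCAN:IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54323 PROTO=TCP SPT=61235 DPT=443 WINDOW=1024 RES=0x00 URGP=0
[ 1234.567890] SYN/RST:IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54324 PROTO=TCP SPT=61236 DPT=22 WINDOW=1024 RES=0x00 SYN RST URGP=0
Mar 12 03:20:41 mythbox kernel: SYN/FIN:IN=ppp0 OUT= MAC= SRC=203.0.113.99 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=4444 DPT=25 WINDOW=512 RES=0x00 SYN FIN URGP=0
Mar 12 03:21:02 mythbox kernel: XMAS:IN=ppp0 OUT= MAC= SRC=203.0.113.99 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=4444 DPT=25 WINDOW=512 RES=0x00 URG ACK PSH RST SYN FIN URGP=0
Mar 12 03:25:00 mythbox kernel: eth0: link up, 100Mbps, full-duplex'

# Read log lines on stdin and print "PREFIX SRC DPT" for each packet the
# firewall logged; other kernel messages are ignored.
scan_events() {
    awk '
        /IN=/ && /SRC=/ && /PROTO=/ {
            sub(/.*kernel: /, "")            # strip the syslog header
            sub(/^\[[ 0-9.]*\] */, "")       # strip a dmesg timestamp
            prefix = substr($0, 1, index($0, "IN=") - 1)
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            print prefix, src, dpt
        }'
}

# Per source address: number of logged packets and number of distinct
# destination ports probed, busiest source first.
scan_summary() {
    scan_events | awk '
        {
            hits[$2]++
            if (!(($2, $3) in seen)) { seen[$2, $3] = 1; ports[$2]++ }
        }
        END { for (s in hits) print hits[s], s, ports[s] }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | scan_summary
```

A source that shows up with several distinct ports in a short time is a scanner; a single port hit many times is more likely a flood or a misbehaving peer, which is the distinction the two counts are there to make.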

# Forwarding is a bi-directional chain. Drop by default. Only allow new connections from the
# known hosts. Allow existing connections to send data back to us. Drop invalid packets. Also
# filter out bad icmp traffic, and port scanners. Provision unblocked download ports.
# Also allow a specific IP to access http for MythWeb access. Note that -p tcp has to come
# before -m multiport, because multiport needs to know the protocol when it parses its ports.
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -p tcp -m multiport --dports <download_port_1>,<download_port_2> -j ACCEPT
iptables -A FORWARD -j ICMPFILTER
iptables -A FORWARD -j FILTERSCANNERS
iptables -A FORWARD -p tcp --dport http -m state --state NEW -s <allowed_http_ip_1> -j ACCEPT
iptables -A FORWARD -m mac --mac-source <good_mac_1> -m state --state NEW -s <good_ip_1> -j ACCEPT
iptables -A FORWARD -m mac --mac-source <good_mac_2> -m state --state NEW -s <good_ip_2> -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop by default on the input. Only allow new connections from the known hosts. Allow existing
# connections to send data back to us. Drop invalid packets. Also filter out bad icmp traffic,
# and port scanners. Provision unblocked download ports. Also allow a specific IP to access
# http for MythWeb access. Loopback is matched by interface (-i lo) rather than by the
# 127.0.0.1 address, which any packet can claim as its source, and is accepted first so that
# local programs keep working while the rest of the rules are being typed.
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m multiport --dports <download_port_1>,<download_port_2> -j ACCEPT
iptables -A INPUT -j ICMPFILTER
iptables -A INPUT -j FILTERSCANNERS
iptables -A INPUT -p tcp --dport http -m state --state NEW -s <allowed_http_ip_1> -j ACCEPT
iptables -A INPUT -m mac --mac-source <good_mac_1> -m state --state NEW -s <good_ip_1> -j ACCEPT
iptables -A INPUT -m mac --mac-source <good_mac_2> -m state --state NEW -s <good_ip_2> -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop invalid packets on output too.
iptables -P OUTPUT ACCEPT
iptables -A OUTPUT -m state --state INVALID -j DROP
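
A mistake that is easy to make with user-defined chains like FILTERSCANNERS is to end them with a rate-limited RETURN and nothing after it: packets over the limit simply fall off the end of the chain and return as well, so nothing is ever dropped. The script below is an added example, not part of the guide's ruleset, that runs a few static checks of that kind over the text iptables-save prints: the policy of INPUT and FORWARD, the presence of the ESTABLISHED,RELATED accept, whether loopback is admitted by interface, and whether any chain ends in a dangling limit. The ruleset embedded in it is a constructed sample that deliberately contains those pitfalls; to check a live box, set RULES=$(iptables-save -t filter) before calling audit.

```sh
#!/bin/sh
# Added example: static sanity checks over `iptables-save` output, looking for
# the ordering mistakes discussed in this guide. Not part of the firewall rules.
set -eu

# Constructed sample (not captured from a real box) in iptables-save format.
# iptables-save normalises rules: --syn becomes --tcp-flags FIN,SYN,RST,ACK SYN,
# and states print as RELATED,ESTABLISHED whichever order you typed them in.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERSCANNERS - [0:0]
:ICMPFILTER - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m multiport --dports 6881,6882 -j ACCEPT
-A INPUT -j ICMPFILTER
-A INPUT -j FILTERSCANNERS
-A INPUT -s 127.0.0.1/32 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -j ICMPFILTER
-A FORWARD -j FILTERSCANNERS
-A OUTPUT -m state --state INVALID -j DROP
-A FILTERSCANNERS -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A FILTERSCANNERS -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 4 -j RETURN
-A ICMPFILTER -p icmp -m icmp --icmp-type 11 -m state --state NEW -j RETURN
-A ICMPFILTER -p icmp -j DROP
COMMIT'
RULES="$SAMPLE_RULES"

rules() { printf '%s\n' "$RULES"; }

# Policy of a built-in chain, taken from its ":NAME POLICY [pkts:bytes]" line.
chain_policy() {
    rules | awk -v c="$1" '$1 == (":" c) { print $2; exit }'
}

# The last rule appended to a chain, which decides the fate of anything no
# earlier rule matched.
chain_last_rule() {
    rules | awk -v c="$1" '$1 == "-A" && $2 == c { last = $0 } END { print last }'
}

# Fails when a chain ends with a rate-limited RETURN: packets over the limit
# fall off the end of the chain and return too, so the limit drops nothing.
check_limit_enforced() {
    case "$(chain_last_rule "$1")" in
        *"-m limit "*"-j RETURN") return 1 ;;
    esac
    return 0
}

# Passes when the chain lets replies to our own connections back in.
check_state_accept() {
    rules | grep -Eq -- "^-A $1 .*--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT"
}

# Passes when loopback is admitted by interface, not by a spoofable address.
check_loopback() {
    rules | grep -q -- '^-A INPUT -i lo -j ACCEPT'
}

# Run every check, print one line per finding, and fail if there were any.
audit() {
    findings=0
    for chain in INPUT FORWARD; do
        [ "$(chain_policy "$chain")" = DROP ] || { echo "$chain: policy is not DROP"; findings=$((findings + 1)); }
        check_state_accept "$chain" || { echo "$chain: no RELATED,ESTABLISHED accept, replies will be dropped"; findings=$((findings + 1)); }
    done
    check_limit_enforced FILTERSCANNERS || { echo "FILTERSCANNERS: ends with a rate-limited RETURN and no DROP, the SYN limit is ineffective"; findings=$((findings + 1)); }
    check_loopback || { echo "INPUT: loopback is not accepted with -i lo"; findings=$((findings + 1)); }
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

audit || echo "fix the ruleset before saving it"
```

The checks are textual, so they only know about the patterns listed here; they are a cheap regression test to run after editing the rules, not a substitute for scanning the box from outside.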