[olug] Untangle firewall

Christopher Cashell topher-olug at zyp.org
Sun Aug 2 03:25:36 UTC 2009


On Sat, Aug 1, 2009 at 9:24 PM, <charles.bird at powerdnn.com> wrote:
> I would like to look at the ubuntu firewall stuff, I can contribute to some rule I hope to make it better!

Okay, I've included my current firewall rules below.  Note that I
don't actually have the DMZ section in there anymore.  The services I
was providing on my local DMZ were recently moved to a VPS running at
Linode.com.  However, the rules specific to each interface are fairly
separated, and I think I did a decent job of commenting the rules, so
it should be fairly easy to use another interface as a template to
recreate the DMZ bit.  It's really just a few additional INPUT and
FORWARD rules.  Also, see the note at the beginning about ULOG vs.
LOG.

If anyone has any questions about these firewall rules, please let me
know.  I'd be happy to try to explain them further.

Lastly, if anyone wants to grab it directly, rather than via e-mail
(to prevent possible line-break issues and such), I dropped it on my
ftp server, to:

wget ftp://lab13.org/pub/iptables-rules

> Peace

--
Christopher

#!/bin/sh
##########################################################################
# IPTables Rules
# Written by Christopher Cashell <topher at zyp.org>
##########################################################################
#
# Note: The current configuration here uses ulog to handle iptables
# logging functions.  If you're not using ulog, you'll need to change
# all of the ulog lines to standard iptables log lines, which will
# instead send the logs to the kernel log buffer (to be picked up by
# syslog-ng/klogd/rsyslog/etc).  To make the change across the whole
# file, you can use the following command line bit:
#
# sed -e 's/ULOG/LOG/' -e 's/--ulog-prefix/--log-prefix/' \
#     -e 's/--ulog-qthreshold 10//' iptables-rules >iptables-rules.log
#
# The ULOG target itself was removed from the kernel in 3.17.  On a
# current kernel the drop-in replacement is NFLOG, i.e.
# "-j NFLOG --nflog-group N --nflog-prefix ... --nflog-threshold 10",
# with ulogd2 (or any other nflog listener) bound to group N.
##########################################################################

# For convenience, we define our interfaces here so we can easily switch
# things around if we have to change which interface is used for what.
LAN="eth0"
INTERNET="eth1"
WIFI="eth2"
DMZ="eth3"
# This is the tun interface for the work VPN connection.
WORKVPN="workvpn"

# Take the IPTables rules below, change the interface variables to be
# accurate, then pipe it into the iptables-restore command to load.
cat << IPTABLES-END | iptables-restore
*nat
:PREROUTING ACCEPT [10481879:2058258314]
:POSTROUTING ACCEPT [305104:25726601]
:OUTPUT ACCEPT [390824:33281700]
# NATing (static) from internal network traffic to static external
# address.
-A POSTROUTING -o $INTERNET -j SNAT --to-source 10.30.25.150
# NATing (dynamic) for internal network to Work VPN
-A POSTROUTING -o $WORKVPN -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [60301302:18174900615]
:INPUT ACCEPT [22144748:4208037592]
:FORWARD ACCEPT [34495703:13759951055]
:OUTPUT ACCEPT [13332245:4410149167]
:POSTROUTING ACCEPT [47847722:18174945556]
COMMIT
# Completed on Sat Aug 25 06:48:12 2007
# Generated by iptables-save v1.3.8 on Sat Aug 25 06:48:12 2007
*filter
:INPUT ACCEPT [312215:40164527]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [6759870:3585426186]
:ABUSERS - [0:0]
:LOGDROP - [0:0]
:SPOOFDROP - [0:0]
:BADPACKETDROP - [0:0]
:LOGREJECT - [0:0]
:BAD-PACKETS - [0:0]
:ANTI-SPOOFING - [0:0]
# First thing we want to do, drop traffic for packets which are invalid,
# or that we shouldn't be getting, or are otherwise problematic.
-A INPUT -j BAD-PACKETS
# We also want to try to kill any potential spoofing attempts from all
# interfaces, by blocking any address ranges we know shouldn't be coming
# through there.
-A INPUT -j ANTI-SPOOFING
# Next thing we want to do, drop traffic from known (explicitly
# defined) abusive sources.
-A INPUT -j ABUSERS
# Accept locally generated traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Our own addresses.  These match on source address only (no -i), so a
# packet that forges one of them is accepted on any interface where the
# ANTI-SPOOFING chain below does not catch it; 10.30.25.150 in particular
# is not covered there, because the upstream side of this box is itself
# in 10/8.  Pinning each rule to its interface with -i would close that.
-A INPUT -s 10.30.25.150 -j ACCEPT
-A INPUT -s 192.168.1.1 -j ACCEPT
-A INPUT -s 192.168.2.1 -j ACCEPT
# We're doing wide-open acceptance on these, as each of them (IPSec and
# OpenVPN) provides internal controls for limiting access.
# OpenVPN creates interfaces named tunX (tun0, tun1, ...) by default.
-A INPUT -i tun+ -j ACCEPT
# Not currently using tap interfaces, so it is commented out.
#-A INPUT -i tap+ -j ACCEPT
# IPSec Protocols (IP Protocol 50 and 51).
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
##########################################################################
# Universal INPUT rules (all interfaces)
##########################################################################
# Provide some additional protection against abusers on this port (FTP).
# If anyone exceeds the limitations here (6 new connections from one
# source within 180 seconds), they will find their traffic dropped.
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent --set --name abusers --rsource
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent --update --seconds 180 --hitcount 6 --name abusers --rsource -j LOGDROP
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m limit --limit 1/min --limit-burst 4 -j ACCEPT
# These are the limited ports we've designated for use with PASV FTP (vsftpd)
-A INPUT -p tcp -m tcp --dport 13100:13111 -m state --state NEW -j ACCEPT
# Accept SSH traffic, but only at a specific rate (a burst of 4, then one
# new connection per minute).  Note that "limit" is a single bucket shared
# by every source, not a per-client count: it caps how fast brute-force
# attempts can arrive, but one busy attacker also uses up the allowance
# for legitimate logins.  Pair it with a "recent" rule as on port 21
# above if per-source blocking is wanted.
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 1/min --limit-burst 4 -j ACCEPT
# Accept SMTP traffic
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
# Accept DNS traffic
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
# Accept NTP traffic
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
# Accept HTTP/HTTPS traffic
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
# Accept OpenVPN traffic
-A INPUT -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
# Accept IPSec NAT-T (UDP) traffic
-A INPUT -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
##########################################################################
# External Internet INPUT rules ($INTERNET)
##########################################################################
# Accept ICMP PING traffic
-A INPUT -i $INTERNET -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Drop annoying crap broadcast traffic from ISP device (without logging)
-A INPUT -i $INTERNET -s 10.3.0.2 -d 255.255.255.255 -p udp -m udp --dport 68 -j DROP
# Immediately reject identd requests to avoid some SMTP delays
-A INPUT -i $INTERNET -p tcp -m tcp --dport 113 -j REJECT
# Accept traffic for existing connections
-A INPUT -i $INTERNET -m state --state RELATED,ESTABLISHED -j ACCEPT
# Any traffic not otherwise allowed above will be logged and dropped
-A INPUT -i $INTERNET -j LOGDROP
##########################################################################
# Internal LAN INPUT rules ($LAN)
##########################################################################
# Drop annoying crap broadcast traffic related to Tivo (without logging)
-A INPUT -i $LAN -d 192.168.1.255 -p udp -m udp --dport 2190 -j DROP
# Accept DHCP requests from Internal
-A INPUT -i $LAN -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# Accept ICMP PING traffic
-A INPUT -i $LAN -p icmp -m icmp --icmp-type any -j ACCEPT
# Accept Samba traffic
-A INPUT -i $LAN -p udp -m udp --dport 137 -m state --state NEW -j ACCEPT
-A INPUT -i $LAN -p udp -m udp --dport 138 -m state --state NEW -j ACCEPT
-A INPUT -i $LAN -p tcp -m tcp --dport 139 -m state --state NEW -j ACCEPT
-A INPUT -i $LAN -p tcp -m tcp --dport 445 -m state --state NEW -j ACCEPT
# Accept NFS4 traffic
-A INPUT -i $LAN -p tcp -m tcp --dport 2049 -m state --state NEW -j ACCEPT
# Accept Syslog traffic
-A INPUT -i $LAN -p tcp -m tcp --dport 514 -m state --state NEW -j ACCEPT
-A INPUT -i $LAN -p udp -m udp --dport 514 -m state --state NEW -j ACCEPT
# Accept traffic for existing connections
-A INPUT -i $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
# Any traffic not otherwise allowed above will be logged and rejected
-A INPUT -i $LAN -j LOGREJECT
##########################################################################
# Wifi INPUT rules ($WIFI)
##########################################################################
# Accept DHCP requests from Wifi
-A INPUT -i $WIFI -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# Accept ICMP PING traffic
-A INPUT -i $WIFI -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Accept traffic for existing connections
-A INPUT -i $WIFI -m state --state RELATED,ESTABLISHED -j ACCEPT
# Any traffic not otherwise allowed above will be logged and rejected
-A INPUT -i $WIFI -j LOGREJECT
# Note: an interface with no section of its own (the $DMZ now that its
# rules are gone, and $WORKVPN, which "tun+" above does not match) falls
# through to the INPUT policy, and that policy is ACCEPT.  Give each such
# interface a section ending in LOGDROP/LOGREJECT, or set ":INPUT DROP",
# so nothing is reachable there by accident.

# Forward OpenVPN Traffic, allowing us to route through OpenVPN tunnels
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
# Just like with INPUT, we want to drop invalid packets and packets that
# we should never have gotten.
-A FORWARD -j BAD-PACKETS
# We also want to try to kill any potential spoofing attempts from all
# interfaces, by blocking any address ranges we know shouldn't be coming
# through there.
-A FORWARD -j ANTI-SPOOFING
# We're going to log all connections that we forward through, for
# potentially setting more restrictive forwarding rules later.
-A FORWARD -i $LAN -m limit --limit 2/second --limit-burst 5 -j ULOG --ulog-prefix "iptables: LAN-FWD " --ulog-qthreshold 10
# Don't forward local e-mail traffic, require it to be handled by us at
# the MTA level (this is to help prevent spam in case of malware
# infection). Local MTA acts as mail relay.
-A FORWARD -p tcp -m tcp --dport 25 -j LOGDROP
# Forward all other traffic from LAN to Internet
-A FORWARD -i $INTERNET -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN -o $INTERNET -j ACCEPT
# Forward traffic from LAN to Wifi
-A FORWARD -i $WIFI -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN -o $WIFI -j ACCEPT
# We're going to log all wifi connections that we forward through, for
# security, integrity, and to keep track of what people are doing.
-A FORWARD -i $WIFI -m limit --limit 2/min --limit-burst 4 -j ULOG --ulog-prefix "iptables: WIFI-FWD " --ulog-qthreshold 10
# Forward traffic from wifi to Internet
-A FORWARD -i $INTERNET -o $WIFI -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $WIFI -o $INTERNET -j ACCEPT
# We're going to log all connections that we forward through, for
# potentially setting more restrictive forwarding rules later.
-A FORWARD -i $WORKVPN -m limit --limit 2/min --limit-burst 4 -j ULOG --ulog-prefix "iptables: WORK-FWD " --ulog-qthreshold 10
# Forward local traffic destined for Work VPN
-A FORWARD -i $WORKVPN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN -o $WORKVPN -j ACCEPT

# All other forward attempts get logged and rejected.
-A FORWARD -j LOGREJECT

# This chain contains known bad hosts that we've had previous problems
# with/from and that we want to completely drop from existence.
-A ABUSERS -s 1.2.3.4 -j LOGDROP
-A ABUSERS -j RETURN

# Here we block some stuff that we should never be getting.
# Reject NEW packets that have SYN/ACK set.
-A BAD-PACKETS -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
# Reject NEW packets without SYN set.
-A BAD-PACKETS -p tcp ! --syn -m state --state NEW -j BADPACKETDROP
-A BAD-PACKETS -p tcp --tcp-flags ALL ALL -j BADPACKETDROP
-A BAD-PACKETS -p tcp --tcp-flags ALL NONE -j BADPACKETDROP
-A BAD-PACKETS -m state --state INVALID -j BADPACKETDROP
-A BAD-PACKETS -j RETURN

# Any packets coming from the local LAN and NOT from the subnet assigned
# there should be dropped.
# -A ANTI-SPOOFING -i $LAN ! -s 192.168.1.0/24 -j SPOOFDROP
# Any packets coming from the Internet and claiming to be from the from
# the subnets assigned to the local LAN and Wifi there should be
# dropped.
-A ANTI-SPOOFING -i $INTERNET -s 192.168.0.0/16 -j SPOOFDROP
-A ANTI-SPOOFING -i $INTERNET -s 172.16.0.0/12 -j SPOOFDROP
# Any packets coming from the Wifi and NOT from the subnet assigned
# there should be dropped.
-A ANTI-SPOOFING -i $WIFI ! -s 192.168.2.0/24 -j SPOOFDROP
-A ANTI-SPOOFING -j RETURN

# Primary "drop" target, which logs all dropped packets.
-A LOGDROP -j ULOG --ulog-prefix "iptables: DROP " --ulog-qthreshold 10
-A LOGDROP -j DROP

# Spoof "drop" target, which logs all dropped packets.
-A SPOOFDROP -j ULOG --ulog-prefix "iptables: SPOOF-DROP " --ulog-qthreshold 10
-A SPOOFDROP -j DROP

# Bad Packet "drop" target, which logs all dropped packets.
-A BADPACKETDROP -j ULOG --ulog-prefix "iptables: BAD-DROP " --ulog-qthreshold 10
-A BADPACKETDROP -j DROP

# Primary "reject" target, which logs all rejected packets.
-A LOGREJECT -j ULOG --ulog-prefix "iptables: REJECT " --ulog-qthreshold 10
-A LOGREJECT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Aug 25 06:48:13 2007
IPTABLES-END

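Since the post warns about line-break damage in the mailed copy, here is an added pre-flight script (not the author's; the ruleset fragment, the LOGDORP typo and the nflog group number are constructed for the example) that rejoins rule lines a mail client wrapped, rewrites ULOG to LOG (what the sed in the file header does) or to NFLOG, and checks every -A/-j chain reference against the chains declared in the same table, which is the other common cause of "iptables-restore: line N failed".

```python
"""Pre-flight check for an iptables-restore file that has been through e-mail.

Added example, not part of the original post.  Unwraps mailer-split rule
lines, converts the ULOG target, and lints chain references per table.
"""
import re

# Targets valid without a ":CHAIN" declaration (only the ones this ruleset uses).
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "ULOG",
                   "NFLOG", "SNAT", "DNAT", "MASQUERADE"}

# A line an iptables-restore file may legitimately start with; any other
# non-blank line is a fragment the mailer split off the line above it.
LINE_START = re.compile(r"^(\*\w+|:\S+|#|COMMIT\b|-[AIDNPFXZ]\s)")


def unwrap(text):
    """Rejoin wrapped rule lines.  Raises if a fragment has nothing above it."""
    out = []
    for line in text.splitlines():
        if line.strip() and not LINE_START.match(line):
            if not out:
                raise ValueError("continuation with no preceding rule: %r" % line)
            out[-1] = out[-1].rstrip() + " " + line.strip()
        else:
            out.append(line.rstrip())
    return "\n".join(out) + "\n"


def convert_logging(rules, target="NFLOG", group=1):
    """Rewrite ULOG rules for LOG (kernel log buffer) or NFLOG (netlink,
    read by ulogd2).  `group` is an assumed nflog group number."""
    if target == "LOG":
        rules = re.sub(r"-j ULOG\b", "-j LOG", rules)
        rules = rules.replace("--ulog-prefix", "--log-prefix")
        return re.sub(r" --ulog-qthreshold \d+", "", rules)
    if target == "NFLOG":
        rules = re.sub(r"-j ULOG\b", "-j NFLOG --nflog-group %d" % group, rules)
        rules = rules.replace("--ulog-prefix", "--nflog-prefix")
        return re.sub(r"--ulog-qthreshold (\d+)", r"--nflog-threshold \1", rules)
    raise ValueError("unknown logging target: %s" % target)


def check_chains(rules):
    """Return (line, table, message) for every -A or -j that names a chain
    the enclosing table never declares.  Lines count in the unwrapped text."""
    problems, table, declared, refs = [], None, set(), []
    for lineno, line in enumerate(rules.splitlines(), 1):
        if line.startswith("*"):
            table, declared, refs = line[1:].strip(), set(), []
        elif line.startswith(":"):
            declared.add(line[1:].split()[0])
        elif line.startswith("-A "):
            refs.append((lineno, "-A", line.split()[1]))
            jump = re.search(r"-j (\S+)", line)
            if jump:
                refs.append((lineno, "-j", jump.group(1)))
        elif line.startswith("COMMIT"):
            for ref_line, kind, name in refs:
                known = declared if kind == "-A" else declared | BUILTIN_TARGETS
                if name not in known:
                    problems.append((ref_line, table, "%s %s is not a declared chain" % (kind, name)))
    return problems


# Constructed fragment in the shape of the page's file: two rules wrapped
# by a mailer and a deliberate typo (LOGDORP) in the third -A line.
WRAPPED = """\
*filter
:INPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent --update
--seconds 180 --hitcount 6 --name abusers --rsource -j
LOGDROP
-A INPUT -i eth1 -j LOGDORP
-A LOGDROP -j ULOG --ulog-prefix "iptables: DROP "
--ulog-qthreshold 10
-A LOGDROP -j DROP
COMMIT
"""


def preflight(text, target="NFLOG"):
    """Unwrap, convert logging and lint; returns (rules_text, problems)."""
    rules = convert_logging(unwrap(text), target)
    return rules, check_chains(rules)


if __name__ == "__main__":
    rules, problems = preflight(WRAPPED)
    print(rules)
    for lineno, table, msg in problems:
        print("line %d (*%s): %s" % (lineno, table, msg))
```

The unwrap heuristic is deliberately strict: anything that is not a table, chain, comment, COMMIT or rule line is glued to the previous line, so an unexpected fragment surfaces as a lint error rather than a half-loaded ruleset. Once it reports nothing, "iptables-restore --test < file" is the last check before committing.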

