 guycad$In Search Of Free SpeechPremium join:2002-05-02 Pompton Lakes, NJ
| Free IPTABLES SCRIPT! Get it here now!!! Hello everyone,
mbcx8nlp and I have been working on a good, general purpose iptables script for Linux machines. This should be the 'iptables script to end all iptables scripts' for most single, home LAN and small business office users. 
mbcx8nlp has done all the hard work and I've tried to write interpretive end user comments which make sense. (HAH!)
So now we are throwing it open to the world to either sink or swim. We expect we have a pretty good swimmer here though. We (by means of this post) are also submitting this script to the Forum FAQ. (Are you paying attention there BMN and Howe81?)
Suggestions, constructive comments, kudos and plaudits in general will be accepted with modest and becoming humility (DOUBLE HAH!) Flames will be regarded with jaded (ho-hum) polite non-interest.
Versions prior to 1.3 are internal and not available.
Requirements:
You must have iptables compiled into your kernel with the appropriate options selected.
Suggestions:
We suggest that you contact »www.mynetwatchman.com after installing this iptables script (and set LOGging to 1). If you frequent the DSLReports Security Forum »Security, you'll see that Lawrence Baldwin has done some very interesting, helpful and original research regarding Internet security issues. In support of that, we recommend installing the netwatchman agent as a benefit to the entire Internet community. (hint: Lawrence, perhaps you (or someone else) might like to write a blow-by-blow installation guide for the agent on Linux).
Installation instructions:
These are generic instructions. I (guycad) have already written instructions specific to Gentoo GNU/Linux. You can find them at »How to initialise iptables in Gentoo. I will be writing a new version of same for possible inclusion in the Forum FAQ.
As root, move or copy the iptables script to /etc. Hint: I call the script 'init_iptables'
# cd /etc
# chmod 700 init_iptables
To execute it manually (as root):
# /etc/init_iptables
I'd suggest, however, that you add it to your boot scripts appropriately.
If you're using Gentoo - see my notes in the thread referenced above.
Have fun!
(special thanks to mbcx8nlp for his knowledge, time and patience - even if he does live on the wrong side of 'the pond')
P.S. I've included the script as an attachment since some of the lines are too long for posting. -- My Pictures. People who describe M$ software as 'mediocre' don't know the half of it. WinDoze Free 2003 |
|
| Maybe I'm missing something since I'm used to using ipchains, but why are there no output chains? |
|
 Nick8Premium join:2001-03-17 UK
| There is an output chain (it's a built-in), it's just we don't put any rules in it - outbound traffic is not filtered..
I suppose a (commented - as in disabled) example of outbound filtering would be useful. I think that in many cases having to add rules to account for all acceptable outbound traffic would be more trouble than it's worth - if the outbound rules were enabled by default I would expect lots of "I used the script and now I can't play bzflag online ", etc. I personally have an empty output chain here at home..
The script is really just intended as a simple example demonstrating how one would go about producing a simple stateful firewall / NAT box with iptables.. There are loads of more functional / complex scripts around but they are often a little difficult to learn from and are often total overkill. The bits of shell scripting (i.e. the conditionals, etc.) are just to make the script usable as-is in a range of situations.
|
|
 | reply to guycad$ This is a nice example. Thanks for sharing.
For my own use, I usually prefer to set the default chain policy to DROP or REJECT and then allow packets in and out that I want, as opposed to your method. |
|
|
|
 Nick8Premium join:2001-03-17 UK | I don't think you can set a policy of reject.. The reject target is an optional module.
Even if you could, I dislike the way in which a plain reject rule (no --reject-with) sends back a dest. unreachable regardless of what it is rejecting.. I prefer to have it send RST ACKs / ICMP 3,3s when dropping TCP / UDP..
Since reject has to be a rule, I thought it would aid clarity to ignore policies altogether..
Thanks for the comments. |
|
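An added example, not the thread's init_iptables script, that puts Nick8's two points above into runnable form: the OUTPUT chain is a built-in that can simply be left empty (an outbound whitelist is shown commented out, as he suggests), and REJECT is a target rather than a policy, so the protocol-specific replies he prefers (a TCP RST for TCP, ICMP port-unreachable for UDP) have to come from explicit rules at the end of INPUT. The interface name eth0, the DROP backstop policies and the port list are this example's assumptions. Run it as `IPT=echo sh firewall.sh apply 22` to print the rules without loading them, or as root with IPT unset to load them.

```sh
#!/bin/sh
# Added example, not the thread's init_iptables script.
# IPT=echo prints the rules instead of loading them (dry run).
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"   # assumed external interface

# Built-in chain policies are only a backstop; the explicit rules at the end
# of INPUT decide what a peer actually sees. REJECT cannot be a policy.
set_policies() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT      # outbound unfiltered, as in the thread's script
}

# stateful_input [TCP_PORT...]  - the listed ports are reachable from the WAN.
stateful_input() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    for port in "$@"; do
        $IPT -A INPUT -i "$WAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# A bare -j REJECT answers everything with icmp-port-unreachable; pick the
# reply that fits the protocol instead, and drop whatever is left.
reject_rest() {
    $IPT -A INPUT -i "$WAN" -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -i "$WAN" -p udp -j REJECT --reject-with icmp-port-unreachable
    $IPT -A INPUT -i "$WAN" -j DROP
}

# Shape of an OUTPUT whitelist, disabled on purpose: every outbound service
# you use would need a rule here (DNS, HTTP/HTTPS, ...).
# $IPT -P OUTPUT DROP
# $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
# $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

build_firewall() {
    $IPT -F INPUT
    set_policies
    stateful_input "$@"
    reject_rest
}

if [ "${1:-}" = apply ]; then
    shift
    build_firewall "$@"
fi
```

Rule order is the whole point: the ESTABLISHED,RELATED accept comes first so return traffic never reaches the reject rules, the NEW accepts for published services follow, and the REJECT lines sit last where they only ever see unsolicited packets.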
computxnullus cogito ergo google.Premium join:2000-09-02 Kirksville, MO
| reply to guycad$ Great job... Question: if I wanted to allow Samba shares on the local reserved IP range only (not across the Internet), what would the syntax be? Like below, with the addition of a netmask for the local IP range??
# $IPT -A INPUT -i $WAN -p tcp --dport 239 -m state --state NEW -j ACCEPT
I will rtfm and stfw but looks like you guys have this stuff down so thought it would be good to get your input. -- To err is human...to really foul up requires the root password. |
|
 Nick8Premium join:2001-03-17 UK
| The script should allow your LAN full access automatically (if you have a LAN interface or your WAN interface resides in a private subnet, i.e. you are behind NAT).
In any case, you needn't bother with the state match for local traffic - I used the NEW state match there just so that unexpected non-SYN traffic will get dropped.
Something like:
$IPT -A INPUT -p tcp -s <address/mask> --dport 139 -j ACCEPT
$IPT -A INPUT -p udp -s <address/mask> --dport 137:138 -j ACCEPT
Should do..
Edit: If your LAN hangs off a separate interface to the Internet you could specify the interface with -i <iface>.
|
|
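An added example (not the thread's script) that expands Nick8's two-rule answer above: it takes the LAN prefix and the optional interface as arguments, refuses a prefix that is not inside the RFC 1918 private ranges so a typo cannot open the shares to the Internet, and adds TCP 445 next to 139 because Samba and Windows 2000 or later also carry SMB directly over that port. The 445 rule, the private-prefix check and the rate-limited logging of SMB probes arriving from the WAN are this example's additions; the prefix 192.168.0.0/24, the interface names and the log prefix are assumptions.

```sh
#!/bin/sh
# Added example, not the thread's init_iptables script.
# IPT=echo prints the rules instead of loading them (dry run).
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"   # assumed external interface

# Returns 0 if the prefix lies inside 10/8, 172.16/12 or 192.168/16, else 1.
is_private_prefix() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# allow_samba_from ADDRESS/MASK [IFACE]
# NetBIOS name/datagram service (UDP 137-138), session service (TCP 139)
# and direct SMB (TCP 445), accepted only from the given source prefix.
allow_samba_from() {
    lan="$1"
    iface="${2:-}"
    if ! is_private_prefix "$lan"; then
        echo "refusing to open SMB to non-private prefix $lan" >&2
        return 1
    fi
    ifopt=""
    if [ -n "$iface" ]; then
        ifopt="-i $iface"
    fi
    # $ifopt is deliberately unquoted so an empty value adds no argument.
    $IPT -A INPUT $ifopt -p udp -s "$lan" --dport 137:138 -j ACCEPT
    $IPT -A INPUT $ifopt -p tcp -s "$lan" -m multiport --dports 139,445 -j ACCEPT
}

# SMB probes arriving on the WAN: log a few per minute, then drop.
# Place this after allow_samba_from so LAN traffic never reaches it.
log_drop_samba_wan() {
    $IPT -A INPUT -i "$WAN" -p udp --dport 137:138 -m limit --limit 5/min -j LOG --log-prefix "SMB from WAN: "
    $IPT -A INPUT -i "$WAN" -p tcp -m multiport --dports 139,445 -m limit --limit 5/min -j LOG --log-prefix "SMB from WAN: "
    $IPT -A INPUT -i "$WAN" -p udp --dport 137:138 -j DROP
    $IPT -A INPUT -i "$WAN" -p tcp -m multiport --dports 139,445 -j DROP
}

if [ "${1:-}" = apply ]; then
    allow_samba_from "${2:-192.168.0.0/24}" "${3:-eth1}"
    log_drop_samba_wan
fi
```

The -s match alone is not spoof-proof on a single-interface box, which is why the interface argument matters when the LAN hangs off its own NIC: a packet claiming a 192.168.0.x source that arrives on the WAN interface will then miss the accept rule and fall through to the logging drop.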
 guycad$In Search Of Free SpeechPremium join:2002-05-02 Pompton Lakes, NJ | reply to computx said by computx: Great Job...
Thanx!!
quote:
Question, If i wanted to allow samba shares on the local reserved ip range only (not across the internet) what would the syntax be?
My goals (as opposed to mbcx8nlp's - ahhh, the mysterious mbcx8nlp) were to create a script and comments which would be good for general use, particularly by people just getting into self security and iptables. I.e. - security for the rest of us. One of the primary assumptions of the script is that your local LAN is trusted. This means that you can do anything you want on your local network, including Samba shares. And more importantly, to be able to do these things without having to worry about people trying to access your internal shares from the Internet.
The script, as is, is set up to provide you with a reasonably complete and secure firewall and yet allow unlimited local activity. No manual or search required. 
Simply read the comments. Make the appropriate selections. Run the script.
If any of the comments aren't clear or require additional explanation, please either post the question or let me know. (since I'm the guilty party regarding the comments).
quote:
I will rtfm and stfw but looks like you guys have this stuff down so thought it would be good to get your input.
|
|
 DA OHDo, Or Do Not. There Is No 'try'. join:2002-01-07 Denver, CO | reply to guycad$ said by init_iptables1.3-WAN section: If you have two ethernet cards (as when you're using your computer as a NAT router for your network, set this either as or 'eth1' depending if your broadband (cable or ADSL) modem is 'eth0' connected to your first or second ethernet card respecively.
The above comment in the WAN section of the script is missing the word "eth0" after the word "as" and before the word "or" from line 2 to 3 above. Also, respectively is spelled wrong. 
Hey, you said any comments...  -- "Victory goes to the player who makes the next-to-last mistake." |
|
 guycad$In Search Of Free SpeechPremium join:2002-05-02 Pompton Lakes, NJ | said by DA OH:
Hey, you said any comments... 
And I meant it! ROFL - Well, those words USED to be there! And I take full blame for the misspelling. 
I'll make the changes on my source and we'll release 1.4 after we have enough comments.
Thanx!!! |
|
| reply to guycad$ I'm going to ask this question at full risk of getting flamed, but I always wanted to know if the default gateway in a LAN should be considered as trusted?
Currently I have 3 machines and 1 router (192.168.0.1). When trusting connections, should I trust the router's IP even if that's the one actually connected to the Internet? I'm very interested in this script since I don't have a firewall set up on the Linux box.  |
|
guycad$In Search Of Free SpeechPremium join:2002-05-02 Pompton Lakes, NJ | said by dom6791: I always wanted to know if the default gateway in a LAN should be considered as trusted?
Currently I have 3 machines and 1 router (192.168.0.1). When trusting connections, should I trust the router's IP even if that's the one actually connected to the Internet? I'm very interested in this script since I don't have a firewall set up on the Linux box.
I assume the router is set up as NAT. So long as the firmware in your router is secure (some, by default, permit administration from the Internet), then the answer to your question is yes. You can trust the gateway's local IP address.
It doesn't hurt to setup each computer on your local network with their own firewall either. Especially if you set up each local computer's firewall with stateful checking. IE - each local computer's firewall is set to only accept packets based on connections they've established.
I use an up-to-date Netgear NAT router between my mother's cable modem and her local network in FL. Works very well and have never had a problem with it. Of course, the admin function of the router has a password different from the default. Plus, the router is set to not accept any admin connections from the Internet. It accepts LAN based connections only.
Of course, YMMV.  |
|
 Nick8Premium join:2001-03-17 UK
| reply to dom6791 There's no problem in doing so.. The only things coming from the router itself would be DHCP / syslog / SNMP messages, etc. In the unlikely event that someone gained control of your router, it's even less likely (probably impossible) that they would launch further attacks from it (it would be much easier to reconfigure it to allow external access to the LAN).
Since you are behind NA(P)T, the script is not really of much use to you. NAT will allow only valid 'return' traffic to pass from WAN->LAN (i.e. traffic that is part of a conversation initiated from the LAN). It has an almost identical effect to the firewall produced by the script, which uses stateful inspection to achieve the same thing.. The script does do some other stuff like dropping traffic from private addresses and malformed packets but I would imagine that it won't be doing much.. It can't hurt to use it though.
Guycad beat me to it..
|
|
 | reply to guycad$ Thank you guys! I always wanted to know that answer.  |
|
 guycad$In Search Of Free SpeechPremium join:2002-05-02 Pompton Lakes, NJ | reply to Nick8 said by Nick8: Guycad beat me to it...
It's funny how we give essentially the same answer but expressed totally differently. 
If they can't understand me, then they should be able to understand you and vice versa. I think this works very well.  |
|
shdesignsPowered By Infinite Improbabilty DrivePremium join:2000-12-01 Stone Mountain, GA
| reply to guycad$ Nice script. But you are really duplicating other peoples work.
Take a look at:
»www.linuxguruz.org/iptables/
I use 'Arno's IP tables script'. Handles many more things like spoofing, flood, SYN attacks, fragments, and other stuff.
I use it with only a few changes to my multi-homed server. Was not too difficult to add support for my VPN links. It includes a 'custom-routes' setup to handle things outside what it has built-in. That is where I add rules for my tap network devices and my second local subnet.
Yours is simpler. Arno's does have lots of options that can be configured. For most they are straightforward. -- Scott Henion, Consultant, SHDesigns http://shdesigns.org |
|
 guycad$In Search Of Free SpeechPremium join:2002-05-02 Pompton Lakes, NJ | said by shdesigns: Nice script. But you are really duplicating other peoples work.
Take a look at:
»www.linuxguruz.org/iptables/
I had gone through just about all the iptables scripts at linuxguruz.org (have favorites link and it's well worn at times). The problem with most of the scripts is that they are not 'newbie' friendly. IE: included comments are often cryptic or there are simply too many choices. In fact, I was rather frustrated with most of them. Especially since most of them are really iptables scripts for NAT routers supporting large or sophisticated local network segments.
Very few of them are geared to single user, home user or small office user firewalls. Even the simpler scripts there can be hard to follow.
I'm not saying that they aren't useful as examples or anything like that. It's just that with most of them, they're either difficult to follow or overkill for most users. In fact, the more complex scripts are wonderful resources for getting into advanced firewall requirements.
After looking over the various iptables threads here at the ATU forum and getting some very helpful advice from mbcx8nlp, I decided that a more newbie friendly script would be helpful for other iptables n00bs. Like me! So I sort of dragooned mbcx8nlp into putting together this script. It's specifically limited in scope in order to not confuse most users and contains everything most users (with relatively simple setups) actually need.
OTOH, I completely agree that the linuxguruz.org site is a wonderful resource for example iptables scripts.
After digesting all the comments here, mbcx8nlp and I will probably post the script to the linuxguruz site anyway. It's part of that 'giving back to the community' thingie.
|
|
shdesignsPowered By Infinite Improbabilty DrivePremium join:2000-12-01 Stone Mountain, GA
| Wasn't meant to be critical; kudos on helping noobs.
Yes, for noobs yours is nice and simple especially since it is all in one file.
I looked at several at linuxguruz. Many are from the "If it was hard to write it should be hard to read" school.
Yours is good, especially for "joe sixpack" who does not have the attention span to RTFM and stumble through it.
Probably the last step is simplifying port forwarding. Arno's had nice defines like:
TCP_FORWARD="23>192.168.1.2 80,8080>192.168.1.3"
UDP_FORWARD=""
That's port[,port]>destination.
A lot easier to enter than the iptables line.
Yes, post this on linuxguruz site. You're right, it needs more easy to understand scripts.
Good work. Too bad I wasted so much time with ipchains. Live and learn  |
|
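An added example, not Arno's script or the thread's, that implements the port[,port]>destination shorthand shdesigns describes above: each spec in TCP_FORWARD or UDP_FORWARD becomes a DNAT rule in the nat table's PREROUTING chain plus the matching FORWARD accept for the new connection, and a spec with a malformed port or no '>' is refused before any rule for it is emitted. The interface name eth0 and the sample forwards are assumptions; the host:port form, for sending a WAN port to a different port on the inside host, is this example's own extension of the shorthand.

```sh
#!/bin/sh
# Added example, not Arno's script or the thread's init_iptables.
# Set TCP_FORWARD / UDP_FORWARD to space-separated "ports>host" specs,
# e.g. TCP_FORWARD="23>192.168.1.2 80,8080>192.168.1.3".
# IPT=echo prints the rules instead of loading them (dry run).
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"          # assumed external interface
TCP_FORWARD="${TCP_FORWARD:-}"
UDP_FORWARD="${UDP_FORWARD:-}"

# forward_spec PROTO "port[,port]>host[:port]"
# Emits one DNAT rule and one FORWARD accept per listed port. Returns 1,
# emitting nothing, if the spec is malformed or a port is not in 1..65535.
forward_spec() {
    proto="$1"
    spec="$2"
    case "$spec" in
        ">"*|*">") echo "bad forward spec (empty side): $spec" >&2; return 1 ;;
        *">"*) ;;
        *) echo "bad forward spec (no '>'): $spec" >&2; return 1 ;;
    esac
    ports=$(printf '%s' "${spec%%>*}" | tr ',' ' ')
    dest="${spec#*>}"
    case "$dest" in
        *:*) host="${dest%%:*}"; dport="${dest#*:}" ;;   # host:port extension
        *)   host="$dest";       dport="" ;;
    esac
    # Validate every port first so a bad spec never leaves half its rules loaded.
    for port in $ports $dport; do
        case "$port" in
            ''|*[!0-9]*) echo "bad port '$port' in $spec" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port $port out of range in $spec" >&2
            return 1
        fi
    done
    for port in $ports; do
        to="$host"
        inside="$port"
        if [ -n "$dport" ]; then
            to="$host:$dport"
            inside="$dport"
        fi
        $IPT -t nat -A PREROUTING -i "$WAN" -p "$proto" --dport "$port" -j DNAT --to-destination "$to"
        $IPT -A FORWARD -i "$WAN" -p "$proto" -d "$host" --dport "$inside" -m state --state NEW -j ACCEPT
    done
}

# Expands both lists. The FORWARD chain also needs the usual
# ESTABLISHED,RELATED accept for the return traffic, emitted first.
forward_all() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for spec in $TCP_FORWARD; do
        forward_spec tcp "$spec" || return 1
    done
    for spec in $UDP_FORWARD; do
        forward_spec udp "$spec" || return 1
    done
}

if [ "${1:-}" = apply ]; then
    forward_all
fi
```

The FORWARD accept is restricted to the inside host and port named in the spec, so a forward for port 80 does not also let the outside world reach other ports on that machine once DNAT has rewritten the destination.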
 Nick8Premium join:2001-03-17 UK | reply to shdesigns said by shdesigns: Nice script. But you are really duplicating other peoples work.
I use 'Arno's IP tables script'. Handles many more things like spoofing, flood, SYN attacks, fragments, and other stuff.
Arno's script has a lot of rules for detection of nmap style scans (xmas, FIN, etc). The unclean match matches all of these AFAIK - that one rule duplicates a large section of his script. The spoofing and SYN flood protection, etc, are features of the (2.4) kernel rather than of the script.
It's almost as if he's trying to use iptables to do the job of an IDS. There are several much better solutions for doing this (portscand, snort, etc).
The basic premise of this type of script is to present a config file to the user and 'hide' iptables behind it.. You end up with a big ruleset, most of which most people probably don't understand (and much of which is often redundant).. Our goal was to provide an understandable example of actually using iptables rather than a whole host of 'features'.
A typical hand-crafted ruleset would be much smaller / more efficient than that provided by scripts such as Arno's, probably as easy to implement and certainly much easier to troubleshoot / tweak. |
|
 guycad$In Search Of Free SpeechPremium join:2002-05-02 Pompton Lakes, NJ | reply to shdesigns said by shdesigns: Wasn't meant to be critical kudos on helping noobs.
ROFL - wasn't taken as critical. 'Sides, it was good to take the opportunity to clarify the target audience. I think one of the best things to come from the iptables versus ipchains (in addition to the state matching) was the enormous simplification possible with iptables. (At least from my reading.) 
Short, simple and sweet. S-cubed I always say.  |
|