Hi All,
I've just been looking at various scripts and made the script below, Im
sure theres lots of stuff which could be done much better... but it
actually seems to be working :)
I've been wondering about the "log_martians" line.. As I understand it
concerns invalid IP addresses, but if any is encountered, to what is it
logged??
Lots of scripts starts with dropping everything, then flushing, that way
the drop line can't be doing much good??
Im having some problem with the syn flood protection part... as this box
forwards port 25 connections to a mail server it seems having a burst
limit of 5 could be a problem.. I could of course just increase it, but
I was wondering if anyone else had experience about what to do?
I cant figure out the line which logs all forwarded packets... Should it
log all port 25 connections with state=new or should it log some more
or?
I've had some trouble understanding the 3 basic chains, input, output,
forward... As I understand input/ouput ONLY concerns packets with
destination/source the box itself... packets from the internal net to
outside or the other way is always forward, and input/ouput never
applies here??
As this is my first netfilter script I would be interested in any
comments...
Regards
Christian Rasmussen
#!/bin/sh
INTIP=
EXTIP=
INTIF=
EXTIF=
INTNET=internal IP net
EXTNET=external IP net
INTMAIL=internal mailserver
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
echo "1" >/proc/sys/net/ipv4/tcp_syncookies
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" >/proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" >/proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" >/proc/sys/net/ipv4/conf/all/log_martians
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -N spoof
$IPTABLES -A spoof -m limit --limit 5/minute -j LOG --log-prefix
"Spoofing: "
$IPTABLES -A spoof -j DROP
$IPTABLES -A FORWARD -i $INTIF -s ! $INTNET -j spoof
$IPTABLES -A FORWARD -i $EXTIF -s 127.0.0.0/8 -j spoof
$IPTABLES -A FORWARD -i $EXTIF -s 10.0.0.0/8 -j spoof
$IPTABLES -A FORWARD -i $EXTIF -s 172.16.0.0/12 -j spoof
$IPTABLES -A FORWARD -i $EXTIF -s 192.168.0.0/16 -j spoof
$IPTABLES -N icmp_check
$IPTABLES -A icmp_check -m state --state NEW -p icmp --icmp-type
source-quench -j ACCEPT
$IPTABLES -A icmp_check -m state --state NEW -p icmp --icmp-type
time-exceeded -j ACCEPT
$IPTABLES -A icmp_check -m state --state NEW -p icmp --icmp-type
destination-unreachable -j ACCEPT
$IPTABLES -A icmp_check -p icmp --icmp-type echo-request -m limit
--limit-burst 10 -j ACCEPT
$IPTABLES -A icmp_check -p icmp --icmp-type echo-request -j LOG
--log-prefix "ICMP Burst: " --log-ip-options --log-tcp-options
$IPTABLES -A icmp_check -p icmp --icmp-type echo-request -j DROP
$IPTABLES -A FORWARD -p icmp -j icmp_check
$IPTABLES -A INPUT -p icmp -j icmp_check
$IPTABLES -A OUTPUT -p icmp -j icmp_check
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -N block
$IPTABLES -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A block -m state --state NEW -i $INTIF -j ACCEPT
$IPTABLES -A block -m state --state INVALID -j LOG --log-prefix "Invalid
packet: " --log-ip-options --log-tcp-options
$IPTABLES -A block -m state --state INVALID -j DROP
$IPTABLES -A INPUT -j block
$IPTABLES -A FORWARD -j block
$IPTABLES -A OUTPUT -j block
# syn flood protection
#$IPTABLES -A FORWARD -p tcp --syn -m limit --limit-burst 5 -j ACCEPT
#$IPTABLES -A FORWARD -p tcp --syn -j LOG --log-prefix "SYN flood: "
--log-ip-options --log-tcp-options
#$IPTABLES -A FORWARD -p tcp --syn -j DROP
# port scanner protection
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
--limit-burst 1 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j LOG
--log-prefix "Portscan: " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
$IPTABLES -t nat -A POSTROUTING -s $INTNET -d ! $INTNET -j SNAT --to
$EXTIP
$IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD: " --log-ip-options
--log-tcp-options
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 25 -j DNAT --to
$INTMAIL:25
$IPTABLES -A FORWARD -i $EXTIF -d $INTMAIL -j ACCEPT
I've just been looking at various scripts and made the script below, Im
sure theres lots of stuff which could be done much better... but it
actually seems to be working :)
I've been wondering about the "log_martians" line.. As I understand it
concerns invalid IP addresses, but if any is encountered, to what is it
logged??
Lots of scripts starts with dropping everything, then flushing, that way
the drop line can't be doing much good??
Im having some problem with the syn flood protection part... as this box
forwards port 25 connections to a mail server it seems having a burst
limit of 5 could be a problem.. I could of course just increase it, but
I was wondering if anyone else had experience about what to do?
I cant figure out the line which logs all forwarded packets... Should it
log all port 25 connections with state=new or should it log some more
or?
I've had some trouble understanding the 3 basic chains, input, output,
forward... As I understand input/ouput ONLY concerns packets with
destination/source the box itself... packets from the internal net to
outside or the other way is always forward, and input/ouput never
applies here??
As this is my first netfilter script I would be interested in any
comments...
Regards
Christian Rasmussen
#!/bin/sh
INTIP=
EXTIP=
INTIF=
EXTIF=
INTNET=internal IP net
EXTNET=external IP net
INTMAIL=internal mailserver
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
echo "1" >/proc/sys/net/ipv4/tcp_syncookies
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" >/proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" >/proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" >/proc/sys/net/ipv4/conf/all/log_martians
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -N spoof
$IPTABLES -A spoof -m limit --limit 5/minute -j LOG --log-prefix
"Spoofing: "
$IPTABLES -A spoof -j DROP
$IPTABLES -A FORWARD -i $INTIF -s ! $INTNET -j spoof
$IPTABLES -A FORWARD -i $EXTIF -s 127.0.0.0/8 -j spoof
$IPTABLES -A FORWARD -i $EXTIF -s 10.0.0.0/8 -j spoof
$IPTABLES -A FORWARD -i $EXTIF -s 172.16.0.0/12 -j spoof
$IPTABLES -A FORWARD -i $EXTIF -s 192.168.0.0/16 -j spoof
$IPTABLES -N icmp_check
$IPTABLES -A icmp_check -m state --state NEW -p icmp --icmp-type
source-quench -j ACCEPT
$IPTABLES -A icmp_check -m state --state NEW -p icmp --icmp-type
time-exceeded -j ACCEPT
$IPTABLES -A icmp_check -m state --state NEW -p icmp --icmp-type
destination-unreachable -j ACCEPT
$IPTABLES -A icmp_check -p icmp --icmp-type echo-request -m limit
--limit-burst 10 -j ACCEPT
$IPTABLES -A icmp_check -p icmp --icmp-type echo-request -j LOG
--log-prefix "ICMP Burst: " --log-ip-options --log-tcp-options
$IPTABLES -A icmp_check -p icmp --icmp-type echo-request -j DROP
$IPTABLES -A FORWARD -p icmp -j icmp_check
$IPTABLES -A INPUT -p icmp -j icmp_check
$IPTABLES -A OUTPUT -p icmp -j icmp_check
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -N block
$IPTABLES -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A block -m state --state NEW -i $INTIF -j ACCEPT
$IPTABLES -A block -m state --state INVALID -j LOG --log-prefix "Invalid
packet: " --log-ip-options --log-tcp-options
$IPTABLES -A block -m state --state INVALID -j DROP
$IPTABLES -A INPUT -j block
$IPTABLES -A FORWARD -j block
$IPTABLES -A OUTPUT -j block
# syn flood protection
#$IPTABLES -A FORWARD -p tcp --syn -m limit --limit-burst 5 -j ACCEPT
#$IPTABLES -A FORWARD -p tcp --syn -j LOG --log-prefix "SYN flood: "
--log-ip-options --log-tcp-options
#$IPTABLES -A FORWARD -p tcp --syn -j DROP
# port scanner protection
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
--limit-burst 1 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j LOG
--log-prefix "Portscan: " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
$IPTABLES -t nat -A POSTROUTING -s $INTNET -d ! $INTNET -j SNAT --to
$EXTIP
$IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD: " --log-ip-options
--log-tcp-options
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 25 -j DNAT --to
$INTMAIL:25
$IPTABLES -A FORWARD -i $EXTIF -d $INTMAIL -j ACCEPT