IPTables requires the Linux 2.4 kernel. Before you write any rules, you need to flush and clear your tables (add the mangle table as well if you use it). A default policy of DROP is always a good idea. The best philosophy behind any good firewall is twofold: that which is not allowed is denied; and too much paranoia can cause failure of the heart (false positives, a self-created DoS, etc). You can download it from http://netfilter.samba.org, which also has some good tutorials.
# Flush every rule and delete any user-defined chains in the filter and
# nat tables (add the same two lines for the mangle table if you use it)
iptables -t filter -F
iptables -t nat -F
iptables -t filter -X
iptables -t nat -X
# Default policy: anything not explicitly allowed is dropped
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# If you turn on IP forwarding, you will also get the rp_filter, which
# automatically rejects incoming packets if the routing table entry
# for their source address doesn't match the network interface they're
# arriving on. This has security advantages because it prevents the
# so-called IP spoofing; however, it can pose problems if you use
# asymmetric routing (packets from you to a host take a different path
# than packets from that host to you) or if you operate a non-routing
# host which has several IP addresses on different interfaces.
# The integer value determines whether source validation is done: 1 means
# yes, 0 means no. Disabled by default, but local/broadcast address spoofing
# protection is always on. If you set this to 1 on a router that is the only
# connection for a network to the net, it will prevent spoofing attacks
# against your internal networks (external addresses can still be spoofed),
# without the need for additional firewall rules. Change to 1 if this is
# what you need.
if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    echo "Disabling rp_filter."
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
fi
# Syncookies are left off here: they can cause degradation of some services
echo 0 > /proc/sys/net/ipv4/tcp_syncookies
# Ignore all ICMP ECHO requests sent to broadcast/multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Some routers violate RFC 1122 by sending bogus responses to broadcast
# frames. Such violations are normally logged via a kernel warning.
# If this is set to TRUE, the kernel will not give such warnings, which
# will avoid log file clutter.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Set the maximum number of connections to track (kernel default: 2048)
echo 4096 > /proc/sys/net/ipv4/ip_conntrack_max
# Disable source routing (SRR) of packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Log packets with impossible addresses to the kernel log
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Do not accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
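The echo lines above take effect immediately but are not persistent, so it is worth being able to check that they are still in place. The following checker is an added example, not part of the original article: it takes the root of a /proc/sys tree as an argument (so it can be pointed at a test copy), and the expected values are the article's own choices, including its rp_filter=0.

```shell
#!/bin/sh
# Added example, not from the original article: an audit of the /proc/sys
# settings written above, so that a reboot or a distribution's sysctl.conf
# quietly undoing them is noticed. check_sysctl takes the root of a /proc/sys
# tree (so it can be pointed at a test copy), prints one line per setting that
# is missing or differs, and returns the number of problems. Expected values
# are the article's own choices (including its rp_filter=0; routers may want 1).
WANTED="net/ipv4/conf/all/rp_filter=0
net/ipv4/tcp_syncookies=0
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/log_martians=1
net/ipv4/conf/all/accept_redirects=0"

check_sysctl() {   # usage: check_sysctl /proc/sys
    root=$1; bad=0
    for entry in $WANTED; do                 # entries are whitespace separated
        key=${entry%=*}; want=${entry#*=}
        if [ ! -r "$root/$key" ]; then
            echo "MISSING  $key"
            bad=$((bad + 1))
            continue
        fi
        have=$(cat "$root/$key")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: have $have, want $want"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Build a throw-away /proc/sys look-alike holding the wanted values, so the
# checker can be exercised without touching the live kernel settings.
fake_sysctl_tree() {   # usage: fake_sysctl_tree DIR
    for entry in $WANTED; do
        mkdir -p "$1/$(dirname "${entry%=*}")"
        echo "${entry#*=}" > "$1/${entry%=*}"
    done
}

if check_sysctl "${1:-/proc/sys}"; then
    echo "all hardening settings are as expected"
fi
```

Run it with no argument on the live system after boot, or pass a directory created by fake_sysctl_tree to see how mismatches are reported.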
Exercise caution when blocking hosts. It's easy to become ultra-paranoid and block all connections to your system that you assume "shouldn't" occur. That's most likely when your phone will ring, or when you will end up locking yourself out. However, here's a simple way to use your /etc/hosts.deny file with your firewall rules:
echo -n "Dropping Bad Host: "
# Print the second field (the host part of an "ALL: a.b.c.d" entry) of every
# non-blank, non-comment line in hosts.deny, then drop each address once.
/usr/bin/awk -F" " '
    /^$/   { next; };
    /^#.*/ { next; };
    /^.*/  { print $2; }; ' /etc/hosts.deny | /usr/bin/sort | /usr/bin/uniq |
( while read badip; do
      echo -n "$badip "
      iptables -A INPUT -s $badip/32 -j DROP
  done )
echo
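The one-liner above assumes one bare address per hosts.deny line. Entries with several comma-separated clients, keywords such as ALL or PARANOID, or an existing netmask would produce bad or failing iptables calls, so here is an added example (not from the original article) that validates each client before generating a rule; the DRYRUN variable and the sample deny list are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: pull blockable IPv4
# addresses out of hosts.deny-style input on stdin. Unlike the awk
# one-liner above it copes with several comma-separated hosts on one
# line, keywords such as ALL or PARANOID, and entries that already
# carry a netmask. Output is one "addr/prefix" per line, sorted, unique.
hosts_deny_ips() {
    awk '
        /^[[:space:]]*$/ { next }    # blank line
        /^[[:space:]]*#/ { next }    # comment
        {
            # keep only the client list after the first ":"
            sub(/^[^:]*:/, "")
            n = split($0, hosts, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                h = hosts[i]
                if (h == "") continue
                # dotted quad, optional /prefix; anything else is skipped
                if (h ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) {
                    if (h !~ /\//) h = h "/32"
                    print h
                }
            }
        }' | sort | uniq
}

# Emit one DROP rule per address; DRYRUN=1 prints the rules instead.
block_bad_hosts() {
    hosts_deny_ips | while read -r badip; do
        if [ "${DRYRUN:-0}" = 1 ]; then
            echo "iptables -A INPUT -s $badip -j DROP"
        else
            iptables -A INPUT -s "$badip" -j DROP
        fi
    done
}

# Constructed sample (not a real hosts.deny); note the duplicate and the
# keyword entry, both of which the one-liner above would mishandle.
SAMPLE='# deny list
ALL: 192.0.2.9
ALL: 198.51.100.7, 203.0.113.0/24
sshd: PARANOID

ALL: 192.0.2.9'

DRYRUN=1    # set to 0 (or unset it) in the real firewall script
printf '%s\n' "$SAMPLE" | block_bad_hosts
```

In the real script replace the sample with `block_bad_hosts < /etc/hosts.deny`.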
These apply to iptables only. Please note that connection tracking is not yet 100% comprehensive, so you can't rely on these rules by themselves. Repeat for FORWARD and OUTPUT. Note that with just these rules you won't be able to establish any connections; specify the traffic you allow after these rules.
# Drop new TCP connections that don't start with a SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop packets the connection tracker can't associate with any connection
iptables -A INPUT -p tcp -m state --state INVALID -j DROP
# Accept everything belonging to, or related to, an existing connection
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The purpose of PortSentry is to give an admin a heads-up that their host is being probed. We don't need a super-alert machine, just enough of a honeypot lure to gather a list of bad IPs and block them. Having your firewall script parse /etc/hosts.deny might not be a bad idea. Download the package from http://www.psionic.com/abacus/portsentry/ and:
$ make linux
$ make install
Edit portsentry.conf with the following. Replace the port values for TCP and UDP ports that you wish to monitor for in the first two lines. It is important that your firewall (ipchains/iptables/etc) does not block access to these ports, or portsentry won't be able to detect any activity on them.
# Replace with the ports you wish to monitor!
TCP_PORTS="1,2,3,4,5"
UDP_PORTS="1,2,3,4,5"
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"
RESOLVE_HOST = "1"
BLOCK_TCP="1"
KILL_ROUTE="/usr/local/sbin/iptables -I INPUT -s $TARGET$/32 -j DROP"
KILL_HOSTS_DENY="ALL: $TARGET$"
SCAN_TRIGGER="0"
Then, edit /usr/local/psionic/portsentry/portsentry.ignore and add any host you want ignored if it connects to a tripwired port. This should always contain at least localhost (127.0.0.1) and the IPs of the local interfaces. I wouldn't recommend putting in every machine IP on your network, but you can use a netmask to do this.
# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.
# Add in your own IP as well.
127.0.0.1/32
0.0.0.0
x.y.z.z/32
In your startup files, add these lines:
/usr/local/psionic/portsentry/portsentry -tcp
/usr/local/psionic/portsentry/portsentry -udp
If you have enabled the multiport match of iptables in your kernel, you can use it to open exactly the ports listed in your portsentry file. Add this line near the end of your firewall script, and repeat for UDP ports if you use those as well. It might be worth noting that multiport accepts a maximum of 15 ports per rule.
# Add this to your firewall script. $extip is assumed to hold your
# external IP address (set it earlier in the script).
TCP_PORT=`/usr/bin/egrep "^TCP_PORTS" /usr/local/psionic/portsentry/portsentry.conf | /usr/bin/sed -e "s/TCP_PORTS=//g" | /usr/bin/sed -e "s/\"//g"`
echo "Allowing portsentry for: $TCP_PORT"
iptables -A INPUT -p tcp -d $extip -m multiport --destination-port $TCP_PORT -j ACCEPT
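Because multiport stops at 15 ports, the single rule above fails as soon as TCP_PORTS is longer than that, which a default portsentry list is. The following added example (not from the original article) splits the list into groups of 15 and emits one rule per group; $extip, the config fragment and the printed rather than executed rules are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original article: the multiport match takes at
# most 15 ports, but a portsentry TCP_PORTS list is usually longer than that.
# conf_ports reads one port list out of a portsentry.conf-style file on stdin,
# and portsentry_rules emits one multiport rule per group of up to 15 ports.
# Rules are printed for review rather than executed; $extip (the external
# address) and the config fragment below are constructed for the example.
MULTIPORT_MAX=15

# Print the comma-separated list for KEY, e.g. conf_ports TCP_PORTS < portsentry.conf
conf_ports() {
    sed -n "s/^$1=\"\([0-9,]*\)\".*/\1/p" | head -n 1
}

# portsentry_rules PROTO PORTLIST EXTIP
portsentry_rules() {
    proto=$1; dst=$3; chunk=""; count=0
    for port in $(printf '%s\n' "$2" | tr ',' ' '); do
        chunk="${chunk:+$chunk,}$port"
        count=$((count + 1))
        if [ "$count" -eq "$MULTIPORT_MAX" ]; then
            echo "iptables -A INPUT -p $proto -d $dst -m multiport --destination-port $chunk -j ACCEPT"
            chunk=""; count=0
        fi
    done
    # flush the final, shorter group
    if [ -n "$chunk" ]; then
        echo "iptables -A INPUT -p $proto -d $dst -m multiport --destination-port $chunk -j ACCEPT"
    fi
}

# Constructed portsentry.conf fragment (20 TCP ports -> two rules).
SAMPLE_CONF='# trimmed, constructed config
TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540"
UDP_PORTS="1,7,9,66,67,68,69"
SCAN_TRIGGER="0"'

extip=${extip:-192.0.2.1}   # assumed: set to your external address
tcp_list=$(printf '%s\n' "$SAMPLE_CONF" | conf_ports TCP_PORTS)
echo "Allowing portsentry for: $tcp_list"
portsentry_rules tcp "$tcp_list" "$extip"
```

In the firewall script, feed the real file with `conf_ports TCP_PORTS < /usr/local/psionic/portsentry/portsentry.conf` and pipe the printed rules into sh once you are happy with them.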
Temporary filenames can be guessed, even if you append the process number to the filename. You might also want to consider making a private temp directory that is not accessible by others for your temporary files (as opposed to /tmp). Here's an example:
# This is a good, safe way to make a temporary file: mktemp creates it
# with an unpredictable name and fails if it can't do so safely
TMPFILE=`mktemp -q /tmp/tempfile.XXXXXX`
if [ $? -ne 0 ]; then
    echo "$0: Can't create temporary file!"
    exit 1
fi
# This is a bad, unsafe way to make a temporary file: the PID is guessable
TMPFILE=/tmp/tempfile.$$
To make the bash shell automatically log out after not being used for a period of time, set the variable TMOUT to the number of seconds of no input before logout. This can be particularly useful in improving security if people forget to log out or leave their terminals unattended.
$ export TMOUT=1800
This will auto logout after 1800 seconds (30 minutes).