Setup a server in FW

This firewall script is meant for a web/FTP server directly connected to the Internet.
We stay in the « easiest » iptables mode: the nat and mangle tables are left untouched (default ACCEPT policies, no rules).
Please comment if you have any suggestion!

Here is my /etc/sysconfig/iptables (don't forget to replace « VOTRE_IP_PUBLIQUE » with your outgoing IP address everywhere it appears):

# Mangle and NAT don't matter here: default ACCEPT policies and no rules
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed

# Default policies
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Create separate chains for ICMP, TCP and UDP to traverse
:allowed - [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
:icmp_packets - [0:0]
:bad_tcp_packets - [0:0]
:SPOOFED - [0:0]
:test_manu - [0:0]

# Reject bad TCP packets: a NEW connection must start with a plain SYN
-A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
-A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed chain: accept new (SYN) and established connections, drop anything else
-A allowed -p TCP --syn -j ACCEPT
-A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A allowed -p TCP -j DROP

# TCP rules:
# Allow a few TCP ports (auth, web, ftp, smtp and the 60000-60200 range)
# BE CAREFUL: the SSH port is not allowed here
-A tcp_packets -p TCP -s 0/0 --dport auth -j allowed
-A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
-A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
-A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
-A tcp_packets -p TCP -s 0/0 --dport 60000:60200 -j allowed

# Don't close sessions that are already open, especially those opened through port knocking
# (--comment needs the comment match to be loaded with -m comment, otherwise iptables-restore rejects the rule)
-A tcp_packets -p TCP -s 0/0 --dport 9912 -m state --state ESTABLISHED -m comment --comment "Pour Webmin" -j allowed
-A tcp_packets -p TCP -s 0/0 --dport 14213 -m state --state ESTABLISHED -m comment --comment "Pour ssh" -j allowed

# ICMP echo request (type 8) and time exceeded (type 11) are allowed
-A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
-A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Spoof protection first: drop packets arriving on eth0 with a private or link-local source address.
# The SPOOFED chain is defined at the end of this file; jumping to it here, before any ACCEPT,
# is what makes it effective (appended after the LOG rule it would only ever see packets the DROP policy already discards)
-A INPUT -i eth0 -j SPOOFED

# Bad TCP packets refused
-A INPUT -p tcp -j bad_tcp_packets

# Allow local requests
-A INPUT -p ALL -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -p ALL -s VOTRE_IP_PUBLIQUE -i lo -j ACCEPT

# Rules for requests coming from the Internet
-A INPUT -p ALL -d VOTRE_IP_PUBLIQUE -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p TCP -i eth0 -j tcp_packets
-A INPUT -p UDP -i eth0 -j udp_packets
-A INPUT -p ICMP -i eth0 -j icmp_packets

# Log unmatched INPUT packets (rate limited); the DROP policy then applies
-A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

# FORWARD chain (policy DROP above)
-A FORWARD -p tcp -j bad_tcp_packets
-A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

# Flood protection: at most one forwarded TCP SYN / UDP packet per second is accepted
-A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
-A FORWARD -p udp -m limit --limit 1/second -j ACCEPT

# Rules to determine which IPs are allowed out
-A OUTPUT -p tcp -j bad_tcp_packets
-A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
-A OUTPUT -p ALL -s VOTRE_IP_PUBLIQUE -j ACCEPT

# Log unmatched OUTPUT packets (rate limited)
-A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# Spoof protection chain (reached from the top of INPUT)
# 169.254.0.0/16 is the link-local range
#-A SPOOFED -s 127.0.0.0/8 -j DROP
-A SPOOFED -s 169.254.0.0/16 -j DROP
-A SPOOFED -s 172.16.0.0/12 -j DROP
-A SPOOFED -s 192.168.0.0/16 -j DROP
-A SPOOFED -s 10.0.0.0/8 -j DROP

COMMIT
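As an added example (not part of the original post, and not the author's code), the following Python script lints a file in this iptables-restore format before it is loaded. It flags an unreplaced VOTRE_IP_PUBLIQUE placeholder, a jump to a chain that is not declared in its table, and a --comment used without -m comment, and it lists the destination ports from which a packet can reach an ACCEPT verdict, so you can confirm that only the ports you meant to expose (and, as the post warns, not SSH) are reachable. The embedded SAMPLE is a constructed, shortened variant of the ruleset above with two defects planted on purpose; the chain names mirror the post's, the function names are mine.

```python
"""Lint a ruleset in iptables-save/-restore format before loading it (added example, not the
post's own code): flags an unreplaced VOTRE_IP_PUBLIQUE placeholder, jumps to undeclared chains
and --comment used without -m comment, and lists the destination ports that can reach ACCEPT."""
import re
import shlex

BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "QUEUE", "SNAT", "DNAT",
                   "MASQUERADE", "REDIRECT", "MARK"}
CHAIN_FLAGS = ("-A", "--append", "-I", "--insert")
JUMP_FLAGS = ("-j", "--jump", "-g", "--goto")

def parse_ruleset(text):
    """Return {table: {"chains": {name: policy}, "rules": [(lineno, tokens), ...]}}."""
    tables, table = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                        # *filter, *nat, *mangle
            table = line[1:]
            tables[table] = {"chains": {}, "rules": []}
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):                      # :CHAIN POLICY [packets:bytes]
            name, policy = line[1:].split()[:2]
            tables[table]["chains"][name] = policy
        else:                                           # -A CHAIN <matches> -j TARGET
            tables[table]["rules"].append((lineno, shlex.split(line)))
    return tables

def option_value(tok, flags):
    """Value following the first token found in `flags`, or None."""
    for i, t in enumerate(tok[:-1]):
        if t in flags:
            return tok[i + 1]
    return None

def lint(text, placeholder="VOTRE_IP_PUBLIQUE"):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if placeholder in text:
        findings.append(f"placeholder {placeholder} still present; replace it with the public IP")
    for tname, table in parse_ruleset(text).items():
        known = set(table["chains"]) | BUILTIN_TARGETS
        for lineno, tok in table["rules"]:
            target = option_value(tok, JUMP_FLAGS)
            if target and target not in known:
                findings.append(f"line {lineno}: jump to undeclared chain/target {target} in {tname}")
            modules = {tok[i + 1] for i, t in enumerate(tok[:-1]) if t in ("-m", "--match")}
            if "--comment" in tok and "comment" not in modules:
                findings.append(f"line {lineno}: --comment used without '-m comment'")
    return findings

def port_key(spec):
    """Sort key: numeric ports (and ranges such as 60000:60200) first, then service names."""
    m = re.match(r"\d+", spec)
    return (0, int(m.group())) if m else (1, spec)

def exposed_ports(text, table="filter"):
    """Sorted (protocol, dport) pairs of rules whose target can reach an ACCEPT verdict."""
    rules = parse_ruleset(text)[table]["rules"]
    acc, changed = set(), True                          # chains from which ACCEPT is reachable
    while changed:                                      # fixpoint over -j targets
        changed = False
        for _, tok in rules:
            chain, target = option_value(tok, CHAIN_FLAGS), option_value(tok, JUMP_FLAGS)
            if chain not in acc and (target == "ACCEPT" or target in acc):
                acc.add(chain)
                changed = True
    found = set()
    for _, tok in rules:
        target = option_value(tok, JUMP_FLAGS)
        dport = option_value(tok, ("--dport", "--destination-port"))
        if dport and (target == "ACCEPT" or target in acc):
            found.add(((option_value(tok, ("-p", "--protocol")) or "any").lower(), dport))
    return sorted(found, key=lambda p: (p[0], port_key(p[1])))

# Constructed sample: shortened variant of the post's ruleset with two planted defects
# (--comment without -m comment, and a jump to the undeclared chain udp_packets).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:allowed - [0:0]
:tcp_packets - [0:0]
-A allowed -p tcp --syn -j ACCEPT
-A allowed -p tcp -j DROP
-A tcp_packets -p tcp --dport 80 -j allowed
-A tcp_packets -p tcp --dport 21 -j allowed
-A tcp_packets -p tcp --dport 9912 -m state --state ESTABLISHED -j allowed --comment "Pour Webmin"
-A INPUT -d VOTRE_IP_PUBLIQUE -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -i eth0 -j tcp_packets
-A INPUT -p udp -i eth0 -j udp_packets
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "IPT INPUT packet died: "
COMMIT
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("finding:", finding)
    print("ports from which ACCEPT is reachable:", exposed_ports(SAMPLE))
```

Running the file prints the three findings for SAMPLE and the port list [('tcp', '21'), ('tcp', '80'), ('tcp', '9912')]. To check the real file, read /etc/sysconfig/iptables into a string and pass it to lint() and exposed_ports(). The script only understands the save format; it is not a replacement for `iptables-restore --test`, which parses the file with the real iptables and catches anything this linter does not model.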

This entry was posted in Linux.

One response to Setup a server in FW

  1. Pingback: Port Knocking Configuration : Vargas Emmanuel Weblog
