is this a secure iptables? - Security



Thread: is this a secure iptables?

  1. is this a secure iptables?

    hi...

    i'm trying to create a centos 5.1 router that will in the future
    function as a web server and smb server, and in the meantime it
    should allow access to the local subnet, as well as 2 pcs with file share,
    emule etc..

    the thing is, i don't want to create a generic rule for all the local lan
    allowing all ports and all protocols to pass through. i'm also
    wondering about any switch about established/related stuff i should
    harden, any ideas how to improve this?

    also if i'm forwarding in/out packets of certain ports to pc's inside
    the subnet, do i have to give them access in the input/output chains as
    well?

    #!/bin/sh
    #iptables script, generated from iptables-save file

    IPT='/sbin/iptables'

    LAN_NETWORK=196.168.1.0/24
    LAN_ETH=eth0
    WAN_ETH=eth1
    INET_ETH=ppp0
    EMULE_PC=192.168.1.33
    DAD_PC=192.168.1.34

    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    $IPT -N okay
    $IPT -A okay -p tcp --syn -j ACCEPT
    $IPT -A okay -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A okay -p tcp -j DROP


    # local lan and loop back

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # ping

    $IPT -A INPUT -i $LAN_ETH -p icmp --icmp-type any -j ACCEPT


    # samba rules

    $IPT -A INPUT -p TCP -i $LAN_ETH --dport 137:139 -j ACCEPT
    $IPT -A OUTPUT -p TCP -o $LAN_ETH --sport 137:139 -j ACCEPT
    $IPT -A INPUT -p TCP -i $LAN_ETH --dport 445 -j ACCEPT
    $IPT -A OUTPUT -p TCP -o $LAN_ETH --sport 445 -j ACCEPT


    #$IPT -A INPUT -p TCP --dport 137:138 -j ACCEPT
    #$IPT -A INPUT -p TCP -m state --state NEW -m tcp --dport 139 -j ACCEPT
    #$IPT -A INPUT -p TCP -m state --state NEW -m tcp --dport 445 -j ACCEPT

    # SSH

    $IPT -A INPUT -p TCP -i $LAN_ETH --dport 22 -j ACCEPT
    $IPT -A OUTPUT -p TCP -o $LAN_ETH --sport 22 -j ACCEPT
    $IPT -A INPUT -p TCP -i ppp0 -s 0/0 --dport 22 -j okay
    $IPT -A OUTPUT -p TCP -o ppp0 -d 0/0 --sport 22 -j okay

    # TOTAL LAN FREEDOM !!

    #$IPT -A INPUT -p ALL -i $LAN_ETH -j ACCEPT
    #$IPT -A OUTPUT -p ALL -o $LAN_ETH -j ACCEPT
    #$IPT -A INPUT -p ALL -i $LAN_ETH -d 192.168.1.255 -j ACCEPT

    # ppp dialer

    $IPT -A INPUT -p ALL -i $WAN_ETH -d 172.23.128.1/255.255.224.0 -j ACCEPT
    $IPT -A OUTPUT -p ALL -s 172.23.0.0/8 -j ACCEPT

    # ISP DNS servers

    $IPT -A INPUT -p UDP -i $INET_ETH -s 212.117.129.5 --sport 53 -j ACCEPT
    $IPT -A OUTPUT -p UDP -o $INET_ETH -d 212.117.129.5 --dport 53 -j ACCEPT
    $IPT -A INPUT -p UDP -i $INET_ETH -s 212.117.128.6 --sport 53 -j ACCEPT
    $IPT -A OUTPUT -p UDP -o $INET_ETH -d 212.117.128.6 --dport 53 -j ACCEPT


    # web server from outside

    $IPT -A INPUT -p TCP -i $INET_ETH -s 0/0 --dport 80 -j okay
    $IPT -A OUTPUT -p TCP -o $INET_ETH -d 0/0 --sport 80 -j okay

    # NAT

    $IPT -t nat -A POSTROUTING -o $INET_ETH -j MASQUERADE

    #$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $LAN_ETH -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


    # EMULE
    $IPT -t nat -A PREROUTING -p TCP --dport 4662 -j DNAT --to $EMULE_PC:4662
    $IPT -A FORWARD -p TCP -i $INET_ETH -d $EMULE_PC --dport 4662 -j ACCEPT
    $IPT -t nat -A PREROUTING -p UDP --dport 4672 -j DNAT --to $EMULE_PC:4672
    $IPT -A FORWARD -p UDP -i $INET_ETH -d $EMULE_PC --dport 4672 -j ACCEPT


    # dc
    $IPT -t nat -A PREROUTING -p TCP --dport 1412 -j DNAT --to $EMULE_PC:1412
    $IPT -A FORWARD -p TCP -i $INET_ETH -d $EMULE_PC --dport 1412 -j ACCEPT
    $IPT -t nat -A PREROUTING -p UDP --dport 1412 -j DNAT --to $EMULE_PC:1412
    $IPT -A FORWARD -p UDP -i $INET_ETH -d $EMULE_PC --dport 1412 -j ACCEPT


    # bittorrent
    $IPT -t nat -A PREROUTING -p TCP --dport 6881 -j DNAT --to $EMULE_PC:6881
    $IPT -t nat -A PREROUTING -p TCP --dport 6882 -j DNAT --to $EMULE_PC:6882
    $IPT -A FORWARD -p TCP -i $INET_ETH -d $EMULE_PC --dport 6881:6882 -j ACCEPT

    $IPT -t nat -A PREROUTING -p TCP --dport 56881:56882 -j DNAT --to $EMULE_PC
    $IPT -A FORWARD -p TCP -i $INET_ETH -d $EMULE_PC --dport 56881:56882 -j ACCEPT
    $IPT -t nat -A PREROUTING -p UDP --dport 56881:56882 -j DNAT --to $EMULE_PC
    $IPT -A FORWARD -p UDP -i $INET_ETH -d $EMULE_PC --dport 56881:56882 -j ACCEPT

    $IPT -t nat -A PREROUTING -p TCP --dport 54662 -j DNAT --to $EMULE_PC
    $IPT -A FORWARD -p TCP -i $INET_ETH -d $EMULE_PC --dport 54662 -j ACCEPT
    $IPT -t nat -A PREROUTING -p UDP --dport 54672 -j DNAT --to $EMULE_PC
    $IPT -A FORWARD -p UDP -i $INET_ETH -d $EMULE_PC --dport 54672 -j ACCEPT

    $IPT -t nat -A PREROUTING -p TCP --dport 57881:57882 -j DNAT --to $DAD_PC
    $IPT -A FORWARD -p TCP -i $INET_ETH -d $DAD_PC --dport 57881:57882 -j ACCEPT
    $IPT -t nat -A PREROUTING -p UDP --dport 57881:57882 -j DNAT --to $DAD_PC
    # forward the UDP range too, matching the TCP rule above
    $IPT -A FORWARD -p UDP -i $INET_ETH -d $DAD_PC --dport 57881:57882 -j ACCEPT



  2. Re: is this a secure iptables?

    elh.maayan@gmail.com wrote:
    > hi...
    >
    > i'm trying to create a centos 5.1 router that will in the future
    > function as a web server and smb server, and in the meantime it
    > should allow access to the local subnet, as well as 2 pcs with file share,
    > emule etc..
    >
    > the thing is, i don't want to create a generic rule for all the local lan
    > allowing all ports and all protocols to pass through. i'm also
    > wondering about any switch about established/related stuff i should
    > harden, any ideas how to improve this?
    >
    > also if i'm forwarding in/out packets of certain ports to pc's inside
    > the subnet, do i have to give them access in the input/output chains as
    > well?
    >
    > [iptables script snipped; it is quoted in full in the original post above]

    if you disable netbios over tcp/ip and use windows 2000 or up
    then you can disable port 445 as well iirc

  3. Re: is this a secure iptables?

    correction: if you enable NBT over tcp/ip you can close down
    port 445 as well ...

  4. Re: is this a secure iptables?

    On Feb 20, 7:14 pm, goarilla <"kevin DOT paulus AT skynet DOT be">
    wrote:
    > correction: if you enable NBT over tcp/ip you can close down
    > port 445 as well ...


    thanks, other than that, it looks ok?

  5. Re: is this a secure iptables?

    elh.maayan@gmail.com writes:

    > On Feb 20, 7:14 pm, goarilla <"kevin DOT paulus AT skynet DOT be">
    > wrote:
    >> correction: if you enable NBT over tcp/ip you can close down
    >> port 445 as well ...

    >
    > thanks, other than that, it looks ok?


    I did not really look at your rules. But if you use connection tracking
    you might wish to drop invalid packets first (see man
    iptables). Additionally, if you don't use ipv6, disable it. If you use it
    or don't want to disable it you might wish to use ip6tables.

    The safest bet is to have only the processes listening that you really need
    (maybe bind to a specific address/localhost - check with netstat and also
    use the access restrictions provided by those processes).
    Read some more documentation (especially about connection tracking) and
    maybe take a look at what the others do; for example there are some helpers out
    there to create your rules (maybe shorewall).
    Last but not least you can use tools like nmap to test your rules.

    After a quick look at your rules:
    - I don't really understand what the intent of your "okay" chain is.
    - to detect problems it is often useful to log the packets you drop
    (maybe rate limited)
    - don't accept packets with local addresses from external interfaces
    (or generally don't accept packets with source addresses you don't
    expect on that interface)

    Hope that helps

    PS: don't overestimate the effect of firewall rules for overall security
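    The three points in this reply (drop INVALID first, rate-limited logging of what the DROP policy discards, and refusing local source addresses on the Internet interface), together with the ESTABLISHED,RELATED handling the original poster asked about, as an added example that is not code from the thread. It reuses the poster's variable names; LAN_NETWORK is assumed to be 192.168.1.0/24, and IPT defaults to a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: hardening rules from the last reply, in the OP's style.
# IPT defaults to a dry run (prints the commands); set IPT=/sbin/iptables to apply.
IPT=${IPT:-"echo /sbin/iptables"}
LAN_ETH=eth0
INET_ETH=ppp0
LAN_NETWORK=192.168.1.0/24   # assumed LAN range (the OP's own variable is unused)

# Rules that belong at the TOP of the filter chains, before any ACCEPT.
head_rules() {
    # Packets conntrack cannot classify (bad TCP flag combinations, data
    # outside the tracked window) are dropped before any ACCEPT can match them.
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A $chain -m state --state INVALID -j DROP
    done
    # Anti-spoofing: private and loopback source addresses never legitimately
    # arrive from the Internet interface, so drop them there. Only ppp0 is
    # matched, so the 172.23.x ppp dialer traffic on eth1 is unaffected.
    for net in $LAN_NETWORK 10.0.0.0/8 172.16.0.0/12 127.0.0.0/8; do
        $IPT -A INPUT   -i $INET_ETH -s $net -j DROP
        $IPT -A FORWARD -i $INET_ETH -s $net -j DROP
    done
}

# Rules that belong at the BOTTOM, after the per-service ACCEPT rules.
tail_rules() {
    # Replies to connections the router or the LAN opened. DNAT'd traffic to
    # EMULE_PC/DAD_PC only traverses FORWARD, so it needs no INPUT/OUTPUT rules.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log what is about to hit the DROP policy, rate limited so a flood
    # cannot fill syslog; the prefix makes the chain visible in the log line.
    for chain in INPUT FORWARD; do
        $IPT -A $chain -m limit --limit 5/min --limit-burst 10 \
             -j LOG --log-prefix "ipt-$chain-drop: " --log-level 4
    done
}

head_rules
# ... the OP's per-service rules (ssh, samba, DNS, web, DNAT) go here ...
tail_rules
```

    Run it as-is to review the generated commands, then with IPT=/sbin/iptables (as root) to apply them around the existing service rules.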
