I have been trying to get a basic packet filter firewall using iptables. After reading a bit I have more questions than answers.
viewtopic.php?f=157&t=216978&hilit=iptables&start=20
this discussion seems to be about packet filters vs application fire walls (is ufw an application fire wall? can you use iptables and ufw together?)
here is my script so far:
Code: Select all
#! /bin/sh
# init.d/localfw
#
# System startup script for local packet filters
# (NOT an actual firewall)
#
### BEGIN INIT INFO
# Provides: localfw
# Required-Start: $networking $syslog
# Required-Stop: $networking $syslog
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Short-Description: Example initscript
# Description: Start localfw to add some basic protections for host
### END INIT INFO
#
# Author: tehbrozor (using help)
IPTABLES=/sbin/iptables
test -x $IPTABLES || exit 5
#IP_LOCAL=192.168.42.110 #Way too fetch local ip? or update for DHCP?
case "$1" in
start)
echo -n "Loading host packet filters"
#Load kernel modules
modprobe ip_tables
modprobe ip_conntrack
# Flush active rules and custom chains
$IPTABLES --flush
$IPTABLES --delete-chain
# set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT #for now.. focus on inbound- come back to authorize only desired outgoing packets
# local processes only ought to be using loopback interface anyways
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#authorized packets ought to conform to basic rules
$IPTABLES -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s 255.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s 0.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
# actual local traffic won't come from local ip- but local loopback
#$IPTABLES -A INPUT -s $IP_LOCAL -j LOG --log-prefix "Spoofed source IP"
#$IPTABLES -A INPUT -s $IP_LOCAL -j DROP
#inbound tcp sessions ought to start with SYN packet
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan attempt?"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# INBOUND POLICY----------------------------------
# packets that enter our network interface from network and are addressed to this host
#accept inbound packets that are part of ongoing connections
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#accept DNS access
$IPTABLES -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
# Log and DROP anything that doesn't match our INBOUND POLICY---
$IPTABLES -A INPUT -j LOG --log-prefix "Dropped by default (INPUT):"
$IPTABLES -A INPUT -j DROP
# OUTBOUND POLICY---------------------------------
#To dos: (right now its accept policy but later...)
# 1) approve established connections
# 2) limit outbound ping for admin testing only
# 3) allow outbound DNS queries
# 4) govern ability to initiate connections to services that I use, when I use them
# 5) log and drop anything else
# FORWARD POLICY----------------------------------
$IPTABLES -A FORWARD -j LOG --log-prefix "Attempted FORWARD? Dropped by default:"
$IPTABLES -A FORWARD -j DROP
;;
#Unload packet filters for testing (Dont do when connected to network! (if you can help it :/))
#
wide_open)
echo -n "DANGER!! Unloading host's packet filter!"
$IPTABLES --flush
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
;;
stop)
echo -n "Batten-down the hatches! packet filter stopping"
$IPTABLES --flush
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
;;
status)
echo "using iptables to check packet filter status..."
$IPTABLES --line-numbers -vn --list
;;
*)
echo "Usage: $0 {start|stop|wide_open|status}"
exit 1
;;
esac
http://www.linuxquestions.org/questions ... pt-189039/
in that thread I see that you must allow tcp connections on the ports being used: 80, 81 and any other ports used for http (I had found some more, but seem to have lost those posts). What I dont get is this.. If I've approved any established or related (it is OR right?) inbound packets and my outbound policy is accept (for now) why isn't the script working as is?
the iptables man pages did say established connections must have two way traffic to be established, but isn't a returning http packet related to my connection requests? Any help or a pointing in the right direction would be appreciated!
(I'm running LMDE 2 Betsy- Thank you!)