Protecting your Linux box
mudasir
- Captain
- Posts: 565
- Joined: Tue Oct 17, 2006 5:23 am
- Location: Dubai
Post by mudasir »
AOA,
Dear Farrukh bhai and Kashif Bhai,
I have also tried the following rules:
iptables -A INPUT -i $NETWORK -p tcp --dport 20:21 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NETWORK -p tcp --dport 20:21 -m state --state NEW,RELATED -j ACCEPT
iptables -A INPUT -i $NETWORK -p tcp --dport 1024:65535 -m state --state NEW,RELATED -j ACCEPT
iptables -A INPUT -i $NETWORK -p tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $NETWORK -p tcp --dport 1024:65535 -m state --state NEW,RELATED -j ACCEPT
iptables -A FORWARD -i $NETWORK -p tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
Still no progress...
LinuxFreaK
- Site Admin
- Posts: 5132
- Joined: Fri May 02, 2003 10:24 am
- Location: Karachi
Post by LinuxFreaK »
Dear mudasir,
Salam,
Using the following rule will help you.
# iptables -I INPUT -i eth0 -s 0.0.0.0 -d 192.168.0.1 -m state --state ESTABLISHED,RELATED -j ACCEPT
Best Regards.
Farrukh Ahmed
Post by mudasir »
AOA,
Dear Farrukh bhai,
Thanks for your reply.
I will try these today, and will let you know.
Post by mudasir »
AOA,
Dear Farrukh bhai,
I tried the rule that you told me to try; still no progress.
My final script that I am using is as follows:
#!/bin/sh
###############################################
#### Firewall Script Created By ####
#### Mudasir Mirza ####
#### cool_mudasir@hotmail.com ####
#### 0092-321-2395320 ####
###############################################
#set -x
########################
## Defining Variables ##
########################
# Path to IPTABLES executable
IPT="/sbin/iptables"
# Interface Card Connected to Local Network
NETWORK="eth1"
# Interface Card Connected to Internet
INTERNET="eth0"
# Loopback Interface
LOOPBACK="lo"
# IP Addreses of Server
SERVER_IP="10.0.0.3"
# Local Network IP Range / Subnet
LOC_IP="10.0.0.0/24"
# INTERNAL Broadcast
LOC_BCAST=10.0.0.255
# IP On The Internet Interface
NET_IP="192.168.1.3/24"
# DHCP Server IP
DHCP_SERVER="10.0.0.3"
# SSH Port
SSH_PORT="22"
# FTP on the Network
FTP_IP="10.0.0.6"
# FTP Port
FTP_PORT="21"
# Primiry DNS Server
P_DNS="203.99.163.240"
# Alternate DNS Server
A_DNS="203.99.163.243"
# Path To Directory Containing MAC Addresses
MACDIR="/macs"
# Path To File Containing MAC Addresses
MACFILE="/macs/allowed.macs"
# Path To File Containging IP Addresses
IPFILE="/macs/allowed.ips"
# Location of modprobe
MOD="/sbin/modprobe"
#########################
### Flushing IPTABLES ###
#########################
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
#################################################
### Calling Required IPTABLES Modules For FTP ###
#################################################
$MOD ip_conntrack
$MOD ip_conntrack_ftp
$MOD ip_nat_ftp
########################################
### Setting Default Policies to Drop ###
########################################
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
echo Default Policies Set To Drop
####################################
### Setting Needed PROC Settings ###
####################################
echo 1 > /proc/sys/net/ipv4/ip_forward
##############################
### Setting IPTABLES Rules ###
##############################
###############################
### MAC Addresses Filtering ###
###############################
rm -f $MACDIR/mac.addresses
cat $MACFILE | awk '{ print $1 }' >> $MACDIR/mac1
cat $MACDIR/mac1 | sed "s/#.*//" > $MACDIR/mac2
cat $MACDIR/mac2 | sed "/^ /d;/^$/d;" > $MACDIR/mac.addresses
rm -f $MACDIR/mac1
rm -f $MACDIR/mac2
rm -f $MACDIR/ip.addresses
cat $IPFILE | awk '{ print $1 }' >> $MACDIR/ip1
cat $MACDIR/ip1 | sed "s/#.*//" > $MACDIR/ip2
cat $MACDIR/ip2 | sed "/^ /d;/^$/d;" > $MACDIR/ip.addresses
rm -f $MACDIR/ip1
rm -f $MACDIR/ip2
echo -----------------------------------------------
echo Marking Packets from Known MAC and IP Addresses
echo -----------------------------------------------
cat $MACDIR/mac.addresses | while read MACS
do
$IPT -t mangle -A PREROUTING -i $NETWORK -m mac --mac-source $MACS -j MARK --set-mark 1
done
$IPT -t mangle -A PREROUTING -i $NETWORK -s 10.0.0.10 -j MARK --set-mark 1
cat $MACDIR/ip.addresses | while read IPS
do
$IPT -t mangle -A PREROUTING -i $NETWORK -s $IPS -j MARK --set-mark 1
done
echo -----------------------------------------------
echo ---- MAC and IP Address Filtering Complete ----
echo -----------------------------------------------
$IPT -A INPUT -i $NETWORK -d $SERVER_IP -m mark --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $SERVER_IP -m mark ! --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-net-unreachable
#########################################
### MAC Addresses Filtering Completed ###
#########################################
#####################
### Rules for FTP ###
#####################
$IPT -A INPUT -i $NETWORK -s 0.0.0.0 -d 0.0.0.0 -p tcp --dport 20:21 -j ACCEPT
$IPT -A INPUT -i $NETWORK -s 0.0.0.0 -d 0.0.0.0 -p tcp --dport 1024:65535 -j ACCEPT
$IPT -A INPUT -i $NETWORK -p tcp -s 0/0 -d $LOC_IP --dport 20:21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $NETWORK -p tcp -s 0/0 -d $LOC_IP --dport 20:21 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $NETWORK -p tcp -s 0/0 -d $LOC_IP --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $NETWORK -p tcp -s 0/0 -d $LOC_IP --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $NETWORK -s 0.0.0.0 -d $LOC_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -o $INTERNET -p tcp --dport 21 -m mark --mark 1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $INTERNET -p tcp --dport 20 -m mark --mark 1 -j MASQUERADE
#########################
### SSH From Internet ###
#########################
$IPT -A INPUT -i $INTERNET -p tcp --dport $SSH_PORT -j ACCEPT
$IPT -A INPUT -i $INTERNET -p udp --dport $SSH_PORT -j ACCEPT
#################################################################
### Redirecting FTP Traffic Coming From Internet To LOCAL FTP ###
#################################################################
$IPT -t nat -A PREROUTING -i $INTERNET -p udp --dport 21 -j DNAT --to $FTP_IP:$FTP_PORT
$IPT -t nat -A PREROUTING -i $INTERNET -p tcp --dport 21 -j DNAT --to $FTP_IP:$FTP_PORT
################################
### Accepting Marked Packets ###
################################
$IPT -A INPUT -i $NETWORK -m mark --mark 1 -j ACCEPT
$IPT -A FORWARD -i $NETWORK -m mark --mark 1 -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -m mark --mark 1 -j ACCEPT
####################################
### Droping All Unmarked Packets ###
####################################
$IPT -A FORWARD -i $NETWORK -m mark ! --mark 1 -j DROP
$IPT -A INPUT -i $NETWORK -m mark ! --mark 1 -j DROP
########################################################
### Accepting Voice/CAM Request for Marked Packets. ###
########################################################
$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p tcp --dport 5000:5010 -j ACCEPT
$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p udp --dport 5000:5010 -j ACCEPT
$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p tcp --dport 5100 -j ACCEPT
#######################################################
### Droping Voice/CAM Traffic which is not Marked. ###
#######################################################
$IPT -t nat -A PREROUTING -i $NETWORK -m mark ! --mark 1 -p tcp --dport 5000:5010 -j DROP
$IPT -t nat -A PREROUTING -m mark ! --mark 1 -i $NETWORK -p tcp --dport 5100 -j DROP
################################
### Accepting DHCP Request. ###
################################
$IPT -A INPUT -i $NETWORK -p udp -s $DHCP_SERVER --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -p udp -s 255.255.255.255 --sport 68 -d $DHCP_SERVER --dport 67 -j ACCEPT
################################################################
### Redirecting HTTP and FTP Traffic to Squid Proxy Server. ###
################################################################
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p tcp --dport 80 -j REDIRECT --to-port 8080
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p udp --dport 80 -j REDIRECT --to-port 8080
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p tcp --dport 21 -j REDIRECT --to-port 8080
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p udp --dport 21 -j REDIRECT --to-port 8080
#################################################
### MASQUERADE All packets that are Marked. ###
#################################################
$IPT -t nat -A POSTROUTING -p all -s $LOC_IP -m mark --mark 1 -o $INTERNET -j MASQUERADE
###############################
### Rules for ICMP Protocol ###
###############################
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $P_DNS -p icmp -j ACCEPT
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $A_DNS -p icmp -j ACCEPT
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d ! $LOC_IP -p icmp --icmp-type echo-request -j DROP
#$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $SERVER_IP -m mark --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
$IPT -A INPUT -i $NETWORK -d $SERVER_IP -m mark --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $SERVER_IP -m mark ! --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-net-unreachable
$IPT -A INPUT -p icmp -s $LOC_IP -d $LOC_BCAST -j DROP
###############################################
### No Restriction for Loopback Interface ###
###############################################
$IPT -A INPUT -i $LOOPBACK -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK -j ACCEPT
########################################################################
### Droping Packets coming from internet claming to be from Network ###
########################################################################
$IPT -A INPUT -i $INTERNET -s $LOC_IP -j DROP
$IPT -A INPUT -i $INTERNET -d 127.0.0.0/8 -j DROP
$IPT -A INPUT -i $NETWORK -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -j ACCEPT
#######################################################
### Accepting Extablished and Related Connections ###
#######################################################
$IPT -I INPUT -i $NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INTERNET -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
############################################
### Droping Invalid and Unknown Packets ###
############################################
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A INPUT -i $INTERNET -m state --state INVALID -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,URG URG -j DROP
#$IPT -t nat -A PREROUTING -i $NETWORK -p tcp --syn -s $LOC_IP --dport 80 -m mark ! --mark 1 -j DROP
Still no FTP site is opening behind it... The FTP site opens on the SERVER, not on the CLIENT. By FTP site I do not mean the LOCAL FTP.
Post by LinuxFreaK »
Dear mudasir,
Salam,
Use this rule before any other rule.
$IPT -A INPUT -i $NETWORK -s 0.0.0.0 -d $LOC_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
Best Regards.
Farrukh Ahmed