IPTABLES and Firewall startup on boot

I took a stab at writing my own firewall script using iptables, based on code snippets here and there on the internet and some ideas of my own. My linode is mostly a hobby/learning tool with several small websites; I may use phplist, asterisk, wordpress or drupal on some of them. I am running Debian Squeeze.

Any comments on this? Actual or potential problems? Things to keep in mind? Etc. Thanks in advance!

I block any attempts to ftp, ssh (std port) and telnet for one day. And I have a catchall at the end of the input chain that locks out anyone that attempts 10 connections that fall through to the catchall. Any comments, suggestions on this in particular?

I put this in a file called firewall.conf and call it from rc.local so the firewall can be automatically configured on linode boot. As I understand it, there is a way to make sure it is started immediately after the network services to minimize any vulnerability. How would I do that?

Any other ideas, suggestions?

```sh
#!/bin/sh
# iptables configuration
# Insert in /etc/rc.local so that the firewall is enabled at startup

# KEY PARAMETERS

# NONSTANDARD SSH PORT
NEWSSH=XXXXX            # insert your non-standard ssh port number for XXXXX

# Enter the designation for the Internal Interfaces
# NOTE: "eth0:0" and "eth0:1" are IP alias labels, not real interfaces, so
# -i/-o matches on EXTIFB and INTIF never fire; packets arrive on eth0.
EXTIFA="eth0"
EXTIFB="eth0:0"
INTIF="eth0:1"

# Enter the NETWORK address the Internal Interface is on
INTNET='192.168.1.0/24'

# Enter the IP address of the Internal Interface
INTIP="192.168.XX.Y"

# Static IP Addresses
EXTIPA="12.34.56.78"
EXTIPB="34.67.89.12"

# LINODE RESOLVERS
RSVRA="74.207.241.5"
RSVRB="74.207.242.5"

# CLEAR ANY EXISTING CONFIGURATION
iptables -F

# Flush the user chains, if they exist. The chain created below is LOGDROP
# (the original tested for DROPLOG). Testing a quoted string, as in
# [ "iptables -L | grep X" ], is always true; list the chain itself instead.
if iptables -n -L LOGDROP >/dev/null 2>&1; then
    iptables -F LOGDROP
fi
if iptables -n -L PSCAN >/dev/null 2>&1; then
    iptables -F PSCAN
fi

# Delete all user-specified chains
iptables -X

# Reset all IPTABLES counters
iptables -Z

# Creating a LOGDROP chain: log the packet, then drop it
iptables -N LOGDROP
iptables -A LOGDROP -j LOG --log-level info
iptables -A LOGDROP -j DROP

# Creating a PSCAN chain FOR SCAN THAT QUALIFIES FOR LOCKOUT
# (adds the source to the "intrusion" list, so the 1 day lockout rule below
# drops everything it sends from then on)
iptables -N PSCAN
iptables -A PSCAN -m recent --set --name intrusion
iptables -A PSCAN -j LOG --log-level info
iptables -A PSCAN -j DROP

# DEFAULT POLICY FOR PACKETS
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# INCOMING TRAFFIC RULES

# DROP INVALID packets
iptables -A INPUT -m state --state INVALID -j LOGDROP

# LOCAL RESOLVER (replies are also covered by the ESTABLISHED,RELATED rule below)
iptables -A INPUT -i $EXTIFA -s $RSVRA -j ACCEPT
iptables -A INPUT -i $EXTIFA -s $RSVRB -j ACCEPT
iptables -A INPUT -i $EXTIFB -s $RSVRA -j ACCEPT
iptables -A INPUT -i $EXTIFB -s $RSVRB -j ACCEPT

# loopback interfaces are valid.
iptables -A INPUT -i lo -j ACCEPT

# Include port 22 initially and drop after non-standard ssh port nnnnn is tested
# NOTE: while this rule is in place the port 22 lockout rule below never fires,
# because port 22 packets are accepted here first.
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# 1 DAY LOCKOUT FOR CONNECT TO FTP, SSH, OR TELNET STD PORTS OR QUALIFIED PSCAN
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name intrusion
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name intrusion
iptables -A INPUT -p tcp --dport 23 -m state --state NEW -m recent --set --name intrusion
iptables -A INPUT -m recent --update --seconds 86400 --rttl --name intrusion -j LOGDROP

# local interface, my private ip address, going anywhere is valid
# DISABLED - AREN'T USING MY PRIVATE IP ADDRESS
# iptables -A INPUT -i $INTIF -s $INTNET -j ACCEPT

# remote interfaces, claiming to be local machines, IP spoofing, reject it
iptables -A INPUT -i $EXTIFA -s $INTNET -j LOGDROP
iptables -A INPUT -i $EXTIFB -s $INTNET -j LOGDROP

# outgoing to local net on remote interfaces, stuffed routing, deny
iptables -A OUTPUT -o $EXTIFA -d $INTNET -j LOGDROP
iptables -A OUTPUT -o $EXTIFB -d $INTNET -j LOGDROP

# NON-STANDARD SSH PORT
iptables -A INPUT -p tcp -m tcp --dport $NEWSSH -j ACCEPT

# Accept established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept www including ssl connections
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# Accept smtp and secure smtp
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

# Network Time Protocol to synchronize time
iptables -A INPUT -p udp -m udp --dport 123 -j ACCEPT

# Internet Control Message Protocol including pings
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Can add this section when telephony apps are installed (left commented out
# until then, so the ports stay closed)
# For SIP
# iptables -A INPUT -p udp -m udp --dport 5059:5061 -j ACCEPT
# For Asterisk 4569 and 5036
# iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
# Port for telephony and video conferencing apps
# iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT

# CATCHALL - >10 UNAUTHORIZED CONNECTION ATTEMPTS IN 1 HOUR PROBABLY AN INTRUDER SCAN -> 1 DAY LOCKOUT
iptables -A INPUT -m state --state NEW -m recent --set --name portscan
iptables -A INPUT -m state --state NEW -m recent --update --seconds 3600 --hitcount 10 --name portscan -j PSCAN
iptables -A INPUT -j LOGDROP

# List the rules and print the ruleset. iptables-save only writes to stdout;
# it does not persist anything by itself (rc.local re-runs this script on boot).
iptables -L
iptables-save
```
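One way to answer the "start it right after networking" question, as an added example that is not part of the original post: on Debian, ifupdown runs every executable in /etc/network/if-pre-up.d before it configures an interface, so a hook there that runs `iptables-restore` loads the saved ruleset before eth0 has an address, closing the window that rc.local (which runs last) leaves open. The rules file path and hook directory below are assumptions; the rules file is produced once, by hand, with `iptables-save > /etc/iptables.rules` after the script above has been tested.

```shell
#!/bin/sh
# Added example (not from the original post): install an ifupdown pre-up hook
# that restores a saved iptables ruleset before any interface comes up.
# RULES_FILE and HOOK_DIR are assumed locations; override them in the environment.

RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"        # assumed: output of iptables-save
HOOK_DIR="${HOOK_DIR:-/etc/network/if-pre-up.d}"       # Debian ifupdown pre-up hook dir

# Write the hook script into $1 (default $HOOK_DIR), restoring the rules in $2
# (default $RULES_FILE). Prints the hook path and returns 0 on success.
install_firewall_hook() {
    dir="${1:-$HOOK_DIR}"
    rules="${2:-$RULES_FILE}"
    hook="$dir/iptables"
    mkdir -p "$dir" || return 1
    # Unquoted EOF: $rules is expanded now, \$IFACE stays literal for run time.
    cat > "$hook" <<EOF
#!/bin/sh
# Restore the saved iptables rules before ifup configures \$IFACE.
# ifupdown runs this once per interface; iptables-restore replaces the whole
# table atomically, so running it more than once is harmless.
if [ -r "$rules" ]; then
    iptables-restore < "$rules"
else
    echo "iptables hook: rules file $rules missing, firewall NOT loaded" >&2
fi
exit 0
EOF
    chmod 0755 "$hook" || return 1
    printf '%s\n' "$hook"
}

# Sanity check for an installed hook: executable, and it actually calls
# iptables-restore (a hook without that call would silently load nothing).
hook_is_valid() {
    [ -x "$1" ] && grep -q 'iptables-restore' "$1"
}

# Usage (as root):  install_firewall_hook && hook_is_valid /etc/network/if-pre-up.d/iptables
```

The hook exits 0 even when the rules file is missing so that a misplaced file cannot leave the machine without networking, which on a remote linode would lock you out entirely; the warning goes to stderr, which ifupdown forwards to the boot log, so the condition is still visible.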
