IPTABLES and Firewall startup on boot
Any comments on this? Actual or potential problems? Things to keep in mind? Etc. Thanks in advance!
I block any attempts to ftp, ssh (std port) and telnet for one day. And I have a catchall at the end of the input chain that locks out anyone that attempts 10 connections that fall through to the catchall. Any comments, suggestions on this in particular?
I put this in a file called firewall.conf and call it from rc.local so the firewall can be automatically configured on Linode boot. As I understand it, there is a way to make sure it is started immediately after the network services to minimize any vulnerability. How would I do that?
Any other ideas, suggestions?
#!/bin/sh
# iptables configuration
# Insert in /etc/rc.local so that the firewall is enabled at startup
#
# KEY PARAMETERS
#
# NONSTANDARD SSH PORT
NEWSSH=XXXXX   # (insert port number for XXXXX)
# Enter the designations for the external and internal interfaces
EXTIFA="eth0"
EXTIFB="eth0:0"
INTIF="eth0:1"
# Enter the NETWORK address the Internal Interface is on
INTNET='192.168.1.0/24'
# Enter the IP address of the Internal Interface
INTIP="192.168.XX.Y"
# Static IP Addresses
EXTIPA="12.34.56.78"
EXTIPB="34.67.89.12"
# LINODE RESOLVERS
RSVRA="74.207.241.5"
RSVRB="74.207.242.5"
#
# CLEAR ANY EXISTING CONFIGURATION
iptables -F
# Flush the user chains if they exist (listing a chain fails when it does not exist)
if iptables -n -L LOGDROP >/dev/null 2>&1; then
    iptables -F LOGDROP
fi
if iptables -n -L PSCAN >/dev/null 2>&1; then
    iptables -F PSCAN
fi
# Delete all user-specified chains
iptables -X
# Reset all IPTABLES counters
iptables -Z
# Create a LOGDROP chain: log the packet, then drop it
iptables -N LOGDROP
iptables -A LOGDROP -j LOG --log-level info
iptables -A LOGDROP -j DROP
# Create a PSCAN chain FOR A SCAN THAT QUALIFIES FOR LOCKOUT
iptables -N PSCAN
iptables -A PSCAN -m recent --set --name intrusion
iptables -A PSCAN -j LOG --log-level info
iptables -A PSCAN -j DROP
# DEFAULT POLICY FOR PACKETS
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# INCOMING TRAFFIC RULES
# DROP INVALID packets
iptables -A INPUT -m state --state INVALID -j LOGDROP
# LOCAL RESOLVERS
iptables -A INPUT -i $EXTIFA -s $RSVRA -j ACCEPT
iptables -A INPUT -i $EXTIFA -s $RSVRB -j ACCEPT
iptables -A INPUT -i $EXTIFB -s $RSVRA -j ACCEPT
iptables -A INPUT -i $EXTIFB -s $RSVRB -j ACCEPT
# The loopback interface is valid
iptables -A INPUT -i lo -j ACCEPT
# Include port 22 initially; remove this rule once the non-standard ssh port $NEWSSH is tested
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# 1 DAY LOCKOUT FOR CONNECT TO FTP, SSH, OR TELNET STD PORTS OR QUALIFIED PSCAN
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name intrusion
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name intrusion
iptables -A INPUT -p tcp --dport 23 -m state --state NEW -m recent --set --name intrusion
iptables -A INPUT -m recent --update --seconds 86400 --rttl --name intrusion -j LOGDROP
# Local interface, my private IP address, going anywhere is valid
# DISABLED - AREN'T USING MY PRIVATE IP ADDRESS
#iptables -A INPUT -i $INTIF -s $INTNET -j ACCEPT
# Remote interfaces claiming to be local machines (IP spoofing): reject
iptables -A INPUT -i $EXTIFA -s $INTNET -j LOGDROP
iptables -A INPUT -i $EXTIFB -s $INTNET -j LOGDROP
# Outgoing to the local net on remote interfaces (stuffed routing): deny
iptables -A OUTPUT -o $EXTIFA -d $INTNET -j LOGDROP
iptables -A OUTPUT -o $EXTIFB -d $INTNET -j LOGDROP
# NON-STANDARD SSH PORT
iptables -A INPUT -p tcp -m tcp --dport $NEWSSH -j ACCEPT
# Accept established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept www including ssl connections
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Accept smtp and secure smtp
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
# Network Time Protocol to synchronize time
iptables -A INPUT -p udp -m udp --dport 123 -j ACCEPT
# Internet Control Message Protocol including pings
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Can add this section when telephony apps are installed
# For SIP
#iptables -A INPUT -p udp -m udp --dport 5059:5061 -j ACCEPT
# For Asterisk 4569 and 5036
#iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
#iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
# Port for telephony and video conferencing apps
#iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT
# CATCHALL - 10 OR MORE UNAUTHORIZED CONNECTION ATTEMPTS IN 1 HOUR, PROBABLY AN INTRUDER SCAN -> 1 DAY LOCKOUT
iptables -A INPUT -m state --state NEW -m recent --set --name portscan
iptables -A INPUT -m state --state NEW -m recent --update --seconds 3600 --hitcount 10 --name portscan -j PSCAN
iptables -A INPUT -j LOGDROP
# List the rules and print them in iptables-save form
iptables -n -L
iptables-save
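As an added illustration (this is not the poster's script), the following Python models how the two "recent" lists in that ruleset behave over a constructed sequence of NEW TCP connection attempts, assuming the temporary port-22 ACCEPT has already been removed and covering only the bait ports, a few ACCEPTed ports and the catchall. It shows the 10th stray attempt within an hour promoting a source to the one-day list, and, because --update refreshes the timestamp on every match, a listed host that keeps probing extending its own lockout until it has been quiet for a full day.

```python
from collections import defaultdict

HITCOUNT, WINDOW, LOCKOUT = 10, 3600, 86400  # catchall --hitcount/--seconds, intrusion --seconds
BAIT_PORTS = {21, 22, 23}        # a NEW connect to ftp/ssh/telnet std ports lists the source on 'intrusion'
OPEN_PORTS = {25, 80, 443, 465}  # TCP services the ruleset ACCEPTs (assumes the port-22 ACCEPT is gone)

class RecentList:
    """One xt_recent table (one per --name): source address -> hit timestamps."""
    def __init__(self):
        self.hits = defaultdict(list)

    def set(self, src, now):
        # --set: (re)list the source and record a hit; it never matches, so the rule falls through
        self.hits[src].append(now)

    def update(self, src, now, seconds, hitcount=1):
        # --update --seconds S [--hitcount H]: match when src is listed, last seen within S
        # seconds and with >= H hits in that window; a match refreshes last-seen, so a listed
        # host that keeps probing extends its own lockout (--rcheck would not refresh).
        stamps = self.hits.get(src)
        if not stamps or now - stamps[-1] > seconds:
            return False
        if sum(1 for t in stamps if now - t <= seconds) < hitcount:
            return False
        stamps.append(now)
        return True

def run_firewall(events):
    """events: constructed (time, src, dport) NEW TCP attempts; returns one verdict per attempt."""
    intrusion, portscan, verdicts = RecentList(), RecentList(), []
    for now, src, dport in sorted(events):
        if dport in BAIT_PORTS:
            intrusion.set(src, now)                        # 1-day lockout starts (or restarts)
        if intrusion.update(src, now, LOCKOUT):            # anything from a listed source: LOGDROP
            verdicts.append("LOGDROP:intrusion")
        elif dport in OPEN_PORTS:
            verdicts.append("ACCEPT")
        else:                                              # catchall: count stray NEW attempts
            portscan.set(src, now)
            if portscan.update(src, now, WINDOW, HITCOUNT):  # 10th stray attempt inside an hour
                intrusion.set(src, now)                    # PSCAN chain promotes to the 1-day list
                verdicts.append("PSCAN")
            else:
                verdicts.append("LOGDROP:catchall")
    return verdicts

# Constructed traffic: a web client, a telnet prober that keeps returning, and a 10-port scanner.
SAMPLE = [(0, "198.51.100.7", 80), (10, "203.0.113.5", 23), (20, "203.0.113.5", 80),
          (86000, "203.0.113.5", 443), (172000, "203.0.113.5", 443), (258401, "203.0.113.5", 443)]
SAMPLE += [(100 + i, "192.0.2.9", 1000 + i) for i in range(10)] + [(200, "192.0.2.9", 80)]
```

One module limit the model leaves out: xt_recent keeps at most ip_pkt_list_tot timestamps per address (20 by default), so a --hitcount above that value never matches unless the module parameter is raised.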