ShockingAlberto
Guest
I'm trying to use netfilter to set up a firewall. I found a couple of simple scripts, and I think I can now understand iptables a bit. I mauled one of the scripts I found, however I've had some problems.
For a start IRC stops working. The script has this line:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Which I'm gathering should allow for incoming packets from hosts which I've established a connection to. However I lose connection to IRC with the script active. I've always run the script (and hence started the firewall) when I'm already connected, as I have another problem. Could it be that netfilter doesn't know that I started a connection with quakenet/gamesnet, so denies it? If I connected to IRC with the chains/rules in place would it work?
The other more important problem is that I can't seem to resolve any addresses. I'm able to access websites that Mozilla has cached the IPs for, however when I try to access sites that I haven't already been to, it gets stuck trying to resolve the address. XChat also gets stuck doing this if I connect with the rules in place. I've set the policy for INPUT to ACCEPT, so I'm guessing that the parts of the script that stop "bad" packets are blocking it. I have the IPs of my resolver servers, so can I put in a rule at the top of INPUT to allow through packets from this server? What would the line be, as I'm not sure what protocol and what port DNS servers use :/
I've tried asking in #linux.uk, but the lazy bastards ignore me. I've come to the conclusion that they're all just incredibly anti-social, it's not even like I'm some newbie who goes in there to ask questions - I'm in there over 10 hours a day!
Here's the script:
Code:
Code:
#!/bin/sh
# Defined for use in later rules; not referenced by the rules below.
WAN_IFACE="ppp0"
ANYWHERE="0/0"
IPTABLES="/sbin/iptables"
# This module may need to be loaded (connection tracking helper for FTP):
modprobe ip_conntrack_ftp
# Let's start clean and flush all chains to an empty state.
$IPTABLES -F
$IPTABLES -X
# Set the default policies of the built-in chains. If no match for any
# of the rules below, these will be the defaults that IPTABLES uses.
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
#Accept ourselves (loopback interface), 'cause we're all warm and friendly
$IPTABLES -A INPUT -i lo -j ACCEPT
#Now, our firewall chain
#We use the limit commands to cap the rate at which it alerts to 15
#log messages per minute
$IPTABLES -N firewall
$IPTABLES -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPTABLES -A firewall -j DROP
#Now, our dropwall chain, for the final catchall filter
$IPTABLES -N dropwall
$IPTABLES -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPTABLES -A dropwall -j DROP
#Our "hey, them's some bad tcp flags!" chain
$IPTABLES -N badflags
$IPTABLES -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPTABLES -A badflags -j DROP
#And our silent logging chain (drops without logging)
$IPTABLES -N silent
$IPTABLES -A silent -j DROP
#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. All of these are illegal combinations that are used to attack a box
#in various ways, so we just drop them and log them here.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
#Drop icmp, but only after letting certain types through:
# 0 = echo reply, 3 = destination unreachable, 11 = time exceeded
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# 8 = echo request (ping), rate-limited to one per second
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
#Everything else ICMP gets logged and dropped
$IPTABLES -A INPUT -p icmp -j firewall
#Lets do some basic state-matching
#This allows us to accept related and established connections, so
#client-side things like ftp work properly, for example.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Drop port 137 netbios packets silently (comment this rule out if you
#would rather see them logged by the dropwall). We don't like that
#netbios stuff, and it's way too spammy with windows machines on the
#network.
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
#Our final trap. Everything else on INPUT goes to the dropwall so we don't get silent drops
$IPTABLES -A INPUT -j dropwall
If someone here uses an iptables script, or knows where there's a good one, I wouldn't mind trying it. Also, while we're on the subject, how possible is it that someone could crack my box without a firewall? I don't think I have anything running which listens on ports besides sendmail...
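DNS answers come back as UDP (sometimes TCP) packets from source port 53, so with the script above they are either accepted by the RELATED,ESTABLISHED rule (if conntrack saw the outgoing query) or fall through to the dropwall chain, which logs them before dropping. The following is an added example, not part of the original post, that summarises what each of the script's logging chains (Firewall:, Dropwall:, Badflags:) has dropped so the blocked traffic can be identified before any extra rule is written; the function name summarize_drops and the SAMPLE_LOG lines are mine, constructed to match the kernel LOG format with documentation addresses.

```shell
#!/bin/sh
# Constructed sample of kernel LOG lines, in the format the script's LOG
# targets produce (the prefix runs straight into IN= because the script's
# --log-prefix has no trailing space). Addresses are documentation ranges.
SAMPLE_LOG='Jan  1 12:00:01 box kernel: Dropwall:IN=ppp0 OUT= MAC= SRC=192.0.2.53 DST=198.51.100.7 LEN=112 TOS=0x00 PREC=0x00 TTL=56 ID=4321 PROTO=UDP SPT=53 DPT=32771 LEN=92
Jan  1 12:00:02 box kernel: Dropwall:IN=ppp0 OUT= MAC= SRC=192.0.2.53 DST=198.51.100.7 LEN=140 TOS=0x00 PREC=0x00 TTL=56 ID=4322 PROTO=UDP SPT=53 DPT=32771 LEN=120
Jan  1 12:00:05 box kernel: Dropwall:IN=ppp0 OUT= MAC= SRC=192.0.2.66 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9 PROTO=TCP SPT=6667 DPT=1025 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Jan  1 12:00:07 box kernel: Firewall:IN=ppp0 OUT= MAC= SRC=192.0.2.9 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=240 ID=7 PROTO=ICMP TYPE=13 CODE=0
Jan  1 12:00:09 box kernel: Badflags:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=40 ID=3 PROTO=TCP SPT=12345 DPT=25 WINDOW=1024 RES=0x00 SYN FIN URGP=0'

# summarize_drops PREFIX: read kernel log lines on stdin, keep only those
# logged by the chain whose --log-prefix is PREFIX (with or without a
# trailing space), and count them by protocol, source port and destination
# port. Output is one "PROTO SPT DPT COUNT" line per combination, highest
# count first. ICMP lines carry no ports, so they show "-" in those columns.
summarize_drops() {
    prefix="$1"
    grep "kernel: .*${prefix} *IN=" | awk '{
        proto = ""; spt = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "SPT") spt = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (proto != "") count[proto " " spt " " dpt]++
    } END { for (k in count) print k, count[k] }' | sort -k4,4nr -k1,1
}

# Example run: resolver replies (UDP source port 53) showing up here means
# they never matched ESTABLISHED and fell through to the dropwall.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops "Dropwall:"
```

On a real box feed it the kernel log instead of the sample, e.g. `summarize_drops "Dropwall:" < /var/log/messages`, and run it once per prefix to see which chain is eating the traffic.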