Firewall with iptables (netfilter)?


ShockingAlberto

Guest
I'm trying to use netfilter to set up a firewall. I found a couple of simple scripts, and I think I can now understand iptables a bit. I mauled one of the scripts I found; however, I've had some problems.

For a start, IRC stops working. The script has this line:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Which I'm gathering should allow incoming packets from hosts I've established a connection to. However, I lose connection to IRC with the script active. I've always run the script (and hence started the firewall) when I'm already connected, as I have another problem. Could it be that netfilter doesn't know that I started a connection with quakenet/gamesnet, so denies it? If I connected to IRC with the chains/rules in place, would it work?

The other, more important, problem is that I can't seem to resolve any addresses. I'm able to access websites that Mozilla has cached the IPs for; however, when I try to access sites that I haven't already been to, it gets stuck trying to resolve the address. XChat also gets stuck doing this if I connect with the rules in place. I've set the policy for INPUT to ACCEPT, so I'm guessing that the parts of the script that stop ``bad'' packets are blocking it. I have the IPs of my resolver servers, so can I put in a rule at the top of INPUT to allow through packets from these servers? What would the line be, as I'm not sure what protocol and what port DNS servers use :/

I've tried asking in #linux.uk, but the lazy bastards ignore me. I've come to the conclusion that they're all just incredibly anti-social; it's not even like I'm some newbie who goes in there to ask questions - I'm in there over 10 hours a day!

Here's the script:
Code:
#!/bin/sh
WAN_IFACE="ppp0"
ANYWHERE="0/0"
IPTABLES="/sbin/iptables"

# This module may need to be loaded:
modprobe ip_conntrack_ftp

# Let's start clean and flush all chains to an empty state.
iptables -F
iptables -X

# Set the default policies of the built-in chains. If no match for any 
# of the rules below, these will be the defaults that IPTABLES uses.
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT

#Accept ourselves (loopback interface), 'cause we're all warm and friendly
$IPTABLES -A INPUT -i lo -j ACCEPT

#Now, our firewall chain
#We use the limit commands to cap the rate at which it alerts to 15
#log messages per minute
$IPTABLES -N firewall
$IPTABLES -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPTABLES -A firewall -j DROP

#Now, our dropwall chain, for the final catchall filter
$IPTABLES -N dropwall
$IPTABLES -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPTABLES -A dropwall -j DROP

#Our "hey, them's some bad tcp flags!" chain
$IPTABLES -N badflags
$IPTABLES -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPTABLES -A badflags -j DROP

#And our silent logging chain
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. All of these are illegal combinations that are used to attack a box
#in various ways, so we just drop them and log them here.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

#Drop icmp, but only after letting certain types through
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewall

#Lets do some basic state-matching
#This allows us to accept related and established connections, so
#client-side things like ftp work properly, for example.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Uncomment to drop port 137 netbios packets silently. We don't like
#that netbios stuff, and it's #way too spammy with windows machines on
#the network.
#
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent

#Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
$IPTABLES -A INPUT -j dropwall

If someone here uses an iptables script, or knows where there's a good one, I wouldn't mind trying it. Also, while we're on the subject, how possible is it that someone could crack my box without a firewall? I don't think I have anything running which listens on ports besides sendmail...
 

ShockingAlberto

Guest
And if it makes it easier to see what's happening (it does for me):
Code:
[root@celia root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
badflags   tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG 
badflags   tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
badflags   tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG 
badflags   tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
badflags   tcp  --  anywhere             anywhere           tcp flags:SYN,RST/SYN,RST 
badflags   tcp  --  anywhere             anywhere           tcp flags:FIN,SYN/FIN,SYN 
ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply 
ACCEPT     icmp --  anywhere             anywhere           icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded 
firewall   icmp --  anywhere             anywhere           
silent     udp  --  anywhere             anywhere           udp spt:netbios-ns dpt:netbios-ns 
dropwall   all  --  anywhere             anywhere           

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain badflags (6 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           

Chain dropwall (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           

Chain firewall (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           

Chain silent (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere
 

Testin da Cable

Guest
Some things, dude:
Your script isn't consistent IMO. iptables should be replaced by $IPTABLES everywhere, or nowhere, depending on your $PATH.
IIRC, the second you start your fw, everything you did before that is ignored. The start of the fw is its 'epoch', and netfilter couldn't care less how many connex you built before that time.
Your reference to "lo" as in localhost will only work if your /etc/hosts file has 127.0.0.1 aliased to 'lo'.
IRC servers are sometimes started with a need to ident j00, thus if your fw blocks the ident port the connex will either fail or time out.
I explicitly allow connections to my DNS servers on udp#53 [you only need tcp#53 if you're going to do zone xfers and stuff] in a special DNS chain like you mentioned; you might want to try that.

As to your crackability, heh: look at your /etc/inetd.conf file and comment out everything you're not using. In fact, don't run stuff you don't really need [TdC's golden rule]. Run netstat -a, look for stuff you have listening, and think about it. If you feel you need to run sendmail, make sure you configure it well so that it's not an open relay [spammers' paradise] that peeps can use as a spam portal. Remember that if you're not running stuff, you can't be cracked. Oh yeah, turn off your telnet server in inetd after you install a nice standalone SSH server. Stuff like that makes TdC happy :)
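An added example, not the original poster's script and not code from anyone in the thread: a rework of the ruleset along the lines of the reply above (state matching covering the DNS question from the first post, an explicit answer for the ident probe, loopback by interface name), written as a generator for iptables-restore so the whole table is loaded in one atomic step. Assumed values: the interface name ppp0 from the posted script, two placeholder resolver addresses from the RFC 5737 documentation range (192.0.2.53 and 198.51.100.53), and a kernel that has the state and limit matches built (the last post in the thread found those were missing).

```shell
#!/bin/sh
# Added example, not the script from the thread: generate the ruleset in
# iptables-restore format so the whole table is loaded atomically.
# Assumed values: WAN_IFACE is the ppp0 interface from the thread; the
# resolver addresses are RFC 5737 documentation placeholders.
set -eu

WAN_IFACE="${WAN_IFACE:-ppp0}"
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 198.51.100.53}"
LOGRATE="15/minute"

emit() { printf '%s\n' "$*"; }

# A user chain that logs (rate-limited, so a flood cannot fill the disk) then drops.
log_drop_chain() {
    emit "-A $1 -m limit --limit $LOGRATE -j LOG --log-prefix \"$2: \""
    emit "-A $1 -j DROP"
}

build_ruleset() {
    emit '*filter'
    # Policy DROP on INPUT: if loading fails or a rule is mistyped, nothing is left open.
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit ':badflags - [0:0]'
    emit ':dropwall - [0:0]'
    log_drop_chain badflags Badflags
    log_drop_chain dropwall Dropwall

    # "lo" is the interface name; no /etc/hosts entry is involved.
    emit '-A INPUT -i lo -j ACCEPT'
    # Packets conntrack cannot tie to any connection (out-of-window, bogus flags).
    emit '-A INPUT -m state --state INVALID -j DROP'
    for flags in 'ALL FIN,URG,PSH' 'ALL ALL' 'ALL SYN,RST,ACK,FIN,URG' 'ALL NONE' \
                 'SYN,RST SYN,RST' 'SYN,FIN SYN,FIN'; do
        emit "-A INPUT -p tcp --tcp-flags $flags -j badflags"
    done
    # Replies to anything this host started: DNS answers (conntrack tracks UDP too),
    # HTTP, IRC. This rule is why port 53 and port 80 need no separate holes.
    emit '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # Fallback for a kernel without the state match: answers from the configured
    # resolvers only. Never widen this to "any source port 53": anyone can send from 53.
    for dns in $DNS_SERVERS; do
        emit "-A INPUT -i $WAN_IFACE -p udp -s $dns --sport 53 -j ACCEPT"
    done
    # IRC servers probe ident (113/tcp) on connect. A TCP reset makes the probe fail
    # at once; a silent DROP makes the server wait for its timeout before letting you in.
    emit "-A INPUT -i $WAN_IFACE -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
    # ICMP: replies and errors are needed for working TCP/UDP; echo requests rate-limited.
    for t in echo-reply destination-unreachable time-exceeded; do
        emit "-A INPUT -p icmp --icmp-type $t -j ACCEPT"
    done
    emit '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT'
    # NetBIOS name-service chatter is dropped without logging; it is too noisy to keep.
    emit '-A INPUT -p udp --sport 137 --dport 137 -j DROP'
    # Everything else: log (rate-limited) and drop.
    emit '-A INPUT -j dropwall'
    emit 'COMMIT'
}

# 1-based line of the first rule matching a pattern in the generated file, 0 if none.
rule_line() {
    n=$(build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

case "${1:-}" in
    --apply) build_ruleset | iptables-restore ;;   # all rules take effect together, or none
    *)       build_ruleset ;;                      # dry run: print the file for review
esac
```

Run it with no arguments to print the table for review and with --apply to load it. Loading through iptables-restore also changes how the missing-module problem from later in the thread shows up: with a per-rule script, an `-m state` rule the kernel cannot satisfy simply fails to be appended and the rest of the script carries on, so replies fall through to the final drop and it looks as if "the state line isn't doing anything"; with a restore file the whole load is refused and the error names the rule. After loading, `iptables -L -v -n` shows per-rule packet counters, which is the quickest way to see whether a rule is matching at all.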
 

ShockingAlberto

Guest
I tidied it up to always use $IPTABLES rather than rely on the path, and I changed `lo' to `loop0', which was in /dev, so I guess that's my loopback interface.

I enabled input from my DNS servers on UDP, which sorted the resolving; however, I had to specifically allow all port 80 traffic through, or else it wasn't working. I guess that state line wasn't really doing anything :/

IRC appears to be working. I'm not sure about the identd; however, I think XChat doesn't use it or something, so IRC servers always hold you up while they try to use it. I disabled ssh and something else after looking through a security HOWTO. However, I still have:
Code:
[root@celia root]# netstat -a|grep LISTEN
tcp        0      0 *:32768                 *:*                     LISTEN      
tcp        0      0 celia.nathntwk:32769    *:*                     LISTEN      
tcp        0      0 *:sunrpc                *:*                     LISTEN      
tcp        0      0 *:x11                   *:*                     LISTEN      
tcp        0      0 celia.nathntwk:smtp     *:*                     LISTEN      
unix  2      [ ACC ]     STREAM     LISTENING     752464 /tmp/afterstep-500.DISPLAY=:0.0
unix  2      [ ACC ]     STREAM     LISTENING     1246   /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     865    /dev/gpmctl
unix  2      [ ACC ]     STREAM     LISTENING     911    /tmp/.font-unix/fs7100
The UNIX ports are all local, aren't they, so I don't need to worry about them? X is needed, so there's just sendmail and what's listening on 32769. I haven't a clue what is listening on that port, so I blocked it, and nothing seemed to break; should I just block it permanently in my script?

Also, what about sendmail? Does the internal emailing still work without it? I'm always getting logwatch emails from/to root internally. Should I disable it?
 

Testin da Cable

Guest
Hmm, I wouldn't do the /dev/loop stuff but 'localhost'. In your /etc/hosts file there should be an entry 127.0.0.1 localhost. Use that instead. I feel strange about directly talking to the loop device.

It's true that XChat doesn't use ident. It's not the client but the server that tries to ident. That port 80 thing is kinda strange tho. I notice that when I connect to IRC, bw for example, I get scanned and my _web_ server writes this to its log:

Code:
213.221.173.2 - - [31/Mar/2002:00:22:31 +0100] "CONNECT 213.221.173.2:6660 HTTP/1.0" 405 232
That comes in on port 80, but my fw tells me that other ports have been scanned as well. I take it that it's the 'proxy scan' quakenet does [specially after a lookup of that IP, heh].
Unix domain sockets are indeed local in this case, so there's no problem there. Your X server won't let anyone in but yourself by default, so that's covered too. You can check using the xhost command amongst others.
If you want to find out what is running on port x, the best way IMO is to telnet to it. Try a telnet localhost portnumber and see what you can see.
Local mail needs a server to transfer it, heh. I hate sendmail tho; postfix is the way and the light.
 

ShockingAlberto

Guest
OK, I think I've got it sorted now; however, there's an issue: the logging.

As far as I understand it, the logging is part of the kernel logging, which goes through syslogd. I edited /etc/syslog.conf and told it to send kernel messages to /var/log/kernel; however, it's not putting anything there (I restarted syslogd). Besides the other kernel messages, there should be information coming from netfilter, because I told it to log stuff over port 6667, which is IRC.

Am I looking in the right place, or is syslogd not what I'm after? dmesg doesn't have anything after the bootup info in it.
 

ShockingAlberto

Guest
Ahh, I got it all sorted now :)

Realised that it was logging when I took the limit off, so I went into the kernel configuration, and there were several modules that I hadn't built that I needed, the limit function being one and the state matching being another. I guess I can rely on state matching rather than open ports to use the web now :clap:
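An added example for the logging question in the last two posts, not code from the thread: once syslogd is writing kern.* to a file, the netfilter LOG lines are only useful if you can reduce them to "who is hitting which port, how often". The sample lines below are constructed here to match the syslog layout of the period (date, hostname, "kernel:", then the prefix from the script's --log-prefix, then the IN=/SRC=/DST=/PROTO=/SPT=/DPT= fields); the addresses are RFC 5737 documentation placeholders and the file path /var/log/kernel is the one the poster configured. The awk also handles a prefix glued onto IN= (the posted script's --log-prefix has no trailing space, so the first field is "Dropwall:IN=ppp0") and a bracketed kernel timestamp in front of the prefix.

```shell
#!/bin/sh
# Added example: summarise netfilter LOG lines from a syslog file.
# Usage: sh nflog-summary.sh --stdin < /var/log/kernel
#        sh nflog-summary.sh            (runs on the constructed sample below)
set -eu

# Constructed sample of what /var/log/kernel holds once kern.* is routed there.
# Addresses are RFC 5737 documentation ranges, not real hosts.
sample_log() {
    cat <<'EOF'
Mar 31 00:22:31 celia kernel: Dropwall: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=43210 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 31 00:22:32 celia kernel: Dropwall: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=43211 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 31 00:22:34 celia kernel: Dropwall:IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=4713 DF PROTO=TCP SPT=43212 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 31 00:23:05 celia kernel: [ 8123.442123] Badflags: IN=ppp0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 PROTO=TCP SPT=31337 DPT=22 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Mar 31 00:23:40 celia kernel: Dropwall: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9001 PROTO=UDP SPT=41000 DPT=33434 LEN=40
Mar 31 00:25:02 celia kernel: eth0: link up
EOF
}

# Read syslog lines on stdin; print "count prefix source proto dport", busiest first.
# Lines without a SRC= field are not netfilter LOG output and are skipped.
summarize_drops() {
    awk '
    {
        src = ""; proto = "?"; dpt = "-"; prefix = "?"
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i == "kernel:") {
                j = i + 1
                # Some kernels/syslogs put "[ seconds.micros]" before the prefix.
                if ($j ~ /^\[/) { while (j <= NF && $j !~ /\]$/) j++; j++ }
                prefix = $j
                sub(/:.*/, "", prefix)   # "Dropwall:" or "Dropwall:IN=ppp0" -> "Dropwall"
            }
        }
        if (src == "") next              # not a netfilter LOG line
        n[prefix " " src " " proto " " dpt]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

case "${1:-}" in
    --stdin) summarize_drops ;;               # real log on stdin
    *)       sample_log | summarize_drops ;;  # demo on the constructed sample
esac
```

Two things worth checking against this output once it runs on the real file: a prefix that never appears although its chain has non-zero counters in `iptables -L -v -n` means the LOG target itself is not working (the limit and LOG modules were the missing pieces in the thread), and a prefix that appears only after the limit is removed means the rate limit is hiding all but the first few hits of a burst, which is fine for a desktop but worth knowing when you read the counts.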
 
