Iptables


Script creation

  • Edit a script file

First part

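#!/bin/bash
#
# Build this host's firewall from scratch with iptables: flush everything,
# default every chain to DROP, then add ACCEPT rules (the remaining
# sections of this script) only for the traffic that is wanted.
#
# Must run as root. The policies are switched to DROP *before* any ACCEPT
# rule exists, so an SSH session that runs this script stalls until the
# SSH rules further down are loaded; run it from a console, or load a
# complete ruleset atomically with iptables-restore.

IPT="/sbin/iptables"

# Flush all rules and delete user-defined chains in the filter and nat
# tables, so the script can be re-run without appending duplicates.
"$IPT" -F
"$IPT" -X
"$IPT" -t nat -F
"$IPT" -t nat -X

# Default-deny in every direction; everything below is an exception.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

# Loopback is unrestricted.
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# Site-specific settings used by the rules that follow.
SERVER_IP="149.208.146.13"   # address this host is reached on (used by the SSH rules)
VPN_IF="tun0"                # OpenVPN tunnel interface
EXT_IF="eth0"                # Internet-facing interface
VPNNET="10.18.0.0/24"        # presumably the VPN client address pool (masqueraded below)
LOCAL="127.0.0.0/8"          # whole loopback block for the anti-spoof rules;
                             # the former value 127.0.0.1 left 127.0.0.2-255 unmatched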

Security rules

Miscellaneous rules

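# Anti-spoofing: loopback addresses must never arrive on, or be forwarded
# from, the Internet-facing interface, as source or as destination.
"$IPT" -A INPUT   -i "$EXT_IF" -s "$LOCAL" -j DROP
"$IPT" -A FORWARD -i "$EXT_IF" -s "$LOCAL" -j DROP
"$IPT" -A INPUT   -i "$EXT_IF" -d "$LOCAL" -j DROP
"$IPT" -A FORWARD -i "$EXT_IF" -d "$LOCAL" -j DROP

# Anything coming from the Internet should carry a real Internet address:
# drop the RFC 1918 private ranges on the external interface. (If EXT_IF
# is ever placed behind a NAT router these rules will block its peers.)
"$IPT" -A FORWARD -i "$EXT_IF" -s 192.168.0.0/16 -j DROP
"$IPT" -A FORWARD -i "$EXT_IF" -s 172.16.0.0/12  -j DROP
"$IPT" -A FORWARD -i "$EXT_IF" -s 10.0.0.0/8     -j DROP
"$IPT" -A INPUT   -i "$EXT_IF" -s 192.168.0.0/16 -j DROP
"$IPT" -A INPUT   -i "$EXT_IF" -s 172.16.0.0/12  -j DROP
"$IPT" -A INPUT   -i "$EXT_IF" -s 10.0.0.0/8     -j DROP

# Block outgoing NetBIOS (if you have Windows machines running on the
# private subnet). This does not affect NetBIOS traffic that flows over
# the VPN tunnel, but it stops local Windows machines from broadcasting
# themselves to the Internet.
"$IPT" -A FORWARD -p tcp --sport 137:139 -o "$EXT_IF" -j DROP
"$IPT" -A FORWARD -p udp --sport 137:139 -o "$EXT_IF" -j DROP
"$IPT" -A OUTPUT  -p tcp --sport 137:139 -o "$EXT_IF" -j DROP
"$IPT" -A OUTPUT  -p udp --sport 137:139 -o "$EXT_IF" -j DROP

# ICMP echo: this host may ping out (the replies come back through the
# ESTABLISHED,RELATED rule in the "Allow established" section). Incoming
# echo-request stays commented out, so the host does not answer pings;
# uncomment the INPUT line to allow them.
#"$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
"$IPT" -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# Malformed TCP: no flags at all (null scan), a new connection that is not
# a SYN, and every flag set (xmas scan).
"$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
"$IPT" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
"$IPT" -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# DHCP client chatter (source port bootpc/68) from the Internet is dropped
# here, before it reaches the LOGGING chain at the end of the script.
"$IPT" -A INPUT -i "$EXT_IF" -p udp --sport bootpc -j DROP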

SSH

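# SSH, with a per-source rate limit on new connections.
#
# The "recent" list named SSH is populated by the --set rule; without it
# --rcheck and --update never match, so the original log/drop pair was
# inert. All three recent rules are restricted to NEW connections so that
# packets of an already established session are never counted against
# the limit (they hit these rules before the ESTABLISHED rule further
# down). With the checks placed before the --set, a source may open two
# new connections per 60 seconds; the third is logged and dropped.
"$IPT" -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 2 --name SSH -j LOG --log-prefix "SSH "
"$IPT" -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --name SSH -j DROP
"$IPT" -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# Accept SSH to this host from unprivileged client ports, and the replies.
"$IPT" -A INPUT  -p tcp -s 0/0 -d "$SERVER_IP" --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPT" -A OUTPUT -p tcp -s "$SERVER_IP" -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT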

Allow established

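# Connection tracking. Any new connection from this host, or forwarded
# out through the external interface, is allowed; replies and related
# traffic are accepted in INPUT and FORWARD. Note that these
# ESTABLISHED,RELATED rules sit below the per-service rules above, so
# every packet of a long-lived flow is evaluated against those first.
"$IPT" -A OUTPUT  -m state --state NEW -o "$EXT_IF" -j ACCEPT
"$IPT" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FORWARD -m state --state NEW -o "$EXT_IF" -j ACCEPT
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT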

OpenVPN

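# Anti-spoofing on the tunnel: a forwarded packet arriving on the VPN
# interface must carry a source address from the VPN pool.
# (This and the three ACCEPT rules below used $INT_IF, which is never
# defined in this script, so those rules could not have been installed
# as intended; VPN_IF is the variable defined in the first section.)
"$IPT" -A FORWARD ! -s "$VPNNET" -i "$VPN_IF" -j DROP

# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode it authenticates packets before
# they arrive on a tun or tap interface, so no further filtering is
# needed here unless you want to restrict what may flow over the tunnel.

# The tunnel endpoint itself. UDP port 20 is presumably the port this
# OpenVPN instance listens on (check it against the server config); the
# commented tcp/443 pair is the alternative for a TCP-mode server.
"$IPT" -A INPUT  -p udp -i "$EXT_IF" --dport 20 -m state --state NEW -j ACCEPT
#"$IPT" -A INPUT  -p tcp -i "$EXT_IF" --dport 443 -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -p udp -o "$EXT_IF" --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
#"$IPT" -A OUTPUT -p tcp -o "$EXT_IF" --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Everything on the tunnel interface is accepted, in all three chains.
"$IPT" -A INPUT   -i "$VPN_IF" -j ACCEPT
"$IPT" -A FORWARD -i "$VPN_IF" -j ACCEPT
"$IPT" -A OUTPUT  -o "$VPN_IF" -j ACCEPT

# NAT the VPN pool out to the Internet. This rule has no -o match, so it
# applies whatever the outgoing interface; add -o "$EXT_IF" if traffic
# between VPN clients must keep its real source address. Forwarding also
# needs net.ipv4.ip_forward=1, which this script does not set.
"$IPT" -t nat -A POSTROUTING -s "$VPNNET" -j MASQUERADE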

Log Drop

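# Log-then-drop tail. Everything that reached the end of INPUT, OUTPUT or
# FORWARD without matching an ACCEPT is sent to the LOGGING chain, logged
# at a bounded rate (2 per minute, plus the limit match's default burst)
# and dropped explicitly. FORWARD was missing from the original, so
# forwarded packets were dropped by policy without any log entry; it is
# now treated like the other two chains.
"$IPT" -N LOGGING
"$IPT" -A INPUT   -j LOGGING
"$IPT" -A OUTPUT  -j LOGGING
"$IPT" -A FORWARD -j LOGGING
"$IPT" -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
"$IPT" -A LOGGING -j DROP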

Make the rules persistent - easy way

  • Install package : iptables-persistent
  • Add the following line to the end of the script: iptables-save > /etc/iptables/rules.v4

Elliot
techUnit's cofounder