Text 7676, 233 lines
Written 2006-10-22 12:43:00 by MARTIN ATKINS (1:123/140)
Comment on a text by PAUL ROGERS
Subject: Latest firewall script
==============================
-=> PAUL ROGERS wrote to ALL <=-
PR> #!/bin/bash
PR> # firewall.sh - Configurable per-host firewall for workstations
PR> # Parts James Stephens (jns@ias.edu)
PR> # PGR was here
PR> # PGR Workstation firewall, not appropriate for server
PR> # PGR Attitude: Tight limitations to protect us from the big, bad world,
PR> # as well as our local network from rogue processes. Access to the
PR> # big, wide, world is limited to well-known ports as much as possible.
PR> # Passive mode FTP is allowed, but is a potential security risk. If
PR> # you uncomment DHCP rules, you might want to tell kernel not to log
PR> # "martians".
PR> # PGR Sources of some variables are: "/etc/sysconfig/rc",
PR> # "/etc/sysconfig/network", & "$network_devices/ifconfig.eth0",
PR> # including $IP (my IP address), & $BASEIP (the first 3 octets).
PR> # PGR Blacklisted IP addresses/CIDR's in /etc/blacklisted_ip
PR> # PGR No warranties, expressed or implied!
PR> ######################################################################
Is the above your comment or the original script writer's?
I'm going to take it at face value and assume it is a workstation
on a local network that has access to the outside world.
Take what I say as casual observation, as I have no idea of your personal
setup or what version of iptables you are using.
PR> NAMESERVER_1=209.102.124.14 # change as necessary
PR> NAMESERVER_2=209.102.124.15 # change as necessary
Fair enough if your local net is routing you to the outside world.
Nameservers are not my strong point as I only have a small home network
and the other machines routed to the outside world yet.
PR> LOOPBACK="127.0.0.0/8"
Why define loopback this way? Loopback is for testing your own machine
and normally will only be 127.0.0.0. Iptables accepts "lo" and so _normally_
does not require defining.
PR> CLASS_A="10.0.0.0/8"
PR> CLASS_B="172.16.0.0/12"
PR> CLASS_C="192.168.0.0/16"
PR> CLASS_D_MULTICAST="224.0.0.0/4"
PR> CLASS_E_RESERVED_NET="240.0.0.0/5"
None of these are necessary. Since INPUT policy is DROP they never
get through.
PR> KNOWN="0:1023" # "well known" ports
Ok but if you have NFS you may need to DROP port 2049 later. SSH
is covered.
PR> EPHEM="1024:65535" # ephemeral ports
If as /proc/sys/net/ipv4/ip_local_port_range or what is appropriate
for your distro.
PR> TR_SRC_PORTS="32769:65535"
PR> TR_DEST_PORTS="33434:33523"
This is a worry. $EPHEM is now defined so these ports are, as far as I
know, safe. There may be some reason for defining these ports but it is not
obvious from this script.
PR> #PGR source our variables, i.e. IP address
PR> . /etc/sysconfig/rc
PR> . /etc/sysconfig/network
PR> . $network_devices/ifconfig.eth0$ # Changes in LFS-6.x
PR> LOCAL_NET=$BASEIP.0/24
This doesn't make sense to me. $BASEIP has not been defined in this
script nor has $network_devices/ifconfig.eth0
PR> function on {
PR> echo "Firewall: enabling filtering"
PR> # Set up a default DROP policy for the built-in chains. If we modify and
PR> # re-run the script mid-session then (because we have a default DROP
PR> # policy), what happens is that there is a small time period when
PR> # packets are denied until the new rules are back in place. There is no
PR> # period, however small, when packets we don't want are allowed.
PR> iptables -P INPUT DROP
PR> iptables -P FORWARD DROP
PR> iptables -P OUTPUT DROP
Unless you are intending to block yourself or a terminal on your network
from communicating with the outside world then:-
iptables -P OUTPUT ACCEPT
Even if you do intend to restrict output from certain terminals there
are better ways of doing it.
PR> # These lines are here in case rules are already in place and the script
PR> # is ever rerun on the fly. We want to remove all rules and
PR> # pre-existing user defined chains and zero the counters before we
PR> # implement new rules.
PR> iptables -F
PR> iptables -X
PR> iptables -Z
Ok but don't forget you have user defined chains in this script so they
may need flushing as well.
PR> ## LOOPBACK
PR> # Allow my own traffic on the loopback interface.
PR> iptables -A INPUT -i lo -s $LOOPBACK -j ACCEPT
PR> iptables -A OUTPUT -o lo -d $LOOPBACK -j ACCEPT
Remember what i said about defining loopback earlier in the script.
There is no need to define loopback so these two lines can be replaced
with:-
iptables -A INPUT -i lo -j ACCEPT
If you insist on defining loopback then:-
iptables -A INPUT -i lo -s $LOOPBACK -j ACCEPT
These both work with:-
iptables -P OUTPUT ACCEPT
PR> iptables -A INPUT -i lo -s $IP -j ACCEPT
PR> iptables -A OUTPUT -o lo -d $IP -j ACCEPT
As far as I can see $IP has not been defined in this script. Even if
it was, $IP cannot under normal circumstances request "lo" on a remote
machine.
PR> # Everything else comes from an external interface. This firewall is
PR> # for a network workstation, so in the default case that's one ethernet
PR> # interface, eth0. But rules apply to all!
PR> #### USER DEFINED CHAINS
PR> # Syn-flood limiting
PR> # Up to limit-burst connections can arrive in 1/limit seconds ..... in
PR> # this case 4 connections in one second. After this, one of the burst
PR> # is regained every second and connections are allowed again.
PR> # The default limit is 3/hour. The default limit burst is 5.
PR> iptables -N syn-flood
PR> iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
PR> iptables -A syn-flood -j DROP
Ok but as I said you may need to flush this chain if you want to clear the
decks.
PR> ##PGR User-defined chain to log & drop packets
PR> iptables -N log-it
PR> iptables -A log-it -j LOG -m limit --limit 40/minute --log-prefix "firewall: "
PR> iptables -A log-it -j DROP
PR> #### PGR: BLACKLIST CHECKING (comes early)
PR> for BAD_BOY in `cat /etc/blacklisted_ip`
PR> do
PR> echo "Blacklisting " $BAD_BOY
PR> # Input packets are logged & forgotten
PR> iptables -A INPUT -s $BAD_BOY -j log-it
PR> # Output packets from internal processes receive an error code,
PR> # but they still don't go through.
PR> iptables -A OUTPUT -d $BAD_BOY -j REJECT --reject-with icmp-host-unreachable
PR> done
Why not cover all this with the input policy?
PR> # icmp source quench to the loopback.
PR> iptables -A INPUT -d $LOOPBACK -j DROP
< LOTS CUT >
You are now effectively trying to block yourself from pinging your own
machine after first allowing it. This chain will do nothing.
It is, as far as I am concerned, an extraordinarily messy firewall.
I think you need to work on a flow chart and map exactly what you are
trying to achieve.
PR> ## =============================================
PR> #### FALL-THROUGH
PR> #PGR be nice to local network processes
PR> iptables -A INPUT -s $LOCAL_NET -j REJECT
PR> iptables -A OUTPUT -d $LOCAL_NET -j REJECT
PR> #PGR log & drop the rest
PR> iptables -A INPUT -j log-it
PR> iptables -A OUTPUT -j log-it
PR> }
There is no "FALL-THROUGH" on a correctly written script.
Use "nmap" to test your setup or http://hackerwhacker.com/freetools.php
PR> ######################################################################
PR> function off {
PR> # stop firewall
PR> echo "Firewall: disabling filtering (allowing all access)"
PR> echo "Are you sure? Really sure?"
PR> read ans
PR> if [ "$ans" = "y" -o "$ans" = "Y" ]; then
PR> iptables -P INPUT ACCEPT
PR> iptables -P OUTPUT ACCEPT
PR> iptables -P FORWARD ACCEPT
PR> iptables -F
PR> iptables -X
PR> echo "The gates to the citadel are wide open!"
PR> echo "Welcome, sailor!"
PR> else
PR> echo "Good idea! Firewall stop, cancelled."
PR> fi
PR> }
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
No need to complicate things.
--- MultiMail/Linux v0.47
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
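As an added illustration of the points raised in the reply above (accept outbound, flush rules and user chains before rebuilding, match loopback by interface rather than address, keep the rate-limited log-and-drop and syn-flood chains, and validate blacklist entries instead of handing whatever is in the file straight to iptables), here is a reworked skeleton of the "on" function. It is not code from either poster; it assumes a dry-run mode where IPT defaults to "echo iptables" so the rules are printed rather than loaded, and a constructed sample blacklist file.

```shell
#!/bin/sh
# Reworked workstation firewall "on" function (added example, not the
# thread's script). Default is a dry run: IPT="echo iptables" prints the
# rules. Run with IPT=iptables as root to actually load them.
IPT="${IPT:-echo iptables}"

# Constructed sample blacklist (TEST-NET addresses, not real indicators),
# used when no BLACKLIST path is supplied.
if [ -z "${BLACKLIST:-}" ]; then
    BLACKLIST=$(mktemp)
    printf '%s\n' '# constructed entries' '192.0.2.7' '198.51.100.0/24' \
        'not.an.ip' > "$BLACKLIST"
fi

# Accept only dotted-quad addresses with an optional /prefix.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

firewall_rules() {
    # Policies first so there is no window where unwanted packets pass;
    # OUTPUT is ACCEPT, as suggested in the reply.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # -F flushes every chain (user-defined ones included); -X can then
    # delete the now-empty user chains before they are recreated.
    $IPT -F
    $IPT -X
    $IPT -Z
    # Loopback is matched by interface; no address definition needed.
    $IPT -A INPUT -i lo -j ACCEPT
    # Rate-limited log-and-drop chain.
    $IPT -N log-it
    $IPT -A log-it -m limit --limit 40/minute -j LOG --log-prefix "firewall: "
    $IPT -A log-it -j DROP
    # Blacklist: skip blank/comment lines and anything that is not a CIDR.
    while read -r BAD_BOY; do
        case "$BAD_BOY" in ''|\#*) continue ;; esac
        if valid_cidr "$BAD_BOY"; then
            $IPT -A INPUT -s "$BAD_BOY" -j log-it
        else
            echo "skipping invalid blacklist entry: $BAD_BOY" >&2
        fi
    done < "$BLACKLIST"
    # SYN-flood limiting chain, hooked into INPUT for new TCP connections.
    $IPT -N syn-flood
    $IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    $IPT -A syn-flood -j DROP
    $IPT -A INPUT -p tcp --syn -j syn-flood
    # Anything not matched above is logged and dropped.
    $IPT -A INPUT -j log-it
}
```

Service-specific ACCEPT rules (the cut part of the original script) belong between the syn-flood hook and the final log-it rule.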