webcp.hostinghacks.net/slackware | firewall

SYNOPSIS:
Firewall a webhosting server with stateful packet filtering. The firewall strategy in a nutshell goes like this:
  1. DROP any suspicious or malformed packets.
  2. Allow HTTP, HTTPS, SMTP, DNS services to/from any IP address in the solar system.
  3. Allow outbound connections to explicitly stated NTP, DNS, SMTP, WHOIS or other predefined servers.
  4. Drop geographically remote packets that should not have access to POP, FTP, or the Control Panel (e.g. anything outside North America).
  5. Allow any packets not dropped by this point to connect to POP, FTP and the Control Panel.
  6. Log and allow outbound connections. When in production use, set to log and deny (if paranoid).
  7. Review the firewall logs and update the firewall.

PREREQUISITES: The firewall included here assumes that you have a single 'real' IP address exposed to the internet.

INSTALLING A SAFETY NET

If you are working on firewall rules remotely, build in a safety net before you start. The following cron job restores a default accept-everything ruleset every 15 minutes, so a mistake that locks you out undoes itself within a quarter of an hour:

cat > /root/firewall_reset << "EOF"
# Iptables firewall reset script
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT
EOF


crontab -e 
0,15,30,45 * * * * /sbin/iptables-restore < /root/firewall_reset

When you have finished testing the firewall, remove the cron job. 'crontab -r' deletes root's entire crontab, so if root has other jobs use 'crontab -e' and delete just this line instead. The crontab settings are stored in /var/spool/cron/root.

CONFIGURATION
last updated: July 2005

Copy the contents of the firewall script and make appropriate changes:

#!/bin/sh
#  --- HOSTINGHACKS.NET/FIREWALL.SH ---
#  IPTABLES FIREWALL SCRIPT FOR A
#  WEBHOSTING SERVER.  \\\!!////
#                       ( @ @ )
#   __________o000......000o____________
#   ____] [_____] [_____] [_____] [_____] [_
#   __] [_____] [_____] [_____] [_____] [___
#   ____] [_____] [_____] [_____] [_____] [_

#   note: if you remove any variables,
#   make sure to remove them in the script body.

#   The back-slash "\" may be used as the last
#   character to continue the directive onto the next line.
#   There must be no white space between the back-slash and
#   the end of the line.

iptables -F

# --- eth0
NET=111.112.113.114

# --- Development machines (allow SSH from these):
DEV_1=172.16.208.0/24
DEV_2=172.16.106.0/24
DEV_3=192.168.0.0/16

# --- DNS Secondaries (allow zone xfers to these):
ZONE_XFR_1=192.168.97.97
ZONE_XFR_2=192.168.104.97
ZONE_XFR_3=192.168.100.10
ZONE_XFR_4=192.168.208.165

# --- Time Servers --- (allow NTP queries to these):
TIME_SERVER=128.100.100.128

# --- Resolvers - (allow DNS queries to these; the addresses below are
# --- placeholders from the documentation range, replace them with your own):
DNS_1=192.0.2.53
DNS_2=192.0.2.54

# --- A port for the control panel and webmail to run on:
CP_PORT=2081
WEBMAIL_PORT=1081

# --- load the FTP connection-tracking helper or passive/active FTP will fail
# --- (the module is called nf_conntrack_ftp on kernels from 2.6.20 on)
modprobe ip_conntrack_ftp

#------------------------------------------------------------------
# --- If a packet matches no rule, the chain policy drops it
#------------------------------------------------------------------
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

#------------------------------------------------------------------
# --- If a packet is part of a previously established stream
# --- accept it here before making it traverse the firewall rules
#---------------------------------------------------------------
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#---------------------------------------------------------------
# --- Accept to the LOOPBACK
#---------------------------------------------------------------
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#---------------------------------------------------------------
# http://www.completewhois.com/iana-ipv4-specialuse.txt
#---------------------------------------------------------------
# iptables -A INPUT -s 192.168.0.0/255.255.0.0 -j DROP
iptables -A INPUT -s 10.0.0.0/255.0.0.0      -j DROP
iptables -A INPUT -s 172.16.0.0/12           -j DROP
iptables -A INPUT -s 127.0.0.0/8             -j DROP
iptables -A INPUT -s 0.0.0.0/8               -j DROP
iptables -A INPUT -s 169.254.0.0/16          -j DROP
iptables -A INPUT -s 224.0.0.0/4             -j DROP
iptables -A INPUT -s 240.0.0.0/5             -j DROP
iptables -A INPUT -d 224.0.0.0/4 -p ! udp    -j DROP

#---------------------------------------------------------------
# - Allowing fragments presents a potential security risk.
# - log and deny all fragments.
#----------------------------------------------------------------
iptables -A INPUT -f -j LOG --log-level 7 --log-prefix "TCP FRAGMENT: "
iptables -A INPUT -f -j DROP

#-----------------------------------------------------------------
# --- STEALTH SCANS ---
# --- Many FIN,SYN,RST,PSH,ACK,URG combinations are obvious forgeries.
# --- LOG and DROP bad SYN,RST,ACK combos with prejudice.
# --- "--tcp-flags MASK COMP" examines only the bits in MASK and
# --- matches when exactly the bits in COMP are set.
#-----------------------------------------------------------------

# none of SYN,RST,ACK set: neither a connection attempt, a reply nor a reset
iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK NONE -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS1 : " --log-tcp-options --log-tcp-sequence --log-ip-options

# SYN and RST together
iptables -A INPUT   -p tcp --tcp-flags SYN,RST     SYN,RST -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS2 : " --log-tcp-options --log-tcp-sequence --log-ip-options

iptables -A OUTPUT  -p tcp --tcp-flags SYN,RST,ACK NONE    -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS3 : " --log-tcp-options --log-tcp-sequence --log-ip-options

iptables -A OUTPUT  -p tcp --tcp-flags SYN,RST     SYN,RST -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS4 : " --log-tcp-options --log-tcp-sequence --log-ip-options

iptables -A INPUT   -p tcp --tcp-flags SYN,RST,ACK NONE    -j DROP
iptables -A INPUT   -p tcp --tcp-flags SYN,RST     SYN,RST -j DROP
iptables -A OUTPUT  -p tcp --tcp-flags SYN,RST,ACK NONE    -j DROP
iptables -A OUTPUT  -p tcp --tcp-flags SYN,RST     SYN,RST -j DROP

# NULL probe (no flags at all)
iptables -A INPUT -p tcp --tcp-flags ALL NONE              -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS5 : " --log-tcp-options --log-tcp-sequence --log-ip-options

# every flag set
iptables -A INPUT -p tcp --tcp-flags ALL ALL               -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS6 : " --log-tcp-options --log-tcp-sequence --log-ip-options

# SYN and FIN together
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN       -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS8 : " --log-tcp-options --log-tcp-sequence --log-ip-options

# FIN and RST together
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST       -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS11 : " --log-tcp-options --log-tcp-sequence --log-ip-options

# FIN without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN           -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS12 : " --log-tcp-options --log-tcp-sequence --log-ip-options

# URG without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG           -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS13 : " --log-tcp-options --log-tcp-sequence --log-ip-options

# XMAS probe (FIN, PSH and URG only)
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG \
--log-level 7 --log-prefix "BAD-FLAGS15 : " --log-tcp-options --log-tcp-sequence \
--log-ip-options

iptables -A INPUT -p tcp --tcp-flags ALL NONE              -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL               -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN       -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST       -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN           -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG           -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP

#----------------------------------------------------------------
# Allow worldwide access to HTTP, HTTPS, DNS
#---------------------------------------------------------------

iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp -s 0/0 -d $NET --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -s $NET -d 0/0 --dport 1023:65535 -j ACCEPT

# TCP packets to/from specified Secondaries ok (needed for zone xfers)
#---------------------------------------------------------------
iptables -A INPUT -p tcp -s $ZONE_XFR_1 -d $NET --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $ZONE_XFR_2 -d $NET --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $ZONE_XFR_3 -d $NET --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $ZONE_XFR_4 -d $NET --dport 53 -j ACCEPT

iptables -A OUTPUT -p tcp -s $NET -d $ZONE_XFR_1 --dport 1023:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET -d $ZONE_XFR_2 --dport 1023:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET -d $ZONE_XFR_3 --dport 1023:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET -d $ZONE_XFR_4 --dport 1023:65535 -j ACCEPT


#----------------------------------------------------------------
# Drop a few high profile "spam neighborhoods" before allowing SMTP packets to hit
# see http://www.blackholes.us/
# or autogenerate at: http://blacklist.linuxadmin.org/
#---------------------------------------------------------------

iptables -A INPUT -p tcp -s 211.0.0.0/8 --dport 25 -j REJECT
iptables -A INPUT -p tcp -s 218.0.0.0/8 --dport 25 -j REJECT
iptables -A INPUT -p tcp -s 219.0.0.0/8 --dport 25 -j REJECT
iptables -A INPUT -p tcp -s 220.0.0.0/8 --dport 25 -j REJECT

iptables -A INPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# --- If you don't host websites outside of the United States
# --- there is little reason for 'GEO-REMOTE IP' addresses
# --- to connect to ftp, ssh or the control panel.
# --- Only allow packets past this point if they are part of known US address space
# --- see http://ip.ludost.net/raw/country.db.gz
# --- or http://www.maxmind.com/app/geoip_country
#
# US Address space (as of July 2005 - allocations change, so regenerate
# this table from a current country database before relying on it):
# |3.- 4. | 6.- 9. | 11.- 13. | 16.- 17 | 19.- 21. | 24. | 26. | 28. | 32. |38.
# |40. | 44. | 48. |  52. | 54. | 60.- 72. | 80.- 85. | 128.- 172. | 192.- 196.
# | 198.- 200. | 202.- 210. | 212.- 213. |
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# Not US address space (the first octet of every /8 not in the table above):

for OCTET in 1 2 5 10 14 15 18 22 23 25 27 29 30 31 $(seq 33 37) 39 \
             41 42 43 45 46 47 49 50 51 53 $(seq 55 59) $(seq 73 79) \
             $(seq 86 127) $(seq 173 191) 197 201 211 $(seq 214 255)
do
    iptables -A INPUT -s $OCTET.0.0.0/8 -d 0/0 -j DROP
done


#----------------------------------------------------------------
# POP & Secure-POP (110, 995)
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT

#---------------------------------------------------------------
# --- FTP --- make sure that the ip_conntrack_ftp module is loaded
#---------------------------------------------------------------

# --------------INITIAL CONNECT-------------------
#
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 --dport 1024:65535 \
-m state --state NEW,ESTABLISHED -j ACCEPT

# --------------PASSIVE IN  --------------------
iptables -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535  \
-m state --state ESTABLISHED,RELATED -j ACCEPT

# ----------------PASV OUT--------------------
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535  \
-m state --state ESTABLISHED,RELATED -j ACCEPT

#------------------ACTIVE------------------------------
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT


#---------------------------------------------------------------
# --- SSH - log + allow (from specific networks only)
# --- A dialup can usually be limited to /16 subnet
#---------------------------------------------------------------

iptables -A INPUT -p tcp --syn --dport 22 -j LOG --log-prefix "SSH SYN "

iptables -A INPUT -p tcp -s $DEV_1 -d 0/0 --dport 22 -m state \
--state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $DEV_2 -d 0/0 --dport 22 -m state \
--state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $DEV_3 -d 0/0 --dport 22 -m state \
--state NEW,ESTABLISHED -j ACCEPT


#---------------------------------------------------------------
# --- Accept connections to the control panel ---
#---------------------------------------------------------------
iptables -A INPUT -p tcp --sport 1024:65535 --dport $CP_PORT  \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p tcp --sport $CP_PORT --dport 1024:65535  \
-m state --state ESTABLISHED,RELATED -j ACCEPT


#----------------------------------------------------------------
# Webmail
#---------------------------------------------------------------
iptables -A INPUT -p tcp --sport 1024:65535 --dport $WEBMAIL_PORT  \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p tcp --sport $WEBMAIL_PORT --dport 1024:65535  \
-m state --state ESTABLISHED,RELATED -j ACCEPT

#---------------------------------------------------------------
# --- ICMP response - The RFCs say to allow ICMP responses
# --- so be prepared to break the rules if you go into stealth mode
#---------------------------------------------------------------
iptables -A INPUT -p icmp -s $DEV_1 -d $NET  -j ACCEPT
iptables -A INPUT  -p icmp -s 0/0 -d $NET  -j DROP


# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# --- OUTBOUND CONNECTIONS ---
# --- logging outbound connections can tell you if your server
# --- is misbehaving.  First allow packet streams that don't need to be monitored:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

#---------------------------------------
# --- allow (and don't log) outbound DNS queries:
# ---------------------------------------
iptables -A OUTPUT -p udp -s $NET -d $DNS_1 --sport 1024:65535 --dport 53 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p udp -s $NET -d $DNS_2 --sport 1024:65535 --dport 53 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p udp -s $NET -d 0/0 --sport 1024:65535 --dport 53 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p udp --sport 53 --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT

#-------------------------------------------
# --- allow NTP packets to query specified public time servers:
#-------------------------------------------
iptables -A OUTPUT  -p udp -s $NET -d $TIME_SERVER --sport 123 --dport 123 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT  -p udp -s $NET -d $TIME_SERVER \
-m state --state NEW,ESTABLISHED,RELATED -j LOG --log-level 7 \
--log-prefix "_TIME-OUT_ : "

iptables -A INPUT -p udp -s $TIME_SERVER -d $NET --sport 123 --dport 123 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p udp -s $TIME_SERVER -d $NET \
-m state --state NEW,ESTABLISHED,RELATED -j LOG --log-level 7 \
--log-prefix "_TIME-IN_ : "

#---------------------------------------------------------------
# --- Apache initiates outbound connections for keep-alives
#---------------------------------------------------------------
# TBD

#---------------------------------------------------------------
# --- Allow the server to ping out to the world
#---------------------------------------------------------------
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p icmp -m state --state ESTABLISHED     -j ACCEPT

#-------------------------------------------
# --- Other outbound connections - log and allow (or log and deny if paranoid)
#-------------------------------------------
iptables -A OUTPUT -m state --state NEW -j LOG \
--log-level 7 --log-prefix "OUTBOUND-CONNECT : " --log-tcp-options --log-ip-options

iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#---------------------------------------------------------------
# did we miss anything? 
#---------------------------------------------------------------
iptables -A INPUT -p tcp --syn -j DROP

Slackware will find and run a script located in '/etc/rc.d/rc.firewall' if one exists and is executable:

cp firewall.sh /etc/rc.d/rc.firewall
chmod +x /etc/rc.d/rc.firewall
/etc/rc.d/rc.firewall

LOGGING

IPtables logging

Edit /etc/syslog.conf to capture what the LOG rules write. Netfilter runs inside the kernel, so its messages arrive through the kern facility at the priority set by --log-level (7 = debug):

cat > /etc/syslog.conf << "EOF"

# A leading '-' on the file name omits syncing the file after every log entry.
# In the event of a crash, some log information might be lost.

kern.7         /var/log/firewall
*.info;*.!warn;\
authpriv.none;cron.none;mail.none;news.none -/var/log/messages
*.warn;\
authpriv.none;cron.none;mail.none;news.none -/var/log/syslog
*.=debug      -/var/log/debug
authpriv.*    -/var/log/secure
cron.*        -/var/log/cron
mail.*        -/var/log/maillog
mail.notice   -/var/log/mail.notice
*.emerg       *
#kern.*       /dev/console

EOF

touch /var/log/firewall
touch /var/log/messages
touch /var/log/debug
touch /var/log/secure
touch /var/log/cron
touch /var/log/maillog
touch /var/log/mail.notice

chmod 640 /var/log/firewall

/etc/rc.d/rc.syslog restart

Logged packets will look like this:

Oct 23 06:13:32 subzero kernel: HIGH PORT UDP CONNECTION: IN=eth0 OUT= MAC=00:10:4b:c5:6b:65:00:10:67:00:b6:0e:08:00 SRC=211.21.146.210 DST=172.16.0.4 LEN=404 TOS=0x00 PREC=0x00 TTL=112 ID=39911 PROTO=UDP SPT=1053 DPT=1434 LEN=384

Note: Keep the log prefix under 30 characters.

Keep an eye on outbound connections for suspicious activity:

cat > /etc/cron.daily/watch.firewall << "EOF"
#! /bin/sh
tail -100 /var/log/firewall | mail -s "serv1 firewall log" servadmin@localhost
#
EOF

chmod +x /etc/cron.daily/watch.firewall
/etc/cron.daily/watch.firewall
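As an added example (not part of this page or the hostinghacks.net script), the following Python parses the kernel log format shown above and summarises /var/log/firewall by log prefix, top inbound sources and outbound connections to ports this server should not be initiating, which is the "misbehaving server" signal the OUTBOUND-CONNECT rule exists to expose. The sample log lines and the set of expected outbound ports are constructed assumptions.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample of /var/log/firewall in the format shown above; the
# prefixes are the ones set by the LOG rules in the firewall script and the
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Oct 23 06:13:32 subzero kernel: OUTBOUND-CONNECT : IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 23 06:13:40 subzero kernel: OUTBOUND-CONNECT : IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 23 06:14:01 subzero kernel: OUTBOUND-CONNECT : IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 23 06:15:12 subzero kernel: SSH SYN IN=eth0 OUT= MAC=00:10:4b:c5:6b:65:00:10:67:00:b6:0e:08:00 SRC=203.0.113.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=4321 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 23 06:15:13 subzero kernel: BAD-FLAGS1 : IN=eth0 OUT= MAC=00:10:4b:c5:6b:65:00:10:67:00:b6:0e:08:00 SRC=203.0.113.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=4322 PROTO=TCP SPT=51001 DPT=110 WINDOW=1024 RES=0x00 URGP=0
Oct 23 06:15:14 subzero kernel: TCP FRAGMENT: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=4323 MF PROTO=TCP
"""

# syslog timestamp, host, "kernel:", the --log-prefix text, then the
# KEY=VALUE fields netfilter writes, which always begin with IN=.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?) ?(?P<fields>IN=.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Assumption: destination ports this server is expected to open connections
# to (SMTP delivery, whois, DNS, web fetches); anything else deserves a look.
EXPECTED_OUTBOUND_PORTS = {"25", "43", "53", "80", "443"}
OUTBOUND_PREFIX = "OUTBOUND-CONNECT"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a dict of the line's fields, or None if it is not a netfilter log line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "prefix": m["prefix"].strip()}
    # Bare flags without a value (DF, MF, SYN) are not KEY=VALUE and are skipped.
    rec.update(FIELD_RE.findall(m["fields"]))
    return rec


def summarise(log_text: str) -> Dict[str, object]:
    """Count lines per prefix, rank inbound sources and flag odd outbound connections."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r is not None]
    by_prefix = Counter(r["prefix"] for r in records)
    inbound = Counter(r["SRC"] for r in records
                      if not r["prefix"].startswith(OUTBOUND_PREFIX))
    unexpected = Counter(
        f'{r["DST"]}:{r.get("DPT", "?")}/{r.get("PROTO", "?")}'
        for r in records
        if r["prefix"].startswith(OUTBOUND_PREFIX)
        and r.get("DPT") not in EXPECTED_OUTBOUND_PORTS
    )
    return {
        "by_prefix": dict(by_prefix),
        "top_inbound_sources": inbound.most_common(3),
        "unexpected_outbound": dict(unexpected),
    }


if __name__ == "__main__":
    # Against the real file: python3 firewall_summary.py < /var/log/firewall
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for section, value in summarise(text).items():
        print(f"{section}: {value}")
```

The summary output is what the daily watch.firewall mail could carry instead of a raw tail; the repeated connections to port 6667 in the constructed sample are the kind of thing that should stand out.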

SPECIALTY CONFIGURATIONS:

A simple firewall - Allows no services:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

A non-existent firewall - Allows all traffic:

iptables -A INPUT -s 0/0 -d 0/0 -j ACCEPT
iptables -A OUTPUT -s 0/0 -d 0/0 -j ACCEPT

Reset a firewall:

#!/bin/sh
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F

If you do the above steps manually from a remote SSH shell, do them in that order. Issuing iptables -F alone leaves the chain policies intact, and you will lock yourself out if they are set to DROP!

TESTING THE FIREWALL:

View the current ruleset:

iptables -nvL

Testing your firewall with nmap

SYN STEALTH scan

nmap -sS -PT -PI -O -T 3 172.16.106.196

-sS ::::: TCP SYN scan: Send a SYN packet then wait for a response. A SYN|ACK indicates the port is listening; a RST is indicative of a non-listener. If a SYN|ACK is received, a RST is immediately sent to disconnect. Very few sites will log these.

-PT ::::: Use TCP "ping" to determine what hosts are up. Instead of sending ICMP echo request packets, spew out TCP ACK packets and then wait for responses to trickle back. Hosts that are up should respond with a RST. This allows you to scan hosts that block ping packets. The default port is 80.

-PI ::::: True ping (ICMP echo request): Finds hosts and also looks for subnet-directed broadcast addresses. These are IP addresses which translate to a broadcast of incoming IP packets to a subnet of computers. These should be eliminated if found as they allow for numerous denial of service attacks (e.g. Smurf).

-O ::::: remote host identification via TCP/IP fingerprinting. Detects subtleties in the OS network stack to create a 'fingerprint'. The TCP timestamp option (RFC 1323) is reported for machines which provide it. When verbose mode (-v) is on with -O, IPID sequence generation is also reported. Most machines increment the "ID" field in the IP header for each packet they send. This makes them vulnerable to several advanced information gathering and spoofing attacks. OS passive fingerprinting is typically done with ICMP type 8's as well as TCP SYN packets. It's possible to do it with SYN/ACKs, but it's not easy. The TTL is usually the first value keyed in on to do OS detection. The TTL can be changed but it will not fool everyone.

-T ::::: timing policy, 0 to 5: |Paranoid|Sneaky|Polite|Normal|Aggressive|Insane| (-T 3 is Normal).

=============================================

CONNECT Scan

nmap -sT -PT -O -vv -T 3 172.16.0.10

-sT Open a connection to every interesting port on the machine. If the port is listening, connect() will succeed.

================================================

UDP scan - no firewall - selected ports (to save time):

nmap -sU -PT  -p 50-200 -vv -T 3 172.16.0.10

-sU ::::: UDP scans: Send 0 byte UDP packets. If you get back an ICMP port unreachable message, then the port is closed. Otherwise assume it is open. Some people think UDP scanning is pointless. UDP scanning is sometimes painfully slow since most hosts implement a suggestion in RFC 1812 (section 4.3.2.8) of limiting the ICMP error message rate.

====================================================

ACK scan - no firewall:

nmap -sA -PT -vv -T 3 172.16.0.10

-sA ::::: ACK scan: This advanced method is usually used to map out firewall rulesets. In particular, it can help determine whether a firewall is stateful or just a simple packet filter that blocks incoming SYN packets.

More nmap notes

-f ::::: This option causes the requested SYN, FIN, XMAS, or NULL scan to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters and intrusion detection systems to detect what you are doing. Some programs have trouble handling these tiny packets and could crash. While this method won't get by packet filters and firewalls that queue all IP fragments (like the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel), some networks can't afford the performance hit this causes and thus leave it disabled.

-h ::::: Quick reference

-S {IP_Address} ::::: spoof the scan.

-g {portnumber} ::::: Set the source port used to scan. A UDP scan should try 53 first and TCP scans should try 20 before 53.

-n ::::: Tells Nmap to never do reverse DNS resolution; this can help speed things up.

NOTES:

Punching a hole in an existing iptables firewall for port 1081 or 443. The rule position (25 here) must be above any rule that would drop the packet; list the chain with 'iptables -nL INPUT --line-numbers' to find the right spot:

iptables -I INPUT 25 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 25 -p tcp --dport 1081 -m state --state NEW,ESTABLISHED -j ACCEPT
#---------------------------------------------------------------
# FRAGMENTS can be overlapped, and the interpretation of
# fragments presents a potential security risk.
# A valid packet can also fragment if larger than allowed by some
# router along the path. Here we choose to log and deny all fragments.
#----------------------------------------------------------------
iptables -A INPUT -f -j LOG --log-level 7 --log-prefix "TCP FRAGMENT: "
iptables -A INPUT -f -j DROP

The -f option matches the second and further fragments of a fragmented packet; the first fragment carries the headers and is matched like any other packet.

There is no way to tell the source or destination ports of fragments, nor ICMP types. Packet fragments will not be matched by other rules. There are defragmentation options within the kernel that you can use instead. If you use connection tracking you will not see any fragmented packets, since they are dealt with before hitting any chain or table. A "fragment" can occur when someone has attempted to send a single packet that is larger than the maximum allowable by some specific router along the path; since the packet is too large, it's being fragmented, and it would be re-assembled on your host. Not uncommon, but fragments can be overlapped, making for an alphabet soup of possible security risk.

Dropping Stealth Scans

Of the 64 possible combinations of the six flags (FIN, SYN, RST, PSH, ACK, URG) only a handful occur in legitimate traffic: SYN, SYN/ACK, ACK on its own or together with PSH, FIN or URG, RST, and RST/ACK. Combinations such as SYN+FIN, SYN+RST, FIN+PSH+URG with no ACK, all six flags set, or none set are obvious forgeries, built by scanners to slip past filters that only look for SYN. Log and drop with prejudice.

Control Bits: 6 bits (from left to right):
URG: Urgent Pointer field significant
ACK: Acknowledgment field significant
PSH: Push Function
RST: Reset the connection
SYN: Synchronize sequence numbers
FIN: No more data from sender

TCP connections start with:
packet 1: SYN (only) from the client
packet 2: SYN/ACK from the server
packet 3: ACK from the client
all further packets have the ACK flag set from both client and server.

and then they end with:
packet n-3: FIN/ACK from the side which wants to stop talking
packet n-2: ACK from the other side
packet n-1: FIN/ACK from the other side (to confirm it will stop talking too)
packet n: ACK from the side which ended the communication

(Since every packet after the handshake carries ACK, the closing FINs are really FIN/ACKs.) The close is often abbreviated: the other side's ACK and FIN/ACK can be sent as one packet, or either side may tear the connection down with a RST instead, so the last packets are frequently not seen. Connection tracking follows the teardown (CLOSE-WAIT, LAST-ACK, TIME-WAIT) and still classes these packets as ESTABLISHED, so a rule that accepts ESTABLISHED covers them.

Any TCP packet which is not a part of an established connection falls into one of three categories: (1) connection handshake, (2) stray resend, or (3) invalid.

What port scanners are looking for:

Host detection: any combination that includes the ACK bit, except together with RST, elicits a RST back from the probed machine whether the probed port is open or closed.

SYN+FIN+URG elicits a RST|ACK back whether the probed port is open or closed.

SYN, SYN+FIN, SYN+PSH, SYN+URG, SYN+FIN+PSH, SYN+URG+PSH and FIN+URG+PSH+SYN all elicit a RST|ACK from a closed port and a SYN|ACK from an open port.

OS distinction: FIN, FIN+URG+PSH, URG, URG+PSH, URG+FIN, PSH, PSH+FIN and NULL (no flags) all elicit a RST|ACK from a closed port; *NIX machines do not respond when an open port is probed, Windows machines still reply with RST|ACK.

If the firewall is just a simple packet filter that blocks incoming SYNs, then some of the combinations listed above will still elicit a reply. If the firewall is stateful, nothing that is not part of a tracked connection should pass it.

The Push (PSH) flag tells the receiving TCP to hand the data in the segment to the application straight away instead of holding it in the buffer until more data arrives. It is only ever seen on data segments, which always carry ACK; PSH with no ACK (like URG or FIN with no ACK) is a forged packet.
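As an added illustration (this is example code written for this page, not part of the original page and not nmap's or netfilter's code), the following Python script applies the classification above to iptables LOG output: it pulls the flag words that the LOG target prints between RES= and URGP=, sorts each packet into handshake, stray or invalid, names the scan type for the invalid ones and counts them per source address. The log lines in it are constructed for the example; the hostname, log prefixes and addresses are made up.

```python
"""Classify TCP flag combinations found in iptables LOG lines.

Added example; not code from the original page.  A packet that is not part
of an established connection is (1) a handshake packet, (2) a stray resend
or teardown packet, or (3) invalid: a flag combination a real TCP stack
never produces, which therefore marks a forged probe (NULL, XMAS, SYN/FIN
scans and friends).  SAMPLE_LOG below is constructed, not captured.
"""
import re
from collections import Counter

TCP_FLAGS = frozenset(("URG", "ACK", "PSH", "RST", "SYN", "FIN"))

# The LOG target prints the set flags as bare words after RES=0x.. and before URGP=.
_FLAGS_RE = re.compile(
    r"RES=0x[0-9a-fA-F]+((?:\s+(?:CWR|ECE|URG|ACK|PSH|RST|SYN|FIN))*)\s+URGP=")
_FIELD_RE = re.compile(r"\b(SRC|DST|SPT|DPT)=(\S+)")


def parse_log_line(line):
    """Return (src, dst, spt, dpt, flags) for a TCP LOG line, else None."""
    if "PROTO=TCP" not in line:
        return None
    m = _FLAGS_RE.search(line)
    if m is None:
        return None
    f = dict(_FIELD_RE.findall(line))
    return (f.get("SRC"), f.get("DST"), int(f.get("SPT", 0)),
            int(f.get("DPT", 0)), frozenset(m.group(1).split()))


def classify(flags):
    """Return (verdict, label); verdict is 'handshake', 'stray' or 'invalid'."""
    f = set(flags) - {"CWR", "ECE"}          # ECN bits do not affect the verdict
    if not f:
        return ("invalid", "NULL scan")      # nmap -sN
    if f == set(TCP_FLAGS):
        return ("invalid", "all flags set")
    if {"SYN", "FIN"} <= f:
        return ("invalid", "SYN+FIN")        # open and close at once: never legitimate
    if {"SYN", "RST"} <= f:
        return ("invalid", "SYN+RST")
    if {"FIN", "RST"} <= f:
        return ("invalid", "FIN+RST")
    if "ACK" not in f:
        if f == {"SYN"}:
            return ("handshake", "SYN (client, step 1)")
        if f == {"RST"}:
            return ("stray", "bare RST")
        if f == {"FIN", "PSH", "URG"}:
            return ("invalid", "XMAS scan")  # nmap -sX
        if "SYN" in f:
            return ("invalid", "SYN with " + "+".join(sorted(f - {"SYN"})))
        # FIN, URG, PSH alone or together without ACK: nmap -sF and variants
        return ("invalid", "+".join(sorted(f)) + " without ACK")
    if f == {"SYN", "ACK"}:
        return ("handshake", "SYN/ACK (server, step 2)")
    if f == {"ACK"}:
        return ("handshake", "ACK (client, step 3, or ACK probe)")
    if "SYN" in f:
        return ("invalid", "SYN/ACK with " + "+".join(sorted(f - {"SYN", "ACK"})))
    # ACK plus PSH/FIN/RST/URG: data, teardown or reset on an existing connection
    return ("stray", "+".join(sorted(f)))


def scan_report(log_text):
    """Per-source Counter of invalid flag combinations: what to review after 'log and drop'."""
    report = {}
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        src, _dst, _spt, _dpt, flags = parsed
        verdict, label = classify(flags)
        if verdict == "invalid":
            report.setdefault(src, Counter())[label] += 1
    return report


# Constructed sample in the LOG target's format (addresses from the RFC 5737 test ranges).
SAMPLE_LOG = """\
Jul 12 03:14:15 web kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 PROTO=TCP SPT=40404 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Jul 12 03:14:15 web kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 PROTO=TCP SPT=40404 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Jul 12 03:14:16 web kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 PROTO=TCP SPT=40404 DPT=443 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Jul 12 03:14:20 web kernel: PORT-80-PROBLEM: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 12 03:14:21 web kernel: PORT-80-PROBLEM: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=12346 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Jul 12 03:14:22 web kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=28 TOS=0x00 PREC=0x00 TTL=49 ID=0 PROTO=UDP SPT=40404 DPT=53 LEN=8
"""

if __name__ == "__main__":
    for src, counts in scan_report(SAMPLE_LOG).items():
        print(src, dict(counts))
```

The invalid labels map directly onto the --tcp-flags matches you would use to drop such packets before they reach the port rules: NULL scan is --tcp-flags ALL NONE, XMAS scan is --tcp-flags ALL FIN,PSH,URG, SYN+FIN is --tcp-flags SYN,FIN SYN,FIN, and "FIN without ACK" is --tcp-flags ACK,FIN FIN (the same shape for PSH and URG).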


#----------------------------------------------------------------
# Allow HTTP
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

# Anything to port 80 that is neither NEW nor ESTABLISHED (i.e. INVALID,
# such as a stray ACK or an out-of-window segment) falls through to here.
iptables -A INPUT -p tcp --dport 80 -j LOG --log-level 7 \
--log-prefix "PORT-80-PROBLEM: "

-m state: loads the state match; it must appear before --state.

--state takes a comma-separated list of connection-tracking states:
NEW (the first packet of an as yet unestablished connection, e.g. a SYN)
ESTABLISHED (a connection already registered in the kernel, i.e. packets have been seen in both directions)
RELATED (a new connection spawned by an existing one, e.g. an FTP data channel, or an ICMP error referring to a tracked connection)
INVALID (a packet that belongs to no known connection and is not a valid start of one; normally dropped)

RFC-793 def: 

A connection progresses through a series of states during its
  lifetime.  The states are:  LISTEN, SYN-SENT, SYN-RECEIVED,
  ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK,
  TIME-WAIT, and the fictional state CLOSED.  CLOSED is fictional
  because it represents the state when there is no TCB, and therefore,
  no connection.  Briefly the meanings of the states are:

    LISTEN - represents waiting for a connection request from any remote
    TCP and port.

    SYN-SENT - represents waiting for a matching connection request
    after having sent a connection request.

    SYN-RECEIVED - represents waiting for a confirming connection
    request acknowledgment after having both received and sent a
    connection request.

    ESTABLISHED - represents an open connection, data received can be
    delivered to the user.  The normal state for the data transfer phase
    of the connection.

    FIN-WAIT-1 - represents waiting for a connection termination request
    from the remote TCP, or an acknowledgment of the connection
    termination request previously sent.

    FIN-WAIT-2 - represents waiting for a connection termination request
    from the remote TCP.

    CLOSE-WAIT - represents waiting for a connection termination request
    from the local user.

    CLOSING - represents waiting for a connection termination request
    acknowledgment from the remote TCP.

    LAST-ACK - represents waiting for an acknowledgment of the
    connection termination request previously sent to the remote TCP
    (which includes an acknowledgment of its connection termination
    request).

    TIME-WAIT - represents waiting for enough time to pass to be sure
    the remote TCP received the acknowledgment of its connection
    termination request.

    CLOSED - represents no connection state at all.

                                    
                              +---------+ ---------\      active OPEN  
                              |  CLOSED |            \    -----------  
                              +---------+<---------\   \   create TCB  
                                |     ^              \   \  snd SYN    
                   passive OPEN |     |   CLOSE        \   \           
                   ------------ |     | ----------       \   \         
                    create TCB  |     | delete TCB         \   \       
                                V     |                      \   \     
                              +---------+            CLOSE    |    \   
                              |  LISTEN |          ---------- |     |  
                              +---------+          delete TCB |     |  
                   rcv SYN      |     |     SEND              |     |  
                  -----------   |     |    -------            |     V  
 +---------+      snd SYN,ACK  /       \   snd SYN          +---------+
 |         |<-----------------           ------------------>|         |
 |   SYN   |                    rcv SYN                     |   SYN   |
 |   RCVD  |<-----------------------------------------------|   SENT  |
 |         |                    snd ACK                     |         |
 |         |------------------           -------------------|         |
 +---------+   rcv ACK of SYN  \       /  rcv SYN,ACK       +---------+
   |           --------------   |     |   -----------                  
   |                  x         |     |     snd ACK                    
   |                            V     V                                
   |  CLOSE                   +---------+                              
   | -------                  |  ESTAB  |                              
   | snd FIN                  +---------+                              
   |                   CLOSE    |     |    rcv FIN                     
   V                  -------   |     |    -------                     
 +---------+          snd FIN  /       \   snd ACK          +---------+
 |  FIN    |<-----------------           ------------------>|  CLOSE  |
 | WAIT-1  |------------------                              |   WAIT  |
 +---------+          rcv FIN  \                            +---------+
   | rcv ACK of FIN   -------   |                            CLOSE  |  
   | --------------   snd ACK   |                           ------- |  
   V        x                   V                           snd FIN V  
 +---------+                  +---------+                   +---------+
 |FINWAIT-2|                  | CLOSING |                   | LAST-ACK|
 +---------+                  +---------+                   +---------+
   |                rcv ACK of FIN |                 rcv ACK of FIN |  
   |  rcv FIN       -------------- |    Timeout=2MSL -------------- |  
   |  -------              x       V    ------------        x       V  
    \ snd ACK                 +---------+delete TCB         +---------+
     ------------------------>|TIME WAIT|------------------>| CLOSED  |
                              +---------+                   +---------+


#-----------------------------------------------------------------
# UDP in to DNS(53) ok
# TCP packets to/from Secondaries ok (needed for zone xfers)
# These rules are stateless (no -m state), so the OUTPUT side is
# pinned to --sport 53: it passes the name server's replies and
# nothing else that happens to be headed for a high port.
#-----------------------------------------------------------------

iptables -A INPUT -p udp -s 0/0 -d $NET --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -s $NET --sport 53 -d 0/0 --dport 1023:65535 -j ACCEPT

iptables -A INPUT -p tcp -s $ZONE_XFR_1 -d $NET --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $ZONE_XFR_2 -d $NET --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $ZONE_XFR_3 -d $NET --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $ZONE_XFR_4 -d $NET --dport 53 -j ACCEPT

iptables -A OUTPUT -p tcp -s $NET --sport 53 -d $ZONE_XFR_1 --dport 1023:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET --sport 53 -d $ZONE_XFR_2 --dport 1023:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET --sport 53 -d $ZONE_XFR_3 --dport 1023:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET --sport 53 -d $ZONE_XFR_4 --dport 1023:65535 -j ACCEPT

There are 2 reasons to answer TCP queries on port 53:

  1. You want to publish record sets larger than 512 bytes. A UDP answer that does not fit is sent truncated (TC bit set) and the resolver retries over TCP, so if TCP 53 is blocked those names effectively do not resolve. (For most domains this is unlikely, though large TXT or MX sets can exceed it.)
  2. You want to allow outgoing zone transfers.

Note that the rules above only open TCP 53 to the listed secondaries; if you need reason 1, add a rule accepting TCP 53 from anywhere.

A slave server always connects to TCP port 53 of the server it is transferring the zone from. A BIND [8,9] secondary name server uses a random, unprivileged port as the source of any queries it makes to another server, but a 'transfer-source' clause in the slave server's named.conf can be used to fix the source address (and port), which is what makes the per-host $ZONE_XFR_n rules workable.

Note: DNS-over-TCP costs a three-way handshake per query and per-connection state on the server, so it is much slower than DNS-over-UDP and easier to tie up with a connection-exhaustion denial-of-service; that is why it is opened only to known secondaries here.

#**********************************************************************
#---------------------------------------------------------------
# --- FTP --- first load the ip_conntrack_ftp module
# (modprobe ip_conntrack_ftp). This host is the FTP server, so
# every rule is written from the server's point of view.
#---------------------------------------------------------------

#
# --------------INITIAL CONNECT (control channel, port 21)---------
#
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 --dport 1024:65535 \
-m state --state NEW,ESTABLISHED -j ACCEPT
#
# --------------PASSIVE IN  --------------------
# The client connects to the port we announced in the 227 reply.
# ip_conntrack_ftp marks that first packet RELATED; without the
# helper it would be NEW and fall through to the default drop.
iptables -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535  \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#
# ----------------PASV OUT--------------------
# Our replies on the passive data channel.
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535  \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#
#------------------ACTIVE------------------------------
# The server opens the data connection itself, FROM its port 20 TO
# the port the client named in its PORT command, so the RELATED
# (first) packet leaves on OUTPUT with --sport 20 and the client's
# replies arrive on INPUT with --dport 20.
iptables -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
#
# Only if this host also acts as an FTP *client* in active mode does
# the reverse pair apply (the remote server connects to us from its
# port 20):
# iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
#*********************************************************************

To use the above rules make sure that the ip_conntrack_ftp module is loaded (on newer kernels it is called nf_conntrack_ftp):

lsmod
Module                  Size  Used by    Not tainted
ip_conntrack_ftp        5296   0  (unused)
ip_conntrack           19236   1  [ipt_state ip_conntrack_ftp]
ipt_LOG                 3416  29  (autoclean)
iptable_filter          1644   1  (autoclean)
ip_tables              12416   3  [ipt_state ipt_LOG iptable_filter]
pcmcia_core            39972   0
ide-scsi                9328   0
3c59x                  25648   1
agpgart                43940   0  (unused)

ip_conntrack provides the connection state that --state matches against. ip_conntrack_ftp is a helper on top of it: it reads the PORT commands and 227 replies passing over the control connection (port 21) and registers the announced data connection as expected, so that the first packet of that data connection matches --state RELATED instead of NEW. You can permit packets that are part of an already established session with --state ESTABLISHED, and packets that open a new connection spawned by an existing one (the FTP data channel, in either mode) with --state RELATED. Without the helper the data connections would have to be let in with broad stateless rules on ports above 1023.

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls on the client side filtering the incoming data connection from the server. The classic description is that the client opens two random unprivileged ports locally (N > 1023 and N+1; real clients simply use any free unprivileged port). The first port contacts the server on port 21, but instead of then issuing a PORT command and letting the server connect back to its data port, the client issues the PASV command. The server then opens a random unprivileged port P and announces it to the client in its reply, '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)', encoded the same way as a PORT command. The client then initiates the data connection from port N+1 to port P on the server.

From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:

  FTP server's port 21 from anywhere (client initiates the control connection)
  FTP server's port 21 to remote ports 1024 and above (server responds to the client's control port)
  FTP server's ports 1024 and above from anywhere (client initiates the data connection to the random port specified by the server)
  FTP server's ports 1024 and above to remote ports 1024 and above (server sends ACKs and data to the client's data port)

An FTP client issues a PORT command to the FTP server to tell it which port the client will be listening on for the data channel connection; the server then establishes a new TCP connection to that address and port. Numerous PORT commands are issued during a single FTP session, because a new data channel must be established for each directory listing and for each file GET and PUT.

The PORT command looks like: PORT 192,168,0,3,4,15

The first four numbers are the client's IP address (192.168.0.3); the last two are the port, high byte first. Viewed in hex, 4 is 0x04 and 15 is 0x0F, so the port is 0x040F. Equivalently, multiply the second to last number by 256 and add the last one: 4*256 + 15 = 1039.

A PORT whose address is not the client's own, or whose port is below 1024, is the classic FTP bounce attack (using the server to connect to a third host, or to SMTP or DNS on the client). Modern FTP servers refuse it, and ip_conntrack_ftp will not create an expectation for a third-party address unless its 'loose' option is set.
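The decoding and the bounce check described above, as an added example (Python written for this page; not the original's code and not netfilter's ip_conntrack_ftp): it parses PORT commands and 227 replies, computes the port from its two bytes, and returns the data connection a stateful firewall should expect, refusing third-party addresses and privileged ports. The client and server addresses are constructed, and refusing ports below 1024 is a policy choice of the example (one most FTP servers also make), not something the conntrack helper does.

```python
"""Decode FTP PORT commands and 227 (PASV) replies into the data connection they announce.

Added example; not code from the original page or from netfilter.  It does the
arithmetic the text describes (4,15 -> 4*256 + 15 = 1039) and the sanity check a
stateful firewall should apply before it accepts the announced data connection as
RELATED: the address inside the command must be the address of the peer that sent
it, otherwise it is an FTP bounce attempt and no expectation is created.
All addresses below are constructed.
"""
import re

# Client -> server, active mode:   PORT h1,h2,h3,h4,p1,p2
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")
# Server -> client, passive mode:  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

PRIVILEGED_MAX = 1023   # policy of this example: data ports at or below this are refused


def decode_hostport(h1, h2, h3, h4, p1, p2):
    """Turn the six comma-separated numbers into ('a.b.c.d', port)."""
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range")
    port = p1 * 256 + p2        # p1 is the high byte, p2 the low byte: 0x04 0x0F -> 0x040F
    if port == 0:
        raise ValueError("port 0 announced")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def parse_ftp_line(line):
    """Return ('PORT'|'PASV', ip, port) if the line announces a data connection, else None."""
    m = _PORT_RE.match(line.strip())
    if m:
        return ("PORT",) + decode_hostport(*map(int, m.groups()))
    m = _PASV_RE.match(line.strip())
    if m:
        return ("PASV",) + decode_hostport(*map(int, m.groups()))
    return None


def expected_data_connection(line, client_ip, server_ip):
    """The data connection the firewall should expect, as (src_ip, src_port, dst_ip, dst_port).

    src_port None means 'any unprivileged port'.  Returns None when nothing should
    be expected: no announcement on this line, a third-party address (the check
    ip_conntrack_ftp makes when its 'loose' option is off), or a privileged port
    (this example's own policy).
    """
    parsed = parse_ftp_line(line)
    if parsed is None:
        return None
    kind, ip, port = parsed
    if port <= PRIVILEGED_MAX:
        return None
    if kind == "PORT":
        # Active mode: the server connects from its port 20 to the client's announced port.
        if ip != client_ip:
            return None
        return (server_ip, 20, client_ip, port)
    # Passive mode: the client connects from an unprivileged port to the server's announced port.
    if ip != server_ip:
        return None
    return (client_ip, None, server_ip, port)


if __name__ == "__main__":
    client, server = "192.168.0.3", "198.51.100.7"     # constructed addresses
    print(parse_ftp_line("PORT 192,168,0,3,4,15"))
    print(expected_data_connection("PORT 192,168,0,3,4,15", client, server))
    print(expected_data_connection("227 Entering Passive Mode (198,51,100,7,195,80)", client, server))
    print(expected_data_connection("PORT 10,0,0,5,0,25", client, server))   # bounce: third party, port 25
```

Running it shows the PASV case expected as a connection from the client to server port 50000 (195*256 + 80) with the source port left open, and the two bounce cases producing no expectation at all, which is what "drop anything not RELATED" then enforces.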


opening more ports in an existing ruleset (443 lands at position 25 and 143 directly below it at 26):

iptables -I INPUT 25 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 26 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT

Well Known Ports are numbered from 0 through 1023
Registered Ports are numbered from 1024 through 49151
Dynamic Ports are numbered from 49152 through 65535

Adding a new rule chain

iptables -N LOG_DROP                       # defines a new (user) chain
iptables -A LOG_DROP -m limit --limit 3/hour --limit-burst 5 \
-j LOG --log-level warning --log-prefix "dropped: "
iptables -A LOG_DROP -j DROP
iptables ...specify-rules-here... -j LOG_DROP

LOG is usually combined with -m limit so that a flood of dropped packets cannot fill the log (or the disk):
--limit        average rate, e.g. 3/hour or 10/minute (default 3/hour)
--limit-burst  how many packets may match before the average rate applies (default 5)
With the defaults, the first 5 matches are logged at once, then at most one every 20 minutes. Packets over the limit are still dropped by the second rule, just not logged.
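To see what those defaults mean for a flood, here is an added model of the limit match (example code for this page; not netfilter's xt_limit, and an idealised token bucket rather than the kernel's integer credit arithmetic). The rate and burst values are the defaults from the text; the arrival times are constructed.

```python
"""Model of the iptables 'limit' match, to predict how many LOG lines a flood produces.

Added example; an idealised model, not netfilter's code.  The limit match is a
token bucket: it starts full with 'burst' tokens, refills at the average rate,
and a packet matches (reaches the LOG target) only if a token is available.
Defaults are the ones the text gives: 3/hour with a burst of 5.  Fractions keep
the arithmetic exact so the 20-minute refill boundary is reproduced precisely.
"""
from fractions import Fraction

_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class LimitMatch:
    """One instance per rule, like the per-rule state netfilter keeps."""

    def __init__(self, rate="3/hour", burst=5):
        count, unit = rate.split("/")
        self.per_second = Fraction(int(count), _UNITS[unit])   # tokens added per second
        self.burst = Fraction(burst)
        self.credit = self.burst        # bucket starts full
        self.last = Fraction(0)

    def match(self, now):
        """True if a packet at time 'now' (seconds) matches, i.e. would be logged."""
        now = Fraction(now)
        refill = (now - self.last) * self.per_second
        self.credit = min(self.burst, self.credit + refill)   # never more than 'burst' tokens
        self.last = now
        if self.credit >= 1:
            self.credit -= 1
            return True
        return False


def logged_arrivals(arrivals, rate="3/hour", burst=5):
    """Given packet arrival times (seconds, non-decreasing), return the ones that get logged."""
    lm = LimitMatch(rate, burst)
    return [t for t in arrivals if lm.match(t)]


if __name__ == "__main__":
    # A 1000-packet port scan inside one second logs only the first 5 lines...
    print(len(logged_arrivals([i / 1000 for i in range(1000)])))
    # ...and then one line every 20 minutes (3/hour) for as long as the scan continues.
    print(logged_arrivals([0, 0, 0, 0, 0, 0, 1199, 1200, 1800, 2400]))
```

The practical consequence: a scan of thousands of packets produces five log lines and then one every twenty minutes. If you need to see more of an attack on a particular prefix, raise --limit-burst for that rule rather than removing -m limit altogether.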

:: Tcpdump works "closer to the wire" than netfilter. On the inbound side it taps the interface before the packet enters the IP stack and the PREROUTING/INPUT chains, so it sees everything that hits the interface whether netfilter accepts it or drops it. The opposite holds on the outbound side: a packet dropped in OUTPUT never reaches the interface, so tcpdump will not show it. Use tcpdump to confirm that a probe arrived, and the LOG rules to see what the firewall did with it.

Powered By Fat Penguin Hosting   |   Disclaimer