Firewall Critique - IPTables For Router

am 12.10.2006 16:03:50 von idgarad

The following is a firewall written via BASH and IPTABLES. There is a
DHCP assigned WAN interface, and a single physical connection for the
internal network with two IPs bound to it, one for the real network,
the 192.168.1.xxx network and a network 10.0.0.xxx which is populated
by VMWare Server machines. How well written is this firewall, scored by
US academic scores? (A,B,C,D,F, No credit go to the principal's office
now!!!)

---- START -----
########################################################################
# First set LC_ALL to en to avoid l10n problems when awk-ing IPs etc.
export LC_ALL="en"

########################################################################
# VARIABLE DEFINITION
########################################################################
INTIF1=eth0
EXTIF=eth1
VIRIF=eth0

# ****** Loop device/localhost ******
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"

# ****** Text tools variables ******
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'

# ****** Markable Priorities ******
MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"

# ****** Rates ******
UPRATE="256kbit"
P2PRATE="128kbit"
PRIORATE1="65kbit"
PRIORATE2="46kbit"
PRIORATE3="27kbit"
PRIORATE4="8kbit"

# ****** Quantum ******
QUANTUM1="12187"
QUANTUM2="8625"
QUANTUM3="5062"
QUANTUM4="1500"

# ****** Burst ******
BURST1="6k"
BURST2="4k"
BURST3="2k"
BURST4="0k"
CBURST1="3k"
CBURST2="2k"
CBURST3="1k"
CBURST4="0k"

# ****** Port Definitions ******
IRC='ircd'
MSN=1863
ICQ=5190
NFS='sunrpc'
PORTAGE='rsync'
BT='50000:50100'
NATRANGES='2222 2223 2224 51100:51200 51300:51400 51500:51600
51700:51800'
OpenPGP_HTTP_Keyserver=11371

TCPSERV="8080 domain rsync ssh http https ftp ftp-data mail pop3 pop3s
imap3 imaps imap2 time $PORTAGE $IRC $MSN $ICQ $OpenPGP_HTTP_Keyserver
$BT $NATRANGES"

UDPSERV="8080 domain time rsync $BT $NATRANGES"

########################################################################
# PORT BLOCKING RULES
########################################################################
# ****** Common Ports For both UDP and TCP ******
COMBLOCK="0:1 13 98 111 137:139 1214 1999 2049 3049 4329 6346 3128 8000
8008 12345 65535"

# ****** TCP Ports to Block ******
TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"

# ***** UDP Ports To Block ******
UDPBLOCK="$COMBLOCK 520 123 517:518 1427 9000"


########################################################################
# QoS Config
# "QoS is not complete yet as we still need to mark our traffic"
# ***** Example for ICMP *****
# iptables -t mangle -A FORWARD -p icmp -j MARK --set-mark $MARKPRIO1
# iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark $MARKPRIO1
# We will echo this out rather than internal comments for this
# section only...
########################################################################
echo "STARTING QoS Config"

echo "******Set queue length for $EXTIF******"
$IFC $EXTIF txqueuelen 16

echo "******Specify queue discipline******"
tc qdisc add dev $EXTIF root handle 1:0 htb default 103 r2q 1

echo "******Set root class******"
tc class add dev $EXTIF parent 1:0 classid 1:1 htb rate $UPRATE \
    burst $BURST1 cburst $CBURST1

echo "******Specify sub classes*******"
tc class add dev $EXTIF parent 1:1 classid 1:101 htb rate $PRIORATE1 \
    ceil $UPRATE quantum $QUANTUM1 burst $BURST1 cburst $CBURST1 prio 0

tc class add dev $EXTIF parent 1:1 classid 1:102 htb rate $PRIORATE2 \
    ceil $UPRATE quantum $QUANTUM2 burst $BURST2 cburst $CBURST2 prio 1

tc class add dev $EXTIF parent 1:1 classid 1:103 htb rate $PRIORATE3 \
    ceil $UPRATE quantum $QUANTUM3 burst $BURST3 cburst $CBURST3 prio 2

tc class add dev $EXTIF parent 1:1 classid 1:104 htb rate $PRIORATE4 \
    ceil $P2PRATE quantum $QUANTUM4 burst $BURST4 cburst $CBURST4 prio 3

echo "******Filter packets (effectively translate the priority to a class ID)******"
tc filter add dev $EXTIF parent 1:0 protocol ip prio 0 handle $MARKPRIO1 fw classid 1:101
tc filter add dev $EXTIF parent 1:0 protocol ip prio 1 handle $MARKPRIO2 fw classid 1:102
tc filter add dev $EXTIF parent 1:0 protocol ip prio 2 handle $MARKPRIO3 fw classid 1:103
tc filter add dev $EXTIF parent 1:0 protocol ip prio 3 handle $MARKPRIO4 fw classid 1:104

echo "******Add queuing disciplines******"
tc qdisc add dev $EXTIF parent 1:101 sfq perturb 16 quantum $QUANTUM1
tc qdisc add dev $EXTIF parent 1:102 sfq perturb 16 quantum $QUANTUM2
tc qdisc add dev $EXTIF parent 1:103 sfq perturb 16 quantum $QUANTUM3
tc qdisc add dev $EXTIF parent 1:104 sfq perturb 16 quantum $QUANTUM4

########################################################################
# Deny then accept: this keeps holes from opening up
# while we close ports and such. Effectively this means any unmatched
# traffic is DROPPED.
########################################################################
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

########################################################################
# Flush all existing chains and erase personal chains
# "This is to reset the Fail2Ban chain"
# /proc/net/ip_tables_names lists the loaded tables (filter, nat, mangle);
# every chain in every table is flushed, then the user chains are deleted.
########################################################################
TABLES=`cat /proc/net/ip_tables_names 2>/dev/null`
for t in $TABLES;
do
    $IPT -t $t -F
done
for t in $TABLES;
do
    $IPT -t $t -X
done

########################################################################
# Ensure Firewall Options are on in the kernel
########################################################################
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

########################################################################
# Source Address Verification
########################################################################
for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do
    echo 1 > $f
done
########################################################################
# Disable IP source routing and ICMP redirects
########################################################################
for f in /proc/sys/net/ipv4/conf/*/accept_source_route;
do
    echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects;
do
    echo 0 > $f
done
echo 1 > /proc/sys/net/ipv4/ip_forward

########################################################################
# Setting up external interface environment variables
# and output Network Settings
# ('inet addr:' rather than 'addr:' so the inet6 line is not matched too)
########################################################################
EXTIP="`$IFC $EXTIF|$G 'inet addr:'|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
EXTBC="255.255.255.255"
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"

INTIP1="`$IFC $INTIF1|$G 'inet addr:'|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET1="$INTIP1/$INTMSK1"
echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"

VIRIP="`$IFC $VIRIF:1|$G 'inet addr:'|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
VIRBC="`$IFC $VIRIF:1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
VIRMSK="`$IFC $VIRIF:1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
VIRNET="$VIRIP/$VIRMSK"
echo "VIRIP=$VIRIP VIRBC=$VIRBC VIRMSK=$VIRMSK VIRNET=$VIRNET"


###########################################
# !!!! BEGIN FIREWALL RULES !!!!
###########################################
#
# ####### #######
# ####### #######
# ####### #######
# ####### #######
# ####### #######
# ####### #######
# ####### #######
# ####### #######
# ####### #######
# ####### #######
# ############### ###############
# ############# #############
# ########### ###########
# ######### #########
# ####### #######
# ##### #####
# ### ###
# # #
#
###########################################


#0######################################################################
# CUSTOM LOGGING GROUPS
########################################################################

# ****** Drop LOG *******
# Anything Dropped
# ***********************
$IPT -N LOGDROP 2> /dev/null
$IPT -A LOGDROP -j LOG --log-prefix 'DROP:'
$IPT -A LOGDROP -j DROP

# ****** Reject LOG *******
# Anything Rejected
# ***********************
$IPT -N LOGREJECT 2> /dev/null
$IPT -A LOGREJECT -j LOG --log-prefix 'LOGREJECT:'
$IPT -A LOGREJECT -j REJECT

# ****** Broadcast LOG *******
# Anything Broadcast
# ***********************
$IPT -N LOGBROADCAST 2> /dev/null
$IPT -A LOGBROADCAST -j LOG --log-prefix 'LOGBROADCAST:'
$IPT -A LOGBROADCAST -j REJECT

# ****** Foreign LOG *******
# Wrong Subnet traffic
# ***********************
$IPT -N LOGFOREIGN 2> /dev/null
$IPT -A LOGFOREIGN -j LOG --log-prefix 'LOGFOREIGN:'
$IPT -A LOGFOREIGN -j REJECT


#Q#########################################
# QoS Prioritize Traffic Types
# This section will need a rewrite eventually
###########################################

# ****** Priority 1 *******
# * Critical and System
# *************************

# **********
# ***** icmp
# **********
$IPT -t mangle -A FORWARD -p icmp -j MARK --set-mark $MARKPRIO1
$IPT -t mangle -A OUTPUT -p icmp -j MARK --set-mark $MARKPRIO1

# **********
# ***** SSH
# **********
$IPT -t mangle -A FORWARD -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1
$IPT -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1

# **********
# ***** NON-TCP
# **********
$IPT -t mangle -A FORWARD -p ! tcp -j MARK --set-mark $MARKPRIO1
$IPT -t mangle -A OUTPUT -p ! tcp -j MARK --set-mark $MARKPRIO1

# ****** Priority 2 *******
# * Reserved For Future
# *************************


# ****** Priority 3 *******
# * HTTP Traffic
# *************************

# **********
# ***** HTTP
# **********
$IPT -t mangle -A FORWARD -p tcp --dport 80 -j MARK --set-mark $MARKPRIO3
$IPT -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark $MARKPRIO3

# **********
# ***** HTTPS
# **********
$IPT -t mangle -A FORWARD -p tcp --dport 443 -j MARK --set-mark $MARKPRIO3
$IPT -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark $MARKPRIO3

# **********
# ***** SMTP
# **********
$IPT -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3
$IPT -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3

# ****** Priority 4 *******
# * packets > 1024 bytes
# *************************
$IPT -t mangle -A FORWARD -p tcp -m length --length 1024: -j MARK --set-mark $MARKPRIO4

# **********
# ***** Bittorrent
# **********
$IPT -t mangle -A FORWARD -i $EXTIF -p tcp --sport $BT -j MARK --set-mark $MARKPRIO4
$IPT -t mangle -A FORWARD -i $EXTIF -p tcp --dport $BT -j MARK --set-mark $MARKPRIO4

# ****** TOS Priority *******
# Remaining packets are marked according to TOS
# ***************************
$IPT -t mangle -A FORWARD -p tcp -m tos --tos Minimize-Delay -m mark --mark 0 \
    -j MARK --set-mark $MARKPRIO1
$IPT -t mangle -A FORWARD -p tcp -m tos --tos Maximize-Throughput -m mark --mark 0 \
    -j MARK --set-mark $MARKPRIO2
$IPT -t mangle -A FORWARD -p tcp -m tos --tos Minimize-Cost -m mark --mark 0 \
    -j MARK --set-mark $MARKPRIO4



# Keep Existing Connections Alive on a re-run
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT



# MASQUERADE RULES (accept new connections from the real LAN)
$IPT -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT

# MASQUERADE RULES (accept new connections from the VM LAN)
$IPT -A INPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -s 10.0.0.0/24 -m state --state NEW -j ACCEPT

# Backup SSH
$IPT -A INPUT -p tcp -m tcp -s 192.168.1.180 --dport 22 -m state \
    --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp -d 192.168.1.180 --sport 22 -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
# Backup EXT SSH
$IPT -A INPUT -p tcp -m tcp -i $EXTIF --dport 22 -m state \
    --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp -o $EXTIF --sport 22 -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
#11#####################################################################
# NAT RULES
########################################################################
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXTIF -s $VIRNET -j MASQUERADE

# NOTE: this matches every tracked forwarded packet, so the FORWARD rules
# appended below it only ever see packets in state INVALID.
$IPT -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


#1######################################################################
# LOOPBACK RULES
# --------------
# Now we are going to accept all traffic from our loopback device
# if the IP matches any of our interfaces.
########################################################################
$IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $INTIP1 -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $VIRIP -j ACCEPT

#2######################################################################
# BROADCAST RULES (LOG TO LOGBROADCAST)
# ---------------
# Blocking Broadcasts
########################################################################
$IPT -A INPUT -i $EXTIF -d $EXTBC -j LOGBROADCAST
$IPT -A INPUT -i $INTIF1 -d $INTBC1 -j LOGBROADCAST
$IPT -A INPUT -i $VIRIF -d $VIRBC -j LOGBROADCAST

$IPT -A OUTPUT -o $EXTIF -d $EXTBC -j LOGBROADCAST
$IPT -A OUTPUT -o $INTIF1 -d $INTBC1 -j LOGBROADCAST
$IPT -A OUTPUT -o $VIRIF -d $VIRBC -j LOGBROADCAST

$IPT -A FORWARD -o $EXTIF -d $EXTBC -j LOGBROADCAST
$IPT -A FORWARD -o $INTIF1 -d $INTBC1 -j LOGBROADCAST
$IPT -A FORWARD -o $VIRIF -d $VIRBC -j LOGBROADCAST


#3######################################################################
# WAN TO LAN RULES (LOG TO LOGDROP)
# ----------------
# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into our external interface does not originate from
# our isp assigned ip address, drop it like a hot potato"
########################################################################
$IPT -A INPUT -i $EXTIF -d ! $EXTIP -j LOGDROP

#5######################################################################
# ALLOW DNS
########################################################################
$IPT -A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT

#6######################################################################
# Block outbound ICMP (except for PING)
########################################################################
$IPT -A OUTPUT -o $EXTIF -p icmp --icmp-type ! 8 -j LOGDROP
$IPT -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j LOGDROP

#7######################################################################
# Loop and Block Ports
########################################################################
echo -n "FW: Blocking attacks to TCP port "
for i in $TCPBLOCK;
do
    echo -n "$i "
    $IPT -A INPUT -p tcp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-1-$i"
    $IPT -A OUTPUT -p tcp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-2-$i"
    $IPT -A FORWARD -p tcp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-3-$i"
done
echo ""
echo -n "FW: Blocking attacks to UDP port "
for i in $UDPBLOCK;
do
    echo -n "$i "
    $IPT -A INPUT -p udp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-4-$i"
    $IPT -A OUTPUT -p udp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-5-$i"
    $IPT -A FORWARD -p udp --dport $i -j LOGDROP -m comment --comment "Rule Block 7-6-$i"
done
echo ""

#8######################################################################
# Loop and Allow Ports to be used from LAN. THESE ARE NOT NAT RULES!!
# If you are going to NAT a port range you have to add it here also
# All service ports are read from /etc/services
# WHAT DO WE ALLOW PEOPLE INSIDE OUR NETWORK TO USE
########################################################################
echo -n "FW: Allowing inside systems to use service:"
for i in $TCPSERV;
do
    echo -n "$i "
    $IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW \
        -j ACCEPT -m comment --comment "Rule Block 8-1-$i"
    $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 --dport $i --syn -m state --state NEW \
        -j ACCEPT -m comment --comment "Rule Block 8-2-$i"
    $IPT -A FORWARD -i $VIRIF -p tcp -s $VIRNET --dport $i --syn -m state --state NEW \
        -j ACCEPT -m comment --comment "Rule Block 8-3-$i"
done
echo ""
echo -n "FW: Allowing inside systems to use service:"
for i in $UDPSERV;
do
    echo -n "$i "
    $IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW \
        -j ACCEPT -m comment --comment "Rule Block 8-4-$i"
    $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 --dport $i -m state --state NEW \
        -j ACCEPT -m comment --comment "Rule Block 8-5-$i"
    $IPT -A FORWARD -i $VIRIF -p udp -s $VIRNET --dport $i -m state --state NEW \
        -j ACCEPT -m comment --comment "Rule Block 8-6-$i"
done
echo ""

#9######################################################################
# Allow to ping out
########################################################################
$IPT -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state \
    --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state \
    --state NEW -j ACCEPT
$IPT -A FORWARD -i $VIRIF -p icmp -s $VIRNET --icmp-type 8 -m state \
    --state NEW -j ACCEPT

#10#####################################################################
# Allow firewall to ping internal systems
########################################################################
$IPT -A OUTPUT -o $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state \
    --state NEW -j ACCEPT
$IPT -A INPUT -i $INTIF1 -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -o $VIRIF -p icmp -s $VIRNET --icmp-type 8 -m state \
    --state NEW -j ACCEPT
$IPT -A INPUT -i $VIRIF -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

#12#####################################################################
# NAT Translations (INSERT ON THE FORWARD)
########################################################################

#***********************************************************************
#* Bit Torrent to MOAT
#***********************************************************************
$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport $BT -j DNAT \
    --to-destination 192.168.1.180
$IPT -A FORWARD -s 192.168.1.180 -p tcp --dport $BT -j ACCEPT
$IPT -t nat -A PREROUTING -i $EXTIF -p udp --dport $BT -j DNAT \
    --to-destination 192.168.1.180
$IPT -A FORWARD -s 192.168.1.180 -p udp --dport $BT -j ACCEPT
#***********************************************************************
#* SSH To Internal Servers
#***********************************************************************
$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 2222 -j DNAT \
    --to-destination 10.0.0.1
$IPT -A FORWARD -s 10.0.0.1 -p tcp --dport 2222 -j ACCEPT
$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 2223 -j DNAT \
    --to-destination 10.0.0.101
$IPT -A FORWARD -s 10.0.0.101 -p tcp --dport 2223 -j ACCEPT
$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 2224 -j DNAT \
    --to-destination 10.0.0.102
$IPT -A FORWARD -s 10.0.0.102 -p tcp --dport 2224 -j ACCEPT

$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 'rsync' -j DNAT \
    --to-destination 10.0.0.1
$IPT -A FORWARD -s 10.0.0.1 -p tcp --dport 'rsync' -j ACCEPT
$IPT -t nat -A PREROUTING -i $EXTIF -p udp --dport 'rsync' -j DNAT \
    --to-destination 10.0.0.1
# udp here, to match the udp DNAT above (was a tcp copy-paste)
$IPT -A FORWARD -s 10.0.0.1 -p udp --dport 'rsync' -j ACCEPT
########################################################################



# Comms between the Local LAN and the VM LAN. For now, unrestricted
$IPT -A FORWARD -s $INTNET1 -d $VIRNET -j ACCEPT
$IPT -A FORWARD -s $VIRNET -d $INTNET1 -j ACCEPT





#4######################################################################
# FOREIGN LAN RULES (LOG TO LOGFOREIGN)
# Now we will block internal addresses originating from anything but our
# two predefined interfaces.....just remember that if you jack your
# laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line
# explicitly for that IP as well
# Interface one/internal net one
# These rules don't seem to work as the source should be a network not
# an address, plus with two different subnets bound to the same IF these
# would implode and possess the toaster resulting in mayhem, anarchy, and
# a 3's Company revival
########################################################################
#$IPT -A INPUT -i $INTIF1 -s ! $INTNET1 -j LOGFOREIGN
#$IPT -A OUTPUT -o $INTIF1 -d ! $INTNET1 -j LOGFOREIGN
#$IPT -A FORWARD -i $INTIF1 -s ! $INTNET1 -j LOGFOREIGN
#$IPT -A FORWARD -o $INTIF1 -d ! $INTNET1 -j LOGFOREIGN

#$IPT -A INPUT -i $VIRIF -s ! $VIRNET -j LOGFOREIGN
#$IPT -A OUTPUT -o $VIRIF -d ! $VIRNET -j LOGFOREIGN
#$IPT -A FORWARD -i $VIRIF -s ! $VIRNET -j LOGFOREIGN
#$IPT -A FORWARD -o $VIRIF -d ! $VIRNET -j LOGFOREIGN

# An additional Egress check
$IPT -A OUTPUT -o $EXTIF -s ! $EXTNET -j LOGFOREIGN

#13#####################################################################
# Block and log what we may have forgotten (APPEND)
########################################################################
$IPT -A INPUT -j LOGDROP
$IPT -A OUTPUT -j LOGREJECT
$IPT -A FORWARD -j LOGDROP

--- SNIP ----

Re: Firewall Critique - IPTables For Router

am 12.10.2006 19:45:37 von Ansgar -59cobalt- Wiechers

Idgarad wrote:
> The following is a firewall written via BASH and IPTABLES. There is a
> DHCP assigned WAN interface, and a single physical connection for the
> internal network with two IPs bound to it, one for the real network,
> the 192.168.1.xxx network and a network 10.0.0.xxx which is populated
> by VMWare Server machines. How well written is this firewall, scored by
> US academic scores? (A,B,C,D,F, No credit go to the principal's office
> now!!!)

I'm not going to grade this, but rather comment on some points I
noticed.

> ---- START -----
> ########################################################################
> # First set LC_ALL to en to avoid l10n problems when awk-ing IPs etc.
> export LC_ALL="en"
>
> ############################################################ ############
> # VARIABLE DEFINITION
> ############################################################ ############
[...]
> ############################################################ ############
> # Deny then accept: this keeps holes from opening up
> # while we close ports and such. Effectivly this means any unmatched
> # traffic is DROPPED.
> ############################################################ ############
> $IPT -P INPUT DROP
> $IPT -P OUTPUT DROP
> $IPT -P FORWARD DROP

Setting the default policies to DROP is good. However, you don't set
default policies for the other chains (e.g. the PRE- and POSTROUTING
chains in the nat and mangle table). Also the very first thing you
should do after variable definitions (IMHO) is to disable IP-forwarding.
You can re-enable it after the default policies are set.

[...]
> ############################################################ ############
> # Ensure Firewall Option are on in the kernel
> ############################################################ ############
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> ############################################################ ############
> # Source Address Verification
> ############################################################ ############
> for f in /proc/sys/net/ipv4/conf/*/rp_filter;
> do
> echo 1 > $f
> done

I prefer to set the options before I set the default policies, but
that's probably just a personal preference. Aside from that here's a
nice little something I've seen a while ago, which makes setting the
options a little more human-readable:

enable() {
for option in "$@"; do
echo "1" > $option
done
}

disable() {
for option in "$@"; do
echo "0" > $option
done
}

disable /proc/sys/net/ipv4/ip_forward

enable /proc/sys/net/ipv4/tcp_syncookies
enable /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
enable /proc/sys/net/ipv4/conf/*/rp_filter
....

enable /proc/sys/net/ipv4/ip_forward

[...]
> # ****** Reject LOG *******
> # Anything Rejected
> # ***********************
> $IPT -N LOGREJECT 2> /dev/null
> $IPT -A LOGREJECT -j LOG --log-prefix 'LOGREJECT:'
> $IPT -A LOGREJECT -j REJECT

I'd be more specific about the rejections:

$IPT -A LOGREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPT -A LOGREJECT -p udp -j REJECT --reject-with icmp-port-unreachable

[...]
> #Keep Existing Connections Alive on a re-run
> $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

I prefer to sort my rules by chain (i.e. first set all the rules for the
INPUT chain, then all the rules for the OUTPUT chain, ...).

> # MASQURADE RULES
> $IPT -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
> $IPT -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
>
> # MASQURADE RULES
> $IPT -A INPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
> $IPT -A FORWARD -s 10.0.0.0/24 -m state --state NEW -j ACCEPT

Above you set a great deal of variables, but here you write addresses as
literals. I'd rather set variables for these as well. Also you're using
"/24" as the netmask here, whereas you have used "/255.0.0.0" above. I
suggest using either one or the other to keep the notation consistent.

> # Backup SSH
> $IPT -A INPUT -p tcp -m tcp -s 192.168.1.180 --dport 22 -m state \
> --state NEW,ESTABLISHED -j ACCEPT
> $IPT -A OUTPUT -p tcp -m tcp -d 192.168.1.180 --sport 22 -m state \
> --state ESTABLISHED,RELATED -j ACCEPT
> # Backup EXT SSH
> $IPT -A INPUT -p tcp -m tcp -i $EXTIF --dport 22 -m state \
> --state NEW,ESTABLISHED -j ACCEPT
> $IPT -A OUTPUT -p tcp -m tcp -o $EXTIF --sport 22 -m state \
> --state ESTABLISHED,RELATED -j ACCEPT

The OUTPUT rules are superfluous since you already allowed all
ESTABLISHED,RELATED traffic. And since you allow SSH from any host on
the external interface I'd just allow SSH from any host on the internal
interface as well (unless there are serious reasons not to).

[...]
> #1########################################################## ############
> # LOOPBACK RULES
> # --------------
> # Now we are going to accpet all traffic from our loopback device
> # if the IP matches any of our interfaces.
> ############################################################ ############
> $IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
> $IPT -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
> $IPT -A INPUT -i $LPDIF -s $INTIP1 -j ACCEPT
> $IPT -A INPUT -i $LPDIF -s $VIRIP -j ACCEPT

Is there any reason to not just accept any traffic on the loopback
interface and be done with it?

[...]
> #5########################################################## ############
> # ALLOW DNS
> ############################################################ ############
> $IPT -A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j
> ACCEPT
> $IPT -A INPUT -p udp -m udp --dport 53 -m state --state NEW -j
> ACCEPT
> $IPT -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j
> ACCEPT
> $IPT -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j
> ACCEPT
>
> #6########################################################## ############
> # Block outbound ICMP (except for PING)
> ############################################################ ############
> $IPT -A OUTPUT -o $EXTIF -p icmp --icmp-type ! 8 -j LOGDROP
> $IPT -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j LOGDROP

Ping needs not only ICMP type 8 (echo-request) but also ICMP type 0
(echo-reply). You may want to allow some other types (e.g. 3 or 12) as
well.

> #7########################################################## ############
> # Loop and Block Ports
> ############################################################ ############
> echo -n "FW: Blocking attacks to TCP port "
> for i in $TCPBLOCK;
> do
> echo -n "$i "
> $IPT -A INPUT -p tcp --dport $i -j LOGDROP -m comment --comment
> "Rule Block 7-1-$i"
> $IPT -A OUTPUT -p tcp --dport $i -j LOGDROP -m comment --comment
> "Rule Block 7-2-$i"
> $IPT -A FORWARD -p tcp --dport $i -j LOGDROP -m comment --comment
> "Rule Block 7-3-$i"
> done

Use REJECT rather than DROP, and unless you are in dire need of knowing
when access to these ports was denied I wouldn't log it anyway. It just
increases the size of your logs.

[...]
> #8########################################################## ############
> # Loop and Allow Ports to be used from LAN THESE ARE NOT NAT RULES!!
> # If you are going to NAT a port range you have to add it here also
> # All services ports are read from /etc/services
> # WHAT DO WE ALLOW PEOPLE INSIDE OUR NETWORK TO USE
> ############################################################ ############
> echo -n "FW: Allowing inside systems to use service:"
> for i in $TCPSERV;
> do
> echo -n "$i "
> $IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m
> state --state NEW -j ACCEPT -m comment --comment "Rule Block 8-1-$i"
> $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 --dport $i --syn -m
> state --state NEW -j ACCEPT -m comment --comment "Rule Block 8-2-$i"
> $IPT -A FORWARD -i $VIRIF -p tcp -s $VIRNET --dport $i --syn -m state
> --state NEW -j ACCEPT -m comment --comment "Rule Block 8-3-$i"
>
> done
> echo ""

"--syn" and "--state NEW" are equivalent. You need only one of them.

[...]
> #9######################################################################
> # Allow to ping out
> ############################################################ ############
> $IPT -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state \
> --state NEW -j ACCEPT
> $IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state \
> --state NEW -j ACCEPT
> $IPT -A FORWARD -i $VIRIF -p icmp -s $VIRNET --icmp-type 8 -m state \
> --state NEW -j ACCEPT

I'm not sure if "state" applies to ICMP packets.

> #10######################################################### ############
> # Allow firewall to ping internal systems
> ############################################################ ############
> $IPT -A OUTPUT -o $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state \
> --state NEW -j ACCEPT
> $IPT -A INPUT -i $INTIF1 -p tcp --dport 22 --syn -m state \
> --state NEW -j ACCEPT
>
> $IPT -A OUTPUT -o $VIRIF -p icmp -s $VIRNET --icmp-type 8 -m state \
> --state NEW -j ACCEPT
> $IPT -A INPUT -i $VIRIF -p tcp --dport 22 --syn -m state \
> --state NEW -j ACCEPT

So you're allowing SSH from any host on the other interfaces as well.
Why did you make four rules instead of just one?

$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Aside from that: keep your rules simple. You're making things way too
complicated.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
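Ansgar's remark that the OUTPUT SSH rules are superfluous is a rule-shadowing problem: an earlier rule in the same chain already decides every packet they could match. As an added example (not code from the thread), the POSIX sh below records the rules an iptables script would issue by pointing IPT at a recorder function instead of /sbin/iptables, then lists the shadowed ones; the record/classify/shadowed_rules helpers, the constructed sample rules and the treatment of the script's LOGDROP/LOGREJECT chains as terminal are this example's assumptions.

```shell
#!/bin/sh
# Dry-run recorder and shadow check for an iptables script (added example).
# Run the rule section with IPT=record instead of /sbin/iptables, then call
# shadowed_rules: it reports every rule that an earlier rule in the same
# table/chain already decides for every packet the later rule could match.

RULES=""   # recorded rules, one per line: "<n> <table> <chain> <args>"
N=0
# Targets treated as terminal: the built-ins plus the script's own logging
# chains, which end in DROP/REJECT (assumption made for this example).
TERMINAL="ACCEPT DROP REJECT LOGDROP LOGREJECT"

record() {
    table=filter; chain=""; args=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -t) table=$2; shift 2 ;;
            -A|-I) chain=$2; shift 2 ;;
            -P|-N|-F|-X) return 0 ;;   # policy and chain management, not rules
            *) args="$args $1"; shift ;;
        esac
    done
    [ -n "$chain" ] || return 0
    N=$((N + 1))
    RULES="${RULES}${N} ${table} ${chain}${args}
"
}

# Summarise a rule's arguments as "<states>|<extra>|<target>": <states> is the
# --state list (ANY if absent), <extra> is yes when any match other than the
# state match is present, <target> is the -j target.
classify() {
    states=ANY; extra=no; target=""
    set -f; set -- $1; set +f        # word-split without glob expansion
    while [ $# -gt 0 ]; do
        case "$1" in
            -m) [ "$2" = state ] || extra=yes; shift 2 ;;
            --state) states=$2; shift 2 ;;
            -j) target=$2; shift 2 ;;
            *) extra=yes; shift ;;
        esac
    done
    printf '%s|%s|%s\n' "$states" "$extra" "$target"
}

# True when every state in the comma list $1 appears in $2. ANY as $2 covers
# everything; a later rule without a state match (ANY) is covered only by an
# earlier ANY, so NEW,ESTABLISHED,RELATED does not cover it (INVALID remains).
states_covered() {
    [ "$2" = ANY ] && return 0
    [ "$1" = ANY ] && return 1
    rest=$1,
    while [ -n "$rest" ]; do
        s=${rest%%,*}; rest=${rest#*,}
        case ",$2," in *",$s,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Split a recorded line into r_n / r_tbl / r_chn / r_args (leading space kept).
split_rule() {
    r_n=${1%% *}; r=${1#* }
    r_tbl=${r%% *}; r=${r#* }
    r_chn=${r%% *}; r_args=" ${r#* }"
}

shadowed_rules() {
    printf '%s' "$RULES" | while IFS= read -r later; do
        split_rule "$later"
        n=$r_n; tbl=$r_tbl; chn=$r_chn; largs=$r_args
        lc=$(classify "$largs"); lstates=${lc%%|*}
        printf '%s' "$RULES" | while IFS= read -r earlier; do
            split_rule "$earlier"
            [ "$r_n" -lt "$n" ] || break               # only rules before ours
            [ "$r_tbl/$r_chn" = "$tbl/$chn" ] || continue
            ec=$(classify "$r_args")
            estates=${ec%%|*}; rest=${ec#*|}; eextra=${rest%%|*}; etarget=${rest#*|}
            [ "$eextra" = no ] || continue             # earlier rule is selective
            case " $TERMINAL " in *" $etarget "*) ;; *) continue ;; esac
            if states_covered "$lstates" "$estates"; then
                printf 'rule %s (%s %s%s) is shadowed by rule %s\n' \
                    "$n" "$tbl" "$chn" "$largs" "$r_n"
                break
            fi
        done
    done
}

# Constructed sample modelled on the OP's INPUT/OUTPUT/FORWARD rules.
load_sample() {
    RULES=""; N=0; IPT=record
    $IPT -P INPUT DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Backup SSH: the INPUT rules add NEW, the OUTPUT rules add nothing.
    $IPT -A INPUT -p tcp -m tcp -s 192.168.1.180 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp -m tcp -d 192.168.1.180 --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp -m tcp -i eth1 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp -m tcp -o eth1 --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s 192.168.1.180 -p tcp --dport 50000:50100 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
}

shadowed_count() { load_sample; shadowed_rules | wc -l | tr -d ' '; }

load_sample
shadowed_rules          # prints the two OUTPUT --sport 22 rules
```

The check is deliberately strict: the FORWARD rule after the catch-all `--state NEW,ESTABLISHED,RELATED -j ACCEPT` is not reported, because INVALID packets still reach it, although in practice those are the only packets it will ever see.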

Re: Firewall Critique - IPTables For Router

am 12.10.2006 21:51:51 von Greg Hennessy

On 12 Oct 2006 07:03:50 -0700, "Idgarad" wrote:

>The following is a firewall written via BASH and IPTABLES. There is a
>DHCP assigned WAN interface, and a single physical connection for the
>internal network with two IPs bound to is, one for the real network,
>the 192.168.1.xxx network and a network 10.0.0.xxx which is populated
>by VMWare Server machines. How well written is this firewall, scored by
>US academic scores?

No disrespect, but....

Like all hand crafted IPTables policies of more than 5 lines it's an
unmaintainable nightmare when compared to the alternatives.

I would prefer to have teeth pulled with a rusty molegrips than to have to
face managing it everyday.


greg
--
"Hello, 911? It's Quagmire. Yeah... it's in a window this time."

Re: Firewall Critique - IPTables For Router

am 12.10.2006 22:18:01 von Ansgar -59cobalt- Wiechers

Greg Hennessy wrote:
> On 12 Oct 2006 07:03:50 -0700, "Idgarad" wrote:
>> The following is a firewall written via BASH and IPTABLES. There is a
>> DHCP assigned WAN interface, and a single physical connection for the
>> internal network with two IPs bound to is, one for the real network,
>> the 192.168.1.xxx network and a network 10.0.0.xxx which is populated
>> by VMWare Server machines. How well written is this firewall, scored
>> by US academic scores?
>
> No disrespect, but....
>
> Like all hand crafted IPTables policies of more than 5 lines it's an
> unmaintainable nightmare when compared to the alternatives.

Wrong. It can be if you do it the wrong way (like the OP did), but
that's not necessarily so.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Firewall Critique - IPTables For Router

am 13.10.2006 00:08:52 von Greg Hennessy

On 12 Oct 2006 20:18:01 GMT, Ansgar -59cobalt- Wiechers
wrote:


>> Like all hand crafted IPTables policies of more than 5 lines it's an
>> unmaintainable nightmare when compared to the alternatives.
>
>Wrong. It can be if you do it the wrong way (like the OP did),

Which, considering the execrable, unintuitive user interface, is not
surprising.

> but that's not necessarily so.
>

Au contraire, it cannot be syntax checked before loading the policy,
therefore a simple typo has the very real potential to completely hose a
production installation.

Enterprise change management of anything other than a trivial IPTables
policy is a nightmare, especially when that policy is managed by more than
one set of eyes.


BTDTGTTS.


greg
--
"Hello, 911? It's Quagmire. Yeah... it's in a window this time."

Re: Firewall Critique - IPTables For Router

am 13.10.2006 15:56:21 von Volker Birk

Greg Hennessy wrote:
[IPTables]
> Au contraire, it cannot be syntax checked before loading the policy

Of course it can.

> therefore a simple typo has the very real potential to completely hose a
> production installation.

Only if you're very dumb.

> Enterprise change management of anything other than a trivial IPTables
> policy is a nightmare, especially when that policy is managed by more than
> one set of eyes.

Scripting has many advantages. You know what you're doing.

Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Firewall Critique - IPTables For Router

am 13.10.2006 16:52:53 von Greg Hennessy

On 13 Oct 2006 15:56:21 +0200, Volker Birk wrote:

>Greg Hennessy wrote:
>[IPTables]
>> Au contraire, it cannot be syntax checked before loading the policy
>
>Of course it can.

Are you really going to claim that the above mishmash of shell and random
macro expanded line noise can be syntax checked in its entirety before any
part of it is loaded to replace the currently running policy ?

Please elucidate.

Anyone who suggests loading a.n. other piece of software to provide
functionality which should be there by default will be laughed at
derisively.


>> therefore a simple typo has the very real potential to completely hose a
>> production installation.
>
>Only if you're very dumb.

Ahh, the stock retort of those who allegedly know it all.

Meanwhile back in the real world typos can and do happen with annoying
regularity.

To assert otherwise is asinine.

There are far better packet filtering solutions than IPtables out there,
get over it.



greg


--
"Hello, 911? It's Quagmire. Yeah... it's in a window this time."

Re: Firewall Critique - IPTables For Router

am 13.10.2006 17:02:19 von Volker Birk

Greg Hennessy wrote:
> On 13 Oct 2006 15:56:21 +0200, Volker Birk wrote:
> >Greg Hennessy wrote:
> >[IPTables]
> >> Au contraire, it cannot be syntax checked before loading the policy
> >Of course it can.
> Are you really going to claim that the above mishmash of shell and random
> macro expanded line noise can be syntax checked in its entirety before any
> part of it is loaded to replace the currently running policy ?

Yes. But this would not be sensible. There are much more sensible ways
to script it.

> There are far better packet filtering solutions than IPtables out there,
> get over it.

Maybe. But netfilter is very practical. And it's Free Software.

Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Firewall Critique - IPTables For Router

am 16.10.2006 14:35:21 von idgarad

Volker Birk wrote:
> Greg Hennessy wrote:
> > On 13 Oct 2006 15:56:21 +0200, Volker Birk wrote:
> > >Greg Hennessy wrote:
> > >[IPTables]
> > >> Au contraire, it cannot be syntax checked before loading the policy
> > >Of course it can.
> > Are you really going to claim that the above mishmash of shell and random
> > macro expanded line noise can be syntax checked in its entirety before any
> > part of it is loaded to replace the currently running policy ?
>
> Yes. But this would not be sensible. There are much more sensible ways
> to script it.
>
> > There are far better packet filtering solutions than IPtables out there,
> > get over it.
>
> Maybe. But netfilter is very practical. And it's Free Software.
>
> Yours,
> VB.
> --
> Far worse than the implementation of PHP, however, is its design.
>
> Rudolf Polzer in de.comp.security.misc

You know you could have avoided the whole argument by simply replying
with "F" or "D-" :)

Part of the reason to use a script (to interject some additional ammo
for you two) was to integrate the HTB and QoS options into a single
script. While I am open to any suggestions on better ways to manage it,
IPTables is a requirement. Originally we were using FWBuilder to manage
it, but when, over time, strange things began to happen, the way
FWBuilder crafts its script was a support nightmare. Thus they wanted
something more hand-crafted for easier support.

Concerning Greg and VB's mini-flame I can add one thing for the two of
you to bounce around per your comments regarding production
environments. Regardless of the approach taken, who in their right mind
would promote untested configurations (regardless of what it is) into
production without testing? Regardless of the implementation I would
assume that it would first be put through some paces either in a test
environment (we use a VMWare virtual network hosted on a machine in the
DMZ to test configurations, those systems also serve as our
honey-pots.) or at least some form of change control. Even when we used
hardware firewalls like those bloody Watchguards and Pix we had two and
always tested configurations on the secondary firewall.

Now please continue your enthusiastic discussion. I am learning quite a
bit...
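The "can it be syntax checked before loading" argument between Greg and VB, and Idgarad's point about testing a policy before it reaches production, both come down to the same tooling: keep the policy in iptables-save format, parse it with iptables-restore's --test mode (which builds the ruleset without committing it), and load it atomically with a timed rollback so a typo cannot lock you out. The following is an added example, not code from the thread or from any of its posters; the function names, the rollback file path and the sample ruleset are assumptions, and the structural lint is a plain awk check that runs without root or iptables installed.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check and guarded load for
# an iptables policy kept in iptables-save format.  lint_ruleset is pure
# shell/awk so it runs anywhere; the real parse is iptables-restore --test.
# The /run/iptables.rollback path and all function names are assumptions.

# lint_ruleset FILE
#   Structural checks: every *table block ends in COMMIT, every -A rule names
#   a chain declared in that block, and "-m state" is always followed by a
#   "--state" option (the slip in the one-line SSH rule earlier in the thread).
#   Prints one line per problem; exit status 0 when clean, 1 otherwise.
lint_ruleset() {
    awk '
    function fail(msg) { printf("%s:%d: %s\n", FILENAME, FNR, msg); bad = 1 }
    /^#/ || /^[ \t]*$/ { next }                      # comments, blank lines
    /^\*/ {                                          # *filter, *nat, ...
        if (intable) fail("new table " $0 " before COMMIT")
        intable = 1; split("", chains); next
    }
    /^:/ {                                           # :CHAIN POLICY [p:b]
        if (!intable) fail("chain declaration outside a table")
        chains[substr($1, 2)] = 1; next
    }
    /^COMMIT$/ {
        if (!intable) fail("COMMIT without an open table")
        intable = 0; next
    }
    /^-A / {
        if (!intable) fail("rule outside a table")
        if (!($2 in chains)) fail("rule for undeclared chain " $2)
        if ($0 ~ /-m state( |$)/ && $0 !~ /--state /)
            fail("-m state without --state")
        next
    }
    { fail("unrecognised line: " $0) }
    END { if (intable) fail("file ends without COMMIT"); exit bad }
    ' "$1"
}

# safe_apply FILE [SECONDS]
#   Lint, parse without committing, save the running policy, load FILE
#   atomically, and restore the old policy after SECONDS (default 60) unless
#   the operator removes the rollback file first.  Needs root; not run here.
safe_apply() {
    file=$1; wait=${2:-60}; backup=/run/iptables.rollback   # assumed path
    lint_ruleset "$file" || return 1
    iptables-restore --test "$file" || return 1   # parse only, no commit
    iptables-save > "$backup" || return 1
    iptables-restore "$file" || return 1          # all-or-nothing load
    ( sleep "$wait"; [ -e "$backup" ] && iptables-restore "$backup" ) &
    echo "loaded; run 'rm $backup' within ${wait}s to keep this policy"
}

# write_sample FILE
#   Constructed sample policy: a default-drop INPUT chain with the single
#   SSH rule suggested in the thread, spelled with --state.
write_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Stand-alone demo: "sh thisfile demo" lints the constructed sample.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp); write_sample "$f"; lint_ruleset "$f"; rm -f "$f"
fi
```

In practice the lint catches the kind of slip a shell-built policy hides until load time, iptables-restore --test catches everything else the kernel module would reject, and the timed rollback is the single-box equivalent of Idgarad's "test it on the secondary firewall first".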

Re: Firewall Critique - IPTables For Router

am 16.10.2006 14:44:39 von Volker Birk

Idgarad wrote:
> Concerning Greg and VB's mini-flame

Sorry, but I did not want to flame.

Yours,
VB.
--
"I never laugh."
Besim Karadeniz in d.c.s.m.