31/01/2008 the tutorial has been reviewed and the given script corrected, the previous given script were opening https and IRC port which was not required.
For advanced users which are comfortable with this guide here is a link to another tutorial on the topic which especially written for advanced users as it explains how to set a firewall with input and output filtering :
http://ubuntuforums.org/showthread.php?t=668148
1- Introduction
After getting some problems with firestarter i decided to get knowledge about iptables and how to set my own firewall script and want to share this experience for users who want to set quickly a custom firewall.
The purpose of this guide is to provide a basic knowledge about iptables and then help to create a firewall script.
The final step will be to make the script running on each boot.
As another great resource you can have a look at bodhi.zazen iptables page on his website:
http://bodhizazen.net/Tutorials/iptables/
This guide will not talk about NAT things.
2- Commands
The first step is to know iptables commands.
2.1- Main commands
* -A --append : Add the rule a the end of the specified chain
Code:
iptables -A INPUT ...
* -D --delete : Allow to delete a chain.
There's 2 way to use it, you can specify the number of the chain to delete or specify the rule to delete
Code:
iptables -D INPUT 1
iptables -D INPUT --dport 80 -j DROP
* -R --replace : Allow to replace the specified chain
Code:
iptables -R INPUT 1 -s 192.168.0.1 -j DROP
* -I --insert : Allow to add a chain in a specific area of the global chain
Code:
iptables -I INPUT 1 --dport 80 -j ACCEPT
* -L --list : Display the rules
Code:
iptables -L # Display all the rules of the FILTER chains
iptables -L INPUT # Display all the INPUT rules (FILTER)
* -F --flush : Delete all the rules of a chain
Code:
iptables -F INPUT # Delete all the rules of the INPUT chain
iptables -F # Delete all the rules
* -N --new-chain : Allow to create a new chain
Code:
iptables -N LOG_DROP
* -X --delete-chain : Allow to delete a chain
Code:
iptables -X LOG_DROP # Delete the LOG_DROP chain
iptables -X # Delete the chains
* -P --policy : Allow to specify to the kernel the default policy of a chain ACCEPT, REJECT, DROP ...
Code:
iptables -P INPUT DROP
2.2- Maching commands
The character "!" can be used to specify the oposite. For example a command to avoid all incomming tcp traffic except from the IP 10.42.42.42 is written as follow :
Code:
iptables -A INPUT -p tcp ! --source 10.42.42.42 -j DROP
IP addresses could be optionally associated with their mask like that : IP-address/mask
* -p --protocol : Specify the protocol : tcp, udp, icmp, all
Example: DROP all icmp traffic
Code:
iptables -A INPUT -p icmp -j DROP
* -m --match : Specify what you want to match : tcp, udp, state, ...
Example: DROP tcp incomming traffic on port 143
Code:
iptables -A INPUT -p tcp -m tcp --sport 143 -j DROP
* -s --source : Specify a source address to match
Example: Allow incoming (the INPUT chain) tcp traffic comming from the IP 192.168.42.42
Code:
iptables -A INPUT -p tcp -s 192.168.42.42 -j ACCEPT
* -d --destination : Specify a destination address
Example : Allow port forwarding for tcp traffic to the IP 10.1.0.1
Code:
iptables -A FORWARD -p tcp -d 10.1.0.1 -j ACCEPT
* -i --in-interface : Specify an input interface (your ethernet card generally) (only for INPUT, FORWARD and PREROUTING chains)
Example : DROP incoming icmp traffic on eth0 input interface
Code:
iptables -A INPUT -p icmp -i eth0 -j DROP
* -o --out-interface : Specify an output interface (only for OUTPUT, FORWARD and PREROUTING chains)
Example : DROP output icmp traffic on eth0 output interface
Code:
iptables -A OUTPUT -p icmp -o eth0 -j DROP
* --sport --source-port : Specify the source port or an array of ports, -m multiport allow to specify more than one port to match.
Examples :
Code:
iptables -A INPUT -p tcp --sport 80 -j ACCEPT iptables -A INPUT -p udp --sport 80 -j DROP iptables -A INPUT -p tcp -m multiport --sport 3128,21,1000 -j DROP iptables -A INPUT -p tcp --sport 1024:2042 -j ACCEPT
* --dport --destination-port : Specify a destination port or an array of ports, -m multiport allow to specify more than one port to match.
Examples :
Code:
iptables -A OUPUT -p tcp --dport 110 -j DROP iptables -A OUPUT -p udp --dport 110 -j DROP iptables -A OUPUT -p tcp -m multiport --dport 110,4242,119 -j DROP iptables -A OUPUT -p tcp --dport 4925:4633 -j ACCEPT
* --tcp-flags : Specify the tcp flag to match : SYN ACK FIN RST URG PSH ALL NONE
Example : Allow tpc packets with SYN,ACK flag and source port 42
Code:
iptables -A INPUT -p tcp --sport 42 --tcp-flags SYN,ACK -j ACCEPT
* --icmp-type : Specify the icmp type to match
Example :
Code:
iptables -A INPUT -p icmp --icmp-type 8 -j DROP
* --mac-source : Specify the MAC address to match
Example : Drop all incoming traffic from MAC address 42:42:AA:42:42:AA
Code:
iptables -A INPUT --mac-source 42:42:AA:42:42:AA -j DROP
* --state : Allow to specify the packet state to match :
ESTABLISHED : packet associated to an established connection
NEW : packet which ask for a new connection
INVALID : Packet associated to an unknown connection
RELATED : new connection but linked, really good for FTP connections
Examples :
Code:
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
2.3- Some examples
in those examples i assumed that your internet interface is eth0 (just replace eth0 by what it is for you).
* Setting the default rules : here is how to set the defeult rules
Code:
iptables -P INPUT DROP iptables -P OUTPUT DROP
iptables -P FORWARD DROP
* Allow loopback access :
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
* Allow web traffic :
Code:
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
* Allow dns :
Code:
iptables -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 53 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
* Allow FTP :
Code:
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
* Allow IRC ports :
Code:
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 6667 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 6667 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m tcp --sport 133 -j ACCEPT # identification port iptables -A OUTPUT -o eth0 -p udp -m tcp --dport 133 -j ACCEPT # identification port
* Allow or drop an IP :
Code:
iptables -A INPUT -s 10.123.452.36 -j ACCEPT
iptables -A INPUT -s 10.123.452.36 -j DROP
* Forward your internet (eth0) connection to eth1, in the example we filter incoming packets for the LAN.
Code:
# Forward only established and related connections to the lan for incoming packets
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forward all OUT connections from the lan
iptables -A FORWARD -o eth1 -i eth0 -j ACCEPT
# hide computers behind the firewall
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
# then DROP all the rest
iptables -A FORWARD -j DROP
* Forward your internet (eth0) connection to eth1 without any filter :
Code:
iptables -A FORWARD -j ACCEPT
# hide computers behind the firewall
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
For other services just open the correponding port(s), if you don't know which port use the service you want to enable have look in the file /etc/services.
* Backlist a list of IPs from a file (gregor171 proposed solution) :
http://ubuntuforums.org/showpost.php...&postcount=263
3- The scripts
Now it's time to write your iptables script.
3.1-The firewall script
This exemple will fit the needs of most users, it blocks all incoming and forward traffic and allows : web browsers, https, amule, bittorent, ftp, gaim, IRC, mail protocols (smtp, pop, imap).
Blocking outgoing access is not needed (incoming is enough).
* We create 2 chain the one called FIREWALL and the second is called TRUSTED
FIREWALL chain : this chain will allow related and established incoming connection (eth0 interface), then send all other packets to the TRUSTED chain and DROP all the rest. We will send in this chain all INPUT packets.
TRUSTED chain : In this chain you will add all the ports you may need to open depending on what you use on your computer.
Now create the firewall script:
Code:
sudo gedit /etc/firewall.bash
Now add that in the file, remove lines that are not needed for you or add some if it's needed (replace eth0 by the name of your internet interface):
Code:
#!/bin/bash
# No spoofing
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $filtre
done
fi
# No icmp
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#load some modules you may need
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
# Remove all rules and chains
iptables -F
iptables -X
# first set the default behaviour => accept connections
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Create 2 chains, it allows to write a clean script
iptables -N FIREWALL
iptables -N TRUSTED
# Allow ESTABLISHED and RELATED incoming connection
iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow loopback traffic
iptables -A FIREWALL -i lo -j ACCEPT
# Send all package to the TRUSTED chain
iptables -A FIREWALL -j TRUSTED
# DROP all other packets
iptables -A FIREWALL -j DROP
# Send all INPUT packets to the FIREWALL chain
iptables -A INPUT -j FIREWALL
# DROP all forward packets, we don't share internet connection in this example
iptables -A FORWARD -j DROP
# Allow amule
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 5349 -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 5351 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 5348 -j ACCEPT
# Allow bittorrent
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 6881:6889 -j ACCEPT
# End message
echo " [End iptables rules setting]"
Make the script executable:
Code:
sudo chmod +x /etc/firewall.bash
* What is spoofing ? : http://en.wikipedia.org/wiki/Spoofing_attack
* What is icmp ?: http://en.wikipedia.org/wiki/Icmp
* For amule : http://www.amule.org/wiki/index.php/Firewall
This should be good for most of you, if something doen't work open the port corresponding to the service you want to open (look in /etc/service to know the port number).
To open a new port just add a new rule for the TRUSTED chain like that for tcp :
Code:
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport port_number -j ACCEPT
or for udp :
Code:
iptables -A TRUSTED -i eth0 -p udp -m udp --dport port_number -j ACCEPT
Well you firewall script is OK
3.2-The flush script
This script will allow you to delete all the rules and chains, in other words it delete your firewall.
Open the file :
Code:
sudo gedit /etc/flush_iptables.bash
Put that in the file:
Code:
#!/bin/sh
#
# Set the default policy
#
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#
# Set the default policy for the NAT table
#
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
#
# Delete all rules
#
iptables -F
iptables -t nat -F
#
# Delete all chains
#
iptables -X
iptables -t nat -X
# End message
echo " [End of flush]"
Make the file executable :
Code:
sudo chmod +x /etc/flush_iptables.bash
3.3-The init.d script
This script will allow you to handle your firewall like all other services.
Open the file:
Code:
sudo gedit /etc/init.d/firewall
Edit it like that:
Code:
#!/bin/bash
RETVAL=0
# To start the firewall
start() {
echo -n "Iptables rules creation: "
/etc/firewall.bash
RETVAL=0
}
# To stop the firewall
stop() {
echo -n "Removing all iptables rules: "
/etc/flush_iptables.bash
RETVAL=0
}
case $1 in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
status)
/sbin/iptables -L
/sbin/iptables -t nat -L
RETVAL=0
;;
*)
echo "Usage: firewall {start|stop|restart|status}"
RETVAL=1
esac
exit
Make the script executable:
Code:
sudo chmod +x /etc/init.d/firewall
Now you can use these commands to start/stop/restart/status your firewall:
Code:
sudo /etc/init.d/firewall start
sudo /etc/init.d/firewall stop
sudo /etc/init.d/firewall restart
sudo /etc/init.d/firewall status
The final step is to make your script running on each boot of your computer:
Code:
sudo update-rc.d firewall defaults
Well all is done !!!!!
4-Test if your firewall is reliable
I strongly advice you to check your firewall just to see that all is ok.
Perform some udp and tcp scan here :
http://www.hackerwatch.org/probe/
All ports should be seen as blocked
This site is not bad too : https://grc.com/x/ne.dll?bh0bkyd2
All port should be seen as stealth
nmap is also a good tool, to install it :
Code:
sudo apt-get install nmap
sudo apt-get install nmapfe
Run the GUI :
Then put your IP as target, all ports should be seen as blocked.
5- Links & Credits
Links :
* http://iptables-tutorial.frozentux.n...-tutorial.html
* http://yolinux.com/TUTORIALS/LinuxTu...rkGateway.html
* http://supermikenews.blogspot.com/20...ll-script.html
Credits :
* Lea linux : http://lea-linux.org/cached/index/Accueil.html
* GTX for showing the way
* Internet
* alexisdm (freenews forum).
Thank you for any kind feedback
Bookmarks