Writing a Firewall Script for an Aktiom Virtual Dedicated Server
It was a bit of a challenge getting a good working firewall script for the Aktiom Virtual Dedicated Server due to the restricted number of iptable modules that were available. The modules that are available are:
iptable_length
iptable_ttl
iptable_tcpmss
iptable_TCPMSS
iptable_REJECT
iptable_tos
iptable_multiport
iptable_limit
iptable_filter
iptables
Now the lack of NAT or packet mangling is not that big an issue, as it is just a standalone box, but it would have been useful to have stateful matching: without it you have to write more rules, because you cannot simply allow RELATED or ESTABLISHED packets through. It also has a security consequence: every "reply" rule has to be keyed on the remote port (for example source port 53 or 25), so each of those rules must also pin the local destination port to the unprivileged range and, for TCP, refuse SYN-only packets, otherwise anyone who binds that remote port can reach every service on the box.
Here is the basic script that I wrote to provide a firewall for our Aktiom VDS.
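#!/bin/bash
#
#Firewall script for rufus version 1.02rc1
#John Habermann
#
# Standalone host firewall for an Aktiom VDS. Only the filter table and a
# handful of match modules (limit, multiport, tos, ttl, length, tcpmss) are
# available on this kernel: no NAT, no mangle and no state module, so every
# "reply" rule further down is written with explicit source/destination
# ports instead of ESTABLISHED/RELATED.
author="John Habermann"
updated_by="John Habermann"
updated_date="1-08-03"
echo "Loading the firewall script for rufus
Last updated by $updated_by $updated_date"
##################### Setting the variables ###########################
echo -n "Setting the variables ........."
#Iptables command
iptables="/sbin/iptables"
#The loopback device
loop="lo"
#The firewalls ipaddress. MUST be replaced with the real address of the
#external interface: the anti-spoofing and ping rules below use it and the
#iptables commands will fail (leaving those rules missing) if it is not an
#IPv4 address.
fw_ip="************"
#Secure ipaddress (defined for convenience, not referenced by any rule yet)
tws="203.41.44.106"
net="0/0"
#Host we scp to, which only ever answers from its port 22. Left empty the
#corresponding rule is skipped instead of emitting a broken iptables command
#with an empty -s argument.
squelchy=""
#Reserved Addresses
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # well-known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
#Loudly flag a placeholder fw_ip before any rule is touched; the script still
#continues (as it always did) so the remaining rules are loaded.
case "$fw_ip" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
    *) echo "WARNING: fw_ip is not an IPv4 address ('$fw_ip'); the rules that use it will fail to load" >&2 ;;
esac
echo "variables set"
########################################################################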
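##################### Flush Everything ###############################
echo "Flushing everyhing"
#Only the filter table exists on this kernel (no nat/mangle modules), so
#flush it directly rather than relying on a distribution init-script action.
#-F removes every rule, -X every user-defined chain, -Z zeroes the counters.
#(-X used to live at the end of this section with a note that it errored;
#on an empty table it is a no-op and is harmless here.)
"$iptables" -F
"$iptables" -X
"$iptables" -Z
#######################################################
##################### Setting the rules for tcp and UDP ######################33
echo
echo "Setting the rules for tcp and udp traffic"
echo "Setting the default Policy ...... "
#Default policies are set BEFORE the first ACCEPT rule so there is no window
#in which the freshly flushed table is left with whatever policy it had
#before (ACCEPT after boot) and no rules at all.
#There is no LOG module on this kernel, so dropped packets are not logged.
"$iptables" -P INPUT DROP
echo -n "INPUT chain set to DROP ....."
"$iptables" -P OUTPUT ACCEPT
echo -n "OUTPUT chain set to ACCEPT ......."
"$iptables" -P FORWARD DROP
echo "FORWARD chain set to DROP"
echo "Default policy set"
#Allowing unlimited traffic on the loopback device
echo -n "Allowing unlimited traffic on lo ....... "
"$iptables" -A INPUT -i "$loop" -j ACCEPT
"$iptables" -A OUTPUT -o "$loop" -j ACCEPT
echo "unlimited traffic allowed on the loopback device"
#################################################################################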
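#################### Dealing with stealth scans, TCP State Flags, Source Address Spoofing and Bad Addresses####
# Stealth scans are scans that allow an attacker to check what ports or open on a machine and what services
# are running without being logged. See http://linuxworld.sys-con.com/story/32910.htm for more information
# None of the flag combinations below occurs in a legitimate TCP exchange;
# they are used by NULL/XMAS/SYN-FIN style scans and for stack
# fingerprinting, so drop them before any ACCEPT rule can see them.
echo -n "Clearing all the bits to provide some protection against stealth scans ....... "
"$iptables" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP      # no flags at all (NULL scan)
"$iptables" -A INPUT -p tcp --tcp-flags ALL ALL -j DROP       # every flag set (XMAS scan)
"$iptables" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
"$iptables" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
"$iptables" -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
"$iptables" -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP   # FIN without ACK
"$iptables" -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP   # PSH without ACK
"$iptables" -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP   # URG without ACK
echo "bits cleared"
#Source address spoofing and bad addresses
#Never emit a packet that does not carry our own address (loopback traffic
#was already accepted above, so this only catches misconfiguration or a
#compromised process spoofing). Negation is written as "! -s"; newer
#iptables releases warn about the older "-s !" spelling.
"$iptables" -A OUTPUT ! -s "$fw_ip" -j DROP
#...and never accept a packet from the wire that claims to be us.
"$iptables" -A INPUT ! -i "$loop" -s "$fw_ip" -j DROP
#Only UDP makes sense to a multicast destination; drop anything else.
"$iptables" -A INPUT ! -p udp -d "$CLASS_D_MULTICAST" -j DROP
#########################################################################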
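#reject outside Auth requests
echo -n "Rejecting outside auth requests ...... "
#ident (113) is answered with a RST rather than silently dropped so remote
#mail/irc servers that probe it do not hang until their timeout.
"$iptables" -A INPUT -p tcp --sport "$UNPRIVPORTS" --dport 113 -j REJECT --reject-with tcp-reset
echo "auth requests rejected with tcp-reset"
#To allow ssh from Internet
echo -n "Allowing ssh from internet ..... "
"$iptables" -A INPUT -p tcp --sport "$UNPRIVPORTS" --dport 22 -j ACCEPT
echo "ssh allowed in"
#To allow scp to squelchy
echo -n "Allowing scp to squelchy ......... "
#Reply half of an ssh/scp session WE open to squelchy. Without a state
#module the only handle on reply traffic is the port pair, so pin the
#destination to our unprivileged range and refuse SYN-only packets;
#otherwise anything on squelchy that binds port 22 could open connections
#to any port on this box. $squelchy was never defined in the original
#script, so the rule is skipped (instead of failing) when it is empty.
if [ -n "${squelchy:-}" ]; then
    "$iptables" -A INPUT -p tcp -s "$squelchy" --sport 22 --dport "$UNPRIVPORTS" ! --syn -j ACCEPT
    echo "scp to squelchy allowed"
else
    echo "skipped: squelchy is not set"
fi
#To allow http from internet
echo -n "Allowing http connections from the internet ...... "
#Let connections to our port 80
"$iptables" -A INPUT -p tcp --sport "$UNPRIVPORTS" --dport 80 -j ACCEPT
echo "connections to webserver allowed"
#Let connections to the staging server
echo -n "Allowing connections to staging webserver ....... "
"$iptables" -A INPUT -p tcp --sport "$UNPRIVPORTS" --dport 8001 -j ACCEPT
echo "connections to staging server allowed"
#To allow smtp connections from the internet
echo -n "Allowing smtp from the internet ..... "
#NOTE(review): as written this is a REPLY rule (remote port 25 -> our
#unprivileged port), i.e. it lets mail this box SENDS complete, like the
#DNS and squelchy rules. It does not let the Internet deliver mail to us;
#if this host runs an MTA it additionally needs
#   "$iptables" -A INPUT -p tcp --sport "$UNPRIVPORTS" --dport 25 -j ACCEPT
#The original rule matched any packet with source port 25 whatever its
#destination port, so anyone could bind port 25 and reach every service on
#the box; --dport and ! --syn close that. (ACK-only probes from port 25
#still pass the filter and are answered by the kernel with a RST; that is
#the limit of what can be done without a state module.)
"$iptables" -A INPUT -p tcp -s "$net" --sport 25 --dport "$UNPRIVPORTS" ! --syn -j ACCEPT
echo "smtp allowed in"
#To allow tcp and udp connections for the Aktiom DNS server
echo -n "Allowing dns from the Actiom name server ....... "
#Reply traffic only: this box is the resolver client. UDP carries no flags,
#so the destination-port restriction is all that is available there.
for ns in 64.235.238.9 64.235.238.11; do
    "$iptables" -A INPUT -p tcp -s "$ns" --sport 53 --dport "$UNPRIVPORTS" ! --syn -j ACCEPT
    "$iptables" -A INPUT -p udp -s "$ns" --sport 53 --dport "$UNPRIVPORTS" -j ACCEPT
done
echo -n "dns allowed"
###############################################################################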
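########################## Setting ICMP rules ###################################
echo
echo "Setting ICMP rules"
#To allow pings
echo -n "Setting pings ...... "
#Echo requests are rate limited with the limit module (one of the few
#available); anything over the burst falls through to the INPUT DROP policy,
#so a ping flood cannot monopolise the box. Echo replies must be accepted
#explicitly because there is no state module to match our own outbound pings.
"$iptables" -A INPUT -p icmp --icmp-type echo-request -d "$fw_ip" -m limit --limit 5/second --limit-burst 10 -j ACCEPT
"$iptables" -A INPUT -p icmp --icmp-type echo-reply -d "$fw_ip" -j ACCEPT
echo "Pings allowed"
#Drop non-first ICMP fragments. iptables' --fragment (-f) matches the second
#and later fragments of a packet, which carry no ICMP header; none of the
#--icmp-type rules above or below can match them, so this makes the drop
#explicit rather than leaving it to the default policy.
echo -n "Dropping initial icmp fragments ...."
"$iptables" -A INPUT -p icmp --fragment -j DROP
echo "initial icmp fragments dropped"
#Allow other useful icmp packets
echo -n "Allow useful icmp packets ...... "
"$iptables" -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
"$iptables" -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
#destination-unreachable matches every code, including fragmentation-needed
#(code 4), which is what keeps path-MTU discovery working for our own
#outbound connections; the separate rule below is therefore redundant but
#kept to make that intent explicit.
"$iptables" -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
"$iptables" -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
echo "useful icmp packets allowed"
# accept TTL exceeded - 4 traceroute
echo -n "Setting TTL ..... "
"$iptables" -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
echo "traceroute allowed"
################################################################################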
