cpdsaorg
Guru
Joined: 16 Oct 2003
Posts: 359
|
 Posted: Mon Nov 22, 2004 8:53 pm Post subject: need help with firewall_rules script. |
 |
|
I run this script on my laptop to set my iptables rules to hopefully protect from and log intrusion attempts. I also would like to configure syslog-ng to put these warnings in a firewall.log
any suggestions/comments welcome..
| Code: |
# cat firewall_rules
#!/bin/sh
/etc/init.d/iptables stop
# flush everything
iptables -F
#Catch portscanners
#"Creating portscan detection chain"
iptables -N check-flags
iptables -F check-flags
iptables -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
iptables -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
iptables -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
iptables -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
iptables -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
iptables -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
iptables -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
iptables -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
iptables -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Apply
iptables -P INPUT DROP
iptables -A INPUT -j check-flags
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --destination-port ssh -j ACCEPT
iptables -A INPUT -p udp --destination-port ssh -j ACCEPT
iptables -A INPUT -j DROP
iptables -P FORWARD DROP
# Save and start
/etc/init.d/iptables save
/etc/init.d/iptables start
|
and my syslog-ng.conf
| Code: | # Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett
options {
long_hostnames(off);
sync(0);
# The default action of syslog-ng 1.6.0 is to log a STATS line
# to the file every 10 minutes. That's pretty ugly after a while.
# Change it to every 12 hours so you get a nice daily update of
# how many messages syslog-ng missed (0).
stats(43200);
};
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
filter f_firewall { match("XMAS") or match("NULL_SCAN") or match("SYN/RST") or match("SYN/FIN"); };
filter f_no_firewall { not match("XMAS") or not match("NULL_SCAN") or not match("SYN/RST") or not match("SYN/FIN"); };
destination firewall { file("/var/log/firewall.log" owner("root") group("adm") perm(0640)); };
destination f_no_firewall { file("/var/log/messages"); };
# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };
# i'm not sure of these lines below... if someone could break it down....
log { source(src); filter(f_no_firewall); destination(console_all); };
log { source(src); filter(f_firewall); destination(firewall); };
# I think the lines above replace the lines below...
#log { source(src); destination(messages); };
#log { source(src); destination(console_all); };
|
and the output of iptables -L
| Code: | # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
check-flags all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain check-flags (1 references)
target prot opt source destination
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 5/min burst 5 LOG level alert prefix `NMAP-XMAS:'
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 5/min burst 5 LOG level alert prefix `XMAS:'
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 5/min burst 5 LOG level alert prefix `XMAS-PSH:'
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 5/min burst 5 LOG level alert prefix `NULL_SCAN:'
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 5/min burst 5 LOG level notice prefix `SYN/RST:'
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 5/min burst 5 LOG level notice prefix `SYN/FIN:'
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
|
_________________
PentiumM 2.0 GHz, MSI 915GM Speedster-FA4, Seagate ST3500641AS SATA 400GB |
|
Networking & Security
