rada Apprentice
Joined: 21 Oct 2005 Posts: 202 Location: Ottawa, Canada
Posted: Sun May 25, 2008 3:41 pm Post subject: What do you guys think of my firewall? Secure?
I read the gentoo-wiki page on stateful firewalls and implemented that final script, but modified it a bit and added some stuff from the gentoo router doc to do good IP forwarding. I'm no network expert though, so I'm wondering what your thoughts are on this script.
Looking at it, I believe it will only accept packets from the WAN if I first initiate a session, so they are either ESTABLISHED or RELATED. New packets will only be accepted on 10 TCP and 2 UDP ports I have open between port 10000 and 65000 for P2P programs. The router part sets up masquerading on the LAN port, eth0. I can't say I know completely how it works, but it does.
Code:
```bash
#!/bin/bash
ROUTER="yes"
# change this next line so it lists all your network interfaces, including lo
INTERFACES="lo eth2 eth1 eth0"
export LAN=eth0
export WAN=eth1
# change this line so that it lists the assigned numbers or symbolic names (from
# /etc/services) of all the services that you'd like to provide to the general
# public. If you don't want any services enabled, set it to ""
SERVICES="gen-p2p0 gen-p2p1 gen-p2p2 gen-p2p3 gen-p2p4 gen-p2p5 gen-p2p6 gen-p2p7 gen-p2p8 gen-p2p9"
SERVICES_UDP="gen10 gen11"

if [ "$1" = "start" ]
then
    echo "Starting firewall..."
    # flush first, otherwise running "start" twice appends every rule a second time
    iptables -F
    iptables -t nat -F
    iptables -P INPUT DROP
    # nothing is forwarded unless a FORWARD rule below allows it
    iptables -P FORWARD DROP
    # "! -i" is the current negation syntax; the old "-i !" form is deprecated
    iptables -A INPUT ! -i ${WAN} -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # enable public access to certain services
    for x in ${SERVICES}
    do
        iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
    done
    for x in ${SERVICES_UDP}
    do
        iptables -A INPUT -p udp --dport ${x} -m state --state NEW -j ACCEPT
    done
    iptables -A INPUT -p tcp -i ${WAN} -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -i ${WAN} -j REJECT --reject-with icmp-port-unreachable
    # explicitly disable ECN
    if [ -e /proc/sys/net/ipv4/tcp_ecn ]
    then
        echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi
    # disable spoofing on all interfaces
    for x in ${INTERFACES}
    do
        echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
    done
    if [ "$ROUTER" = "yes" ]
    then
        # we're a router of some kind, enable IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
        for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
        # Then we lock our services so they only work from the LAN
        iptables -I INPUT 1 -i ${LAN} -j ACCEPT
        iptables -I INPUT 1 -i lo -j ACCEPT
        iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
        iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT
        # (Optional) Allow access to our ssh server from the WAN
        iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
        # Drop TCP / UDP packets to privileged ports
        iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
        iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
        # Finally we add the rules for NAT
        iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
        iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
        # only forward WAN traffic back into the LAN when it belongs to a
        # connection the LAN side opened (matches the stateful INPUT policy)
        iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
    fi
    exit 0
elif [ "$1" = "stop" ]
then
    echo "Stopping firewall..."
    # First we flush our current rules
    iptables -F
    iptables -t nat -F
    # Setup default policies to handle unmatched traffic
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
fi
```
So what do you guys think? Is the port forwarding OK? Or should I look into implementing UPnP port forwarding?
Lastly, are there any other iptables rules I could look into to make this firewall better?
Thanks,
-Rada
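A way to sanity-check rule order in the posted INPUT chain without root: the Python model below (added here, not code from rada's post or the gentoo-wiki script) replays the script's -A and -I calls in the order the start branch issues them and walks packets through the result first-match-wins, as iptables does. The port numbers standing in for the gen-p2p*/gen10/gen11 service names are constructed; bootps, domain and ssh use their /etc/services values.

```python
# Added model of the posted INPUT chain (not code from the original post).
# Port numbers for the gen-p2p*/gen10/gen11 service names are constructed.
WAN, LAN = "eth1", "eth0"
SERVICES_TCP = range(10000, 10010)   # stand-ins for gen-p2p0 .. gen-p2p9
SERVICES_UDP = (10010, 10011)        # stand-ins for gen10, gen11
BOOTPS, DOMAIN, SSH = 67, 53, 22     # from /etc/services

def build_input_chain():
    """Replay the script's -A/-I calls in order; a rule is (match, verdict)."""
    chain = []
    add = chain.append
    add((lambda p: p["in"] != WAN, "ACCEPT"))                        # -A INPUT ! -i WAN
    add((lambda p: p["state"] in ("ESTABLISHED", "RELATED"), "ACCEPT"))
    for port in SERVICES_TCP:                                        # public TCP services
        add((lambda p, port=port: p["proto"] == "tcp" and p["dport"] == port
             and p["state"] == "NEW", "ACCEPT"))
    for port in SERVICES_UDP:                                        # public UDP services
        add((lambda p, port=port: p["proto"] == "udp" and p["dport"] == port
             and p["state"] == "NEW", "ACCEPT"))
    add((lambda p: p["proto"] == "tcp" and p["in"] == WAN, "REJECT"))  # tcp-reset
    add((lambda p: p["proto"] == "udp" and p["in"] == WAN, "REJECT"))  # port-unreachable
    # ROUTER="yes" block: each "-I INPUT 1" goes to the head, so lo ends up first
    chain.insert(0, (lambda p: p["in"] == LAN, "ACCEPT"))
    chain.insert(0, (lambda p: p["in"] == "lo", "ACCEPT"))
    add((lambda p: p["proto"] == "udp" and p["dport"] in (BOOTPS, DOMAIN)
         and p["in"] != LAN, "REJECT"))
    add((lambda p: p["proto"] == "tcp" and p["dport"] == SSH and p["in"] == WAN, "ACCEPT"))
    add((lambda p: p["proto"] in ("tcp", "udp") and p["in"] != LAN
         and p["dport"] <= 1023, "DROP"))
    return chain

def verdict(chain, pkt, policy="DROP"):
    """First matching rule wins, as iptables walks a chain; None = chain policy."""
    for index, (match, action) in enumerate(chain):
        if match(pkt):
            return action, index
    return policy, None

def packet(iface, proto, dport, state="NEW"):
    """Constructed packet summary: only the fields these rules look at."""
    return {"in": iface, "proto": proto, "dport": dport, "state": state}

if __name__ == "__main__":
    chain = build_input_chain()
    for pkt in (packet(WAN, "tcp", SSH), packet(WAN, "tcp", 10003),
                packet(WAN, "tcp", 80, "ESTABLISHED"), packet("eth2", "tcp", SSH)):
        print(pkt, "->", verdict(chain, pkt))
```

Walking a new WAN-side packet to port 22 hits the tcp REJECT rule before the ssh ACCEPT appended later in the router block, and anything arriving on eth2 is accepted by the `! -i WAN` rule, so those two are the rules to reconcile with the description of the firewall above.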