[SLUG] Newbie Sysadmin's Journal - firewall

From: Paul M Foster (paulf@quillandmouse.com)
Date: Wed Jul 11 2007 - 10:41:24 EDT


Here's what I've come up with for firewall rules (in iptables-save
format). (Some of these rules were basic rules set by johncompanies's
Virtuozzo control panel.)

# Inserted by Virtuozzo
*mangle
:PREROUTING ACCEPT [7:360]
:INPUT ACCEPT [7:360]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:364]
:POSTROUTING ACCEPT [3:364]
COMMIT

*filter
# Set default policies
:INPUT DROP [1:48]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# New chains
:TCP_SCANS - [0:0]
:SYNFLOOD - [0:0]

# Allow loopback traffic (only TCP and UDP between 127.0.0.1 and itself;
# matching on the lo interface instead would cover all of 127.0.0.0/8 and
# every protocol)
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -j ACCEPT
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -p udp -j ACCEPT

# Allow pings and such
-A INPUT -p icmp -j ACCEPT

# Back door, so I can get in via SSH in case it all goes to hell
-A INPUT -s w.x.y.z -p tcp -m tcp --dport 22 -j ACCEPT

# Cracking attempts: flag combinations no legitimate TCP stack sends
# (NULL, SYN+FIN, SYN+RST, FIN+RST, FIN/PSH/URG without ACK)
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j TCP_SCANS
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j TCP_SCANS
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j TCP_SCANS
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j TCP_SCANS
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j TCP_SCANS
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j TCP_SCANS
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j TCP_SCANS
# Do NOT send "--tcp-flags FIN,SYN,RST,ACK SYN" to TCP_SCANS here: that is the
# flag pattern of every ordinary connection request, so such a rule drops all
# new connections (except the back door above) before the service rules are
# reached. Plain SYNs are rate-limited in the SYNFLOOD chain below instead.

# Allow already established traffic, kill bad traffic
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP

# Syn flood attacks: every new connection request (SYN without FIN/RST/ACK)
# passes through the rate limit in the SYNFLOOD chain
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYNFLOOD

# Normal services
# FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# DNS/BIND
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
# Web/HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# POP3
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# HTTPS
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# Unprivileged ports inserted by Virtuozzo. Why?
# Most likely for passive-mode FTP data connections and other services that
# listen on dynamically assigned ports: unless the FTP connection-tracking
# helper (ip_conntrack_ftp / nf_conntrack_ftp) is loaded, those connections
# are not RELATED to the control connection and would be dropped. Note that
# this also exposes anything else listening on 32768-65535.
-A INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT
-A INPUT -p udp -m udp --dport 32768:65535 -j ACCEPT

# Pings, etc.
-A FORWARD -p icmp -j ACCEPT

# Loopback traffic (the second rule was a duplicate of the TCP rule; it must
# match UDP to mirror the INPUT side)
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p udp -j ACCEPT

# Pings, etc.
-A OUTPUT -p icmp -j ACCEPT

# Backdoor for my SSH sessions
-A OUTPUT -d w.x.y.z -p tcp -m tcp --sport 22 -j ACCEPT

# Accept related and established, kill invalid
# Replies sent by the listening services are ESTABLISHED, so the --sport
# rules below are already covered by this rule. What has no rule at all is
# any connection the server itself initiates (delivering mail to other MTAs,
# package updates, NTP): with the OUTPUT policy at DROP, those are blocked
# until a rule for outbound NEW traffic is added.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP

# FTP
-A OUTPUT -p tcp -m tcp --sport 21 -j ACCEPT
# SSH
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
# SMTP
-A OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT
# DNS/BIND
-A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
# Web/HTTP
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
# POP3
-A OUTPUT -p tcp -m tcp --sport 110 -j ACCEPT
# HTTPS
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT

# What do we do with syn flood attacks?
# Let a burst of 10 SYNs through, then 5 per second; the rest are dropped.
# This limit is global, not per source: one remote host sending SYNs faster
# than that throttles new connections for every client. The hashlimit match
# can apply the same limit per source address instead.
-A SYNFLOOD -m limit --limit 5/sec --limit-burst 10 -j RETURN
-A SYNFLOOD -j DROP

# What do we do with TCP Scans?
# Dropped silently; a rate-limited LOG rule ahead of the DROP would record them.
-A TCP_SCANS -j DROP
COMMIT

# Inserted by Virtuozzo
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

Paul

-- 
Paul M. Foster
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS).  Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
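As an added example that is not part of the post: a small Python model of how packets traverse the INPUT chain of a ruleset in iptables-save format, fed with a constructed, abridged copy of the rules posted above. It understands only the matches the ruleset uses (-p, -s, -d, --dport, --tcp-flags, -m state) and treats `-m limit` as always matching, i.e. it models the first SYN of a burst. Running it shows that the posted rule `--tcp-flags FIN,SYN,RST,ACK SYN -j TCP_SCANS` matches every ordinary connection request, so a SYN to port 80 is dropped before the service rules are reached, while the back-door rule for w.x.y.z, which precedes the scan rules, still admits that host. The addresses 203.0.113.9 and 198.51.100.20 and the probe packets are constructed for the example.

```python
"""Walk probe packets through the INPUT chain of an iptables-save ruleset.  Added example
for this post, not the author's code.  Only the matches the posted rules use are modelled
(-p, -s, -d, --dport, --tcp-flags, -m state); `-m limit` is treated as always matching."""
import shlex
from collections import namedtuple

ALL_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
# Probe packet: protocol, destination port, TCP flags set, conntrack state, constructed addresses.
Packet = namedtuple("Packet", "proto dport flags state src dst",
                    defaults=(0, frozenset(), "NEW", "203.0.113.9", "198.51.100.20"))

def _flags(spec, mask=ALL_FLAGS):
    return frozenset() if spec == "NONE" else mask if spec == "ALL" else frozenset(spec.split(","))

def parse_filter(text):
    """Return (policies, chains) for the *filter table of an iptables-save dump."""
    policies, chains, active = {}, {}, False
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] == "#" or line == "COMMIT":
            continue
        if line[0] == "*":
            active = line == "*filter"
        elif active and line[0] == ":":                    # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif active:
            t, r, i = shlex.split(line), {}, 0
            while i < len(t):
                k = t[i]
                if k == "--tcp-flags":                         # MASK COMP
                    r["mask"] = _flags(t[i + 1]); r["comp"] = _flags(t[i + 2], r["mask"]); i += 3
                elif k == "--dport":                           # single port or lo:hi
                    lo, _, hi = t[i + 1].partition(":"); r["dport"] = (int(lo), int(hi or lo)); i += 2
                elif k == "--state":
                    r["state"] = frozenset(t[i + 1].split(",")); i += 2
                elif k in ("-A", "-p", "-s", "-d", "-j"):       # chain, proto, src, dst, target
                    r[k[1]] = t[i + 1]; i += 2
                elif k in ("-m", "--limit", "--limit-burst"):  # match loaders and limit args: no effect here
                    i += 2
                else:
                    raise ValueError(f"unsupported token {k!r} in: {line}")
            chains[r.pop("A")].append(r)
    return policies, chains

def _matches(r, pkt):
    return (r.get("p") in (None, pkt.proto) and r.get("s") in (None, pkt.src)
            and r.get("d") in (None, pkt.dst)
            and ("dport" not in r or r["dport"][0] <= pkt.dport <= r["dport"][1])
            # --tcp-flags MASK COMP: of the flags in MASK, exactly those in COMP must be set
            and ("mask" not in r or (pkt.proto == "tcp" and (pkt.flags & r["mask"]) == r["comp"]))
            and ("state" not in r or pkt.state in r["state"]))

def _walk(chains, chain, pkt):
    """Terminal verdict reached from `chain`, or None if it fell through or hit RETURN."""
    for r in (r for r in chains[chain] if _matches(r, pkt)):
        j = r["j"]
        if j in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if j == "RETURN" else j
        v = _walk(chains, j, pkt) if j in chains else None    # user chain: resume here if it returns
        if v is not None:
            return v
    return None

def verdict(ruleset, pkt, chain="INPUT"):
    policies, chains = parse_filter(ruleset)
    return _walk(chains, chain, pkt) or policies[chain]       # built-in chain falls back to its policy

# Constructed abridgement of the posted INPUT chain (mangle and nat tables omitted).
RULES_AS_POSTED = """\
*filter
:INPUT DROP [0:0]
:TCP_SCANS - [0:0]
:SYNFLOOD - [0:0]
-A INPUT -s w.x.y.z -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j TCP_SCANS
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j TCP_SCANS
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCP_SCANS
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYNFLOOD
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT
-A SYNFLOOD -m limit --limit 5/sec --limit-burst 10 -j RETURN
-A SYNFLOOD -j DROP
-A TCP_SCANS -j DROP
COMMIT
"""
# The same ruleset minus the line that hands every ordinary SYN to TCP_SCANS.
RULES_FIXED = RULES_AS_POSTED.replace(
    "-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCP_SCANS\n", "")

def sample_verdicts(ruleset):
    """Constructed probes, each run through INPUT; returns probe name -> verdict."""
    probes = {
        "syn to 80": Packet("tcp", 80, frozenset({"SYN"})),
        "syn to 22 from w.x.y.z": Packet("tcp", 22, frozenset({"SYN"}), src="w.x.y.z"),
        "null scan": Packet("tcp", 80, frozenset()),
        "xmas scan": Packet("tcp", 80, frozenset({"FIN", "PSH", "URG"})),
        "established ack": Packet("tcp", 80, frozenset({"ACK"}), state="ESTABLISHED"),
        "syn to 40000": Packet("tcp", 40000, frozenset({"SYN"})),
    }
    return {name: verdict(ruleset, p) for name, p in probes.items()}
```

With RULES_AS_POSTED, sample_verdicts() returns DROP for "syn to 80" and "syn to 40000" and ACCEPT only for the back-door host and the established packet; with RULES_FIXED the service rules are reached again and the scan probes are still dropped. The same walk can be pointed at OUTPUT to confirm that a NEW outbound connection falls through to the DROP policy.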



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:56:24 EDT