The Community Forums


iptables script

Discussion in 'General Discussion' started by bobbybobbertson, Sep 11, 2003.

  1. bobbybobbertson

    bobbybobbertson Well-Known Member

    Joined:
    May 30, 2003
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    I just want to contribute something back. I have noticed that no one has posted a basic iptables script. Here is mine:

    (I have to post it in 3 parts because it's a little long)


    #!/bin/bash
    #
    # Load appropriate modules.
    modprobe ip_tables
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp

    # These lines are here in case rules are already in place and the script is ever rerun on the fly.
    # We want to remove all rules and pre-existing user defined chains and zero the counters
    # before we implement new rules.
    iptables -F
    iptables -F -t nat
    iptables -X
    iptables -Z

    # Set up a default DROP policy for the built-in chains.
    # If we modify and re-run the script mid-session then (because we have a default DROP
    # policy), what happens is that there is a small time period when packets are denied until
    # the new rules are back in place. There is no period, however small, when packets we
    # don't want are allowed.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP


    ## ===========================================================
    ## Some definitions:
    LO_IFACE="lo"
    WAN_IFACE="eth0"

    BROADCAST="192.168.0.255"
    LOOPBACK="127.0.0.0/8"
    CLASS_A="10.0.0.0/8"
    CLASS_B="172.16.0.0/12"
    CLASS_C="192.168.0.0/16"
    CLASS_D_MULTICAST="224.0.0.0/4"
    CLASS_E_RESERVED_NET="240.0.0.0/5"



    ######################################################################################
    ############### good stuff i found at: http://www.sns.ias.edu/~jns/security/iptables/
    ######################################################################################

    ## Kernel flags
    # To dynamically change kernel parameters and variables on the fly you need
    # CONFIG_SYSCTL defined in your kernel. I would advise the following:

    #response to ping.
    #/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
    /bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all

    iptables -N icmp_packets
    iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
    iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
    iptables -A INPUT -p ICMP -i $WAN_IFACE -j icmp_packets


    # Disable response to broadcasts.
    # You don't want yourself becoming a Smurf amplifier.
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Don't accept source routed packets. Attackers can use source routing to generate
    # traffic pretending to be from inside your network, but which is routed back along
    # the path from which it came, namely outside, so attackers can compromise your
    # network. Source routing is rarely used for legitimate purposes.
    /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

    # Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
    # tables, possibly to a bad end.
    /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

    # Enable bad error message protection.
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # Turn on reverse path filtering. This helps make sure that packets use
    # legitimate source addresses, by automatically rejecting incoming packets
    # if the routing table entry for their source address doesn't match the network
    # interface they're arriving on. This has security advantages because it prevents
    # so-called IP spoofing, however it can pose problems if you use asymmetric routing
    # (packets from you to a host take a different path than packets from that host to you)
    # or if you operate a non-routing host which has several IP addresses on different
    # interfaces. (Note - If you turn on IP forwarding, you will also get this).
    for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    /bin/echo "1" > ${interface}
    done

    # Log spoofed packets, source routed packets, redirect packets.
    /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

    # Make sure that IP forwarding is turned off. We only want this for a multi-homed host.
    /bin/echo "0" > /proc/sys/net/ipv4/ip_forward

    # Note: With connection tracking, all fragments are reassembled before being
    # passed to the packet-filtering code so there is no ip_always_defrag switch as there
    # was in the 2.2 kernel.



    ## SYN-FLOODING PROTECTION
    # This rule maximises the rate of incoming connections. In order to do this we divert tcp
    # packets with the SYN bit set off to a user-defined chain. Up to limit-burst connections
    # can arrive in 1/limit seconds ..... in this case 50 connections in one second. After this, one
    # of the burst is regained every second and connections are allowed again. The default limit
    # is 3/hour. The default limit burst is 5.
    #
    iptables -N syn-flood
    iptables -A INPUT -i $WAN_IFACE -p tcp --syn -j syn-flood
    iptables -A syn-flood -m limit --limit 50/s --limit-burst 50 -j RETURN
    iptables -A syn-flood -j DROP

    ## Make sure NEW tcp connections are SYN packets
    iptables -A INPUT -i $WAN_IFACE -p tcp ! --syn -m state --state NEW -j REJECT



    ## FRAGMENTS
    # I have to say that fragments scare me more than anything.
    # Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
    # Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
    # fragments is very OS-dependent (see this paper for details).
    # I am not going to trust any fragments.
    # Log fragments just to see if we get any, and deny them too.
    #####################
    #### my notes:
    ### sometimes packets are too large so fragmentation is necessary and may need to be allowed for a server
    ### See "specifying Fragments" at: http://www.telematik.informatik.uni...Sem/downloads/netfilter/iptables-HOWTO-6.html
    #iptables -A INPUT -i $WAN_IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
    #iptables -A INPUT -i $WAN_IFACE -f -j REJECT




    ## SPOOFING
    # Most of this anti-spoofing stuff is theoretically not really necessary with the flags we
    # have set in the kernel above ........... but you never know there isn't a bug somewhere in
    # your IP stack.
    #
    # Refuse packets claiming to be from a Class A private network.
    iptables -A INPUT -i $WAN_IFACE -s $CLASS_A -j REJECT
    # Refuse packets claiming to be from a Class B private network.
    iptables -A INPUT -i $WAN_IFACE -s $CLASS_B -j REJECT
    # Refuse packets claiming to be from a Class C private network.
    #iptables -A INPUT -i $WAN_IFACE -s $CLASS_C -j REJECT
    # Refuse Class D multicast addresses. Multicast is illegal as a source address.
    iptables -A INPUT -i $WAN_IFACE -s $CLASS_D_MULTICAST -j REJECT
    # Refuse Class E reserved IP addresses.
    iptables -A INPUT -i $WAN_IFACE -s $CLASS_E_RESERVED_NET -j REJECT

    # Refuse packets claiming to be to the loopback interface.
    # Refusing packets claiming to be to the loopback interface protects against
    # source quench, whereby a machine can be told to slow itself down by an icmp source
    # quench to the loopback.
    iptables -A INPUT -i $WAN_IFACE -d $LOOPBACK -j REJECT
    # Refuse broadcast address packets.
    iptables -A INPUT -i $WAN_IFACE -d $BROADCAST -j REJECT

    #1 bobbybobbertson, Sep 11, 2003
    Last edited: Sep 13, 2003
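An added example, not part of bobbybobbertson's script: a POSIX sh audit that reads the same /proc/sys entries the first part of the script writes and reports any that no longer hold the intended value (a later module, a distribution script or a reboot can silently reset them), plus a helper that prints the equivalent sysctl.conf lines so the settings persist. PROC_ROOT, AUDIT_RUN and the function names are assumptions introduced for this example; the expected values are the ones the script above sets.

```shell
#!/bin/sh
# Audit the kernel flags written by the iptables script. Added example, not the
# script's own code. PROC_ROOT is an assumption: it defaults to the live /proc/sys
# tree but can be pointed at any directory with the same layout for testing.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# path=expected value, using the same values as the script. The script sets
# rp_filter on every interface; "all" is checked here as the representative entry.
EXPECTED_FLAGS='net/ipv4/icmp_echo_ignore_all=0
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/accept_redirects=0
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/all/log_martians=1
net/ipv4/ip_forward=0'

# audit_flags: print one line per entry that is missing or differs from the
# expected value; the return code is the number of such entries (0 = all good).
audit_flags() {
    bad=0
    for entry in $EXPECTED_FLAGS; do
        key=${entry%%=*}
        want=${entry#*=}
        file="$PROC_ROOT/$key"
        if [ ! -r "$file" ]; then
            echo "MISSING  $key (expected $want)"
            bad=$((bad + 1))
            continue
        fi
        have=$(cat "$file")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key expected=$want actual=$have"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# emit_sysctl_conf: the same table as "net.ipv4.key = value" lines, the form
# /etc/sysctl.conf expects, so the hardening survives a reboot.
emit_sysctl_conf() {
    for entry in $EXPECTED_FLAGS; do
        key=${entry%%=*}
        want=${entry#*=}
        printf '%s = %s\n' "$(printf '%s' "$key" | tr '/' '.')" "$want"
    done
}

# Usage on the firewalled host (as root): AUDIT_RUN=1 sh audit_flags.sh
# AUDIT_RUN is an assumption for this example; it keeps the audit from running
# when the file is merely sourced for its functions.
if [ "${AUDIT_RUN:-}" = 1 ]; then
    audit_flags
fi
```

Run it after the firewall script and again after any reboot; a non-zero exit with MISMATCH lines means a flag was reset and the corresponding protection (anti-spoofing via rp_filter, source-route rejection, martian logging) is no longer in force.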
  2. bobbybobbertson

    ####################################################################################
    ###################### my stuff
    ####################################################################################




    ## allow the server to create outgoing connections and receive the replies
    iptables -A OUTPUT -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i $WAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

    ## allow all outgoing connections on selected interfaces
    #iptables -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
    #iptables -A OUTPUT -p ALL -s localhost -j ACCEPT
    #iptables -A OUTPUT -p ALL -o $WAN_IFACE -j ACCEPT

    ## LOOPBACK
    # Allow unlimited traffic on the loopback interface.
    iptables -A INPUT -i $LO_IFACE -j ACCEPT
    iptables -A OUTPUT -o $LO_IFACE -j ACCEPT


    ######## ports as defined by thread: http://forums.cpanel.net/showthread.php?s=&threadid=5108&highlight=iptables+ports
    #20 ---> FTP ---> TCP
    #20 ---> FTP ---> UDP
    #21 ---> FTP ---> TCP
    #21 ---> FTP ---> UDP
    #22 ---> SSH ---> TCP
    #25 ---> SMTP ---> TCP
    #53 ---> DNS ---> TCP & UDP
    #80 ---> HTTP ---> TCP
    #110 ---> POP3 ---> TCP
    #143 ---> IMAP ---> TCP
    #443 ---> HTTPs ---> TCP
    #465 ---> sSMTP ---> TCP
    #993 ---> sIMAP ---> TCP
    #995 ---> sPOP3 ---> TCP
    #2082 ---> Cpanel ---> TCP
    #2083 ---> secure Cpanel
    #2086 ---> WHM ---> TCP
    #2087 ---> secure WHM
    #2095 ---> WebMail ---> TCP
    #2096 ---> secure WebMail
    #3306 ---> MySQL ---> TCP
    #7786 ---> Ichange ---> TCP
    #6666 ---> Melange ---> TCP

    # Allow ftp inbound: control connection on 21; the active-mode data connection
    # leaves from port 20 and is tracked as RELATED by the ip_conntrack_ftp module loaded above
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT


    # Allow ssh inbound
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

    # Allow smtp inbound.
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

    ## DNS
    # NOTE: DNS uses tcp for zone transfers, for transfers greater than 512 bytes (possible, but unusual), and on certain
    # platforms like AIX (I am told), so you might have to add a copy of this rule for tcp if you need it
    # Allow UDP packets in for DNS client from nameservers.
    iptables -A INPUT -i $WAN_IFACE -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    # Allow UDP packets to DNS servers from client.
    iptables -A OUTPUT -o $WAN_IFACE -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT


    ## WWW INBOUND
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

    # Allow pop3 inbound.
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

    # Allow imap inbound.
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

    ## WWW Secure INBOUND
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT


    # Allow ssmtp inbound.
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT

    # Allow simap inbound.
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

    # Allow spop3 inbound.
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

    # Allow cpanel inbound.
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 2082 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 2082 -m state --state ESTABLISHED -j ACCEPT

    # Allow secure cpanel inbound.
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 2083 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 2083 -m state --state ESTABLISHED -j ACCEPT

    # Allow whm inbound.
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 2086 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 2086 -m state --state ESTABLISHED -j ACCEPT

    # Allow secure whm inbound.
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 2087 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 2087 -m state --state ESTABLISHED -j ACCEPT

    # Allow webmail inbound.
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 2095 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 2095 -m state --state ESTABLISHED -j ACCEPT

    # Allow secure webmail inbound.
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 2096 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 2096 -m state --state ESTABLISHED -j ACCEPT

    # Allow mysql inbound.
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

    # Allow ichange inbound.
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 7786 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 7786 -m state --state ESTABLISHED -j ACCEPT

    # Allow melange inbound.
    iptables -A INPUT -i $WAN_IFACE -p tcp --dport 6666 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $WAN_IFACE -p tcp --sport 6666 -m state --state ESTABLISHED -j ACCEPT

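An added example, not from the thread: the second part of the script repeats the same INPUT/OUTPUT pair for every port, which is easy to get wrong when copying (a port under the wrong heading, a state list that differs from its neighbours). The POSIX sh below generates those rules from one table instead. The table is an assumption, a subset of the port list in the post chosen here (the public mail, web and cPanel/WHM ports, without MySQL and the two chat ports, which a practitioner would normally restrict rather than open to the whole Internet); WAN_IFACE, IPTABLES and the function names are likewise introduced for this example. Because the generic ESTABLISHED,RELATED rules at the top of this part already admit return traffic, the generator emits only the inbound NEW rule per service.

```shell
#!/bin/sh
# Table-driven generation of per-service ACCEPT rules. Added example, not the
# thread's script. Set IPTABLES=echo to print the rules instead of applying them.
WAN_IFACE="${WAN_IFACE:-eth0}"
IPTABLES="${IPTABLES:-iptables}"

# name:proto:port, one entry per word. Constructed for this example from the
# port list in the post; only services that must be reachable from the Internet
# belong here, everything else stays closed by the default DROP policy.
SERVICES='ftp:tcp:21 ssh:tcp:22 smtp:tcp:25 dns:udp:53 dns:tcp:53 http:tcp:80
pop3:tcp:110 imap:tcp:143 https:tcp:443 smtps:tcp:465 imaps:tcp:993 pop3s:tcp:995
cpanel:tcp:2082 cpanel-ssl:tcp:2083 whm:tcp:2086 whm-ssl:tcp:2087
webmail:tcp:2095 webmail-ssl:tcp:2096'

# allow_inbound PROTO PORT: admit NEW connections to one service on the WAN
# interface. Return packets match the generic ESTABLISHED,RELATED rules, so no
# per-service OUTPUT rule is needed.
allow_inbound() {
    $IPTABLES -A INPUT -i "$WAN_IFACE" -p "$1" --dport "$2" -m state --state NEW -j ACCEPT
}

# apply_services: walk the table and emit one rule per entry.
apply_services() {
    for entry in $SERVICES; do
        proto=${entry#*:}          # strip "name:"
        proto=${proto%%:*}         # keep "proto"
        port=${entry##*:}          # keep "port"
        allow_inbound "$proto" "$port"
    done
}

# service_count: number of table entries, for cross-checking the generated rule set.
service_count() {
    set -- $SERVICES
    echo $#
}

# Preview: IPTABLES=echo sh services.sh
if [ "$IPTABLES" = echo ]; then
    apply_services
fi
```

Previewing with IPTABLES=echo before applying lets you diff the generated rules against `iptables -L INPUT -n` after loading, and the one-line-per-service table makes a review of "what is open to the Internet" a matter of reading eighteen words rather than forty rule lines.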
  3. bobbybobbertson

    ######################################################################################
    ############### good stuff i found at: http://www.sns.ias.edu/~jns/security/iptables/
    ######################################################################################

    ## LOGGING
    # You don't have to split up your logging like I do below, but I prefer to do it this way
    # because I can then grep for things in the logs more easily. One thing you probably want
    # to do is rate-limit the logging. I didn't do that here because it is probably best not to
    # when you first set things up ................. you actually really want to see everything going to
    # the logs to work out what isn't working and why. You can implement logging with
    # "-m limit --limit 6/h --limit-burst 5" (or similar) before the -j LOG in each case.
    #
    # Any udp not already allowed is logged and then dropped.
    iptables -A INPUT -i $WAN_IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
    iptables -A INPUT -i $WAN_IFACE -p udp -j DROP
    iptables -A OUTPUT -o $WAN_IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
    iptables -A OUTPUT -o $WAN_IFACE -p udp -j DROP
    # Any icmp not already allowed is logged and then dropped.
    iptables -A INPUT -i $WAN_IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
    iptables -A INPUT -i $WAN_IFACE -p icmp -j DROP
    iptables -A OUTPUT -o $WAN_IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
    iptables -A OUTPUT -o $WAN_IFACE -p icmp -j DROP
    # Any tcp not already allowed is logged and then dropped.
    iptables -A INPUT -i $WAN_IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
    iptables -A INPUT -i $WAN_IFACE -p tcp -j DROP
    iptables -A OUTPUT -o $WAN_IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
    iptables -A OUTPUT -o $WAN_IFACE -p tcp -j DROP
    # Anything else not already allowed is logged and then dropped.
    # It will be dropped by the default policy anyway ........ but let's be paranoid.
    iptables -A INPUT -i $WAN_IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
    iptables -A INPUT -i $WAN_IFACE -j DROP
    iptables -A OUTPUT -o $WAN_IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
    iptables -A OUTPUT -o $WAN_IFACE -j DROP

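An added example, not part of the thread: the LOG rules above tag every dropped packet with a prefix such as "IPTABLES TCP-IN: ", which is what makes the logs greppable. The POSIX sh and awk below turn a stream of those kernel log lines into two summaries a defender actually wants: drops per prefix (is the noise UDP, ICMP or TCP?) and, per source address, how many distinct destination ports it touched, a crude indicator of a port scan against the closed ports. The sample lines are constructed for this example in the field layout the kernel LOG target uses (SRC=, DST=, PROTO=, DPT=); the addresses are documentation ranges, and the function names are assumptions.

```shell
#!/bin/sh
# Summaries over iptables LOG output. Added example, not the thread's script.
# Both functions read log lines on stdin, so they work on /var/log/messages as
# well as on the constructed sample below.

# Constructed sample: five dropped packets from the LOG rules plus one unrelated
# sshd line that must be ignored.
SAMPLE_LOG='Sep 13 10:01:02 host kernel: IPTABLES TCP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40123 DPT=23 SYN
Sep 13 10:01:03 host kernel: IPTABLES TCP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40124 DPT=3389 SYN
Sep 13 10:01:05 host kernel: IPTABLES UDP-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=78 PROTO=UDP SPT=5353 DPT=137
Sep 13 10:01:09 host kernel: IPTABLES TCP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40125 DPT=1433 SYN
Sep 13 10:02:00 host kernel: IPTABLES ICMP-IN: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=84 PROTO=ICMP TYPE=3 CODE=3
Sep 13 10:02:01 host sshd[123]: Accepted publickey for admin from 192.0.2.8'

# count_by_prefix: number of logged packets per log prefix (the word between
# "IPTABLES " and ":"), sorted by prefix name.
count_by_prefix() {
    awk 'match($0, /IPTABLES [A-Z-]+:/) {
             p = substr($0, RSTART + 9, RLENGTH - 10)   # "IPTABLES " is 9 chars, drop the ":"
             n[p]++
         }
         END { for (p in n) printf "%s %d\n", p, n[p] }' | sort
}

# top_sources: for each SRC address, the number of distinct destination ports it
# was logged against, busiest first. Lines without DPT= (ICMP) are skipped.
top_sources() {
    awk '/IPTABLES / {
             src = ""; dpt = ""
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^SRC=/) src = substr($i, 5)
                 if ($i ~ /^DPT=/) dpt = substr($i, 5)
             }
             if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
         }
         END { for (s in ports) printf "%s %d\n", s, ports[s] }' | sort -k2,2nr
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_by_prefix   # -> ICMP-IN 1 / TCP-IN 3 / UDP-IN 1
printf '%s\n' "$SAMPLE_LOG" | top_sources       # -> 203.0.113.5 3 / 203.0.113.9 1
```

On a live host, `top_sources < /var/log/messages | head` gives the addresses worth a closer look; once the baseline is understood, this is also the point at which the rate limit the post mentions ("-m limit --limit 6/h --limit-burst 5" before each -j LOG) becomes sensible, because a single scanner would otherwise fill the log at the full drop rate.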