Linux - Security. This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I have the following firewall script, called by /etc/rc.d/rc.local:
It failed to run with "no such file and directory".
Running it manually with a syntax check, sh -n firewall, it complains of a problem in the first for loop.
Can anyone show me how to correct it? I am a newbie in Linux and iptables.
Quote:
#! /bin/sh
#
# Original Script Reference
# http://www.sns.ias.edu/~jns/security...les/rules.html
# http://www.study-area.org/linux/servers/linux_nat.htm
#
# Modified by - Matthew Chin
# Date - 2004/06/05
# Version - 1.0
#
# Redistribution of this file is permitted under the terms of
# the GNU General Public License (GPL).
#
#
# --------------- Start of Script ---------------
#
# --------------- Some definitions ---------------
echo "Set up definitions..."
IFACE="eth0"
IPADDR="192.168.1.5"
BROADCAST="192.168.1.255"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/4"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
TR_TCP_PORTS="20 21 22 23 25 53 80 110 113 139 143 220 443 445 465 515 631 783 993 995 3000 3306 6000 10000 10001"
TR_UDP_PORTS="53 137 138 445"
# --------------- Allowed TCP, UDP port description ---------------
# 20 - ftp data
# 21 - ftp control
# 22 - SSH
# 23 - Telnet
# 25 - SMTP
# 53 - DNS
# 80 - WWW
# 110 - POP3
# 113 - auth
# 137 - samba
# 138 - samba
# 139 - samba
# 143 - IMAP
# 220 - IMAP3
# 443 - https
# 445 - samba
# 465 - SMTP over SSL (smtps)
# 515 - printer
# 631 - ipp (CUPS)
# 783 - hp-alarm-mgr
# 993 - IMAP over SSL (imaps)
# 995 - POP3 over SSL (pop3s)
# 3000 - palantir - webcam
# 3306 - mysql
# 6000 - X11
# 10000 - webmin
# 10001 - router remote
#
# --------------- Load appropriate modules ---------------
echo "Loading modules..."
#
# 2.4 kernels ship modules as .o files, 2.6 and later as .ko. If a glob matches
# nothing the shell leaves the literal pattern in $file, so skip anything that
# does not exist. "&>" is bash-only; under #!/bin/sh use ">/dev/null 2>&1".
MODDIR="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter"
for file in "$MODDIR"/ip_conntrack_*.o "$MODDIR"/ip_conntrack_*.ko
do
    [ -e "$file" ] || continue
    module=$(basename "$file")
    /sbin/modprobe "${module%.*}" >/dev/null 2>&1
done
for file in "$MODDIR"/ip_nat_*.o "$MODDIR"/ip_nat_*.ko
do
    [ -e "$file" ] || continue
    module=$(basename "$file")
    /sbin/modprobe "${module%.*}" >/dev/null 2>&1
done
#
# --------------- ip forwarding ---------------
echo "Turning on IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# --------------- anti spoofing etc ---------------
echo "Turning on anti-spoofing..."
for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $file
done
#
# Disable response to ping.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
#
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo "0" > ${interface}
done
#
# Enable bad error message protection.
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#
# Log spoofed packets, source routed packets, redirect packets.
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
#
# ---------- Remove all rules ----------
echo "Cleaning up..."
iptables -F
iptables -X
iptables -Z
#
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
#
# ------------- Policies -------------
echo "Setting up policies to ACCEPT..."
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
#
# --------------- Rules ---------------
echo "Creating rules ..."
# Allow unlimited traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#
# SYN-FLOODING PROTECTION
# This rule limits the rate of incoming connections. In order to do this we divert tcp
# packets with the SYN bit set off to a user-defined chain. Up to limit-burst connections
# can arrive in 1/limit seconds ..... in this case 4 connections in one second. After this, one
# of the burst is regained every second and connections are allowed again. The default limit
# is 3/hour. The default limit burst is 5.
#
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
#
# Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
#
#
# Refuse spoofed packets pretending to be from your IP address.
iptables -A INPUT -i $IFACE -s $IPADDR -j DROP
# Refuse packets claiming to be from a Class A private network.
iptables -A INPUT -i $IFACE -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network.
iptables -A INPUT -i $IFACE -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network.
# iptables -A INPUT -i $IFACE -s $CLASS_C -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
iptables -A INPUT -i $IFACE -s $CLASS_D_MULTICAST -j DROP
# Refuse Class E reserved IP addresses.
iptables -A INPUT -i $IFACE -s $CLASS_E_RESERVED_NET -j DROP
# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
iptables -A INPUT -i $IFACE -d $LOOPBACK -j DROP
# Refuse broadcast address packets.
iptables -A INPUT -i $IFACE -d $BROADCAST -j DROP
#
# --------------- ICMP ---------------
echo "Creating ICMP chain...."
# We prefilter icmp by pulling it off to user-defined chains so that we can restrict which
# types are allowed from the beginning rather than leaving it to the connection tracking.
# For instance, we don't want redirects whatever happens.
# In case you hadn't realised, ICMP scares me ...................
#
# 0: echo reply (pong)
# 3: destination-unreachable (port-unreachable, fragmentation-needed etc).
# 4: source quench
# 5: redirect
# 8: echo request (ping)
# 9: router advertisement
# 10: router solicitation
# 11: time-exceeded
# 12: parameter-problem
# 13: timestamp request
# 14: timestamp reply
# 15: information request
# 16: information reply
# 17: address mask request
# 18: address mask reply
#
iptables -N icmp-in
iptables -N icmp-out
#
iptables -A INPUT -i $IFACE -p icmp -j icmp-in
iptables -A OUTPUT -o $IFACE -p icmp -j icmp-out
#
# Accept 0,3,4,11,12,14,16,18 in.
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 0 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 3 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 4 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 11 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 12 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 14 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 16 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 18 -s 0/0 -d $IPADDR -j RETURN
# Allow 4,8,12,13,15,17 out.
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 4 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 8 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 12 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 13 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 15 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 17 -s $IPADDR -d 0/0 -j RETURN
#
# Any ICMP not already allowed is logged and then dropped.
iptables -A icmp-in -i $IFACE -j LOG --log-prefix "IPTABLES ICMP-BAD-TYPE-IN: "
iptables -A icmp-in -i $IFACE -j DROP
iptables -A icmp-out -o $IFACE -j LOG --log-prefix "IPTABLES ICMP-BAD-TYPE-OUT: "
iptables -A icmp-out -o $IFACE -j DROP
#
# Now we have returned from the icmp-in chain allowing only certain types
# of icmp inbound, we can accept it if it is related to other connections
# (e.g a time exceed from a traceroute) or part of an established one
# (e.g. an echo reply)
iptables -A INPUT -i $IFACE -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Now we have returned from the icmp-out chain allowing only certain types
# of icmp outbound, we can just accept it under all circumstances.
iptables -A OUTPUT -o $IFACE -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# --------------- services ---------------
echo "Creating services chain...."
iptables -N services
for PORT in $TR_TCP_PORTS; do
iptables -A services -i $IFACE -p tcp --dport $PORT -j ACCEPT
done
for PORT in $TR_UDP_PORTS; do
iptables -A services -i $IFACE -p udp --dport $PORT -j ACCEPT
done
#
# ------------- block -------------
echo "Creating block chain..."
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! $IFACE -j ACCEPT
iptables -A block -j DROP
#
# ------------- filter -------------
echo "Filtering packets..."
#
iptables -A INPUT -j services
iptables -A INPUT -j block
iptables -A FORWARD -j block
#
# FTP
echo "FTP control..."
# Allow ftp outbound.
iptables -A INPUT -i $IFACE -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Now for the connection tracking part of ftp. This is discussed more completely in my section
# on connection tracking to be found here.
# 1) Active ftp.
# This involves a connection INbound from port 20 on the remote machine, to a local port
# passed over the ftp channel via a PORT command. The ip_conntrack_ftp module recognizes
# the connection as RELATED to the original outgoing connection to port 21 so we don't
# need NEW as a state match.
iptables -A INPUT -i $IFACE -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
#
# 2) Passive ftp.
# This involves a connection outbound from a port >1023 on the local machine, to a port >1023
# on the remote machine previously passed over the ftp channel in the server's reply to a
# PASV command. The ip_conntrack_ftp module recognizes the connection as RELATED to the
# original outgoing connection to port 21 so we don't need NEW as a state match.
iptables -A INPUT -i $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
-m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#
# TRACEROUTE
echo "TRACEROUTE control..."
# Outgoing traceroute anywhere.
# The replies to a traceroute are icmp time-exceeded (type 11) messages, which the icmp-in
# chain above lets through and which connection tracking then accepts as RELATED.
iptables -A OUTPUT -o $IFACE -p udp --sport $TR_SRC_PORTS --dport $TR_DEST_PORTS \
-m state --state NEW -j ACCEPT
#
# FORWARD
echo "Forward control..."
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
iptables -A FORWARD -j ACCEPT
#
iptables -A FORWARD -j LOG --log-prefix "IPTABLES FORWARD: "
#
iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
#
# ------------- Logging -------------
echo "Logging..."
# You don't have to split up your logging like I do below, but I prefer to do it this way
# because I can then grep for things in the logs more easily. One thing you probably want
# to do is rate-limit the logging. I didn't do that here because it is probably best not to
# when you first set things up ................. you actually really want to see everything going to
# the logs to work out what isn't working and why. You can implement logging with
# "-m limit --limit 6/h --limit-burst 5" (or similar) before the -j LOG in each case.
#
# Any udp not already allowed is logged and then dropped.
iptables -A INPUT -i $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i $IFACE -p udp -j DROP
iptables -A OUTPUT -o $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
iptables -A OUTPUT -o $IFACE -p udp -j DROP
# Any icmp not already allowed is logged and then dropped.
iptables -A INPUT -i $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i $IFACE -p icmp -j DROP
iptables -A OUTPUT -o $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
iptables -A OUTPUT -o $IFACE -p icmp -j DROP
# Any tcp not already allowed is logged and then dropped.
iptables -A INPUT -i $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i $IFACE -p tcp -j DROP
iptables -A OUTPUT -o $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
iptables -A OUTPUT -o $IFACE -p tcp -j DROP
# Anything else not already allowed is logged and then dropped.
# Note that the default policies set above are ACCEPT, not DROP, so on $IFACE these final
# rules are the real catch-all; with DROP policies they would merely be belt and braces.
iptables -A INPUT -i $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
iptables -A INPUT -i $IFACE -j DROP
iptables -A OUTPUT -o $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
iptables -A OUTPUT -o $IFACE -j DROP
#
echo "Firewall Setup is Completed..."
#
# --------------- End of Script ---------------
#
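Two things in the script above are worth a second look before it goes on a box that faces the Internet: every default policy is set to ACCEPT, so if any iptables command fails part-way through (a typo, a missing module, a port that does not parse) the host is left open rather than closed, and the services chain opens telnet, MySQL, X11 and webmin on eth0. The following is an added example, not code from the thread or from the referenced rules.html, that audits an iptables-save dump for both points. The dump and the RISKY_PORTS list are constructed for this example; adjust the list to your own policy.

```shell
#!/bin/sh
# Added example (not part of the posted script): audit iptables-save output
# for (1) built-in filter chains whose default policy is not DROP and
# (2) TCP ports accepted in an "allowed services" chain that a host should
# not expose on its Internet-facing interface.
# RISKY_PORTS is this example's own choice; the dump below is constructed.

RISKY_PORTS="23 139 445 3306 6000 10000"

# Read iptables-save output on stdin; print the filter-table built-in
# chains whose policy is something other than DROP, space separated.
non_drop_policies() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:[A-Z]+ (ACCEPT|DROP|REJECT)/ {
            if ($2 != "DROP") { printf "%s%s", sep, substr($1, 2); sep = " " }
        }
    '
}

# Read iptables-save output on stdin; print every TCP --dport that chain $1
# accepts, space separated, in rule order.
accepted_tcp_ports() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain && /-p tcp/ && /-j ACCEPT$/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport") { printf "%s%s", sep, $(i + 1); sep = " " }
        }
    '
}

# Print the members of $1 (space-separated ports) that appear in RISKY_PORTS.
risky_in_list() {
    sep=""
    for p in $1; do
        for r in $RISKY_PORTS; do
            if [ "$p" = "$r" ]; then printf '%s%s' "$sep" "$p"; sep=" "; fi
        done
    done
}

# Constructed iptables-save dump modelled on the script above.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:services - [0:0]
-A INPUT -j services
-A services -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A services -i eth0 -p tcp -m tcp --dport 23 -j ACCEPT
-A services -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A services -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A services -i eth0 -p tcp -m tcp --dport 6000 -j ACCEPT
-A services -i eth0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# $1 = iptables-save text. Prints findings; returns 1 if anything was flagged.
audit() {
    rc=0
    weak=$(printf '%s\n' "$1" | non_drop_policies)
    if [ -n "$weak" ]; then
        echo "default policy is not DROP on: $weak"; rc=1
    fi
    risky=$(risky_in_list "$(printf '%s\n' "$1" | accepted_tcp_ports services)")
    if [ -n "$risky" ]; then
        echo "services chain exposes risky TCP ports: $risky"; rc=1
    fi
    return $rc
}

audit "$SAMPLE_DUMP" || echo "audit flagged problems"
```

On a live box feed it real output: `iptables-save | non_drop_policies`. A nat-table policy of ACCEPT is normal and is deliberately ignored; only the filter table is checked.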
Quote: "Running it manually with a syntax check, sh -n firewall, it complains of a problem in the first for loop."
The first loop works for me. Verify that the paths used in the script are correct for your system (i.e. make sure the directory /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ exists) and that you have the proper permissions when executing the script (i.e. normal users can't execute modprobe).
> sh -n firewall
firewall: line 67: syntax error near unexpected token `do
'
firewall: line 67: `for file in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_*.o; do
'
Are you absolutely sure the script is 100% identical to what you've posted? Maybe highlight and copy the posted script, then paste it into a new file and diff them. Aside from that, I'm not sure why it isn't working for you. I did notice that, for me, the for loop and the do statement are on different line numbers, with no semicolon. That doesn't seem to make a difference by itself, but it does lead me to think that maybe the version you're running is different somehow.
/bin/sh and /bin/bash are both *NIX shells. /bin/sh refers to the bourne shell, while /bin/bash is the bourne again shell. They are very similar, but do have some slight differences. There are all kinds of other shells available: csh, ksh, zsh, etc. If you are really curious, here is a little history about the different shells.
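The sh -n output posted above shows the `do` token followed by a line break inside the quotes. That is what a shell prints when the line ends in a carriage return, i.e. the file was saved with CRLF line endings, so the parser sees the token "do<CR>" rather than "do" even though the loop looks correct. The sh-versus-bash point also matters here: the script's `&>/dev/null` is bash-only, and a non-bash /bin/sh reads it as "&" (run in background) followed by ">/dev/null". The following is an added example, not from the thread, that checks a script for both before it is run. The two sample scripts are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: two checks to run on a copy of a
# firewall script before executing it under #!/bin/sh.
#   1. lines ending in a carriage return (CRLF line endings), one cause of
#      "syntax error near unexpected token `do'" on a loop that looks right.
#   2. the bash-only redirection "&>", which a non-bash /bin/sh parses as
#      "&" (background) followed by ">file".
# The sample scripts written below are constructed for this example.

# Print the numbers of the lines in $1 that end in a carriage return;
# exit status 0 if any were found, 1 otherwise.
find_cr_lines() {
    awk '/\r$/ { printf "%s%d", sep, NR; sep = " "; found = 1 }
         END { exit !found }' "$1"
}

# Print the numbers of the lines in $1 that use "&>"; same exit status.
find_bashisms() {
    awk '/&>/ { printf "%s%d", sep, NR; sep = " "; found = 1 }
         END { exit !found }' "$1"
}

# Report both problems for the script in $1; return 1 if either is present.
check_script() {
    rc=0
    if cr=$(find_cr_lines "$1"); then
        printf '%s\n' "$1: carriage return at end of line(s) $cr (strip with: tr -d '\\r' < $1 > $1.lf)"
        rc=1
    fi
    if bl=$(find_bashisms "$1"); then
        printf '%s\n' "$1: bash-only '&>' on line(s) $bl (POSIX form: >/dev/null 2>&1)"
        rc=1
    fi
    return $rc
}

SAMPLE_CRLF=$(mktemp)
SAMPLE_CLEAN=$(mktemp)
trap 'rm -f "$SAMPLE_CRLF" "$SAMPLE_CLEAN"' EXIT

# The same loop as the posted script, once saved with CRLF endings (and the
# bash-only redirection) and once as a plain POSIX sh script.
printf '#! /bin/sh\r\nfor file in /lib/modules/*.o\r\ndo\r\nmodprobe x &>/dev/null\r\ndone\r\n' > "$SAMPLE_CRLF"
printf '#! /bin/sh\nfor file in /lib/modules/*.o\ndo\nmodprobe x >/dev/null 2>&1\ndone\n' > "$SAMPLE_CLEAN"

check_script "$SAMPLE_CRLF" || printf '%s\n' "fix $SAMPLE_CRLF before running it"
check_script "$SAMPLE_CLEAN" && printf '%s\n' "$SAMPLE_CLEAN: no problems found"
```

Run `check_script firewall` on the real file; a CRLF problem is also visible with `cat -A firewall | head`, where every affected line ends in `^M$`.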
I'm with heema on this one. Get a more mainstream, easier to use firewall that is already debugged. Trying to debug your script from a forum post is somewhat time consuming. Why re-invent the wheel? The two best firewalls I've seen are Shorewall and homeLANsecurity. Of the two, homeLANsecurity is the easiest to use. Why not start with one of these and only script something if they don't already have it built in?