
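# --- Kernel network hardening via /proc/sys --------------------------
# Writes go straight to procfs, so this must run as root.
# NOTE(review): in the extracted copy each "for" loop below had been
# fused onto its comment line, which turned the whole loop into a
# comment; the loops are restored here and the loop variable is quoted.

# Ignore ICMP echo requests addressed to a broadcast address.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > "$f"
done

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > "$f"
done

# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
  echo 0 > "$f"
done

# Drop Spoofed Packets coming in on an interface, which, if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done

# Log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
  echo 1 > "$f"
done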

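###############################################################
# Flush existing rules and reset policies.
# $IPT (path to the iptables binary) and $LOOPBACK_INTERFACE are set
# earlier in the script, outside this copy.
# NOTE(review): in the extracted copy "$IPT --flush" and the two loopback
# ACCEPT rules had been fused onto their comment lines (so they never
# ran), and several long options appeared as an em-dash (—) instead of
# "--".  Both are repaired here.

# Remove any existing rules from all chains
"$IPT" --flush
"$IPT" -t mangle --flush
# NOTE(review): the nat table is not flushed here although its policies
# are reset below — confirm against the original.

# Open everything up while the rule set is rebuilt.
"$IPT" --policy INPUT ACCEPT
"$IPT" --policy OUTPUT ACCEPT
"$IPT" --policy FORWARD ACCEPT
"$IPT" -t nat --policy PREROUTING ACCEPT
"$IPT" -t nat --policy OUTPUT ACCEPT
"$IPT" -t nat --policy POSTROUTING ACCEPT
"$IPT" -t mangle --policy PREROUTING ACCEPT
"$IPT" -t mangle --policy OUTPUT ACCEPT

# "stop" branch: leave the host with ACCEPT policies and no rules.
# NOTE(review): the "if" head of this branch was lost in extraction;
# only "then ... fi" survives, so the condition must be restored from
# the original before this script can parse.  "exit 0" and "fi" had
# also been fused onto one line, which makes "fi" an argument to exit.
then
  echo "Firewall completely stopped! WARNING: THIS HOST HAS NO FIREWALL RUNNING."
  exit 0
fi

# Unlimited traffic on the loopback interface
"$IPT" -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
"$IPT" -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

# Set the default policy to drop
# NOTE(review): the extracted copy used REJECT here, but a built-in
# chain policy can only be ACCEPT or DROP; REJECT is a target, not a
# policy, and "iptables --policy ... REJECT" fails with "Bad policy
# name", which would have left the ACCEPT policies set above in place.
"$IPT" --policy INPUT DROP
"$IPT" --policy OUTPUT DROP
"$IPT" --policy FORWARD DROP
###############################################################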

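# Stealth Scans and TCP State Flags
# Drop TCP segments whose flag combinations never occur in a legitimate
# connection.  Each check is applied to both INPUT and FORWARD.
# NOTE(review): "--tcp-flags" appeared as an em-dash (—) in the
# extracted copy and has been restored.

# All of the bits are cleared
"$IPT" -A INPUT   -p tcp --tcp-flags ALL NONE -j DROP
"$IPT" -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

# SYN and FIN are both set
"$IPT" -A INPUT   -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
"$IPT" -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN and RST are both set
# NOTE(review): the next two lines are fragments — presumably the
# "$IPT -A <chain> -p tcp --tcp-flags" head of each rule was lost in
# extraction; they cannot run as written.
SYN,RST SYN,RST -j DROP
SYN,RST SYN,RST -j DROP

# FIN and RST are both set
# NOTE(review): fragments, same loss as above.
FIN,RST FIN,RST -j DROP
FIN,RST FIN,RST -j DROP

# FIN is the only bit set, without the expected accompanying ACK
"$IPT" -A INPUT   -p tcp --tcp-flags ACK,FIN FIN -j DROP
"$IPT" -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP

# PSH is the only bit set, without the expected accompanying ACK
"$IPT" -A INPUT   -p tcp --tcp-flags ACK,PSH PSH -j DROP
"$IPT" -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP

# URG is the only bit set, without the expected accompanying ACK
"$IPT" -A INPUT   -p tcp --tcp-flags ACK,URG URG -j DROP
"$IPT" -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP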

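###############################################################
# Using Connection State to By-pass Rule Checking
# Using the state module alone, INVALID will break protocols that use
# bidirectional connections or multiple connections or exchanges,
# unless an ALG is provided for the protocol. At this time, FTP is the
# only protocol with ALG support.

# Accept anything that belongs to, or is related to, a connection the
# kernel already tracks, so the per-service rules that follow only need
# to match the first (NEW) packet of each connection.
"$IPT" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log, then drop, packets the tracker classifies as INVALID.
# NOTE(review): each "--log-prefix" line below is a fragment — the
# "$IPT -A <chain> -m state --state INVALID -j LOG \" head it belongs
# to was lost in extraction, and the matching DROP rule had been fused
# onto the same line.  The DROP rules are complete.
--log-prefix "INVALID input: "
"$IPT" -A INPUT -m state --state INVALID -j DROP
--log-prefix "INVALID output: "
"$IPT" -A OUTPUT -m state --state INVALID -j DROP
--log-prefix "INVALID forward: "
"$IPT" -A FORWARD -m state --state INVALID -j DROP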

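###############################################################
# Source Address Spoofing and Other Bad Addresses
# NOTE(review): "-s ! addr" / "-p ! udp" is the old intrapositioned
# negation; current iptables still accepts it with a deprecation
# warning, the modern spelling is "! -s addr".  Continuation lines that
# had been collapsed into "\ " (an escaped space) are restored.

# Refuse spoofed packets pretending to be from you
"$IPT" -A INPUT   -s "$DMZ_IPADDR" -j DROP
"$IPT" -A FORWARD -s "$DMZ_IPADDR" -j DROP
"$IPT" -A FORWARD -s "$LAN_IPADDR" -j DROP

# NOTE(review): fragment — the head of this rule was lost in extraction.
-s "$LAN_ADDRESSES" -j DROP
# LAN addresses must not arrive on the DMZ interface ...
"$IPT" -A FORWARD -i "$DMZ_INTERFACE" \
  -s "$LAN_ADDRESSES" -j DROP
# ... and only LAN addresses may arrive on the LAN interface.
"$IPT" -A FORWARD -i "$LAN_INTERFACE" \
  -s ! "$LAN_ADDRESSES" -j DROP

# Only the firewall's own address on each interface may leave through it.
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -s ! "$DMZ_IPADDR" -j DROP
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -s ! "$LAN_IPADDR" -j DROP

# NOTE(review): this "if" has no closing "fi" in the extracted copy and
# the rule inside it is a fragment (its "$IPT -A OUTPUT ... \" head was
# lost).  From "--dport 68" it addresses the DHCP client port,
# presumably so a DHCP server on this host can answer before the OUTPUT
# anti-spoof DROP that follows — confirm against the original.
if [ "$DHCP_SERVER" = "1" ]; then
  -d "$BROADCAST_DEST" --dport 68 -j ACCEPT
# NOTE(review): repeats the OUTPUT rule already added above; as written
# the second copy is redundant.
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -s ! "$LAN_IPADDR" -j DROP

# Refuse malformed broadcast packets
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" \
  -d "$BROADCAST_SRC" -j DROP
# NOTE(review): the extracted copy repeats the rule above verbatim; the
# second copy may have been a different rule originally — confirm.
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" \
  -d "$BROADCAST_SRC" -j DROP

# Don't forward directed broadcasts
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" \
  -d "$DMZ_NETWORK" -j DROP
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" \
  -d "$DMZ_BROADCAST" -j DROP

# Don't forward limited broadcasts in either direction
"$IPT" -A FORWARD -d "$BROADCAST_DEST" -j DROP

# Drop anything other than UDP sent to Class D (multicast) addresses.
# NOTE(review): $CLASS_D_MULTICAST is reconstructed from the garbled
# "$ CLAS S_D_MULT ICAST"; confirm the name where the variable is defined.
"$IPT" -A INPUT   -p ! udp -d "$CLASS_D_MULTICAST" -j DROP
"$IPT" -A FORWARD -p ! udp -d "$CLASS_D_MULTICAST" -j DROP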

###############################################################

# ICMP Control and Status Messages

# Log and drop initial ICMP fragments $IPT -A INPUT --fragment -p icmp -j LOG \

--log-prefix "Fragmented incoming ICMP: " $IPT -A INPUT --fragment -p icmp -j DROP

--log-prefix "Fragmented outgoing ICMP: $IPT -A OUTPUT --fragment -p icmp -j DROP

--log-prefix "Fragmented forwarded ICMP: $IPT -A FORWARD --fragment -p icmp -j DROP

--icmp-type source-quench -d $DMZ_IPADDR -j ACCEPT

--icmp-type source-quench -j ACCEPT $IPT -A FORWARD -p icmp \

--icmp-type source-quench -j ACCEPT

--icmp-type parameter-problem -j ACCEPT

--icmp-type parameter-problem -j ACCEPT

--icmp-type parameter-problem -j ACCEPT

--icmp-type destination-unreachable -j ACCEPT

--icmp-type destination-unreachable -d $LAN_ADDRESSES -j ACCEPT

--icmp-type destination-unreachable -d $LAN_ADDRESSES -j ACCEPT

--icmp-type fragmentation-needed -j ACCEPT

# Don't log dropped outgoing ICMP error messages

--icmp-type destination-unreachable -j DROP

--icmp-type destination-unreachable -j DROP

# Intermediate traceroute responses

--icmp-type time-exceeded -j ACCEPT

--icmp-type time-exceeded -d $LAN_ADDRESSES -j ACCEPT

# allow outgoing pings to anywhere if [ "$CONNECTION_TRACKING" = "1" ]; then

--icmp-type echo-request \ -m state --state NEW -j ACCEPT

--icmp-type echo-request -s $LAN_ADDRESSES \ -m state --state NEW -j ACCEPT

# allow incoming pings from trusted hosts if [ "$CONNECTION_TRACKING" = "1" ]; then

-s $GATEWAY_IPADDR --icmp-type echo-request -d $DMZ_IPADDR \ -m state --state NEW -j ACCEPT

-s $LAN_ADDRESSES --icmp-type echo-request -d $LAN_IPADDR \ -m state --state NEW -j ACCEPT

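###############################################################
# DNS Name Server

# DNS LAN clients to private server (53)
# NOTE(review): the three rules below are fragments — presumably the
# "$IPT -A INPUT -i <iface> -p <udp|tcp> \" head of each was lost in
# extraction.  "--sport" appeared as an em-dash (—) and is restored.
-s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$LAN_IPADDR" --dport 53 \
  -m state --state NEW -j ACCEPT
-s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$LAN_IPADDR" --dport 53 \
  -m state --state NEW -j ACCEPT
-s "$DMZ_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$DMZ_IPADDR" --dport 53 \
  -m state --state NEW -j ACCEPT

# DNS caching & forwarding name server (53)
# NOTE(review): $NAMESERVER is reconstructed from the garbled
# "$ NAME S E RVE R"; confirm the name where the variable is defined.
# Server-to-server query: our port 53 to the upstream server's port 53.
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p udp \
  -s "$DMZ_IPADDR" --sport 53 \
  -d "$NAMESERVER" --dport 53 \
  -m state --state NEW -j ACCEPT
# (fragments: heads lost)
-s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$NAMESERVER" --dport 53 \
  -m state --state NEW -j ACCEPT
-d "$NAMESERVER" --dport 53 \
  -m state --state NEW -j ACCEPT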

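###############################################################
# Filtering the AUTH User Identification Service (TCP Port 113)
# NOTE(review): throughout this block "$ LAN_INTERFACE"-style spacing
# (a literal "$" followed by a word), em-dash long options and "\ "
# collapsed continuations are extraction damage and are repaired.

# LAN clients -> DMZ ident servers, and DMZ clients -> LAN ident servers.
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 113 \
  -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -i "$DMZ_INTERFACE" -o "$LAN_INTERFACE" -p tcp \
  --sport "$UNPRIVPORTS" -d "$LAN_ADDRESSES" --dport 113 \
  -m state --state NEW -j ACCEPT
# NOTE(review): fragments — the "$IPT -A INPUT ... -p tcp \" heads were lost.
-s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" -d "$LAN_IPADDR" --dport 113 \
  -m state --state NEW -j ACCEPT
-s "$DMZ_ADDRESSES" --sport "$UNPRIVPORTS" -d "$DMZ_IPADDR" --dport 113 \
  -m state --state NEW -j ACCEPT

###############################################################
# Sending Mail to the Mail Gateway Server (TCP Port 25)
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$MAIL_SERVER" --dport 25 \
  -m state --state NEW -j ACCEPT
# (fragment: head lost)
-s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$MAIL_SERVER" --dport 25 \
  -m state --state NEW -j ACCEPT

###############################################################
# Retrieving Mail as a POP Client (TCP Port 110)
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$POP_SERVER" --dport 110 \
  -m state --state NEW -j ACCEPT
# (fragment: head lost)
-s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$POP_SERVER" --dport 110 \
  -m state --state NEW -j ACCEPT

###############################################################
# Accessing Usenet News Services (TCP NNTP Port 119)
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$NEWS_SERVER" --dport 119 \
  -m state --state NEW -j ACCEPT

###############################################################
# NOTE(review): the section header is missing in the extracted copy;
# the rules use port 22 and $SSH_CLIENT, so this is the SSH section.
# (fragment: head lost)
-s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$DMZ_ADDRESSES" --dport 22 \
  -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 22 \
  -m state --state NEW -j ACCEPT
# NOTE(review): a page-break watermark split this rule in the copy; it is
# rejoined here.  No "-d ... --dport 22" line survived, so as written the
# rule admits any NEW TCP connection from $SSH_CLIENT into the LAN —
# confirm the destination/port line against the original.
"$IPT" -A FORWARD -i "$DMZ_INTERFACE" -o "$LAN_INTERFACE" -p tcp \
  -s "$SSH_CLIENT" --sport "$UNPRIVPORTS" \
  -m state --state NEW -j ACCEPT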

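###############################################################
# Outgoing Local Client Requests to Remote Servers
# NOTE(review): "$ LAN_INTERFACE"-style spacing, em-dash long options
# and "\ " collapsed continuations are extraction damage, repaired here.
# Lines consisting only of "-m state --state NEW -j ACCEPT" are the
# tails of rules whose leading lines were lost; they are kept so the
# loss is visible but cannot run as written.

# FTP control connection (TCP Port 21)
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 21 \
  -m state --state NEW -j ACCEPT
# (fragment: head lost)
-s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" --dport 21 \
  -m state --state NEW -j ACCEPT

###############################################################
# HTTP Web Traffic (TCP Port 80)
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 80 \
  -m state --state NEW -j ACCEPT
# (tail fragment: leading lines lost)
-m state --state NEW -j ACCEPT

###############################################################
# SSL Web Traffic (TCP Port 443)
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 443 \
  -m state --state NEW -j ACCEPT
# (tail fragment: leading lines lost)
-m state --state NEW -j ACCEPT

###############################################################
# TCP Port 43 — section header missing in the copy (presumably whois).
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 43 \
  -m state --state NEW -j ACCEPT
# (tail fragment: leading lines lost)
-m state --state NEW -j ACCEPT

###############################################################
# Networked Printer (TCP Port 515)
# (fragment: head lost)
-s "$LAN_IPADDR" --sport "$PRIVPORTS" \
  -d "$PRINTER_ADDRESS" --dport 515 \
  -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -i "$DMZ_INTERFACE" -o "$LAN_INTERFACE" -p tcp \
  -s "$DMZ_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$PRINTER_ADDRESS" --dport 515 \
  -m state --state NEW -j ACCEPT

###############################################################
# Accessing Network Time Server (UDP 123)
# Note: Some client and servers use source port 123
# when querying a remote server on destination port 123.
# NOTE(review): fragment — head lost; "$ GATEWAY_IPADDR" and "12 3" are
# restored to $GATEWAY_IPADDR and 123 (the port named in the header).
-s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$GATEWAY_IPADDR" --dport 123 \
  -m state --state NEW -j ACCEPT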


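# NTP, continued (UDP 123): LAN clients to the firewall's own port 123.
# NOTE(review): the first rule is a fragment (head lost in extraction);
# the second is complete and uses source port 123, as the section note
# above describes.  "12 3" is restored to 123 and em-dash options to "--".
-s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$LAN_IPADDR" --dport 123 \
  -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp \
  -s "$LAN_ADDRESSES" --sport 123 \
  -d "$LAN_IPADDR" --dport 123 \
  -m state --state NEW -j ACCEPT

###############################################################
# Accessing a Local DHCP Server (UDP Ports 67, 68)
# These are stateless (no -m state): the exchange is broadcast-based.
# NOTE(review): "$BROADCAST DEST" is restored to $BROADCAST_DEST (the
# name used elsewhere in this script).

# Client (port 68) broadcast to server (port 67) ...
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp \
  -s "$BROADCAST_SRC" --sport 68 \
  -d "$BROADCAST_DEST" --dport 67 -j ACCEPT
# ... and server (port 67) broadcast replies to the client (port 68).
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p udp \
  -s "$BROADCAST_SRC" --sport 67 \
  -d "$BROADCAST_DEST" --dport 68 -j ACCEPT
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p udp \
  -s "$LAN_IPADDR" --sport 67 \
  -d "$BROADCAST_DEST" --dport 68 -j ACCEPT

# Unicast client -> server and server -> client.
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp \
  -s "$BROADCAST_SRC" --sport 68 \
  -d "$LAN_IPADDR" --dport 67 -j ACCEPT
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p udp \
  -s "$LAN_IPADDR" --sport 67 \
  -d "$LAN_ADDRESSES" --dport 68 -j ACCEPT
# NOTE(review): the extracted copy repeats the rule above verbatim; the
# second copy may have been a different rule originally — confirm.
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p udp \
  -s "$LAN_IPADDR" --sport 67 \
  -d "$LAN_ADDRESSES" --dport 68 -j ACCEPT
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp \
  -s "$LAN_ADDRESSES" --sport 68 \
  -d "$LAN_IPADDR" --dport 67 -j ACCEPT

###############################################################
# Logging Dropped Packets
# Anything that reaches the end of FORWARD without matching is logged
# before the chain's DROP policy applies.  Only FORWARD is logged in
# this copy.  These LOG rules are unrated; consider "-m limit" so a
# flood of rejected traffic cannot fill the log.
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -j LOG
"$IPT" -A FORWARD -i "$DMZ_INTERFACE" -o "$LAN_INTERFACE" -j LOG

exit 0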
