
iptables firewall script - help and freelancers needed.


Guest_imported

Hi, We are working on a co-located RedHat 7.1 server running plesk. We are trying to install an iptables firewall and keep losing connection to the server each time it loads. It locks everyone out. We just need a simple firewall to block the unused ports.
This is a copy of the script.

#!/bin/sh
###################################################################################
# IPTABLES Firewall script
# written by ts
###################################################################################

IPTABLES="/sbin/iptables"

echo "Flushing rules..."
$IPTABLES -F
$IPTABLES -X

#Flush the built-in chains and set default policies (ACCEPT here; the final rules below DROP whatever was not matched)
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT


LOOP_IF="lo"


###########################################################################
#----Set network sysctl options-----#
echo "--Setting sysctl options--"

echo "Disabling IP Spoofing attacks"
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

echo "Disabling respond to broadcast pings"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo "Blocking source routing"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

echo "Kill timestamps"
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

echo "Enable SYN Cookies"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

echo "Kill redirects"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

echo "Enabling bad error message protection"
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo "Logging martians (packets with impossible addresses)"
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

echo "Reducing DoS'ing ability by reducing timeouts"
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo "Done..."

#########################################################################
echo "--Setting up standard rules--"

echo "Allow unlimited traffic on the loopback interface"
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

echo "Enabling SYN-FLOODING PROTECTION"
$IPTABLES -N syn-flood
$IPTABLES -A INPUT -p tcp --syn -j syn-flood
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP

echo "Making sure NEW tcp connections are SYN packets"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

echo "Logging fragments caught"
$IPTABLES -N fragments
$IPTABLES -A INPUT -f -j fragments
$IPTABLES -A fragments -j LOG --log-prefix "IPTABLES FRAGMENTS:"
$IPTABLES -A fragments -j DROP

echo "Refusing spoofed packets pretending to be from your IP address"
#$IPTABLES -A INPUT -s $NET_IPADDR -j DROP
echo "Done..."

##########################################################################
echo "--Setting up user defined chains--"

echo "Allow SSH(22/tcp)"
$IPTABLES -A INPUT -p tcp --sport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT


echo "Allow ftp"
$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

echo "Active ftp"
$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

echo "Passive ftp"
$IPTABLES -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT


echo "Allow DNS(53/tcp&udp)"
$IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT

echo "Allow SFTP(115/tcp)to the internet"
$IPTABLES -A OUTPUT -p tcp --dport 115 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 115 -j ACCEPT

echo "Allow IMAP2"
$IPTABLES -A OUTPUT -p tcp --dport 143 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 143 -j ACCEPT

echo "Allow HTTP(80/tcp)to the internet"
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT


echo "Allow https"
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT


echo "Allow plesk admin"
$IPTABLES -A OUTPUT -p tcp --dport 8443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 8443 -j ACCEPT


echo "Rejecting all connections to 137:139"
$IPTABLES -N NETBIOS
$IPTABLES -A INPUT -p udp --sport 137:139 -j NETBIOS
$IPTABLES -A NETBIOS -j LOG --log-prefix "IPTABLES NETBIOS: "
$IPTABLES -A NETBIOS -j DROP

echo "Allowing SMTP"
$IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 25 -j ACCEPT

echo "Allowing POP3"
$IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 110 -j ACCEPT

echo "Allowing Ident"
$IPTABLES -A OUTPUT -p tcp --dport 113 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 113 -j ACCEPT

echo "Rejecting all other packets"
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j DROP

echo "Done..."

#################################################################################
echo "Firewall construction completed"


We are looking for freelance unix admins to work with us and our clients. If you can correct this issue we will want to use you for other projects. Payments and rates can be worked out.

contact tsilver@matr1x.com


 
The user chains strike me as being all right, except that you already have set INPUT and OUTPUT to accept as the default rule... maybe you'll want to specify that they're to drop at the start of the script. Will clean it up a bit, anyway.

Have you tried running this script one line at a time, to see when the connection drops?
 
I'm not 100% sure about this but I think your SSH rule is the problem. In the OUTPUT chain, the destination port will be your source port, not 22. Shouldn't you change that to --sport 22 ??

Just a suggestion.

Regards,
Gonzalo
(gonzalo@REMOVE-THIS-BIT.linuxaus.com)
 
Here is your problem (which is not a problem but a feature of iptables):
echo "Making sure NEW tcp connections are SYN packets"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

This will drop all connections as soon as you load your script. The reason is simple - your firewall doesn't know about connections that have already been opened, and when iptables sees a packet coming, say, to port 22 (ssh) it marks it as NEW (it doesn't know it has been established);
then it sees that the SYN bit is not set - it drops it.
You need to reconnect to your server and this should be fine.
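The two points raised in the replies (INPUT rules must match the server's listening port with --dport, and packets of tracked connections must be accepted before the non-SYN NEW drop) put together in a minimal ruleset. This is an added example, not the poster's script or any reply's code; it assumes the same listening ports as the posted script, leaves OUTPUT at ACCEPT, and adds a 120-second background revert so a bad load reopens the firewall instead of locking everyone out. DRY_RUN=1 prints the commands, so the ordering can be checked without root.

```shell
#!/bin/sh
# Added example, not the original poster's script. Minimal stateful ruleset
# that keeps the two fixes from the replies: INPUT matches --dport, and the
# ESTABLISHED,RELATED accept comes before the non-SYN NEW drop.
# DRY_RUN=1 prints the iptables commands instead of executing them.
IPTABLES=${IPTABLES:-/sbin/iptables}
SSH_PORT=${SSH_PORT:-22}            # assumed listening port for sshd

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

apply_rules() {
    run -F; run -X
    run -P INPUT DROP                 # default-deny inbound ...
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT              # ... leave outbound open (host is not a router)
    run -A INPUT -i lo -j ACCEPT

    # Accept packets of connections the kernel already tracks FIRST, so the
    # rule below only ever sees genuinely new connection attempts.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Inbound services: the port the *server* listens on is the destination.
    for p in "$SSH_PORT" 25 80 110 143 443 8443; do
        run -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    run -A INPUT -p udp --dport 53 -j ACCEPT
    run -A INPUT -p tcp --dport 53 -j ACCEPT

    # Log what the policy is about to drop (rate-limited so logs cannot be flooded).
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES DROP: "
}

# Lockout guard: background timer reopens the firewall unless killed in time.
revert_later() {
    ( sleep 120; "$IPTABLES" -F; "$IPTABLES" -P INPUT ACCEPT ) >/dev/null 2>&1 &
    echo $!
}

case "${1:-}" in
    --dry-run) DRY_RUN=1 apply_rules ;;
    --apply)   guard=$(revert_later)
               apply_rules
               echo "Rules loaded. If you can still log in, cancel the revert: kill $guard" ;;
esac
```

Run it as `sh firewall.sh --dry-run` to inspect the order, then `sh firewall.sh --apply` from a fresh SSH session and kill the printed PID once a second login succeeds.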
 