Teddy's iptables firewall script needs tweaking

Teddy Mills teddymills-VFlxZYho3OA at public.gmane.org
Sat Nov 22 08:06:05 UTC 2003


Okay...here's the firewall script I am using.
I was not an open relay, but somehow someone from Asia found a way to use my
qmail as an open relay until I enabled some iptables rules (not sure what rule
stopped them).
Most everything here works; the only thing I notice now is that the internet
is slower and I cannot send out email using my squirrelmail/qmail.

So the things I need advice on are...

Q1. Is this script slowing me down?
    I would like to keep all the rules together according to their network
    interfaces, i.e. all ppp0 and eth1 rules together.
    However, if I do that, is it a performance hit? Is iptables top-down?
    Do packets start at the top of the script and keep flowing down the
    script until they match a rule?

Q2. How can I optimize or make this script cleaner?
Q3. Can you see anything that prevents mail being sent out?



I want to prevent all incoming traffic on ppp0 except for 22,25,53,80,143.
Outgoing traffic should be pretty clean?


NETWORK INTERFACES
ppp0 is the ADSL connection to the internet
eth0 is DHCP and required by the ADSL (but nothing exciting seems to happen
     on eth0)
eth1 is 192.168.1.2, my Linux MASQ/NAT internal IP

Thanks in advance to all TLUG members!

/teddy

[root-v+aXH1h/sVw at public.gmane.org scripts]# cat firewall
#!/bin/sh
echo "Firewall 5.00 starting..."

# ****************************************
# Flushing all chains and reset iptables
# ****************************************


/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD

/sbin/iptables -t nat -F
/sbin/iptables -X
/sbin/iptables -Z



# **********************************************
# Now drop all packets on INPUT OUTPUT FORWARD
# *********************************************

echo DROP INPUT chain
/sbin/iptables -P INPUT DROP

echo ACCEPT OUTPUT chain
/sbin/iptables -P OUTPUT ACCEPT

echo ACCEPT FORWARD chain
/sbin/iptables -P FORWARD ACCEPT



# ****************************************************************
# ACCEPT established tcp session packets and fragmentated packets
# ****************************************************************

echo Accept fragmented packets
/sbin/iptables -A FORWARD -f -j ACCEPT

echo accept packets from an already established TCP connection
/sbin/iptables -A FORWARD -m state -p tcp --state ESTABLISHED,RELATED -j ACCEPT





# **********************************************************
# ppp0 INPUT and FORWARD rules
# **********************************************************

echo SPOOF DROP incoming 192.168.0.0 packets from ppp0
/sbin/iptables -A INPUT -i ppp0 -s 192.168.0.0/24 -j DROP

echo Dropping all incoming traffic on ppp0
/sbin/iptables -A INPUT -i ppp0 -j DROP

echo allow incoming traffic only for ports 22 25 53 80 110 143 993
/sbin/iptables -A FORWARD -p tcp -i ppp0 --dport 22  -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -i ppp0 --dport 25  -j ACCEPT

/sbin/iptables -A FORWARD -p tcp -i ppp0 --dport 53  -j ACCEPT
/sbin/iptables -A FORWARD -p udp -i ppp0 --dport 53  -j ACCEPT

/sbin/iptables -A FORWARD -p tcp -i ppp0 --dport 80  -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -i ppp0 --dport 110 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -i ppp0 --dport 143 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -i ppp0 --dport 993 -j ACCEPT






# ***************************************************************
# ppp0 OUTPUT and FORWARD rules
# ***************************************************************

echo Dropping all outgoing traffic on ppp0
/sbin/iptables -A OUTPUT -o ppp0 -j DROP

echo allow outgoing ppp0 traffic only for ports 22 25 53 80 110 143 993
/sbin/iptables -A FORWARD -p tcp -o ppp0 --dport 22  -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -o ppp0 --dport 25  -j ACCEPT

/sbin/iptables -A FORWARD -p tcp -o ppp0 --dport 53  -j ACCEPT
/sbin/iptables -A FORWARD -p udp -o ppp0 --dport 53  -j ACCEPT
/sbin/iptables -A OUTPUT  -p tcp -o ppp0 --dport 53  -j ACCEPT

/sbin/iptables -A FORWARD -p tcp -o ppp0 --dport 80  -j ACCEPT

/sbin/iptables -A FORWARD -p tcp -o ppp0 --dport 110 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -o ppp0 --dport 143 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -o ppp0 --dport 993 -j ACCEPT



echo allow everything on eth1 network
/sbin/iptables -A INPUT   -i eth1 -j ACCEPT
/sbin/iptables -A OUTPUT  -o eth1 -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -j ACCEPT



echo allow everything on the loopback interface
/sbin/iptables -A INPUT   -i lo -j ACCEPT
/sbin/iptables -A OUTPUT  -o lo -j ACCEPT
/sbin/iptables -A FORWARD -i lo -j ACCEPT


# *****************************************************
# Loading Iptable modules (enable if not kernel builtin)
# *****************************************************

# /sbin/modprobe ip_tables
# /sbin/modprobe ip_conntrack   #Added this module
# /sbin/modprobe ip_nat_ftp
# /sbin/modprobe ip_conntrack_ftp



# ***************************************
# Kernel netfilter variables
# ***************************************


# echo Prevent SYN floods
# echo "1" > /proc/sys/net/ipv4/tcp_syncookies

echo Enable antispoofing filtering
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

echo enable IP Dynamic address
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo Enabling IP forwarding by kernel
echo "1" > /proc/sys/net/ipv4/ip_forward

echo Disable ICMP ping
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

echo Disable ICMP redirect acceptance
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

echo Disable response to broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo Dont accept source routed packets
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

echo Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo Log spoofed packets, source routed packets, redirect packets
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians



# **********************************************
# drop these nutbars
# *********************************************

echo Drop that spammer  bitch from China 218.70.8.186
/sbin/iptables -A INPUT -s 218.70.8.186/24 -j DROP
/sbin/iptables -A INPUT -s 218.70.0.0/24   -j DROP




# *****************************************
# NAT IPForwarding and  Catchall and misc
# *****************************************

echo Enable NAT/MASQUERADING and IPforwarding
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE


# echo Catchall In case a packet made it here, drop all other traffic.
# /sbin/iptables -A FORWARD -j DROP


# echo Drop any incoming SMTP packets
# /sbin/iptables -A INPUT -p tcp -i ppp0 -s 0/0 --dport 25 -j DROP



---------------------------------------------------------------
teddy mills
http://www.vger.ca

Mad Magazine VGER directives...
To collect...all that is collectable. To sell...all that is saleable.
To merchandise...all that is merchandisable.
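As an added illustration (not part of Teddy's post or script), a small Python
model of how iptables walks a chain top-down and stops at the first match. It
encodes the posted INPUT and OUTPUT chains, then the same allow-list reordered
with a connection-tracking rule first and the catch-all DROP last, and
evaluates three constructed packets; the packet fields, the "state" key and the
chain contents are simplifications assumed for the model (the posted port
ACCEPTs sit on FORWARD, which only sees routed packets, never traffic to or
from the firewall host itself).

```python
"""Tiny model of iptables first-match chain traversal (added example)."""

def evaluate(chain, policy, pkt):
    """Walk the chain top-down; the first matching rule decides, else the policy.
    A rule matches when every key it names equals the packet's value."""
    for match, target in chain:
        if all(pkt.get(key) == val for key, val in match.items()):
            return target
    return policy

def accept_ports(iface_key, iface, ports):
    """One ACCEPT rule per TCP destination port on the given interface."""
    return [({iface_key: iface, "proto": "tcp", "dport": p}, "ACCEPT") for p in ports]

PORTS = [22, 25, 53, 80, 110, 143, 993]

# INPUT and OUTPUT as the posted script appends them. The catch-all DROPs come
# first, so every later ACCEPT on ppp0 is shadowed (constructed, simplified).
POSTED_INPUT = [
    ({"iif": "ppp0"}, "DROP"),            # drops replies to our own connections too
    ({"iif": "eth1"}, "ACCEPT"), ({"iif": "lo"}, "ACCEPT"),
]
POSTED_OUTPUT = [
    ({"oif": "ppp0"}, "DROP"),            # qmail's outbound SMTP dies here
    ({"oif": "ppp0", "proto": "tcp", "dport": 53}, "ACCEPT"),   # never reached
    ({"oif": "eth1"}, "ACCEPT"), ({"oif": "lo"}, "ACCEPT"),
]

# Same intent, reordered: conntrack rule first (cheap, matches most packets),
# then the port allow-list, explicit DROP last. "ESTABLISHED" stands in for
# the real ESTABLISHED,RELATED state match.
FIXED_INPUT = ([({"state": "ESTABLISHED"}, "ACCEPT")]
               + accept_ports("iif", "ppp0", PORTS)
               + [({"iif": "eth1"}, "ACCEPT"), ({"iif": "lo"}, "ACCEPT"),
                  ({"iif": "ppp0"}, "DROP")])
FIXED_OUTPUT = ([({"state": "ESTABLISHED"}, "ACCEPT")]
                + accept_ports("oif", "ppp0", PORTS)
                + [({"oif": "eth1"}, "ACCEPT"), ({"oif": "lo"}, "ACCEPT"),
                   ({"oif": "ppp0"}, "DROP")])

# Constructed packets: qmail opening a connection to a remote MX, that MX's
# reply coming back in, and a remote client delivering mail to this box.
MAIL_OUT = {"oif": "ppp0", "proto": "tcp", "dport": 25, "state": "NEW"}
MAIL_REPLY = {"iif": "ppp0", "proto": "tcp", "sport": 25, "state": "ESTABLISHED"}
MAIL_IN = {"iif": "ppp0", "proto": "tcp", "dport": 25, "state": "NEW"}

def verdicts(inp, out):
    """Decisions for the three mail packets under a given INPUT/OUTPUT pair."""
    return (evaluate(out, "ACCEPT", MAIL_OUT),
            evaluate(inp, "DROP", MAIL_REPLY),
            evaluate(inp, "DROP", MAIL_IN))
```

With the posted ordering all three packets are dropped; with the reordered
chains all three are accepted, which is why rule order, not grouping by
interface, is what matters for both correctness and cost.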

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml