Teddy's iptables firewall script needs tweaking

Keith Mastin kmastin-PzQIwG9Jn9VAFePFGvp55w at public.gmane.org
Sat Nov 22 17:18:48 UTC 2003


> Okay...here's the firewall script I am using.
> I was not an openrelay, but somehow someone from Asia found a way to
> use my qmail as an openrelay until I enabled some iptable rules. (not
> sure what rule stopped them) Most everything here works, the only
> thing I notice now is that the internet is slower now and I cannot
> send out email using my squirrelmail/qmail.

Where is this script run? Is it on a dedicated firewall box, your desktop,
...the mail server? What are the hardware resources (CPU and RAM) it has
available?

> So the things I need advice on are...
>
> Q1. Is this script slowing me down?
> I would like to keep all the rules together according to their network
> interfaces...ie all ppp0 and eth1 rules together.

Mmmm... not necessarily a good idea. See below...

> However if I do that, is it a performance hit? Is iptables
> top-down?
> Do packets start at the top of the script and keep flowing down the
> script until they match a rule?

Yes, the order of the rules *_is_everything_*

> Q2. How can I optimize or make this script cleaner?

From what I could see, it looks to be disordered. Generally, we load the
modules, define the chains, set the policies, lay out the rules. Yours is
all over the place.

Another thing is all the echos. Just comment those out and use them as
markers for when you edit the script, but echoing them in the script
doesn't make any sense.

> Q3. Can you see anything that prevents mail being sent out ?

... Maybe this? /sbin/iptables -A OUTPUT -o ppp0 -j DROP

> I want to prevent all incoming traffic on ppp0 except for
> 22,25,53,80,143.
> Outgoing traffic should be pretty clean?

Outgoing traffic should pretty much all be above port 1024

> NETWORK INTERFACES
> ppp0 is adsl connection to the internet
> eth0  is dhcp and required by the adsl (but nothing exciting seems to
> happen on eth0)
> eth1  is 192.168.1.2 my linux MASQ/NAT internal ip

Generally, I put eth0 on the INT_IFACE as it comes up first and I don't
want the computer connecting to the 'net if I'm not there too. It could
just be a personal thing, but it makes sense to me.

As a side note Teddy, if someone can use your qmail as an open relay it
has some serious configuration problems that don't normally exist for
qmail. I think this is enough of an issue to take to the qmail list. The
guys there will want to see some logs (and don't change any info or
they'll disregard your post) and will ask some pointed questions, but they
will help you solve it. If, on the other hand, someone in China has found
a way to exploit an otherwise unknown vulnerability in qmail, that list
should be made aware of it.

I would be surprised to find that qmail was compromised without
compromising another service daemon first and after entrance was gained
that qmail was simply reconfigured. If you were running sans-firewall, I
would suggest a full system audit and some heavy monitoring for a while.
You don't necessarily need to look for a rootkit, as I suspect you were
unknowingly running a honeypot as a server.

-- 
Keith
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
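The layout Keith describes (load modules, define chains, set policies, then lay out the rules, top-down) applied to Teddy's interfaces and inbound port list, as an added example that is not Teddy's script or anything posted in the thread. The interface names and the ports 22, 25, 53, 80 and 143 come from the thread; the module names, the state-match rules and the masquerading rule are assumptions, and the blanket `-A OUTPUT -o ppp0 -j DROP` is deliberately left out.

```shell
#!/bin/sh
# Added example, not Teddy's script: a skeleton in the order Keith gives
# (modules, chains, policies, rules). Interface names and the inbound port
# list come from the thread; the rule bodies are assumptions.
# Evaluation is top-down, so the cheap, most-often-hit rules go first.
EXT_IFACE=ppp0      # ADSL link to the Internet
INT_IFACE=eth1      # 192.168.1.x LAN side, masqueraded
INBOUND_TCP="22 25 53 80 143"

firewall_rules() {
    # RUN=echo turns this into a dry run that only prints the commands;
    # $ipt and $mp are left unquoted on purpose so the prefix word-splits.
    ipt="${RUN:-} /sbin/iptables"
    mp="${RUN:-} modprobe"
    # 1. modules (assumed 2.4-era names; harmless if already built in)
    $mp ip_conntrack 2>/dev/null || true
    $mp ipt_state 2>/dev/null || true
    # 2. chains: flush everything so re-running the script is safe
    $ipt -F
    $ipt -t nat -F
    $ipt -X
    # 3. policies: deny inbound and forwarded by default, allow outbound;
    #    no "-A OUTPUT -o ppp0 -j DROP", that is what blocks outgoing SMTP
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
    # 4. rules: loopback and replies first, then LAN, then the public ports
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A INPUT -i "$INT_IFACE" -j ACCEPT
    for p in $INBOUND_TCP; do
        $ipt -A INPUT -i "$EXT_IFACE" -p tcp --dport "$p" -j ACCEPT
    done
    $ipt -A INPUT -i "$EXT_IFACE" -p udp --dport 53 -j ACCEPT
    $ipt -A INPUT -i "$EXT_IFACE" -j LOG --log-prefix "FW-DROP: "
    # LAN -> Internet forwarding with masquerading, replies allowed back
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -i "$INT_IFACE" -o "$EXT_IFACE" -j ACCEPT
    $ipt -t nat -A POSTROUTING -o "$EXT_IFACE" -j MASQUERADE
}

# Run for real only when invoked as: sh firewall.sh apply
if [ "${1:-}" = "apply" ]; then firewall_rules; fi
```

Run it with `RUN=echo sh firewall.sh apply` first to read the rule order without touching the live tables.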
