Hi All, I am trying to get a firewall running, but I am no networking expert. I use Debian Sid, and kernel 2.4.25-1-386 (yes I need to upgrade ;)).
Anyway. I got my fw script from a webpage, and it looks pretty ok to me. When I run it, it certainly blocks everything except the ports I want it to allow. Fine. However, I got reports from users that it was not working for them. I asked some 5 different people, and some 3 of them could not reach the server, while others could. Very weird. They tried it on http, port 80. It is open in the firewall, and Apache is running. I have *no* clue what is wrong. I Googled around a lot, tried to understand the iptables script (I think I do, to a degree that I can understand what each line does), but it all looks fine to me. But how on earth does it come that it is still blocking traffic from *some* users?? This server is in a 19" rack at an ISP. No NAT, just one IP address. Very simple setup. Any clues would be highly appreciated, I am really lost here.

Here is my script:

#!/bin/sh
# This is a sample Firewall script made with Citadec Solutions
# sample firewall generator at http://www.citadec.com
# Remember that this is meant to help you to make your own
# firewall. Always read this script through before using it!

IPT=/sbin/iptables
LSMOD=/sbin/lsmod

# Flushing old rules
$IPT -F
$IPT -t nat -F

# Next is your IP
NET=<the public IP of my server>

# ICMP Echo-request deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type echo-request -j DROP
# ICMP Host-unreachable deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type host-unreachable -j DROP
# ICMP Host-redirect deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type redirect -j DROP
# ICMP Timestamp-request deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type timestamp-request -j DROP
# ICMP Timestamp-reply deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type timestamp-reply -j DROP
# ICMP Address-mask-request deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type address-mask-request -j DROP
# ICMP Address-mask-reply deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type address-mask-reply -j DROP
# ICMP Source-quench deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type source-quench -j DROP
# ICMP Destination-unreachable deny
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type destination-unreachable -j DROP

# DROP IF NO FLAGS SET OR ALL FLAGS SET (Some scanning methods use these)
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --tcp-flags ALL NONE -j DROP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --tcp-flags ALL ALL -j DROP

# We don't need ipchains
$LSMOD | grep -q -s ipchains && rmmod ipchains

# Allow everything on the loopback interface
$IPT -t filter -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPT -t filter -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT

# This is done to enable source verification
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 2 > $f
    done
fi

# This one is for syncookies protection
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

# We don't want ICMP Dead Errors
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi

# We want to Ignore ICMP Broadcasts
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi

# We don't want anyone to play with dynamic TCP/IP
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
    echo 0 > /proc/sys/net/ipv4/ip_dynaddr
fi

# These IP addresses are blocked, because they are not "routable"
$IPT -t filter -A INPUT -s 1.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 2.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 7.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 23.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 27.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 31.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 41.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 45.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 60.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 68.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 69.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 70.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 71.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 80.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 88.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 90.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 91.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 92.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 100.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 111.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 112.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 127.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 128.66.0.0/16 -d $NET -j DROP
$IPT -t filter -A INPUT -s 172.16.0.0/12 -d $NET -j DROP
$IPT -t filter -A INPUT -s 197.0.0.0/16 -d $NET -j DROP
$IPT -t filter -A INPUT -s 201.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 220.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 222.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 240.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 242.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 244.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 251.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 254.0.0.0/8 -d $NET -j DROP

# In this Firewall we don't want Multicast allowed
$IPT -t filter -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP
$IPT -t filter -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP
$IPT -t filter -A OUTPUT -s 224.0.0.0/8 -d 0/0 -j DROP
$IPT -t filter -A OUTPUT -s 0/0 -d 224.0.0.0/8 -j DROP

# Block Packets with Stuffed Routing
$IPT -t filter -A INPUT -s 255.255.255.255 -j DROP
$IPT -t filter -A INPUT -d 0.0.0.0 -j DROP
$IPT -t filter -A OUTPUT -s 255.255.255.255 -j DROP
$IPT -t filter -A OUTPUT -d 0.0.0.0 -j DROP

# ICMP Should be allowed out
$IPT -A OUTPUT -p icmp -s $NET -d 0/0 -j ACCEPT

# Open inbound established connections (ssh)
$IPT -A INPUT -p tcp --sport 22 --destination-port 513:65535 ! --syn -m state --state RELATED -j ACCEPT

# FTP Data fix
$IPT -A INPUT -p tcp --sport 20 --destination-port 1023:65535 ! --syn -m state --state RELATED -j ACCEPT
$IPT -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p udp -s 0/0 -d $NET --destination-port 1023:65535 -j ACCEPT

# Open ports for outbound established connections
$IPT -A OUTPUT -p tcp -s $NET -d 0/0 --destination-port 1:65535 -j ACCEPT
$IPT -A OUTPUT -p udp -s $NET -d 0/0 --destination-port 1:65535 -j ACCEPT

# FTP allowed
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 20 ! --syn -j ACCEPT
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 21 -j ACCEPT
# SSH allowed
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 22 -j ACCEPT
# SMTP allowed
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 25 -j ACCEPT
# POP allowed
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 110 -j ACCEPT
# IMAP allowed
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 143 -j ACCEPT
# HTTP allowed
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 80 -j ACCEPT
# HTTPS allowed
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 443 -j ACCEPT
# These TCP ports are opened also
$IPT -t filter -A INPUT -p tcp --destination-port 465 -j ACCEPT
$IPT -t filter -A INPUT -p tcp --destination-port 993 -j ACCEPT
$IPT -t filter -A INPUT -p tcp --destination-port 995 -j ACCEPT

# THESE IPS HAVE FULL ACCESS TO THIS SYSTEM
# (a rule needs a target; without -j ACCEPT it only counts packets)
$IPT -A INPUT -s <my admin box's IP> -d $NET -j ACCEPT

# RESTART KLOGD (So we don't get flooded by iptables to tty)
killall -9 klogd
/sbin/klogd -x -c 4

# Deny everything not let through earlier
$IPT -A INPUT -j DROP

-- end of script --

Regards,
Pim Bliek

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
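Several of the /8 blocks the script drops as "not routable" (68/8, 69/8 and 80/8 among them) have since been allocated to ordinary ISPs, so the first thing to check for a user who cannot connect is whether their address falls inside one of those DROP rules. The POSIX sh checker below is an added example, not part of the original post or of the Citadec generator; the RULES excerpt is a constructed subset of the script's rules in the same form, and the three client addresses are made up.

```shell
#!/bin/sh
# Added example (not from the original post): report which "not routable"
# DROP rule in the script, if any, would catch a given client address.

# Constructed excerpt in the form the posted script uses (subset of its rules).
RULES='
$IPT -t filter -A INPUT -s 1.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 68.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 127.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 128.66.0.0/16 -d $NET -j DROP
$IPT -t filter -A INPUT -s 172.16.0.0/12 -d $NET -j DROP
'

# ip_to_int 1.2.3.4 -> 16909060 (dotted quad as a 32-bit integer)
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> succeeds if IP lies inside CIDR
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    # network mask with the top $bits bits set; works for /0 through /32
    mask=$(( 4294967295 ^ ((1 << (32 - bits)) - 1) ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# blocking_rule IP -> prints the source CIDR of the first DROP rule that
# matches IP, or "none" if the address would pass this part of the script
blocking_rule() {
    found=$(printf '%s\n' "$RULES" | while read -r line; do
        # only look at "-s <cidr> ... -j DROP" rules
        case $line in *" -s "*" -j DROP"*) ;; *) continue ;; esac
        cidr=${line#* -s }
        cidr=${cidr%% *}
        if in_cidr "$1" "$cidr"; then echo "$cidr"; break; fi
    done)
    echo "${found:-none}"
}

# Constructed client addresses: two inside dropped ranges, one outside.
for ip in 68.12.34.56 172.31.255.1 8.8.8.8; do
    echo "$ip -> $(blocking_rule "$ip")"
done
```

To test the real script, set RULES to its contents (for example RULES=$(cat /path/to/firewall.sh)) and call blocking_rule with the address of each user who reported a problem. Note also that the script drops every inbound ICMP destination-unreachable, which includes fragmentation-needed (type 3, code 4), so path MTU discovery stops working for clients behind links with a smaller MTU.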