element-x
03-26-2001, 01:44 PM
Ok, when I flush my ruleset, ftp whether in passive or port(normal) mode, it's fine, as soon as I bring all my rules in, I can only ftp using passive, attempting to use the port mode ends up in failed/timed out responses from servers and what not.
Here is my firewall ruleset
#!/bin/sh
#Last updated Feb 20 2001
#Selected portions based on firewall from
#Craig McPherson's Firewall (craig@bsu-hog.org)
echo "Starting firewall script..."
################################################## ###################
echo "Setting firewall parameters..."
IP=`ifconfig eth0 | grep inet | cut -b 21-34`
EXT_INTERFACE="eth0" # External Interface
INT_INTERFACE="eth1" # Internal Interface
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # well known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
DHCP_SERVER="24.*.*.12" # dhcp server
NAMESERVER_1="24.*.*.11" # everyone must have at least one
NAMESERVER_2="24.215.0.12" # cool people have two
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
NFS_PORT="2049" # (TCP/UDP) NFS
SOCKS_PORT="1080" # (TCP) Socks
XWINDOW_PORTS="6000:6063" # (TCP) X winows
SSH_LOCAL_PORTS="1022:65535" # port range for local clients
SSH_REMOTE_PORTS="513:65535" # port range for remote clients
################################################## ###################
echo "Loading modules..."
#modprobe ip_conntrack
#modprobe ipt_MIRROR
#modprobe ipt_mac
#modprobe ipt_tos
#modprobe ip_conntrack_ftp
#modprobe ipt_REDIRECT
#modprobe ipt_mark
#modprobe ipt_unclean
#modprobe ip_nat_ftp
modprobe ipt_REJECT
#modprobe ipt_multiport
#modprobe iptable_mangle
#modprobe ipt_MARK
#modprobe ipt_TOS
#modprobe ipt_owner
#modprobe iptable_nat
#modprobe ipt_MASQUERADE
modprobe ipt_limit
#modprobe ipt_state
################################################## ###################
echo "Setting default policies..."
#Reset all firewall rules
iptables -F
#Delete all tables
iptables -X
#Reset all NAT rules
#iptables -F -t nat
#Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
################################################## ###################
# LOGGING TABLES
################################################## ###################
iptables -N ldrop
iptables -F ldrop
iptables -A ldrop -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "D
ROPPED:: "
iptables -A ldrop -j DROP
iptables -N lreject
iptables -F lreject
iptables -A lreject -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix
"REJECTED:: "
iptables -A lreject -j REJECT
################################################## ###################
echo "Enabling IP forwarding and spoof protection..."
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/$EXT_INTERFACE/log_martians
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
################################################## ###################
echo "Locking out bad people..."
#Check and source the ban list
if [ -f /etc/firewall.ban ]; then
. /etc/firewall.ban
fi
################################################## ###################
echo "Activating basic firewall rules, set 1..."
#Unlimited traffic on loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#Unlimited traffic on local interface
#iptables -A INPUT -i eth1 -j ACCEPT
#iptables -A OUTPUT -o eth1 -j ACCEPT
#iptables -A FORWARD -i eth1 -j ACCEPT
#iptables -A FORWARD -o eth1 -j ACCEPT
#echo "Activating transparent proxy server..."
#iptables -A PREROUTING -t nat -i eth1 --proto TCP --dport 80 -j DNAT \
# --to 192.168.1.1:8000
#echo "Activating IP masquerading..."
#iptables -A POSTROUTING -t nat -o $EXT_INTERFACE -j MASQUERADE
################################################## ###################
#iptables -A INPUT -s 10.80.0.1 -d $IP -j ACCEPT
################################################## ###################
echo "Setting up anti-spoofing rules..."
#Drop requests from spoofed, local, or invalid IP's
iptables -A INPUT -s $IP -j ldrop
iptables -A INPUT -s $CLASS_A -j ldrop
iptables -A INPUT -s $CLASS_B -j ldrop
iptables -A INPUT -s $CLASS_C -j ldrop
iptables -A INPUT -s $BROADCAST_DEST -j ldrop
iptables -A INPUT -d $BROADCAST_SRC -j ldrop
iptables -A INPUT -s $CLASS_D_MULTICAST -j ldrop
iptables -A INPUT -s $CLASS_E_RESERVED_NET -j ldrop
iptables -A INPUT -s 1.0.0.0/8 -j ldrop
iptables -A INPUT -s 2.0.0.0/8 -j ldrop
iptables -A INPUT -s 5.0.0.0/8 -j ldrop
iptables -A INPUT -s 7.0.0.0/8 -j ldrop
iptables -A INPUT -s 23.0.0.0/8 -j ldrop
iptables -A INPUT -s 27.0.0.0/8 -j ldrop
iptables -A INPUT -s 31.0.0.0/8 -j ldrop
iptables -A INPUT -s 37.0.0.0/8 -j ldrop
iptables -A INPUT -s 39.0.0.0/8 -j ldrop
iptables -A INPUT -s 41.0.0.0/8 -j ldrop
iptables -A INPUT -s 42.0.0.0/8 -j ldrop
iptables -A INPUT -s 58.0.0.0/7 -j ldrop
iptables -A INPUT -s 60.0.0.0/8 -j ldrop
# iptables -A INPUT -s 65.0.0.0/8 -j ldrop
# iptables -A INPUT -s 66.0.0.0/7 -j ldrop
iptables -A INPUT -s 68.0.0.0/6 -j ldrop
iptables -A INPUT -s 72.0.0.0/5 -j ldrop
iptables -A INPUT -s 80.0.0.0/4 -j ldrop
iptables -A INPUT -s 96.0.0.0/3 -j ldrop
iptables -A INPUT -s 169.254.0.0/16 -j ldrop
iptables -A INPUT -s 192.0.2.0/24 -j ldrop
# iptables -A INPUT -s 217.0.0.0/8 -j ldrop
iptables -A INPUT -s 218.0.0.0/7 -j ldrop
iptables -A INPUT -s 220.0.0.0/6 -j ldrop
iptables -A INPUT -s 248.0.0.0/5 -j ldrop
#Drop requests addressed to impossible IP's
iptables -A INPUT -d $CLASS_A -j ldrop
iptables -A INPUT -d $CLASS_B -j ldrop
iptables -A INPUT -d $CLASS_C -j ldrop
iptables -A INPUT -d $LOOPBACK -j ldrop
#Don't let us send from impossible IP's
iptables -A OUTPUT -s $CLASS_A -j lreject
iptables -A OUTPUT -s $CLASS_B -j lreject
iptables -A OUTPUT -s $CLASS_C -j lreject
iptables -A OUTPUT -s $LOOPBACK -j lreject
#Don't let us send to impossible IP's
iptables -A OUTPUT -d $CLASS_A -j lreject
iptables -A OUTPUT -d $CLASS_B -j lreject
iptables -A OUTPUT -d $CLASS_C -j lreject
iptables -A OUTPUT -d $LOOPBACK -j lreject
################################################## ###################
echo "FIREWALL RULE: Banning external NFS"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --dport $NFS_PORT --syn -j ldrop
# iptables -A OUTPUT -o $EXT_INTERFACE --proto TCP --dport $NFS_PORT --syn -j lr
eject
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport $NFS_PORT -j ldrop
# iptables -A OUTPUT -o $EXT_INTERFACE --proto UDP --dport $NFS_PORT -j lreject
echo "FIREWALL RULE: Banning external X/OpenWindow"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --dport 2000 --syn -j ldrop
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --dport $XWINDOW_PORTS --syn -j
ldrop
# iptables -A OUTPUT -o $EXT_INTERFACE --proto TCP --dport 2000 --syn -j lreject
# iptables -A OUTPUT -o $EXT_INTERFACE --proto TCP --dport $XWINDOW_PORTS --syn
-j lreject
echo "FIREWALL RULE: Banning external SOCKS"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --dport $SOCKS_PORT --syn -j ldr
op
# iptables -A OUTPUT -o $EXT_INTERFACE --proto TCP --dport $SOCKS_PORT --syn -j
lreject
echo "FIREWALL RULE: Banning UDP traceroute"
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --sport 32769:65535 --dport 3343
4:33523 -j ldrop
echo "FIREWALL RULE: FTP server"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 20:
21 -j ACCEPT
echo "FIREWALL RULE: Secure SHell server [port 22]"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $SSH_REMOTE_PORTS --dpor
t 22 -j ACCEPT
#echo "FIREWALL RULE: Secure SHell server [port 23]"
#iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $SSH_REMOTE_PORTS --dpo
rt 23 -j ACCEPT
echo "FIREWALL RULE: SMTP client/server"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 25
-j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport 25 --dport 25 -j ACCEPT
echo "FIREWALL RULE: DNS client/server"
#iptables -A INPUT -i $EXT_INTERFACE --proto UDP --sport $UNPRIVPORTS --dport 53
-j ACCEPT
#iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 53
! --syn -j ACCEPT
#iptables -A INPUT -i $EXT_INTERFACE --proto UDP --sport 53 --dport 53 -j ACCEPT
#iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport 53 --dport 53 ! --syn -
j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --dport 53 -j ACCEPT
echo "FIREWALL RULE: Web server"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 80
-j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport 80 --dport $UNPRIVPORTS
! --syn -j ACCEPT
echo "FIREWALL RULE: AUTH/IDENT requests"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 113
-j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --sport $UNPRIVPORTS --dport 113
-j ACCEPT
echo "FIREWALL RULE: POP3 server"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 110
-j ACCEPT
echo "FIREWALL RULE: DHCP client"
#This section probably has more than it needs to -- but I was having
#problems with DHCP, so I went ahead with this overkill just to make sure
#I'd get it to work.
iptables -A INPUT -i $EXT_INTERFACE --proto TCP -s $DHCP_SERVER --dport 67:68 -j
ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -s $DHCP_SERVER --sport 67 --dpo
rt 68 -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE --proto UDP -s $IP --sport 68 -d $DHCP_SERV
ER --dport 67 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -s $DHCP_SERVER --sport 67 -d $B
ROADCAST_DEST --dport 68 -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE --proto UDP -s $BROADCAST_SRC --sport 68 -d
$DHCP_SERVER --dport 67 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -s $BROADCAST_SRC --sport 67 -d
$BROADCAST_DEST --dport 68 -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE --proto UDP -s $BROADCAST_SRC --sport 68 -d
$BROADCAST_DEST --dport 67 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -s $DHCP_SERVER --sport 67 --dp
ort 68 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --sport 67 -d $IP --dport 68 -j
ldrop
iptables -A INPUT -i $EXT_INTERFACE --proto TCP -d $IP --dport 8000:8001 -j ACCE
PT
echo "FIREWALL RULE: Logging assorted trouble ports"
#Block and log NetBUS
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport 12345:12346 -j ldrop
#Block and log BackOrifice
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport 31335:31339 -j ldrop
#Block and log common DDoS ports
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport 27444 -j ldrop
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport 27665 -j ldrop
################################################## ###################
echo "Activating Denial-of-Service protection..."
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# * 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# * 4: source-quench
# 5: redirect
# * 8: echo-request (ping)
# * 11: time-exceeded
# 12: parameter-problem
echo "FIREWALL RULE: Banning ICMP redirect"
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP --icmp-type 5 -j ldrop
# iptables -A OUTPUT -o $EXT_INTERFACE --proto ICMP --icmp-type 3 -j ACCEPT
# echo "FIREWALL RULE: Banning incoming traceroute"
# iptables -A OUTPUT -o $EXT_INTERFACE --proto ICMP --icmp-type 11 -j lreject
echo "FIREWALL RULE: Allowing outgoing traceroute"
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP --icmp-type 3 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP --icmp-type 11 -j ACCEPT
echo "FIREWALL RULE: Allowing bidirectional pinging"
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP --icmp-type 0 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP --icmp-type 8 -j ACCEPT
# iptables -A OUTPUT -o $EXT_INTERFACE --proto ICMP --icmp-type 0 -j ACCEPT
# iptables -A OUTPUT -o $EXT_INTERFACE --proto ICMP --icmp-type 8 -j ACCEPT
echo "FIREWALL RULE: Disabling other ICMP messages"
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP -j lreject
# iptables -A OUTPUT -o $EXT_INTERFACE --proto ICMP -j lreject
################################################## ###################
echo "Activating basic firewall rules, set 2..."
#Allow established TCP connections
iptables -A INPUT -i $EXT_INTERFACE --proto TCP -d $IP --dport $UNPRIVPORTS ! --
syn -j ACCEPT
#Allow connections to unpriv UDP ports not otherwise banned
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -d $IP --dport $UNPRIVPORTS -j A
CCEPT
################################################## ###################
echo "Finishing firewalling... done"
exit 0
I posted my entire firewall script, just in case I've messed up somewhere along the lines. Thanks obviously goto Craig, otherwise I'd still be struggling with the first few lines ;op
Here is my firewall ruleset
#!/bin/sh
#Last updated Feb 20 2001
#Selected portions based on firewall from
#Craig McPherson's Firewall (craig@bsu-hog.org)
echo "Starting firewall script..."
################################################## ###################
echo "Setting firewall parameters..."
IP=`ifconfig eth0 | grep inet | cut -b 21-34`
EXT_INTERFACE="eth0" # External Interface
INT_INTERFACE="eth1" # Internal Interface
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # well known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
DHCP_SERVER="24.*.*.12" # dhcp server
NAMESERVER_1="24.*.*.11" # everyone must have at least one
NAMESERVER_2="24.215.0.12" # cool people have two
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
NFS_PORT="2049" # (TCP/UDP) NFS
SOCKS_PORT="1080" # (TCP) Socks
XWINDOW_PORTS="6000:6063" # (TCP) X winows
SSH_LOCAL_PORTS="1022:65535" # port range for local clients
SSH_REMOTE_PORTS="513:65535" # port range for remote clients
################################################## ###################
echo "Loading modules..."
#modprobe ip_conntrack
#modprobe ipt_MIRROR
#modprobe ipt_mac
#modprobe ipt_tos
#modprobe ip_conntrack_ftp
#modprobe ipt_REDIRECT
#modprobe ipt_mark
#modprobe ipt_unclean
#modprobe ip_nat_ftp
modprobe ipt_REJECT
#modprobe ipt_multiport
#modprobe iptable_mangle
#modprobe ipt_MARK
#modprobe ipt_TOS
#modprobe ipt_owner
#modprobe iptable_nat
#modprobe ipt_MASQUERADE
modprobe ipt_limit
#modprobe ipt_state
################################################## ###################
echo "Setting default policies..."
#Reset all firewall rules
iptables -F
#Delete all tables
iptables -X
#Reset all NAT rules
#iptables -F -t nat
#Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
################################################## ###################
# LOGGING TABLES
################################################## ###################
iptables -N ldrop
iptables -F ldrop
iptables -A ldrop -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "D
ROPPED:: "
iptables -A ldrop -j DROP
iptables -N lreject
iptables -F lreject
iptables -A lreject -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix
"REJECTED:: "
iptables -A lreject -j REJECT
################################################## ###################
echo "Enabling IP forwarding and spoof protection..."
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/$EXT_INTERFACE/log_martians
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
################################################## ###################
echo "Locking out bad people..."
#Check and source the ban list
if [ -f /etc/firewall.ban ]; then
. /etc/firewall.ban
fi
################################################## ###################
echo "Activating basic firewall rules, set 1..."
#Unlimited traffic on loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#Unlimited traffic on local interface
#iptables -A INPUT -i eth1 -j ACCEPT
#iptables -A OUTPUT -o eth1 -j ACCEPT
#iptables -A FORWARD -i eth1 -j ACCEPT
#iptables -A FORWARD -o eth1 -j ACCEPT
#echo "Activating transparent proxy server..."
#iptables -A PREROUTING -t nat -i eth1 --proto TCP --dport 80 -j DNAT \
# --to 192.168.1.1:8000
#echo "Activating IP masquerading..."
#iptables -A POSTROUTING -t nat -o $EXT_INTERFACE -j MASQUERADE
################################################## ###################
#iptables -A INPUT -s 10.80.0.1 -d $IP -j ACCEPT
################################################## ###################
echo "Setting up anti-spoofing rules..."
#Drop requests from spoofed, local, or invalid IP's
iptables -A INPUT -s $IP -j ldrop
iptables -A INPUT -s $CLASS_A -j ldrop
iptables -A INPUT -s $CLASS_B -j ldrop
iptables -A INPUT -s $CLASS_C -j ldrop
iptables -A INPUT -s $BROADCAST_DEST -j ldrop
iptables -A INPUT -d $BROADCAST_SRC -j ldrop
iptables -A INPUT -s $CLASS_D_MULTICAST -j ldrop
iptables -A INPUT -s $CLASS_E_RESERVED_NET -j ldrop
iptables -A INPUT -s 1.0.0.0/8 -j ldrop
iptables -A INPUT -s 2.0.0.0/8 -j ldrop
iptables -A INPUT -s 5.0.0.0/8 -j ldrop
iptables -A INPUT -s 7.0.0.0/8 -j ldrop
iptables -A INPUT -s 23.0.0.0/8 -j ldrop
iptables -A INPUT -s 27.0.0.0/8 -j ldrop
iptables -A INPUT -s 31.0.0.0/8 -j ldrop
iptables -A INPUT -s 37.0.0.0/8 -j ldrop
iptables -A INPUT -s 39.0.0.0/8 -j ldrop
iptables -A INPUT -s 41.0.0.0/8 -j ldrop
iptables -A INPUT -s 42.0.0.0/8 -j ldrop
iptables -A INPUT -s 58.0.0.0/7 -j ldrop
iptables -A INPUT -s 60.0.0.0/8 -j ldrop
# iptables -A INPUT -s 65.0.0.0/8 -j ldrop
# iptables -A INPUT -s 66.0.0.0/7 -j ldrop
iptables -A INPUT -s 68.0.0.0/6 -j ldrop
iptables -A INPUT -s 72.0.0.0/5 -j ldrop
iptables -A INPUT -s 80.0.0.0/4 -j ldrop
iptables -A INPUT -s 96.0.0.0/3 -j ldrop
iptables -A INPUT -s 169.254.0.0/16 -j ldrop
iptables -A INPUT -s 192.0.2.0/24 -j ldrop
# iptables -A INPUT -s 217.0.0.0/8 -j ldrop
iptables -A INPUT -s 218.0.0.0/7 -j ldrop
iptables -A INPUT -s 220.0.0.0/6 -j ldrop
iptables -A INPUT -s 248.0.0.0/5 -j ldrop
#Drop requests addressed to impossible IP's
iptables -A INPUT -d $CLASS_A -j ldrop
iptables -A INPUT -d $CLASS_B -j ldrop
iptables -A INPUT -d $CLASS_C -j ldrop
iptables -A INPUT -d $LOOPBACK -j ldrop
#Don't let us send from impossible IP's
iptables -A OUTPUT -s $CLASS_A -j lreject
iptables -A OUTPUT -s $CLASS_B -j lreject
iptables -A OUTPUT -s $CLASS_C -j lreject
iptables -A OUTPUT -s $LOOPBACK -j lreject
#Don't let us send to impossible IP's
iptables -A OUTPUT -d $CLASS_A -j lreject
iptables -A OUTPUT -d $CLASS_B -j lreject
iptables -A OUTPUT -d $CLASS_C -j lreject
iptables -A OUTPUT -d $LOOPBACK -j lreject
################################################## ###################
echo "FIREWALL RULE: Banning external NFS"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --dport $NFS_PORT --syn -j ldrop
# iptables -A OUTPUT -o $EXT_INTERFACE --proto TCP --dport $NFS_PORT --syn -j lr
eject
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport $NFS_PORT -j ldrop
# iptables -A OUTPUT -o $EXT_INTERFACE --proto UDP --dport $NFS_PORT -j lreject
echo "FIREWALL RULE: Banning external X/OpenWindow"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --dport 2000 --syn -j ldrop
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --dport $XWINDOW_PORTS --syn -j
ldrop
# iptables -A OUTPUT -o $EXT_INTERFACE --proto TCP --dport 2000 --syn -j lreject
# iptables -A OUTPUT -o $EXT_INTERFACE --proto TCP --dport $XWINDOW_PORTS --syn
-j lreject
echo "FIREWALL RULE: Banning external SOCKS"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --dport $SOCKS_PORT --syn -j ldr
op
# iptables -A OUTPUT -o $EXT_INTERFACE --proto TCP --dport $SOCKS_PORT --syn -j
lreject
echo "FIREWALL RULE: Banning UDP traceroute"
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --sport 32769:65535 --dport 3343
4:33523 -j ldrop
echo "FIREWALL RULE: FTP server"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 20:
21 -j ACCEPT
echo "FIREWALL RULE: Secure SHell server [port 22]"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $SSH_REMOTE_PORTS --dpor
t 22 -j ACCEPT
#echo "FIREWALL RULE: Secure SHell server [port 23]"
#iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $SSH_REMOTE_PORTS --dpo
rt 23 -j ACCEPT
echo "FIREWALL RULE: SMTP client/server"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 25
-j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport 25 --dport 25 -j ACCEPT
echo "FIREWALL RULE: DNS client/server"
#iptables -A INPUT -i $EXT_INTERFACE --proto UDP --sport $UNPRIVPORTS --dport 53
-j ACCEPT
#iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 53
! --syn -j ACCEPT
#iptables -A INPUT -i $EXT_INTERFACE --proto UDP --sport 53 --dport 53 -j ACCEPT
#iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport 53 --dport 53 ! --syn -
j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --dport 53 -j ACCEPT
echo "FIREWALL RULE: Web server"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 80
-j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport 80 --dport $UNPRIVPORTS
! --syn -j ACCEPT
echo "FIREWALL RULE: AUTH/IDENT requests"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 113
-j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --sport $UNPRIVPORTS --dport 113
-j ACCEPT
echo "FIREWALL RULE: POP3 server"
iptables -A INPUT -i $EXT_INTERFACE --proto TCP --sport $UNPRIVPORTS --dport 110
-j ACCEPT
echo "FIREWALL RULE: DHCP client"
#This section probably has more than it needs to -- but I was having
#problems with DHCP, so I went ahead with this overkill just to make sure
#I'd get it to work.
iptables -A INPUT -i $EXT_INTERFACE --proto TCP -s $DHCP_SERVER --dport 67:68 -j
ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -s $DHCP_SERVER --sport 67 --dpo
rt 68 -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE --proto UDP -s $IP --sport 68 -d $DHCP_SERV
ER --dport 67 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -s $DHCP_SERVER --sport 67 -d $B
ROADCAST_DEST --dport 68 -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE --proto UDP -s $BROADCAST_SRC --sport 68 -d
$DHCP_SERVER --dport 67 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -s $BROADCAST_SRC --sport 67 -d
$BROADCAST_DEST --dport 68 -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE --proto UDP -s $BROADCAST_SRC --sport 68 -d
$BROADCAST_DEST --dport 67 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -s $DHCP_SERVER --sport 67 --dp
ort 68 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --sport 67 -d $IP --dport 68 -j
ldrop
iptables -A INPUT -i $EXT_INTERFACE --proto TCP -d $IP --dport 8000:8001 -j ACCE
PT
echo "FIREWALL RULE: Logging assorted trouble ports"
#Block and log NetBUS
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport 12345:12346 -j ldrop
#Block and log BackOrifice
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport 31335:31339 -j ldrop
#Block and log common DDoS ports
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport 27444 -j ldrop
iptables -A INPUT -i $EXT_INTERFACE --proto UDP --dport 27665 -j ldrop
################################################## ###################
echo "Activating Denial-of-Service protection..."
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# * 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# * 4: source-quench
# 5: redirect
# * 8: echo-request (ping)
# * 11: time-exceeded
# 12: parameter-problem
echo "FIREWALL RULE: Banning ICMP redirect"
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP --icmp-type 5 -j ldrop
# iptables -A OUTPUT -o $EXT_INTERFACE --proto ICMP --icmp-type 3 -j ACCEPT
# echo "FIREWALL RULE: Banning incoming traceroute"
# iptables -A OUTPUT -o $EXT_INTERFACE --proto ICMP --icmp-type 11 -j lreject
echo "FIREWALL RULE: Allowing outgoing traceroute"
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP --icmp-type 3 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP --icmp-type 11 -j ACCEPT
echo "FIREWALL RULE: Allowing bidirectional pinging"
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP --icmp-type 0 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP --icmp-type 8 -j ACCEPT
# iptables -A OUTPUT -o $EXT_INTERFACE --proto ICMP --icmp-type 0 -j ACCEPT
# iptables -A OUTPUT -o $EXT_INTERFACE --proto ICMP --icmp-type 8 -j ACCEPT
echo "FIREWALL RULE: Disabling other ICMP messages"
iptables -A INPUT -i $EXT_INTERFACE --proto ICMP -j lreject
# iptables -A OUTPUT -o $EXT_INTERFACE --proto ICMP -j lreject
################################################## ###################
echo "Activating basic firewall rules, set 2..."
#Allow established TCP connections
iptables -A INPUT -i $EXT_INTERFACE --proto TCP -d $IP --dport $UNPRIVPORTS ! --
syn -j ACCEPT
#Allow connections to unpriv UDP ports not otherwise banned
iptables -A INPUT -i $EXT_INTERFACE --proto UDP -d $IP --dport $UNPRIVPORTS -j A
CCEPT
################################################## ###################
echo "Finishing firewalling... done"
exit 0
I posted my entire firewall script, just in case I've messed up somewhere along the lines. Thanks obviously goto Craig, otherwise I'd still be struggling with the first few lines ;op