[ISN] Ten minute host firewall, Part 2

From: InfoSec News (isnat_private)
Date: Thu Jul 10 2003 - 00:22:06 PDT


    +------------------------------------------------------------------+
    |  Linux Security: Tips, Tricks, and Hackery                       |
    |  Published by Onsight, Inc.                                      |
    |                                                                  |
    |  09-July-2003                                                    |
    |  http://www.hackinglinuxexposed.com/articles/20030709.html       |
    +------------------------------------------------------------------+
    
    This issue sponsored by ... you.
    
    Interested in sponsoring the Linux Security: Tips, Tricks, and Hackery
    newsletter? Just drop us a line. Special low low rates ($0) are
    available for worthy Open Source projects and companies that stand up
    to the DMCA, IP abuses, and fight for our online freedoms.
    
    --------------------------------------------------------------------
    
    Ten minute host firewall, Part 2
    By Brian Hatch
    
    Summary: Create a simple but effective host firewall for your machine
    in ten minutes or less.
    
    Last week I explained how to run iptables rules to create a
    simplistic inbound-access-limiting firewall. Now you certainly don't
    want to run all these commands every time you start up your computer,
    so how do you have them run on reboot?
    
    The easiest and most portable solution is to slap the iptables
    commands into a shell script which you place in the appropriate rc.d
    directory, for example
    
      # cd /etc/init.d
      # vi inbound_firewall
      (create it)
    
      # cd /etc/rc2.d                # assuming you boot to runlevel 2
    
      # ln -s ../init.d/inbound_firewall S99inbound_firewall
    
    Alternatively you can load your rules manually and use iptables-save
    to save them to a file, and iptables-restore to read them back in
    next time.
    
      # iptables-save > /etc/iptables-save       # save the current rules
    
      # iptables-restore < /etc/iptables-save     # restore the previous rules.
    
    You'd need to put these iptables-{save,restore} commands into a
    suitable startup script as well. Many Linux distributions already
    ship startup scripts that will read these files automatically if
    they exist, so check the scripts in /etc/init.d to see whether your
    distribution has something in place already.
    
    For example Debian has an /etc/init.d/iptables script that will save
    and load your rules automatically. After running your iptables
    commands, you run /etc/init.d/iptables save active to save the
    current ruleset. You should check out the source of the
    iptables-loading scripts for your Linux distribution to see what they
    suggest and if there are any 'gotchas'.
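
    The save/restore approach has one trap worth guarding against: if the
    saved file is empty or truncated (a full disk, a crash mid-write),
    iptables-restore will happily load "nothing", and the machine comes up
    with an open INPUT chain. The script below is an added example, not
    Brian's code; it wraps iptables-save/iptables-restore in an init-style
    script that checks the dump for a complete filter table and a DROP
    policy on INPUT before loading it, and saves through a temporary file
    so a half-written dump never replaces a good one. It assumes the
    /etc/iptables-save path from the article; the script name
    /etc/init.d/inbound_firewall and the "selftest" mode are hypothetical.
    The constructed sample dump in sample_ruleset mirrors last week's
    rules and is only used by the offline self-test.

```shell
#!/bin/sh
# Added example (not from the newsletter): init-style wrapper around
# iptables-save / iptables-restore that refuses to load a saved ruleset
# unless it looks complete. Assumed: rules file /etc/iptables-save (from
# the article); script name and "selftest" mode are hypothetical.

RULES_FILE="${RULES_FILE:-/etc/iptables-save}"

# check_ruleset FILE
# Text-only sanity check on an iptables-save dump (no iptables needed).
# Succeeds only if the dump has a filter table closed by COMMIT and keeps
# the INPUT policy at DROP. An empty or truncated file would otherwise be
# restored as "no rules at all".
check_ruleset() {
    f="$1"
    [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }
    grep -q '^\*filter' "$f" || { echo "$f: no *filter table" >&2; return 1; }
    grep -q '^COMMIT' "$f" || { echo "$f: truncated, no COMMIT" >&2; return 1; }
    grep -q '^:INPUT DROP' "$f" || { echo "$f: INPUT policy is not DROP" >&2; return 1; }
    return 0
}

# save_rules [FILE]
# Dump to a temporary file, check it, then rename it into place so a
# crash mid-write never leaves a half-written rules file behind.
save_rules() {
    f="${1:-$RULES_FILE}"; tmp="$f.tmp.$$"
    iptables-save > "$tmp" && check_ruleset "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$f"
}

# restore_rules [FILE]
# Load the saved rules, but only after check_ruleset accepts the file.
restore_rules() {
    f="${1:-$RULES_FILE}"
    check_ruleset "$f" || return 1
    iptables-restore < "$f"
}

# sample_ruleset FILE
# Writes a constructed iptables-save dump matching the article's rules;
# used only by the offline self-test.
sample_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --syn -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# selftest: the good dump passes, a dump cut off before COMMIT is rejected.
selftest() {
    d=$(mktemp -d) || return 1
    sample_ruleset "$d/good"
    head -n 4 "$d/good" > "$d/cut"
    check_ruleset "$d/good" && ! check_ruleset "$d/cut" 2>/dev/null
    rc=$?
    rm -rf "$d"
    return $rc
}

case "${1:-}" in
    start|restart) restore_rules ;;
    save)          save_rules ;;
    check)         check_ruleset "${2:-$RULES_FILE}" ;;
    selftest)      selftest && echo "ruleset checks OK" ;;
    "")            ;;  # no argument: only define the functions (e.g. when sourced)
    *)             echo "usage: $0 {start|save|check [file]|selftest}" >&2; exit 1 ;;
esac
```

    Run it as /etc/init.d/inbound_firewall save after loading your rules
    by hand, link it into your runlevel directory as S99inbound_firewall
    the same way as the hand-written script above, and run
    "inbound_firewall check" on any rules file before trusting it on a
    remote box.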
    
    Here's a script that will create a firewall configuration that
    matches our theory from last week.
    
    #!/bin/sh
    #
    # Copyright 2003, Brian Hatch, released under the GPL.
    #
    # Very minimalistic host firewall:
    #
    #   allows all outbound access
    #
    #   allows inbound
    #          DNS replies (udp) but no other UDP packets
    #          important ICMP packets (time exceeded, etc)
    #          TCP packets that are responses to our outbound connections
    #              (prevents inbound connections to ssh servers, active FTP, etc)
    #
    #   doesn't muck with forward chain, nor do any connection tracking, etc.
    #   easy to modify to support older ipchains - replace INPUT with input,
    #        and DROP with DENY
    
    # Flush all tables
    iptables -F INPUT
    
    # Set the default policy for the INPUT chain to be 'DROP'
    # which means that the packets are discarded, and no message
    # is sent to the remote machine in response.
    iptables -P INPUT DROP
    
    # enable Reverse Path filtering
    # (note the space before '>': 'echo 1> file' would redirect fd 1 and
    # write an empty line, not the value 1)
    for interface in /proc/sys/net/ipv4/conf/*/rp_filter
      do
         echo 1 > "$interface"
      done
    
    # Allow unrestricted connections over the local interface
    iptables -A INPUT  -i lo -j ACCEPT
    
    # Allow tcp packets associated with established connections (and Nmap scans...)
    iptables -A INPUT -p tcp ! --syn -j ACCEPT
    
    # Allow all DNS replies
    # This will break UDP-based streaming media protocols, etc.
    iptables -A INPUT -p udp --source-port 53 -j ACCEPT
    
    # If your machine doesn't use BOOTP or DHCPD, comment out the following line
    iptables -A INPUT -p udp --destination-port 68 -j ACCEPT
    
    # Allow helpful ICMP packets.  (Feel free to remove some of these)
    iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type redirect -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type router-advertisement -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    
    # If you want to see dropped packets, uncomment the following
    # iptables -A INPUT -j LOG
    
    # Yes, this is redundant since the policy is to DROP, but I'm paranoid.
    iptables -A INPUT -j DROP
    
    # Show our tables for grins.
    iptables -vnL
    #
    # End of script.
    
    That's it, have fun.
    
    Next week, creating new iptables chains, to make temporary
    modifications easier.
    
                                -------------                            
    Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking
    Linux Exposed and Building Linux VPNs. He always prefers to build a
    firewall on his own than use a commercial product. He has this
    expensive Cisco PIX lying around with six tempting ethernet ports -
    anyone know how to install Linux on it? Brian can be reached at
    brianat_private
    
    --------------------------------------------------------------------
    This newsletter is distributed by Onsight, Inc.
    
    The list is managed with MailMan (http://www.list.org). You can
    subscribe, unsubscribe, or change your password by visiting
    http://lists.onsight.com/ or by sending email to
    linux_security-requestat_private
    
    Archives of this and previous newsletters are available at
    http://www.hackinglinuxexposed.com/articles/
    
    --------------------------------------------------------------------
    
    Copyright 2003, Brian Hatch.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    