I’ve been running Fedora Core 1 for about, hmm…5 years(?) on my little ‘ole work-horse server, but this reliable/stable OS has started showing its age. Repository issues, keeping software and everything else up-to-date. Ugh. =0(
I was initially sold on installing RHEL ES 4 (I had the disks already), but my server had problems with the “transferring image to install…” phase. So, I took it as a sign to stick with Fedora, which I was happy about since I’m used to it. More importantly, however, it was an opportunity to try out the new Fedora Core release.
So with tools in hand, I backed up all my scripts and website files and installed Fedora Core 6 last night. It took about 4 hours to install and configure – in fact, I started a “how-to” on my wiki, just in case I have to do it all over again.
OK, so enough of the rambling. This post is, after all, about iptables (hats off to to the netfilter.org guys/gals and thanks to Dan Farino for helping out with this). BTW, I had to disable the security firewall on Fedora to have more control over the firewall.
Steps to take:
- Open up a terminal
- cd /usr/local/src
- mkdir iptables
- vi iptables
- Copy and paste the script below
- chmod 777 scriptname
- ./scriptname
Verify no errors occurred, then once done, type the following:
tail -f /var/log/messages
From this point, watch for some interesting stuff. =0)
Simple enough, huh? Hopefully, you can make use of this script to build your personal *nix firewall. Take care.
Make sure /proc/sys/net/ipv4/p_forward is ‘1’ and both ip_conntrack_ftp & ip_nat_ftp modules are loaded (use modprobe modulename).
#————————————————-#
# flush and delete chains
iptables -F
iptables -X
iptables -t nat -F
# default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -t nat –policy PREROUTING ACCEPT
iptables -t nat –policy POSTROUTING ACCEPT
iptables -t nat –policy OUTPUT ACCEPT
# new user-defined chains
iptables -N tcp-state-flags
iptables -N fragments
iptables -N spoof
iptables -N syn-flood
iptables -N log-tcp-state
iptables -N log-drop-spoof
iptables -N log-input-accept
iptables -N log-input-drop
iptables -N log-fwd-drop
#————————————————-#
# input rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ! eth0 -j ACCEPT
iptables -A INPUT -p tcp -j tcp-state-flags
iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -f -j fragments
iptables -A INPUT -m state –state NEW -j spoof
iptables -A INPUT -p tcp –dport 80 -m state –state NEW -j ACCEPT
iptables -A INPUT -j log-input-drop
# forward rules
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state –state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j log-fwd-drop
# output rules
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m state –state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -m state –state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state –state INVALID -j DROP
#————————————————-#
# tcp-state-flags rules
iptables -A tcp-state-flags -p tcp –tcp-flags ALL NONE -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags SYN,FIN SYN,FIN -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags SYN,RST SYN,RST -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags FIN,RST FIN,RST -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags ACK,FIN FIN -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags ACK,PSH PSH -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags ACK,URG URG -j log-tcp-state
# fragments rules
iptables -A fragments -f -j LOG –log-level info –log-prefix “___ipt:fragment___: “
iptables -A fragments -f -j DROP
# spoof rules
iptables -A spoof -s 127.0.0.0/8 -j log-drop-spoof
iptables -A spoof -s 10.0.0.0/8 -j log-drop-spoof
iptables -A spoof -s 255.255.255.255 -j log-drop-spoof
iptables -A spoof -s 0.0.0.0/8 -j log-drop-spoof
iptables -A spoof -s 169.254.0.0/16 -j log-drop-spoof
iptables -A spoof -s 172.16.0.0/12 -j log-drop-spoof
iptables -A spoof -s 192.0.2.0/24 -j log-drop-spoof
iptables -A spoof -s 192.168.0.0/16 -j log-drop-spoof
iptables -A spoof -s 224.0.0.0/4 -j log-drop-spoof
iptables -A spoof -s 248.0.0.0/5 -j log-drop-spoof
iptables -A spoof -s 240.0.0.0/5 -j log-drop-spoof
# syn-flood rules
iptables -A syn-flood -m limit –limit 1/s –limit-burst 4 -j RETURN
iptables -A syn-flood -j LOG –log-level info –log-prefix “___ipt-fw:syn-flood___: “
iptables -A syn-flood -j DROP
# log-tcp-state rules
iptables -A log-tcp-state -j LOG –log-level info –log-prefix “___ipt:invalid-tcp-flag___: “
iptables -A log-tcp-state -j DROP
# log-drop-spoof rules
iptables -A log-drop-spoof -j LOG –log-level info –log-prefix “___ipt:spoof,mcast___: “
iptables -A log-drop-spoof -j DROP
# log-input-accept rules
iptables -A log-input-accept -j LOG –log-level info –log-prefix “___ipt:input-accept___: “
iptables -A log-input-accept -j ACCEPT
# log-input-drop
iptables -A log-input-drop -j LOG –log-level info –log-prefix “___ipt:input-drop___: “
iptables -A log-input-drop -j DROP
# log-fwd-drop
iptables -A log-fwd-drop -j LOG –log-level info –log-prefix “___ipt:fwd-drop___: “
iptables -A log-fwd-drop -j DROP
#————————————————-#
# postrouting
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#————————————————-#
# activate rules
iptables-save
iptables-save > /etc/sysconfig/iptables
service iptables restart
#————————————————-#