[ale] Lets design a firewall "baseline"....
Robert L. Harris
Robert.L.Harris at rdlg.net
Wed Oct 3 13:11:36 EDT 2001
I've been attaching my rules to those curious. I'll attach and CC now.
So far I have a Maintainer for ipchains and a maintainer for iptables.
How about the others? Anyone wanna take those, preferably after we
get a base for iptables and ipchains working? Let's get something stable
and then add on.
One concern I have. Make sure that if we specify our Internet/Public
side IP it has to deal with dynamics. I'm on a cable modem and was stable
with the same IP for about 5 months then it changed out of the blue. My
script didn't have anything hardcoded I believe, but I did have some other
things that bit me.
Thus spake Dow Hurst (dhurst at kennesaw.edu):
> Thanks Jonathon!
> This is a great place to start for the iptables! A set of variables can
> be added at the front end to simplify static parts of the rules and ease
> configuration. I'll be looking into the SuSE ipchains setup to see what
> I can do to create an explanation on setting it up or replacing it.
> Note from Bob Toxen's book how the interface settings can be extracted
> into variables for dealing with more than one interface or differing
> netmasks.
>
> Robert, can you post your rules? My email to you last night bounced
> twice so I am not sure you got my reply, but I would like to see your
> ruleset.
> Dow
>
> Jonathan Rickman wrote:
> >
> > On Tue, 2 Oct 2001, Robert L. Harris wrote:
> >
> > > Would anyone be interested in creating a "generic" template of sorts?
> > > This way when someone sends "hey, I need a firewall" we can point them
> > > at the archives, or even forward them a current "master" copy?
> > >
> > > Just throwing out a thought. I could put mine up as a starter, or we
> > > could use someone else's. I'd be happy to host a "site" of sorts
> > > with revisions and all. My html works but isn't very pretty generally.
> >
> > Here's one of the scripts I use on workstations. Note Class B reserved
> > address space commented out...adjust to suit taste. Replace eth0 with your
> > interface name. Remove all opened ports for a workstation with no
> > services.
> >
> > ================================================
> > ================================================
> > #!/bin/sh
> >
> > # flush tables
> > /usr/sbin/iptables -F
> >
> > # set default policies
> > /usr/sbin/iptables -P INPUT DROP
> > /usr/sbin/iptables -P OUTPUT ACCEPT
> > /usr/sbin/iptables -P FORWARD DROP
> >
> > # create DUMP table
> > /usr/sbin/iptables -N DUMP > /dev/null
> > /usr/sbin/iptables -F DUMP
> > /usr/sbin/iptables -A DUMP -j LOG --log-tcp-options --log-ip-options
> > /usr/sbin/iptables -A DUMP -j DROP
> >
> > # create Stateful table
> > /usr/sbin/iptables -N STATEFUL > /dev/null
> > /usr/sbin/iptables -F STATEFUL
> > /usr/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
> > /usr/sbin/iptables -A STATEFUL -m state --state NEW -i ! eth0 -j ACCEPT
> > /usr/sbin/iptables -A STATEFUL -j DUMP
> >
> > # loopback rules
> > /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
> > /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
> >
> > # drop reserved addresses incoming
> > /usr/sbin/iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DUMP
> > /usr/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DUMP
> > #/usr/sbin/iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DUMP
> > /usr/sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DUMP
> >
> > # allow ICMP
> > /usr/sbin/iptables -A INPUT -i eth0 -p icmp -j ACCEPT
> >
> > #allow DNS
> > /usr/sbin/iptables -A INPUT -p udp -i eth0 -s 166.102.165.11 --sport 53 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p udp -i eth0 -s 166.102.165.13 --sport 53 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p udp -i eth0 -s 205.152.0.5 --sport 53 -j ACCEPT
> >
> > # opened ports
> >
> > # ssh on non-standard port
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 8380 -j ACCEPT
> > # www server on standard port
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
> >
> > # Sneaky portscan catchers--Lets snort see traffic (fake services)
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 79 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 81 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 110 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 111 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 143 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p udp -i eth0 --dport 161 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 23 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 109 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p udp -i eth0 --dport 137 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 139 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 445 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 6667 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 8080 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 17 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 19 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 5000:8379 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 8381:10000 -j ACCEPT
> > /usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 10000:60000 -j ACCEPT
> >
> > #Broadcast Filters
> > /usr/sbin/iptables -A INPUT -i eth0 -d 216.76.72.95 -j DROP
> > /usr/sbin/iptables -A INPUT -i eth0 -d 255.255.255.255 -j DROP
> >
> > # push everything else to state table
> > /usr/sbin/iptables -A INPUT -j STATEFUL
> > =====================================================
> > =====================================================
> >
> > I'm willing to host any templates the group comes up with at my site.
> >
> > --
> > Jonathan Rickman
> > X Corps Security
> > http://www.xcorps.net
>
> --
> __________________________________________________________
> Dow Hurst Office: 770-499-3428
> Systems Support Specialist Fax: 770-423-6744
> 1000 Chastain Rd.
> Chemistry Department SC428 Email:dhurst at kennesaw.edu
> Kennesaw State University Dow.Hurst at mindspring.com
> Kennesaw, GA 30144
> *********************************
> *Computational Chemistry is fun!*
> *********************************
:wq!
---------------------------------------------------------------------------
Robert L. Harris | Micros~1 :
Senior System Engineer | For when quality, reliability
at RnD Consulting | and security just aren't
\_ that important!
DISCLAIMER:
These are MY OPINIONS ALONE. I speak for no-one else.
FYI:
perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
NAT.sh
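Added example (not NAT.sh, Jonathan's script, or anything else posted in the thread): the same DUMP/STATEFUL layout as Jonathan's ruleset, with the configurable parts pulled into variables at the top as Dow suggests, and with the public address and subnet broadcast read from the interface at run time so that an ISP re-assigning the IP (Robert's cable-modem case) cannot silently break the spoof and broadcast filters. It assumes iproute2's `ip` is available, that `PUBLIC_IF` is the Internet-facing interface, and that setting `IPT=echo` is an acceptable way to preview the rules without loading them.

```shell
#!/bin/sh
# Added example, not a script from the thread. Assumes iproute2's 'ip', that
# PUBLIC_IF faces the Internet, and that IPT=echo gives a dry run (print only).
IPT="${IPT:-/usr/sbin/iptables}"
PUBLIC_IF="${PUBLIC_IF:-eth0}"
SERVICES="${SERVICES:-tcp:8380 tcp:80}"   # proto:port list; empty for a workstation

# Turn one line of 'ip -4 -o addr show' output ($1) into "addr prefix brd".
parse_addr_line() {
    set -- $1
    addr=""; brd=""
    while [ $# -gt 0 ]; do
        case "$1" in
            inet) addr="$2"; shift ;;
            brd)  brd="$2"; shift ;;
        esac
        shift
    done
    [ -n "$addr" ] || return 1                          # no IPv4 address at all
    case "$addr" in */*) ;; *) addr="$addr/32" ;; esac  # point-to-point: no prefix
    echo "${addr%/*} ${addr#*/} ${brd:-none}"
}

# Jonathan's DUMP/STATEFUL layout, with every local address taken from $1/$3.
apply_rules() {
    addr=$1; brd=$3
    $IPT -P INPUT DROP; $IPT -P OUTPUT ACCEPT; $IPT -P FORWARD DROP
    $IPT -F; $IPT -X; $IPT -N DUMP; $IPT -N STATEFUL
    $IPT -A DUMP -j LOG --log-prefix "fw-dump: " --log-tcp-options --log-ip-options
    $IPT -A DUMP -j DROP
    $IPT -A STATEFUL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A STATEFUL -m conntrack --ctstate NEW ! -i "$PUBLIC_IF" -j ACCEPT
    $IPT -A STATEFUL -j DUMP
    $IPT -A INPUT -i lo -j ACCEPT
    # Spoof filter: our own address and private/loopback space never arrive from outside.
    for net in "$addr/32" 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT -i "$PUBLIC_IF" -s "$net" -j DUMP
    done
    [ "$brd" = none ] || $IPT -A INPUT -i "$PUBLIC_IF" -d "$brd" -j DROP  # subnet bcast
    $IPT -A INPUT -i "$PUBLIC_IF" -d 255.255.255.255 -j DROP
    $IPT -A INPUT -i "$PUBLIC_IF" -p icmp -j ACCEPT
    for svc in $SERVICES; do
        $IPT -A INPUT -i "$PUBLIC_IF" -p "${svc%:*}" --dport "${svc#*:}" -j ACCEPT
    done
    $IPT -A INPUT -j STATEFUL
}

if [ "${1:-}" = apply ]; then   # "fw.sh apply" loads; otherwise only define functions
    triple=$(parse_addr_line "$(ip -4 -o addr show dev "$PUBLIC_IF" | head -n 1)") || exit 1
    apply_rules $triple
fi
```

Run `IPT=echo sh fw.sh apply` first to read the generated rules; the `-m conntrack --ctstate` matches are the current spelling of the `-m state --state` matches in Jonathan's script.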