Differences

This shows you the differences between two versions of the page.

--- linux:firewall [2010/01/28 20:54]
greebo
+++ linux:firewall [2010/12/29 10:16]
greebo
@@ Line 1: / Line 1: @@
 [[linux:firewall6|Linux IPV6 firewall]]\\
-[[linux:firewall_blocktor| how to block TOR networ in realtime]]\\
+[[linux:firewall_blocktor| how to block TOR network in realtime]]\\
 [[http://www.fs-security.com/|FS security]]\\
@@ Line 11: / Line 10: @@
 echo "* Running $0"
 echo "*************"
+echo "* http://tnt.aufbix.org/ linux firewall script"
 echo
@@ Line 51: / Line 51: @@
 # what UDP ports/services we allow (and FORWARD) from Internet
 # use "," as delimiter
-UDP_PORTS="53"
+UDP_PORTS="53,123"
 # which ports we forward into our intranet
@@ Line 60: / Line 60: @@
 WE_HAVE_INTRANET="0"
+#
 TRUSTED_HOSTS="193.77.1.1/32 \
 .93.224.0/19 \
@@ Line 75: / Line 76: @@
 $IPTB -t nat -F
+# new chain for SSH and HTTP access
 $IPTB -N ssh-access
 $IPTB -N http-access
 # port redirection (transparent proxy)
 # redirect all outgoing traffic that is NOT for the GW to local (GW) ports
+# DNS (53/tcp and 53/udp) and SMTP (25/tcp)
 #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
 #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
@@ Line 91: / Line 93: @@
 $IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-# Connection limit for SSH connections (3 connection per minute) - usefull agains ssh scanners if you MUST open SSH for every IP!
+# move all SSH and HTTP traffic to apropriate chains
-# it is wise to use sshaccess input table (TRUSTED_HOSTS)
-#$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
-#$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP
 $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access
 $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access
-# ssh
+# ssh chain
 for sshhostese in $TRUSTED_HOSTS;
         do
         $IPTB -A ssh-access -s $sshhostese -j ACCEPT
         done
+ # Connection limit for SSH connections (1 connection per minute) - usefull against ssh scanners if you MUST open SSH for every IP!
+ # it is wise to use sshaccess input table (TRUSTED_HOSTS)
+$IPTB -A ssh-access -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
+$IPTB -A ssh-access -j DROP
 # ssh
@@ Line 112: / Line 114: @@
         done
 # http
 # IPSEC
@@ Line 160: / Line 161: @@
 $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
 $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "fin/rts flag>"
 $IPTB -A INPUT -f -j LOG --log-prefix "FRAGMENT> "
@@ Line 181: / Line 181: @@
 $IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+# what we allow from Internet - TCP ports
-# what we allow from Internet
 for i in $TCP_PORTS
 	do
 		$IPTB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT
-    done
+        done
+# what we allow from Internet - UDP ports
 $IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT
@@ Line 242: / Line 242: @@
 $IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP
-# adsl
+# ADSL (PPPoE connections)
 #$IPTB -I FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 $IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
@@ Line 249: / Line 249: @@
 # in "valid-macs" file
 #for mac in `cat valid-macs`; do $IPTB -I FORWARD -m mac --mac-source $mac -j fwfilter ; done
+# OUTPUT
+$IPTB -P OUTPUT DROP
+# only allow NEW and related connections out
+$IPTB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 # list the rules