Updated iptables host firewall rules

I am working on a wireless security project, which involves bridging, routing, and packet filtering (but not NAT). As I was looking at my current default iptables rule set, I noticed that it could use some cleaning up.

This firewall script is designed for stand-alone hosts that provide some services.

The script takes a single argument naming the interface to filter on, and defaults to eth0 if no argument is given.


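#!/bin/sh
# firewall-up.sh
#v3.07
#
# Host firewall for a stand-alone machine that publishes a few services.
# Usage: firewall-up.sh [interface]   (falls back to eth0 when no argument is given)
# Must run as root: it writes /proc/sys tunables and installs iptables rules.

# Interface facing the untrusted network. The original set the default and then
# exited 1, so "no argument" never actually worked; now it just continues.
if [ "$#" -eq 0 ]; then
  EXT_INT="eth0"
else
  EXT_INT="$1"
fi

PATH=/bin:/sbin:/usr/local/sbin/:/usr/sbin
IPTABLES=/sbin/iptables

# some ports of interest are:
# 139 NETBIOS session service 445 (UDP+TCP) Microsoft Naked CIFS
# 6346,44325 are for frostwire/gnutella

# Set allowed ports here, ranges to be separated by a colon ":"
# (space-separated lists; the for-loops below rely on word splitting)
ALLOWED_TCP="22 9881" # 80 139 443 445 8881 44325 6346 1194 13724 8500:8600 16379
ALLOWED_UDP="9881 5555 16379"
ANY="0/0"

# disable ICMP echo reply -- disabled as I personally believe that this causes
# more harm than good.
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

#disable layer 3 broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done

echo "Setting kernel tcp parameters to reduce DoS effects"
#Turn on TCP SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
# Size of the half-open (SYN_RECV) queue -- this is the synflood-related backlog.
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Do NOT accept ICMP redirects: they let an on-link host rewrite our routes.
# The original wrote 1 here, which enables them. Written per interface as well
# as under all/ because on a non-forwarding host either flag being 1 enables it.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > "$f"
done
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# NUMBER OF CONNECTIONS TO TRACK
# Older kernels expose ip_conntrack_max, newer ones nf_conntrack_max; write to
# whichever is present instead of erroring on a missing path.
for f in /proc/sys/net/ipv4/ip_conntrack_max /proc/sys/net/netfilter/nf_conntrack_max; do
  [ -w "$f" ] && echo "65535" > "$f"
done

# somaxconn caps the listen()/accept backlog of a socket (not the half-open
# count, which tcp_max_syn_backlog above controls). Default is 128.
echo 512 > /proc/sys/net/core/somaxconn

#echo "1" > /proc/sys/net/ipv4/ip_always_defrag

# Load modules

/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

#Flush rules -- every built-in chain in every table this script appends to, so
# re-running the script does not stack duplicate rules.
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F OUTPUT
$IPTABLES -t mangle -F PREROUTING

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

###setup IN_EXT chain (inbound on the external interface)
$IPTABLES -F IN_EXT >/dev/null 2>&1
$IPTABLES -X IN_EXT >/dev/null 2>&1
$IPTABLES -N IN_EXT
$IPTABLES -A INPUT -i "$EXT_INT" -j IN_EXT

###setup OUT_EXT chain (outbound on the external interface)
# The original appended to OUT_EXT without ever creating it, so those rules
# failed and the RIP filter at the bottom was never installed.
$IPTABLES -F OUT_EXT >/dev/null 2>&1
$IPTABLES -X OUT_EXT >/dev/null 2>&1
$IPTABLES -N OUT_EXT
$IPTABLES -A OUTPUT -o "$EXT_INT" -j OUT_EXT

##
# Create syn-flood chain for detecting Denial of Service attacks
#
# Flush and delete first: -N fails if the chain already exists (re-run case)
# and the old limit rules would otherwise be appended to a second time.
$IPTABLES -t nat -F syn-flood >/dev/null 2>&1
$IPTABLES -t nat -X syn-flood >/dev/null 2>&1
$IPTABLES -t nat -N syn-flood
# Limit 12 connections per second (burst to 24)
$IPTABLES -t nat -A syn-flood -m limit --limit 12/s --limit-burst 24 -j RETURN
$IPTABLES -t nat -A syn-flood -j DROP

# Check for DoS attack
#
$IPTABLES -t nat -A PREROUTING -i "$EXT_INT" -d "$ANY" -p tcp --syn -j syn-flood

# Try to detect and drop XMAS and NULL port scans
# NOTE(review): the nat table is only consulted for the first packet of a
# connection; these matches would be more reliable in the filter or mangle
# table -- left in place to keep the author's layout.
$IPTABLES -t nat -A PREROUTING -p TCP --tcp-flags ALL ALL -j DROP
$IPTABLES -t nat -A PREROUTING -p TCP --tcp-flags ALL NONE -j DROP

###start of IN_EXT
#spoof protect
#iptables -A IN_EXT -s $LAN_NET -j DROP

#accept PING requests
$IPTABLES -A IN_EXT -p icmp -j ACCEPT

#allow established connections back in
$IPTABLES -A IN_EXT -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow new inbound connections to the published services
for port in ${ALLOWED_TCP}; do
  $IPTABLES -A IN_EXT -p tcp --dport "$port" -j ACCEPT
done
for port in ${ALLOWED_UDP}; do
  $IPTABLES -A IN_EXT -p udp --dport "$port" -j ACCEPT
done

# You can start marking packets adding rules to the PREROUTING chain in the mangle table.
$IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -p icmp -j RETURN

# Block more than 5 ssh attempts in 1 minute.
# Inserted at the head of INPUT so they run before the IN_EXT jump; the
# --update/DROP rule is inserted last so it ends up first. Match on $EXT_INT
# rather than a hard-coded eth0 so the limit follows the interface argument.
$IPTABLES -I INPUT -p tcp --dport 22 -i "$EXT_INT" -m state --state NEW -m recent --set
$IPTABLES -I INPUT -p tcp --dport 22 -i "$EXT_INT" -m state --state NEW -m recent --update --seconds 60 --hitcount 6 -j DROP

#default drop everything else
$IPTABLES -A IN_EXT -j REJECT

#don't send RIP out
$IPTABLES -A OUT_EXT -p UDP --sport 521 -j REJECT

#Allow anything else to go out
$IPTABLES -A OUT_EXT -j ACCEPT

exit 0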