
Tuesday, July 05, 2005

Re: browser problem from inside firewall

Hi, I have posted my first firewall script previously; this is basically
the same script, but optimized.

#! /bin/bash

#modprobe ip_conntrack_FTP

### SYMBOLIC CONSTANTS ###

CONNECTION_TRACKING="1"
DHCP_CLIENT="1"
INTERNET="eth1"          # interface facing the Internet
LOCAL="eth0"             # interface facing the LAN (192.168.3.0/24)
LOOPBACK_INTERFACE="lo"
# Read each address off the interface named above: IPADDR is the external
# address that the EXT-* rules (-i $INTERNET -d $IPADDR) and the DNAT rules
# match on, INTERNAL_IP is the LAN-side address.  Matching on "inet addr:"
# skips the inet6 lines ifconfig prints for the same interface.
IPADDR=`ifconfig $INTERNET|awk '/inet addr:/{print $2}'|awk -F ':' '{print $2}'`
INTERNAL_IP=`ifconfig $LOCAL|awk '/inet addr:/{print $2}'|awk -F ':' '{print $2}'`
SUBNET_BASE="192.168.3.0"
SUBNET_BROADCAST="192.168.3.255"
MY_ISP="24.156.100.1"

NAMESERVER_1="value not shown"
NAMESERVER_2="value not shown"
NAMESERVER_3="value not shown"
POP_SERVER_1="value not shown"
POP_SERVER_2="value not shown"
POP_SERVER_3="value not shown"
POP_SERVER_4="value not shown"
POP_SERVER_5="value not shown"
IMAP_SERVER_1="value not shown"
IMAP_SERVER_2="value not shown"
SMTP_SERVER_1="value not shown"
SMTP_SERVER_2="value not shown"
TIME_SERVER="value not shown"
DHCP_SERVER="value not shown"
SSH_CLIENT="value not shown"

LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"

## Hosts
DESKTOP="192.168.3.41"
DESKTOP2="192.168.3.40"
WWW="192.168.3.42"

## PORTS
IRC_PORT="6667"
WEB_PORT="80"
SSL_PORT="443"
SSH_PORT="22"
DK_PORT="4660:4661"
XWINDOW_PORTS="6000:6063"
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

USER_CHAINS="EXT-input EXT-output
tcp-state-flags connection-tracking
source-address-check destination-address-check
local-dns-server-query remote-dns-server-response
local-tcp-client-request remote-tcp-server-response
remote-tcp-client-request local-tcp-server-response
local-udp-client-request remote-udp-server-response
local-dhcp-client-query remote-dhcp-server-response
EXT-icmp-out EXT-icmp-in
EXT-log-in EXT-log-out
log-tcp-state"

#############################################################################

## Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

## Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

## Enable IP forwarding (this box routes for the LAN)
echo 1 > /proc/sys/net/ipv4/ip_forward

## Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

## Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done

## Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done

## Drop spoofed packets with resulting reply to another interface
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# Log packets with impossible addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done

echo "Done Protection Scripting"
##########################################################################

# Remove any existing
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set the default policy to drop
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy OUTPUT ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT
iptables -t mangle --policy PREROUTING ACCEPT
iptables -t mangle --policy OUTPUT ACCEPT

# Remove any pre-existing user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

# Create the user-defined chains
for i in $USER_CHAINS; do
    iptables -N $i
done

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
######################################################################

#iptables -A INPUT -i $INTERNET -d $IPADDR -j EXT-input
#iptables -A OUTPUT -o $INTERNET -j EXT-output

# DNS Caching Name Server

iptables -A EXT-output -p udp --sport 53 --dport 53 -j local-dns-server-query
iptables -A EXT-input -p udp --sport 53 --dport 53 -j remote-dns-server-response

# DNS over tcp

iptables -A EXT-output -p tcp --sport $UNPRIVPORTS --dport 53 -j local-dns-server-query
iptables -A EXT-input -p tcp ! --syn --sport 53 --dport $UNPRIVPORTS -j remote-dns-server-response
echo " DNS Caching done"
#######################################################################
# DNS Forwarding Name Server or client requests

if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A local-dns-server-query -d $NAMESERVER_1 -m state --state NEW -j ACCEPT
    iptables -A local-dns-server-query -d $NAMESERVER_2 -m state --state NEW -j ACCEPT
    iptables -A local-dns-server-query -d $NAMESERVER_3 -m state --state NEW -j ACCEPT
fi

iptables -A local-dns-server-query -d $NAMESERVER_1 -j ACCEPT
iptables -A local-dns-server-query -d $NAMESERVER_2 -j ACCEPT
iptables -A local-dns-server-query -d $NAMESERVER_3 -j ACCEPT

# DNS response to local requests

iptables -A INPUT -i $INTERNET -s $NAMESERVER_1 -j ACCEPT
iptables -A OUTPUT -o $INTERNET -d $NAMESERVER_1 -j ACCEPT

iptables -A remote-dns-server-response -s $NAMESERVER_1 -j ACCEPT
iptables -A remote-dns-server-response -s $NAMESERVER_2 -j ACCEPT
iptables -A remote-dns-server-response -s $NAMESERVER_3 -j ACCEPT

echo " DNS forwarding and response to local requests"

###########################################################################
# Local TCP client output and remote server input chains

iptables -A EXT-output -p tcp --sport $UNPRIVPORTS -j local-tcp-client-request
iptables -A EXT-input -p tcp ! --syn --dport $UNPRIVPORTS -j remote-tcp-server-response

#SSH client

if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A local-tcp-client-request -p tcp -d $SSH_CLIENT --dport 22 --syn -m state --state NEW -j ACCEPT
fi

iptables -A local-tcp-client-request -p tcp -d $SSH_CLIENT --dport 22 -j ACCEPT
iptables -A remote-tcp-server-response -p tcp ! --syn -s $SSH_CLIENT --sport 22 -j ACCEPT

#.............................................................................................
# Client rules for HTTP, HTTPS

if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A local-tcp-client-request -p tcp -m multiport --destination-port 80,443 --syn -m state --state NEW -j ACCEPT
fi

iptables -A local-tcp-client-request -p tcp -m multiport --destination-port 80,443 -j ACCEPT
iptables -A remote-tcp-server-response -p tcp -m multiport --source-port 80,443 ! --syn -j ACCEPT

#...............................................................................................
# POP client
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A local-tcp-client-request -p tcp -d $POP_SERVER_1 --dport 110 --syn -m state --state NEW -j ACCEPT
    iptables -A local-tcp-client-request -p tcp -d $POP_SERVER_2 --dport 110 --syn -m state --state NEW -j ACCEPT
    iptables -A local-tcp-client-request -p tcp -d $POP_SERVER_3 --dport 110 --syn -m state --state NEW -j ACCEPT
fi

iptables -A local-tcp-client-request -p tcp -d $POP_SERVER_1 --dport 110 -j ACCEPT
iptables -A local-tcp-client-request -p tcp -d $POP_SERVER_2 --dport 110 -j ACCEPT
iptables -A local-tcp-client-request -p tcp -d $POP_SERVER_3 --dport 110 -j ACCEPT

iptables -A remote-tcp-server-response -p tcp ! --syn -s $POP_SERVER_1 --sport 110 -j ACCEPT
iptables -A remote-tcp-server-response -p tcp ! --syn -s $POP_SERVER_2 --sport 110 -j ACCEPT
iptables -A remote-tcp-server-response -p tcp ! --syn -s $POP_SERVER_3 --sport 110 -j ACCEPT

#...............................................................................................
# SMTP mail Client

# (no space inside the quotes, or the comparison never matches "1")
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A local-tcp-client-request -p tcp -d $SMTP_SERVER_1 --dport 25 --syn -m state --state NEW -j ACCEPT
    iptables -A local-tcp-client-request -p tcp -d $SMTP_SERVER_2 --dport 25 --syn -m state --state NEW -j ACCEPT
fi

iptables -A local-tcp-client-request -p tcp -d $SMTP_SERVER_1 --dport 25 -j ACCEPT
iptables -A local-tcp-client-request -p tcp -d $SMTP_SERVER_2 --dport 25 -j ACCEPT

iptables -A remote-tcp-server-response -p tcp ! --syn -s $SMTP_SERVER_1 --sport 25 -j ACCEPT
iptables -A remote-tcp-server-response -p tcp ! --syn -s $SMTP_SERVER_2 --sport 25 -j ACCEPT

echo "Client Rules Setup"

################################################################################################
# Local TCP server, remote client

#iptables -A EXT-input -p tcp --sport $UNPRIVPORTS -j remote-tcp-client-request
iptables -A EXT-output -p tcp ! --syn --dport $UNPRIVPORTS -j local-tcp-server-response

echo "TCP server, remote client"
################################################################################################
# Remote TCP client input and local server output chains

# SSH server

if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A remote-tcp-client-request -p tcp -s $SSH_CLIENT --destination-port 22 -m state --state NEW -j ACCEPT
fi

iptables -A remote-tcp-client-request -p tcp -s $SSH_CLIENT --destination-port 22 -j ACCEPT
iptables -A local-tcp-server-response -p tcp ! --syn --source-port 22 -d $SSH_CLIENT -j ACCEPT

echo "Input and local server output chains"
################################################################################################
## Local UDP client, remote server

iptables -A EXT-output -p udp --sport $UNPRIVPORTS -j local-udp-client-request
iptables -A EXT-input -p udp --dport $UNPRIVPORTS -j remote-udp-server-response

################################################################################################
# NTP time client

if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A local-udp-client-request -p udp -d $TIME_SERVER --dport 123 -m state --state NEW -j ACCEPT
fi

iptables -A local-udp-client-request -p udp -d $TIME_SERVER --dport 123 -j ACCEPT
iptables -A remote-udp-server-response -p udp -s $TIME_SERVER --sport 123 -j ACCEPT

echo "NTP time client"
################################################################################################
# ICMP

iptables -A EXT-input -p icmp -j EXT-icmp-in
iptables -A EXT-output -p icmp -j EXT-icmp-out

#################################################################################################
# ICMP traffic

# Log and drop initial ICMP fragments
iptables -A EXT-icmp-in --fragment -j LOG --log-prefix "Fragmented incoming ICMP: "
iptables -A EXT-icmp-in --fragment -j DROP
iptables -A EXT-icmp-out --fragment -j LOG --log-prefix "Fragmented outgoing ICMP: "
iptables -A EXT-icmp-out --fragment -j DROP

# Outgoing ping

if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A EXT-icmp-out -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
fi

iptables -A EXT-icmp-out -p icmp --icmp-type echo-request -j ACCEPT
iptables -A EXT-icmp-in -p icmp --icmp-type echo-reply -j ACCEPT

# Incoming ping

if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A EXT-icmp-in -p icmp -s $MY_ISP --icmp-type echo-request -m state --state NEW -j ACCEPT
fi

iptables -A EXT-icmp-in -p icmp --icmp-type echo-request -s $MY_ISP -j ACCEPT
iptables -A EXT-icmp-out -p icmp --icmp-type echo-reply -d $MY_ISP -j ACCEPT

iptables -A EXT-icmp-out -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A EXT-icmp-in -p icmp --icmp-type destination-unreachable -j ACCEPT

iptables -A EXT-icmp-out -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A EXT-icmp-in -p icmp --icmp-type parameter-problem -j ACCEPT

iptables -A EXT-icmp-in -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A EXT-icmp-out -p icmp --icmp-type source-quench -j ACCEPT
iptables -A EXT-icmp-in -p icmp --icmp-type source-quench -j ACCEPT

####################################################################################################
# TCP State Flags

# All of the bits are cleared
iptables -A tcp-state-flags -p tcp --tcp-flags ALL NONE -j log-tcp-state
iptables -A tcp-state-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j log-tcp-state
iptables -A tcp-state-flags -p tcp --tcp-flags SYN,RST SYN,RST -j log-tcp-state
iptables -A tcp-state-flags -p tcp --tcp-flags FIN,RST FIN,RST -j log-tcp-state
iptables -A tcp-state-flags -p tcp --tcp-flags ACK,FIN FIN -j log-tcp-state
iptables -A tcp-state-flags -p tcp --tcp-flags ACK,PSH PSH -j log-tcp-state
iptables -A tcp-state-flags -p tcp --tcp-flags ACK,URG URG -j log-tcp-state

echo "TCP state done"
####################################################################################################
# Log and drop tcp packets with bad state combinations

iptables -A log-tcp-state -p tcp -j LOG --log-prefix "Illegal TCP state: " --log-ip-options --log-tcp-options
iptables -A log-tcp-state -j DROP

#####################################################################################################
# By-pass rule checking for ESTABLISHED exchanges

if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A connection-tracking -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A connection-tracking -m state --state INVALID -j LOG --log-prefix "INVALID packet: "
    iptables -A connection-tracking -m state --state INVALID -j DROP
fi
#####################################################################################################
# DHCP traffic

if [ "$DHCP_CLIENT" = "1" ]; then
    iptables -A local-dhcp-client-query -s $BROADCAST_SRC -d $BROADCAST_DEST -j ACCEPT
    iptables -A remote-dhcp-server-response -s $BROADCAST_SRC -d $BROADCAST_DEST -j ACCEPT
    iptables -A local-dhcp-client-query -s $BROADCAST_SRC -d $DHCP_SERVER -j ACCEPT
    iptables -A remote-dhcp-server-response -s $DHCP_SERVER -d $BROADCAST_DEST -j ACCEPT
    iptables -A remote-dhcp-server-response -s $DHCP_SERVER -j ACCEPT
    iptables -A local-dhcp-client-query -s $IPADDR -d $DHCP_SERVER -j ACCEPT
fi
echo "DHCP traffic"

#######################################################################################################
# Source address spoof checks

iptables -A source-address-check -s $CLASS_A -j DROP
iptables -A source-address-check -s $CLASS_B -j DROP
iptables -A source-address-check -s $CLASS_C -j DROP
iptables -A source-address-check -s $CLASS_D_MULTICAST -j DROP
iptables -A source-address-check -s $CLASS_E_RESERVED_NET -j DROP
iptables -A source-address-check -s $LOOPBACK -j DROP

iptables -A source-address-check -s 0.0.0.0/8 -j DROP
iptables -A source-address-check -s 169.254.0.0/16 -j DROP
iptables -A source-address-check -s 192.0.2.0/24 -j DROP

########################################################################################################
# Bad Destination Address and Port Checks

iptables -A destination-address-check -d $BROADCAST_DEST -j DROP
iptables -A destination-address-check -d $SUBNET_BASE -j DROP
iptables -A destination-address-check -d $SUBNET_BROADCAST -j DROP
iptables -A destination-address-check -p ! udp -d $CLASS_D_MULTICAST -j DROP
iptables -A destination-address-check -p tcp --destination-port $XWINDOW_PORTS --syn -j DROP

#########################################################################################################
# Logging rules prior to Dropping

iptables -A EXT-log-in -p icmp --icmp-type ! echo-request -m limit -j LOG
iptables -A EXT-log-in -p tcp --dport 0:650 -j LOG
iptables -A EXT-log-in -p udp --dport 0:110 -j LOG
iptables -A EXT-log-out -j LOG
echo " LOG ESTABLISHED"
####################################################################################################
# User defined chains

iptables -A INPUT -p tcp -j tcp-state-flags
iptables -A OUTPUT -p tcp -j tcp-state-flags

if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -j connection-tracking
    iptables -A OUTPUT -j connection-tracking
fi

if [ "$DHCP_CLIENT" = "1" ]; then
    iptables -A INPUT -i $INTERNET -p udp --sport 67 --dport 68 -j remote-dhcp-server-response
    iptables -A OUTPUT -o $INTERNET -p udp --sport 68 --dport 67 -j local-dhcp-client-query
fi

# Test for illegal source and destination addresses incoming

iptables -A INPUT -p ! tcp -j source-address-check
iptables -A INPUT -p tcp --syn -j source-address-check
iptables -A INPUT -j destination-address-check

iptables -A OUTPUT -j destination-address-check
iptables -A INPUT -i $INTERNET -d $IPADDR -j EXT-input
iptables -A INPUT -i $INTERNET -p udp -d $CLASS_D_MULTICAST -j DROP
iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR -d $CLASS_D_MULTICAST -j DROP
iptables -A OUTPUT -o $INTERNET -s $IPADDR -j EXT-output

echo "Setting connection timeouts"
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack

echo "Enabling AntiPortscanning Rules"
# All of these live in the mangle table, which sees every packet.  The nat
# table only sees the first packet of each connection and is not meant for
# filtering, so flag checks placed there miss most of the traffic.
echo "*NULL Scan"
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
echo "*NMAP FIN/URG/PSH (Xmas scan)"
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
echo "*SYN/RST Scan"
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
echo "*SYN/FIN Scan"
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN -j DROP

# Forwarding for the LAN.  The FORWARD policy is DROP, so outbound traffic
# from the LAN needs an ACCEPT and the replies need a stateful rule back in;
# without the second rule every connection from inside the firewall hangs.
iptables -A FORWARD -s 192.168.3.0/24 -d 0/0 -i $LOCAL -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE

# Port forwards.  A DNAT in nat/PREROUTING only rewrites the address; the
# new connection still passes through FORWARD, so each target needs a
# matching ACCEPT there as well.
iptables -t nat -A PREROUTING -p tcp -d $IPADDR --dport 80 -j DNAT --to $WWW:80
iptables -A FORWARD -i $INTERNET -o $LOCAL -p tcp -d $WWW --dport 80 -m state --state NEW -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp -d $IPADDR --dport 6112 -j DNAT --to $WWW:22
iptables -t nat -A PREROUTING -p udp -d $IPADDR --dport 4660 -j DNAT --to $DESKTOP:4660
iptables -t nat -A PREROUTING -p tcp -d $IPADDR --dport 4660 -j DNAT --to $DESKTOP:4660
iptables -A FORWARD -i $INTERNET -o $LOCAL -p udp -d $DESKTOP --dport 4660 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $LOCAL -p tcp -d $DESKTOP --dport 4660 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d $IPADDR --dport 4661 -j DNAT --to $DESKTOP2:4661
iptables -t nat -A PREROUTING -p udp -d $IPADDR --dport 4661 -j DNAT --to $DESKTOP2:4661
iptables -A FORWARD -i $INTERNET -o $LOCAL -p tcp -d $DESKTOP2 --dport 4661 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $LOCAL -p udp -d $DESKTOP2 --dport 4661 -m state --state NEW -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 81 -j DNAT --to $DESKTOP:22
#iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 6667 -j DNAT --to $IRC:6667
iptables -t nat -A PREROUTING -p tcp -d $IPADDR --dport 215 -j DNAT --to $DESKTOP:22
iptables -A FORWARD -i $INTERNET -o $LOCAL -p tcp -d $DESKTOP --dport 22 -m state --state NEW -j ACCEPT

# Log anything that fell through before it drops

iptables -A INPUT -j EXT-log-in
iptables -A OUTPUT -j EXT-log-out

exit 0

Dave Ewart wrote:
> On Monday, 04.07.2005 at 10:40 +0100, jpff@codemist.co.uk wrote:
>
>
>>I have just (well yesterday) changed my firewall from an aging RedHat
>>system to Debian. Most things seem OK (couple of minor spamassassin
>>problems) but there is one MAJOR problem that I do not understand.
>>
>>The simplest form is when a user inside the firewall attempts to
>>upload a photo to flickr.com it just hangs and eventually times out.
>>If the same thing is done from the firewall itself it works instantly.
>>I deduce that something in Debian is being very cautious, but I do not
>>know what. The iptables I have is the same as on the previous system, and
>>it used to work.
>>
>>Any suggestions as to where to look? This is a major problem as it also
>>affects on-line banking which is important for the company.
>
>
> We might be able to assist if you show us the firewall rulesets and some
> log files ...
>
> Dave.
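Added here as an illustration, not part of the posted script or of the thread: a small POSIX shell check that reads an iptables-save dump and reports whether the FORWARD chain will let replies back to LAN clients, which is the first thing to look at when a request works from the firewall itself but hangs from a machine behind it. The interface names (eth0 LAN, eth1 Internet) are assumptions taken from the script above, and both dumps are constructed samples, the first modelled on the FORWARD chain as posted.

```shell
#!/bin/sh
# Audit helper (added example): does the FORWARD chain let replies reach
# the LAN?  With policy DROP, a single LAN->Internet ACCEPT and no stateful
# return rule, every reply is discarded: connections from inside hang while
# the same request made on the firewall (INPUT/OUTPUT path) works.
# eth0 (LAN) and eth1 (Internet) are assumptions from the posted script;
# both dumps below are constructed samples, not real iptables-save output.

SAMPLE_BROKEN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -s 192.168.3.0/24 -i eth0 -j ACCEPT
COMMIT'

SAMPLE_FIXED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -s 192.168.3.0/24 -i eth0 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# forward_policy DUMP: print the FORWARD chain policy (ACCEPT, DROP, ...).
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^:FORWARD \([A-Z]*\).*/\1/p'
}

# forward_return_path_ok DUMP: return 0 when replies can traverse FORWARD,
# 1 otherwise, and print a one-line verdict.
forward_return_path_ok() {
    fw_dump=$1
    fw_policy=$(forward_policy "$fw_dump")
    if [ "$fw_policy" = "ACCEPT" ]; then
        echo "ok: FORWARD policy is ACCEPT (nothing is filtered here)"
        return 0
    fi
    # A state or conntrack rule admitting ESTABLISHED or RELATED is enough.
    if printf '%s\n' "$fw_dump" | grep -E \
        '^-A FORWARD .*(--state|--ctstate) [A-Z,]*(ESTABLISHED|RELATED)[A-Z,]* .*-j ACCEPT' \
        >/dev/null; then
        echo "ok: stateful return rule present in FORWARD"
        return 0
    fi
    echo "missing: FORWARD policy $fw_policy and no ESTABLISHED,RELATED accept;"
    echo "         replies to LAN clients are dropped"
    return 1
}

# Demo run (|| true so the failing check does not abort under set -e).
forward_return_path_ok "$SAMPLE_BROKEN" || true
forward_return_path_ok "$SAMPLE_FIXED"
```

On a live box the same functions can be fed `"$(iptables-save)"` instead of the constructed samples.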

