Koozali.org: home of the SME Server

Some firewalling capability for a server-only installation ?

Offline arne

Some firewalling capability for a server-only installation ?
« on: August 04, 2006, 03:21:57 PM »
The server only installation does not have a firewall that is activated at all. So there might be a question: how to activate some firewalling capability for the server only installation? I will try to make a few suggestions how this can be done. The first script will be rather simple. If anybody is interested, please leave comments and/or suggestions!

Arne.
......

Offline arne

Some firewalling capability for a server-only installation ?
« Reply #1 on: August 04, 2006, 03:31:50 PM »
This script can for instance be edited into the /etc/rc.d/rc.local file:

#!/bin/sh

# Flush
iptables -F
iptables -X
iptables -Z

iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Open ports on router pc for server/services
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT

# STATE RELATED for local processes on firewall machine
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


Explanation: This script is for a server that is used for some internet functions only. The LAN server functions are actually running, but they are just "deactivated" as they are "locked in" behind the firewall.

The line that specifies -i lo (local) can be required for some special functions like the web mail function.

The last line is a stateful inspection function for the server so that it also can be used as a client for some functionality (opens input chain dynamically as required.)

In this very easy setup there is no filtering of open ports, control of spoofed packets, lockout of certain IPs, etc. These can be added as required. For this simple setup the output chain is also left open.
......

Offline arne

Some firewalling capability for a server-only installation ?
« Reply #2 on: August 04, 2006, 10:33:37 PM »
Found something rather interesting that can / will be used for further reference:

http://mirror.contribs.org/smeserver/contribs/gordonr/devguide/html/devguide.html
......

Offline arne

Some firewalling capability for a server-only installation ?
« Reply #3 on: August 04, 2006, 11:07:47 PM »
Just adding this link for further reference:
http://www.linuxforum.com/linux_tutorials/6/1.php

Guess this sentence can be used for traffic limiting for all ports (preventing DoS attacks), if placed somewhere near the top of the script:

-A INPUT -m limit --limit 3/second --limit-burst 5 -j DROP

(Accept a burst of 5 initial packets, then further on an average of 3 packets per second. By the way, these limits seem to be set a bit low ..)


Please anybody that has any ideas or suggestions, leave a msg ..

Of course, accepting only one or two source IPs has to be built in ..
Blocking any IPs etc, etc ..
......

Offline arne

Some firewalling capability for a server-only installation ?
« Reply #4 on: August 04, 2006, 11:27:44 PM »
Some corrections/changes, untested:

# Flush, reset firewall
iptables -F
iptables -X
iptables -Z
# Set the policy, the default last rule
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Lock out some bad guys:
iptables -A INPUT -s 123.123.123.1 -j DROP
iptables -A INPUT -s 123.123.123.2 -j DROP
iptables -A INPUT -s 123.123.123.3 -j DROP
# Some rate and burst control, preventing DoS attacks.
# The limit match matches packets that are still UNDER the limit, so those
# RETURN to INPUT and only the excess is dropped; a plain "-m limit ... -j DROP"
# would drop the first packets and let the flood through. Scoped to new
# connection attempts (SYN) so established traffic is not throttled.
iptables -N RATELIMIT
iptables -A RATELIMIT -m limit --limit 3/second --limit-burst 5 -j RETURN
iptables -A RATELIMIT -j DROP
iptables -A INPUT -p tcp --syn -j RATELIMIT

# Open ports on router pc for server/services

iptables -A INPUT -i lo -j ACCEPT
# Open port 20 for all source IPs
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Open port 22 for only source IP 123.123.123.9
iptables -A INPUT -p tcp -s 123.123.123.9 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
 
iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT

# STATE RELATED for local processes on firewall machine
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Anybody who can run a test ?
......

Offline arne

Some firewalling capability for a server-only installation ?
« Reply #5 on: August 04, 2006, 11:45:42 PM »
Some minor corrections .. Syntax seems to be working OK ..
(Still untested as firewall.)

# Flush, reset firewall
iptables -F
iptables -X
iptables -Z

# Set the policy, the default last rule
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Lock out some bad guys:
iptables -A INPUT -s 123.123.123.1 -j DROP
iptables -A INPUT -s 123.123.123.2 -j DROP
iptables -A INPUT -s 123.123.123.3 -j DROP

# Some rate and burst control, preventing DoS attacks.
# The limit match matches packets that are still UNDER the limit, so those
# RETURN to INPUT and only the excess is dropped; a plain "-m limit ... -j DROP"
# would drop the first packets and let the flood through. Scoped to new
# connection attempts (SYN) so established traffic is not throttled.
iptables -N RATELIMIT
iptables -A RATELIMIT -m limit --limit 3/second --limit-burst 5 -j RETURN
iptables -A RATELIMIT -j DROP
iptables -A INPUT -p tcp --syn -j RATELIMIT

# Open ports on router pc for server/services
iptables -A INPUT -i lo -j ACCEPT
# Open port 20 for all source IPs
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Open port 22 for only source IP 123.123.123.9
iptables -A INPUT -p tcp -s 123.123.123.9 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Just an example of opening a small hole for some UDP protocol
iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT

# Dynamic opening / stateful inspection for input chain.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


To check the status of the firewall: "iptables -L"
......

Offline arne

Some firewalling capability for a server-only installation ?
« Reply #6 on: August 04, 2006, 11:51:33 PM »
To open for ping requests, if wanted:

iptables -A INPUT -p icmp -j ACCEPT

The sentence can be located anywhere in the script.
......

Offline arne

Some firewalling capability for a server-only installation ?
« Reply #7 on: August 05, 2006, 12:02:32 AM »
Some spoofed packet protection:
(For instance after the policy setting.)


# some spoofed packet filtering
# some spoofed source IP filtering should also be applied
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
......

Offline arne

Some firewalling capability for a server-only installation ?
« Reply #8 on: August 05, 2006, 12:10:06 AM »
Some minor corrections .. Syntax seems to be working OK ..
(Still untested as firewall.)

# Flush, reset firewall
iptables -F
iptables -X
iptables -Z

# Set the policy, the default last rule
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# some spoofed packet filtering
# some spoofed source IP filtering should also be applied
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Lock out some bad guys:
iptables -A INPUT -s 123.123.123.1 -j DROP
iptables -A INPUT -s 123.123.123.2 -j DROP
iptables -A INPUT -s 123.123.123.3 -j DROP

# Some rate and burst control, preventing DoS attacks.
# The limit match matches packets that are still UNDER the limit, so those
# RETURN to INPUT and only the excess is dropped; a plain "-m limit ... -j DROP"
# would drop the first packets and let the flood through. Scoped to new
# connection attempts (SYN) so established traffic is not throttled.
iptables -N RATELIMIT
iptables -A RATELIMIT -m limit --limit 3/second --limit-burst 5 -j RETURN
iptables -A RATELIMIT -j DROP
iptables -A INPUT -p tcp --syn -j RATELIMIT

# To open for answer to ping requests, if wanted:

iptables -A INPUT -p icmp -j ACCEPT

# Open ports on router pc for server/services
iptables -A INPUT -i lo -j ACCEPT
# Open port 20 for all source IPs
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Open port 22 for only source IP 123.123.123.9
iptables -A INPUT -p tcp -s 123.123.123.9 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Just an example of opening a small hole for some UDP protocol
iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT

# Dynamic opening / stateful inspection for input chain.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


To check the status of the firewall: "iptables -L"

Just some ideas (that hopefully can be used) during one night ...

Ref to this thread:
http://forums.contribs.org/index.php?topic=33097.0
......
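The final script above, and the "easily adjustable" setup arne asks for later in the thread, as an added example that is not the thread's own script: services and blocked/allowed addresses are data, the rate limit drops the excess rather than the first packets, and IPT=echo gives a dry run that prints the rules instead of loading them. The names build_input_chain, SERVICES, BLOCKED and IPT are this example's own; the 123.123.123.x addresses are the thread's placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): the thread's final ruleset rewritten so
# the services and the blocked/allowed addresses are data, and so the rate limit
# drops the EXCESS rather than the first packets. IPT=echo gives a dry run that
# prints the rules instead of loading them. The 123.123.123.x addresses are the
# thread's placeholders, not real hosts.
IPT="${IPT:-iptables}"

# proto:port:source ; source "any" means no -s restriction
SERVICES="tcp:80:any tcp:443:any tcp:25:any tcp:110:any udp:53:any tcp:22:123.123.123.9"
BLOCKED="123.123.123.1 123.123.123.2 123.123.123.3"

build_input_chain() {
    "$IPT" -F; "$IPT" -X; "$IPT" -Z
    "$IPT" -P INPUT DROP; "$IPT" -P FORWARD ACCEPT; "$IPT" -P OUTPUT ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Replies to connections the server opened itself, plus related traffic;
    # placed first so it is never throttled or blocked by the rules below.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Impossible TCP flag combinations (subset of the thread's list)
    "$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    for ip in $BLOCKED; do "$IPT" -A INPUT -s "$ip" -j DROP; done
    # New connection attempts (SYN) under the limit RETURN to INPUT and are
    # judged by the port rules; the excess is dropped. A bare
    # "-m limit ... -j DROP" matches the packets UNDER the limit and drops those.
    "$IPT" -N RATELIMIT
    "$IPT" -A RATELIMIT -m limit --limit 3/second --limit-burst 5 -j RETURN
    "$IPT" -A RATELIMIT -j DROP
    "$IPT" -A INPUT -p tcp --syn -j RATELIMIT
    for svc in $SERVICES; do
        proto=${svc%%:*}; rest=${svc#*:}; port=${rest%%:*}; src=${rest#*:}
        if [ "$src" = "any" ]; then
            "$IPT" -A INPUT -p "$proto" --dport "$port" -j ACCEPT
        else
            "$IPT" -A INPUT -p "$proto" -s "$src" --dport "$port" -j ACCEPT
        fi
    done
}

# Only load rules when explicitly asked; sourcing the file just defines them.
if [ "${1:-}" = "--apply" ]; then build_input_chain; fi
```

On an SME 7 server-only install the flush at the top replaces the firewall the system already sets up, as JonB and gordonr point out below, so treat this as a demonstration of the rule logic rather than something to drop into rc.local.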

Offline raem

Some firewalling capability for a server-only installation ?
« Reply #9 on: August 05, 2006, 02:56:06 AM »
listening
...

Offline JonB

Some firewalling capability for a server-only installation ?
« Reply #10 on: August 05, 2006, 08:57:16 AM »
Quote
The server only installation does not have firewall that is activated at all.


Arne, where did this come from? SME7 in server only mode does have a firewall that is enabled. Earlier versions of SME did not.

Running

iptables -L

on a server only machine shows the rules that are set up.

Jon
...

Offline arne

Some firewalling capability for a server-only installation ?
« Reply #11 on: August 05, 2006, 11:37:15 AM »
Oops, oh, really? I must admit that when I tested R 7 a couple of times I did not take notice that there was a firewall at all, as I am so used to there not being one, and to applying my own script.

Where it came from .. actually from nowhere, except for some thinking in the middle of the night in a web cafe in Bangkok, Thailand, with no literature and nothing except for the internet.

Actually I think that something like 90 % of making a firewall script should be testing, so with no testing opportunity, it might not be too good an idea to do anything.

If iptables -L shows something other than open policies, it has a running firewall.

Still there are issues like whether LAN functions should be available, locking out certain bad source IPs, prevention of DoS attacks, the opportunity to "adjust the sensitivity" of DoS attack prevention, etc, etc.

I think I do best to just let this "ad hoc project" rest for a while, until I'm back home for a week or two, so I can do some testing.

Still I think I got some ideas around how an "easily adjustable" firewall setup could be.

Thanks for your info ..
......

Offline gordonr

Some firewalling capability for a server-only installation ?
« Reply #12 on: August 15, 2006, 09:09:17 AM »
Quote from: "arne"
Found something rather interesting that can / will be used for further reference:

http://mirror.contribs.org/smeserver/contribs/gordonr/devguide/html/devguide.html


Yes, I wrote it. Which is why I have tried a number of times to suggest how you could work with us rather than continuing on tangents. I also gave detailed reasons in the previous thread why developing firewalling scripts in the forums is a bad idea.

As JonB has mentioned, there is a firewall in SME7 server-only mode (on fresh installs, but not enabled on upgrades to avoid surprises for existing users). If it needs improvement, please raise a New Feature Request in the bug tracker.
............


Offline arne

Some firewalling capability for a server-only installation ?
« Reply #14 on: August 18, 2006, 11:20:46 PM »
......