12-03-2011, 05:33 AM
Okay, I am trying to make an iptable for the network I am working with at my job. I am right now just following a guide in a book called Linux Server Security 2nd Edition. Unfortunately, the iptable it provides messes with my computer. Essentially, when I try to run it, I am unable to interact with anything (I can still move my mouse though, so it isn't a complete lock-up). Here is the code for the table:
Code:
#!/bin/sh
# Init-style wrapper around the book's packet filter: start|stop|wide_open|status
case "$1" in
  start)
    echo -n "Loading Woofgang's Packet Filters"
    # SETUP -- stuff necessary for any host
    # Load kernel modules first (ip_conntrack_ftp is called nf_conntrack_ftp on newer kernels)
    modprobe ip_tables
    modprobe ip_conntrack_ftp
    # Flush old rules, old custom tables
    iptables --flush
    iptables --delete-chain
    # Set default-deny policies for all three default chains
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # Give free rein to loopback interfaces
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Do some rudimentary anti-IP-spoofing drops: log each bogus source range, then drop it
    iptables -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
    iptables -A INPUT -s 255.0.0.0/8 -j DROP
    iptables -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
    iptables -A INPUT -s 0.0.0.0/8 -j DROP
    iptables -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
    iptables -A INPUT -s 127.0.0.0/8 -j DROP
    iptables -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "Spoofed source IP!"
    iptables -A INPUT -s 192.168.0.0/16 -j DROP
    iptables -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed source IP!"
    # The DROP must use the same range as the LOG rule above (the post had 127.16.0.0/12, a typo)
    iptables -A INPUT -s 172.16.0.0/12 -j DROP
    iptables -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
    iptables -A INPUT -s 10.0.0.0/8 -j DROP
    # This host's own address should never arrive as a source from outside
    iptables -A INPUT -s 208.13.201.2 -j LOG --log-prefix "Spoofed source IP!"
    iptables -A INPUT -s 208.13.201.2 -j DROP
    # Tell netfilter that all TCP sessions do indeed begin with SYN
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan attempt?"
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # Finally, the meat of our packet-filter policy:
    # INBOUND POLICY
    # Accept inbound packets that are part of previously-OK'ed sessions
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Accept inbound packets which initiate SSH sessions
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Accept inbound packets which initiate FTP sessions
    iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Accept inbound packets which initiate HTTP sessions
    iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Log anything not accepted above
    iptables -A INPUT -j LOG --log-prefix "Dropped by default (INPUT):"
    ############################################################################
    iptables -A INPUT -p tcp --syn -j DROP
    iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
    iptables -A INPUT -p tcp --syn -j DROP
    #############################################################################
    # OUTBOUND POLICY
    # If it's part of an approved connection, let it output
    iptables -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Allow outbound ping (comment-out when not needed!)
    iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Allow outbound DNS queries, e.g. to resolve IPs in logs
    iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    # Log anything not accepted above - if nothing else, for t-shooting
    iptables -A OUTPUT -j LOG --log-prefix "Dropped by default (OUTPUT):"
    ;;
  wide_open)
    echo -n "DANGER!! Unloading Woofgang's Packet Filters!!"
    # Unload filters and reset default policies to ACCEPT.
    # FOR EMERGENCY USE ONLY -- else use 'stop'!!
    iptables --flush
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    ;;
  stop)
    echo -n "Portcullis rope CUT..."
    # Unload all fw rules, leaving default-drop policies
    iptables --flush
    ;;
  status)
    echo "Querying iptables status (via iptables --list)..."
    iptables --line-numbers -v --list
    ;;
  *)
    echo "Usage: $0 {start|stop|wide_open|status}"
    exit 1
    ;;
esac
The following:
iptables -A INPUT -p tcp --syn -j DROP
iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
was not in the book (I found that on some other online tutorial that really didn't help). I know that everything executes fine until the part where it tells netfilter that all TCP sessions begin with SYN. Anyway, can someone tell me what a potential solution might be? Any help is greatly appreciated.
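As an added example (not part of the post or of the book it follows), a small Python simulator that applies iptables first-match semantics to the INPUT chain from the script above, so the effect of rule order can be checked on constructed packets before a ruleset is loaded on a live host. Packets are plain dicts, the conntrack state is supplied as a field rather than tracked, and the source addresses are constructed test values (203.0.113.5 is documentation space; 208.13.201.2 is the host address from the script).

```python
import ipaddress

# Added example (not from the post or the book): a first-match simulator of the
# INPUT chain in the script above, so the effect of rule order can be checked
# on constructed packets without touching a live firewall.

SPOOF_NETS = [ipaddress.ip_network(n) for n in (
    "255.0.0.0/8", "0.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16",
    "172.16.0.0/12", "10.0.0.0/8", "208.13.201.2/32")]
def tcp(p, **want):
    """TCP packet whose listed fields (dport, syn, state) equal the wanted values."""
    return p["proto"] == "tcp" and all(p.get(k) == v for k, v in want.items())
# (description, match predicate, target), in the order the script appends them.
# LOG is a non-terminating target: it is recorded and evaluation continues.
INPUT_CHAIN = [("-i lo", lambda p: p["iface"] == "lo", "ACCEPT")] + [
    (f"-s {net} (anti-spoof)", lambda p, n=net: ipaddress.ip_address(p["src"]) in n, tgt)
    for net in SPOOF_NETS for tgt in ("LOG", "DROP")] + [
    ("! --syn --state NEW", lambda p: tcp(p, syn=False, state="NEW"), "LOG"),
    ("! --syn --state NEW", lambda p: tcp(p, syn=False, state="NEW"), "DROP"),
    ("--state RELATED,ESTABLISHED", lambda p: p["state"] in ("RELATED", "ESTABLISHED"), "ACCEPT"),
    ("--dport 22 --state NEW", lambda p: tcp(p, dport=22, state="NEW"), "ACCEPT"),
    ("--dport 21 --state NEW", lambda p: tcp(p, dport=21, state="NEW"), "ACCEPT"),
    ("--dport 80 --state NEW", lambda p: tcp(p, dport=80, state="NEW"), "ACCEPT"),
    ("catch-all", lambda p: True, "LOG"),
    ("--syn (added)", lambda p: tcp(p, syn=True), "DROP"),  # the three rules the poster
    ("--syn --dport 22 (added)", lambda p: tcp(p, syn=True, dport=22), "ACCEPT"),  # appended
    ("--syn (added)", lambda p: tcp(p, syn=True), "DROP"),
]
POLICY = "DROP"  # iptables -P INPUT DROP

def packet(src, dport=None, syn=True, state="NEW", iface="eth0", proto="tcp"):
    """Constructed packet carrying only the fields the chain above inspects."""
    return dict(src=src, dport=dport, syn=syn, state=state, iface=iface, proto=proto)

def evaluate(p, chain=INPUT_CHAIN):
    """Walk the chain top-down; return (verdict, deciding rule, LOG rules hit on the way)."""
    logged = []
    for desc, match, target in chain:
        if match(p):
            if target != "LOG":
                return target, desc, logged
            logged.append(desc)
    return POLICY, "chain policy", logged

if __name__ == "__main__":
    for label, p in [("SSH SYN from the Internet", packet("203.0.113.5", 22)),
                     ("SSH SYN from a 10/8 LAN host", packet("10.1.2.3", 22)),
                     ("ACK probe with no conntrack entry", packet("203.0.113.5", 22, syn=False)),
                     ("HTTPS SYN, no ACCEPT rule", packet("203.0.113.5", 443))]:
        print(f"{label}: {evaluate(p)}")
```

Running it shows, for instance, that a packet from a 10/8 LAN host is logged and dropped by the anti-spoof rules before any ACCEPT rule is reached, and that the first appended `--syn -j DROP` decides every remaining SYN, so the ACCEPT appended after it can never match.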