[ale] Lets design a firewall "baseline"....

Jonathan Rickman jonathan at xcorps.net
Wed Oct 3 11:43:51 EDT 2001 

On Tue, 2 Oct 2001, Robert L. Harris wrote:

> Would anyone be interested in creating a "generic" template of sorts?
> This way when someone sends "hey, I need a firewall" we can point them
> at the achives, or even forward them a current "master" copy?
>
> Just throwing out a thought.  I could put mine up as a starter, or we
> could use someone elses.  I'd be happy to host a "site" of sorts
> with revisions and all.  My html works but isn't very pretty generally.

Here's one of the scripts I use on workstations. Note Class B reserved
address space commented out...adjust to suit taste. Replace eth0 with your
interface name. Remove all opened ports for a workstation with no
services.

================================================
================================================
#!/bin/sh

# flush tables
/usr/sbin/iptables -F

# set default policies
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -P FORWARD DROP

# create DUMP table
/usr/sbin/iptables -N DUMP > /dev/null
/usr/sbin/iptables -F DUMP
/usr/sbin/iptables -A DUMP -j LOG --log-tcp-options --log-ip-options
/usr/sbin/iptables -A DUMP -j DROP

# create Stateful table
/usr/sbin/iptables -N STATEFUL > /dev/null
/usr/sbin/iptables -F STATEFUL
/usr/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A STATEFUL -m state --state NEW -i ! eth0 -j ACCEPT
/usr/sbin/iptables -A STATEFUL -j DUMP

# loopback rules
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# drop reserved addresses incoming
/usr/sbin/iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DUMP
/usr/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DUMP
#/usr/sbin/iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DUMP
/usr/sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DUMP

# allow ICMP
/usr/sbin/iptables -A INPUT -i eth0 -p icmp -j ACCEPT

#allow DNS
/usr/sbin/iptables -A INPUT -p udp -i eth0 -s 166.102.165.11 --sport 53 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp -i eth0 -s 166.102.165.13 --sport 53 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp -i eth0 -s 205.152.0.5 --sport 53 -j ACCEPT

# opened ports

# ssh on non-standard port
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 8380 -j ACCEPT
# www server on standard port
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT

# Sneaky portscan catchers--Lets snort see traffic (fake services)
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 79 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 81 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 110 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 111 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 143 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp -i eth0 --dport 161 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 23 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 109 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp -i eth0 --dport 137 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 139 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 445 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 6667 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 8080 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 17 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 19 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 5000:8379 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 8381:10000 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 10000:60000 -j ACCEPT

#Broadcast Filters
/usr/sbin/iptables -A INPUT -i eth0 -d 216.76.72.95 -j DROP
/usr/sbin/iptables -A INPUT -i eth0 -d 255.255.255.255 -j DROP

# push everything else to state table
/usr/sbin/iptables -A INPUT -j STATEFUL
=====================================================
=====================================================

I'm willing to host any templates the group comes up with at my site.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net

More information about the Ale mailing list