NSLU2-Linux
view · edit · print · history

OpenSlug.IptablesConnTrack History

Hide minor edits - Show changes to markup

May 10, 2008, at 04:36 AM by jchau -- formatting change back
Changed lines 16-17 from:

kernel-module-nf-conntrack-ipv4 for IPV4?

to:

kernel-module-nf-conntrack-ipv4 (for IPV4?)

May 10, 2008, at 04:35 AM by jchau -- formatting change
Changed lines 16-17 from:

kernel-module-nf-conntrack-ipv4 (for IPV4?)

to:

kernel-module-nf-conntrack-ipv4 for IPV4?

May 10, 2008, at 04:33 AM by jchau -- Bringing the required packages up-to-date
Added lines 11-17:

As of SlugOS/BE 4.8, the following packages (and dependencies) are needed to use conntrack (additional packages may be necessary to use the script below):
iptables
kernel-module-ip-tables
kernel-module-iptable-filter
kernel-module-xt-state
kernel-module-nf-conntrack-ipv4 (for IPV4?)

October 21, 2006, at 12:13 PM by norm --
Changed line 8 from:

kernel-module-ipt-log

to:

kernel-module-ipt-log \\

October 21, 2006, at 12:13 PM by norm --
Changed lines 9-10 from:
to:

kernel-module-xt-tcpudp

October 21, 2006, at 12:12 PM by norm --
Changed line 7 from:

kernel-module-ipt-state - Module not found on IPKG system?? \\

to:

kernel-module-ipt-state - kernel-module-xt-state \\

October 20, 2006, at 02:12 AM by norm --
Changed line 7 from:

kernel-module-ipt-state underlineModule not found on IPKG system??

to:

kernel-module-ipt-state - Module not found on IPKG system?? \\

October 20, 2006, at 02:11 AM by norm --
Changed line 7 from:

kernel-module-ipt-state \\

to:

kernel-module-ipt-state underlineModule not found on IPKG system??

August 17, 2005, at 03:55 PM by blaster8 -- more tweaks
Changed lines 13-15 from:

ipkg install should grab all of these packages from the OpenSlug feed.

1) Edit the firewall rules to suit your configuration\\

to:

ipkg install should grab all of the above packages from the OpenSlug feed.

1) Edit the firewall rules to suit your configuration, and make the script executable (chmod 755)\\

August 17, 2005, at 09:20 AM by blaster8 -- Removed pointless comment
Deleted lines 21-22:

This commands in the file below which require Connection Tracking are commented with # ConnTrack.

August 17, 2005, at 09:05 AM by blaster8 -- Added page with info about Connection Tracking (Stateless) Firewall
Added lines 1-378:

Requirements
Openslug 2.6 (currently HEAD) or later, with kernel 2.6.12-r12 or later.
iptables
kernel-module-ip-tables
kernel-module-iptable-filter
kernel-module-ip-conntrack
kernel-module-ipt-state
kernel-module-ipt-log

Installation
Like the basic firewall script provided on the previous page, this script is dual purpose - it can be used to test the firewall, and it also can be used as a permanent init script if you are satisfied with it, and are sure that it will not lock you out of SSH access. Again, I should point out that having the firewall being configured by a purpose-built init script, as below, without using iptables-utils, is the recommended method.

ipkg install should grab all of these packages from the OpenSlug feed.

1) Edit the firewall rules to suit your configuration
2) Copy it to /etc/firewall
3) Run with /etc/firewall start to test
4) Test SSH by exiting the shell and reconnecting. If this fails, reboot Openslug to clear the rules and reconfigure.
5) If you are sure you want to make the rules permanent, run ln -s /etc/firewall /etc/init.d/firewall ; update-rc.d firewall defaults 05
6) If you want to edit the firewall rules at a later date, make sure that you update-rc.d -f firewall remove before changing /etc/firewall. Then test the firewall again as above, and if satisfied, re-run update-rc.d firewall defaults 05 to run the firewall by default on startup.

This commands in the file below which require Connection Tracking are commented with # ConnTrack.

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 
#!/bin/sh
###############################################################################
# 
# STATELESS iptables firewall for Openslug
# Requirements
# Openslug 2.6 or later, kernel 2.6.12-r11 or later. 
# iptables kernel-module-ip-tables kernel-module-iptable-filter
# kernel-module-ip-conntrack kernel-module-ipt-state kernel-module-ipt-log
#
###############################################################################
# 
# Local Settings
#

# iptables Location - adjust if needed
IPT="/usr/sbin/iptables"

# Internet Interface
INET_IFACE="ixp0"

# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"


flush_existing() {
# Flush Any Existing Rules or Chains
echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Flush all rules
$IPT -F

# Erase all non-default chains
$IPT -X
}


create_chains() {
echo "Create custom rule chains ..."

# Create a chain to filter INVALID packets

$IPT -N bad_packets

# Create another chain to filter bad tcp packets

$IPT -N bad_tcp_packets

# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.

$IPT -N icmp_packets

# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound

# Used to block outbound UDP services from internal network
# Default to allow all
$IPT -N udp_outbound

# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound

# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound
}

populate_chains() {
echo "Populate custom rule chains ..."

# bad_packets chain

# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP  # ConnTrack

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets chain
#
# All tcp packets will traverse this chain.
# Every new connection attempt should begin with
# a syn packet.  If it doesn't, it is likely a
# port scan.  This drops packets in state
# NEW that are not flagged as syn packets.

$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn: "  #ConnTrack
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP  #ConnTrack

# Stealth scans
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets chain
#
# This chain is for inbound (from the Internet) icmp packets only.
# Type 8 (echo Request) is accepted by default
# Enable it if you want remote hosts to be able to reach you.
# 11 (Time Exceeded) is the only one accepted
# that would not already be covered by the established
# connection rule.  Applied to INPUT on the external interface.
# 
# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
# for more info on ICMP types.
#
# Note that the stateful settings allow replies to ICMP packets.
# These rules allow new packets of the specified types.

# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented.  Fragmented ICMP packets are a typical sign
# of a denial of service attack.
$IPT -A icmp_packets --fragment -p ICMP -j LOG --log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP

# Uncomment the LOG command if you want to log all PING attempts
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
#    --log-prefix "Ping detected: "

$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# comment out above and uncomment below to drop pings without logging.
#$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

# see ping reply packets
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT

# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN

# TCP & UDP
# Identify ports at:
#    http://www.chebucto.ns.ca/~rakerman/port-table.html
#    http://www.iana.org/assignments/port-numbers

#
# ADD UDP-based services here
#

# udp_inbound chain
# ports you want to accept udp packets on

# netbios/samba
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j ACCEPT

# Network Time Protocol (NTP) Server
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 123 -j ACCEPT

# External DHCP Server
# Allow DHCP client request packets inbound from external network
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 68 --destination-port 67 -j ACCEPT

# DNS in
#$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 53 -j ACCEPT

# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN

# udp_outbound chain
# ports you send udp packets to

# netbios/samba
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 138 -j ACCEPT

# Network Time Protocol (NTP) Server
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 123 -j ACCEPT

# DHCP out
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 68 -j ACCEPT

# DNS out
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT

# No match, so ACCEPT
# make this DROP if you want to block any other outbound udp traffic
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound chain
#
# This chain is used to allow inbound connections to the slug

# smb
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 139 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 445 -j ACCEPT

# HTTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT

# FTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port ftp -j ACCEPT
# Passive
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 33201:33210 -j ACCEPT

# Ctorrent incoming ports. Uncomment if you use ctorrent.
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 2706:2700 -j ACCEPT

# DNS
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 53 -j ACCEPT

# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# If you have 2 ssh daemons running, add the second here
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 999 -j ACCEPT

# telnet (not normally used in Openslug)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 23 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN

# tcp_outbound chain
#
# This chain controlls what tcp traffic is allowed out

# http
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# DNS
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 53 -j ACCEPT
# sshd
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

# No match, so ACCEPT
# Note, you could make this DROP to block any other outbound traffic
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
}


process_input_chain() {
echo "Process INPUT chain ..."

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# Inbound Internet Packet Rules

# Accept Established Connections
# Needs conntrack module
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
    -j ACCEPT  # ConnTrack

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Drop without logging broadcasts that get this far.
# Comment this line if testing new rules that impact
# broadcast protocols.
#$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
}


process_output_chain() {
echo "Process OUTPUT chain ..."

# Generally trust the firewall on output

# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# If you want to block outbound connections, uncomment first section below,
# comment out second section, and add rules to tcp_outbound/udp_outbound

# To internet - filtered
#$IPT -A OUTPUT -p TCP -o $INET_IFACE -j tcp_outbound
#$IPT -A OUTPUT -p UDP -o $INET_IFACE -j udp_outbound

# To internet - unfiltered
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
}

case "$1" in
  start)
    echo "Starting stateless iptables firewall"
        flush_existing
        create_chains
        populate_chains
        process_input_chain
        process_output_chain
        ;;
  stop)
    echo "Stopping stateless iptables firewall"
        flush_existing
    echo "Firewall rules flushed"
        ;;
  reload|force-reload)
    echo "Reloading stateless iptables firewall"
        flush_existing
        create_chains
        populate_chains
        process_input_chain
        process_output_chain
        ;;
  restart)
    echo "Restarting stateless iptables firewall"
        flush_existing
        create_chains
        populate_chains
        process_input_chain
        process_output_chain
        ;;
  *)
        echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}"
        exit 1
esac

exit 0


(:tableend:)

If you are running vsftpd and want to be able to accept passive connections, you will need to add this to /etc/vsftpd.conf. The corresponding ports are already opened in the default firewall script.

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 
# for our firewall, only use this range of ports
pasv_min_port=33201
pasv_max_port=33210

(:tableend:)

This script has been adapted from the EnableFirewall page.

An introduction to some advanced iptables configuration can be found in the Gentoo Security Handbook. Note that the example firewall script in the above link needs modification to run in Openslug, at least partially because the Gentoo init script system is not used by Openslug, and that you will need to install many more iptables kernel modules than above!

view · edit · print · history · Last edited by jchau.
Based on work by jchau, norm, and blaster8.
Originally by blaster8.
Page last modified on May 10, 2008, at 04:36 AM