Re: IPtables bash script
Hi,
I personally do not block outbound traffic at all, which in my opinion
does not impose a significant risk.
Furthermore, I do not see a good reason to allow all NEW connections
while blocking most RELATED ones. Usually it is done the other way
round: You decide upon a NEW connection whether it shall be allowed and
then you allow all RELATED traffic to pass as well.
In general I can only recommend the guides I (mainly) used:
https://www.linode.com/docs/security/securing-your-server/
https://wiki.archlinux.org/index.php/Simple_stateful_firewall
http://serverfault.com/questions/84963/why-not-block-icmp
By the way, is this a non-server machine? If so, why do you care about
the ports 80 and 443?
On 2016-05-23 01:30, Ralph Sanchez wrote:
> Hello All, I have taken up to writing this bash script to change my
> iptables rules. It seems the only issue I've found is that it seems to
> not want to connect to certain websites at some moments and not
> others, or generally but sometimes it let's it through without
> changing anything. This completely stops if I add RELATED to my OUTPUT
> ACCEPT next to NEW, just not sure how that impacts security exactly.
>
> Also, any advice on making this script better, or stronger per
> secuirty, would be appreciated as this is both my first time scripting
> in bash from scratch and my first IPTABLES venture.
>
> Oh, and don't mind the echo lines, those are solely for my
> entertainment upon running.
>
> #!/bin/sh
>
> IPT=/sbin/iptables
> IP6=/sbin/ip6tables
> echo "[+] ENTRY PLUG EJECTED,
> READY FOR PILOT ENTRY"
> read OK
>
> echo " $OK ENTRY PLUG
> INSERTION COMPLETE"
>
> echo "[+] Flooding the cockpit with LCL. Don't try and hold your
> breath, just breath normal. It's weird at first, but you'll get used
> to it "
>
> $IPT -F
>
> $IPT -F -t nat
>
> $IPT -X
>
> echo "[+] Synch ratio 99%, within permissable parameters..."
>
> $IP6 -P INPUT DROP
>
> $IP6 -P FORWARD DROP
>
> $IP6 -P OUTPUT DROP
>
> $IPT -P INPUT DROP
>
> $IPT -P FORWARD DROP
>
> $IPT -P OUTPUT DROP
> ## INPUT Rules ###
>
> echo "[+] AT Field is active, moving EVA UNIT 1 to elevator 24..."
>
> $IPT -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix
> "INVALID_DROPS" --log-ip-options --log-tcp-options
>
> $IPT -A INPUT -m conntrack --ctstate NEW -j LOG --log-prefix
> "NEW_DROPS" --log-ip-options --log-tcp-options
>
> $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
>
> $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
>
> $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>
> $IPT -A INPUT --in-interface lo -j ACCEPT
>
> $IPT -A INPUT -p tcp --dport 443 -j ACCEPT
>
> $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
>
> ## FORWARD Rules ##
>
> #$IPT -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix
> "INVALID_FORWARD" --log-ip-options --log-tcp-options
>
> #$IPT -A FORWARD -i lo -j ACCEPT
>
> #$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
>
> #$IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> ## OUTPUT Rules ##
>
> echo "[+] It's up to you now, Shinji..."
>
> $IPT -A OUTPUT --out-interface lo -j ACCEPT # Allows ALL Loopback traffic
>
> $IPT -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT # Only allow NEW
> connection outbound.
>
> $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner
> --uid-owner privoxy -j ACCEPT # Allows Privoxy via HTTP and HTTPS
>
> $IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT # ACCEPT outbound https
>
> $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT # ACCEPT outbound http (DO
> NOT LEAVE ACTIVE!)
>
> $IPT -A OUTPUT -m owner --uid-owner root -j ACCEPT # Allows ALL root requests
>
Reply to: