A Simple Firewall for Linux Server

Sun 29 July 2007

The firewall below will let in SSH, HTTP and FTP. To avoid SSH brute force dictionary attacks it uses the iptables recent match module for connection rate limiting. It is intended for a Host with a single interface connected to the net, eg. a webserver.

Hint before enabling it add this to your /etc/crontab:

*/5 *   * * *   root /etc/init.d/simplefirewall stop >> /var/log/firewall.stop

And check /var/log/firewall.stop to make sure it runs. This will open your firewall again after 5 minutes to avoid locking yourself out. When everything works as expected comment it out.

#!/bin/bash

# Very simple firewall for a single interface

IF="eth0"   #Interface
HIPORT="1024:65535" #Highports (dont change)

IPTABLES=`which iptables` || IPTABLES="/usr/sbin/iptables"

case $1 in
  close)
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -F INPUT
  $IPTABLES -F OUTPUT
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
  $IPTABLES -A INPUT -i lo -j ACCEPT
  echo "Firewall closed, all connections blocked"
  exit 0
  ;;

  stop)
  $IPTABLES -F 
  $IPTABLES -X 
  $IPTABLES -F INPUT
  $IPTABLES -F OUTPUT
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  echo "Firewall closed, all connections allowed"
  exit 0
  ;;

  start)
  # First of all, flush all rules
  $IPTABLES -F
  $IPTABLES -F -t nat
  $IPTABLES -X 
  $IPTABLES -F INPUT
  $IPTABLES -F OUTPUT
  $IPTABLES -F FORWARD

  # set default policy and create additional chains
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT DROP
  $IPTABLES -P FORWARD DROP
  $IPTABLES -N dropchain
  $IPTABLES -N ssh
  $IPTABLES -N blacklist

  # enable additional kernel security
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  echo "1" > /proc/sys/net/ipv4/conf/$IF/rp_filter
  echo "0" > /proc/sys/net/ipv4/conf/$IF/accept_redirects
  echo "0" > /proc/sys/net/ipv4/conf/$IF/accept_source_route
  echo "0" > /proc/sys/net/ipv4/conf/$IF/bootp_relay
  echo "1" > /proc/sys/net/ipv4/conf/$IF/log_martians

  # tune tcp params see for info:
  # http://www.ussg.iu.edu/hypermail/linux/kernel/0202.1/0436.html
  echo "30"  > /proc/sys/net/ipv4/tcp_keepalive_intvl
  echo "5"   > /proc/sys/net/ipv4/tcp_keepalive_probes
  echo "900" > /proc/sys/net/ipv4/tcp_keepalive_time

  # local processes:
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -j ACCEPT

  # icmp stuff:
  $IPTABLES -A INPUT -i $IF -p icmp --icmp-type echo-request -j ACCEPT
  $IPTABLES -A INPUT -i $IF -p icmp --icmp-type echo-reply -j ACCEPT
  $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type echo-request -j ACCEPT
  $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type echo-reply -j ACCEPT
  $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type source-quench -j ACCEPT
  $IPTABLES -A INPUT -i $IF -p icmp --icmp-type time-exceeded -j ACCEPT
  $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type time-exceeded -j ACCEPT
  $IPTABLES -A INPUT -i $IF -p icmp --icmp-type parameter-problem -j ACCEPT
  $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type parameter-problem -j ACCEPT
  $IPTABLES -A INPUT -i $IF -p icmp --icmp-type fragmentation-needed -j ACCEPT
  $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type fragmentation-needed -j ACCEPT

  # let answers out:
  $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -o $IF -p tcp -j ACCEPT
  $IPTABLES -A OUTPUT -m state --state ESTABLISHED -o $IF -p udp -j ACCEPT

  # let all answers in:
  $IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -i $IF -p tcp -j ACCEPT
  $IPTABLES -A INPUT  -m state --state ESTABLISHED -i $IF -p udp -j ACCEPT

  # ssh rate limit support - iptables recent module needed!
  # see http://www.e18.physik.tu-muenchen.de/~tnagel/ipt_recent/

  # prepare blacklist
  $IPTABLES -A blacklist -m recent --name blacklist --set
  $IPTABLES -A blacklist -j LOG --log-level info --log-prefix "FW log BLACKLIST: "
  $IPTABLES -A blacklist -j DROP

  # drop everyone currently on the blacklist
  $IPTABLES -A ssh -m recent --update --name blacklist --seconds 600 --hitcount 1 -j DROP

  # count incomers
  $IPTABLES -A ssh -m recent --set    --name counting1
  $IPTABLES -A ssh -m recent --set    --name counting2
  $IPTABLES -A ssh -m recent --set    --name counting3
  $IPTABLES -A ssh -m recent --set    --name counting4

  # add to blacklist on rate exceed
  $IPTABLES -A ssh -m recent --update --name counting1 --seconds    20 --hitcount   5 -j blacklist
  $IPTABLES -A ssh -m recent --update --name counting2 --seconds   200 --hitcount  15 -j blacklist
  $IPTABLES -A ssh -m recent --update --name counting3 --seconds  2000 --hitcount  80 -j blacklist
  $IPTABLES -A ssh -m recent --update --name counting4 --seconds 20000 --hitcount 400 -j blacklist

  # accept at the end of SSH chain
  $IPTABLES -A ssh -j ACCEPT

  # put all SSH traffic in the ssh chain
  $IPTABLES -A INPUT -m state --state NEW -i $IF -p tcp --sport $HIPORT --dport ssh -j ssh

  ########### start of custom rules ############

  # let HTTP in
  $IPTABLES -A INPUT -m state --state NEW -i $IF -p tcp --sport $HIPORT --dport http -j ACCEPT

  # let FTP in (needs loaded ip_conntrack_ftp module)
  $IPTABLES -A INPUT -m state --state NEW -i $IF -p tcp --sport $HIPORT --dport ftp -j ACCEPT

  ########### end of custom rules ############

  # drop & log everything else
  $IPTABLES -A INPUT  -j dropchain
  $IPTABLES -A OUTPUT -j dropchain

  # dropchain: every packet will be dropped, and, if defined logged...
  $IPTABLES -A dropchain -p icmp -j DROP      #dont log outgoing icmp
  $IPTABLES -A dropchain -p tcp -m state --state INVALID -j LOG --log-level info --log-prefix "FW log INVALID: "
  $IPTABLES -A dropchain -j LOG --log-level info --log-prefix "FW log: "      #log everything
  $IPTABLES -A dropchain -j DROP

  #done
  echo "Firewall up and running..."
  exit 0
  ;;

  *)
  echo "usage: start | stop | close"
  exit 1
  ;;
esac

exit 1;