Hello. I installed RH 7.2 and iptables. I have never used iptables before, and I wrote my script for one machine only. When I execute "iptables -L" it is terribly slow — maybe one line per minute to list all the rules — on a PII 350 with 320 MB RAM (more than 180 MB free), with only me as a terminal user and no X loaded!!
I would like to know whether this is usual; ipchains listed rules very quickly!! I have all packages updated as of yesterday. Josep PS: this is the script. I plan to add NAT in a few days, so it is normal if you see forwarding rules enabled.
#!/bin/sh
#
# Falta SSL POP3S
#
#
# Load the ip_tables module
echo Loading ip_tables module.
#/sbin/modprobe ip_tables || exit 1
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ipt_owner
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
# I let the kernel dynamically load the other modules
IPTABLES="/sbin/iptables"
#Time to clean house
#Clear out any existing firewall rules, and any chains that might have
#been created
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
#Setup our policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
#$IPTABLES -P FORWARD ACCEPT
#This enables ip forwarding, and thus by extension, NAT
#Turn this on if you're going to be doing NAT or Masquerading
#echo 1 > /proc/sys/net/ipv4/ip_forward
#We use the limit commands to cap the rate at which it alerts to 15
#log messages per minute
$IPTABLES -N firewall
$IPTABLES -A firewall -m limit --limit 15/minute -j LOG --log-prefix FIREWALL-BLOCK:
$IPTABLES -A firewall -j DROP
#Now, our dropwall chain, for the final catchall filter
$IPTABLES -N dropwall
$IPTABLES -A dropwall -m limit --limit 15/minute -j LOG --log-prefix FIREWALL-DROP:
$IPTABLES -A dropwall -j DROP
#Our "hey, them's some bad tcp flags!"
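# badflags: log (rate-limited) and drop packets with impossible TCP flag combinations
$IPTABLES -N badflags
$IPTABLES -A badflags -m limit --limit 15/minute -j LOG --log-prefix FIREWALL-BADFLAGS:
$IPTABLES -A badflags -j DROP
#And our silent logging chain
$IPTABLES -N silent
$IPTABLES -A silent -j DROP
# Create a table for watching some accepting rules
$IPTABLES --new watch 2>/dev/null
$IPTABLES -A watch -m limit --limit 1/second -j LOG --log-level warn --log-prefix FIREWALL-ICMP-WATCH:
$IPTABLES -A watch -j ACCEPT
#Accept ourselves (loopback interface), 'cause we're all warm and friendly
$IPTABLES -A INPUT -i lo -j ACCEPT
# Original author's note, kept as a comment so the shell does not try to
# execute the asterisks as a command:
# ************ this example sucks. need to add rules to flush and clear chains first
#
# These rules block a number of reserved networks.
# For example 10.* is used for non routable internal networks
# For example 224.* and up is used for multi-cast
# We use drop since these networks are not active and the response
# will go nowhere
#
# NOTE(review): this list reflects address-space allocation as it was when the
# script was written. A static "reserved network" list goes stale as registries
# allocate new blocks, and then silently drops legitimate traffic; check every
# range against current allocations before keeping it.
reserved_nets="
  0.0.0.0/255.0.0.0
  1.0.0.0/255.0.0.0
  2.0.0.0/255.0.0.0
  5.0.0.0/255.0.0.0
  7.0.0.0/255.0.0.0
  10.0.0.0/255.0.0.0
  23.0.0.0/255.0.0.0
  27.0.0.0/255.0.0.0
  31.0.0.0/255.0.0.0
  36.0.0.0/254.0.0.0
  39.0.0.0/255.0.0.0
  41.0.0.0/255.0.0.0
  42.0.0.0/255.0.0.0
  58.0.0.0/254.0.0.0
  60.0.0.0/255.0.0.0
  68.0.0.0/252.0.0.0
  72.0.0.0/248.0.0.0
  82.0.0.0/254.0.0.0
  84.0.0.0/252.0.0.0
  88.0.0.0/248.0.0.0
  96.0.0.0/224.0.0.0
  197.0.0.0/255.0.0.0
  219.0.0.0/255.0.0.0
  220.0.0.0/252.0.0.0
  224.0.0.0/224.0.0.0
"
for net in $reserved_nets; do
  $IPTABLES -A INPUT -s "$net" -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
done
#
## Special chain KEEP_STATE to handle incoming, outgoing, and
## established connections.
$IPTABLES -N KEEP_STATE
$IPTABLES -F KEEP_STATE
## DROP packets associated with an "INVALID" connection.
$IPTABLES -A KEEP_STATE -m state --state INVALID -j DROP
#
# ## UNCLEAN match target, somewhat experimental at this point.
# $IPTABLES -A KEEP_STATE -m unclean -j DROP
#
# ACCEPT packets which are related to an established connection.
$IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
#
#Closed Ports. We don't want people from outside in our machine:)
#
#Samba use this ports.
$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 137:139 -j DROP
$IPTABLES -A INPUT -i eth0 -d 0/0 -p udp --dport 137:139 -j DROP
#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. All of these are illegal combinations that are used to attack a box
#in various ways, so we just drop them and log them here.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
# FIX: the KEEP_STATE chain above was built but never referenced from INPUT, so
# replies to connections this host opens (including the reverse-DNS lookups
# `iptables -L` performs for every address; `iptables -n -L` skips them) fell
# through to the port-range REJECT or the final dropwall below. The jump sits
# after the flag checks so malformed packets are still caught before the
# state match accepts them.
$IPTABLES -A INPUT -j KEEP_STATE
#echo Enforcing up ICMP policies, use iptables -L ICMP to check.
# If you deny all ICMP messages you head for trouble since it would
# break lots of tcp/ip algorithms (acz)
$IPTABLES --new ICMP 2>/dev/null
# This rule, supposedly, would log Ping of Death (fragmented ICMP).
# FIX: it has to come before the jump to the ICMP chain; every rule in that
# chain terminates (ACCEPT, watch or firewall), so a LOG rule placed after the
# jump was never reached.
# NOTE(review): with ip_conntrack loaded the kernel may reassemble fragments
# before the filter table sees them, in which case `-f` never matches — verify
# on this kernel.
$IPTABLES -A INPUT -p icmp -f -j LOG --log-prefix "PINGOFD: "
$IPTABLES -A INPUT --proto icmp -j ICMP
#ICMP Type 0 - Echo Reply
$IPTABLES -A ICMP -p icmp --icmp-type 0 -j ACCEPT
#ICMP Type 3 - Destination Unreachable
$IPTABLES -A ICMP -p icmp --icmp-type 3 -j watch
#ICMP Type 8 - Echo Request
$IPTABLES -A ICMP -p icmp --icmp-type 8 -j watch
#ICMP Type 11 - Time Exceeded
$IPTABLES -A ICMP -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A ICMP -p icmp -j firewall
#Accept FTP connections from everywhere.
#Uncomment this if you're running FTP Server and want to be able to
#access it from the outside world.
# $IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 21 -j ACCEPT
#Accept SSH connections from everywhere.
#Uncomment this if you're running SSH Server and want to be able to
#access it from the outside world.
# $IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j ACCEPT
#Accept Telnet connections from everywhere.
#Uncomment this if you're running TelnetServer and want to be able to
#access it from the outside world.
# $IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 23 -j ACCEPT
#Accept SMTP connections from everywhere.
#Uncomment this if you're running SMTP Email Server and want to be able
#to access it from the outside world.
# $IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 25 -j ACCEPT
#Accept POP3 connections from everywhere.
#Uncomment this if you're running POP3 Email Server and want to be able
#to access it from the outside world.
# $IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 110 -j ACCEPT
#Accept DNS connections from everywhere.
#Uncomment this if you're running DNS and want to be able to access it
#from the outside world.
# $IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 53 -j ACCEPT
# $IPTABLES -A INPUT -i eth0 -d 0/0 -p udp --dport 53 -j ACCEPT
#Accept Web connections from everywhere.
#Uncomment this if you're running Web Server and want to be able
#to access it from the outside world.
# $IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 80 -j ACCEPT
## AUTH server
# Reject ident probes with a tcp reset. I need to do this for a broken mailhost
# that won't accept my mail if I just drop its ident probe.
#$IPTABLES -A INPUT -i eth0 -p tcp --dport 113 -j REJECT --reject-with tcp-reset
#Uncomment to drop port 137 netbios packets silently. We don't like
#that netbios stuff, and it's way too spammy with windows machines on
#the network.
#
#$IPTABLES -A INPUT -i eth0 -p udp --sport 137 --dport 137 -j silent
# Now we block all incoming traffic to ports between 1 and 59999. For your system
# to behave it is suggested you modify ip_local_port_range in /proc
#
# NOTE(review): these two rules answer with a rejection while everything else
# on INPUT is silently dropped by dropwall; the difference is observable from
# outside, so keep it only if that is the intended behaviour.
$IPTABLES -A INPUT -s 0/0 -d 0/0 -i eth0 -p tcp -m tcp --dport 1:59999 -j REJECT
$IPTABLES -A INPUT -s 0/0 -d 0/0 -i eth0 -p udp -m udp --dport 1:59999 -j REJECT
#
#Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
$IPTABLES -A INPUT -j dropwall
# Disable IP spoofing attacks.
#
# This drops traffic addressed for one network though it is being received on a
# different interface.
#
echo " - Disabling IP Spoofing attacks."
for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo "2" > "$file"
done
# Comment the following out if you are not using a dynamic address
#
echo " - Enabling dynamic TCP/IP address hacking."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable TCP SYN Cookie protection:
#
echo " - Enable TCP SYN Cookie protection"
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Ensure that various ICMP sanity settings are there
#
echo " - Enable ICMP sanity settings"
# Ignore ICMP echo requests sent to broadcast addresses
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Disable ICMP Re-directs
for file in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo "0" > "$file"
done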