Networks iptables firewall script for home router

Firstly, I'll admit that this firewall script is rather overly complex. (Though, I could make it even more complex if I added some ipt_recent rules, even ones not commented out below.)

I should also point out that this isn't quite complete yet. But mostly done.
Any questions, comments, etc are well appreciated. Most of the code is commented to show what the rules are doing, but feel free to ask if unsure.


Well, here goes the massive paste of code:

Code:

# Firewall ruleset for main home router.
# eth0 is the outside interface, connected to the cable modem
# eth1 is the internal interface, connected to computers, and NAS, xbox.
# eth2 is connected to a dd-wrt router for laptop wifi. This is assumed
# to be hacked. (room mate plugged in to actual router or wifi hacked.) This is located in a common area of the house.
# eth2 and eth0 accept connections from port 443 for SSH and SSH-VPN.
# eth1 and tun0 have specific rules allowing web, chat, game access to the web on eth0.
# note that tun0 is commented out and not expanded to save space.

###
### Flush ALL rules
###
iptables -F

#
# Drop all packets by default
# If a packet does not match one of the other rules below
# these ones, then it gets dropped.
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

###
### Flush all specific rules.
###
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
iptables -F MAC_FILTER

###
### Enable NAT Masquerading on eth0
###
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE


###
### MAC FILTERING.
###

# Allow broadcasts
iptables -A MAC_FILTER -d 255.255.255.255 -j RETURN

# Why are these two lines commented? (may need uncommenting)
#iptables -A MAC_FILTER -m pkttype --pkt-type ! unicast -j RETURN
#iptables -A MAC_FILTER -m addrtype --dst-type BROADCAST -j RETURN

# Allow internal broadcasts.
iptables -A MAC_FILTER -d 192.168.12.255 -j RETURN
iptables -A MAC_FILTER -d 192.168.123.255 -j RETURN

# Allow these mac addresses
# I need to add more mac addresses in here!
#iptables -A MAC_FILTER -s eth1 -m mac --mac-source 00:00:00:00:00:00 -j RETURN

# Drop all mac addresses not allowed above
iptables -A MAC_FILTER -j DROP

###
### END OF MAC FILTERING SECTION
###


###
### TOS MANGLING SECTION
###

# Mangles the TOS on standard ports so they get priority in routers
# NOTE: this needs stuff added, games, chat, etc.
###################################################################
# TOS table
# Options:
#               Normal-Service = 0 (0x00)
#               Minimize-Cost = 2 (0x02)
#               Maximize-Reliability = 4 (0x04)
#               Maximize-Throughput = 8 (0x08)
#               Minimize-Delay = 16 (0x10)
# ToS: Client Applications; data => tos_client
# Most of these are the RFC 1060/1349 suggested TOS values.
# To view mangle table, type: iptables -L -t mangle

# Mangle values of packets created locally.
iptables -t mangle -A OUTPUT -o eth0 -p tcp --sport 443 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 6667 -j TOS --set-tos Maximize-Reliability


# Rules to mangle TOS values of packets routed through the firewall
iptables -t mangle -A PREROUTING -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp --dport 53 -j TOS --set-tos Minimize-Delay
#iptables -t mangle -A PREROUTING -p tcp --dport 67 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput
#iptables -t mangle -A PREROUTING -p tcp --dport 113 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --dport 123 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput
#iptables -t mangle -A PREROUTING -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay
#iptables -t mangle -A PREROUTING -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp --dport 6667 -j TOS --set-tos Maximize-Reliability

###
### END OF TOS MANGLING SECTION
###


###
### Accept packets of ESTABLISHED connections
###
iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth2 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -m state --state ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED -j ACCEPT
#iptables -A FORWARD -i tun0 -o eth1 -m state --state ESTABLISHED -j ACCEPT
#iptables -A FORWARD -i eth1 -o tun0 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth2 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o tun0 -m state --state ESTABLISHED -j ACCEPT


###
### Accept packets of RELATED connections
###
iptables -A INPUT -i eth0 -m state --state RELATED -p tcp --dport 1024: -j ACCEPT
iptables -A INPUT -i eth1 -m state --state RELATED -p tcp --dport 1024: -j ACCEPT
iptables -A INPUT -i eth2 -m state --state RELATED -p tcp --dport 1024: -j ACCEPT
iptables -A INPUT -i tun0 -m state --state RELATED -p tcp --dport 1024: -j ACCEPT

iptables -A INPUT -i eth0 -m state --state RELATED -p udp --dport 1024: -j ACCEPT
iptables -A INPUT -i eth1 -m state --state RELATED -p udp --dport 1024: -j ACCEPT
iptables -A INPUT -i eth2 -m state --state RELATED -p udp --dport 1024: -j ACCEPT
iptables -A INPUT -i tun0 -m state --state RELATED -p udp --dport 1024: -j ACCEPT

iptables -A INPUT -i eth0 -m state --state RELATED -p icmp -j ACCEPT
iptables -A INPUT -i eth1 -m state --state RELATED -p icmp -j DROP
iptables -A INPUT -i eth2 -m state --state RELATED -p icmp -j DROP
iptables -A INPUT -i tun0 -m state --state RELATED -p icmp -j DROP

iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED -p tcp --dport 1024: -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED -p tcp --dport 1024: -j ACCEPT
#iptables -A FORWARD -i eth1 -o tun0 -m state --state RELATED -p tcp --dport 1024: -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED -p tcp --dport 1024: -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED -p tcp --dport 1024: -j ACCEPT
#iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED -p tcp --dport 1024: -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED -p udp --dport 1024: -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED -p udp --dport 1024: -j ACCEPT
#iptables -A FORWARD -i eth1 -o tun0 -m state --state RELATED -p udp --dport 1024: -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED -p udp --dport 1024: -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED -p udp --dport 1024: -j ACCEPT
#iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED -p udp --dport 1024: -j ACCEPT

###
### END PACKETS OF ESTABLISHED AND RELATED CONNECTIONS SECTION
###



###
### Drop any data packets from eth0 and eth2 that are spoofed internal ip addresses.
###
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i eth2 -s 192.168.12.0/24 -j DROP
iptables -A INPUT -i eth2 -s 127.0.0.0/8 -j DROP





###
### PORT FORWARDING RULES
###
# these rules forward an external port from the external ip of eth0 to an internal ip.

# forward port 443 from eth0 to inside port 443 (example)
#iptables -t nat -A PREROUTING -p tcp -i eth0 -d 0/0 --dport 443 -j DNAT --to 192.168.12.x:443
#iptables -A FORWARD -p tcp -i eth0 -d 192.168.12.x --dport 443 -j ACCEPT

###
### END PORT FORWARDING RULES
###



###
### Forward syn packets from internal network(s) to the internet,
###
# for typical internet use (web, games, chat, etc.)


##
## Fowarding for tun0
##

# Temporay allow-all rule for tun0 to access the web
#iptables -A FORWARD -i tun0 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --syn -j ACCEPT

##
## END Fowarding for tun0
##


##
## Forwarding for eth1
##

# web
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 80 --syn -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 443 --syn -j ACCEPT

# ssh
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 22 --syn -j ACCEPT

# ftp (UFTP commented out due to lack of use)
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 20 --syn -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 21 --syn -j ACCEPT
#iptables -A FORWARD -i eth1 -o eth0 -p udp -s 192.168.12.0/24 -d 0/0 --destination-port 20 -j ACCEPT
#iptables -A FORWARD -i eth1 -o eth0 -p udp -s 192.168.12.0/24 -d 0/0 --destination-port 21 -j ACCEPT


# email (commented out due to lack of use)
#iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 25 --syn -j ACCEPT
#iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 110 --syn -j ACCEPT
#iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 143 --syn -j ACCEPT

# email using ssl/tls (imap4 then pop3s) (commented out due to lack of use)
#iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 993 --syn -j ACCEPT
#iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 995 --syn -j ACCEPT

# DNS
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 53 --syn -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p udp -s 192.168.12.0/24 -d 0/0 --destination-port 53 -j ACCEPT

# google talk (via gaim / pidgin)
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 5222 --syn -j ACCEPT

# MSN
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 1863 --syn -j ACCEPT

# IRC (and ident) (Commented out because irssi is used on this box, see output rules)
# iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 113 --syn -j ACCEPT
# quakenet servers to be added in to this list. don't forget the syn packets

# NTP
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 123 --syn -j ACCEPT

# rsync (add in specific IP of external backup server later)
# maybe make this an output rule and only backup the backed up files.
# iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 873 --syn -j ACCEPT

# Half-Life
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.12.0/24 -d 0/0 --destination-port 27015 --syn -j ACCEPT



##
## END Forwarding for eth1
##

###
### END Forwarding Rules
###



###
### OUTPUT TABLES
###

# allow icmp/tcp ping/traceroute from this box, going out.
iptables -A OUTPUT -p icmp -d 0/0 --syn -j ACCEPT
iptables -A OUTPUT -p udp -d 0/0 --destination-port 33434 -j ACCEPT

# allow connections outbound to main file server for rsync
iptables -A OUTPUT -o eth1 -p tcp -d 192.168.12.55/32 --destination-port 873 --syn -j ACCEPT

# allow connections outbound to other internal servers for ssh
iptables -A OUTPUT -o eth1 -p tcp -d 192.168.12.0/24 --destination-port 22 --syn -j ACCEPT

# allow connections outbound to the web for SSH / SSH on 443
iptables -A OUTPUT -o eth0 -p tcp -d 0/0 --destination-port 22 --syn -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d 0/0 --destination-port 443 --syn -j ACCEPT

# allow IRC connectivity to quakenet IRC servers (uk, followed by us)
# (even though I'm in Canada, I find I have better reliability from UK servers)
iptables -A OUTPUT -o eth0 -p tcp -d 213.48.150.5/32 --destination-port 6667 --syn -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d 195.68.221.111/32 --destination-port 6667 --syn -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d 194.159.164.211/32 --destination-port 6667 --syn -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d 193.138.95.129/32 --destination-port 6667 --syn -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d 85.236.110.226/32 --destination-port 6667 --syn -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -d 8.9.17.72/32 --destination-port 6667 --syn -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d 8.7.233.36/32 --destination-port 6667 --syn -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d 69.12.25.9/32 --destination-port 6667 --syn -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d 69.12.72.132/32 --destination-port 6667 --syn -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d 66.225.225.66/32 --destination-port 6667 --syn -j ACCEPT

###
### END OF OUTPUT TABLES
###


###
### SSH Brute Force Protection
###
# note that I'm actually running ssh on port 443 (to get around hotel firewalls, etc.)
# ipt_recent module would be VERY nice for this (and other stuff)
# because it is not loaded, most of below is commented
# some of this section came from http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# in the 50_ssh_brute_force_protection script

# Create new SSH_LOG_DROP chain for logging and dropping:
#iptables -N SSH_LOG_DROP
#iptables -F SSH_LOG_DROP
#iptables -A SSH_LOG_DROP -m limit --limit 1/m --limit-burst 1 -j DROP

# SSH Whitelist
#iptables -N SSH_CHK
#iptables -A SSH_CHK -s [accepted_IP] -j RETURN
#iptables -A SSH_CHK -s 0/0 -j SSH_LOG_DROP

## Create rate1 & rate2 checker:
#iptables -A SSH_CHK -m recent --name sshchk --set
#iptables -A SSH_CHK -m recent --name sshchk --update \
#          --seconds 60 --hitcount 4 -j SSH_LOG_DROP
#iptables -A SSH_CHK -m recent --name sshchk --update \
#         --seconds 1800 --hitcount 10 -j SSH_LOG_DROP

# For now, I use a simpler version of the brute force protection until I get ipt_recent loaded properly
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m limit --limit 1/m --limit-burst 1 -j DROP

###
### END SSH Brute Force Protection
###


###
### INPUT TABLES
###

# allow main fileserver to connect to local rsync server
# (I use this router as a secondary backup server)
iptables -A INPUT -i eth1 -p tcp -s 192.168.12.55/32 --destination-port 873 --syn -j ACCEPT

# allow inbound connections to local ssh server
iptables -A INPUT -i eth0 -p tcp -s [colo_server_IP]/32 --destination-port 443 --syn -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -s 192.168.12.0/24 --destination-port 443 --syn -j ACCEPT
iptables -A INPUT -i eth2 -p tcp -s 192.168.123.5/32 --destination-port 443 --syn -j ACCEPT
iptables -A INPUT -i tun0 -p tcp -s 192.168.12.48/32 --destination-port 443 --syn -j ACCEPT

###
### END OF INPUT TABLES
###




# links to read?
#
# http://www.badpenguin.co.uk/main/content/view/14/35/ ssh-vpn how-to!
# Basics of above linked article:
#
# pppd tunnel:
# pppd updetach noauth passive pty "ssh root@<hostname> pppd nodetach notty noauth" <localIP>:<RemoteIP>
#
# tun device:
# open up the tunnel:
#  ssh user@host -w tun0:tun0
#
# setup routing locally:
#  - (switch tun0 for ppp0 if using pppd)
#  ifconfig tun0 172.16.0.1 up
#  route add -net 172.16.0.0/24 tun0
#  route add -net 192.168.x.y gw 172.16.0.2
#
# setup routing remotely:
#  ifconfig tun0 172.16.0.2 up
#  route add -net 172.16.0.0/24 tun0
#  route add -net 192.168.a.b gw 172.16.0.1
#
# done, enjoy.



# eof (not really)




###
### Rules to organize in to propper place up top.
###


# Many of these are to drop nmap scans, etc.

# NMAP FIN/URG/PSH
iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# SYN/RST/ACK/FIN/URG
iptables -A VALID_CHK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# ALL/ALL Scan
iptables -A VALID_CHK -p tcp --tcp-flags ALL ALL -j DROP

# NMAP FIN Stealth
iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN -j DROP

# SYN/RST
iptables -A VALID_CHK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# SYN/FIN -- Scan(probably)
iptables -A VALID_CHK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# NMAP Null Scan
iptables -A VALID_CHK -p tcp --tcp-flags ALL NONE -j DROP

# Drop packets with bad tcp flags
iptables -A VALID_CHK -p tcp --tcp-option 64 -j DROP
iptables -A VALID_CHK -p tcp --tcp-option 128 -j DROP

# Drop invalid packets
iptables -A VALID_CHK -m state --state INVALID -j DROP


# Do NOT allow DRDOS abuse (Distributed Reflection Denial Of Service attack)
iptables -A INPUT -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DROP
iptables -A INPUT -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DROP

###
### END OF Rules to organize in to propper place up top.
###


# eof (no really, it is this time )

EDIT: I think I should also mention that not all of this is in production right now.

 

hrrm you are making me get back to work on my dedicated router box

 

And in case you are a GUI kind of person: http://www.fwbuilder.org/ to the rescue