Hello All, I have taken up writing this bash script to change my iptables rules. It seems the only issue I've found is that it seems to not want to connect to certain websites at some moments and not others, or generally, but sometimes it lets it through without changing anything. This completely stops if I add RELATED to my OUTPUT ACCEPT next to NEW; I'm just not sure how that impacts security exactly.
Also, any advice on making this script better, or stronger per security, would be appreciated, as this is both my first time scripting in bash from scratch and my first IPTABLES venture.
Oh, and don't mind the echo lines, those are solely for my entertainment upon running.
#!/bin/sh
IPT=/sbin/iptables
IP6=/sbin/ip6tables

echo "[+] ENTRY PLUG EJECTED, READY FOR PILOT ENTRY"
read OK
echo " $OK ENTRY PLUG INSERTION COMPLETE"
echo "[+] Flooding the cockpit with LCL. Don't try and hold your breath, just breath normal. It's weird at first, but you'll get used to it "

# Flush every rule in the filter and nat tables and delete user-defined chains
$IPT -F
$IPT -F -t nat
$IPT -X

echo "[+] Synch ratio 99%, within permissable parameters..."
# Default policies: anything not explicitly accepted below is dropped.
# ip6tables gets policies only and no ACCEPT rules, so all IPv6 is blocked.
$IP6 -P INPUT DROP
$IP6 -P FORWARD DROP
$IP6 -P OUTPUT DROP
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

## INPUT Rules ###
echo "[+] AT Field is active, moving EVA UNIT 1 to elevator 24..."
# Log packets conntrack classifies as INVALID (they are dropped two rules later)
$IPT -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID_DROPS" --log-ip-options --log-tcp-options
# Log every NEW inbound packet, including the ones the 80/443 rules below accept
$IPT -A INPUT -m conntrack --ctstate NEW -j LOG --log-prefix "NEW_DROPS" --log-ip-options --log-tcp-options
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
# Drop inbound ping
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
# Replies and related packets for connections this host already has
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT --in-interface lo -j ACCEPT
# Inbound connections to local web ports
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT

## FORWARD Rules ## (all commented out; the FORWARD DROP policy applies)
#$IPT -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID_FORWARD" --log-ip-options --log-tcp-options
#$IPT -A FORWARD -i lo -j ACCEPT
#$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
#$IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

## OUTPUT Rules ##
echo "[+] It's up to you now, Shinji..."
$IPT -A OUTPUT --out-interface lo -j ACCEPT                                  # Allows ALL loopback traffic
$IPT -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT                          # Only allow NEW connections outbound.
$IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT  # Allows Privoxy via HTTP and HTTPS
$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT                                  # ACCEPT outbound https
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT                                   # ACCEPT outbound http (DO NOT LEAVE ACTIVE!)
$IPT -A OUTPUT -m owner --uid-owner root -j ACCEPT                           # Allows ALL root requests
On 2016-05-23 19:54, Ralph Sanchez wrote:
> Yes, this is a personal laptop. If you notice, I have default POLICY as DROP, which means if I don't accept on ports 80 and 443 I can't accept HTTPS and HTTP, correct? I'm still learning how all this works, but that's what it seemed to me and was explained in other guides and tutorials I needed to do. And if I don't ACCEPT there, I don't get any web pages whatsoever so.

Whenever you perform an HTTP(S) request, the response should be treated as RELATED, hence allowing all RELATED inbound traffic should suffice.

> Thanks for the advice on NEW, I haven't seen much said about it so I'll take that advice and just enable RELATED as well, considering that solves the biggest problem I had as far as still accessing the web.
> And as far as blocking outbound, I just don't see any reason to allow any more data in or out at any moment than is absolutely needed, and it should help mitigate some malicious software calling home even if it does get through into my system.

It could still connect via 80,443. However, you are right, your setup will block those malicious pieces of software that do not try to use those (and that do not gain root rights).

> Thanks for the reading, that's where I'm heading now : )
On Mon, May 23, 2016 at 4:13 PM, <deb023@respiranto.de> wrote:
> Whenever you perform an HTTP(S) request, the response should be treated as RELATED, hence allowing all RELATED inbound traffic should suffice.

So, would it be better to not base any outgoing connections off stateful connections and simply just allow it via port, since either way the port is going to allow both wanted traffic and possible subversion, if malicious software passed the input? Or maybe put the 443 ACCEPT before the stateful filtering, and only allow established state?

> It could still connect via 80,443. However, you are right, your setup will block those malicious pieces of software that do not try to use those (and that do not gain root rights).

Yeah, I wasn't sure whether I should leave those options in or just go off stateful... see previous statement. Also, if something gains root rights in my system, then I've got more problems than a faulty firewall.

Also, it seems if I only allow Related and Established on OUTPUT I cannot access the internet: 90 percent of packets get dropped when I try to connect to anything, but allowing new, established allows connection... but also any software would be able to call home.

On 2016-05-23 22:32, Ralph Sanchez wrote:
> So, would it be better to not base any outgoing connections off stateful connections and simply just allow it via port, since either way the port is going to allow both wanted traffic and possible subversion, if malicious software passed the input? Or maybe put the 443 ACCEPT before the stateful filtering, and only allow established state?

As I said, I would simply allow all RELATED (and ESTABLISHED btw.) in- and outbound connections. I might have mixed up RELATED and ESTABLISHED a little in the former emails, by the way. Apart from that, you may block as much as you want. And I would suggest blocking any other INPUT (except for icmp (possibly partly) and lo). But again, if you really want to secure your box, take the time to thoroughly read a few manuals and possibly even a few RFCs.

On Mon, May 23, 2016 at 5:20 PM, Einhard Leichtfuß <el@respiranto.de> wrote:
> As I said, I would simply allow all RELATED (and ESTABLISHED btw.) in- and outbound connections. I might have mixed up RELATED and ESTABLISHED a little in the former emails, by the way. Apart from that, you may block as much as you want. And I would suggest blocking any other INPUT (except for icmp (possibly partly) and lo). But again, if you really want to secure your box, take the time to thoroughly read a few manuals and possibly even a few RFCs.

Thanks for the clarification : ) And you didn't confuse the two explicitly, but I wasn't sure if you were advising allowing NEW,RELATED / NEW,ESTABLISHED or ESTABLISHED,RELATED on outbound packets, but now I know.

I have read through quite a few manuals and online forums, although no RFCs... I'm not really sure I know what they are even, haha. I have configured myself pretty well, editing PAM and my sysctl.conf file rigorously, BIOS passwording and denying USB boots without admin access to the BIOS, as well as other various activities including attempting to configure SELinux, which is nigh impossible to do and have it have any effect on Jessie right now, at least as far as me and someone else could find.

I have noticed that DROP on invalid first actually drops more packets than simply allowing Established, related... does this imply a packet can have more than one state??

Ralph Sanchez wrote:
> I have noticed that DROP on invalid first actually drops more packets than simply allowing Established, related... does this imply a packet can have more than one state??

No (though I don't know about DNAT and SNAT), hence it must be due to
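To make the state question in this thread concrete (why allowing only RELATED,ESTABLISHED on OUTPUT drops nearly everything, what a NEW catch-all lets out, and whether a packet can carry more than one state), here is a toy model of conntrack classification and first-match chain evaluation. It is an added example, not code from the thread or from netfilter: it never calls iptables, and the chains, flow names and ports are constructed to mirror the posted ruleset and the OUTPUT variants discussed.

```python
from dataclasses import dataclass
@dataclass
class Packet:
    direction: str            # "out" -> OUTPUT chain, "in" -> INPUT chain
    flow: str                 # toy stand-in for the 5-tuple conntrack keys on
    proto: str = "tcp"
    dport: int = 0
    syn: bool = False         # True only for the first TCP packet of a flow
    icmp_error_for: str = ""  # ICMP error quoting another flow -> RELATED

def ctstate(pkt, flows):
    # Exactly one state per packet, decided by what conntrack has seen so far.
    if pkt.icmp_error_for and pkt.icmp_error_for in flows:
        return "RELATED"
    if pkt.flow in flows:
        return "ESTABLISHED"
    if pkt.proto == "tcp" and not pkt.syn:
        return "INVALID"  # toy rule; real conntrack may pick up a mid-stream ACK as NEW
    return "NEW"

def evaluate(chain, pkt, state, policy="DROP"):
    # First matching rule wins; a rule is (match_dict, target), like an iptables rule.
    hits = [t for m, t in chain if state in m.get("ctstate", {state})
            and pkt.proto == m.get("proto", pkt.proto) and pkt.dport == m.get("dport", pkt.dport)]
    return hits[0] if hits else policy

def run(output_chain, input_chain, packets):
    # Returns [(flow, direction, state, verdict)]; a flow is tracked once a NEW
    # packet of it is accepted (real conntrack confirms the entry on accept).
    flows, log = set(), []
    for pkt in packets:
        state = ctstate(pkt, flows)
        verdict = evaluate(output_chain if pkt.direction == "out" else input_chain, pkt, state)
        if verdict == "ACCEPT" and state == "NEW":
            flows.add(pkt.flow)
        log.append((pkt.flow, pkt.direction, state, verdict))
    return log

# The poster's INPUT chain minus its LOG and ping rules (they change no verdict here)
INPUT = [({"ctstate": {"INVALID"}}, "DROP"), ({"ctstate": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
         ({"proto": "tcp", "dport": 443}, "ACCEPT"), ({"proto": "tcp", "dport": 80}, "ACCEPT")]
# OUTPUT variants discussed in the thread
OUT_EST_ONLY = [({"ctstate": {"RELATED", "ESTABLISHED"}}, "ACCEPT")]
OUT_NEW_ALL = [({"ctstate": {"NEW", "RELATED", "ESTABLISHED"}}, "ACCEPT")]
OUT_SCOPED = OUT_EST_ONLY + [({"ctstate": {"NEW"}, "proto": "tcp", "dport": 443}, "ACCEPT")]
# Constructed traffic: one HTTPS fetch, an ICMP error about it, one outbound attempt on another port
TRAFFIC = [Packet("out", "https", dport=443, syn=True), Packet("in", "https", dport=51000),
           Packet("out", "https", dport=443), Packet("in", "err", proto="icmp", icmp_error_for="https"),
           Packet("out", "beacon", dport=4444, syn=True)]
```

Running the three OUTPUT variants over the same traffic shows the outbound SYN is NEW, the reply is ESTABLISHED and only the ICMP error is RELATED, so an OUTPUT chain without a NEW rule never lets a connection start, while a NEW rule scoped to port 443 keeps the fetch working and drops the NEW connection to port 4444.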