In this example of a simple bridge firewall setup you see how a bridge can protect a server. The router, of course, has both an external IP address to the Internet and an internal address on the 192.168.7.0/24 network, which means the router is doing NAT (Network Address Translation). The bridge is given an IP address so that it can be configured remotely. Note that the two physical network interfaces do not have IP addresses: if you look with ifconfig, all you will see on them are MAC addresses. The bridge interface br0, however, has the IP address 192.168.7.3. A switch is placed between the bridge and the mail server to act as an additional layer of security, which matters especially if you add workstations or additional servers to that switch.
To set this up, create a file called rc.firewall in the /etc directory and make it executable with:
chmod 755 /etc/rc.firewall
Here is a sample script; modify it and use it at your own risk.
```bash
#!/bin/bash
# This script comes with no warranty ...use at own risk
# Copyright (C) 2006 Mike Weber
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
###########################################
# Addresses used below (the bridge itself is br0)
br0="192.168.7.3"
GATEWAY_IP="192.168.7.2"
LAN_NET="192.168.7.0/255.255.255.0"
LAN_BROADCAST="192.168.7.255"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/4"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
WEB="192.168.7.120"
WEB2="192.168.7.122"
WEB3="192.168.7.126"
MAIL="192.168.7.123"
ADMIN="192.168.7.119"
###########################################
# Add protection from the kernel
# (on a bridge, iptables only sees bridged frames when the kernel's
#  bridge-nf-call-iptables setting is enabled)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
for f in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $f; done
###########################################
# Remove existing rules
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Unlimited loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set Policies to drop
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

# Remove pre-existing user defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
#############################################
# Stop Stealth Scans and TCP State Flags
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
############################################
# Connection State to By-Pass Rule Checking
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
#####################################################
# SPECIAL: SSH to the bridge itself, only from the admin host
iptables -A INPUT -p tcp -s $ADMIN -m state --state NEW --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s $ADMIN --dport 22 -j ACCEPT
#####################################################
# No Matter What I Want to Block These Ports
iptables -A FORWARD -p tcp --dport 4444 -j DROP
iptables -A FORWARD -p tcp --dport 135 -j DROP

# Don't forward limited broadcast either way
iptables -A FORWARD -d $BROADCAST_DEST -j DROP
iptables -A FORWARD ! -p udp -d $CLASS_D_MULTICAST -j DROP
#########################################################
# ICMP control and status messages
# Log and drop initial ICMP fragments
iptables -A INPUT --fragment -p icmp -j DROP
iptables -A OUTPUT --fragment -p icmp -j DROP
iptables -A FORWARD --fragment -p icmp -j DROP

# Flow Control - Mostly Used on LANs
iptables -A FORWARD -p icmp --icmp-type source-quench -j ACCEPT

# Unexpected Data in Header or Checksum Error
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT

# STOP NMAP SCANS
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j DROP

# Disable Traceroute
iptables -A FORWARD -p icmp --icmp-type time-exceeded -j DROP

# Disable Ping
iptables -I FORWARD -p icmp --icmp-type echo-request -j DROP

# Block DHCP Port 68 (DHCP runs over UDP)
iptables -A FORWARD -p udp --dport 68 -j DROP
iptables -A FORWARD -p tcp --dport 1434 -j DROP
#############################################
# BLOCK COUNTRY ATTACKS
# /etc/banned holds one address or network per line; lines starting with # are ignored
BADIP=/etc/banned
BANNED=$( grep -v -E "^#" $BADIP )
for ip in $BANNED
do
    iptables -A INPUT -p tcp -s $ip -j DROP
    iptables -A FORWARD -p tcp -s $ip -j DROP
done
##############################################
# MAIL Web
iptables -A FORWARD -p tcp -d $MAIL --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --src $MAIL -m state --state NEW -j ACCEPT

# WEB Web
iptables -A FORWARD -p tcp -d $WEB --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --src $WEB -m state --state NEW -j ACCEPT

# WEB3 Web
iptables -A FORWARD -p tcp -d $WEB3 --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --src $WEB3 -m state --state NEW -j ACCEPT

# WEB2 WEB
iptables -A FORWARD -p tcp -d $WEB2 --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --src $WEB2 -m state --state NEW -j ACCEPT

# ADMIN Web
iptables -A FORWARD -p tcp --src $ADMIN -m state --state NEW -j ACCEPT
iptables -A FORWARD -p udp --src $ADMIN -m state --state NEW -j ACCEPT
###############################################
# MAIL DNS includes settings for Client and Zone Transfers
iptables -A FORWARD -p udp --sport 1024:65535 -d $MAIL --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --sport 53 -d $MAIL --dport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p udp --sport 53 -d $MAIL --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p udp --src $MAIL --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --src $MAIL --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --src $MAIL --sport 53 --dport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p udp --src $MAIL --sport 53 --dport 53 -m state --state NEW -j ACCEPT
##################################
# MAIL SERVER AND CLIENTS FOR POP3 AND IMAP
# MAIL MAIL SERVER SMTP
iptables -A FORWARD -p tcp --sport 25 -d $MAIL --dport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --src $MAIL --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --sport 1024:65535 -d $MAIL --dport 25 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --src $MAIL --sport 25 --dport 1024:65535 -m state --state NEW -j ACCEPT

# POP3
iptables -A FORWARD -p tcp --src $MAIL --sport 1024:65535 --dport 110 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -d $MAIL --dport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --sport 1024:65535 -d $MAIL --dport 110 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --src $MAIL --sport 110 --dport 1024:65535 -m state --state NEW -j ACCEPT

# IMAPS
iptables -A FORWARD -p tcp --sport 1024:65535 -d $MAIL --dport 993 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --sport 1024:65535 -d $MAIL --dport 993 -j ACCEPT
iptables -A FORWARD -p tcp ! --syn -s $MAIL --sport 993 --dport 1024:65535 -j ACCEPT

# IMAP
iptables -A FORWARD -p tcp --src $MAIL --sport 1024:65535 --dport 143 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --sport 143 -d $MAIL --dport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --sport 1024:65535 -d $MAIL --dport 143 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --src $MAIL --sport 143 --dport 1024:65535 -m state --state NEW -j ACCEPT
##################################
# LOGS (LOG does not terminate the chain; the DROP policy still applies afterwards)
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
##########################################
exit 0
```
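As an added check (not part of the original script), the following Python simulates first-match evaluation over a subset of the FORWARD chain above, using the script's MAIL and WEB addresses and constructed sample packets. It shows the rule order admitting HTTP and SMTP and logging unmatched traffic before the DROP policy, and it also shows that the "reply" rules written for NEW packets with a server source port (for example --sport 25 towards ports 1024:65535) are redundant next to the ESTABLISHED,RELATED rule and admit fresh connections to any high port on the mail server, which the TIGHTENED chain avoids by leaving them out.

```python
from dataclasses import dataclass

MAIL, WEB = "192.168.7.123", "192.168.7.120"   # addresses from the script above

@dataclass
class Pkt:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED, RELATED or INVALID

def port_in(spec, port):
    """True if port falls in an iptables port spec such as "25" or "1024:65535"."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def matches(rule, p):
    """Every match option present in the rule must agree with the packet."""
    return (rule.get("proto") in (None, p.proto)
            and rule.get("src") in (None, p.src)
            and rule.get("dst") in (None, p.dst)
            and (rule.get("sport") is None or port_in(rule["sport"], p.sport))
            and (rule.get("dport") is None or port_in(rule["dport"], p.dport))
            and (rule.get("state") is None or p.state in rule["state"]))

# A subset of the script's FORWARD chain, in the order the script appends it.
FORWARD = [
    dict(state={"ESTABLISHED", "RELATED"}, target="ACCEPT"),
    dict(state={"INVALID"}, target="DROP"),
    dict(proto="tcp", dport="4444", target="DROP"),
    dict(proto="tcp", dst=WEB, dport="80", state={"NEW"}, target="ACCEPT"),
    dict(proto="tcp", sport="1024:65535", dst=MAIL, dport="25", state={"NEW"}, target="ACCEPT"),
    dict(proto="tcp", sport="25", dst=MAIL, dport="1024:65535", state={"NEW"}, target="ACCEPT"),
    dict(target="LOG"),  # LOG is non-terminating; the chain policy (DROP) applies afterwards
]

# The same chain without the "reply" rules for NEW packets: ESTABLISHED,RELATED already
# covers genuine replies, so a NEW packet from source port 25 should not be let through.
TIGHTENED = [r for r in FORWARD if r.get("sport") != "25"]

def verdict(p, chain=FORWARD, policy="DROP"):
    """First terminating match wins; returns (target, whether the packet hit the LOG rule)."""
    logged = False
    for rule in chain:
        if matches(rule, p):
            if rule["target"] == "LOG":
                logged = True
                continue
            return rule["target"], logged
    return policy, logged
```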
Copyright CyberMontana Inc. and BeginLinux.com All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874