Heya guys.
I need help configuring my hardware firewall. My router is the Westell Versalink 7500, and it appears to follow the IPTables syntax.
Now, I know the firewall is working: when I scan the ports with GRC Shields Up!, it does not respond to the ICMP ping. However, I am unable to get ports 20 & 21 stealthed.
Here are my current rules:
#! /bin/sh
#
# Author: Stanley Chan
#
# Version 06/27/08
#
# /etc/init.d/firewall
#
#
### Based on rules from:
### http://www.novell.com/coolsolutions/feature/18139.html
### http://www.linuxquestions.org/questions/linux-security-4/stealth-iptables-ruleset-21338/
### http://fixunix.com/security/17626-shields-up-reports-one-open-port-through-iptables.html
### http://www.dslreports.com/forum/r20642422-Help-Configuring-Router-IPTables-to-stealth-all-ports-
#
#
### BEGIN INIT INFO
# Provides: Firewall for Router/Modem/Switch [Westell Versalink 7500]
# Required-Start: $network syslog
# Required-Stop:
# Should-Stop:
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
# Short-Description: Firewall Configuration
### END INIT INFO
#
#
##############################################################################
# DEFAULT POLICY
SetDefaultPolicy() {
  # Default-deny on every built-in filter chain: a packet that no later rule
  # explicitly ACCEPTs is silently discarded.
  for chain in INPUT OUTPUT FORWARD; do
    iptables -P "$chain" DROP
  done
}
##############################################################################
# FLUSH TABLES
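FlushTables() {
  # Empty all three tables so 'start'/'stop' build their rule sets from a
  # known state: first every rule, then every user-defined chain.
  # A bare 'iptables -X' (as originally written) acts on the filter table
  # only and leaves stale user chains behind in nat and mangle, so the
  # chain removal is now done per table as well.
  for table in nat mangle filter; do
    iptables -F -t "$table"
  done
  for table in nat mangle filter; do
    iptables -X -t "$table"
  done
}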
##############################################################################
# ROUTING
EnableRouting() {
  # Let the kernel forward IPv4 packets between interfaces (needed for the
  # FORWARD rules and NAT below to carry any traffic).
  printf '1\n' > /proc/sys/net/ipv4/ip_forward
}
DisableRouting() {
  # Stop the kernel from forwarding IPv4 packets between interfaces.
  # Defined for symmetry with EnableRouting; nothing in this script calls it.
  printf '0\n' > /proc/sys/net/ipv4/ip_forward
}
##############################################################################
# FORWARDING
SetForwardingRules() {
  # Public -> private: only packets belonging to (or related to) a
  # conversation the LAN side already opened.
  iptables -A FORWARD -i "$IF_PUB" -o "$IF_PRV" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Private -> public: everything the LAN sends out is forwarded.
  iptables -A FORWARD -i "$IF_PRV" -o "$IF_PUB" -j ACCEPT
}
##############################################################################
# Stan's Custom Rules
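SetCustomRules() {
  # Per-interface "default deny" block.
  # $1 - interface the rules are scoped to; defaults to the eth0 that was
  #      hard-coded originally.
  # NOTE(review): in the ENVIRONMENT block eth0 is IF_PRV, i.e. the LAN
  # side, so with no argument these rules act on LAN traffic rather than
  # the public link -- confirm which side was intended.
  iface=${1:-eth0}
  # 'inbound' is created empty and nothing in this script appends to it,
  # so the jump is currently a no-op placeholder.
  iptables -N inbound
  iptables -A INPUT -i "$iface" -j inbound
  # Refuse new TCP connection attempts and reserved ports 0/1.
  iptables -A INPUT -i "$iface" -p tcp --syn -j DROP
  iptables -A INPUT -i "$iface" -p tcp --dport 0 -j DROP
  iptables -A INPUT -i "$iface" -p tcp --dport 1 -j DROP
  # UDP has no SYN flag: the original '-p udp --syn' rule is refused by
  # iptables and was never installed, so only the port 0/1 drops remain.
  iptables -A INPUT -i "$iface" -p udp --dport 0 -j DROP
  iptables -A INPUT -i "$iface" -p udp --dport 1 -j DROP
  # Replies to connections this host opened must be accepted BEFORE the
  # catch-all drop; originally this ACCEPT came after the DROP and could
  # never match.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Log, then drop, everything else arriving on this interface.
  # The LOG rule is installed only when YOURBOX is set: the original
  # referenced an undefined $YOURBOX, which left '-d' without an address
  # and made iptables refuse the rule.
  if [ -n "${YOURBOX:-}" ]; then
    iptables -A INPUT -i "$iface" -d "$YOURBOX" -j LOG --log-level 7 --log-prefix "Default Deny"
  fi
  # Scoped to the interface: an unscoped '-A INPUT -j DROP' here (as
  # originally written) ends the INPUT chain for every interface and makes
  # the loopback, LAN, WAN-reply, ICMP and SSH rules appended later in
  # 'start' unreachable. The chain-wide drop belongs to SetDropRules.
  iptables -A INPUT -i "$iface" -j DROP
}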
##############################################################################
# LOOPBACK
SetLoopbackRules() {
  # Local processes talking to each other over lo are never filtered,
  # in either direction.
  iptables -A INPUT -i "lo" -j ACCEPT
  iptables -A OUTPUT -o "lo" -j ACCEPT
}
##############################################################################
# PRIVATE INTERFACES
SetPrivateInterfaceRules() {
  # The LAN side is fully trusted: anything from NET_PRV on IF_PRV may reach
  # the router, and the router may send anything back to NET_PRV.
  # The -s/-d network match keeps a spoofed non-LAN source on the LAN port
  # from being accepted by these two rules.
  iptables -A INPUT -i "$IF_PRV" -s "$NET_PRV" -j ACCEPT
  iptables -A OUTPUT -o "$IF_PRV" -d "$NET_PRV" -j ACCEPT
}
#############################################################################
# PUBLIC INTERFACES
SetPublicInterfaceRules() {
  # Inbound on the public side: only packets that belong to a connection
  # this host already has in its state table.
  iptables -A INPUT -i "$IF_PUB" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Outbound on the public side: unrestricted.
  iptables -A OUTPUT -o "$IF_PUB" -j ACCEPT
}
##############################################################################
# SOURCE NAT
EnableSourceNAT() {
  # Rewrite the source of everything leaving the public interface from the
  # LAN network to the router's own public address.
  # NOTE(review): SNAT to a fixed --to address assumes IP_PUB is static;
  # a dynamically assigned public address would need MASQUERADE instead --
  # confirm for this link.
  iptables -t nat -A POSTROUTING -s "$NET_PRV" -o "$IF_PUB" -j SNAT --to "$IP_PUB"
}
# Various ICMP
SetICMP_Open() {
  # Accept echo-reply (0), destination-unreachable (3) and time-exceeded
  # (11) unconditionally.
  for icmp_type in 0 3 11; do
    iptables -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
  done
  # Echo-request (8) is accepted, but no more than one per second.
  # NOTE(review): none of these rules is tied to an interface, and in
  # 'start' they are appended after SetCustomRules; whether they are ever
  # reached for public-side traffic depends on what that function leaves
  # at the end of INPUT -- verify the chain order on the device.
  iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
}
# SSH (on a non-standard port)
SetSSH_Open() {
  # Accept TCP to the router's public address on 2202 (SSH moved off 22).
  # Anything reaching this port is allowed without further state or
  # rate checks.
  iptables -A INPUT -i "$IF_PUB" -p tcp -d "$IP_PUB" --dport 2202 -j ACCEPT
}
##############################################################################
# Destination NAT
# smtp
SetSMTP_DNAT() {
  # Forward inbound SMTP on the public address to the internal mail host
  # (192.168.1.254, inside NET_PRV), then let the rewritten packets through
  # FORWARD. The FORWARD match uses the post-DNAT port, which is unchanged.
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport smtp -j DNAT --to 192.168.1.254
  iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i "$IF_PUB" -p tcp --dport smtp -j ACCEPT
}
# pop3
SetPOP3_DNAT() {
  # Forward inbound POP3 on the public address to 192.168.10.254 and accept
  # the rewritten packets in FORWARD.
  # NOTE(review): 192.168.10.254 lies outside NET_PRV (192.168.1.0/24) as
  # set in the ENVIRONMENT block, so the SNAT rule and the LAN ACCEPTs do
  # not cover it -- confirm the router actually has a route to that host.
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport pop3 -j DNAT --to 192.168.10.254
  iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i "$IF_PUB" -p tcp --dport pop3 -j ACCEPT
}
# Webmail (444->443)
SetWebmail_DNAT() {
  # Public port 444 is rewritten to 192.168.10.254:443. Because DNAT changes
  # the destination port, the FORWARD rule matches on the new port (443)
  # and on the outgoing LAN interface instead of the public one.
  # NOTE(review): 192.168.10.254 is outside NET_PRV (192.168.1.0/24) as set
  # in the ENVIRONMENT block -- confirm it is reachable from the router.
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport 444 -j DNAT --to 192.168.10.254:443
  iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o "$IF_PRV" -p tcp --dport 443 -j ACCEPT
}
# http
SetHTTP_DNAT() {
  # Forward inbound HTTP on the public address to 192.168.10.253 and accept
  # the rewritten packets in FORWARD (port unchanged by the DNAT).
  # NOTE(review): 192.168.10.253 is outside NET_PRV (192.168.1.0/24) as set
  # in the ENVIRONMENT block -- confirm it is reachable from the router.
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport http -j DNAT --to 192.168.10.253
  iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i "$IF_PUB" -p tcp --dport http -j ACCEPT
}
# Blocked protocols
SetBlockedProtocols() {
  # Drop the standard IRC service ports (irc, irc-serv, ircs) over both TCP
  # and UDP, on every interface -- the original's reason: botnet C2 traffic.
  # Service names are resolved by iptables from /etc/services.
  for svc in irc irc-serv ircs; do
    for proto in tcp udp; do
      iptables -A INPUT -p "$proto" --dport "$svc" -j DROP
    done
  done
}
# Blocked hosts
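SetBlockedHosts() {
  # Silently drop everything from a blocked source address on the public
  # interface, whether addressed to the router (INPUT) or routed through
  # it (FORWARD).
  # $1 - address to block; defaults to the one hard-coded originally.
  # The original paired '-j DROP' with '--reject-with', an option that
  # belongs to the REJECT target only; iptables refuses such a rule, so
  # neither block was ever installed. DROP (no reply at all) matches the
  # script's stealth goal, so the stray option is removed rather than the
  # target switched to REJECT.
  blocked_host=${1:-10.220.231.236}
  iptables -A INPUT -i "$IF_PUB" -s "$blocked_host" -j DROP
  iptables -A FORWARD -i "$IF_PUB" -s "$blocked_host" -j DROP
}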
# Blocked networks
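SetBlockedNetworks() {
  # Silently drop everything from a blocked source network on the public
  # interface, in both INPUT and FORWARD.
  # $1 - network (CIDR) to block; defaults to the one hard-coded originally.
  # Two fixes against the original:
  #  - '--reject-with' is a REJECT-only option; combined with '-j DROP'
  #    iptables refuses the rule, so the block was never installed.
  #  - the FORWARD rule carried '-d $IP_PUB'. A packet still addressed to
  #    the router's own address is delivered to INPUT, not FORWARD, and a
  #    DNATed packet has already had its destination rewritten when FORWARD
  #    sees it, so that match could never succeed. It is dropped to mirror
  #    SetBlockedHosts.
  blocked_net=${1:-10.220.232.0/24}
  iptables -A INPUT -i "$IF_PUB" -s "$blocked_net" -j DROP
  iptables -A FORWARD -i "$IF_PUB" -s "$blocked_net" -j DROP
}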
# Specify things to drop before logging
SetPrelogDropRules() {
  # Noise that should never reach the LOG rules: DHCP server replies
  # (source port bootps) arriving on the public interface.
  # NOTE(review): this also discards any DHCP offer for the public side
  # itself; fine while IP_PUB is static, as the ENVIRONMENT block sets it.
  iptables -A INPUT -i "$IF_PUB" -p udp --sport bootps -j DROP
}
# Log those on the public interface
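SetLoggingRules() {
  # Log what reaches the end of each chain on the public side, just before
  # the final drops.
  # $1 - optional rate for the limit module (default 5/minute, a value
  #      chosen here). The original logged every packet unconditionally,
  #      which lets a port sweep fill the log on a small router; the burst
  #      size is left at the limit module's default.
  log_rate=${1:-5/minute}
  iptables -A INPUT -i "$IF_PUB" -m limit --limit "$log_rate" -j LOG --log-prefix="INPUT "
  iptables -A OUTPUT -o "$IF_PUB" -m limit --limit "$log_rate" -j LOG --log-prefix="OUTPUT "
  iptables -A FORWARD -m limit --limit "$log_rate" -j LOG --log-prefix="FORWARD "
  # NAT-table tracing, kept disabled as in the original:
  # iptables -t nat -A PREROUTING -i $IF_PUB -j LOG --log-prefix="nPre "
  # iptables -t nat -A POSTROUTING -o $IF_PUB -j LOG --log-prefix="nPost "
  # iptables -t nat -A OUTPUT -o $IF_PUB -j LOG --log-prefix="NAT OUT "
}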
# Drop them all
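SetDropRules() {
  # Final catch-all for TCP in INPUT: discard with no reply, so a scanner
  # cannot tell a filtered port from an absent host (the "stealth" the
  # script is after). The original note about REJECT being the polite TCP
  # behaviour is kept for history; the author switched to DROP on purpose.
  # Fix: '--reject-with tcp-reset' was left over from the REJECT version.
  # DROP takes no options, so iptables refused the whole command and this
  # rule was never installed (the DROP policy from SetDefaultPolicy still
  # caught the packets).
  # NOTE(review): a port that scanners report as "closed" rather than
  # "stealth" was answered with a TCP reset, and no rule in this script
  # sends one; the response for 20/21 most likely comes from something
  # outside this rule set -- verify on the device.
  iptables -A INPUT -p tcp -j DROP
}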
##############################################################################
# SCRIPT ENTRY POINT
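# Announce the requested action. printf replaces 'echo -n' + unquoted 'echo
# $1': under #!/bin/sh the -n flag is not portable, and the bare $1 was
# subject to word splitting and globbing.
printf 'Firewall Configuration...%s\n' "$1"
##############################################################################
# ENVIRONMENT
# Private (LAN) side
IF_PRV=eth0
IP_PRV=192.168.1.1
NET_PRV=192.168.1.0/24
# Public (Internet) side
IF_PUB=eth1
IP_PUB=10.0.0.1
NET_PUB=10.0.0.0/24
# Others (IP_PRV, NET_PUB and ANYWHERE are not referenced by the rule
# functions in this file; kept for anything that sources the script)
ANYWHERE=0.0.0.0/0
# NOTE(review): SetCustomRules hard-codes eth0, which is IF_PRV here --
# confirm that function is meant to act on the LAN side.
# init-script helpers providing rc_reset / rc_exit
. /etc/rc.status
rc_reset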
##############################################################################
# COMMAND LINE
case "$1" in
start)
SetDefaultPolicy
FlushTables
EnableRouting
SetBlockedProtocols
SetBlockedNetworks
SetBlockedHosts
SetForwardingRules
SetCustomRules
SetLoopbackRules
SetPrivateInterfaceRules
SetPublicInterfaceRules
EnableSourceNAT
SetICMP_Open
SetSSH_Open
SetSMTP_DNAT
SetPOP3_DNAT
SetWebmail_DNAT
SetHTTP_DNAT
SetPrelogDropRules
SetLoggingRules
SetDropRules
;;
stop)
SetDefaultPolicy
FlushTables
SetPrivateInterfaceRules
SetPublicInterfaceRules
;;
restart)
$0 stop
$0 start
;;
*)
;;
esac
rc_exit
Now, I understand that the firewall accepts packets once a connection has been established (or is related to one). Could port 21 be reported as closed because some application has already established a connection on it?
Thanks for your help, guys. Here are other threads that report my progress on this: http://www.dslreports.com/forum/r20642422-Help-Configuring-Router-IPTables-to-stealth-all-ports- & http://www.dslreports.com/forum/r20021710-Help-Tweaking-Westell-Versalink-327W-Firewall-for-Starcraft
EDIT- Updated rules. Still unable to stealth all ports.
GRC (and a few other scanners) reports ports 20 & 21 as closed, not stealth. An individual GRC scan of port 500 reports it closed (while the service-port scan of the first 1056 ports reports them all stealthed). Huh? Can anyone help?