Network Security Rules

Added on 2019/09/30

Practical Assignment

Summary: the document is a bash script that loads an iptables firewall on a Linux gateway with a LAN interface (eth0) and an Internet-facing interface (eth1). In the filter table it populates the built-in INPUT and FORWARD chains and two user chains, LogAndDrop (log, then drop) and ICMP-in (per-type ICMP filtering); the nat table carries DNAT rules that forward the Bittorrent port range to the host Yosie and a MASQUERADE rule for outbound traffic; the mangle table sets DSCP on outgoing Asterisk (VoIP) traffic. Established and related connections, all LAN traffic, SSH from three fixed addresses or networks (Steve, Amsat, Omicron), DHCP, the VoIP ports, an RTP range and the 6in4 tunnel from the IPv6 endpoint are accepted on the external interface; NetBIOS is dropped explicitly and everything else is logged and dropped.

#!/bin/bash
#
# Interfaces, IP addresses and networks
#
INET_IF=eth1
LAN_IF=eth0
LAN=192.168.19.0/24
Yosie=192.168.19.1
Whitey=192.168.19.2
Nounours=192.168.19.4
Steve=202.12.89.8/29
Amsat=130.226.195.220
Omicron=130.226.195.126
IPv6_Endpoint=64.71.128.80/29
known_mac=00:04:23:64:5f:2c
#
iptables=/sbin/iptables
rcnetwork=/etc/init.d/net.$INET_IF
#
# Ports
#
NETBIOS=135,137,138,139,445,1025
DHCP=bootpc
VoIP=3478,5060,8000,8001,4569,4520
# stun sip rtp rtcp IAX2 DUNDi
Bittorrent=6881:6889
#
# Stop the external IF while doing this
#
$rcnetwork stop
#
#
# Clear possible old rules and chains in every table the script touches,
# so that a re-run does not append duplicate nat or mangle rules
#
$iptables -F
$iptables -F -t nat
$iptables -F -t mangle
$iptables -X
$iptables -X -t nat
#
# Create the log-and-drop chain
#
$iptables -N LogAndDrop
# syslog already tags kernel messages with "kernel: ", so this prefix appears
# twice on every logged line; without "-m limit" a packet flood can fill the log.
$iptables -A LogAndDrop -j LOG --log-prefix 'kernel: '
$iptables -A LogAndDrop -j DROP
#
# Chain for incoming ICMP
#
$iptables -N ICMP-in
$iptables -A ICMP-in -p icmp --icmp-type echo-request -s $IPv6_Endpoint \
-j ACCEPT
$iptables -A ICMP-in -p icmp --icmp-type echo-request -j DROP
$iptables -A ICMP-in -p icmp \
--icmp-type destination-unreachable -j ACCEPT
$iptables -A ICMP-in -p icmp \
--icmp-type source-quench -j ACCEPT
$iptables -A ICMP-in -p icmp \
--icmp-type time-exceeded -j ACCEPT
$iptables -A ICMP-in -p icmp \
--icmp-type parameter-problem -j ACCEPT
$iptables -A ICMP-in -j DROP
#
# INPUT chain
#
# Accept established traffic and traffic from inside

#
$iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -i $LAN_IF -j ACCEPT
$iptables -A INPUT -i lo -j ACCEPT
# Let Steve and myself get in via SSH
$iptables -A INPUT -i $INET_IF -s $Steve -p tcp --dport ssh -j ACCEPT
$iptables -A INPUT -i $INET_IF -s $Amsat -p tcp --dport ssh -j ACCEPT
$iptables -A INPUT -i $INET_IF -s $Omicron -p tcp --dport ssh -j ACCEPT
#
# Send incoming ICMP to its own chain
#
$iptables -A INPUT -p icmp -i $INET_IF -j ICMP-in
#
# Accept DHCP (client port, bootpc) from the outside
#
$iptables -A INPUT -i $INET_IF -p udp \
--dport $DHCP -j ACCEPT
#
# Accept VoIP signalling from the outside, plus the RTP media range
#
$iptables -A INPUT -i $INET_IF -p udp -m multiport \
--dports $VoIP -j ACCEPT
$iptables -A INPUT -i $INET_IF -p udp \
--dport 10000:10100 -j ACCEPT
#
# Accept IPv6 input from the tunnel
#
$iptables -A INPUT -i $INET_IF -p ipv6 -s $IPv6_Endpoint \
-j ACCEPT
#
# Drop explicitly all NetBIOS traffic (silently: this sits before the final
# LogAndDrop rule, so NetBIOS noise does not reach the log)
#
$iptables -A INPUT -i $INET_IF -p udp -m multiport \
--dports $NETBIOS -j DROP
$iptables -A INPUT -i $INET_IF -p tcp -m multiport \
--dports $NETBIOS -j DROP
#
# Log and drop all other traffic
#
$iptables -A INPUT -j LogAndDrop
#
# FORWARD chain
#
# Log and drop explicitly all NetBIOS traffic
#
$iptables -A FORWARD -p udp -m multiport \
--dports $NETBIOS -j LogAndDrop
$iptables -A FORWARD -p tcp -m multiport \
--dports $NETBIOS -j LogAndDrop
#
# Allow established traffic
#
$iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED \
-j ACCEPT
#
# Block new connections, except if coming from inside (i.e. not arriving
# on the external interface).
#
$iptables -A FORWARD -m conntrack --ctstate NEW ! -i $INET_IF \
-j ACCEPT
#
# Allow Bittorrent ports (see above for port definitions)
#
$iptables -A FORWARD -p tcp --dport $Bittorrent -j ACCEPT
$iptables -A FORWARD -p udp --dport $Bittorrent -j ACCEPT
#
# Allow RTP
#
$iptables -A FORWARD -p udp --dport 10000:10100 -j ACCEPT
#
# Log and drop all other traffic
#
$iptables -A FORWARD -j LogAndDrop
#
#
# OUTPUT chain
#
# Accept everything
#
#
# The NAT table
#
#
# Forward the Bittorrent port range to Yosie
#
$iptables -t nat -A PREROUTING -i $INET_IF -p tcp \
--dport $Bittorrent -j DNAT --to-destination $Yosie
$iptables -t nat -A PREROUTING -i $INET_IF -p udp \
--dport $Bittorrent -j DNAT --to-destination $Yosie
#
# Start masquerading
#
$iptables -t nat -A POSTROUTING -o $INET_IF -j MASQUERADE
#
# Set DSCP 0x28 (CS5) on outgoing Asterisk traffic
#
$iptables -A OUTPUT -t mangle -p udp -m udp \
--dport 4569 -j DSCP --set-dscp 0x28
$iptables -A OUTPUT -t mangle -p udp -m udp \
--dport 5036 -j DSCP --set-dscp 0x28
$iptables -A OUTPUT -t mangle -p udp -m udp \
--dport 5060 -j DSCP --set-dscp 0x28
$iptables -A OUTPUT -t mangle -p udp -m udp \
--sport 10000:10100 -j DSCP --set-dscp 0x28
#
# Start the external IF again
#
$rcnetwork start
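The script above issues some forty separate iptables calls and never sets a chain policy, so if one call fails (for instance on a malformed line) the host is left with a partial ruleset and INPUT at its default ACCEPT policy. As an added example, not part of the original document, the same policy rendered in iptables-restore format, statically checked, and loaded as one atomic unit. Deliberate changes from the page's script, all assumptions of this example: DROP policies on INPUT and FORWARD, a rate limit on the LOG rule, the log prefix "LogAndDrop: ", and `--dports` spelled out for multiport. Addresses and ports are the ones defined in the script.

```shell
#!/bin/sh
# Added example, not part of the original script: the same policy rendered in
# iptables-restore format, linted, and (with --apply) loaded atomically, so a
# failing rule cannot leave the gateway half-configured. Changes from the page:
# DROP policies on INPUT/FORWARD, "-m limit" on the LOG rule, prefix "LogAndDrop: ".
INET_IF=eth1; LAN_IF=eth0; Yosie=192.168.19.1
Steve=202.12.89.8/29; Amsat=130.226.195.220; Omicron=130.226.195.126
IPv6_Endpoint=64.71.128.80/29; Bittorrent=6881:6889
NETBIOS=135,137,138,139,445,1025; VoIP=3478,5060,8000,8001,4569,4520

render_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LogAndDrop - [0:0]
:ICMP-in - [0:0]
-A LogAndDrop -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "LogAndDrop: "
-A LogAndDrop -j DROP
-A ICMP-in -p icmp --icmp-type echo-request -s $IPv6_Endpoint -j ACCEPT
-A ICMP-in -p icmp --icmp-type echo-request -j DROP
-A ICMP-in -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ICMP-in -p icmp --icmp-type source-quench -j ACCEPT
-A ICMP-in -p icmp --icmp-type time-exceeded -j ACCEPT
-A ICMP-in -p icmp --icmp-type parameter-problem -j ACCEPT
-A ICMP-in -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $INET_IF -s $Steve -p tcp --dport 22 -j ACCEPT
-A INPUT -i $INET_IF -s $Amsat -p tcp --dport 22 -j ACCEPT
-A INPUT -i $INET_IF -s $Omicron -p tcp --dport 22 -j ACCEPT
-A INPUT -i $INET_IF -p icmp -j ICMP-in
-A INPUT -i $INET_IF -p udp --dport 68 -j ACCEPT
-A INPUT -i $INET_IF -p udp -m multiport --dports $VoIP -j ACCEPT
-A INPUT -i $INET_IF -p udp --dport 10000:10100 -j ACCEPT
-A INPUT -i $INET_IF -p ipv6 -s $IPv6_Endpoint -j ACCEPT
-A INPUT -i $INET_IF -p udp -m multiport --dports $NETBIOS -j DROP
-A INPUT -i $INET_IF -p tcp -m multiport --dports $NETBIOS -j DROP
-A INPUT -j LogAndDrop
-A FORWARD -p udp -m multiport --dports $NETBIOS -j LogAndDrop
-A FORWARD -p tcp -m multiport --dports $NETBIOS -j LogAndDrop
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD ! -i $INET_IF -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -p tcp --dport $Bittorrent -j ACCEPT
-A FORWARD -p udp --dport $Bittorrent -j ACCEPT
-A FORWARD -p udp --dport 10000:10100 -j ACCEPT
-A FORWARD -j LogAndDrop
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $INET_IF -p tcp --dport $Bittorrent -j DNAT --to-destination $Yosie
-A PREROUTING -i $INET_IF -p udp --dport $Bittorrent -j DNAT --to-destination $Yosie
-A POSTROUTING -o $INET_IF -j MASQUERADE
COMMIT
*mangle
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p udp -m multiport --dports 4569,5036,5060 -j DSCP --set-dscp 0x28
-A OUTPUT -p udp --sport 10000:10100 -j DSCP --set-dscp 0x28
COMMIT
EOF
}

# Static check before loading: every -A names a declared chain, every -j names
# a built-in target or a chain declared in the same table, every table COMMITs.
lint_restore_file() {
    awk '
    BEGIN { ok = 1; n = split("ACCEPT DROP REJECT RETURN LOG DNAT SNAT MASQUERADE DSCP", b, " ")
            for (i = 1; i <= n; i++) builtin[b[i]] = 1 }
    /^\*/ { tbl = substr($0, 2); seen[tbl] = 1; next }
    /^:/  { sub(/^:/, ""); chain[tbl, $1] = 1; next }
    /^COMMIT$/ { committed[tbl] = 1; next }
    /^-A / { if (!((tbl, $2) in chain)) { print "undefined chain " $2 " in " tbl; ok = 0 }
             for (i = 3; i <= NF; i++) if ($i == "-j" && !($(i+1) in builtin) && !((tbl, $(i+1)) in chain))
                 { print "undefined target " $(i+1) " in " tbl; ok = 0 } }
    END { for (t in seen) if (!(t in committed)) { print "missing COMMIT for " t; ok = 0 }
          exit (ok ? 0 : 1) }' "$1"
}

apply_ruleset() {
    f=$(mktemp) || return 1
    render_ruleset > "$f" && lint_restore_file "$f" && iptables-restore "$f"
    rc=$?; rm -f "$f"; return $rc
}

case "${1:-}" in
    --apply) apply_ruleset ;;   # needs root; all-or-nothing load
    *) render_ruleset ;;        # print the rendered file for review
esac
```

Without arguments the script prints the rendered file for review; `--apply` as root lints it and hands it to iptables-restore, which either installs every rule or none. With the DROP policies in place, the trailing `-j LogAndDrop` rules only add logging; the deny no longer depends on the last line of the script being reached.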
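The LogAndDrop chain logs every packet that reaches the end of INPUT or FORWARD, so the log is the place to see what the firewall is actually rejecting. As an added example, not part of the original script, a small shell tool that summarises those lines by source address, protocol and destination port. The log lines are constructed (RFC 5737 documentation addresses, not real traffic) in the key=value layout the LOG target emits; the doubled "kernel: kernel:" tag is what the script's `--log-prefix 'kernel: '` produces once syslog adds its own tag.

```shell
#!/bin/sh
# Added example, not part of the original script: summarise what LogAndDrop
# has been logging, by source address, protocol and destination port.
# The LOG target writes one syslog line per packet with key=value fields
# (IN= OUT= SRC= DST= PROTO= DPT=, or TYPE= for ICMP). Because the script uses
# --log-prefix 'kernel: ' and syslog tags kernel messages with "kernel: " as
# well, the tag appears twice on every line.

# Constructed sample (RFC 5737 documentation addresses, not real traffic):
# three SSH probes and two mDNS packets arriving on eth1, one NetBIOS packet
# from the LAN host Whitey caught by the FORWARD rule (IN=eth0 OUT=eth1), and
# one unrelated kernel line that must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
Sep 30 10:01:02 gw kernel: kernel: IN=eth1 OUT= MAC=00:04:23:64:5f:2c:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=51 ID=1001 DF PROTO=TCP SPT=40001 DPT=22 SYN
Sep 30 10:01:03 gw kernel: kernel: IN=eth1 OUT= MAC=00:04:23:64:5f:2c:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=51 ID=1002 DF PROTO=TCP SPT=40002 DPT=22 SYN
Sep 30 10:01:05 gw kernel: kernel: IN=eth1 OUT= MAC=00:04:23:64:5f:2c:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=51 ID=1003 DF PROTO=TCP SPT=40003 DPT=22 SYN
Sep 30 10:02:11 gw kernel: kernel: IN=eth1 OUT= MAC=00:04:23:64:5f:2c:00:11:22:33:44:55:08:00 SRC=198.51.100.9 DST=198.51.100.2 LEN=78 TTL=64 ID=2001 PROTO=UDP SPT=5353 DPT=5353 LEN=58
Sep 30 10:02:12 gw kernel: kernel: IN=eth1 OUT= MAC=00:04:23:64:5f:2c:00:11:22:33:44:55:08:00 SRC=198.51.100.9 DST=198.51.100.2 LEN=78 TTL=64 ID=2002 PROTO=UDP SPT=5353 DPT=5353 LEN=58
Sep 30 10:03:40 gw kernel: kernel: IN=eth0 OUT=eth1 SRC=192.168.19.2 DST=203.0.113.50 LEN=78 TTL=127 ID=3001 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 30 10:04:00 gw kernel: eth1: link is up
EOF
)

# summarize_drops [iface]: read log lines on stdin and print "count src proto port",
# busiest first. With an interface argument, only packets that arrived on it count.
summarize_drops() {
    awk -v want="${1:-}" '
    / IN=/ && / PROTO=/ {
        split("", f)
        for (i = 1; i <= NF; i++) if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
        if (want != "" && f["IN"] != want) next
        port = ("DPT" in f) ? f["DPT"] : "type" f["TYPE"]
        hits[f["SRC"] " " f["PROTO"] " " port]++
    }
    END { for (k in hits) print hits[k], k }' | sort -k1,1nr -k2
}

# Usage: everything dropped that came in on the external interface.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops eth1
```

Feed it `journalctl -k` or the syslog file instead of the sample; leaving the interface argument out also shows LAN traffic the FORWARD chain rejected, which is how the NetBIOS leak from Whitey shows up.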