Linux Security with the IP Chains Firewall

Ipchains is the utility that handles packet filtering on Linux with a
2.2.x kernel. On Linux with a 2.4.x kernel, ipchains is replaced by
iptables, which is a further development of ipchains itself with several
new functions added to improve security.

Ipchains can handle port blocking, logging, NAT (network address
translation), port forwarding and much more, all of it very flexible.
For that reason I also attach an example ipchains script that I use,
which is quite reliable for protecting your network. I took the original
script from nerdnerd.net and added modifications here and there ;-)

This script can be run from rc.local or as a SysV-style init script. If
you use PPP, I suggest putting this script in /etc/ppp/ip-up.local so
that it is run every time a connection is made. If you use DHCP, you can
run this script every time you pump or request an IP lease from the DHCP
server.

To use ipchains (with this script or without it), you should first check
your outbound interface (eth0, ppp0, etc.). Check your IP range, and
determine which is your internal network and which is external. Also
decide which services you will open and which you will close. One nice
thing about Linux is that this operating system is very 'configurable'
;-), so everything depends on your security policy. This script can also
be used on a kernel that has been compiled with IP masquerading (NAT).
For details on IP masquerading, see
http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html

One easy thing you can do to improve the security of your system/network
(besides firewalling) is to TURN OFF the services you do not use. Use
'ps -aef' or 'netstat -a | grep LISTEN' to see which services are running
on your system, then shut down the services you do not need. Do you need
to run 'named' (DNS server)? If so, does it need to be reachable from
outside? If not, block that connection except from the internal network.
For details on these kinds of services, see
http://www.linuxdoc.org/HOWTO/Net-HOWTO/

The last point is: KEEP YOUR SYSTEM UPDATED!, because network and system
security is, frankly, a race with crackers. When a new exploit is found,
crackers learn of it and spread it quickly. It is not good if they know
about it first and try it on your system/network before you know too. So,
stay in touch with your Linux distribution and update the daemons you use
whenever a new version appears. Many Linux distributions provide a
mailing list for this. Or, join the bugtraq mailing list!

PS. Don't forget to 'chmod +x firewall.sh' so that the script can be run
;-)
--------------------------------------------------------------------------------
#!/bin/sh
#
# IPCHAINS-FIREWALL
###############################################################################
#
# -------------------------------------------------- Ipchains Firewall Script -
#
# Original script by Ian Hall-Beyer (manuka@nerdherd.net)
#
# Contributors:
# terminus (cpm@dotquad.com) (ICQ and DHCP, @home testing)
#
# Mon 7/22/00 03:32:07 AM. virtue (virtue@sdf.lonestar.org).
# Various changes, additions and additional comments.
#
# This script handles ipmasquerading, portforwarding, and has been designed
# with dynamic IP addressing in mind.
#
################################################################################
#
#
# ---------------------------------------------------------------- Interfaces -
# Local Interfaces
# This is the WAN interface that is your link to the outside world.
# WAN_IFACE="ppp0"
WAN_IFACE="eth0"
# Our local network Interface
#LAN_IFACE="eth1"
## ----------------------------------------------------------------------------
# ------------------------------------------------------------- Test for root -
#
## HB
## Just because I sometimes forget if I am root or that other guy ...
if [ "$UID" != "0" ]; then
#This is here because sometimes I forget who I am logged in as ...
echo 'You MUST be root, dummy. Bugging out!'
exit 1
fi
## -----------------------------------------------------------------------------
## -------------------------------------------------------- Test for valid IF --
# Unless we are being asked to take the firewall down, refuse to load rules
# when the WAN interface is not up (the IP lookups below would be empty).
if ! [ "$1" = "down" ] && ! ifconfig | grep $WAN_IFACE > /dev/null
then
    logger -i -t firewall Firewall failed. No network.
    echo WARNING: Failed\!\!\!
    # double quotes so the interface name is actually printed
    echo "$WAN_IFACE is not up, exiting."
    echo 'Rules are unchanged.'
    sleep 2
    exit 1
fi
## ----------------------------------------------------------------------------
# ------------------------------------------------------ Variable definitions -
#
# Set the location of ipchains and vars.
IPCHAINS="/sbin/ipchains"
# for masquerading ...
# This is our internal, private network ... on our LAN_IFACE
INTERNALNET=192.168.0.0/24
# You shouldn't need to change anything in the rest of this section
# Pull the address and netmask of the WAN interface out of ifconfig output.
LOCALIP=`ifconfig $WAN_IFACE | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
LOCALMASK=`ifconfig $WAN_IFACE | grep Mask | cut -d : -f 4`
LOCALNET="$LOCALIP/$LOCALMASK"
# I like to save my IP ...
echo "IP: $LOCALNET, saving IP to ~/myip"
echo $LOCALIP > ~/myip
# any and all addresses from wherever ...
REMOTENET="0/0"
## ---------------------------------------------------------------------------
# ------------------------------------- Flush everything, start from scratch -
echo -n "Flushing all rulesets.."
$IPCHAINS -X
echo -n "."
# flushing all chains ..
$IPCHAINS -F
echo -n "."
# clear portforwarding rules ...
#ipmasqadm portfw -f
#echo -n "."
echo "Done!"
## --------------------------------------------------------------------------
# -------------------------------------- turn off ipchains/firewalling ----
## Just so we can stop ipchains if we want. Call as 'firewall down'.
## HB
if [ "$1" = "down" ]; then
logger -i -t firewall Firewall is down.
echo "Firewall is Down `date`."
exit 0
fi
## ---------------------------------------------------------------------------
# -------------------------------------------------- Allow loopback interface -
echo -n "Loopback.."
$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
echo -n ".."
echo "Done!"
## ---------------------------------------------------------------------------
# ----------------------------------------------------IP Masquerading --------
#
## HB. Masquerading and related stuff.
# If not doing IP masquerading (NAT), comment this first part out...
echo -n "Masquerading.."
$IPCHAINS -P forward DENY
# allows all our internal boxes access to outside world ...
$IPCHAINS -A forward -j MASQ -s $INTERNALNET -d 0.0.0.0/0
# set masquerading timeouts for tcp, fin, and udp ...
echo -n "setting timeouts ... "
# MASQ timeouts
#
# 1 hr timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
$IPCHAINS -M -S 3600 10 160
## HB
# These modules are required for masquerading clients ...
echo -n "special modules..."
# modprobe ip_masq_autofw
# modprobe ip_masq_portfw
# modprobe ip_masq_mfw
# modprobe ip_masq_user
modprobe ip_masq_ftp
modprobe ip_masq_irc
modprobe ip_masq_raudio
# modprobe ip_masq_quake
# modprobe ip_masq_vdolive
# modprobe ip_masq_cuseeme
# allow forwarding for masqueraders ...
echo 1 > /proc/sys/net/ipv4/ip_forward
########################################################################
## The following section is not related to masquerading...
echo -n "/proc tweaks.."
# If you get your IP address dynamically via PPP, or DHCP, enable this following
# option. This enables dynamic-ip address hacking in IP MASQ, making life
# easier for some programs. If static IP, then comment out.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# IP Spoof protections ...
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $i
done
fi
# SYN Flood protection ...
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
# Blocking ALL ICMP echo requests ...
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Disable ICMP Redirect Acceptance
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $i
done
# Disable Source Routed Packets
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $i
done
# Starting IP Fragment Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# Starting IP ICMP Broadcast Echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Starting IP Bogus Error Response Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "Done!"
## HB dynamic DNS update stuff here ...
# Put this here since everytime my IP changes I better be running
# this script anyway ;)
#echo dyndns..
#eyepnet-updaterv1.0.sh
#echo "Done!"
## ---------------------------------------------------------------------------
# ------------------------------------------------------- Port Forwarding ----
## HB
## ipmasqadm is in a separate package from ipchains.
# # ipmasqadm portfw --help
# portfw: invalid option -- -
# Usage: portfw -a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF] add entry
# portfw -d -P PROTO -L LADDR LPORT [-R RADDR RPORT] delete entry
# portfw -f clear table
# PROTO is the protocol, can be "tcp" or "udp"
# LADDR is the local interface receiving packets to be forwarded.
# LPORT is the port being redirected .
# RADDR is the remote address.
# RPORT is the port being redirected to.
# PREF is the preference level (load balancing, default=10)
#HTTP=80
#WEBSERVER=192.168.0.3
#ipmasqadm portfw -f
#ipmasqadm portfw -a -P tcp -L $LOCALIP $HTTP -R $WEBSERVER $HTTP
## ---------------------------------------------------------------------------
# ----------------------------------Set telnet, www and FTP for minimum delay -
# This section manipulates the Type Of Service (TOS) bits of the
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel. (I don't really see much difference on my DSL connection FWIW.)
# echo -n "TOS flags.."
#
# $IPCHAINS -A output -p tcp -d 0/0 www -t 0x01 0x10
# $IPCHAINS -A output -p tcp -d 0/0 telnet -t 0x01 0x10
# $IPCHAINS -A output -p tcp -d 0/0 ftp -t 0x01 0x10
# echo -n "..."
# # Set ftp-data for maximum throughput
# $IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
# echo -n "."
#
# echo "Done!"
## ---------------------------------------------------------------------
# ---------------------------------------------------- Illegal Private IPs ---
## Just in case someone wants in with an invalid IP ...
## HB.
## Private IPs:
#
#10.0.0.0/8
#172.16.0.0/12
#192.168.0.0/16
#
## We should never see these non-routable IPs over the WAN iface.
## We'll log this stuff too ...
echo -n "Illegal IPs.."
$IPCHAINS -l -A input -i $WAN_IFACE -s 10.0.0.0/8 -d 0/0 -j DENY
$IPCHAINS -l -A input -i $WAN_IFACE -s 172.16.0.0/12 -d 0/0 -j DENY
$IPCHAINS -l -A input -i $WAN_IFACE -s 192.168.0.0/16 -d 0/0 -j DENY
$IPCHAINS -l -A input -i $WAN_IFACE -s 127.0.0.0/8 -d 0/0 -j DENY
echo -n "."
echo "Done!"
## -------------------------------------------------------------------------
# -------------------------------------- Trusted Networks and Services -
# Add in any rules to unconditionally allow connections from hosts/nets that
# might otherwise be blocked. Also any services that we want global,
# unfiltered access to (not too many!) go here ....
echo -n "Trusted Networks.."
# $IPCHAINS -A input -s [trusted host/net] -d $LOCALNET [ports] -j ACCEPT
# echo -n "."
## Our internal net ...
echo -n "internal...network...."
$IPCHAINS -A input -i eth1 -s 192.168.0.2 -d $REMOTENET -j ACCEPT
## from Harry at Image Works...
#$IPCHAINS -A input -s 204.255.224.233 -d $LOCALNET -j ACCEPT
echo -n "global services.."
# http (80)
## Let everybody access our web server ...
## putting it here since we block @home completely below.
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 80 -j ACCEPT
# smtp (25)
## Let everybody access smtp server ...
#$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 25 -j ACCEPT
# ftp (21)
## Let everybody access ftp server ...
#$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 21 -j ACCEPT
#$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 20 -j ACCEPT
echo "Done!"
## -------------------------------------------------------------------------
# -------------------------------------------------------- Banned Networks -
# Add in any rules to specifically block connections from hosts/nets that
# have been known to cause problems, IOW known trouble makers. These packets
# are logged.
# echo -n "Banned Networks.."
# This one is generic
# $IPCHAINS -A input -l -s [banned host/net] -d $LOCALNET [ports] -j DENY
# echo -n "."
# This one blocks ICMP attacks
# $IPCHAINS -A input -l -b -i $WAN_IFACE -p icmp -s [host/net] -d $LOCALNET -j DENY
# echo -n "."
# echo "Done!"
## ---------------------------------------------------------------------------
# ----------------------------------------------------- @home-specific rules -
# This @home stuff is pretty specific to me (terminus). I get massive port
# scans from my neigHBors and from pokey admins at @home, so I just got harsh
# and blocked all their stuff, with a few exceptions, listed below.
#
## HB -- I find an inordinate number of scans from this IP range as well.
echo -n "@HOME Nets.."
# so we can check mail, use the proxy server, hit @home's webpage.
# you will want to set these to your local servers, and uncomment them
# $IPCHAINS -A input -p tcp -s ha1.rdc1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s mail.tcma1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s www.tcma1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s proxy.tcma1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# echo -n "...."
# so we can resolve the above hostnames, allow dns queries back to us
# $IPCHAINS -A input -p tcp -s ns1.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s ns2.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p udp -s ns1.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p udp -s ns2.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# echo -n ".."
# linux ipchains building script page (I think)
# $IPCHAINS -A input -p tcp -s 24.128.61.117 -d $LOCALNET 1023:65535 -j ACCEPT
# echo -n "."
# Non-@home users may want to leave this uncommented, just to block all
# the wannabe crackers. Add any @home hosts you want to allow BEFORE this line.
# Blast all other @home connections into infinity and log them.
## HB -- This is good to leave in! Lots o' crackers ...
$IPCHAINS -A input -l -p tcp -s 24.0.0.0/8 -d $LOCALNET 0:1024 -j DENY
$IPCHAINS -A input -l -p udp -s 24.0.0.0/8 -d $LOCALNET 0:1024 -j DENY
# ICMP has no ports: with -p icmp ipchains reads a port spec as ICMP type/code,
# so the "0:1024" range is left off here and all ICMP from the range is denied.
$IPCHAINS -A input -l -p icmp -s 24.0.0.0/8 -d $LOCALNET -j DENY
echo -n "."
echo "Done!"
## ----------------------------------------------------------------------------
# -------------------------------------------------- High Unprivileged ports -
# These are opened up to allow sockets created by connections allowed by
# ipchains, IOW 'reverse' connections. Not a good idea to block these as many
# are dynamically assigned. We will block any SYNs here though. Those are someone
# else trying to initiate a connection to us.
echo -n "High Ports.."
# allow active ftp data connections ...
$IPCHAINS -A input -p tcp -s $REMOTENET 20 -d $LOCALNET 1024:65535 -y -j ACCEPT
# deny all other attempted connections from remote to us ... and log.
$IPCHAINS -l -A input -p tcp -s $REMOTENET -d $LOCALNET 1024:65535 -y -j DENY
# allow all other traffic (connections originated by us)...
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1024:65535 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1024:65535 -j ACCEPT
echo -n "."
echo "Done!"
## ----------------------------------------------------------------------------
# ------------------------------------------------------------ Basic Services -
# These services can be accessed by anyone except those nets/hosts that
# are explicitly blocked above. Open these up only if you really need to have
# the service running.
echo -n "Services.."
# ftp-data (20) and ftp (21)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 20 -j ACCEPT
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 21 -j ACCEPT
# echo -n ".."
# ssh (22)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 22 -j ACCEPT
# echo -n "."
# telnet (23)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 23 -j ACCEPT
# echo -n "."
# smtp (25)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALIP 25 -j ACCEPT
# echo -n "."
# DNS (53)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
# $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
# echo -n ".."
# DHCP Server (67)
## Allow this one only. If you are DHCP, you probably will need to open this up.
#$IPCHAINS -A input -p udp -s 205.151.131.254 67 -d $LOCALNET -j ACCEPT
#echo -n "."
# http (80)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 80 -j ACCEPT
# echo -n "."
# POP-3 (110)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 110 -j ACCEPT
# echo -n "."
# identd (113)
## HB -- suggested to leave this open for mail, irc, etc...
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 113 -j ACCEPT
echo -n "."
# nntp (119)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALIP 119 -j ACCEPT
# echo -n "."
# https (443)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 443 -j ACCEPT
# echo -n "."
# ICQ Services (it's a server service) (4000)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 4000 -j ACCEPT
# echo -n "."
echo "Done!"
## ----------------------------------------------------------------------------
# ---------------------------------------------------------------------- ICMP -
# echo. It is probably a good idea to leave this open. Certain protocols may
# work better with ICMP available.
# work better with ICMP available.
echo -n "ICMP Rules.."
# Log who is pinging me...
$IPCHAINS -l -A input -p icmp --icmp-type echo-request -s $REMOTENET -d $LOCALNET -j ACCEPT
echo -n ".."
# Alternately, don't allow direct pings, and log it ...
#$IPCHAINS -l -A input -p icmp --icmp-type echo-request -s $REMOTENET -d $LOCALNET -j DENY
#echo -n ".."
# Allow incoming all other ICMP types (eg destination unreachable)...
$IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT
echo -n ".."
# Allow outgoing ICMP
$IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
echo -n "...."
echo "Done!"
## ---------------------------------------------------------------------------
# -------------------------------------------------------- set default rules -
# ie, *everything* else winds up here, including privileged ports ...
# Deny everything and anything else from outside -- except what is explicitly
# allowed from above rules ...
$IPCHAINS -l -A input -j DENY
$IPCHAINS -A output -j ACCEPT
## HB
logger -i -t firewall Firewall is up.
echo ""
echo "Firewall is up `date`."
## finis
## ---------------------------------------------------------------------------
##-- eof firewall.sh -------##
--------------------------------------------------------------------------------
This second script works as a 'wrapper' for the script above. It can be
used as an init script on systems that follow the SysV style. On Red Hat
this script is usually named "/etc/rc.d/init.d/firewall". Don't forget to
make sure its +x flag is set ;-)
--------------------------------------------------------------------------------
#!/bin/sh
#
## Brings ipchains firewall up and/or down.
## Calls a secondary script where the firewall rules reside
# Mon 7/22/00 04:02:33 AM. virtue (virtue@sdf.lonestar.org).
#
# chkconfig: 35 90 40
# description: firewall.sh is a program to control ipchains.
# processname: firewall.sh
# config: /usr/local/bin/firewall.sh
# pidfile:
#
#########################################################
#
# The "RULES" script is where all the real work is done.
# It needs to be executable (chmod +x)
RULES=/usr/local/bin/firewall.sh
if ! [ -f $RULES ]; then
echo "$RULES cannot be found, yikes!"
exit 1
fi
if ! [ -x $RULES ]; then
echo "$RULES is not an executable file!"
exit 1
fi
case "$1" in
start)
$RULES
exit $?
;;
stop)
$RULES down
exit $?
;;
status)
ipchains -n -v -L
exit 0
;;
*)
echo "Usage: $0 [start|stop|status]"
exit 1
;;
esac
#--- eof firewall
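The article advises listing LISTENing services with 'netstat -a | grep LISTEN', and firewall.sh ends with a default DENY, so only services matched by an explicit ACCEPT from $REMOTENET are reachable from the WAN. The POSIX shell audit below joins the two checks; it is an added example, not part of the article or of firewall.sh, the netstat output is constructed, the rule lines are the two ACCEPTs firewall.sh leaves active (http 80, identd 113), and the function names are my own.

```shell
#!/bin/sh
# Added example: which listening services does firewall.sh actually expose?
# A port is "exposed" if it is bound on 0.0.0.0 and an ACCEPT rule opens it
# from $REMOTENET; otherwise the final "$IPCHAINS -l -A input -j DENY" catches it.

# Constructed 'netstat -an' style output (what the article tells you to check).
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN'

# The ACCEPT rules firewall.sh leaves uncommented for $REMOTENET -> $LOCALNET.
RULES_SAMPLE='$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 80 -j ACCEPT
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 113 -j ACCEPT'

# listening_ports: ports of LISTEN sockets bound to all interfaces (0.0.0.0).
# Loopback-only sockets are skipped: they are unreachable from the WAN anyway.
listening_ports() {
    printf '%s\n' "$1" | awk '$NF == "LISTEN" && $4 ~ /^0\.0\.0\.0:/ {
        split($4, a, ":"); print a[2] }'
}

# accepted_ports: the port following "-d $LOCALNET" in each ACCEPT rule
# whose source is $REMOTENET (the literal variable names, as in the script).
accepted_ports() {
    printf '%s\n' "$1" | awk '/-s \$REMOTENET/ && /-j ACCEPT/ {
        for (i = 1; i < NF; i++) if ($i == "$LOCALNET") print $(i+1) }'
}

# exposure_report: one line per listening port, "<port> exposed" or "<port> denied".
exposure_report() {
    listen=$(listening_ports "$1")
    accept=$(accepted_ports "$2")
    for p in $listen; do
        state=denied
        for a in $accept; do
            if [ "$p" = "$a" ]; then state=exposed; fi
        done
        echo "$p $state"
    done
}

# Convenience filters over the report, returning a space-separated port list.
exposed_ports() {
    exposure_report "$1" "$2" | awk '$2 == "exposed" {print $1}' | tr '\n' ' ' | sed 's/ $//'
}
denied_ports() {
    exposure_report "$1" "$2" | awk '$2 == "denied" {print $1}' | tr '\n' ' ' | sed 's/ $//'
}

exposure_report "$NETSTAT_SAMPLE" "$RULES_SAMPLE"
```

On a real host, replace the two constructed strings with `netstat -an` output and `grep ACCEPT firewall.sh`; a port that shows up as exposed but should not be is the one to close, and a service that is denied but needed belongs in the Basic Services section.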