Add IpTables to secure the seedbox


#1

Hi,

I want to add an Iptables to secure more the quickbox ;

#!/bin/bash
### BEGIN INIT INFO
# Provides: firewall rules
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start daemon at boot time
# Description: Enable service provided by daemon.
### END INIT INFO
#!/bin/sh

# On vire tout

iptables -t filter -F
iptables -L
iptables -Z

# Vider les règles personnelles

iptables -t filter -X
echo - Vidage : [OK]

# Interdire toute connexion entrante et sortante

iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
echo - Interdire toute connexion : [OK]

#Filtres Anti Hadopi et Autres Lourds

iptables -t filter -I INPUT -p all -s 61.174.51.0/24,61.64.128.0/17,116.10.191.0/24,122.120.0.0/13,168.95.0.0/16 -j DROP
iptables -t filter -I INPUT -p all -s 5.23.42.12/30,90.80.100.192/28,195.5.217.72/29,194.79.189.240/29 -j DROP
iptables -t filter -I INPUT -p all -s 82.138.70.128/26,82.138.74.0/25,91.189.104.0/21,193.107.240.0/22,195.191.244.0/23,193.105.197.0/24 -j DROP
iptables -t filter -A INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
echo - Blocage indésirable : [OK]

# On garde les connexions etablies

iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo - Connexion actuelle : [OK]

# Autoriser le loopback (reseau local)

iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo - LOOPBACK : [OK]

# ICMP (ping)

iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo - ICMP : [OK]

# DNS (bind)

iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT

iptables -t filter -A OUTPUT -p tcp --dport 953 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 953 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 953 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 953 -j ACCEPT
echo - BIND : [OK]

# APACHE : HTTP + HTTPS

iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
echo - web : [OK]

# Mail SMTP:25 - Pour acces gmail ajouter 587

iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
echo - SMTP : [OK]

# NTP Horloge synchro

iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
echo - NTP : [OK]

# SSH numeros de Port a changer (XXXX) en rapport avec : : "/etc/ssh/sshd_config" on remplace XXXX par votre port ssh par exemple 22

iptables -t filter -A INPUT -p tcp --dport 4747 -m recent --rcheck --seconds 60 --hitcount 2 --name SSH -j LOG --log-prefix "SSH REJECT"
iptables -t filter -A INPUT -p tcp --dport 4747 -m recent --update --seconds 60 --hitcount 2 --name SSH -j DROP
iptables -t filter -A INPUT -p tcp --dport 4747 -m state --state NEW -m recent --set --name SSH -j ACCEPT
echo - Autoriser SSH : [OK]

# OUVERTURE QUICKBOX
# RPORT

iptables -t filter -A INPUT -p tcp --dport 2000:61000 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 2000:61000 -j ACCEPT
iptables -t filter -A INPUT -m udp -p udp --dport 2000:61000 -j ACCEPT
iptables -t filter -A OUTPUT -m udp -p udp --dport 2000:61000 -j ACCEPT

# WEBPORT

iptables -t filter -A INPUT -p tcp --dport 8115:8145 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 8115:8145 -j ACCEPT
iptables -t filter -A INPUT -m udp -p udp --dport 8115:8145 -j ACCEPT
iptables -t filter -A OUTPUT -m udp -p udp --dport 8115:8145 -j ACCEPT

# Rtorrent a vous de mettre les bons ports surtout pour le port d'annonce tracker

iptables -t filter -A INPUT -p tcp --dport 6890:6999 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 6890:6999 -j ACCEPT
iptables -t filter -A INPUT -m udp -p udp --dport 6881:6999 -j ACCEPT
iptables -t filter -A OUTPUT -m udp -p udp --dport 6881:6999 -j ACCEPT

iptables -t filter -A INPUT -p tcp --dport 6400 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 6400 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 6400 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 6400 -j ACCEPT

iptables -t filter -A INPUT -p tcp --dport 35000 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 35000 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 35000 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 35000 -j ACCEPT

iptables -t filter -A INPUT -p tcp --dport 2086 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 2086 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 2086 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 2086 -j ACCEPT

iptables -t filter -A OUTPUT -p tcp -m tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
echo - RTORRENT : [OK]

#Decommenter ci-dessous les services que vous utilisez

# FTP (BACKUP)
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT

# Mail POP3:110
# iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

# Mail IMAP:143

# iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

# Mail POP3S:995

# iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT

# WEBMIN
# iptables -t filter -A INPUT -p tcp --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --dport 10000 -m state --state ESTABLISHED -j ACCEPT

But about this :

RPORT

iptables -t filter -A INPUT -p tcp --dport 2000:61000 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 2000:61000 -j ACCEPT
iptables -t filter -A INPUT -m udp -p udp --dport 2000:61000 -j ACCEPT
iptables -t filter -A OUTPUT -m udp -p udp --dport 2000:61000 -j ACCEPT

WEBPORT

iptables -t filter -A INPUT -p tcp --dport 8115:8145 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 8115:8145 -j ACCEPT
iptables -t filter -A INPUT -m udp -p udp --dport 8115:8145 -j ACCEPT
iptables -t filter -A OUTPUT -m udp -p udp --dport 8115:8145 -j ACCEPT

the plage port seems to be a bit to large . 2000:61000 if i want to do it smaller . i have to change it in /etc/QuickBox/setup/templates/bashrc.template ?

any idea ?
what d you thnk about this script ?