Zimbra: Firewall Script

May 9, 2009 Zimbra

Zimbra is a great mail server replacement for Exchange.  When you install Zimbra it suggests that you do not install a firewall…well, that sounds like they want their program to work at your expense.  Anyway, here is the firewall that I am currently using; it works fine.   Note that as an administrator you can limit access to the administrator port to your own IP, which is a good idea, and I often limit access to the web interface as well.  The firewall has a number of variables that you can edit so you can drop it into your system.  Of course…use at your own risk.

Place the script in a file /etc/rc.d/rc.firewall and make it executable with chmod 755 rc.firewall.  Then add a line to your /etc/rc.d/rc.local so that it starts up each time you boot; the line should look like this:

sh /etc/rc.d/rc.firewall
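Before installing, it is worth checking that every placeholder at the top of the script has actually been replaced: the script sets the INPUT and OUTPUT policies to DROP and only opens SSH for $ADMIN and $SPECIAL, so running it with the stock values still in place cuts off a remote session. The pre-flight check below is an added example, not part of the original post or of Zimbra; it assumes the variables are assigned on their own lines as VAR="value", and the addresses in the sample copies (192.168.5.x, 203.0.113.5, 198.51.100.7) are invented for the demonstration.

```shell
#!/bin/sh
# Added pre-flight check for the firewall script (example code, not part of
# the original post). It reads the VAR="value" assignments from a copy of the
# script and refuses to install until every address-type variable holds a
# syntactically valid IPv4 address or network, so the DROP policies never go
# live with "mail_server_ip" or "admin_ip_address" still in them.

# is_ipv4 ADDR: succeed if ADDR is four decimal octets in 0..255
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1                      # split the dotted quad into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric field
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_cidr NET: succeed if NET is ADDR/PREFIX with PREFIX in 0..32 (LAN_ADDRESSES form)
is_cidr() {
    case $1 in
        */*) ;;
        *) return 1 ;;
    esac
    prefix=${1#*/}
    is_ipv4 "${1%/*}" || return 1
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ]
}

# is_net NET: succeed if NET is ADDR/MASK with both halves dotted quads (LAN_NET form)
is_net() {
    case $1 in
        */*) is_ipv4 "${1%/*}" && is_ipv4 "${1#*/}" ;;
        *) return 1 ;;
    esac
}

# script_var FILE VAR: print the value of the first VAR="value" line in FILE
script_var() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_firewall_vars FILE: report every address variable that is still a
# placeholder (or otherwise malformed); succeed only when all of them are valid
check_firewall_vars() {
    bad=0
    for var in LAN_IP LAN_BROADCAST LAN_NETMASK NAMESERVER ADMIN SPECIAL; do
        val=$(script_var "$1" "$var")
        is_ipv4 "$val" || { echo "$var=\"$val\" is not an IPv4 address"; bad=1; }
    done
    val=$(script_var "$1" LAN_ADDRESSES)
    is_cidr "$val" || { echo "LAN_ADDRESSES=\"$val\" is not a CIDR network"; bad=1; }
    val=$(script_var "$1" LAN_NET)
    is_net "$val" || { echo "LAN_NET=\"$val\" is not an address/netmask pair"; bad=1; }
    return $bad
}

# Constructed samples: the stock placeholders with only LAN_IP filled in, and a
# fully filled-in copy (all addresses invented for this demonstration).
BAD_SAMPLE=$(mktemp); GOOD_SAMPLE=$(mktemp)
trap 'rm -f "$BAD_SAMPLE" "$GOOD_SAMPLE"' EXIT
cat > "$BAD_SAMPLE" <<'EOF'
LAN_INTERFACE="eth0"
LAN_IP="192.168.5.10"
LAN_ADDRESSES="cidr_subnet..ex. 192.168.5.0/24"
LAN_NET="subnet..ex. 192.168.5.0/255.255.255.0"
LAN_BROADCAST="network_broadcast"
LAN_NETMASK="netmask...ex. 255.255.255.0"
NAMESERVER="ip_dns_server"
ADMIN="admin_ip_address"
SPECIAL="2nd_admin_ip"
EOF
cat > "$GOOD_SAMPLE" <<'EOF'
LAN_INTERFACE="eth0"
LAN_IP="192.168.5.10"
LAN_ADDRESSES="192.168.5.0/24"
LAN_NET="192.168.5.0/255.255.255.0"
LAN_BROADCAST="192.168.5.255"
LAN_NETMASK="255.255.255.0"
NAMESERVER="192.168.5.1"
ADMIN="203.0.113.5"
SPECIAL="198.51.100.7"
EOF

# report FILE LABEL: print the verdict for one copy of the script
report() {
    if check_firewall_vars "$1"; then
        echo "$2: all address variables set, safe to install"
    else
        echo "$2: fix the values above before running the firewall"
    fi
}
report "$BAD_SAMPLE" "placeholder copy"
report "$GOOD_SAMPLE" "filled-in copy"
```

To use it on a real copy, run check_firewall_vars /etc/rc.d/rc.firewall from a console session (not over SSH) and only add the rc.local line once it passes; the check is purely syntactic, so it will not catch a correctly formed but wrong ADMIN address.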

#!/bin/bash
# This script comes with no warranty …use at own risk
# Copyright (C) 2009  Mike Weber
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#
LAN_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
########################################
# Enter Your LAN IP Address            #
########################################
LAN_IP="mail_server_ip"
########################################
# Enter LAN Subnet                     #
########################################
LAN_ADDRESSES="cidr_subnet..ex. 192.168.5.0/24"
LAN_NET="subnet..ex. 192.168.5.0/255.255.255.0"
########################################
# Enter Broadcast Address              #
########################################
LAN_BROADCAST="network_broadcast"
########################################
# Enter Your Netmask                   #
########################################
LAN_NETMASK="netmask...ex. 255.255.255.0"
########################################
# Enter Your DNS Server                #
########################################
NAMESERVER="ip_dns_server"

LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/4"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

#############################################
# Enter the IP Address of the Administrator #
# The only IP to Access the Hardware Node   #
#############################################
ADMIN="admin_ip_address"

#############################################
# Special Temporary Access Site             #
#############################################
SPECIAL="2nd_admin_ip"

#############################################
# Set to 1 to add the stateful (NEW) DNS    #
# rules tested for further down             #
#############################################
CONNECTION_TRACKING="1"

##################################################
# Disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
done
# Don't send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > "$f"
done
# Drop spoofed packets (reverse path filtering)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
##################################################
# remove existing rules
iptables --flush
iptables -t mangle --flush

# Unlimited traffic on the loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set default policy to Drop
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP

# Remove pre-existent chains
iptables --delete-chain
###################################################
# DNS to SERVER                                   #
###################################################
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -j ACCEPT
##################################################
# Stealth Scans and TCP State Flags              #
##################################################
# All bits cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
#######################################################
# Connection State to By-Pass Rule Checking
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
######################################################
# SSH ACCESS TO SERVER                               #
######################################################
iptables -A INPUT -p tcp -s $ADMIN --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --destination $ADMIN -j ACCEPT
iptables -A INPUT -p tcp -s $SPECIAL --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --destination $SPECIAL -j ACCEPT
######################################################
# Zimbra Access
iptables -A INPUT -p tcp -s $ADMIN --dport 7071 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

######################################################
# Limit Access to DNS Server                         #
######################################################
#if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o $LAN_INTERFACE -p udp -s $LAN_IP --sport 1024:65535 -d $NAMESERVER --dport 53 -m state --state NEW -j ACCEPT
#fi
iptables -A OUTPUT -o $LAN_INTERFACE -p udp -s $LAN_IP --sport 1024:65535 -d $NAMESERVER --dport 53 -j ACCEPT

iptables -A INPUT -i $LAN_INTERFACE -p udp -s $NAMESERVER --sport 53 -d $LAN_IP --dport 1024:65535 -j ACCEPT

iptables -A INPUT -p udp --sport 1024:65535 --destination $LAN_IP --dport 53 -j ACCEPT
iptables -A INPUT -p udp --destination $LAN_IP --dport 53 -j ACCEPT

if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o $LAN_INTERFACE -p tcp -s $LAN_IP --sport 1024:65535 -d $NAMESERVER --dport 53 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o $LAN_INTERFACE -p tcp -s $LAN_IP --sport 1024:65535 -d $NAMESERVER --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_INTERFACE -p tcp -s $NAMESERVER --sport 53 -d $LAN_IP --dport 1024:65535 -j ACCEPT

iptables -A OUTPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
#######################################################
# Mail Server                                         #
#######################################################
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp ! --syn --sport 25 -d $LAN_IP --dport 1024:65535 -j ACCEPT

iptables -A INPUT -p tcp --sport 1024:65535 -d $LAN_IP --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --sport 1024:65535 -d $LAN_IP --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp ! --syn -s $LAN_IP --sport 25 --dport 1024:65535 -j ACCEPT
#######################################################
# IMAP                                                #
#######################################################
iptables -A INPUT -p tcp --sport 1024:65535 -d $LAN_IP --dport 993 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --sport 1024:65535 -d $LAN_IP --dport 993 -j ACCEPT
iptables -A OUTPUT -p tcp ! --syn -s $LAN_IP --sport 993 -d 0.0.0.0/0 --dport 1024:65535 -j ACCEPT

iptables -A INPUT -p tcp -s 0.0.0.0/0 --sport 1024:65535 -d $LAN_IP --dport 143 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --sport 1024:65535 -d $LAN_IP --dport 143 -j ACCEPT
iptables -A OUTPUT -p tcp ! --syn -s $LAN_IP --sport 143 -d 0.0.0.0/0 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --destination $LAN_IP --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -s $ADMIN --destination $LAN_IP --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --destination $LAN_IP -j DROP
#iptables -A INPUT -p udp --destination $LAN_IP -j DROP
#iptables -A INPUT -p icmp --destination $LAN_IP -j DROP
#iptables -A OUTPUT -p tcp --destination $LAN_IP -j DROP
#iptables -A OUTPUT -p udp --destination $LAN_IP -j DROP
#iptables -A OUTPUT -p icmp --destination $LAN_IP -j DROP
#####################################################
# ClamAV signature update mirrors
iptables -A OUTPUT -p tcp -d 208.67.80.27 --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -d 209.8.40.140 --dport 80 -j ACCEPT
iptables -A INPUT  -p tcp -s 208.67.80.27 -j ACCEPT
iptables -A OUTPUT -p tcp -d 65.120.238.2 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 209.8.40.140 -j ACCEPT
iptables -A INPUT -p tcp -s 128.121.60.235 -j ACCEPT
iptables -A OUTPUT -p tcp -d 128.121.60.235 --dport 80 -j ACCEPT
#########################################################
#iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: "
#iptables -A INPUT -m state --state INVALID -j DROP
#iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: "
#iptables -A OUTPUT -m state --state INVALID -j DROP
###########################################################
# Source Address Spoofing/Bad Addresses
# Refuse spoofed packets (our own address arriving as a source)
iptables -A INPUT -s $LAN_IP -j DROP
iptables -A OUTPUT -o $LAN_INTERFACE ! -s $LAN_IP -j DROP
# Refuse malformed broadcast packets
iptables -A INPUT -i $LAN_INTERFACE -d $BROADCAST_SRC -j DROP
# Don't forward limited broadcast either way
iptables -A INPUT ! -p udp -d $CLASS_D_MULTICAST -j DROP
#########################################################
# ICMP control and status messages
# Log and drop initial ICMP fragments
iptables -A INPUT --fragment -p icmp -j LOG --log-prefix "Fragmented incoming ICMP: "
iptables -A INPUT --fragment -p icmp -j DROP

iptables -A OUTPUT --fragment -p icmp -j LOG --log-prefix "Fragmented outgoing ICMP: "
iptables -A OUTPUT --fragment -p icmp -j DROP
iptables -A INPUT  -p icmp --icmp-type source-quench -d $LAN_IP -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT

iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT

iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A OUTPUT -o $LAN_INTERFACE -p icmp --icmp-type destination-unreachable -d $LAN_ADDRESSES -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT

# Don't Log outgoing ICMP error messages
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
# Intermediate traceroute responses
#iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
#--destination $LAN_ADDRESSES -j ACCEPT
#################################################
# LOGS                                          #
#################################################
iptables -A INPUT -i $LAN_INTERFACE -j LOG
iptables -A OUTPUT -j LOG
exit 0
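Once the script has run, the useful check is what the loaded INPUT chain actually admits, since iptables takes the first matching rule: the admin-only rule for port 80 near the end of the script sits behind the earlier rule that accepts port 80 from anywhere, and the first DNS rule accepts any UDP datagram whose source port is 53, whatever its destination port. The audit below is an added example, not code from the original post; it assumes the line format printed by iptables -S INPUT, and the rule dump it parses is constructed to mirror the script above with invented addresses (192.168.5.10 for the server, 203.0.113.5 and 198.51.100.7 for the two admin hosts).

```shell
#!/bin/sh
# Added post-install audit (example code, not part of the original post).
# Reads the INPUT chain as printed by "iptables -S INPUT" and lists, for every
# ACCEPT rule, the protocol, destination port and admitted source, so a port
# that is reachable from any source stands out even when an admin-only rule
# for the same port appears later in the chain.

# accepted_ports RULES_FILE: print "proto port source" for each INPUT ACCEPT
# rule in chain order. port is "any" when the rule has no --dport, source is
# "any" when it has no -s match. The ESTABLISHED,RELATED bypass and the
# loopback rule are skipped because they admit no new connections of their own.
accepted_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && / -j ACCEPT/ && !/ESTABLISHED/ && !/ -i lo / {
        proto = "all"; src = "any"; port = "any"
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "-s") src = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        print proto, port, src
    }' "$1"
}

# exposed_ports RULES_FILE: "proto port" for every rule admitting any source,
# in chain order, duplicates removed
exposed_ports() {
    accepted_ports "$1" | awk '$3 == "any" && !seen[$1 FS $2]++ { print $1, $2 }'
}

# restricted_ports RULES_FILE: "proto port" reachable only from named sources,
# i.e. ports with a -s rule and no any-source rule anywhere in the chain
restricted_ports() {
    accepted_ports "$1" | awk '
        $3 == "any" { open[$1 FS $2] = 1 }
        $3 != "any" { limited[$1 FS $2] = 1 }
        END { for (k in limited) if (!(k in open)) print k }' | sort
}

# Constructed rule dump in "iptables -S INPUT" form, mirroring the script
# above with the placeholders filled in (addresses invented for this example).
RULES=$(mktemp)
trap 'rm -f "$RULES"' EXIT
cat > "$RULES" <<'EOF'
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 7071 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 192.168.5.10/32 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
-A INPUT -d 192.168.5.10/32 -p tcp -m tcp --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.5.10/32 -p tcp -m tcp --sport 1024:65535 --dport 993 -j ACCEPT
-A INPUT -d 192.168.5.10/32 -p tcp -m tcp --sport 1024:65535 --dport 143 -j ACCEPT
-A INPUT -s 203.0.113.5/32 -d 192.168.5.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
EOF

echo "Accepted from any source (proto port):"
exposed_ports "$RULES" | sed 's/^/  /'
echo "Accepted only from named sources (proto port):"
restricted_ports "$RULES" | sed 's/^/  /'
```

Against the constructed dump the first list shows "udp any" (the --sport 53 rule), tcp 80, udp 53, tcp 25, tcp 993 and tcp 143, and the second shows only tcp 22 and tcp 7071; on a live box, save the chain with iptables -S INPUT > /tmp/input-rules and pass that file to the same functions.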
