author | root <root@pompom.softgrouphosting.net> | 2009-11-20 14:26:26 -0500 |
---|---|---|
committer | root <root@pompom.softgrouphosting.net> | 2009-11-20 14:26:26 -0500 |
commit | 549fa35bd35c5e6356099ad3ac6f4392aa0acd23 (patch) | |
tree | 44eb51894096d5cecbb1344b6f1705ba6dd2228d | |
download | iptables_scripts-549fa35bd35c5e6356099ad3ac6f4392aa0acd23.tar.bz2 iptables_scripts-549fa35bd35c5e6356099ad3ac6f4392aa0acd23.tar.xz iptables_scripts-549fa35bd35c5e6356099ad3ac6f4392aa0acd23.zip |
Splitting from dev_urandom
-rw-r--r-- | firewall | 179 | ||||
-rw-r--r-- | firewall.conf | 60 |
2 files changed, 239 insertions, 0 deletions
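diff --git a/firewall b/firewall
new file mode 100644
index 0000000..d19f0ce
--- /dev/null
+++ b/firewall
@@ -0,0 +1,179 @@
+# Make sure we have all the commands to continue
+if [[ ! `which iptables` || ! `which ifconfig` || ! `which grep` || ! `which sed` ]]; then
+echo 'Essential commands are missing. Can not continue.'
+exit 1
+fi
+
+# Check for root
+if [[ $UID != 0 ]]; then
+echo 'You are not root.'
+exit 1
+fi
+
+# First set LC_ALL to en to avoid l10n problems when awk-ing IPs etc.
+export LC_ALL="en"
+
+# Source our configuration file
+source /etc/firewall.conf
+
+# Go into lockdown mode while we setup the rules
+iptables -P INPUT DROP
+iptables -P OUTPUT DROP
+iptables -P FORWARD DROP
+
+# Flush all existing chains and erase personal chains
+CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
+for i in $CHAINS; do
+iptables -t $i -F
+iptables -t $i -X
+done
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+
+# Source Address Verification
+for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
+echo 1 > $f
+done
+
+# Disable IP source routing and ICMP redirects
+for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
+echo 0 > $f
+done
+for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
+echo 0 > $f
+done
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+# Determine the IP/Broadcast/Netmask for the outside interface
+# dynamically by grepping ifconfig commands
+#
+# Due to absence of EXTBC in ifconfig output I manually set it
+# to 255.255.255.255 this hopefully will serve the same purpose
+EXTIP="`ifconfig $EXTIF|grep addr:|sed 's/.*addr:\([^ ]*\) .*/\1/'`"
+EXTBC="255.255.255.255"
+EXTMSK="`ifconfig $EXTIF|grep Mask:|sed 's/.*Mask:\([^ ]*\)/\1/'`"
+EXTNET="$EXTIP/$EXTMSK"
+echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
+
+# Determine the IP/Broadcast/Netmask for the outside interface
+# dynamically by grepping ifconfig commands
+INTIP="`ifconfig $INTIF|grep addr:|sed 's/.*addr:\([^ ]*\) .*/\1/'`"
+INTBC="`ifconfig $INTIF|grep Bcast:|sed 's/.*Bcast:\([^ ]*\) .*/\1/'`"
+INTMSK="`ifconfig $INTIF|grep Mask:|sed 's/.*Mask:\([^ ]*\)/\1/'`"
+INTNET="$INTIP/$INTMSK"
+echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"
+
+# We are now going to create a few custom chains that will result in
+# logging of dropped packets. This will enable us to avoid having to
+# enter a log command prior to every drop we wish to log. The
+# first will be first log drops the other will log rejects.
+# Do not complain if chain already exists (so restart is clean)
+iptables -N DROPl 2> /dev/null
+iptables -A DROPl -j LOG --log-prefix 'DROPl:'
+iptables -A DROPl -j DROP
+iptables -N REJECTl 2> /dev/null
+iptables -A REJECTl -j LOG --log-prefix 'REJECTl:'
+iptables -A REJECTl -j REJECT
+
+# Now we are going to accpet all traffic from our loopback device
+# if the IP matches any of our interfaces.
+iptables -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
+iptables -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
+iptables -A INPUT -i $LPDIF -s $INTIP -j ACCEPT
+
+# Blocking Broadcasts
+iptables -A INPUT -i $EXTIF -d $EXTBC -j DROPl
+iptables -A INPUT -i $INTIF -d $INTBC -j DROPl
+iptables -A OUTPUT -o $EXTIF -d $EXTBC -j DROPl
+iptables -A OUTPUT -o $INTIF -d $INTBC -j DROPl
+iptables -A FORWARD -o $EXTIF -d $EXTBC -j DROPl
+iptables -A FORWARD -o $INTIF -d $INTBC -j DROPl
+
+# Block WAN access to internal network
+#
+# This also stops nefarious crackers from using our network as a
+# launching point to attack other people
+iptables -A INPUT -i $EXTIF -d ! $EXTIP -j DROPl
+
+# Now we will block internal addresses originating from anything but our
+# two predefined interfaces... just remember that if you jack your
+# your laptop or another pc into one of these NIC's directly, you'll need
+# to ensure that they either have the same ip or that you add a line explicitly
+# for that IP as well
+iptables -A INPUT -i $INTIF -s ! $INTNET -j DROPl
+iptables -A OUTPUT -o $INTIF -d ! $INTNET -j DROPl
+iptables -A FORWARD -i $INTIF -s ! $INTNET -j DROPl
+iptables -A FORWARD -o $INTIF -d ! $INTNET -j DROPl
+
+# An additional Egress check
+iptables -A OUTPUT -o $EXTIF -s ! $EXTNET -j DROPl
+
+# Block outbound ICMP (except for PING)
+iptables -A OUTPUT -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
+iptables -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
+
+# Explicitly block TCP ports
+for i in $TCPBLOCK; do
+iptables -A INPUT -p tcp --dport $i -j DROPl
+iptables -A OUTPUT -p tcp --dport $i -j DROPl
+iptables -A FORWARD -p tcp --dport $i -j DROPl
+done
+
+# Explicitly block UDP ports
+for i in $UDPBLOCK; do
+iptables -A INPUT -p udp --dport $i -j DROPl
+iptables -A OUTPUT -p udp --dport $i -j DROPl
+iptables -A FORWARD -p udp --dport $i -j DROPl
+done
+
+# Open inbound service ports
+for i in $INPORTS; do
+iptables -A INPUT -p tcp --dport $i -j ACCEPT
+done
+
+iptables -A FORWARD -t filter -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -t filter -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# Opening up ftp connection tracking
+MODULES="ip_nat_ftp ip_conntrack_ftp"
+for i in $MODULES; do
+modprobe $i
+done
+
+# Allow inside systems to use external services
+for i in $TCPSERV; do
+iptables -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
+iptables -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT
+done
+
+for i in $UDPSERV; do
+iptables -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT
+iptables -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i -m state --state NEW -j ACCEPT
+done
+
+# Allow to ping out
+iptables -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT
+iptables -A FORWARD -i $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT
+
+# Allow firewall to ping internal systems
+iptables -A OUTPUT -o $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT
+
+# Allow a few services internally
+iptables -A OUTPUT -o $INTIF -p tcp -s $INTNET --dport 80 -m state --state NEW -j ACCEPT
+iptables -A OUTPUT -o $INTIF -p tcp -s $INTNET --dport 443 -m state --state NEW -j ACCEPT
+iptables -A INPUT -i $INTIF -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
+
+# Setup dynamic NAT
+iptables -t nat -A PREROUTING -j ACCEPT
+iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
+iptables -t nat -A POSTROUTING -j ACCEPT
+iptables -t nat -A OUTPUT -j ACCEPT
+iptables -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Block and log what me may have forgot
+iptables -A INPUT -j DROPl
+iptables -A OUTPUT -j REJECTl
+iptables -A FORWARD -j DROPl
\ No newline at end of file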
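Review bot: The FORWARD rule that matches `-i $EXTIF` with `--state NEW,ESTABLISHED,RELATED` lets hosts on the outside initiate new sessions toward the internal network, which contradicts the "Block WAN access to internal network" comment earlier in the file; only replies should be accepted in that direction, i.e. `iptables -A FORWARD -t filter -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT`. The script has no shebang although it relies on `[[ ]]` and `$UID`, so it should start with `#!/bin/bash`, and `source /etc/firewall.conf` runs unconditionally: if the file is missing or unreadable, `$EXTIF`/`$INTIF` are empty, `ifconfig $EXTIF` then lists every interface, and the derived addresses and every unquoted `-s`/`-d` argument afterwards are malformed while the script keeps going because nothing checks exit codes; guard it with `[[ -r /etc/firewall.conf ]] || exit 1` before sourcing. The later `iptables -A INPUT -p tcp --dport auth --syn ... -j ACCEPT` is presumably never reached, since the TCPBLOCK loop has already appended a DROPl for every port in COMBLOCK (which contains 113) to INPUT; either drop the dead rule or document why it is kept.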
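diff --git a/firewall.conf b/firewall.conf
new file mode 100644
index 0000000..78f873b
--- /dev/null
+++ b/firewall.conf
@@ -0,0 +1,60 @@
+EXTIF=eth1 # External interface
+INTIF=eth0 # Internal interface
+
+# Loop device/localhost
+LPDIF=lo
+LPDIP=127.0.0.1
+LPDMSK=255.0.0.0
+LPDNET="$LPDIP/$LPDMSK"
+
+# Defining some common chat clients. Remove these from your accepted list for better security.
+# ICQ and AOL are 5190
+# MSN is 1863
+# Y! is 5050
+# Jabber is 5222
+# Y! and Jabber ports not added by author and therefore left out of the script
+IRC='ircd'
+MSN=1863
+ICQ=5190
+YIM=5050
+AIM=5190
+NFS='sunrpc'
+PORTAGE='rsync'
+OpenPGP_HTTP_Keyserver=11371
+
+# All services ports are read from /etc/services
+TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s time $PORTAGE $YIM $AIM"
+UDPSERV="domain time"
+
+INPORTS="ssh http"
+
+# COMmon ports:
+# 0 is tcpmux; SGI had vulnerability, 1 is common attack
+# 13 is daytime
+# 98 is Linuxconf
+# 111 is sunrpc (portmap)
+# 137:139, 445 is Microsoft
+# SNMP: 161,2
+# Squid flotilla: 3128, 8000, 8008, 8080
+# 1214 is Morpheus or KaZaA
+# 2049 is NFS
+# 3049 is very virulent Linux Trojan, mistakable for NFS
+# Common attacks: 1999, 4329, 6346
+# Common Trojans 12345 65535
+COMBLOCK="0:1 13 98 111 113 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"
+
+# TCP ports:
+# 98 is Linuxconf
+# 512-515 is rexec, rlogin, rsh, printer(lpd)
+# [very serious vulnerabilities; attacks continue daily]
+# 1080 is Socks proxy server
+# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
+# Block 6112 (Sun's/HP's CDE)
+TCPBLOCK="$COMBLOCK 98 512:515 1080 3330 1128 3054 6000:6009 6112"
+
+# UDP ports:
+# 161:162 is SNMP
+# 520 is RIP
+# 9000 is Sangoma
+# 517:518 are talk and ntalk (more annoying than anything)
+UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"
\ No newline at end of file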
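Review bot: TCPSERV ends with `$YIM $AIM` even though the comment block above it says the chat-client ports should be removed from the accepted list and that the Y! port was "not added by author and therefore left out of the script"; either remove those two expansions from TCPSERV or rewrite the comment so the configuration and its documentation agree. TCPBLOCK also lists 3330, 1128 and 3054, and UDPBLOCK lists 123 and 1427, none of which the surrounding port commentary explains; a one-line comment per undocumented port, in the same style as the existing ones, would let the next editor judge whether the entry is still wanted. Because this file is executed as shell when the firewall script sources it, its contents are effectively code running as root; a header comment such as `# Sourced by the firewall script as root: keep this file root-owned and not group/world-writable` documents that expectation where it is most likely to be seen.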