Adding new changes from pompom

author: root <root@pompom.softgrouphosting.net> 2009-11-20 14:28:12 -0500
committer: root <root@pompom.softgrouphosting.net> 2009-11-20 14:28:12 -0500
commit: 5f73cc6cde571cd52f317d56fb1087169ebea7e0 (patch)
tree: 737401e4d466135bddc0f4f4e3bf58edacedff2a
parent: 549fa35bd35c5e6356099ad3ac6f4392aa0acd23 (diff)
download: iptables_scripts-5f73cc6cde571cd52f317d56fb1087169ebea7e0.tar.bz2
iptables_scripts-5f73cc6cde571cd52f317d56fb1087169ebea7e0.tar.xz
iptables_scripts-5f73cc6cde571cd52f317d56fb1087169ebea7e0.zip
8 files changed, 282 insertions, 236 deletions
diff --git a/filterwall.sh b/filterwall.sh
new file mode 100755
index 0000000..deba71f
--- /dev/null
+++ b/filterwall.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+#
+# Log Filter/Firewall Generator
+# by Mike Crute (mcrute@gmail.com)
+# on November 20, 2009
+#
+# Script to scrape over logfiles and generate blocked-ip
+# list for people abusing machine services. This is designed
+# to be run as a cron.
+#
+BLOCK_FILE=/etc/firewall/blocked-ips
+# Filter SSHD Abusers
+egrep "sshd\[[0-9]+\]: Failed password for" /var/log/auth.log | \
+        egrep -o '([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | \
+        awk '{ a[$1]++ } END { for (i in a) { if (a[i] > 10) { print i }}}' \
+>> $BLOCK_FILE
+# Filter FTP Abusers
+grep 'FAIL LOGIN: Client' /var/log/vsftpd.log | \
+        egrep -o '([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | \
+        awk '{ a[$1]++ } END { for (i in a) { if (a[i] > 10) { print i }}}' \
+>> $BLOCK_FILE
+# De-dup the filter file.
+cat $BLOCK_FILE | sort -u > $BLOCK_FILE.tmp
+mv $BLOCK_FILE.tmp $BLOCK_FILE
+# Refresh the firewall
+/root/bin/firewall
diff --git a/firewall b/firewall
index d19f0ce..9661098 100644
--- a/firewall
+++ b/firewall
@@ -1,179 +1,184 @@
-# Make sure we have all the commands to continue
+#!/bin/bash
-if [[ ! `which iptables` || ! `which ifconfig` || ! `which grep` || ! `which sed` ]]; then
+#
-        echo 'Essential commands are missing. Can not continue.'
+# Iptables Setup and Initialization Script
-        exit 1
+# Version 1.0
-fi
+#
+# Written by Michael Crute (mcrute@gmail.com)
+# for SoftGroup Interactive on July 10, 2006
+# Last updated: same
+#
-# Check for root
+if [ $UID != 0 ]; then
-if [[ $UID != 0 ]]; then
+    echo "You are not root. Goodbye."
-        echo 'You are not root.'
+    exit 1
-        exit 1
 fi
-# First set LC_ALL to en to avoid l10n problems when awk-ing IPs etc.
+IPT='/sbin/iptables'
-export LC_ALL="en"
+GREEN='\033[0;32m'
-# Source our configuration file
+WHITE='\033[0m'
-source /etc/firewall.conf
+RED='\033[0;31m'
-# Go into lockdown mode while we setup the rules
+ALLOW_PING=0
-iptables -P INPUT   DROP
-iptables -P OUTPUT  DROP
+function do_log 
-iptables -P FORWARD DROP
+{
+    timestamp=`date +"[%Y-%m-%d %H:%M:%S]"`
-# Flush all existing chains and erase personal chains
+    if [ $2 == 0 ]; then
-CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
+        echo -e "$timestamp $1: [$GREEN OK $WHITE]"
-for i in $CHAINS; do
+    else
-        iptables -t $i -F
+        echo -e "$timestamp $1: [$RED FAILED $WHITE]"
-        iptables -t $i -X
+    fi
-done
+}
-echo 1 > /proc/sys/net/ipv4/tcp_syncookies
-echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+function flush_all 
+{
-# Source Address Verification
+    # Flush all existing chains and erase personal chains
-for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
+    CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
-        echo 1 > $f
+    for i in $CHAINS; do
-done
+        $IPT -t $i -F
+        $IPT -t $i -X
-# Disable IP source routing and ICMP redirects
+        do_log "Flushing chain $i" $? 
-for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
+    done
-        echo 0 > $f
-done
+    # Flush the conntrack database if we can
-for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
+    if [ `which conntrack > /dev/null 2>&1` ]; then
-        echo 0 > $f
+        conntrack -F
-done
+        do_log "Flushing conntrack" $?
-echo 1 > /proc/sys/net/ipv4/ip_forward
+    fi
-# Determine the IP/Broadcast/Netmask for the outside interface
+    $IPT -P INPUT ACCEPT
-# dynamically by grepping ifconfig commands
+    do_log "All chains flushed" $?
-#
+}
-# Due to absence of EXTBC in ifconfig output I manually set it 
-# to 255.255.255.255 this hopefully will serve the same purpose
+function set_ping
-EXTIP="`ifconfig $EXTIF|grep addr:|sed 's/.*addr:\([^ ]*\) .*/\1/'`"
+{
-EXTBC="255.255.255.255"
+    policy="ACCEPT"
-EXTMSK="`ifconfig $EXTIF|grep Mask:|sed 's/.*Mask:\([^ ]*\)/\1/'`"
+    [[ $1 == 0 ]] && policy="DROP"
-EXTNET="$EXTIP/$EXTMSK"
-echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
+    $IPT -A INPUT -p icmp --icmp-type 8 -j $policy
+    do_log "$policy pings" $?
-# Determine the IP/Broadcast/Netmask for the outside interface
+}
-# dynamically by grepping ifconfig commands
-INTIP="`ifconfig $INTIF|grep addr:|sed 's/.*addr:\([^ ]*\) .*/\1/'`"
+function block_port
-INTBC="`ifconfig $INTIF|grep Bcast:|sed 's/.*Bcast:\([^ ]*\) .*/\1/'`"
+{
-INTMSK="`ifconfig $INTIF|grep Mask:|sed 's/.*Mask:\([^ ]*\)/\1/'`"
+    $IPT -A INPUT -p $1 -m state --state NEW -m $1 --dport $2 -j DROP
-INTNET="$INTIP/$INTMSK"
+    $IPT -A OUTPUT -p $1 -m state --state NEW -m $1 --dport $2 -j DROP
-echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"
+    do_log "Blocking $1 port $2" $?
+}
-# We are now going to create a few custom chains that will result in
-# logging of dropped packets. This will enable us to avoid having to
+function load_policy
-# enter a log command prior to every drop we wish to log. The
+{
-# first will be first log drops the other will log rejects.
+    policy=`cat /etc/firewall/profile 2>/dev/null || echo 'default'`
-# Do not complain if chain already exists (so restart is clean)
+    [[ ! -z "$1" ]] && policy=$1
-iptables -N DROPl   2> /dev/null
+    LOADFILE="/etc/firewall/iptables-$policy"
-iptables -A DROPl   -j LOG --log-prefix 'DROPl:'
-iptables -A DROPl   -j DROP
+    if [ -r $LOADFILE ]; then
-iptables -N REJECTl 2> /dev/null
+        . $LOADFILE
-iptables -A REJECTl -j LOG --log-prefix 'REJECTl:'
+        flush_all
-iptables -A REJECTl -j REJECT
+        do_log "Loading ruleset $LOADFILE" $?
+    else
-# Now we are going to accpet all traffic from our loopback device
+        do_log "Could not load a ruleset" 1
-# if the IP matches any of our interfaces.
+        exit 1
-iptables -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT
+    fi
-iptables -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT
+}
-iptables -A INPUT   -i $LPDIF -s   $INTIP  -j ACCEPT
+function filter_host
-# Blocking Broadcasts
+{
-iptables -A INPUT   -i $EXTIF -d   $EXTBC -j DROPl
+    $IPT -I INPUT -s $2 -j $1
-iptables -A INPUT   -i $INTIF -d   $INTBC -j DROPl
+    do_log "$1 host $2" $?
-iptables -A OUTPUT  -o $EXTIF -d   $EXTBC -j DROPl
+}
-iptables -A OUTPUT  -o $INTIF -d   $INTBC -j DROPl
-iptables -A FORWARD -o $EXTIF -d   $EXTBC -j DROPl
+function filter_port 
-iptables -A FORWARD -o $INTIF -d   $INTBC -j DROPl
+{
+    $IPT -A INPUT -p $2 -m state --state NEW -m $2 --dport $1 -j $3
-# Block WAN access to internal network
+    do_log "$3 $2 port $1" $?
-#
+}
-# This also stops nefarious crackers from using our network as a
-# launching point to attack other people
+function add_exception
-iptables -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl
+{
+    ip=`echo $1 | cut -d' ' -f1`
-# Now we will block internal addresses originating from anything but our
+    prot=`echo $1 | cut -d' ' -f2`
-# two predefined interfaces... just remember that if you jack your
+    port=`echo $1 | cut -d' ' -f3`
-# your laptop or another pc into one of these NIC's directly, you'll need
-# to ensure that they either have the same ip or that you add a line explicitly
+    $IPT -A INPUT -p $prot -m state --state NEW -s $ip -m $prot --dport $port -j ACCEPT
-# for that IP as well
-iptables -A INPUT   -i $INTIF -s ! $INTNET -j DROPl
+    do_log "Allowing $ip for $prot $port" $?
-iptables -A OUTPUT  -o $INTIF -d ! $INTNET -j DROPl
+}
-iptables -A FORWARD -i $INTIF -s ! $INTNET -j DROPl
-iptables -A FORWARD -o $INTIF -d ! $INTNET -j DROPl
+function set_defaults
+{
-# An additional Egress check
+    $IPT -A INPUT -s 127.0.0.1 -j ACCEPT
-iptables -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl
+    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+    $IPT -P INPUT DROP
-# Block outbound ICMP (except for PING)
+    $IPT -P FORWARD DROP
-iptables -A OUTPUT  -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
+    $IPT -P OUTPUT ACCEPT 
-iptables -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
+}
-# Explicitly block TCP ports
+# Lockdown is the most strict policy that only passes
-for i in $TCPBLOCK; do
+# ssh traffic. This is good for new servers and emergencies
-  iptables -A INPUT   -p tcp --dport $i  -j DROPl
+function lockdown
-  iptables -A OUTPUT  -p tcp --dport $i  -j DROPl
+{
-  iptables -A FORWARD -p tcp --dport $i  -j DROPl
+    flush_all
-done
+    $IPT -P INPUT DROP
-# Explicitly block UDP ports
+    $IPT -P FORWARD DROP
-for i in $UDPBLOCK; do
+    $IPT -P OUTPUT DROP
-  iptables -A INPUT   -p udp --dport $i  -j DROPl
+    do_log "All chains set to drop" $?
-  iptables -A OUTPUT  -p udp --dport $i  -j DROPl
-  iptables -A FORWARD -p udp --dport $i  -j DROPl
+    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-done
+    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+    $IPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-# Open inbound service ports
+    $IPT -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-for i in $INPORTS; do 
+    do_log "Allowing ssh only" $?
-        iptables -A INPUT -p tcp --dport $i -j ACCEPT   
-done
+    do_log "Firewall locked down" $?
+}
-iptables -A FORWARD -t filter -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-iptables -A FORWARD -t filter -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+function build_firewall
+{
-# Opening up ftp connection tracking
+    load_policy $1
-MODULES="ip_nat_ftp ip_conntrack_ftp"
+    set_defaults
-for i in $MODULES; do
+    set_ping $ALLOW_PING
-        modprobe $i
+    
-done
+    # Set exceptions
+    for idx in $(seq ${#RULES[@]}); do
-# Allow inside systems to use external services
+        item=${RULES[$idx]}
-for i in $TCPSERV; do
+        add_exception $item
-  iptables -A OUTPUT  -o $EXTIF  -p tcp -s $EXTIP   --dport $i --syn -m state --state NEW -j ACCEPT
+    done;
-  iptables -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT
-done
+    # Allow or deny hosts
+    for host in $HOSTS_DENY; do
-for i in $UDPSERV; do
+        filter_host "DROP" $host
-  iptables -A OUTPUT  -o $EXTIF  -p udp -s $EXTIP   --dport $i -m state --state NEW -j ACCEPT
+    done
-  iptables -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i -m state --state NEW -j ACCEPT
+    for host in $HOSTS_ALLOW; do
-done
+        filter_host "ALLOW" $host
+    done
-# Allow to ping out
+    
-iptables -A OUTPUT  -o $EXTIF  -p icmp -s $EXTIP   --icmp-type 8 -m state --state NEW -j ACCEPT
+    # Allow or deny tcp ports
-iptables -A FORWARD -i $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT
+    for port in $TCP_DENY; do
+        block_port "tcp" $port
-# Allow firewall to ping internal systems
+    done
-iptables -A OUTPUT  -o $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT
+    for port in $TCP_ALLOW; do
+        filter_port $port "tcp" "ACCEPT"
-# Allow a few services internally
+    done
-iptables -A OUTPUT  -o $INTIF -p tcp -s $INTNET --dport 80 -m state --state NEW -j ACCEPT
-iptables -A OUTPUT  -o $INTIF -p tcp -s $INTNET --dport 443 -m state --state NEW -j ACCEPT
+    # Allow or deny udp ports
-iptables -A INPUT   -i $INTIF -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
+    for port in $UDP_DENY; do
+        block_port "udp" $port
-# Setup dynamic NAT
+    done
-iptables -t nat -A PREROUTING  -j ACCEPT
+    for i in $UDP_ALLOW; do
-iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
+        filter_port $port "udp" "ACCEPT"
-iptables -t nat -A POSTROUTING -j ACCEPT
+    done
-iptables -t nat -A OUTPUT -j ACCEPT
+}
-iptables -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
-iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
+if [[ $1 == "--flush" ]]; then
-iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
+    flush_all
-iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+    exit 0
+elif [[ $1 == "--lockdown" ]]; then
-# Block and log what me may have forgot
+    lockdown
-iptables -A INPUT   -j DROPl
+    exit 0
-iptables -A OUTPUT  -j REJECTl
+else
-iptables -A FORWARD -j DROPl
-\ No newline at end of file
+    build_firewall $1
+    do_log "Firewall started" $?
+fi
diff --git a/firewall.conf b/firewall.conf
deleted file mode 100644
index 78f873b..0000000
--- a/firewall.conf
+++ /dev/null
@@ -1,60 +0,0 @@
-EXTIF=eth1 # External interface
-INTIF=eth0 # Internal interface
-# Loop device/localhost
-LPDIF=lo
-LPDIP=127.0.0.1
-LPDMSK=255.0.0.0
-LPDNET="$LPDIP/$LPDMSK"
-# Defining some common chat clients. Remove these from your accepted list for better security.
-# ICQ and AOL are 5190
-# MSN is 1863
-# Y! is 5050
-# Jabber is 5222
-# Y! and Jabber ports not added by author and therefore left out of the script
-IRC='ircd'
-MSN=1863
-ICQ=5190
-YIM=5050
-AIM=5190
-NFS='sunrpc'
-PORTAGE='rsync'
-OpenPGP_HTTP_Keyserver=11371
-# All services ports are read from /etc/services
-TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s time $PORTAGE $YIM $AIM"
-UDPSERV="domain time"
-INPORTS="ssh http"
-# COMmon ports:
-# 0 is tcpmux; SGI had vulnerability, 1 is common attack
-# 13 is daytime
-# 98 is Linuxconf
-# 111 is sunrpc (portmap)
-# 137:139, 445 is Microsoft
-# SNMP: 161,2
-# Squid flotilla: 3128, 8000, 8008, 8080
-# 1214 is Morpheus or KaZaA
-# 2049 is NFS
-# 3049 is very virulent Linux Trojan, mistakable for NFS
-# Common attacks: 1999, 4329, 6346
-# Common Trojans 12345 65535
-COMBLOCK="0:1 13 98 111 113 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"
-# TCP ports:
-# 98 is Linuxconf
-# 512-515 is rexec, rlogin, rsh, printer(lpd)
-#   [very serious vulnerabilities; attacks continue daily]
-# 1080 is Socks proxy server
-# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
-# Block 6112 (Sun's/HP's CDE)
-TCPBLOCK="$COMBLOCK 98 512:515 1080 3330 1128 3054 6000:6009 6112"
-# UDP ports:
-# 161:162 is SNMP
-# 520 is RIP
-# 9000 is Sangoma
-# 517:518 are talk and ntalk (more annoying than anything)
-UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"
-\ No newline at end of file
diff --git a/policies/blocked-ips b/policies/blocked-ips
new file mode 100644
index 0000000..ceed910
--- /dev/null
+++ b/policies/blocked-ips
@@ -0,0 +1,15 @@
+115.47.3.229
+116.11.253.154
+118.129.166.149
+122.225.226.67
+125.46.15.194
+202.99.42.188
+218.145.128.230
+220.189.246.26
+222.68.199.238
+59.125.229.74
+60.217.229.222
+61.129.60.23
+70.85.215.42
+87.121.75.179
+88.220.70.24
diff --git a/policies/iptables-default b/policies/iptables-default
new file mode 100644
index 0000000..8f2377f
--- /dev/null
+++ b/policies/iptables-default
@@ -0,0 +1,17 @@
+#
+# iptables Firewall Policy
+# by Mike Crute (mcrute@gmail.com)
+# on September 19, 2009
+#
+ALLOW_PING=1
+TCP_ALLOW="22" # SSH
+#TCP_ALLOW=""
+#HOSTS_ALLOW=""
+#HOSTS_DENY=""
+#TCP_DENY=""
+#UDP_ALLOW="53"
+#UDP_DENY=""
+#RULES=""
diff --git a/policies/iptables-web b/policies/iptables-web
new file mode 100644
index 0000000..9dc9ca5
--- /dev/null
+++ b/policies/iptables-web
@@ -0,0 +1,19 @@
+#
+# iptables Firewall Policy
+# by Mike Crute (mcrute@gmail.com)
+# on September 19, 2009
+#
+ALLOW_PING=1
+TCP_ALLOW="22" # SSH
+TCP_ALLOW="${TCP_ALLOW} 80 443" # Web Ports
+TCP_ALLOW="${TCP_ALLOW} 20 21" # FTP Ports
+TCP_ALLOW="${TCP_ALLOW} 5870 5871" # Inbound tunnels 
+HOSTS_DENY=$(cat /etc/firewall/blocked-ips)
+#HOSTS_ALLOW=""
+#TCP_DENY=""
+#UDP_ALLOW="53"
+#UDP_DENY=""
+#RULES=""
diff --git a/policies/iptables-webrestricted b/policies/iptables-webrestricted
new file mode 100644
index 0000000..149cb82
--- /dev/null
+++ b/policies/iptables-webrestricted
@@ -0,0 +1,18 @@
+#
+# iptables Firewall Policy
+# by Mike Crute (mcrute@gmail.com)
+# on September 19, 2009
+#
+ALLOW_PING=1
+TCP_ALLOW="22" # SSH
+TCP_ALLOW="${TCP_ALLOW} 80" # Web Ports
+TCP_ALLOW="${TCP_ALLOW} 20 21" # FTP Ports
+#HOSTS_ALLOW=""
+#HOSTS_DENY=""
+#TCP_DENY=""
+#UDP_ALLOW="53"
+#UDP_DENY=""
+#RULES=""
diff --git a/policies/profile b/policies/profile
new file mode 100644
index 0000000..c077218
--- /dev/null
+++ b/policies/profile
@@ -0,0 +1 @@
+web
author	root <root@pompom.softgrouphosting.net>	2009-11-20 14:28:12 -0500
committer	root <root@pompom.softgrouphosting.net>	2009-11-20 14:28:12 -0500
commit	5f73cc6cde571cd52f317d56fb1087169ebea7e0 (patch)
tree	737401e4d466135bddc0f4f4e3bf58edacedff2a
parent	549fa35bd35c5e6356099ad3ac6f4392aa0acd23 (diff)
download	iptables_scripts-5f73cc6cde571cd52f317d56fb1087169ebea7e0.tar.bz2 iptables_scripts-5f73cc6cde571cd52f317d56fb1087169ebea7e0.tar.xz iptables_scripts-5f73cc6cde571cd52f317d56fb1087169ebea7e0.zip

diff --git a/filterwall.sh b/filterwall.sh new file mode 100755 index 0000000..deba71f --- /dev/null +++ b/filterwall.sh
@@ -0,0 +1,31 @@
		1	#!/bin/bash
		2	#
		3	# Log Filter/Firewall Generator
		4	# by Mike Crute (mcrute@gmail.com)
		5	# on November 20, 2009
		6	#
		7	# Script to scrape over logfiles and generate blocked-ip
		8	# list for people abusing machine services. This is designed
		9	# to be run as a cron.
		10	#
		11
		12	BLOCK_FILE=/etc/firewall/blocked-ips
		13
		14	# Filter SSHD Abusers
		15	egrep "sshd\[[0-9]+\]: Failed password for" /var/log/auth.log \| \
		16	egrep -o '([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' \| \
		17	awk '{ a[$1]++ } END { for (i in a) { if (a[i] > 10) { print i }}}' \
		18	>> $BLOCK_FILE
		19
		20	# Filter FTP Abusers
		21	grep 'FAIL LOGIN: Client' /var/log/vsftpd.log \| \
		22	egrep -o '([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' \| \
		23	awk '{ a[$1]++ } END { for (i in a) { if (a[i] > 10) { print i }}}' \
		24	>> $BLOCK_FILE
		25
		26	# De-dup the filter file.
		27	cat $BLOCK_FILE \| sort -u > $BLOCK_FILE.tmp
		28	mv $BLOCK_FILE.tmp $BLOCK_FILE
		29
		30	# Refresh the firewall
		31	/root/bin/firewall


diff --git a/firewall b/firewall index d19f0ce..9661098 100644 --- a/firewall +++ b/firewall
@@ -1,179 +1,184 @@
1	# Make sure we have all the commands to continue	1	#!/bin/bash
2	if [[ ! `which iptables` \|\| ! `which ifconfig` \|\| ! `which grep` \|\| ! `which sed` ]]; then	2	#
3	echo 'Essential commands are missing. Can not continue.'	3	# Iptables Setup and Initialization Script
4	exit 1	4	# Version 1.0
5	fi	5	#
		6	# Written by Michael Crute (mcrute@gmail.com)
		7	# for SoftGroup Interactive on July 10, 2006
		8	# Last updated: same
		9	#
6		10
7	# Check for root	11	if [ $UID != 0 ]; then
8	if [[ $UID != 0 ]]; then	12	echo "You are not root. Goodbye."
9	echo 'You are not root.'	13	exit 1
10	exit 1
11	fi	14	fi
12		15
13	# First set LC_ALL to en to avoid l10n problems when awk-ing IPs etc.	16	IPT='/sbin/iptables'
14	export LC_ALL="en"	17
15		18	GREEN='\033[0;32m'
16	# Source our configuration file	19	WHITE='\033[0m'
17	source /etc/firewall.conf	20	RED='\033[0;31m'
18		21
19	# Go into lockdown mode while we setup the rules	22	ALLOW_PING=0
20	iptables -P INPUT DROP	23
21	iptables -P OUTPUT DROP	24	function do_log
22	iptables -P FORWARD DROP	25	{
23		26	timestamp=`date +"[%Y-%m-%d %H:%M:%S]"`
24	# Flush all existing chains and erase personal chains	27	if [ $2 == 0 ]; then
25	CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`	28	echo -e "$timestamp $1: [$GREEN OK $WHITE]"
26	for i in $CHAINS; do	29	else
27	iptables -t $i -F	30	echo -e "$timestamp $1: [$RED FAILED $WHITE]"
28	iptables -t $i -X	31	fi
29	done	32	}
30	echo 1 > /proc/sys/net/ipv4/tcp_syncookies	33
31	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts	34	function flush_all
32		35	{
33	# Source Address Verification	36	# Flush all existing chains and erase personal chains
34	for f in /proc/sys/net/ipv4/conf/*/rp_filter; do	37	CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
35	echo 1 > $f	38	for i in $CHAINS; do
36	done	39	$IPT -t $i -F
37		40	$IPT -t $i -X
38	# Disable IP source routing and ICMP redirects	41	do_log "Flushing chain $i" $?
39	for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do	42	done
40	echo 0 > $f	43
41	done	44	# Flush the conntrack database if we can
42	for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do	45	if [ `which conntrack > /dev/null 2>&1` ]; then
43	echo 0 > $f	46	conntrack -F
44	done	47	do_log "Flushing conntrack" $?
45	echo 1 > /proc/sys/net/ipv4/ip_forward	48	fi
46		49
47	# Determine the IP/Broadcast/Netmask for the outside interface	50	$IPT -P INPUT ACCEPT
48	# dynamically by grepping ifconfig commands	51	do_log "All chains flushed" $?
49	#	52	}
50	# Due to absence of EXTBC in ifconfig output I manually set it	53
51	# to 255.255.255.255 this hopefully will serve the same purpose	54	function set_ping
52	EXTIP="`ifconfig $EXTIF\|grep addr:\|sed 's/.addr:\([^ ]\) .*/\1/'`"	55	{
53	EXTBC="255.255.255.255"	56	policy="ACCEPT"
54	EXTMSK="`ifconfig $EXTIF\|grep Mask:\|sed 's/.Mask:\([^ ]\)/\1/'`"	57	[[ $1 == 0 ]] && policy="DROP"
55	EXTNET="$EXTIP/$EXTMSK"	58
56	echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"	59	$IPT -A INPUT -p icmp --icmp-type 8 -j $policy
57		60	do_log "$policy pings" $?
58	# Determine the IP/Broadcast/Netmask for the outside interface	61	}
59	# dynamically by grepping ifconfig commands	62
60	INTIP="`ifconfig $INTIF\|grep addr:\|sed 's/.addr:\([^ ]\) .*/\1/'`"	63	function block_port
61	INTBC="`ifconfig $INTIF\|grep Bcast:\|sed 's/.Bcast:\([^ ]\) .*/\1/'`"	64	{
62	INTMSK="`ifconfig $INTIF\|grep Mask:\|sed 's/.Mask:\([^ ]\)/\1/'`"	65	$IPT -A INPUT -p $1 -m state --state NEW -m $1 --dport $2 -j DROP
63	INTNET="$INTIP/$INTMSK"	66	$IPT -A OUTPUT -p $1 -m state --state NEW -m $1 --dport $2 -j DROP
64	echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"	67	do_log "Blocking $1 port $2" $?
65		68	}
66	# We are now going to create a few custom chains that will result in	69
67	# logging of dropped packets. This will enable us to avoid having to	70	function load_policy
68	# enter a log command prior to every drop we wish to log. The	71	{
69	# first will be first log drops the other will log rejects.	72	policy=`cat /etc/firewall/profile 2>/dev/null \|\| echo 'default'`
70	# Do not complain if chain already exists (so restart is clean)	73	[[ ! -z "$1" ]] && policy=$1
71	iptables -N DROPl 2> /dev/null	74	LOADFILE="/etc/firewall/iptables-$policy"
72	iptables -A DROPl -j LOG --log-prefix 'DROPl:'	75
73	iptables -A DROPl -j DROP	76	if [ -r $LOADFILE ]; then
74	iptables -N REJECTl 2> /dev/null	77	. $LOADFILE
75	iptables -A REJECTl -j LOG --log-prefix 'REJECTl:'	78	flush_all
76	iptables -A REJECTl -j REJECT	79	do_log "Loading ruleset $LOADFILE" $?
77		80	else
78	# Now we are going to accpet all traffic from our loopback device	81	do_log "Could not load a ruleset" 1
79	# if the IP matches any of our interfaces.	82	exit 1
80	iptables -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT	83	fi
81	iptables -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT	84	}
82	iptables -A INPUT -i $LPDIF -s $INTIP -j ACCEPT	85
83		86	function filter_host
84	# Blocking Broadcasts	87	{
85	iptables -A INPUT -i $EXTIF -d $EXTBC -j DROPl	88	$IPT -I INPUT -s $2 -j $1
86	iptables -A INPUT -i $INTIF -d $INTBC -j DROPl	89	do_log "$1 host $2" $?
87	iptables -A OUTPUT -o $EXTIF -d $EXTBC -j DROPl	90	}
88	iptables -A OUTPUT -o $INTIF -d $INTBC -j DROPl	91
89	iptables -A FORWARD -o $EXTIF -d $EXTBC -j DROPl	92	function filter_port
90	iptables -A FORWARD -o $INTIF -d $INTBC -j DROPl	93	{
91		94	$IPT -A INPUT -p $2 -m state --state NEW -m $2 --dport $1 -j $3
92	# Block WAN access to internal network	95	do_log "$3 $2 port $1" $?
93	#	96	}
94	# This also stops nefarious crackers from using our network as a	97
95	# launching point to attack other people	98	function add_exception
96	iptables -A INPUT -i $EXTIF -d ! $EXTIP -j DROPl	99	{
97		100	ip=`echo $1 \| cut -d' ' -f1`
98	# Now we will block internal addresses originating from anything but our	101	prot=`echo $1 \| cut -d' ' -f2`
99	# two predefined interfaces... just remember that if you jack your	102	port=`echo $1 \| cut -d' ' -f3`
100	# your laptop or another pc into one of these NIC's directly, you'll need	103
101	# to ensure that they either have the same ip or that you add a line explicitly	104	$IPT -A INPUT -p $prot -m state --state NEW -s $ip -m $prot --dport $port -j ACCEPT
102	# for that IP as well	105
103	iptables -A INPUT -i $INTIF -s ! $INTNET -j DROPl	106	do_log "Allowing $ip for $prot $port" $?
104	iptables -A OUTPUT -o $INTIF -d ! $INTNET -j DROPl	107	}
105	iptables -A FORWARD -i $INTIF -s ! $INTNET -j DROPl	108
106	iptables -A FORWARD -o $INTIF -d ! $INTNET -j DROPl	109	function set_defaults
107		110	{
108	# An additional Egress check	111	$IPT -A INPUT -s 127.0.0.1 -j ACCEPT
109	iptables -A OUTPUT -o $EXTIF -s ! $EXTNET -j DROPl	112	$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
110		113	$IPT -P INPUT DROP
111	# Block outbound ICMP (except for PING)	114	$IPT -P FORWARD DROP
112	iptables -A OUTPUT -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl	115	$IPT -P OUTPUT ACCEPT
113	iptables -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl	116	}
114		117
115	# Explicitly block TCP ports	118	# Lockdown is the most strict policy that only passes
116	for i in $TCPBLOCK; do	119	# ssh traffic. This is good for new servers and emergencies
117	iptables -A INPUT -p tcp --dport $i -j DROPl	120	function lockdown
118	iptables -A OUTPUT -p tcp --dport $i -j DROPl	121	{
119	iptables -A FORWARD -p tcp --dport $i -j DROPl	122	flush_all
120	done	123
121		124	$IPT -P INPUT DROP
122	# Explicitly block UDP ports	125	$IPT -P FORWARD DROP
123	for i in $UDPBLOCK; do	126	$IPT -P OUTPUT DROP
124	iptables -A INPUT -p udp --dport $i -j DROPl	127	do_log "All chains set to drop" $?
125	iptables -A OUTPUT -p udp --dport $i -j DROPl	128
126	iptables -A FORWARD -p udp --dport $i -j DROPl	129	$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
127	done	130	$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
128		131	$IPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
129	# Open inbound service ports	132	$IPT -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
130	for i in $INPORTS; do	133	do_log "Allowing ssh only" $?
131	iptables -A INPUT -p tcp --dport $i -j ACCEPT	134
132	done	135	do_log "Firewall locked down" $?
133		136	}
134	iptables -A FORWARD -t filter -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT	137
135	iptables -A FORWARD -t filter -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT	138	function build_firewall
136		139	{
137	# Opening up ftp connection tracking	140	load_policy $1
138	MODULES="ip_nat_ftp ip_conntrack_ftp"	141	set_defaults
139	for i in $MODULES; do	142	set_ping $ALLOW_PING
140	modprobe $i	143
141	done	144	# Set exceptions
142		145	for idx in $(seq ${#RULES[@]}); do
143	# Allow inside systems to use external services	146	item=${RULES[$idx]}
144	for i in $TCPSERV; do	147	add_exception $item
145	iptables -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT	148	done;
146	iptables -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT	149
147	done	150	# Allow or deny hosts
148		151	for host in $HOSTS_DENY; do
149	for i in $UDPSERV; do	152	filter_host "DROP" $host
150	iptables -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT	153	done
151	iptables -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i -m state --state NEW -j ACCEPT	154	for host in $HOSTS_ALLOW; do
152	done	155	filter_host "ALLOW" $host
153		156	done
154	# Allow to ping out	157
155	iptables -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT	158	# Allow or deny tcp ports
156	iptables -A FORWARD -i $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT	159	for port in $TCP_DENY; do
157		160	block_port "tcp" $port
158	# Allow firewall to ping internal systems	161	done
159	iptables -A OUTPUT -o $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT	162	for port in $TCP_ALLOW; do
160		163	filter_port $port "tcp" "ACCEPT"
161	# Allow a few services internally	164	done
162	iptables -A OUTPUT -o $INTIF -p tcp -s $INTNET --dport 80 -m state --state NEW -j ACCEPT	165
163	iptables -A OUTPUT -o $INTIF -p tcp -s $INTNET --dport 443 -m state --state NEW -j ACCEPT	166	# Allow or deny udp ports
164	iptables -A INPUT -i $INTIF -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT	167	for port in $UDP_DENY; do
165		168	block_port "udp" $port
166	# Setup dynamic NAT	169	done
167	iptables -t nat -A PREROUTING -j ACCEPT	170	for i in $UDP_ALLOW; do
168	iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE	171	filter_port $port "udp" "ACCEPT"
169	iptables -t nat -A POSTROUTING -j ACCEPT	172	done
170	iptables -t nat -A OUTPUT -j ACCEPT	173	}
171	iptables -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT	174
172	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT	175	if [[ $1 == "--flush" ]]; then
173	iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT	176	flush_all
174	iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT	177	exit 0
175		178	elif [[ $1 == "--lockdown" ]]; then
176	# Block and log what me may have forgot	179	lockdown
177	iptables -A INPUT -j DROPl	180	exit 0
178	iptables -A OUTPUT -j REJECTl	181	else
179	iptables -A FORWARD -j DROPl \ No newline at end of file	182	build_firewall $1
		183	do_log "Firewall started" $?
		184	fi


diff --git a/firewall.conf b/firewall.conf deleted file mode 100644 index 78f873b..0000000 --- a/firewall.conf +++ /dev/null
@@ -1,60 +0,0 @@
1	EXTIF=eth1 # External interface
2	INTIF=eth0 # Internal interface
3
4	# Loop device/localhost
5	LPDIF=lo
6	LPDIP=127.0.0.1
7	LPDMSK=255.0.0.0
8	LPDNET="$LPDIP/$LPDMSK"
9
10	# Defining some common chat clients. Remove these from your accepted list for better security.
11	# ICQ and AOL are 5190
12	# MSN is 1863
13	# Y! is 5050
14	# Jabber is 5222
15	# Y! and Jabber ports not added by author and therefore left out of the script
16	IRC='ircd'
17	MSN=1863
18	ICQ=5190
19	YIM=5050
20	AIM=5190
21	NFS='sunrpc'
22	PORTAGE='rsync'
23	OpenPGP_HTTP_Keyserver=11371
24
25	# All services ports are read from /etc/services
26	TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s time $PORTAGE $YIM $AIM"
27	UDPSERV="domain time"
28
29	INPORTS="ssh http"
30
31	# COMmon ports:
32	# 0 is tcpmux; SGI had vulnerability, 1 is common attack
33	# 13 is daytime
34	# 98 is Linuxconf
35	# 111 is sunrpc (portmap)
36	# 137:139, 445 is Microsoft
37	# SNMP: 161,2
38	# Squid flotilla: 3128, 8000, 8008, 8080
39	# 1214 is Morpheus or KaZaA
40	# 2049 is NFS
41	# 3049 is very virulent Linux Trojan, mistakable for NFS
42	# Common attacks: 1999, 4329, 6346
43	# Common Trojans 12345 65535
44	COMBLOCK="0:1 13 98 111 113 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"
45
46	# TCP ports:
47	# 98 is Linuxconf
48	# 512-515 is rexec, rlogin, rsh, printer(lpd)
49	# [very serious vulnerabilities; attacks continue daily]
50	# 1080 is Socks proxy server
51	# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
52	# Block 6112 (Sun's/HP's CDE)
53	TCPBLOCK="$COMBLOCK 98 512:515 1080 3330 1128 3054 6000:6009 6112"
54
55	# UDP ports:
56	# 161:162 is SNMP
57	# 520 is RIP
58	# 9000 is Sangoma
59	# 517:518 are talk and ntalk (more annoying than anything)
60	UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000" \ No newline at end of file


diff --git a/policies/blocked-ips b/policies/blocked-ips new file mode 100644 index 0000000..ceed910 --- /dev/null +++ b/policies/blocked-ips
@@ -0,0 +1,15 @@
		1	115.47.3.229
		2	116.11.253.154
		3	118.129.166.149
		4	122.225.226.67
		5	125.46.15.194
		6	202.99.42.188
		7	218.145.128.230
		8	220.189.246.26
		9	222.68.199.238
		10	59.125.229.74
		11	60.217.229.222
		12	61.129.60.23
		13	70.85.215.42
		14	87.121.75.179
		15	88.220.70.24


diff --git a/policies/iptables-default b/policies/iptables-default new file mode 100644 index 0000000..8f2377f --- /dev/null +++ b/policies/iptables-default
@@ -0,0 +1,17 @@
		1	#
		2	# iptables Firewall Policy
		3	# by Mike Crute (mcrute@gmail.com)
		4	# on September 19, 2009
		5	#
		6
		7	ALLOW_PING=1
		8
		9	TCP_ALLOW="22" # SSH
		10
		11	#TCP_ALLOW=""
		12	#HOSTS_ALLOW=""
		13	#HOSTS_DENY=""
		14	#TCP_DENY=""
		15	#UDP_ALLOW="53"
		16	#UDP_DENY=""
		17	#RULES=""


diff --git a/policies/iptables-web b/policies/iptables-web new file mode 100644 index 0000000..9dc9ca5 --- /dev/null +++ b/policies/iptables-web
@@ -0,0 +1,19 @@
		1	#
		2	# iptables Firewall Policy
		3	# by Mike Crute (mcrute@gmail.com)
		4	# on September 19, 2009
		5	#
		6
		7	ALLOW_PING=1
		8
		9	TCP_ALLOW="22" # SSH
		10	TCP_ALLOW="${TCP_ALLOW} 80 443" # Web Ports
		11	TCP_ALLOW="${TCP_ALLOW} 20 21" # FTP Ports
		12	TCP_ALLOW="${TCP_ALLOW} 5870 5871" # Inbound tunnels
		13	HOSTS_DENY=$(cat /etc/firewall/blocked-ips)
		14
		15	#HOSTS_ALLOW=""
		16	#TCP_DENY=""
		17	#UDP_ALLOW="53"
		18	#UDP_DENY=""
		19	#RULES=""


diff --git a/policies/iptables-webrestricted b/policies/iptables-webrestricted new file mode 100644 index 0000000..149cb82 --- /dev/null +++ b/policies/iptables-webrestricted
@@ -0,0 +1,18 @@
		1	#
		2	# iptables Firewall Policy
		3	# by Mike Crute (mcrute@gmail.com)
		4	# on September 19, 2009
		5	#
		6
		7	ALLOW_PING=1
		8
		9	TCP_ALLOW="22" # SSH
		10	TCP_ALLOW="${TCP_ALLOW} 80" # Web Ports
		11	TCP_ALLOW="${TCP_ALLOW} 20 21" # FTP Ports
		12
		13	#HOSTS_ALLOW=""
		14	#HOSTS_DENY=""
		15	#TCP_DENY=""
		16	#UDP_ALLOW="53"
		17	#UDP_DENY=""
		18	#RULES=""


diff --git a/policies/profile b/policies/profile new file mode 100644 index 0000000..c077218 --- /dev/null +++ b/policies/profile
@@ -0,0 +1 @@
			web