From 549fa35bd35c5e6356099ad3ac6f4392aa0acd23 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 20 Nov 2009 14:26:26 -0500
Subject: Splitting from dev_urandom
---
 firewall | 179 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 firewall.conf | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 239 insertions(+)
 create mode 100644 firewall
 create mode 100644 firewall.conf
diff --git a/firewall b/firewall
new file mode 100644
index 0000000..d19f0ce
--- /dev/null
+++ b/firewall
@@ -0,0 +1,179 @@
+# Make sure we have all the commands to continue
+if [[ ! `which iptables` || ! `which ifconfig` || ! `which grep` || ! `which sed` ]]; then
+ echo 'Essential commands are missing. Can not continue.'
+ exit 1
+fi
+
+# Check for root
+if [[ $UID != 0 ]]; then
+ echo 'You are not root.'
+ exit 1
+fi
+
+# First set LC_ALL to en to avoid l10n problems when awk-ing IPs etc.
+export LC_ALL="en"
+
+# Source our configuration file
+source /etc/firewall.conf
+
+# Go into lockdown mode while we setup the rules
+iptables -P INPUT DROP
+iptables -P OUTPUT DROP
+iptables -P FORWARD DROP
+
+# Flush all existing chains and erase personal chains
+CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
+for i in $CHAINS; do
+ iptables -t $i -F
+ iptables -t $i -X
+done
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+
+# Source Address Verification
+for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
+ echo 1 > $f
+done
+
+# Disable IP source routing and ICMP redirects
+for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
+ echo 0 > $f
+done
+for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
+ echo 0 > $f
+done
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+# Determine the IP/Broadcast/Netmask for the outside interface
+# dynamically by grepping ifconfig commands
+#
+# Due to absence of EXTBC in ifconfig output I manually set it
+# to 255.255.255.255 this hopefully will serve the same purpose
+EXTIP="`ifconfig $EXTIF|grep addr:|sed 's/.*addr:\([^ ]*\) .*/\1/'`"
+EXTBC="255.255.255.255"
+EXTMSK="`ifconfig $EXTIF|grep Mask:|sed 's/.*Mask:\([^ ]*\)/\1/'`"
+EXTNET="$EXTIP/$EXTMSK"
+echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
+
+# Determine the IP/Broadcast/Netmask for the outside interface
+# dynamically by grepping ifconfig commands
+INTIP="`ifconfig $INTIF|grep addr:|sed 's/.*addr:\([^ ]*\) .*/\1/'`"
+INTBC="`ifconfig $INTIF|grep Bcast:|sed 's/.*Bcast:\([^ ]*\) .*/\1/'`"
+INTMSK="`ifconfig $INTIF|grep Mask:|sed 's/.*Mask:\([^ ]*\)/\1/'`"
+INTNET="$INTIP/$INTMSK"
+echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"
+
+# We are now going to create a few custom chains that will result in
+# logging of dropped packets. This will enable us to avoid having to
+# enter a log command prior to every drop we wish to log. The
+# first will be first log drops the other will log rejects.
+# Do not complain if chain already exists (so restart is clean)
+iptables -N DROPl 2> /dev/null
+iptables -A DROPl -j LOG --log-prefix 'DROPl:'
+iptables -A DROPl -j DROP
+iptables -N REJECTl 2> /dev/null
+iptables -A REJECTl -j LOG --log-prefix 'REJECTl:'
+iptables -A REJECTl -j REJECT
+
+# Now we are going to accpet all traffic from our loopback device
+# if the IP matches any of our interfaces.
+iptables -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
+iptables -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
+iptables -A INPUT -i $LPDIF -s $INTIP -j ACCEPT
+
+# Blocking Broadcasts
+iptables -A INPUT -i $EXTIF -d $EXTBC -j DROPl
+iptables -A INPUT -i $INTIF -d $INTBC -j DROPl
+iptables -A OUTPUT -o $EXTIF -d $EXTBC -j DROPl
+iptables -A OUTPUT -o $INTIF -d $INTBC -j DROPl
+iptables -A FORWARD -o $EXTIF -d $EXTBC -j DROPl
+iptables -A FORWARD -o $INTIF -d $INTBC -j DROPl
+
+# Block WAN access to internal network
+#
+# This also stops nefarious crackers from using our network as a
+# launching point to attack other people
+iptables -A INPUT -i $EXTIF -d ! $EXTIP -j DROPl
+
+# Now we will block internal addresses originating from anything but our
+# two predefined interfaces... just remember that if you jack your
+# your laptop or another pc into one of these NIC's directly, you'll need
+# to ensure that they either have the same ip or that you add a line explicitly
+# for that IP as well
+iptables -A INPUT -i $INTIF -s ! $INTNET -j DROPl
+iptables -A OUTPUT -o $INTIF -d ! $INTNET -j DROPl
+iptables -A FORWARD -i $INTIF -s ! $INTNET -j DROPl
+iptables -A FORWARD -o $INTIF -d ! $INTNET -j DROPl
+
+# An additional Egress check
+iptables -A OUTPUT -o $EXTIF -s ! $EXTNET -j DROPl
+
+# Block outbound ICMP (except for PING)
+iptables -A OUTPUT -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
+iptables -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
+
+# Explicitly block TCP ports
+for i in $TCPBLOCK; do
+ iptables -A INPUT -p tcp --dport $i -j DROPl
+ iptables -A OUTPUT -p tcp --dport $i -j DROPl
+ iptables -A FORWARD -p tcp --dport $i -j DROPl
+done
+
+# Explicitly block UDP ports
+for i in $UDPBLOCK; do
+ iptables -A INPUT -p udp --dport $i -j DROPl
+ iptables -A OUTPUT -p udp --dport $i -j DROPl
+ iptables -A FORWARD -p udp --dport $i -j DROPl
+done
+
+# Open inbound service ports
+for i in $INPORTS; do
+ iptables -A INPUT -p tcp --dport $i -j ACCEPT
+done
+
+iptables -A FORWARD -t filter -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -t filter -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# Opening up ftp connection tracking
+MODULES="ip_nat_ftp ip_conntrack_ftp"
+for i in $MODULES; do
+ modprobe $i
+done
+
+# Allow inside systems to use external services
+for i in $TCPSERV; do
+ iptables -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
+ iptables -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT
+done
+
+for i in $UDPSERV; do
+ iptables -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT
+ iptables -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i -m state --state NEW -j ACCEPT
+done
+
+# Allow to ping out
+iptables -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT
+iptables -A FORWARD -i $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT
+
+# Allow firewall to ping internal systems
+iptables -A OUTPUT -o $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT
+
+# Allow a few services internally
+iptables -A OUTPUT -o $INTIF -p tcp -s $INTNET --dport 80 -m state --state NEW -j ACCEPT
+iptables -A OUTPUT -o $INTIF -p tcp -s $INTNET --dport 443 -m state --state NEW -j ACCEPT
+iptables -A INPUT -i $INTIF -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
+
+# Setup dynamic NAT
+iptables -t nat -A PREROUTING -j ACCEPT
+iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
+iptables -t nat -A POSTROUTING -j ACCEPT
+iptables -t nat -A OUTPUT -j ACCEPT
+iptables -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Block and log what me may have forgot
+iptables -A INPUT -j DROPl
+iptables -A OUTPUT -j REJECTl
+iptables -A FORWARD -j DROPl
\ No newline at end of file
diff --git a/firewall.conf b/firewall.conf
new file mode 100644
index 0000000..78f873b
--- /dev/null
+++ b/firewall.conf
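Review bot: The blanket rule `iptables -A FORWARD -t filter -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT` (and its `-o $EXTIF` twin just above it) accepts NEW forwarded connections in both directions, so the "Block WAN access to internal network" rule, which sits only in INPUT, does not protect hosts behind the firewall from anything that can route to $INTNET, and packets arriving on $EXTIF can be forwarded straight back out of $EXTIF because the $INTNET source checks apply only to $INTIF. The same two lines sit ahead of the per-service TCPSERV/UDPSERV FORWARD rules, which are therefore effectively dead for traffic leaving via $EXTIF; both should read `-m state --state ESTABLISHED,RELATED` or simply be removed, since the trailing `iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT` already covers that case. Separately, EXTIP/INTIP come from `ifconfig ... | grep addr:` with no non-empty check: that pattern also matches an `inet6 addr:` line if the interface has one, and a different ifconfig output format leaves the variables empty, after which every `-s`/`-d` rule fails to load individually while the script carries on; add `[[ -n $EXTIP && -n $INTIP ]] || { echo 'Could not determine interface addresses.'; exit 1; }` right after they are computed (exiting there is fail-closed, as the DROP policies are already set). Note also that only iptables is configured, so IPv6 traffic, if enabled on the host, is not filtered by this script at all.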
@@ -0,0 +1,60 @@
+EXTIF=eth1 # External interface
+INTIF=eth0 # Internal interface
+
+# Loop device/localhost
+LPDIF=lo
+LPDIP=127.0.0.1
+LPDMSK=255.0.0.0
+LPDNET="$LPDIP/$LPDMSK"
+
+# Defining some common chat clients. Remove these from your accepted list for better security.
+# ICQ and AOL are 5190
+# MSN is 1863
+# Y! is 5050
+# Jabber is 5222
+# Y! and Jabber ports not added by author and therefore left out of the script
+IRC='ircd'
+MSN=1863
+ICQ=5190
+YIM=5050
+AIM=5190
+NFS='sunrpc'
+PORTAGE='rsync'
+OpenPGP_HTTP_Keyserver=11371
+
+# All services ports are read from /etc/services
+TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s time $PORTAGE $YIM $AIM"
+UDPSERV="domain time"
+
+INPORTS="ssh http"
+
+# COMmon ports:
+# 0 is tcpmux; SGI had vulnerability, 1 is common attack
+# 13 is daytime
+# 98 is Linuxconf
+# 111 is sunrpc (portmap)
+# 137:139, 445 is Microsoft
+# SNMP: 161,2
+# Squid flotilla: 3128, 8000, 8008, 8080
+# 1214 is Morpheus or KaZaA
+# 2049 is NFS
+# 3049 is very virulent Linux Trojan, mistakable for NFS
+# Common attacks: 1999, 4329, 6346
+# Common Trojans 12345 65535
+COMBLOCK="0:1 13 98 111 113 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"
+
+# TCP ports:
+# 98 is Linuxconf
+# 512-515 is rexec, rlogin, rsh, printer(lpd)
+# [very serious vulnerabilities; attacks continue daily]
+# 1080 is Socks proxy server
+# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
+# Block 6112 (Sun's/HP's CDE)
+TCPBLOCK="$COMBLOCK 98 512:515 1080 3330 1128 3054 6000:6009 6112"
+
+# UDP ports:
+# 161:162 is SNMP
+# 520 is RIP
+# 9000 is Sangoma
+# 517:518 are talk and ntalk (more annoying than anything)
+UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"
\ No newline at end of file
-- cgit v1.2.3
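Review bot: The comment `# Y! and Jabber ports not added by author and therefore left out of the script` contradicts the line `TCPSERV="... $PORTAGE $YIM $AIM"`, which opens outbound TCP 5050 and 5190 by default, and the header comment above it says to remove the chat ports for better security; either drop `$YIM $AIM` from TCPSERV or reword the comment to say they are enabled and should be removed if unwanted. Several values in the block lists are undocumented: 123 in UDPBLOCK is NTP, and since the script applies UDPBLOCK to OUTPUT and UDPSERV only allows `time` (port 37), the firewall itself cannot reach an NTP server — add `# 123 is NTP (also blocks this host's own outbound NTP)` and an explanation for 3330, 1128, 3054 and 1427 or remove them. Port 113 in COMBLOCK also overrides the script's later `--dport auth` ACCEPT, which is worth a one-line comment so nobody expects ident to be reachable. The remaining definitions (IRC, MSN, ICQ, NFS, OpenPGP_HTTP_Keyserver) are not referenced by the script, which would merit a `# unused by the firewall script; kept for reference` note.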