# Make sure we have all the commands to continue if [[ ! `which iptables` || ! `which ifconfig` || ! `which grep` || ! `which sed` ]]; then echo 'Essential commands are missing. Can not continue.' exit 1 fi # Check for root if [[ $UID != 0 ]]; then echo 'You are not root.' exit 1 fi # First set LC_ALL to en to avoid l10n problems when awk-ing IPs etc. export LC_ALL="en" # Source our configuration file source /etc/firewall.conf # Go into lockdown mode while we setup the rules iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP # Flush all existing chains and erase personal chains CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null` for i in $CHAINS; do iptables -t $i -F iptables -t $i -X done echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Source Address Verification for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f done # Disable IP source routing and ICMP redirects for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f done for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f done echo 1 > /proc/sys/net/ipv4/ip_forward # Determine the IP/Broadcast/Netmask for the outside interface # dynamically by grepping ifconfig commands # # Due to absence of EXTBC in ifconfig output I manually set it # to 255.255.255.255 this hopefully will serve the same purpose EXTIP="`ifconfig $EXTIF|grep addr:|sed 's/.*addr:\([^ ]*\) .*/\1/'`" EXTBC="255.255.255.255" EXTMSK="`ifconfig $EXTIF|grep Mask:|sed 's/.*Mask:\([^ ]*\)/\1/'`" EXTNET="$EXTIP/$EXTMSK" echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET" # Determine the IP/Broadcast/Netmask for the outside interface # dynamically by grepping ifconfig commands INTIP="`ifconfig $INTIF|grep addr:|sed 's/.*addr:\([^ ]*\) .*/\1/'`" INTBC="`ifconfig $INTIF|grep Bcast:|sed 's/.*Bcast:\([^ ]*\) .*/\1/'`" INTMSK="`ifconfig $INTIF|grep Mask:|sed 's/.*Mask:\([^ ]*\)/\1/'`" INTNET="$INTIP/$INTMSK" echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET" # We are now going to create a few custom chains that will result in # logging of dropped packets. This will enable us to avoid having to # enter a log command prior to every drop we wish to log. The # first will be first log drops the other will log rejects. # Do not complain if chain already exists (so restart is clean) iptables -N DROPl 2> /dev/null iptables -A DROPl -j LOG --log-prefix 'DROPl:' iptables -A DROPl -j DROP iptables -N REJECTl 2> /dev/null iptables -A REJECTl -j LOG --log-prefix 'REJECTl:' iptables -A REJECTl -j REJECT # Now we are going to accpet all traffic from our loopback device # if the IP matches any of our interfaces. iptables -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT iptables -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT iptables -A INPUT -i $LPDIF -s $INTIP -j ACCEPT # Blocking Broadcasts iptables -A INPUT -i $EXTIF -d $EXTBC -j DROPl iptables -A INPUT -i $INTIF -d $INTBC -j DROPl iptables -A OUTPUT -o $EXTIF -d $EXTBC -j DROPl iptables -A OUTPUT -o $INTIF -d $INTBC -j DROPl iptables -A FORWARD -o $EXTIF -d $EXTBC -j DROPl iptables -A FORWARD -o $INTIF -d $INTBC -j DROPl # Block WAN access to internal network # # This also stops nefarious crackers from using our network as a # launching point to attack other people iptables -A INPUT -i $EXTIF -d ! $EXTIP -j DROPl # Now we will block internal addresses originating from anything but our # two predefined interfaces... just remember that if you jack your # your laptop or another pc into one of these NIC's directly, you'll need # to ensure that they either have the same ip or that you add a line explicitly # for that IP as well iptables -A INPUT -i $INTIF -s ! $INTNET -j DROPl iptables -A OUTPUT -o $INTIF -d ! $INTNET -j DROPl iptables -A FORWARD -i $INTIF -s ! $INTNET -j DROPl iptables -A FORWARD -o $INTIF -d ! $INTNET -j DROPl # An additional Egress check iptables -A OUTPUT -o $EXTIF -s ! $EXTNET -j DROPl # Block outbound ICMP (except for PING) iptables -A OUTPUT -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl iptables -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl # Explicitly block TCP ports for i in $TCPBLOCK; do iptables -A INPUT -p tcp --dport $i -j DROPl iptables -A OUTPUT -p tcp --dport $i -j DROPl iptables -A FORWARD -p tcp --dport $i -j DROPl done # Explicitly block UDP ports for i in $UDPBLOCK; do iptables -A INPUT -p udp --dport $i -j DROPl iptables -A OUTPUT -p udp --dport $i -j DROPl iptables -A FORWARD -p udp --dport $i -j DROPl done # Open inbound service ports for i in $INPORTS; do iptables -A INPUT -p tcp --dport $i -j ACCEPT done iptables -A FORWARD -t filter -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -t filter -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # Opening up ftp connection tracking MODULES="ip_nat_ftp ip_conntrack_ftp" for i in $MODULES; do modprobe $i done # Allow inside systems to use external services for i in $TCPSERV; do iptables -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT iptables -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT done for i in $UDPSERV; do iptables -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT iptables -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i -m state --state NEW -j ACCEPT done # Allow to ping out iptables -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT iptables -A FORWARD -i $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT # Allow firewall to ping internal systems iptables -A OUTPUT -o $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT # Allow a few services internally iptables -A OUTPUT -o $INTIF -p tcp -s $INTNET --dport 80 -m state --state NEW -j ACCEPT iptables -A OUTPUT -o $INTIF -p tcp -s $INTNET --dport 443 -m state --state NEW -j ACCEPT iptables -A INPUT -i $INTIF -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT # Setup dynamic NAT iptables -t nat -A PREROUTING -j ACCEPT iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE iptables -t nat -A POSTROUTING -j ACCEPT iptables -t nat -A OUTPUT -j ACCEPT iptables -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Block and log what me may have forgot iptables -A INPUT -j DROPl iptables -A OUTPUT -j REJECTl iptables -A FORWARD -j DROPl