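#!/usr/bin/env bash
#
# firewall - build the packet-filter and NAT ruleset for a two-interface
# gateway (one outside/WAN interface, one inside/LAN interface).
#
# Reads /etc/firewall.conf, which must define:
#   EXTIF - outside interface      INTIF - inside interface
#   LPDIF - loopback interface     LPDIP - loopback address
# and may define space-separated port lists:
#   TCPBLOCK / UDPBLOCK - ports dropped in every chain
#   INPORTS             - TCP ports accepted inbound on every interface
#   TCPSERV / UDPSERV   - outbound services the firewall and the LAN may use
#
# Must run as root. Configuration loading and address detection happen
# BEFORE the existing rules are touched, so a bad configuration leaves the
# running firewall as it was instead of a half-built one in lockdown.

set -u -o pipefail

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Run iptables; a failing rule is reported on stderr but does not abort,
# matching the original best-effort behaviour of the script.
# Arguments: $@ - iptables arguments
#######################################
ipt() {
  iptables "$@" || printf 'warning: rule failed: iptables %s\n' "$*" >&2
}

#######################################
# Write a value to a /proc or /sys tunable.
# Arguments: $1 - path
#            $2 - value
#######################################
write_proc() {
  local path=$1 value=$2
  printf '%s\n' "$value" > "$path" \
    || printf 'warning: could not write %s to %s\n' "$value" "$path" >&2
}

#######################################
# Extract one IPv4 field from net-tools ifconfig output.
# Only the "inet addr:" line is considered: an unanchored match on "addr:"
# also hits "inet6 addr:" lines and yields a multi-line (broken) value.
# Arguments: $1 - interface name
#            $2 - field label: addr, Bcast or Mask
# Outputs:   the value on stdout
# Returns:   0 if a value was found, 1 otherwise
#######################################
iface_field() {
  local iface=$1 label=$2 value
  value=$(ifconfig "$iface" | grep 'inet addr:' \
    | sed -n "s/.*${label}:\([^ ]*\).*/\1/p") || return 1
  value=${value%%$'\n'*}   # keep the first match only
  [[ -n "$value" ]] || return 1
  printf '%s\n' "$value"
}

# Make sure we have all the commands to continue
for cmd in iptables ifconfig grep sed; do
  command -v "$cmd" >/dev/null 2>&1 \
    || die 'Essential commands are missing. Can not continue.'
done

# Check for root
(( UID == 0 )) || die 'You are not root.'

# Use the C locale so tool output (ifconfig etc.) is not localised when we
# parse it. "en" is not a valid locale name on most systems and would
# typically produce a setlocale warning instead of the intended effect.
export LC_ALL=C

# Source our configuration file and make sure the interface settings that
# every rule below depends on are present.
readonly CONFIG=/etc/firewall.conf
[[ -r "$CONFIG" ]] || die "cannot read $CONFIG"
# shellcheck source=/dev/null
source "$CONFIG" || die "error while loading $CONFIG"
for var in EXTIF INTIF LPDIF LPDIP; do
  [[ -n "${!var:-}" ]] || die "$var must be set in $CONFIG"
done

# Determine the IP/Netmask for the outside interface from ifconfig output.
#
# net-tools ifconfig does not report a broadcast address for every interface
# type, so the limited broadcast 255.255.255.255 is used for the outside
# interface instead; it serves the same purpose in the rules below.
EXTIP=$(iface_field "$EXTIF" addr) || die "cannot determine the IPv4 address of $EXTIF"
EXTBC="255.255.255.255"
EXTMSK=$(iface_field "$EXTIF" Mask) || die "cannot determine the netmask of $EXTIF"
EXTNET="$EXTIP/$EXTMSK"
printf 'EXTIP=%s EXTBC=%s EXTMSK=%s EXTNET=%s\n' "$EXTIP" "$EXTBC" "$EXTMSK" "$EXTNET"

# Determine the IP/Broadcast/Netmask for the inside interface the same way.
INTIP=$(iface_field "$INTIF" addr) || die "cannot determine the IPv4 address of $INTIF"
INTBC=$(iface_field "$INTIF" Bcast) || die "cannot determine the broadcast address of $INTIF"
INTMSK=$(iface_field "$INTIF" Mask) || die "cannot determine the netmask of $INTIF"
INTNET="$INTIP/$INTMSK"
printf 'INTIP=%s INTBC=%s INTMSK=%s INTNET=%s\n' "$INTIP" "$INTBC" "$INTMSK" "$INTNET"

# Go into lockdown mode while we setup the rules
ipt -P INPUT   DROP
ipt -P OUTPUT  DROP
ipt -P FORWARD DROP

# Flush all existing chains and erase personal chains in every table the
# kernel reports.
# NOTE(review): on systems where iptables uses the nf_tables backend this
# file may be missing or empty, in which case nothing is flushed here;
# confirm on the target system.
if [[ -r /proc/net/ip_tables_names ]]; then
  while IFS= read -r table; do
    [[ -n "$table" ]] || continue
    ipt -t "$table" -F
    ipt -t "$table" -X
  done < /proc/net/ip_tables_names
fi

# Kernel hardening: SYN cookies and ignoring broadcast pings
write_proc /proc/sys/net/ipv4/tcp_syncookies 1
write_proc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  write_proc "$f" 1
done

# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  write_proc "$f" 0
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  write_proc "$f" 0
done

# Routing between INTIF and EXTIF needs forwarding enabled; the FORWARD
# chain (policy DROP plus the rules below) decides what is actually passed.
write_proc /proc/sys/net/ipv4/ip_forward 1

# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will log drops, the other will log rejects.
# Do not complain if chain already exists (so restart is clean)
iptables -N DROPl   2>/dev/null || true
ipt -A DROPl   -j LOG --log-prefix 'DROPl:'
ipt -A DROPl   -j DROP
iptables -N REJECTl 2>/dev/null || true
ipt -A REJECTl -j LOG --log-prefix 'REJECTl:'
ipt -A REJECTl -j REJECT

# Now we are going to accept all traffic from our loopback device
# if the IP matches any of our interfaces.
ipt -A INPUT   -i "$LPDIF" -s "$LPDIP" -j ACCEPT
ipt -A INPUT   -i "$LPDIF" -s "$EXTIP" -j ACCEPT
ipt -A INPUT   -i "$LPDIF" -s "$INTIP" -j ACCEPT

# Blocking Broadcasts
ipt -A INPUT   -i "$EXTIF" -d "$EXTBC" -j DROPl
ipt -A INPUT   -i "$INTIF" -d "$INTBC" -j DROPl
ipt -A OUTPUT  -o "$EXTIF" -d "$EXTBC" -j DROPl
ipt -A OUTPUT  -o "$INTIF" -d "$INTBC" -j DROPl
ipt -A FORWARD -o "$EXTIF" -d "$EXTBC" -j DROPl
ipt -A FORWARD -o "$INTIF" -d "$INTBC" -j DROPl

# Block WAN access to the firewall's other addresses (INPUT chain only; see
# the note on the FORWARD rules further down).
#
# Negation is written in the prepositional form ("! -d") - the old
# "-d ! addr" form is deprecated in current iptables releases.
ipt -A INPUT   -i "$EXTIF" ! -d "$EXTIP" -j DROPl

# Now we will block internal addresses originating from anything but our
# two predefined interfaces... just remember that if you jack your
# laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line explicitly
# for that IP as well
ipt -A INPUT   -i "$INTIF" ! -s "$INTNET" -j DROPl
ipt -A OUTPUT  -o "$INTIF" ! -d "$INTNET" -j DROPl
ipt -A FORWARD -i "$INTIF" ! -s "$INTNET" -j DROPl
ipt -A FORWARD -o "$INTIF" ! -d "$INTNET" -j DROPl

# An additional Egress check
ipt -A OUTPUT  -o "$EXTIF" ! -s "$EXTNET" -j DROPl

# Block outbound ICMP (except for PING)
ipt -A OUTPUT  -o "$EXTIF" -p icmp ! --icmp-type 8 -j DROPl
ipt -A FORWARD -o "$EXTIF" -p icmp ! --icmp-type 8 -j DROPl

# Explicitly block TCP ports (lists are space separated, so they are
# deliberately left unquoted to word-split)
for port in ${TCPBLOCK:-}; do
  ipt -A INPUT   -p tcp --dport "$port" -j DROPl
  ipt -A OUTPUT  -p tcp --dport "$port" -j DROPl
  ipt -A FORWARD -p tcp --dport "$port" -j DROPl
done

# Explicitly block UDP ports
for port in ${UDPBLOCK:-}; do
  ipt -A INPUT   -p udp --dport "$port" -j DROPl
  ipt -A OUTPUT  -p udp --dport "$port" -j DROPl
  ipt -A FORWARD -p udp --dport "$port" -j DROPl
done

# Open inbound service ports. No interface is given, so these ports are
# reachable from EXTIF as well as INTIF.
for port in ${INPORTS:-}; do
  ipt -A INPUT -p tcp --dport "$port" -j ACCEPT
done

# Stateful forwarding between the two interfaces.
# NOTE(review): the second rule accepts NEW connections arriving on EXTIF
# for forwarding, so the INPUT-only "Block WAN access" rule above does not
# cover forwarded traffic; if only LAN-initiated sessions should be
# forwarded, restrict this rule to ESTABLISHED,RELATED.
ipt -A FORWARD -t filter -o "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
ipt -A FORWARD -t filter -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Opening up ftp connection tracking. These are the legacy module names;
# a failed load is reported but not fatal (newer kernels name the helpers
# nf_conntrack_ftp / nf_nat_ftp).
MODULES="ip_nat_ftp ip_conntrack_ftp"
for mod in $MODULES; do
  modprobe "$mod" || printf 'warning: could not load module %s\n' "$mod" >&2
done

# Allow inside systems to use external services
for port in ${TCPSERV:-}; do
  ipt -A OUTPUT  -o "$EXTIF" -p tcp -s "$EXTIP"  --dport "$port" --syn -m state --state NEW -j ACCEPT
  ipt -A FORWARD -i "$INTIF" -p tcp -s "$INTNET" --dport "$port" --syn -m state --state NEW -j ACCEPT
done

for port in ${UDPSERV:-}; do
  ipt -A OUTPUT  -o "$EXTIF" -p udp -s "$EXTIP"  --dport "$port" -m state --state NEW -j ACCEPT
  ipt -A FORWARD -i "$INTIF" -p udp -s "$INTNET" --dport "$port" -m state --state NEW -j ACCEPT
done

# Allow to ping out
ipt -A OUTPUT  -o "$EXTIF" -p icmp -s "$EXTIP"  --icmp-type 8 -m state --state NEW -j ACCEPT
ipt -A FORWARD -i "$INTIF" -p icmp -s "$INTNET" --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow firewall to ping internal systems
ipt -A OUTPUT  -o "$INTIF" -p icmp -s "$INTNET" --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow a few services internally
ipt -A OUTPUT  -o "$INTIF" -p tcp -s "$INTNET" --dport 80  -m state --state NEW -j ACCEPT
ipt -A OUTPUT  -o "$INTIF" -p tcp -s "$INTNET" --dport 443 -m state --state NEW -j ACCEPT
ipt -A INPUT   -i "$INTIF" -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

# Setup dynamic NAT
ipt -t nat -A PREROUTING  -j ACCEPT
ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE
ipt -t nat -A POSTROUTING -j ACCEPT
ipt -t nat -A OUTPUT -j ACCEPT

# NOTE(review): this accepts new inbound ident (auth, tcp/113) connections
# on every interface, including EXTIF; keep it only if ident lookups from
# the outside are wanted.
ipt -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT

# Replies to anything we allowed above
ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
ipt -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block and log what we may have forgot
ipt -A INPUT   -j DROPl
ipt -A OUTPUT  -j REJECTl
ipt -A FORWARD -j DROPl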