My first script, could use some professional advice!

Hello everyone!

Ok, first, a big thanks goes out to Ansgar Wiechers for pointing me in the right direction for Bash-shell scripting; that was a great place for info.

Now, please go easy on me... very little exp. with *nix and first time scripting, but I'm trying :)

I hope this turns out right, I can attach a zip if needed.
FILE NETGATE.SH
---
#!/bin/bash
# bash rather than sh: "echo -e" below is a bash feature.
#
# created by Jayotis Diggory
#
# NOTICE: the following modules are used;
# CONFIG_NETFILTER;CONFIG_IP_NF_CONNTRACK;
# CONFIG_IP_NF_FTP;CONFIG_IP_NF_IPTABLES;CONFIG_IP_NF_MATCH_LIMIT;
# CONFIG_IP_NF_MATCH_MAC;CONFIG_IP_NF_MATCH_STATE;CONFIG_IP_NF_MATCH_OWNER;
# CONFIG_IP_NF_FILTER;CONFIG_IP_NF_TARGET_REJECT;CONFIG_IP_NF_TARGET_MIRROR;TARPIT;MPORT
# Apply Michael's little netfilter patch to ipt_MIRROR.c
# I don't do any modprobes, they're already in the kernel ;).
# Also, ulogd must be installed and the Ulog module present for packet
# parsing. not used yet
#
# Now Set the location of iptables and related shells.
IPTABLES=/sbin/iptables
# Construct a call method
case "$1" in
start)
    /etc/ocb_networking/firewall.sh
    /etc/ocb_networking/masquerade.sh
    ;;
stop)
    echo -e "\nFlushing firewall and setting default policies to CLEAR\n"
    # relies on the distribution's iptables init script providing a "clear" action
    /etc/init.d/iptables clear
    ;;   # this ";;" was missing; without it the case statement does not parse
restart)
    $0 stop
    $0 start
    ;;
status)
    $IPTABLES -L
    ;;
mlist)
    cat /proc/net/ip_conntrack
    ;;
*)
    echo "Usage: NetGate {start|stop|restart|status|mlist}"
    exit 1
    ;;
esac
exit 0
FILE FIREWALL.SH
---
#!/bin/bash
# bash rather than sh: the settings below use arrays, which POSIX sh does not have.
echo "NetGate is now building the firewall.... please wait one moment."
#### Global variable for the network interface(s).
ExNet=""
IntNet=""
#### All Ports that will be used and considered open to the public
# none at the moment
#### All ports that will be used as TARPITS
TarPits="80,21,23,79,110,25,107,389,119,43,22"
#HTTPport=80
#FTPport=21
#TELNETport=23
#FINGERport=79
#POP3port=110 #haha, only because this is a dual boot environment and the mail is over there
#SMTPport=25
#RTELNETport=107
#LDAPport=389
#NNTPport=119
#WHOISport=43
#SSHport=22
# ????any more suggestions?
#### Subnet(s)
# (bash arrays have no declared size; "X[3]=" just sets element 3)
SubMask[3]="" #I'm going to put the network limit at 3 for some extra networks later
#### Important IP addresses
DNSaddress[3]="" #DNS servers
DHCPaddress[3]="" #IP Servers for each network
ExitPoint="" #From local network To external network
LogHost="" #The brains of the bunch
#### Important MAC addresses
DNSmac[3]=""
DHCPmac[3]=""
ExitPointmac=""
LogHostmac="" # the posted line repeated LogHost="" here, clobbering the address above
#### Trusted process ID's
ProcessID[10]=0 # I don't need 10 right now, but whatever
# Initialize the Iptables command path
TPath=/sbin/iptables
# assign network values, TODO incorporate this into a command line
# deal with a for() loop for all networks and values
# ???? Do these two go here?
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "0" > /proc/sys/net/ipv4/ip_dynaddr #for static address, yes?
Ipaddress="192.168.0.101"
ExitPoint="192.168.0.1"
SubMask="255.255.255.0"
DNSaddress[0]="64.59.135.133"
DNSaddress[1]="64.59.135.135"
DNSmac[0]="" #hummm, can't find this value right now, mac module will not be used
ExNet="eth0"
# Flush the filters
$TPath -t filter -F
$TPath -t filter -X
####### LOGGING SYSTEM
# I'm really thinking of editing my syslog.conf so that the logs are in another
# location other than standard practices (i.e. !/var/log/messages) and also change
# the Selectors and Actions so the logs go to the right place based on level.
# Important messages such as limit matches and certain DOS signatures get logged to a
# file, someone's console and to another host... Especially when there is a break in
# the PID rule (trojan!)
#
# TODO: use Ulog module because right now I'm capturing the whole packet and that
# sucks! I only want the headers and not any of the message body.
# ???? do I need to match the protocol in these tables? I have already done that in INPUT.
#
# Syntax fixes applied to the rules below (the posted forms would not load):
#  - the rate limiter is "-m limit --limit 20/minute", not "-m --limit";
#  - "-p *" is a shell glob (it expands to the file names in the current
#    directory); leaving -p out means all protocols;
#  - the LOG option is --log-prefix; the prefix is cut at 29 characters and
#    printed directly before "IN=", so each one ends with a space here;
#  - --log-level is a syslog priority, 0 (emerg) to 7 (debug), lower being MORE
#    severe, so 9 is invalid; crit replaces the 9s, warning the 7s and notice
#    the 5 to keep the intended order of importance.
# CAUTION: MIRROR returns the packet to whatever source address it carries, so
# against spoofed sources this host becomes a reflector for the attacker.
# Create a log table for new outgoing connections by PID.
# I am logging all the processes for general troubleshooting information
# i.e. if a process is able to communicate with Netfilter or not.
# This log event occurs when a legal process makes a NEW connection in OUTPUT.
$TPath -N LOGPID 2>/dev/null
$TPath -A LOGPID -m limit --limit 20/minute -j LOG --log-level notice --log-prefix "Process connected OK "
$TPath -A LOGPID -j ACCEPT
# I'm going to need some help passing the proper $ProcessID to this log, otherwise
# I'm not doing any debugging... just redundant logging. This will be scrapped if
# it's not possible.
# (no -p on the rule above: all protocols)
# Create a log table for NEW OUTPUT connections with illegal PID's
$TPath -N LOGBADPID
$TPath -A LOGBADPID -m limit --limit 20/minute -j LOG --log-level crit --log-prefix "Illegal PID activity! "
$TPath -A LOGBADPID -j DROP
## Create log tables for Limits exceeded, very important that the system can tell the
## difference between types.
# *Flood prevention
$TPath -N LOGFLOOD
$TPath -A LOGFLOOD -p icmp -m limit --limit 20/minute -j LOG --log-level crit --log-prefix "ATTACK Ping Flood! "
$TPath -A LOGFLOOD -j MIRROR
# *SYN scan detection
$TPath -N LOGSYNSCAN
$TPath -A LOGSYNSCAN -p tcp -m limit --limit 20/minute -j LOG --log-level crit --log-prefix "Connection scan detected. "
# ???? I would like to include where the scan is coming from, internal|external node to see if
# an Idle scan is at work. It's level crit (was 9) to notify the LogHost so a check can be made.
$TPath -A LOGSYNSCAN -j DROP
# ????I need a way to check for a 0 byte packet and I don't know how to do that, yet.
# For now it is just a limit check.
# *UDP Scan detection
$TPath -N LOGUDPSCAN
$TPath -A LOGUDPSCAN -p udp -m limit --limit 20/minute -j LOG --log-level warning --log-prefix "UDP scan detected. "
$TPath -A LOGUDPSCAN -j MIRROR
# ACK scan detection
$TPath -N LOGACKSCAN
$TPath -A LOGACKSCAN -p tcp -m limit --limit 20/minute -j LOG --log-level warning --log-prefix "ACK packets received. "
$TPath -A LOGACKSCAN -j REJECT --reject-with icmp-proto-unreachable # haha, yep crazy!
# ???? I would like to send attack type packets as a reply, i.e. buffer overflow, mass
# fragments, etc. Custom responses... Can it be done?
# SYN/ACK scan detection
$TPath -N LOGSYNACK
$TPath -A LOGSYNACK -p tcp -m limit --limit 20/minute -j LOG --log-level warning --log-prefix "SYN/ACK packets received. "
$TPath -A LOGSYNACK -j MIRROR
# Fin Probe fingerprinting detection
$TPath -N LOGFINPROBE
$TPath -A LOGFINPROBE -p tcp -m limit --limit 20/minute -j LOG --log-level warning --log-prefix "FIN Probe detected. "
$TPath -A LOGFINPROBE -j MIRROR
# Stealth scan detection
$TPath -N LOGXSCAN
$TPath -A LOGXSCAN -p tcp -m limit --limit 20/minute -j LOG --log-level warning --log-prefix "Xmas packets received. "
$TPath -A LOGXSCAN -j MIRROR
# NULL scan detection
$TPath -N LOGNULLSCAN
$TPath -A LOGNULLSCAN -p tcp -m limit --limit 20/minute -j LOG --log-level warning --log-prefix "NULL packets received. "
$TPath -A LOGNULLSCAN -j MIRROR
########## phew! FILTER TABLES
# Now that the logging is finished we can start on the fun stuff, packet picking :)
# First make a table for all NEW TCP packets and a table for legitimate port traffic.
$TPath -N NEWTCP
$TPath -N OPEN
## OPEN table. I don't have any open ports so this table is empty right now
## here are some possible ports to have open.
#AUTH Authentication Service
#[tcp:113]
#$TPath -A OPEN -p tcp -s $someip --dport 113 -j ACCEPT
#BOOTPC Bootstrap Protocol Client
#[udp:68]
#$TPath -A OPEN -p udp -s $someip --dport 68 -j ACCEPT
#NAMESERVER Host Name Server
#[tcp:42]
#$TPath -A OPEN -p tcp -s $someip --dport 42 -j ACCEPT
#TIME
#[tcp:37; udp:37]
#$TPath -A OPEN -p tcp -s $someip --dport 37 -j ACCEPT
#$TPath -A OPEN -p udp -s $someip --dport 37 -j ACCEPT
#VNC VNC Virtual Network Computer
#[tcp:5900=display0-viewer;tcp:5800=display0-http]
#[tcp:5901=display1-viewer;tcp:5801=display1-http]
#[tcp:5902=display2-viewer;tcp:5802=display2-http]
#$TPath -A OPEN -p tcp -s $someip --dport 5900 -j ACCEPT # :0 viewer
#$TPath -A OPEN -p tcp -s $someip --dport 5800 -j ACCEPT # :0 http
#$TPath -A OPEN -p tcp -s $someip --dport 5901 -j ACCEPT # :1 viewer
#$TPath -A OPEN -p tcp -s $someip --dport 5801 -j ACCEPT # :1 http
#$TPath -A OPEN -p tcp -s $someip --dport 5902 -j ACCEPT # :2 viewer
#$TPath -A OPEN -p tcp -s $someip --dport 5802 -j ACCEPT # :2 http
## NEWTCP table
## Here we decide what type of NEW packet it is and log it because this person does
## not know how to talk to this network and may be trying something.
# Pick out TCP packets. "--tcp-flags ALL X" means: of the six flags SYN,ACK,FIN,RST,URG,PSH
# exactly X is set. The NULL test needs the ALL mask too, and the flag name is PSH, not PUSH.
$TPath -A NEWTCP -p tcp --tcp-flags ALL FIN -j LOGFINPROBE
$TPath -A NEWTCP -p tcp --tcp-flags ALL SYN,ACK -j LOGSYNACK
$TPath -A NEWTCP -p tcp --tcp-flags ALL NONE -j LOGNULLSCAN
$TPath -A NEWTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j LOGXSCAN
$TPath -A NEWTCP -p tcp --tcp-flags ALL ACK -j LOGACKSCAN
$TPath -A NEWTCP -p tcp -j DROP   # everything else, plain SYNs included: no open ports
## cool, now I structure my INPUT table for maximum efficiency
$TPath -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT #now I am only left with NEW packets
$TPath -A INPUT -p all -i $ExNet -d 255.255.255.255 -j DROP # kill all broadcasts!
#$TPath -A INPUT -p tcp -m multiport --dports 22,53,80,110 -j OPEN #this line is out because I have no open ports
# multiport only works with -p tcp or -p udp, and TARPIT is TCP-only, so: one line per protocol.
# (the variable is $TarPits as declared above; the posted line used $TarPit, which is empty)
$TPath -A INPUT -p tcp -m multiport --dports $TarPits -j TARPIT #can I use match without a protocol?? TARPIT any proto??
# "-m limit" MATCHES while the rate is under the limit and stops matching above it. So the
# limited rule must carry the normal action, and the unlimited rule after it catches the
# excess. As posted (limit -> LOGFLOOD, then REJECT) every ordinary ping was logged as a
# flood and mirrored, while the real flood fell through to REJECT.
$TPath -A INPUT -p icmp -m limit --limit 1/s -j REJECT --reject-with icmp-net-unreachable #maybe update all the routers so my network disappear? that would not be good...
$TPath -A INPUT -p icmp -j LOGFLOOD
# UDP is kept as posted: the first 30 unsolicited datagrams per minute are logged and
# mirrored, anything above that is dropped silently.
$TPath -A INPUT -p udp -m limit --limit 30/minute -j LOGUDPSCAN
$TPath -A INPUT -p udp -j DROP
$TPath -A INPUT -p tcp -j NEWTCP
$TPath -A INPUT -p all -j DROP
# TODO add some additional randomness to the initial sequence numbers and figure out
# how to launch my apps that need to access the net and get their PID!
# TODO regulate Don't Fragment bit usage
# TODO stop spoofing, accept no internal addresses on external interface vice-versa
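Two things worth having on the receiving end of those LOG rules, as an added example in Python (mine, not code from the post): a model of the netfilter `limit` match, which matches while the rate is under the limit and so shows what `-p icmp -m limit --limit 1/s -j LOGFLOOD` followed by `-p icmp -j REJECT` actually logs, and a parser for the kernel log lines the LOG* chains produce that maps the flag words back to the NEWTCP scan types and records which interface the packet arrived on (the "internal|external" question for idle scans). The sample log lines are constructed; eth0 as the external interface and the prefix texts are assumptions taken from the script.

```python
"""
Added example, not part of the original post: the receiving side of the
firewall.sh rules.  Part 1 models the netfilter `limit` match to show why
`-p icmp -m limit --limit 1/s -j LOGFLOOD` followed by `-p icmp -j REJECT`
logs the quiet pings and lets the flood fall through.  Part 2 parses the
kernel LOG lines the LOG* chains write and maps the TCP flag words back to
the scan type the NEWTCP chain tested for.  The lines in SAMPLE are
constructed here, not captured from a real host.
"""
import re
from collections import Counter


def limit_match(timestamps, rate_per_sec, burst=5):
    """One bool per packet (timestamps in seconds, ascending): True where
    `-m limit --limit <rate> --limit-burst <burst>` would MATCH.  It is a
    token bucket that starts full and refills at `rate`; iptables' default
    burst is 5.  Once the bucket is empty the match stops matching."""
    tokens, last, out = float(burst), None, []
    for t in timestamps:
        if last is not None:
            tokens = min(float(burst), tokens + (t - last) * rate_per_sec)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            out.append(True)
        else:
            out.append(False)
    return out


def icmp_targets(timestamps, rate_per_sec=1.0, burst=5):
    """Target reached by each ICMP packet under the two rule orders:
       as_posted:  -m limit -j LOGFLOOD, then -j REJECT
       corrected:  -m limit -j REJECT,   then -j LOGFLOOD  (excess only)"""
    hits = limit_match(timestamps, rate_per_sec, burst)
    return {
        "as_posted": Counter("LOGFLOOD" if h else "REJECT" for h in hits),
        "corrected": Counter("REJECT" if h else "LOGFLOOD" for h in hits),
    }


# ipt_LOG writes "<prefix>IN=... PROTO=TCP ... <flag words> URGP=0"; the
# prefix lands directly before "IN=", hence the trailing space on prefixes.
FLAG_WORDS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
# "--tcp-flags ALL ..." masks only these six bits; CWR/ECE are ignored.
MASK_ALL = frozenset({"SYN", "ACK", "FIN", "RST", "URG", "PSH"})
LOG_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)IN=(?P<rest>.*)$")


def parse_log_line(line):
    """Dict of the KEY=value fields plus PREFIX and FLAGS (frozenset of flag
    words), or None when the line is not a netfilter LOG record."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec, flags = {"PREFIX": m.group("prefix").strip()}, set()
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val
        elif tok in FLAG_WORDS:
            flags.add(tok)
    rec["FLAGS"] = frozenset(flags)
    return rec


def classify(rec):
    """The NEWTCP chain's categories, applied to a parsed record."""
    if rec.get("PROTO") != "TCP":
        return rec.get("PROTO", "?").lower()
    flags = rec["FLAGS"] & MASK_ALL          # same test as --tcp-flags ALL x
    return {
        frozenset({"FIN"}): "fin-probe",
        frozenset({"SYN", "ACK"}): "syn-ack",
        frozenset(): "null",
        frozenset({"FIN", "URG", "PSH"}): "xmas",
        frozenset({"ACK"}): "ack",
    }.get(flags, "other")                    # e.g. a plain SYN, dropped silently


def summarize(lines, ext_iface="eth0"):
    """Count (source, side, type).  `side` says whether the packet came in
    on the external interface; ext_iface="eth0" is assumed from ExNet."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        side = "external" if rec.get("IN") == ext_iface else "internal"
        counts[(rec.get("SRC"), side, classify(rec))] += 1
    return counts


# Constructed sample lines in the syslog format ipt_LOG produces.
SAMPLE = [
    "Jun  1 12:00:01 gw kernel: FIN Probe detected. IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.101 LEN=40 TTL=52 ID=1 PROTO=TCP SPT=45000 DPT=22 WINDOW=1024 RES=0x00 FIN URGP=0",
    "Jun  1 12:00:01 gw kernel: Xmas packets received. IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.101 LEN=40 TTL=52 ID=2 PROTO=TCP SPT=45000 DPT=23 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0",
    "Jun  1 12:00:02 gw kernel: NULL packets received. IN=eth1 OUT= SRC=192.168.0.50 DST=192.168.0.101 LEN=40 TTL=64 ID=3 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 URGP=0",
    "Jun  1 12:00:03 gw kernel: ACK packets received. IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.0.101 LEN=40 TTL=48 ID=4 PROTO=TCP SPT=1 DPT=25 WINDOW=1024 RES=0x00 CWR ACK URGP=0",
    "Jun  1 12:00:04 gw kernel: UDP scan detected. IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.0.101 LEN=28 TTL=48 ID=5 PROTO=UDP SPT=53 DPT=161",
    "Jun  1 12:00:05 gw sshd[123]: Accepted publickey for ops from 192.168.0.50",
]

if __name__ == "__main__":
    print(icmp_targets([i / 100 for i in range(100)]))   # 100 pings in 1 s
    for key, n in sorted(summarize(SAMPLE).items()):
        print(key, n)
```

For a burst of 100 pings inside one second the as_posted counter comes out as 5 LOGFLOOD and 95 REJECT: the first five pings (the default burst) are the ones logged as a flood and mirrored, and the flood itself is never logged; reversing the two rules gives 95 LOGFLOOD. On the parsing side, the CWR bit on the ACK sample is masked away exactly as `--tcp-flags ALL ACK` would do, and the sshd line is skipped because it carries no IN= field.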