Hi people.. i just " finished " my firewall.. i didn't test it, i never ran it... it may not work at all... but i spent sooooooooo many hours.. that i want to share it. I accept any suggestions and critics... it's not finished and there are a lot of things that i need to add... but for now, i will do something else, i hate iptables for the next two or three days :) any suggestions, welcome :) see ya sorry for my english, never studied -- Guido Lorenzutti (Peperino Pomuro) emails: guidolorenzutti@arnet.com.ar gml-bsas@sicemercosur.com.ar peperinopomuro@arnet.com.ar linux user #206665 - http://counter.li.org
#!/bin/bash
#version 1.0 (mayor release! uija!)
#
#history:
# i lost it :)... deal with it.
#to do:
#see if i don't need to discriminate the ports below 1024
#check the need of a "catch all" rule at the end
#depending on the distro check were the script is and scream if it is not on /etc/init.d/
#this is a comment, i like comments, read them for help
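##----------------------------initial config---------------------------------##
# every knob of the firewall lives here; the rest of the script only reads
# these variables.  The yes/no switches are compared literally, keep them
# lowercase.
#-------------system configuration--------------#
IPTABLES=/sbin/iptables #path of the iptables binary (checked for -x below)
MODULES=no #yes if your kernel supports modules and you need them
#to do: the list of modules to load still has to be added (only depmod -a runs today)
#----------network devices settings-------------#
NETNIC=ppp0 #the interface to the internet; any name other than ppp0 makes postrouting use SNAT instead of MASQUERADE
LANNIC=eth1 #the interface connected to your lan
# both addresses are scraped from ifconfig's "inet addr:x.x.x.x" line (net-tools
# format); cut passes a line without ":" through unchanged, so the newer
# "inet x.x.x.x" format works too.  -w keeps inet6 lines out of the match.
# The config test below aborts when either address comes back empty.
IPNETNIC=$(ifconfig "$NETNIC" | grep -w inet | awk '{ print $2 }' | cut -d : -f 2)
IPLANNIC=$(ifconfig "$LANNIC" | grep -w inet | awk '{ print $2 }' | cut -d : -f 2)
#-------------/proc sysctl settings-------------#
IP_FORWARD=yes #to enable ipforward, VERY important (the lan does not reach the internet without it)
ICMPALLIGNORE=no #yes to block ALL the pings from everywhere
ICMPBROADCAST=yes #yes to not respond to broadcast pings (smurf)
ICMPERRORMESG=yes #yes to protect against bogus error messages
LOGMARTIANS=yes #yes to log packets with impossible addresses
IP_SPOOFING=yes #yes to enable reverse path filtering (anti spoofing) on ALL interfaces
REDUCEDOS=yes #shorter tcp timeouts and window scaling/sack off; less DOS exposure at a throughput cost
SYNCOOKIES=yes #yes to enable tcp syn cookies protection
TIMESTAMPS=yes #yes to switch tcp timestamps off
SOURCEROUTED=yes #yes to ignore source routed packets
SENDREDIRECTS=yes #yes to stop this box from sending icmp redirects (received redirects are not touched)
#------------adsl specific problems-------------#
PPPOE_PMTU=no #yes clamps the tcp mss to the path mtu, if you have problems with your pppoe connection
PPTP_GRE=no #yes accepts gre on the internet interface, if you have problems with your pptp connection
#------------------squid setup------------------#
TRANSPARENT=yes #yes if you use squid in transparent mode (lan port 80 is redirected)
SQUIDINSIDE=yes #yes if you run squid on the box connected to the lan
SQUIDREMOTE= #the ip of the remote squid box on your lan (needed when SQUIDINSIDE=no)
SQUIDPORT=3128 #the port where squid listens
##--------------------------hosts and ports config---------------------------##
#----------specific TOTALLY banned IPs----------#
USEHATE=no #to start using the next options
MICROSOFT=www.microsoft.com #sample of a banned host
HATEHOSTS="$MICROSOFT" #add the banned hosts here (space separated)
#-------------specific trusted hosts------------#
# a trusted host gets ACCEPT for everything on INPUT.  A host name is resolved
# once, when the rules are loaded; a dynamic dns name that changes later keeps
# trusting whoever holds the old address.
USETRUST=yes #to start using the next options
SICEAR=sicear.dyndns.org #example of a host to trust
TRUSTED="$SICEAR" #add the hosts to trust here (space separated)
#-----------local MAC address friends-----------#
# a mac address is trivially spoofable and only visible on the attached
# segment: this is a convenience, not authentication.
USEMAC=yes #to start using the next options
AZRAEL=00:50:BA:86:9F:EC #example of a mac address to trust
DROOPY=00:50:BA:87:32:34 #defined but not listed in MACFRIENDS
CEREBRO=00:E0:7D:9F:76:A3
MACFRIENDS="$AZRAEL $CEREBRO" #add the hosts to trust here (space separated)
#---------------ssh administration--------------#
#still living my life
#-----------------flood variables---------------#
TCPSYNLIMIT="5/s" # Overall Limit for TCP-SYN-Flood detection (not referenced by any rule in this script yet)
TCPSYNLIMITBURST="10" # Burst Limit for TCP-SYN-Flood detection
LOGLIMIT="2/s" # Overall Limit for Logging in Logging-Chains
LOGLIMITBURST="10" # Burst Limit for Logging in Logging-Chains
PINGLIMIT="5/s" # Overall Limit for Ping-Flood-Detection
PINGLIMITBURST="10" # Burst Limit for Ping-Flood-Detection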
##---------------------------testing the config------------------------------##
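# pre-flight checks: root, both interface addresses, an executable iptables and
# (for start only) that no earlier start is still loaded.  Each failure aborts
# with status 1 before any rule is touched.
if [ "$UID" != "0" ]; then
echo " (\___/) "
echo " (=':'=) "
echo " ('']_['') "
echo " "
echo " are you r00t?"
exit 1
fi
if [ -z "$IPNETNIC" ]; then
echo "ABORTING: Unable to determine the IP-address of the $NETNIC"
exit 1
else
echo "the internet connection is thru the $NETNIC device"
fi
if [ -z "$IPLANNIC" ]; then
echo "ABORTING: Unable to determine the IP-address of the $LANNIC"
exit 1
else
echo "the lan connection is thru the $LANNIC device"
fi
if [ -x "$IPTABLES" ]; then
echo "the configuration seems to be OK"
else
echo "ABORTING: $IPTABLES doesn't exist or isn't executable"
exit 1
fi
# the ICMP chain only exists while a ruleset is loaded, so failing to create it
# means the firewall is already up.  Only "start" refuses in that case: stop,
# restart and status must keep working on a running firewall (the probe used to
# run for every action, and its "exit1" typo was the only reason stop still worked).
# The probe chain is removed again so that "status" does not leave an empty chain.
if [ "$1" = "start" ]; then
if ! "$IPTABLES" -N ICMP; then
echo
echo "you should stop the firewall before start it again"
echo "/etc/init.d/firewall stop"
echo
exit 1
fi
"$IPTABLES" -X ICMP
fi
##----------------------------modules to load--------------------------------##
if [ "$MODULES" = "yes" ] ; then
echo "cargando los modulos necesarios"
depmod -a #only rebuilds the module dependency list; the modprobe calls are still to do
else
echo "you don't need any modules or your kernel dosen't support them"
fi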
##----------------------functions for the firewall---------------------------##
#----------------function closep-----------------#
function closep() {
# default policy DROP on the three built-in chains: nothing passes until the
# rules are in place.
local chain
for chain in INPUT FORWARD OUTPUT; do
"$IPTABLES" -P "$chain" DROP
done
}
#-----------------function proc-----------------#
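#######################################
# writes one value into a /proc/sys entry.
# Arguments: $1 - path of the /proc entry, $2 - value to write
# Returns:   0 on success; 1 if the entry does not exist (silently: the kernel
#            simply lacks the option) or if the write failed (warning on stderr)
#######################################
_proc_set() {
local path=$1 value=$2
[ -e "$path" ] || return 1
if ! echo "$value" > "$path"; then
echo "WARNING: could not write $value to $path" >&2
return 1
fi
}
#######################################
# kernel (sysctl) hardening driven by the yes/no switches of the config block.
# Every entry is written only if it exists, so the script also runs on kernels
# that lack an option; the confirmation lines keep the original wording.
# Globals:  the IP_FORWARD ... SENDREDIRECTS switches (read)
# Outputs:  one line per setting that was applied, on stdout
#######################################
function proc() {
if [ "$IP_FORWARD" = "yes" ] && _proc_set /proc/sys/net/ipv4/ip_forward 1; then
echo "ip_foward activated"
fi
if [ "$ICMPALLIGNORE" = "yes" ] && _proc_set /proc/sys/net/ipv4/icmp_echo_ignore_all 1; then
echo "blocking all pings from everywhere"
fi
if [ "$ICMPBROADCAST" = "yes" ] && _proc_set /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1; then
echo "blocking all broadcast pings"
fi
if [ "$ICMPERRORMESG" = "yes" ] && _proc_set /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1; then
echo "enable error message protection"
fi
# the existence test used to look at "log_martinas" (typo), so it never matched
# and martian logging was silently never enabled
if [ "$LOGMARTIANS" = "yes" ] && _proc_set /proc/sys/net/ipv4/conf/all/log_martians 1; then
echo "logging packets with impossible addresses"
fi
# rp_filter=1 is strict reverse path filtering (a packet whose source would not
# be routed back through the arriving interface is dropped).  The script wrote
# 2, which current kernels read as the weaker "loose" mode that does not stop
# spoofed sources arriving on the wrong interface.
if [ "$IP_SPOOFING" = "yes" ] && _proc_set /proc/sys/net/ipv4/conf/all/rp_filter 1; then
echo "blocking IP spoofing attacks"
fi
if [ "$REDUCEDOS" = "yes" ] ; then
# these four were written without an existence check; "|| true" keeps a
# missing entry from aborting the script under set -e (a failed write still warns)
# NOTE(review): window scaling and SACK off trade throughput for a smaller
# attack surface; confirm that is still wanted on today's links
_proc_set /proc/sys/net/ipv4/tcp_fin_timeout 30 || true
_proc_set /proc/sys/net/ipv4/tcp_keepalive_time 2400 || true
_proc_set /proc/sys/net/ipv4/tcp_window_scaling 0 || true
_proc_set /proc/sys/net/ipv4/tcp_sack 0 || true
fi
if [ "$SYNCOOKIES" = "yes" ] && _proc_set /proc/sys/net/ipv4/tcp_syncookies 1; then
echo "tcp syn cookies protection enabled"
fi
if [ "$TIMESTAMPS" = "yes" ] && _proc_set /proc/sys/net/ipv4/tcp_timestamps 0; then
echo "tcp timestamps protection enabled"
fi
if [ "$SOURCEROUTED" = "yes" ] && _proc_set /proc/sys/net/ipv4/conf/all/accept_source_route 0; then
echo "ignore source routed packets"
fi
# send_redirects=0 stops this box from emitting icmp redirects; received
# redirects are governed by accept_redirects, which this script does not touch
if [ "$SENDREDIRECTS" = "yes" ] && _proc_set /proc/sys/net/ipv4/conf/all/send_redirects 0; then
echo "ignore redirected packets"
fi
}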
#---------------------logs----------------------#
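#######################################
# loads the whole ruleset.  Expects clean() to have run (chains empty, policies
# ACCEPT) and reads the config variables from the top of the file.
# Globals:  IPTABLES, NETNIC, LANNIC, IPNETNIC, the LOG*/PING* limits, the
#           yes/no switches and host lists of the config block (all read)
# Outputs:  progress lines on stdout; every rule goes through $IPTABLES
# Returns:  status of the last iptables call; the caller runs under set -e, so
#           any rejected rule aborts the script
#######################################
function firewall() {
# the bad-flag chain used $INT and $LOGLEVEL, which are set nowhere in this
# script (the empty expansions made iptables reject those rules); default to
# the internet interface and to the "info" level that LDROP already uses
local int=${INT:-$NETNIC}
local loglevel=${LOGLEVEL:-info}
local i
#----------------logging chains-----------------#
"$IPTABLES" -N WATCH #log (rate limited) and accept; the ACCEPT itself is not limited
"$IPTABLES" -A WATCH -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-level warn --log-prefix "ACCEPT"
"$IPTABLES" -A WATCH -j ACCEPT
"$IPTABLES" -N LDROP #log and drop. NOTE(review): no limit match here, a flood of dropped packets floods the log too
"$IPTABLES" -A LDROP -p tcp -j LOG --log-level info --log-prefix "DROP TCP"
"$IPTABLES" -A LDROP -p udp -j LOG --log-level info --log-prefix "DROP UDP"
"$IPTABLES" -A LDROP -p icmp -j LOG --log-level info --log-prefix "DROP ICMP"
"$IPTABLES" -A LDROP -p gre -j LOG --log-level info --log-prefix "DROP GRE"
"$IPTABLES" -A LDROP -j DROP
#log and drop bad flag combinations.  The LOG rule was appended to a misspelled
#"LBADGLAG" chain before; note that nothing jumps here yet, CHECKBADFLAG drops directly
"$IPTABLES" -N LBADFLAG
"$IPTABLES" -A LBADFLAG -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "badflag"
"$IPTABLES" -A LBADFLAG -j DROP
"$IPTABLES" -N LINVALID #invalid packets (not ESTABLISHED,RELATED or NEW)
"$IPTABLES" -A LINVALID -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "invalid"
"$IPTABLES" -A LINVALID -j DROP
"$IPTABLES" -N LPINGFLOOD #what exceeds the ping limits ends here
"$IPTABLES" -A LPINGFLOOD -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "pingflood"
"$IPTABLES" -A LPINGFLOOD -j DROP
#-------------------icmp stuff------------------#
"$IPTABLES" -N ICMP #icmp chain; also the marker the pre-flight probe looks for
"$IPTABLES" -A ICMP -p icmp --icmp-type echo-reply -m limit --limit "$PINGLIMIT" --limit-burst "$PINGLIMITBURST" -j ACCEPT
"$IPTABLES" -A ICMP -p icmp --icmp-type echo-reply -j LPINGFLOOD
"$IPTABLES" -A ICMP -p icmp --icmp-type port-unreachable -m limit --limit "$PINGLIMIT" --limit-burst "$PINGLIMITBURST" -j ACCEPT
"$IPTABLES" -A ICMP -p icmp --icmp-type port-unreachable -j LPINGFLOOD
#ICMPWATCH types are logged and accepted (echo-request is among them, so the box
#answers pings and only the logging of them is rate limited); ICMPLDROP types are logged and dropped
ICMPWATCH="destination-unreachable network-unreachable host-unreachable protocol-unreachable source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited echo-request time-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing"
ICMPLDROP="fragmentation-needed host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect router-advertisement router-solicitation timestamp-request timestamp-reply address-mask-request address-mask-reply"
for i in $ICMPWATCH; do #word splitting intended
"$IPTABLES" -A ICMP -p icmp --icmp-type "$i" -j WATCH
done
for i in $ICMPLDROP; do
"$IPTABLES" -A ICMP -p icmp --icmp-type "$i" -j LDROP
done
"$IPTABLES" -A ICMP -p icmp -j LDROP #any other icmp type
#---------logging portscanning attacks----------#
#drops tcp packets with impossible flag combinations (scan signatures), logged at
#3 per minute.  Only packets arriving on $int are examined; the rest fall through unchanged
"$IPTABLES" -N CHECKBADFLAG
"$IPTABLES" -A CHECKBADFLAG -i "$int" -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/m --limit-burst 5 -j LOG --log-level "$loglevel" --log-prefix "DROP Nmap XMAS Scan:"
"$IPTABLES" -A CHECKBADFLAG -i "$int" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
"$IPTABLES" -A CHECKBADFLAG -i "$int" -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/m --limit-burst 5 -j LOG --log-level "$loglevel" --log-prefix "DROP SYN RST Scan:"
"$IPTABLES" -A CHECKBADFLAG -i "$int" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
"$IPTABLES" -A CHECKBADFLAG -i "$int" -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/m --limit-burst 5 -j LOG --log-level "$loglevel" --log-prefix "DROP SYN FIN Scan:"
"$IPTABLES" -A CHECKBADFLAG -i "$int" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
"$IPTABLES" -A CHECKBADFLAG -i "$int" -p tcp --tcp-flags ALL FIN -m limit --limit 3/m --limit-burst 5 -j LOG --log-level "$loglevel" --log-prefix "DROP Nmap Stealth FYN Scan: "
"$IPTABLES" -A CHECKBADFLAG -i "$int" -p tcp --tcp-flags ALL FIN -j DROP
"$IPTABLES" -A CHECKBADFLAG -i "$int" -p tcp --tcp-flags ALL ALL -m limit --limit 3/m --limit-burst 5 -j LOG --log-level "$loglevel" --log-prefix "DROP ALL/ALL Scan: "
"$IPTABLES" -A CHECKBADFLAG -i "$int" -p tcp --tcp-flags ALL ALL -j DROP
"$IPTABLES" -A CHECKBADFLAG -i "$int" -p tcp --tcp-flags ALL NONE -m limit --limit 3/m --limit-burst 5 -j LOG --log-level "$loglevel" --log-prefix "DROP Nmap Stealth Null Scan: "
"$IPTABLES" -A CHECKBADFLAG -i "$int" -p tcp --tcp-flags ALL NONE -j DROP
#--------------log blocked ports----------------#
#drops tcp/udp packets for a fixed list of ports (well known backdoor listeners
#of the time and X11); the samba ports at the end are dropped without logging
"$IPTABLES" -N BLOCKEDPORTS
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 6670 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP deepthroat trojan:"
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 6670 -j DROP
"$IPTABLES" -A BLOCKEDPORTS -p udp --dport 31337:31338 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP back orifice trojan:"
"$IPTABLES" -A BLOCKEDPORTS -p udp --dport 31337:31338 -j DROP
"$IPTABLES" -A BLOCKEDPORTS -p udp --dport 28431 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP hack'a'tack trojan:"
"$IPTABLES" -A BLOCKEDPORTS -p udp --dport 28431 -j DROP
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 6000:6063 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP Xs ports:"
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 6000:6063 -j DROP
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 12345:12346 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP netbus trojan:"
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 12345:12346 -j DROP
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 20034 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP netbus trojan:"
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 20034 -j DROP
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 1243 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP subseven trojan:"
"$IPTABLES" -A BLOCKEDPORTS -p udp --dport 1243 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP subseven trojan:"
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 1243 -j DROP
"$IPTABLES" -A BLOCKEDPORTS -p udp --dport 1243 -j DROP
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 27374 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP subseven trojan:"
"$IPTABLES" -A BLOCKEDPORTS -p udp --dport 27374 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP subseven trojan:"
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 27374 -j DROP
"$IPTABLES" -A BLOCKEDPORTS -p udp --dport 27374 -j DROP
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 6711:6713 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP subseven trojan:"
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 6711:6713 -j DROP
#------------drop ports without log-------------#
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 137 -j DROP #samba / netbios
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 138 -j DROP
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 139 -j DROP
"$IPTABLES" -A BLOCKEDPORTS -p tcp --dport 445 -j DROP
"$IPTABLES" -A BLOCKEDPORTS -p udp --dport 137 -j DROP
"$IPTABLES" -A BLOCKEDPORTS -p udp --dport 138 -j DROP
"$IPTABLES" -A BLOCKEDPORTS -p udp --dport 139 -j DROP
"$IPTABLES" -A BLOCKEDPORTS -p udp --dport 445 -j DROP
#------------------INPUT chain------------------#
"$IPTABLES" -A INPUT -i lo -j ACCEPT #i trust my loopback
if [ "$PPTP_GRE" = "yes" ] ; then
#"-d $NETNIC" handed an interface name to an option that expects an address;
#match on the arriving interface instead, like the other internet-side rules
"$IPTABLES" -A INPUT -p gre -i "$NETNIC" -j ACCEPT
fi
if [ "$USEMAC" = "yes" ] ; then
#a mac address is spoofable and only seen on the attached segment: convenience, not authentication
for i in $MACFRIENDS; do
"$IPTABLES" -A INPUT -m mac --mac-source "$i" -j ACCEPT
done
fi
if [ "$USETRUST" = "yes" ] ; then
#names are resolved once, now; a dynamic dns name that changes later trusts whoever holds the old address
for i in $TRUSTED; do
"$IPTABLES" -A INPUT -s "$i" -j ACCEPT
done
fi
if [ "$USEHATE" = "yes" ] ; then
for i in $HATEHOSTS; do
"$IPTABLES" -A INPUT -s "$i" -j DROP
done
fi
"$IPTABLES" -A INPUT -p icmp -j ICMP
"$IPTABLES" -A INPUT -m state --state INVALID -j LINVALID
"$IPTABLES" -A INPUT -p tcp -j CHECKBADFLAG
#i only care about the internet, my lan is friendly
"$IPTABLES" -A INPUT -i "$NETNIC" -j BLOCKEDPORTS
#RELATED lets the ftp and irc helpers work; remove it for more security
"$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -i "$NETNIC" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LANNIC" -j ACCEPT
#accept a given service on the firewall itself
#$IPTABLES -A INPUT -i ppp0 -p tcp --dport PORT -j ACCEPT
#NOTE: no terminal rule follows.  A new connection from the internet that gets
#this far is decided by the INPUT policy, which clean() set to ACCEPT.
#----------------forward chain------------------#
"$IPTABLES" -A FORWARD -m state --state INVALID -j LINVALID
"$IPTABLES" -A FORWARD -o "$NETNIC" -j BLOCKEDPORTS
"$IPTABLES" -A FORWARD -i "$NETNIC" -j BLOCKEDPORTS
#this should allow forwarding from the internal network to the outside... not tested
#$IPTABLES -A FORWARD -i $LANNIC -o $NETNIC -s LANIP -p tcp --sport PORT -j ACCEPT
#$IPTABLES -A FORWARD -i $LANNIC -o $NETNIC -s LANIP -p udp --sport PORT -j ACCEPT
"$IPTABLES" -A FORWARD -i "$NETNIC" -m state --state ESTABLISHED -j ACCEPT
"$IPTABLES" -A FORWARD -i "$NETNIC" -p icmp -m state --state RELATED -j ACCEPT
#NOTE: there is no rule letting lan -> internet traffic through; forwarding only
#works because the FORWARD policy is ACCEPT, and that policy also admits anything
#else that reaches the end of this chain
#-----------------output chain------------------#
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$NETNIC" -j BLOCKEDPORTS
#------------------prerouting-------------------#
if [ "$TRANSPARENT" = "yes" ] ; then
#the test read "=3D=3D" (quoted-printable for ==), which never matched, so the
#DNAT branch ran with an empty SQUIDREMOTE
if [ "$SQUIDINSIDE" = "yes" ] ; then
"$IPTABLES" -t nat -A PREROUTING -i "$LANNIC" -p tcp --dport 80 -j REDIRECT --to-port "$SQUIDPORT"
echo "SQUID in transparent mode Enabled to $LANNIC"
else
"$IPTABLES" -t nat -A PREROUTING -i "$LANNIC" -p tcp --dport 80 -j DNAT --to "$SQUIDREMOTE:$SQUIDPORT"
echo "SQUID in transparent mode Enabled to $SQUIDREMOTE"
fi
fi
#DNAT the icq ports to a given host, FIX THIS
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 20000 -j DNAT --to 192.168.1.36
#forward services to some server on the lan
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 22 -j DNAT --to 192.168.1.36:22
#-----------------postrouting-------------------#
if [ "$PPPOE_PMTU" = "yes" ] ; then
#NOTE(review): TCPMSS is usually placed in the mangle table; confirm your kernel accepts it in nat
"$IPTABLES" -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi
if [ "$NETNIC" = "ppp0" ] ; then
#NOTE(review): only tcp is masqueraded; udp (dns) and icmp from the lan leave with
#their private source address — confirm that is intended
"$IPTABLES" -t nat -A POSTROUTING -o "$NETNIC" -p tcp -j MASQUERADE
else
#was "--to source" (two words), which iptables rejects
"$IPTABLES" -t nat -A POSTROUTING -o "$NETNIC" -j SNAT --to-source "$IPNETNIC"
fi
}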
#----------------function clean-----------------#
function clean() {
# flush, delete and zero every chain of the filter and nat tables, then open
# the built-in policies (ACCEPT).  The mangle table is left alone.
local chain
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -Z
"$IPTABLES" -F -t nat
"$IPTABLES" -X -t nat
#$IPTABLES -F -t mangle
#$IPTABLES -X -t mangle
for chain in INPUT FORWARD OUTPUT; do
"$IPTABLES" -P "$chain" ACCEPT
done
}
##----------------------start | stop | restart | status-----------------------#
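# from here on any failing call aborts the script (set -e), so a half built
# ruleset is not silently left behind.  Since clean() has already reset the
# policies to ACCEPT at that point, an abort leaves the box open, not closed.
set -e
#######################################
# the start sequence: kernel hardening, flush, then the rules.
# closep (policy DROP) is not part of it: clean() would reset the policies to
# ACCEPT right after it anyway, and as written neither OUTPUT nor FORWARD has a
# rule that lets the box's own traffic or lan -> internet traffic through, so a
# DROP policy would cut the box off.  Unmatched traffic is therefore accepted.
#######################################
start_firewall() {
proc
clean
firewall
}
case "$1" in
start)
start_firewall
;;
stop)
clean
;;
restart)
#"stop" and "start" were invoked as commands here, and neither exists as a
#function or a binary; run the same steps the stop and start branches run
clean
start_firewall
;;
status)
echo ""
echo "#################"
echo "#the filter table"
echo ""
"$IPTABLES" -L -v
echo ""
echo "##############"
echo "#the NAT table"
echo ""
"$IPTABLES" -t nat -L -v
echo ""
echo "#################"
echo "#the Mangle table"
echo ""
"$IPTABLES" -t mangle -L -v
;;
*)
echo "Usage: /etc/init.d/firewall { start | stop | restart | status }"
exit 1
;;
esac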