Re: Comunicazione tra sottoreti [script firewall - LUNGO]
Allego lo script firewall. È abbastanza grosso.
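#!/bin/bash
#
# chkconfig: 2345 11 89
# description: Arno's iptables firewall
#
# This script relies on bash features ($UID, "==" inside [ ], "source",
# "echo -e"), so it is declared as a bash script rather than POSIX /bin/sh:
# under dash $UID is unset and the root check would fail for everybody.
MY_VERSION="1.8.2"
############################################################################################
# You should put this script(rc.iptables) for example in "/etc/rc.d/" or "/etc/init.d/".  #
# Furthermore make sure it's only root executable! -> "chmod 700" & "chown root:root" it!).#
# If you want to run it upon boot, either add an entry in your "/etc/rc.d/rc.local" or    #
# (for Debian) in "/etc/rcS.d/" create a softlink to the rc.iptables-script               #
# (eg. "ln -s /etc/init.d/rc.iptables S99iptables").                                      #
############################################################################################
# Location of the configuration file for this firewall:
# The file is sourced (i.e. executed) as root, so it needs the same ownership
# and permission discipline as this script itself: root-owned, not writable by
# group or others.
#######################################################
CONFIG_FILE=/etc/iptables-firewall.conf
# ----------------------------------------------------------------------------------------------------------------------
# Arno's iptables firewall - Single- & multi-homed firewall script with DSL/ADSL support
# (C) Copyright 2001-2004444 Arno van Amersfoort
# Homepage : http://rocky.molphys.leidenuniv.nl/
# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email : a r n o v a AT x s 4 a l l DOT n l
# ----------------------------------------------------------------------------------------------------------------------
# Credits :
# - Seven. The initial firewall script was based on his work (Seven's iptables script 1.6 - (C) 2001)
# - ADSL4linux. The initial ADSL implementation was taken from their iptables script (http://www.adsl4linux.nl)
# - Arch@os for providing me with some useful information and for beta testing
# - RelaxLex (Lex) for pointing out some inconsistencies
# - Rifath Nawaz for beta testing the Freeswan support and providing the Freeswan Virtual-IP patch
# - Rok for providing the SNAT patch
# ----------------------------------------------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------------------------------------------------------------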
# All IP addresses reserved by IANA (for the time being)
# This changes regularly, see http://www.iana.org/assignments/ipv4-address-space
# Last update check: Febr 2, 2003
#
# NOTE(review): this is a static bogon list frozen in 2003. Most of these /8s
# have since been allocated, so filtering on this list today would drop traffic
# from large parts of the internet. If it is still used as a source filter,
# regenerate it from the current IANA registry (and keep it current) or drop it
# and rely on rp_filter plus the loopback/multicast/reserved checks instead.
# Inside the quoted string, lines that end without a backslash keep their
# newline in the value; that is harmless as long as the variable is only ever
# word-split (for net in $RESERVED_NET) - assumed from the other list
# variables in this script, confirm at the use site.
###############################################################################
RESERVED_NET="
0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 \
5.0.0.0/8 \
7.0.0.0/8 \
23.0.0.0/8 \
27.0.0.0/8 \
31.0.0.0/8 \
36.0.0.0/8 37.0.0.0/8 \
39.0.0.0/8 \
41.0.0.0/8 42.0.0.0/8 \
58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 \
83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8
94.0.0.0/8 \
95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8
101.0.0.0/8 \
102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 \
108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 \
114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 \
120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 \
126.0.0.0/8 127.0.0.0/8 \
197.0.0.0/8 \
222.0.0.0/8 223.0.0.0/8 \
224.0.0.0/8 225.0.0.0/8 226.0.0.0/8 227.0.0.0/8 228.0.0.0/8 229.0.0.0/8 \
230.0.0.0/8 231.0.0.0/8 232.0.0.0/8 233.0.0.0/8 234.0.0.0/8 235.0.0.0/8 \
236.0.0.0/8 237.0.0.0/8 238.0.0.0/8 239.0.0.0/8 \
240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 \
246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 \
252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"
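echo -e "\033[40m\033[1;32mArno's IPTABLES Firewall Script v$MY_VERSION\033[0m"
echo "---------------------------------------------------------------"
# Check whether we also need to drop messages in a dedicated firewall log file.
# This is a pre-configuration default; the configuration file loaded later may
# override it.
if [ -z "$FIREWALL_LOG" ]; then FIREWALL_LOG="/dev/null"; fi
# Root check: everything below writes to /proc and drives iptables, which only
# works as uid 0. $UID is a bash builtin; id -u is the fallback if it is unset.
if [ "${UID:-$(id -u)}" != "0" ]; then
  echo -e "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! Quitting...\033[0m"
  exit 1
fi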
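# Check if config file exists and if so load it
###############################################
# The configuration file is plain shell that is sourced with root privileges:
# anyone who can write to it can run code as root the next time the firewall
# (re)starts. Warn loudly when it is not root-owned or is writable by group or
# others; a stricter deployment would refuse to continue here instead.
if [ -e "$CONFIG_FILE" ]; then
  cfg_mode=$(stat -c '%a' "$CONFIG_FILE" 2>/dev/null)   # GNU stat (Linux)
  if [ ! -O "$CONFIG_FILE" ] || { [ -n "$cfg_mode" ] && [ $(( 8#$cfg_mode & 022 )) -ne 0 ]; }; then
    echo -e "\033[40m\033[1;31mWARNING: Configuration file $CONFIG_FILE is not root-owned or is writable by group/others; it is executed as root!\033[0m"
  fi
  source "$CONFIG_FILE"
  # The configuration may have set FIREWALL_LOG to an empty string, which would
  # later turn the log redirect into an error; re-apply the /dev/null default.
  if [ -z "$FIREWALL_LOG" ]; then FIREWALL_LOG="/dev/null"; fi
else
  echo -e "\033[40m\033[1;31mERROR: Could not read configuration file $CONFIG_FILE!\033[0m"
  echo "Please, check the file's location and (root) rights."
  exit 2
fi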
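# Make sure EXT_IF != ""
########################
# NOTE: EXT_IF and INT_IF are handled as whitespace-separated lists of
# interface names by the loops below, so any rule elsewhere that passes $EXT_IF
# unquoted as a single "-i" argument only works when exactly one interface is
# configured - keep that in mind when adding interfaces.
if [ -z "$EXT_IF" ]; then
  echo -e "\033[40m\033[1;31mERROR: The required variable EXT_IF is empty!\033[0m"
  echo "Please, correct this by checking the settings in the configuration file."
  exit 3
fi
# Make sure INT_IF != EXT_IF
############################
for eif in $EXT_IF; do
  for iif in $INT_IF; do
    if [ "$iif" = "$eif" ]; then
      echo -e "\033[40m\033[1;31mERROR: At least one of the interfaces specified in EXT_IF is the same as one in INT_IF!\033[0m"
      echo "Please, correct this by checking the settings in the configuration file."
      exit 3
    fi
  done
done
# Make sure EXT_IF != MODEM_IF
##############################
for eif in $EXT_IF; do
  if [ "$eif" = "$MODEM_IF" ]; then
    echo -e "\033[40m\033[1;31mERROR: At least one of the interfaces specified in EXT_IF is the same as the one in MODEM_IF!\033[0m"
    echo "Please, correct this by checking the settings in the configuration file."
    exit 3
  fi
done
# Make sure INT_IF != MODEM_IF
##############################
if [ -n "$MODEM_IF" ]; then
  for iif in $INT_IF; do
    if [ "$iif" = "$MODEM_IF" ]; then
      echo -e "\033[40m\033[1;31mERROR: At least one of the interfaces specified in INT_IF is the same as the one in MODEM_IF!\033[0m"
      echo "Please, correct this by checking the settings in the configuration file."
      exit 3
    fi
  done
fi
# Make sure EXT_IF != lo / 127.0.0.1
# (binding the "internet" side to loopback would make the anti-spoofing rules
# meaningless and lock local services out)
####################################
for eif in $EXT_IF; do
  if [ "$eif" = "lo" ] || [ "$eif" = "127.0.0.1" ]; then
    echo -e "\033[40m\033[1;31mERROR: At least one of the interfaces specified in EXT_IF has the address or name of the local loopback device!\033[0m"
    echo "Please, correct this by checking the settings in the configuration file."
    exit 3
  fi
done
# Make sure INT_IF != lo / 127.0.0.1
####################################
for iif in $INT_IF; do
  if [ "$iif" = "lo" ] || [ "$iif" = "127.0.0.1" ]; then
    echo -e "\033[40m\033[1;31mERROR: At least one of the interfaces specified in INT_IF has the address or name of the local loopback device!\033[0m"
    echo "Please, correct this by checking the settings in the configuration file."
    exit 3
  fi
done
# Make sure MODEM_IF != lo / 127.0.0.1
######################################
if [ "$MODEM_IF" = "lo" ] || [ "$MODEM_IF" = "127.0.0.1" ]; then
  echo -e "\033[40m\033[1;31mERROR: The interface specified in MODEM_IF has the address or name of the local loopback device!\033[0m"
  echo "Please, correct this by checking the setting in the configuration file."
  exit 3
fi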
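# Check whether the iptables binary exists and if its executable
################################################################
# Quoting matters here: with an empty IPTABLES an unquoted "[ ! -x ]" is
# true (it negates the test of the non-empty string "-x"), so the check used to
# pass silently and every later "$IPTABLES ..." call would run an empty command.
if [ ! -x "$IPTABLES" ]; then
  echo -e "\033[40m\033[1;31mERROR: Binary \"$IPTABLES\" does not exist or is not executable!\033[0m"
  echo "Please, make sure that IPTABLES is (properly) installed."
  exit 3
fi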
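# Check that we have at least kernel 2.4 else generate a warning (no error as 2.2 kernels could be iptables patched)
####################################################################################################################
# Major/minor are cut from "uname -r" ("2.4.20-8" -> 2 and 4) with parameter
# expansion, which gives the same result as the previous sed pipelines without
# forking. The test only warns for minors < 3, so the 2.3.x development series
# passes as well; presumably intentional (netfilter first appeared there) and
# left unchanged.
kernel_release=$(uname -r)
KERNELMAJ=${kernel_release%%.*}
kernel_rest=${kernel_release#*.}
KERNELMIN=${kernel_rest%%.*}
if [ "$KERNELMAJ" -lt 2 ] || { [ "$KERNELMAJ" -eq 2 ] && [ "$KERNELMIN" -lt 3 ]; }; then
  echo -e "\033[40m\033[1;31mWARNING: Your kernel version is older than 2.4!\033[0m"
  echo -e "\033[40m\033[1;31mYour kernel probably doesn't support IPTABLES unless an IPTABLES patch is compiled in it.\033[0m"
fi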
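# Check whether IPCHAINS is active else IPTABLES won't work (RedHat <7.2 for example)
###########################################################################################
# lsmod may be missing or unreadable on some systems; its errors are deliberately
# dropped so the absence of the tool does not look like a loaded module.
if /sbin/lsmod 2>/dev/null | grep -q ipchains; then
  echo -e "\033[40m\033[1;31mERROR: Found IPCHAINS module loaded in the kernel. Unable to load IPTABLES module because of this!\033[0m"
  echo "Please, use \"rmmod ipchains\" (as root) to remove the IPCHAINS module and then run this script again."
  exit 4
fi
# Passed all sanity checks :-)
##############################
echo "Sanity checks passed...OK"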
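# modprobing is only performed for a "start"
############################################
# NOTE: the exit status of the modprobe calls is not checked, so a module that
# is missing or renamed (newer kernels use the nf_conntrack* names) is silently
# skipped and the script carries on; look at the kernel log if rules using
# "-m state" or the FTP helpers fail to load later.
if [ "$1" = "start" ]; then
  # "ls glob" instead of "[ -f glob ]": with more than one matching file (e.g.
  # ip_tables.ko next to a compressed copy) test fails with "too many arguments"
  # and module loading would be skipped.
  if ls /lib/modules/"$(uname -r)"/kernel/net/ipv4/netfilter/ip_tables.* >/dev/null 2>&1; then
    echo "Detected IPTABLES module... Loading additional IPTABLES modules:"
    modprobe ip_tables        # Required; all ipv4 modules depend on this one
    modprobe ipt_limit        # Allows log limits
    modprobe ipt_state        # Permits packet state checking (SYN, SYN-ACK, ACK, and so on).
    modprobe ip_conntrack     # Permits connection tracking and packet defragmentation.
    modprobe ip_conntrack_ftp # Permits active FTP; requires ip_conntrack
    modprobe ipt_multiport    # Allows packet specifications on multiple ports
    modprobe iptable_filter   # Implements the filter table
    # modprobe ip_queue       # Allows queuing packets to user space
    # modprobe ipt_ttl        # Allows ttl manipulation (not supported yet :-( )
    # modprobe ipt_mac        # Allows specifying MAC address
    # modprobe ipt_owner      # Permits user/group checking on OUTPUT packets
    # modprobe ipt_mark       # Allows use of mark match
    # modprobe ip_conntrack_egg
    if [ "$USE_IRC" = "1" ]; then
      echo "Enabling IRC DCC module support..."
      modprobe ip_conntrack_irc # ports=6661,6662,6663,6664,6665,6666,6667,6668,6669,7000,7001
      modprobe ip_nat_irc       # ports=6661,6662,6663,6664,6665,6666,6667,6668,6669,7000,7001
    fi
    if [ "$SET_MSS" = "1" ]; then
      modprobe ipt_tcpmss       # Permits TCPMSS checking on a packet
    fi
    if [ "$NAT" = "1" ]; then
      modprobe iptable_nat      # Implements nat table
      modprobe ip_nat_ftp       # Permits active FTP via nat; requires ip_conntrack, iptables_nat
    fi
    if [ "$MANGLE_TOS" = "1" ]; then
      modprobe iptable_mangle   # Implements the mangle table
      modprobe ipt_tos          # Permits TOS checking on a packet
    fi
    # if [ "$TRAFFIC_SHAPING" = "1" ]; then
    #   modprobe ipt_length
    # fi
    echo "All IPTABLES modules loaded!"
  else
    echo "No module found for IPTABLES, assuming that it's compiled in the kernel."
  fi
  # Reset the iptables counters
  $IPTABLES -Z
  $IPTABLES -t nat -Z
  $IPTABLES -t mangle -Z
fi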
# Show which interface(s) face the internet before any rules are touched.
printf '\n'
printf 'External (internet) interface (EXT_IF) : %s\n' "$EXT_IF"
printf '%s\n' "---------------------------------------------------------------"
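if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
  datum=$(date +'%b %d %k:%M:%S')
  # Log the (re)start. /var/log/messages is appended to directly (bypassing
  # syslogd, as in the original); FIREWALL_LOG falls back to /dev/null so an
  # empty value cannot turn the redirect into an error.
  echo -e "$datum ** Starting Arno's IPTABLES firewall v$MY_VERSION **" >> /var/log/messages
  echo "$datum ** Starting Arno's IPTABLES firewall v$MY_VERSION **" >> "${FIREWALL_LOG:-/dev/null}"
  echo "Setting default secure policies."
  # Set standard policies for the tables (drop = very secure)
  # The policies are set BEFORE the flush below: flushing first leaves the host
  # with no rules and the previous (possibly ACCEPT) policy until the policies
  # are applied, a short but fully open window on every restart.
  ###########################################################
  $IPTABLES -P INPUT DROP
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -t nat -P POSTROUTING ACCEPT
  $IPTABLES -t nat -P PREROUTING ACCEPT
  $IPTABLES -t mangle -P OUTPUT ACCEPT
  $IPTABLES -t mangle -P PREROUTING ACCEPT
  echo "Flushing rules in the filter table."
  # Attempt to flush all rules in filter table
  ############################################
  $IPTABLES -F
  $IPTABLES -X
  # Flush built-in rules
  ######################
  $IPTABLES -F INPUT
  $IPTABLES -F OUTPUT
  $IPTABLES -F FORWARD
  # Flush rules/delete user chains (errors are expected on a first "start",
  # when the chains do not exist yet)
  ################################
  $IPTABLES -X EXTIF_CHECK 2>/dev/null
  $IPTABLES -X VALID_CHECK 2>/dev/null
  $IPTABLES -X RESERVED_NET_CHECK 2>/dev/null
  $IPTABLES -X HOST_BLOCK 2>/dev/null
  $IPTABLES -t nat -F
  $IPTABLES -t nat -X
  $IPTABLES -t mangle -F
  $IPTABLES -t mangle -X
  # New table named EXTIF_CHECK, to check incoming packets on our external (internet) interface
  #############################################################################################
  $IPTABLES -N EXTIF_CHECK
  # New table named VALID_CHECK, to check packets for invalid flags etc.
  ######################################################################
  $IPTABLES -N VALID_CHECK
  # New table named RESERVED_NET_CHECK, to check packets for invalid source addresses
  ###################################################################################
  $IPTABLES -N RESERVED_NET_CHECK
  # New table named HOST_BLOCK, the block user defined hosts (blackhole).
  #######################################################################
  $IPTABLES -N HOST_BLOCK
  # Use /proc rp_filter values to drop connections from non-routable IPs
  # (reverse path filtering: a packet whose source would not be routed back out
  # of the interface it arrived on is dropped). The value is written to every
  # interface entry, including "all" and "default", so interfaces that appear
  # later inherit it. Hosts with asymmetric routing need RP_FILTER=0.
  ######################################################################
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    if [ "$RP_FILTER" != "0" ]; then
      echo "Enabling anti-spoof with rp_filter."
      rp_value=1
    else
      echo "Disabling anti-spoof with rp_filter."
      rp_value=0
    fi
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
      # if [ "$i" = "/proc/sys/net/ipv4/conf/$EXT_IF/rp_filter" ] || [ "$RP_FILTER" != "0" ]; then
      echo "$rp_value" > "$i"
    done
  fi
  # Block ALL ICMP echo requests?
  ###############################
  if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then
    if [ "$ECHO_IGNORE" = "1" ]; then
      echo "Blocking all ICMP echo-requests (through /proc/.../)"
      echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
    else
      echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
    fi
  fi
  # Add synflood protection?
  ##########################
  if [ -f /proc/sys/net/ipv4/tcp_syncookies ]; then
    if [ "$SYN_PROT" != 0 ]; then
      echo "Enabling SYN-flood protection via SYN-cookies."
      echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    else
      echo "Disabling SYN-flood protection via SYN-cookies."
      echo "0" > /proc/sys/net/ipv4/tcp_syncookies
    fi
  fi
  # Log martians? (packets with a source address that cannot be routed)
  ###############
  if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
    if [ "$LOG_MARTIANS" = "1" ]; then
      echo "Enabling the logging of martians."
      echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    else
      echo "Disabling the logging of martians."
      echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
    fi
  fi
  # Accept ICMP redirect messages?
  # Accepting redirects lets any on-link host rewrite this machine's routes, so
  # the off setting (anything but ICMP_REDIRECT=1) is the safe one for a firewall.
  ################################
  if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
    if [ "$ICMP_REDIRECT" = "1" ]; then
      echo "Enabling the acception of ICMP-redirect messages."
      echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
    else
      echo "Disabling the acception of ICMP-redirect messages."
      echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    fi
  fi
  # Set the maximum number of connections to track.
  # The kernel "default" depends on the available amount of RAM, 128 MB of RAM -> 8192
  # possible entries, 256 MB of RAM --> 16376 possible entries, etc...
  # NOTE(review): with CONNTRACK unset the table is forced down to 4096 entries,
  # which is small by today's standards and makes conntrack-table exhaustion
  # (new connections dropped once the table is full) easy to reach; set
  # CONNTRACK explicitly for the host's load. On current kernels the knob lives
  # at /proc/sys/net/netfilter/nf_conntrack_max, which this script does not
  # touch, so there the warning fires and the kernel default is kept.
  #######################################################################################
  if [ ! -f /proc/sys/net/ipv4/ip_conntrack_max ] && [ ! -f /proc/sys/net/ipv4/netfilter/ip_conntrack_max ] \
     && [ -n "$CONNTRACK" ]; then
    echo -e "\033[40m\033[1;31mWARNING: /proc/../ip_conntrack_max was NOT found. This may be a problem!\033[0m"
  else
    if [ -n "$CONNTRACK" ]; then
      echo "Setting the max. amount of simultaneous connections to $CONNTRACK."
    else
      echo "Setting the max. amount of simultaneous connections to 4096 (default)."
    fi
    conntrack_max=${CONNTRACK:-4096}
    # Default and alternate location for ip_conntrack_max
    for conntrack_file in /proc/sys/net/ipv4/ip_conntrack_max /proc/sys/net/ipv4/netfilter/ip_conntrack_max; do
      if [ -f "$conntrack_file" ]; then
        echo "$conntrack_max" > "$conntrack_file"
      fi
    done
  fi
  # Disable ICMP send_redirect
  ############################
  if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
    for interface in /proc/sys/net/ipv4/conf/*/send_redirects; do
      echo "0" > "$interface"
    done
  fi
  # Don't accept source routed packets.
  # Attackers can use source routing to generate
  # traffic pretending to be from inside your network, but which is routed back along
  # the path from which it came, namely outside, so attackers can compromise your
  # network. Source routing is rarely used for legitimate purposes.
  ###################################################################################
  if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
    for interface in /proc/sys/net/ipv4/conf/*/accept_source_route; do
      echo "0" > "$interface"
    done
  fi
  # ICMP Broadcasting protection (smurf amplifier protection)
  ###########################################################
  if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  fi
  # ICMP Dead Error Messages protection
  #####################################
  if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  fi
  # Enable automatic IP defragmenting (is obsolete for 2.4 kernels, but still used for 2.2 legacy support)
  ########################################################################################################
  if [ -e /proc/sys/net/ipv4/ip_always_defrag ]; then
    echo "1" > /proc/sys/net/ipv4/ip_always_defrag
  fi
  # LooseUDP patch is required by some internet-based games
  #
  # If you are trying to get an internet game to work through your IP MASQ box,
  # and you have set it up to the best of your ability without it working., try
  # enabling this option. This option is disabled by default due to possible
  # internal machine UDP port scanning vulnerabilities.
  #############################################################################
  if [ -e /proc/sys/net/ipv4/ip_masq_udp_dloose ]; then
    if [ "$LOOSE_UDP_PATCH" = "1" ]; then
      echo "Enabling the LOOSE_UDP_PATCH (required for some internet games, but less secure!)."
      echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
    else
      echo "Disabling the LOOSE_UDP_PATCH (more secure)."
      echo "0" > /proc/sys/net/ipv4/ip_masq_udp_dloose
    fi
  fi
  # IP forwarding (need it to perform for example NAT)
  # Forwarding is switched on unconditionally, even when NAT is not configured;
  # the FORWARD policy set to DROP above is what keeps this from turning a
  # single-homed host into a router.
  ####################################################
  if [ -e /proc/sys/net/ipv4/ip_forward ]; then
    echo "1" > /proc/sys/net/ipv4/ip_forward
  else
    echo -e "\033[40m\033[1;31mWARNING: /proc/sys/net/ipv4/ip_forward does not exist!\033[0m"
    echo -e "\033[40m\033[1;31mIf you're using NAT or IPSEC this may be a problem.\033[0m"
  fi
  # Reduce DoS'ing ability by reducing timeouts
  # Defaults:
  # echo 60 > /proc/sys/net/ipv4/tcp_fin_timeout
  # echo 7200 > /proc/sys/net/ipv4/tcp_keepalive_time
  # echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
  # echo 1 > /proc/sys/net/ipv4/tcp_sack
  # NOTE(review): the shorter FIN timeout is the part that helps; turning off
  # window scaling and SACK mostly costs throughput on fast links and does
  # little against resource-exhaustion attacks, so leave REDUCE_DOS_ABILITY off
  # unless you have measured a benefit.
  #############################################################
  if [ "$REDUCE_DOS_ABILITY" = "1" ]; then
    echo "Enabling reduction of the DoS'ing ability."
    echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
    echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
    echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
    echo "0" > /proc/sys/net/ipv4/tcp_sack
  fi
  # Set out local port range
  # Default echo "1024 4999" > /proc/sys/net/ipv4/ip_local_port_range
  ###################################################################
  if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
    echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
  fi
  # Time To Live (TTL) is the term for a data field in the internet protocol.
  # TTL is today interpreted to indicate the maximum number of routers a packet may transit.
  # Each router that handles a packet will decrement the TTL field by 1.
  # Raise if you have a huge network.
  # Set the default ttl. (Kernel Default: 64)
  ###########################################################################################
  if [ -e /proc/sys/net/ipv4/ip_default_ttl ]; then
    echo "64" > /proc/sys/net/ipv4/ip_default_ttl
  fi
  # Increase the default queuelength. (Kernel Default: 1024)
  # The existence check used to test ".../ipv4/ipv4/ip_queue_maxlen" (path
  # typo), so this branch never ran; the path now matches the one written to.
  ##########################################################
  if [ -e /proc/sys/net/ipv4/ip_queue_maxlen ]; then
    echo "2048" > /proc/sys/net/ipv4/ip_queue_maxlen
  fi
  # Enable ECN? (Explicit Congestion Notification)
  ################################################
  if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
    if [ "$ECN" = "1" ]; then
      echo "Enabling ECN (Explicit Congestion Notification)."
      echo "1" > /proc/sys/net/ipv4/tcp_ecn
    else
      echo "Disabling ECN (Explicit Congestion Notification)."
      echo "0" > /proc/sys/net/ipv4/tcp_ecn
    fi
  fi
fi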
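# This creates the separate host block chain
############################################
if [ "$1" = "start" ] || [ "$1" = "restart" ] || [ "$1" = "breread" ]; then
  # Flushing HOST_BLOCK doubles as the "is the firewall running" probe:
  # iptables reports "No chain" when the chain was never created.
  chain_chk=$($IPTABLES -F HOST_BLOCK 2>&1 | grep "No chain")
  if [ -n "$chain_chk" ]; then
    echo -e "\033[40m\033[1;31mERROR: The firewall isn't running!\033[0m"
    echo "You should first run this script with the \"start\" command."
    exit 5
  fi
  echo "Using loglevel $LOGLEVEL for syslogd."
  if [ -e "$BLOCK_HOSTS_FILE" ]; then
    echo "(Re)loading list of BLOCKED hosts (blackhole) from $BLOCK_HOSTS_FILE."
    # One host or network per line; empty lines and lines starting with '#'
    # are skipped. "read -r" keeps backslashes literal and "$host" is quoted so
    # a line can only ever become the single "-s" argument and never inject
    # further iptables options. A hostname (rather than an address) is resolved
    # once, at load time, and a failed rule is not reported since the exit
    # status of iptables is not checked.
    while read -r host; do
      case "$host" in
        ''|'#'*) continue ;;
      esac
      if [ "$BLOCKED_HOST_LOG" = "1" ]; then
        $IPTABLES -A HOST_BLOCK -s "$host" -m limit --limit 3/m --limit-burst 5 \
          -j LOG --log-level "$LOGLEVEL" --log-prefix "Blocked hosts violation: "
      fi
      $IPTABLES -A HOST_BLOCK -s "$host" -j DROP
    done < "$BLOCK_HOSTS_FILE"
  else
    if [ "$1" = "breread" ]; then
      echo -e "\033[40m\033[1;31mERROR: Cannot reread the blocked hosts file \"$BLOCK_HOSTS_FILE\" because it doesn't exist.\033[0m"
      exit 6
    fi
  fi
fi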
# Here the actual iptables rules are loaded
###########################################
if [ "$1" == "start" ] || [ "$1" == "restart" ]; then
# Besides MTU, there is yet another way to set the maximum packet size, the so
called Maximum Segment Size.
# This is a field in the TCP Options part of a SYN packet.
# The good thing about this is that by setting the MSS value, you are telling
the remote side unequivocally
# 'do not ever try to send me packets bigger than this value'. No ICMP traffic
is needed to get this to work.
# In order for this to work you need at least iptables-1.2.1a and Linux 2.4.3
or higher. The basic commandline is:
##################################################################################################################
if [ "$SET_MSS" == "1" ]; then
echo "Enabling setting the maximum packet size via MSS."
$IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
--clamp-mss-to-pmtu
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
--clamp-mss-to-pmtu
$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi
# Accept all packets for the loopback device
############################################
echo "Accepting packets from the local loopback device."
$IPTABLES -A INPUT -i lo -j ACCEPT
# First we do all the special blocking from the custom block file (this should
also terminate ESTABLISHED connections)
######################################################################################################################
$IPTABLES -A INPUT -j HOST_BLOCK
$IPTABLES -A FORWARD -j HOST_BLOCK
$IPTABLES -A OUTPUT -j HOST_BLOCK
# Accept packets of established connections in the input chain
##############################################################
$IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
# here we add some protection from random packets we receive, such as random
sweeps from other
# (possible) hacked computers, or just packets who are invalid, not belonging
to ANY connection
###############################################################################################
if [ "$INVALID_PACKET_LOG" != "0" ]; then
echo "Logging of INVALID packets enabled."
# Only log INVALID ICMP packets when we also want to log "normal" ICMP packets
if [ "$ICMP_DROP_LOG" != "0" ]; then
$IPTABLES -A INPUT -p icmp -m state --state INVALID -m limit --limit 3/m
--limit-burst 2 -j LOG --log-level $LOGLEVEL \
--log-prefix "INVALID INPUT packet: "
$IPTABLES -A FORWARD -p icmp -m state --state INVALID -m limit --limit 3/m
--limit-burst 2 -j LOG --log-level $LOGLEVEL \
--log-prefix "INVALID FORWARD packet: "
fi
$IPTABLES -A INPUT -p ! icmp -m state --state INVALID -m limit --limit 3/m
--limit-burst 2 -j LOG --log-level $LOGLEVEL \
--log-prefix "INVALID INPUT packet: "
$IPTABLES -A FORWARD -p ! icmp -m state --state INVALID -m limit --limit 3/m
--limit-burst 2 -j LOG --log-level $LOGLEVEL \
--log-prefix "INVALID FORWARD packet: "
else
echo "Logging of INVALID packets disabled."
fi
# Drop invalid packets
######################
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
# This is only used if you have a (A)DSL modem (connected to an ethernet
interface)
###################################################################################
if [ "$MODEM_IF" != "" ]; then
echo "Applying (A)DSL modem rules."
if [ "$MODEM_IF_IP" != "" ]; then
# Refuse spoofing of modem subnet range
#######################################
$IPTABLES -A INPUT -i ! $MODEM_IF -s "$MODEM_IF_IP/24" -m limit --limit
3/m -j LOG --log-level $LOGLEVEL --log-prefix "Spoofed (MODEM) packet: "
$IPTABLES -A FORWARD -i ! $MODEM_IF -s "$MODEM_IF_IP/24" -m limit --limit
3/m -j LOG --log-level $LOGLEVEL --log-prefix "Spoofed (MODEM) packet: "
$IPTABLES -A INPUT -i ! $MODEM_IF -s "$MODEM_IF_IP/24" -j DROP
$IPTABLES -A FORWARD -i ! $MODEM_IF -s "$MODEM_IF_IP/24" -j DROP
if [ "$MODEM_IP" != "" ]; then
# Only allow traffic from the MODEM (check IP) to this machine
##############################################################
$IPTABLES -A INPUT -i $MODEM_IF -s $MODEM_IP -d $MODEM_IF_IP -j ACCEPT
else
# Only allow traffic from the MODEM (no IP, so no checking) to this machine
###########################################################################
$IPTABLES -A INPUT -i $MODEM_IF -d $MODEM_IF_IP -j ACCEPT
fi
else
if [ "$MODEM_IP" != "" ]; then
# Only allow traffic from the MODEM (check IP) to this machine
##############################################################
$IPTABLES -A INPUT -i $MODEM_IF -s $MODEM_IP -j ACCEPT
else
# Only allow traffic from the MODEM (no IP, so no checking) to this machine
###########################################################################
$IPTABLES -A INPUT -i $MODEM_IF -j ACCEPT
fi
fi
# Everything else is logged & dropped
$IPTABLES -A INPUT -i $MODEM_IF -m limit --limit 1/s -j LOG --log-level
$LOGLEVEL --log-prefix "Dropped MODEM packet: "
$IPTABLES -A INPUT -i $MODEM_IF -j DROP
fi
# Refuse spoofing of internal subnet range
##########################################
if [ "$INTERNAL_NET" != "" ] && [ "$INT_IF" != "" ]
then
# Do it for every internal net
for net in $INTERNAL_NET; do
$IPTABLES -A INPUT -i $EXT_IF -s $net -m limit --limit 3/m -j LOG
--log-level $LOGLEVEL --log-prefix "Spoofed packet: "
$IPTABLES -A FORWARD -i $EXT_IF -s $net -m limit --limit 3/m -j LOG
--log-level $LOGLEVEL --log-prefix "Spoofed packet: "
$IPTABLES -A INPUT -i $EXT_IF -s $net -j DROP
$IPTABLES -A FORWARD -i $EXT_IF -s $net -j DROP
done
fi
# This rule is for local OUTPUT TCP blocking
############################################
for port in $DENY_TCP_OUTPUT; do
if [ "$OUTPUT_DENY_LOG" != "0" ]; then
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp --dport $port -m limit \
--limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix
"Denied OUTPUT packet: "
fi
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp --dport $port -j DROP
done
# This rule is for local OUTPUT UDP blocking
############################################
for port in $DENY_UDP_OUTPUT; do
if [ "$OUTPUT_DENY_LOG" != "0" ]; then
$IPTABLES -A OUTPUT -o $EXT_IF -p udp --dport $port -m limit \
--limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix
"Denied OUTPUT packet: "
fi
$IPTABLES -A OUTPUT -o $EXT_IF -p udp --dport $port -j DROP
done
# This rule is for local OUTPUT IP blocking
############################################
for proto in $DENY_IP_OUTPUT; do
if [ "$OUTPUT_DENY_LOG" != "0" ]; then
$IPTABLES -A OUTPUT -o $EXT_IF -p $proto -m limit \
--limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix
"Denied OUTPUT packet: "
fi
$IPTABLES -A OUTPUT -o $EXT_IF -p $proto -j DROP
done
# This rule is for local OUTPUT TCP watching
############################################
if [ "$LOG_TCP_OUTPUT" != "" ]; then
echo "Logging outgoing TCP port(s): $LOG_TCP_OUTPUT."
for port in $LOG_TCP_OUTPUT; do
$IPTABLES -A OUTPUT -p tcp --dport $port -m state --state NEW -m limit \
--limit 3/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix
"Watched OUTPUT packet: "
done
fi
# This rule is for local OUTPUT UDP watching
############################################
if [ "$LOG_UDP_OUTPUT" != "" ]; then
echo "Logging outgoing UDP port(s): $LOG_UDP_OUTPUT."
for port in $LOG_UDP_OUTPUT; do
$IPTABLES -A OUTPUT -p udp --dport $port -m state --state NEW -m limit \
--limit 3/m --limit-burst