Re: Firewall-Skript schreiben
Am 14.12.2010 08:59, schrieb Andre Tann:
zusammenstricke. Sprich: ich bräuchte einen Firewall-Generator, dessen
Ergebnis ich dann noch anpassen kann.
Ich habe ein generisches init.d Script, welches die IPTables setzt.
Dieses ist auf allen Maschinen gleich; maschinenspezifische Anpassungen
werden über /etc/default gesetzt.
#! /bin/sh
### BEGIN INIT INFO
# Provides: firewall.sh
# Required-Start: $network $local_fs
# Required-Stop: $network $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: SIMPLE IP Protect for host
# Description: SIMPLE IP Protect for host
#
### END INIT INFO
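PATH=/sbin:/usr/sbin:/bin:/usr/bin
SCRIPTNAME=/etc/init.d/firewall.sh
NAME=firewall
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"

# Exit if the package is not installed
[ -x "$IPTABLES" ] || exit 1
[ -x "$IP6TABLES" ] || exit 1

# Built-in defaults; every value here may be overridden by /etc/default/$NAME,
# which is sourced below. The *_LAN lists and the port lists used by do_start
# are expected to come from that file.
#
# ICMP types accepted on INPUT from any source.
ICMP_IN="echo-request"
# NOTE(review): 134 is router-advertisement. Listing it here means RAs are
# accepted from any source on INPUT, not only from the LAN-only list
# (ICMP6_IN_LAN) - confirm that is intended for hosts on untrusted links.
ICMP6_IN="echo-request neighbour-solicitation neighbour-advertisement ttl-zero-during-reassembly bad-header 134"
# do_ports/do_ports_out create a dedicated chain once more than this many
# ports are listed for a protocol; below that, rules go straight into INPUT/OUTPUT.
CHAINS=2

# do_nat and do_forward are called from do_start but are not defined in this
# script (presumably they are supplied by /etc/default/$NAME). Give them
# no-op defaults so a config that does not need them no longer produces a
# "not found" error; definitions in the config file win because it is sourced
# afterwards.
do_nat() {
    :
}
do_forward() {
    :
}

# Read configuration variable file if it is present.
# It is executed as shell code with root privileges, so it must only be
# writable by root.
[ -r /etc/default/$NAME ] && . /etc/default/$NAME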
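# Print the rate-limit match to append to a rule for a given ICMP type.
# $1: ICMP/ICMPv6 type, by name or number, as given to --icmp-type/--icmpv6-type.
# Prints "-m limit --limit 30/minute --limit-burst 60" for echo-request (name
# or number 8) and nothing for any other type. Callers expand the output
# unquoted so it splits into separate iptables arguments. Always returns 0.
do_icmp_limit() {
    case "$1" in
        echo-request|8)
            echo "-m limit --limit 30/minute --limit-burst 60"
            ;;
    esac
}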
# Append INPUT rules accepting ICMP or ICMPv6 types.
# $1: types accepted from any source
# $2: protocol, "icmpv6" selects ip6tables/--icmpv6-type/LAN_RANGE6,
#     anything else selects iptables/--icmp-type/LAN_RANGE4
# $3: chain name, created and hooked into INPUT only when more than two
#     types are listed in $1 and $4 together
# $4: types accepted only from the LAN ranges
# Per-type rate limiting comes from do_icmp_limit. Sets the global PTT.
do_icmp() {
    if [ "$2" = "icmpv6" ]; then
        tool="$IP6TABLES"
        typeopt="--icmpv6-type"
        lan="$LAN_RANGE6"
    else
        tool="$IPTABLES"
        typeopt="--icmp-type"
        lan="$LAN_RANGE4"
    fi

    # Few types: rules go directly into INPUT; otherwise into a dedicated chain.
    if [ $(echo $1 $4 | wc -w) -gt 2 ]; then
        $tool -N $3
        $tool -A INPUT -p $2 -j $3
        PTT="$3"
    else
        PTT="INPUT"
    fi

    # Types accepted from anywhere.
    for t in $1; do
        $tool -A "$PTT" -p $2 $typeopt $t $(do_icmp_limit $t) -j ACCEPT
    done

    # Types accepted from the LAN ranges only (no rule when the range list is empty).
    for t in $4; do
        for net in $lan; do
            $tool -A "$PTT" -p $2 -s $net $typeopt $t $(do_icmp_limit $t) -j ACCEPT
        done
    done
}
# Accept inbound traffic to one port from a list of source networks.
# $1: destination port
# $2: protocol (tcp or udp)
# $3: chain to append to
# $4: IPv4 source networks (word list, may be empty)
# $5: IPv6 source networks (word list, may be empty)
add_port() {
    port="$1"
    proto="$2"
    chain="$3"
    for net in $4; do
        $IPTABLES -A $chain -p $proto -s $net --dport $port -j ACCEPT
    done
    for net in $5; do
        $IP6TABLES -A $chain -p $proto -s $net --dport $port -j ACCEPT
    done
}
# Build the inbound rules for one protocol.
# $1: ports accepted from anywhere
# $2: protocol (tcp or udp)
# $3: chain name, created and hooked into INPUT (v4 and v6) once more than
#     $CHAINS ports are listed in $1, $4 and $5 together
# $4: ports accepted only from LAN_RANGE4/LAN_RANGE6
# $5: ports explicitly rejected (tcp with a RST, others with REJECT's default)
# Sets the global PTT.
do_ports() {
    if [ $(echo $1 $4 $5 | wc -w) -gt $CHAINS ]; then
        $IPTABLES -N $3
        $IP6TABLES -N $3
        $IPTABLES -A INPUT -p $2 -j $3
        $IP6TABLES -A INPUT -p $2 -j $3
        PTT="$3"
    else
        PTT="INPUT"
    fi

    for p in $1; do
        add_port $p $2 "$PTT" "0/0" "::/0"
    done
    for p in $4; do
        add_port $p $2 "$PTT" "$LAN_RANGE4" "$LAN_RANGE6"
    done

    # Reject list: only tcp gets --reject-with tcp-reset.
    case "$2" in
        tcp) rej="--reject-with tcp-reset" ;;
        *)   rej="" ;;
    esac
    for p in $5; do
        $IPTABLES -A "$PTT" -p $2 --dport $p -j REJECT $rej
        $IP6TABLES -A "$PTT" -p $2 --dport $p -j REJECT $rej
    done
}
# Accept outbound traffic to one port towards a list of destination networks.
# $1: destination port
# $2: protocol (tcp or udp)
# $3: chain to append to
# $4: IPv4 destination networks (word list, may be empty)
# $5: IPv6 destination networks (word list, may be empty)
add_port_out() {
    port="$1"
    proto="$2"
    chain="$3"
    for net in $4; do
        $IPTABLES -A $chain -p $proto -d $net --dport $port -j ACCEPT
    done
    for net in $5; do
        $IP6TABLES -A $chain -p $proto -d $net --dport $port -j ACCEPT
    done
}
# Build the outbound rules for one protocol.
# $1: ports allowed towards anywhere
# $2: protocol (tcp or udp)
# $3: chain name, created and hooked into OUTPUT (v4 and v6) once more than
#     $CHAINS ports are listed in $1 and $4 together
# $4: ports allowed only towards LAN_RANGE4/LAN_RANGE6
# Sets the global PTT.
do_ports_out() {
    if [ $(echo $1 $4 | wc -w) -gt $CHAINS ]; then
        $IPTABLES -N $3
        $IP6TABLES -N $3
        $IPTABLES -A OUTPUT -p $2 -j $3
        $IP6TABLES -A OUTPUT -p $2 -j $3
        PTT="$3"
    else
        PTT="OUTPUT"
    fi

    for p in $1; do
        add_port_out $p $2 "$PTT" "0/0" "::/0"
    done
    for p in $4; do
        add_port_out $p $2 "$PTT" "$LAN_RANGE4" "$LAN_RANGE6"
    done
}
# Append OUTPUT rules allowing ICMP or ICMPv6 types; mirror of do_icmp with
# destination instead of source matching.
# $1: types allowed towards any destination
# $2: protocol, "icmpv6" selects ip6tables/--icmpv6-type/LAN_RANGE6,
#     anything else selects iptables/--icmp-type/LAN_RANGE4
# $3: chain name, created and hooked into OUTPUT only when more than two
#     types are listed in $1 and $4 together
# $4: types allowed only towards the LAN ranges
# Per-type rate limiting comes from do_icmp_limit. Sets the global PTT.
do_icmp_out() {
    if [ "$2" = "icmpv6" ]; then
        tool="$IP6TABLES"
        typeopt="--icmpv6-type"
        lan="$LAN_RANGE6"
    else
        tool="$IPTABLES"
        typeopt="--icmp-type"
        lan="$LAN_RANGE4"
    fi

    # Few types: rules go directly into OUTPUT; otherwise into a dedicated chain.
    if [ $(echo $1 $4 | wc -w) -gt 2 ]; then
        $tool -N $3
        $tool -A OUTPUT -p $2 -j $3
        PTT="$3"
    else
        PTT="OUTPUT"
    fi

    # Types allowed towards anywhere.
    for t in $1; do
        $tool -A "$PTT" -p $2 $typeopt $t $(do_icmp_limit $t) -j ACCEPT
    done

    # Types allowed towards the LAN ranges only (no rule when the range list is empty).
    for t in $4; do
        for net in $lan; do
            $tool -A "$PTT" -p $2 -d $net $typeopt $t $(do_icmp_limit $t) -j ACCEPT
        done
    done
}
#
# Function that starts the daemon/service
#
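do_start()
{
    # Build the complete v4/v6 rule set. Reads the host-specific lists
    # (INPUT_DEV, INPUT_NETS4/6, LNCB_RANGE, TCP_*/UDP_*/ICMP* lists,
    # OUTPUT_DEV, OUTPUT_NETS4/6, FORWARD_DEV_IN/OUT, LAN_RANGE4/6), which are
    # expected to be set in /etc/default/$NAME.
    #
    # ip_conntrack_ftp is the pre-2.6.20 module name; newer kernels call it
    # nf_conntrack_ftp. A failed modprobe is not fatal here, only passive FTP
    # tracking is lost.
    /sbin/modprobe ip_conntrack_ftp
    # Start from a clean slate. do_stop sets all policies to ACCEPT and flushes,
    # so the host is briefly open until the DROP policies below are in place.
    do_stop
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P FORWARD DROP
    # Host-specific NAT rules (defined outside this script).
    do_nat

    #
    # Create chain for bad tcp packets we dont want.
    #
    # The LOG rules are rate-limited like every other LOG rule in this script,
    # so a stream of non-SYN "NEW" packets cannot flood the log.
    $IPTABLES -N bad_tcp_packets
    $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "New not syn:"
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
    $IP6TABLES -N bad_tcp_packets
    $IP6TABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
    $IP6TABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "New not syn:"
    $IP6TABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

    # fail2ban hook, only when fail2ban is installed. The interface is
    # hard-coded to eth0. NOTE(review): do_stop stops fail2ban and nothing
    # here starts it again - confirm who restarts it after a firewall restart.
    [ -x /etc/init.d/fail2ban ] && $IPTABLES -N fail2ban
    [ -x /etc/init.d/fail2ban ] && $IPTABLES -A INPUT -i eth0 -j fail2ban

    #
    # Input chain
    #
    $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
    $IP6TABLES -A INPUT -p tcp -j bad_tcp_packets
    # Input devices: everything arriving on these interfaces is accepted.
    for i in $INPUT_DEV; do
        $IPTABLES -A INPUT -p ALL -i $i -j ACCEPT
        $IP6TABLES -A INPUT -p ALL -i $i -j ACCEPT
    done
    # Accept all connections from the permitted networks.
    for i in $INPUT_NETS4; do
        $IPTABLES -A INPUT -p ALL -s $i -j ACCEPT
    done
    for i in $INPUT_NETS6; do
        $IP6TABLES -A INPUT -p ALL -s $i -j ACCEPT
    done
    # Optional: accept traffic addressed to the local network control block range.
    [ "$LNCB_RANGE" = "" ] || $IPTABLES -A INPUT -d $LNCB_RANGE -j ACCEPT
    # Accept packets belonging to established connections.
    $IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
    do_ports "$TCP_IN" "tcp" "tcp_in" "$TCP_IN_LAN" "$TCP_IN_REJ"
    do_ports "$UDP_IN" "udp" "udp_in" "$UDP_IN_LAN" "$UDP_IN_REJ"
    do_icmp "$ICMP_IN" "icmp" "icmp_in" "$ICMP_IN_LAN"
    do_icmp "$ICMP6_IN" "icmpv6" "icmpv6_in" "$ICMP6_IN_LAN"
    # Reject everything else (rate-limited log first).
    $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
    $IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A INPUT -j REJECT
    $IP6TABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT6 INPUT packet died: "
    $IP6TABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IP6TABLES -A INPUT -j REJECT

    #
    # Output Chain
    #
    $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
    $IP6TABLES -A OUTPUT -p tcp -j bad_tcp_packets
    for i in $OUTPUT_DEV; do
        $IPTABLES -A OUTPUT -p ALL -o $i -j ACCEPT
        $IP6TABLES -A OUTPUT -p ALL -o $i -j ACCEPT
    done
    for i in $OUTPUT_NETS4; do
        $IPTABLES -A OUTPUT -p ALL -d $i -j ACCEPT
    done
    for i in $OUTPUT_NETS6; do
        $IP6TABLES -A OUTPUT -p ALL -d $i -j ACCEPT
    done
    $IPTABLES -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
    do_ports_out "$TCP_OUT" "tcp" "tcp_out" "$TCP_OUT_LAN"
    do_ports_out "$UDP_OUT" "udp" "udp_out" "$UDP_OUT_LAN"
    do_icmp_out "$ICMP_OUT" "icmp" "icmp_out" "$ICMP_OUT_LAN"
    do_icmp_out "$ICMP6_OUT" "icmpv6" "icmpv6_out" "$ICMP6_OUT_LAN"
    $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
    $IPTABLES -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A OUTPUT -j REJECT
    $IP6TABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT6 OUTPUT packet died: "
    $IP6TABLES -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
    $IP6TABLES -A OUTPUT -j REJECT

    #
    # Accept the packets we actually want to forward
    #
    $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
    $IP6TABLES -A FORWARD -p tcp -j bad_tcp_packets
    $IPTABLES -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN_RANGE4/LAN_RANGE6 are word lists everywhere else in this script, so
    # iterate them here too: a multi-entry list passed to a single -s would
    # make iptables fail, and an empty list produced a malformed "-s -j" rule.
    for i in $FORWARD_DEV_IN; do
        for j in $FORWARD_DEV_OUT; do
            for k in $LAN_RANGE4; do
                $IPTABLES -A FORWARD -i $i -o $j -s $k -j ACCEPT
            done
            for k in $LAN_RANGE6; do
                $IP6TABLES -A FORWARD -i $i -o $j -s $k -j ACCEPT
            done
        done
    done
    # Host-specific forwarding rules (defined outside this script).
    do_forward
    #
    # Log weird packets that dont match the above.
    #
    $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
    $IPTABLES -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A FORWARD -j REJECT
    $IP6TABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT6 FORWARD packet died: "
    $IP6TABLES -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
    $IP6TABLES -A FORWARD -j REJECT
}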
#
# Function that stops the daemon/service
#
do_stop()
{
    # Disable the firewall completely: stop fail2ban if installed, set every
    # built-in chain policy back to ACCEPT, then flush all rules and delete
    # all user-defined chains (filter/nat/mangle for v4, filter/mangle for v6).
    # After this the host accepts everything.
    [ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban stop

    # filter table policies, v4 then v6
    for chain in INPUT FORWARD OUTPUT; do
        $IPTABLES -P $chain ACCEPT
    done
    for chain in INPUT FORWARD OUTPUT; do
        $IP6TABLES -P $chain ACCEPT
    done

    # nat table policies (IPv4 only; no v6 nat table is touched)
    for chain in PREROUTING POSTROUTING OUTPUT; do
        $IPTABLES -t nat -P $chain ACCEPT
    done

    # mangle table policies, v4 then v6
    for chain in PREROUTING POSTROUTING INPUT OUTPUT FORWARD; do
        $IPTABLES -t mangle -P $chain ACCEPT
    done
    for chain in PREROUTING POSTROUTING INPUT OUTPUT FORWARD; do
        $IP6TABLES -t mangle -P $chain ACCEPT
    done

    # flush every rule ...
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    $IP6TABLES -F
    $IP6TABLES -t mangle -F

    # ... then remove the now-empty user-defined chains
    $IPTABLES -X
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -X
    $IP6TABLES -X
    $IP6TABLES -t mangle -X
}
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
    # There is no daemon to signal and rules are only rebuilt via
    # restart/force-reload, so reload is a no-op that always succeeds.
    :
}
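# Init-script entry point: dispatch on the requested action.
case "$1" in
    start)
        do_start
        ;;
    stop)
        do_stop
        ;;
    status)
        # -n prints addresses and ports numerically, so listing does not
        # stall on reverse DNS lookups (which the rule set itself may block).
        # NOTE: the exit status is 0 even when no rules are loaded; LSB
        # expects 3 for "not running".
        echo "iptables: "
        echo " "
        $IPTABLES -L -v -n
        echo " "
        echo "ip6tables: "
        echo " "
        $IP6TABLES -L -v -n
        ;;
    restart|force-reload)
        # do_start flushes everything via do_stop first, so no separate stop is needed.
        do_start
        ;;
    *)
        echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
        exit 3
        ;;
esac
exit 0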