
[no subject]



Buenas, buenas... recién terminé... va, sigue en pañales, pero tengo
medianamente armado un firewall después de muuuuuuuuuchas horas. Ni
siquiera lo probé, capaz que el solito script da un error... ni idea,
pero bueno... si alguien le quiere pegar una mirada y darme su opinión a
simple vista, igual todavía le faltan muchas cosas... pido disculpas por
haber escrito la mayoría de los comentarios en inglés, mala costumbre la
mía... perdón...

Pero bueno, los invito a criticarlo duramente.. seguro tiene muchos
errores... gracias :)

-- 
Guido Lorenzutti (Peperino Pomuro)
	
emails:	guidolorenzutti@arnet.com.ar
	gml-bsas@sicemercosur.com.ar
	peperinopomuro@arnet.com.ar
	
linux user #206665 - http://counter.li.org

#!/bin/bash

#version 1.0 (mayor release! uija!)
#
#history:
#	i lost it :)... deal with it.
#to do:
#check whether the ports below 1024 need to be treated separately
#check the need of a "catch all" rule at the end
#depending on the distro check where the script is and scream if it is not on /etc/init.d/




			#this is a comment, i like comments, read them for help






##----------------------------initial config---------------------------------##


#-------------system configuration--------------#

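#-------------system configuration--------------#

IPTABLES=/sbin/iptables	#path of the iptables
MODULES=no		#yes if your kernel support modules and you need them
			#to do, i have to add the modules that you need

#----------network devices settings-------------#

NETNIC=ppp0		#if you change to ethernet you will start using SNAT
# first IPv4 address of the device: "grep -w inet" keeps the "inet" line
# only (the plain "grep inet" also matched "inet6", which added an empty
# line to the result); works with both the "inet addr:X" and "inet X" output
IPNETNIC=$(ifconfig "$NETNIC" | grep -w inet | awk '{ print $2 }' | cut -d : -f 2)

LANNIC=eth1		#the interface connected to your lan
IPLANNIC=$(ifconfig "$LANNIC" | grep -w inet | awk '{ print $2 }' | cut -d : -f 2)


#-------------/proc sysctl settings-------------#

IP_FORWARD=yes		#to enable ipforward, VERY important

ICMPALLIGNORE=no	#yes to block ALL the pings from everywhere
ICMPBROADCAST=yes	#yes to don't respond to broadcast pings (smurf)
ICMPERRORMESG=yes	#yes to protect against bogus error messages

LOGMARTIANS=yes		#yes to log packets with impossible addresses
IP_SPOOFING=yes		#yes to disable spoofing attacks on ALL interfaces

REDUCEDOS=yes		#reduces the timeouts and the posibility of a DOS

SYNCOOKIES=yes		#yes to enable tcp syn cookies protection
TIMESTAMPS=yes		#yes to enable tcp timestamps protection

SOURCEROUTED=yes	#yes to ignore source routed packets
SENDREDIRECTS=yes	#yes to ignore redirected packets


#------------adsl specific problems-------------#

PPPOE_PMTU=no		#if you have problems with your pppoe connection
PPTP_GRE=no		#if you have problems with your pptp connection


#------------------squid setup------------------#

TRANSPARENT=yes		#yes if you use the squid on transparent mode
SQUIDINSIDE=yes		#yes if you run squid on the device conected to the lan
SQUIDREMOTE=		#the ip of the remote squid box on you lan
SQUIDPORT=3128		#the port where squid listen





##--------------------------hosts and ports config---------------------------##


#----------specific TOTALLY banned IPs----------#

USEHATE=no			#to start using the next options

MICROSOFT=www.microsoft.com	#sample of a banned host

HATEHOSTS="$MICROSOFT"		#add the banned hosts here (space separated)


#-------------specific trusted hosts------------#

USETRUST=yes			#to start using the next options

SICEAR=sicear.dyndns.org	#example of a host to trust
				#NOTE(review): a name is resolved once, when the
				#rule is loaded; whoever controls that DNS entry
				#at that moment gets the ACCEPT

TRUSTED="$SICEAR"		#add the hosts to trust here (space separated)


#-----------local MAC address friends-----------#

USEMAC=yes			#to start using the next options

AZRAEL=00:50:BA:86:9F:EC	#example of a mac address to trust
DROOPY=00:50:BA:87:32:34
CEREBRO=00:E0:7D:9F:76:A3

MACFRIENDS="$AZRAEL $CEREBRO"	#add the hosts to trust here (space separated)


#---------------ssh administration--------------#

				#still living my life


#-----------------flood variables---------------#

TCPSYNLIMIT="5/s"		# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10" 		# Burst Limit for TCP-SYN-Flood detection
LOGLIMIT="2/s" 			# Overall Limit for Loggging in Logging-Chains
LOGLIMITBURST="10" 		# Burst Limit for Logging in Logging-Chains
PINGLIMIT="5/s" 		# Overall Limit for Ping-Flood-Detection
PINGLIMITBURST="10"		# Burst Limit for Ping-Flood-Detection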





##---------------------------testing the config------------------------------##

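# everything below writes to /proc and to the iptables tables, so refuse
# to go on for anybody but root
if [ "$UID" != "0" ]; then
	echo " 	  (\___/)    "
	echo " 	  (=':'=)    "
	echo " 	 ('']_['')   "
	echo "	             "
	echo "	are you r00t?"
	exit 1
fi


# the two interfaces must be up and have an address, otherwise the rules
# built from $IPNETNIC / $NETNIC later make no sense
if [ -z "$IPNETNIC" ]; then
	echo "ABORTING: Unable to determine the IP-address of the $NETNIC"
	exit 1
else
	echo "the internet connection is thru the $NETNIC device"
fi


if [ -z "$IPLANNIC" ]; then
	echo "ABORTING: Unable to determine the IP-address of the $LANNIC"
	exit 1
else
	echo "the lan connection is thru the $LANNIC device"
fi


if [ -x "$IPTABLES" ]; then
	echo "the configuration seems to be OK"
else
	echo "ABORTING: $IPTABLES doesn't exist or isn't executable"
	exit 1
fi

# "is the firewall already loaded?" probe: creating a chain that exists
# fails.  It only makes sense for "start" -- run unconditionally it refused
# to "stop" a running firewall and left an empty ICMP chain behind after
# "status".  The exit was spelled "exit1" (command not found), so the
# abort never actually happened.
if [ "$1" = "start" ]; then
	if ! $IPTABLES -N ICMP ; then
		echo
		echo "you should stop the firewall before start it again"
		echo "/etc/init.d/firewall stop"
		echo
		exit 1
	fi
fi



##----------------------------modules to load--------------------------------##

if [ "$MODULES" = "yes" ] ; then
	echo "cargando los modulos necesarios"
	depmod -a
else
	echo "you don't need any modules or your kernel dosen't support them"
fi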





##----------------------functions for the firewall---------------------------##


#----------------function closep-----------------#

#######################################
# Sets the three filter-table policies to DROP so nothing passes until the
# rest of the rules are loaded.
# Globals (read): IPTABLES
# Returns: status of the last iptables call
#######################################
function closep() {
	local chain
	for chain in INPUT FORWARD OUTPUT; do
		$IPTABLES -P "$chain" DROP		#close everything until we are warm
	done
}


#-----------------function proc-----------------#

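#######################################
# Applies the /proc/sys/net/ipv4 settings chosen in the config section.
# Each knob is applied only when its variable is "yes" and the /proc entry
# exists (older kernels lack some of them).
# Globals (read): IP_FORWARD ICMPALLIGNORE ICMPBROADCAST ICMPERRORMESG
#   LOGMARTIANS IP_SPOOFING REDUCEDOS SYNCOOKIES TIMESTAMPS SOURCEROUTED
#   SENDREDIRECTS
# Outputs: one line on stdout per setting that was written
# Returns: 0, unless a write to /proc fails (needs root)
#######################################
function proc() {

if [ "$IP_FORWARD" = "yes" ] ; then
	if [ -f /proc/sys/net/ipv4/ip_forward ] ; then
		echo 1 > /proc/sys/net/ipv4/ip_forward
		echo "ip_foward activated"
	fi
fi


if [ "$ICMPALLIGNORE" = "yes" ] ; then
	if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ] ; then
		echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
		echo "blocking all pings from everywhere"
	fi
fi


if [ "$ICMPBROADCAST" = "yes" ] ; then
	if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
		echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
		echo "blocking all broadcast pings"
	fi
fi


if [ "$ICMPERRORMESG" = "yes" ] ; then
	if [ -f /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
		echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
		echo "enable error message protection"
	fi
fi


if [ "$LOGMARTIANS" = "yes" ] ; then
	# the existence test used to look for "log_martinas" (typo), so this
	# branch was never taken and martians were never logged
	if [ -f /proc/sys/net/ipv4/conf/all/log_martians ] ; then
		echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
		echo "logging packets with impossible addresses"
	fi
fi


if [ "$IP_SPOOFING" = "yes" ] ; then
	if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
		# 1 = strict reverse-path check.  The old value 2 is "loose"
		# mode on kernels that distinguish the two, which is weaker
		# than the message below promises; on kernels where the knob
		# is boolean both values behave the same.
		echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
		echo "blocking IP spoofing attacks"
	fi
fi


if [ "$REDUCEDOS" = "yes" ] ; then
	# shorter FIN/keepalive timers free half-open state sooner.
	# NOTE(review): turning off window scaling and SACK is a throughput
	# trade-off rather than a DoS mitigation -- confirm it is wanted.
	if [ -f /proc/sys/net/ipv4/tcp_fin_timeout ] ; then
		echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
	fi
	if [ -f /proc/sys/net/ipv4/tcp_keepalive_time ] ; then
		echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
	fi
	if [ -f /proc/sys/net/ipv4/tcp_window_scaling ] ; then
		echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
	fi
	if [ -f /proc/sys/net/ipv4/tcp_sack ] ; then
		echo "0" > /proc/sys/net/ipv4/tcp_sack
	fi
fi


if [ "$SYNCOOKIES" = "yes" ] ; then
	if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
		echo "1" > /proc/sys/net/ipv4/tcp_syncookies
		echo "tcp syn cookies protection enabled"
	fi
fi


if [ "$TIMESTAMPS" = "yes" ] ; then
	if [ -e /proc/sys/net/ipv4/tcp_timestamps ] ; then
		echo "0" > /proc/sys/net/ipv4/tcp_timestamps
		echo "tcp timestamps protection enabled"
	fi
fi


if [ "$SOURCEROUTED" = "yes" ] ; then
	if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ] ; then
		echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
		echo "ignore source routed packets"
	fi
fi


if [ "$SENDREDIRECTS" = "yes" ] ; then
	if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
		echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
		echo "ignore redirected packets"
	fi
fi

}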


#---------------------logs----------------------#

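#######################################
# Builds the whole rule set: the logging chains (WATCH, LDROP, LBADFLAG,
# LINVALID, LPINGFLOOD), the ICMP chain, the CHECKBADFLAG and BLOCKEDPORTS
# chains, the INPUT/FORWARD/OUTPUT rules and the nat table entries.
# Globals (read): IPTABLES NETNIC IPNETNIC LANNIC LOGLIMIT LOGLIMITBURST
#   PINGLIMIT PINGLIMITBURST PPTP_GRE USEMAC MACFRIENDS USETRUST TRUSTED
#   USEHATE HATEHOSTS TRANSPARENT SQUIDINSIDE SQUIDREMOTE SQUIDPORT
#   PPPOE_PMTU.  LOGLEVEL is optional and defaults to "info".
# Outputs: status lines on stdout; iptables diagnostics on stderr
# Returns: status of the last command (the caller has set -e, so the first
#   rule iptables rejects aborts the load)
# NOTE(review): nothing in here installs a DROP policy -- closep is not
#   called from the start action and clean() sets every policy to ACCEPT,
#   so whatever falls through INPUT/FORWARD/OUTPUT is accepted; on the
#   $NETNIC side only BLOCKEDPORTS, CHECKBADFLAG, LINVALID and the ICMP
#   chain filter anything.
#######################################
function firewall() {

# the CHECKBADFLAG log rules referenced $LOGLEVEL, which no config line
# defines; default to "info", the level LDROP already uses
local loglevel="${LOGLEVEL:-info}"
local i

$IPTABLES -N WATCH			#if i want to log something i allow
$IPTABLES -A WATCH -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-level warn --log-prefix "ACCEPT"
$IPTABLES -A WATCH -j ACCEPT


$IPTABLES -N LDROP			#log everything i drop
$IPTABLES -A LDROP -p tcp -j LOG --log-level info --log-prefix "DROP TCP"
$IPTABLES -A LDROP -p udp -j LOG --log-level info --log-prefix "DROP UDP"
$IPTABLES -A LDROP -p icmp -j LOG --log-level info --log-prefix "DROP ICMP"
$IPTABLES -A LDROP -p gre -j LOG --log-level info --log-prefix "DROP GRE"
$IPTABLES -A LDROP -j DROP


$IPTABLES -N LBADFLAG			#log every badflag
# the chain was created as LBADFLAG but the log rule was appended to
# "LBADGLAG": iptables rejected it and, under set -e, the script died here
$IPTABLES -A LBADFLAG -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "badflag"
$IPTABLES -A LBADFLAG -j DROP


$IPTABLES -N LINVALID  			#invalid packets (not ESTABLISHED,RELATED or NEW)
$IPTABLES -A LINVALID -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "invalid"
$IPTABLES -A LINVALID -j DROP


$IPTABLES -N LPINGFLOOD			#block ping floods
$IPTABLES -A LPINGFLOOD -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "pingflood"
$IPTABLES -A LPINGFLOOD -j DROP


#-------------------icmp stuff------------------#

# echo-reply and port-unreachable are rate limited; the rest of the types
# are either logged-and-accepted (WATCH) or logged-and-dropped (LDROP).
# NOTE(review): echo-request is in the WATCH list, so inbound pings are
# accepted without a limit -- only replies hit LPINGFLOOD.
$IPTABLES -N ICMP			#icmp chain
$IPTABLES -A ICMP -p icmp --icmp-type echo-reply -m limit --limit "$PINGLIMIT" --limit-burst "$PINGLIMITBURST" -j ACCEPT
$IPTABLES -A ICMP -p icmp --icmp-type echo-reply -j LPINGFLOOD
$IPTABLES -A ICMP -p icmp --icmp-type port-unreachable -m limit --limit "$PINGLIMIT" --limit-burst "$PINGLIMITBURST" -j ACCEPT
$IPTABLES -A ICMP -p icmp --icmp-type port-unreachable -j LPINGFLOOD

local icmpwatch="destination-unreachable network-unreachable host-unreachable protocol-unreachable source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited echo-request time-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing"

local icmpldrop="fragmentation-needed host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect router-advertisement router-solicitation timestamp-request timestamp-reply address-mask-request address-mask-reply"

for i in $icmpwatch		#unquoted on purpose: space separated list
do
	$IPTABLES -A ICMP -p icmp --icmp-type "$i" -j WATCH
done

for i in $icmpldrop		#unquoted on purpose: space separated list
do
	$IPTABLES -A ICMP -p icmp --icmp-type "$i" -j LDROP
done

$IPTABLES -A ICMP -p icmp -j LDROP


#---------logging portscanning attacks----------#

# Kill any inbound/outbound TCP packet with an impossible flag combination.
# The rules used "-i $INT", but INT is defined nowhere, so iptables saw
# "-i" followed by "-p" and rejected every rule; the match is on flags
# only now, which is what the INPUT rule that jumps here (-p tcp, no
# interface) already implies.
$IPTABLES -N CHECKBADFLAG

$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/m --limit-burst 5 -j LOG --log-level "$loglevel" --log-prefix "DROP Nmap XMAS Scan:"
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/m --limit-burst 5 -j LOG --log-level "$loglevel" --log-prefix "DROP SYN RST Scan:"
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/m --limit-burst 5 -j LOG --log-level "$loglevel" --log-prefix "DROP SYN FIN Scan:"
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN -m limit --limit 3/m --limit-burst 5 -j LOG --log-level "$loglevel" --log-prefix "DROP Nmap Stealth FYN Scan: "
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN -j DROP

$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -m limit --limit 3/m --limit-burst 5 -j LOG --log-level "$loglevel" --log-prefix "DROP ALL/ALL Scan: "
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j DROP

$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -m limit --limit 3/m --limit-burst 5 -j LOG --log-level "$loglevel" --log-prefix "DROP Nmap Stealth Null Scan: "
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j DROP


#--------------log bloqued ports----------------#

$IPTABLES -N BLOCKEDPORTS #Kill any TCP/UDP-Packets for the selected ports

$IPTABLES -A BLOCKEDPORTS -p tcp --dport 6670 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP deepthroat trojan:"
$IPTABLES -A BLOCKEDPORTS -p tcp --dport 6670 -j DROP

$IPTABLES -A BLOCKEDPORTS -p udp --dport 31337:31338 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP back orifice trojan:"
$IPTABLES -A BLOCKEDPORTS -p udp --dport 31337:31338 -j DROP

$IPTABLES -A BLOCKEDPORTS -p udp --dport 28431 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP hack'a'tack trojan:"
$IPTABLES -A BLOCKEDPORTS -p udp --dport 28431 -j DROP

$IPTABLES -A BLOCKEDPORTS -p tcp --dport 6000:6063 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP Xs ports:"
$IPTABLES -A BLOCKEDPORTS -p tcp --dport 6000:6063 -j DROP

$IPTABLES -A BLOCKEDPORTS -p tcp --dport 12345:12346 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP netbus trojan:"
$IPTABLES -A BLOCKEDPORTS -p tcp --dport 12345:12346 -j DROP

$IPTABLES -A BLOCKEDPORTS -p tcp --dport 20034 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP netbus trojan:"
$IPTABLES -A BLOCKEDPORTS -p tcp --dport 20034 -j DROP

$IPTABLES -A BLOCKEDPORTS -p tcp --dport 1243 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP subseven trojan:"
$IPTABLES -A BLOCKEDPORTS -p udp --dport 1243 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP subseven trojan:"
$IPTABLES -A BLOCKEDPORTS -p tcp --dport 1243 -j DROP
$IPTABLES -A BLOCKEDPORTS -p udp --dport 1243 -j DROP

$IPTABLES -A BLOCKEDPORTS -p tcp --dport 27374 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP subseven trojan:"
$IPTABLES -A BLOCKEDPORTS -p udp --dport 27374 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP subseven trojan:"
$IPTABLES -A BLOCKEDPORTS -p tcp --dport 27374 -j DROP
$IPTABLES -A BLOCKEDPORTS -p udp --dport 27374 -j DROP

$IPTABLES -A BLOCKEDPORTS -p tcp --dport 6711:6713 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "DROP subseven trojan:"
$IPTABLES -A BLOCKEDPORTS -p tcp --dport 6711:6713 -j DROP


#------------drop ports without log-------------#

$IPTABLES -A BLOCKEDPORTS -p tcp --dport 137 -j DROP #samba
$IPTABLES -A BLOCKEDPORTS -p tcp --dport 138 -j DROP
$IPTABLES -A BLOCKEDPORTS -p tcp --dport 139 -j DROP
$IPTABLES -A BLOCKEDPORTS -p tcp --dport 445 -j DROP
$IPTABLES -A BLOCKEDPORTS -p udp --dport 137 -j DROP
$IPTABLES -A BLOCKEDPORTS -p udp --dport 138 -j DROP
$IPTABLES -A BLOCKEDPORTS -p udp --dport 139 -j DROP
$IPTABLES -A BLOCKEDPORTS -p udp --dport 445 -j DROP


#------------------INPUT chain------------------#

$IPTABLES -A INPUT -i lo -j ACCEPT	#i trust in my lookback


if [ "$PPTP_GRE" = "yes" ] ; then
	# "-d" takes an address, the interface selector is "-i"; the rule
	# as written handed the device name to -d and was rejected
	$IPTABLES -A INPUT -p gre -i "$NETNIC" -j ACCEPT
fi


if [ "$USEMAC" = "yes" ] ; then
	# NOTE(review): the source MAC is whatever the neighbouring host put
	# in the frame, and this rule is not tied to $LANNIC; the config says
	# $NETNIC may be ethernet one day, so consider adding -i "$LANNIC".
	for i in $MACFRIENDS		#unquoted on purpose: space separated list
	do
		$IPTABLES -A INPUT -m mac --mac-source "$i" -j ACCEPT
	done
fi


if [ "$USETRUST" = "yes" ] ; then
	# NOTE(review): a host name here is resolved by iptables once, at
	# load time, and the ACCEPT is unrestricted (every port of this box)
	# for whatever address DNS returned at that moment.
	for i in $TRUSTED		#unquoted on purpose: space separated list
	do
		$IPTABLES -A INPUT -s "$i" -j ACCEPT
	done
fi


if [ "$USEHATE" = "yes" ] ; then
	for i in $HATEHOSTS		#unquoted on purpose: space separated list
	do
		$IPTABLES -A INPUT -s "$i" -j DROP
	done
fi


$IPTABLES -A INPUT -p icmp -j ICMP
$IPTABLES -A INPUT -m state --state INVALID -j LINVALID
$IPTABLES -A INPUT -p tcp -j CHECKBADFLAG
#i only care about the internet, my lan is friendly
$IPTABLES -A INPUT -i "$NETNIC" -j BLOCKEDPORTS
#this enable to use ftp an irc, remove the related to more security
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -i "$NETNIC" -j ACCEPT
$IPTABLES -A INPUT -i "$LANNIC" -j ACCEPT
#Aceptar cierto servicio en el propio firewall
#$IPTABLES -A INPUT -i ppp0 -p tcp --dport PUERTO -j ACCEPT



#----------------forward chaing-----------------#

$IPTABLES -A FORWARD -m state --state INVALID -j LINVALID

$IPTABLES -A FORWARD -o "$NETNIC" -j BLOCKEDPORTS
$IPTABLES -A FORWARD -i "$NETNIC" -j BLOCKEDPORTS

#this should allow fowarding from internal network to the outside... not tested
#$IPTABLES -A FORWARD -i "$LANNIC" -o "$NETNIC" -s ipdelalan -p tcp --sport puerto -j ACCEPT
#$IPTABLES -A FORWARD -i "$LANNIC" -o "$NETNIC" -s ipdelalan -p udp --sport puerto -j ACCEPT

$IPTABLES -A FORWARD -i "$NETNIC" -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i "$NETNIC" -p icmp -m state --state RELATED -j ACCEPT

#-----------------output chain------------------#

$IPTABLES -A OUTPUT -o lo -j ACCEPT

$IPTABLES -A OUTPUT -o "$NETNIC" -j BLOCKEDPORTS


#------------------prerouting-------------------#

if [ "$TRANSPARENT" = "yes" ] ; then
	# the test was "=3D=3D" (quoted-printable leftover of "=="), which
	# made [ fail and skipped both branches
	if [ "$SQUIDINSIDE" = "yes" ] ; then
		$IPTABLES -t nat -A PREROUTING -i "$LANNIC" -p tcp --dport 80 -j REDIRECT --to-port "$SQUIDPORT"
		echo "SQUID in transparent mode Enabled to $LANNIC"
	else
		$IPTABLES -t nat -A PREROUTING -i "$LANNIC" -p tcp --dport 80 -j DNAT --to "$SQUIDREMOTE:$SQUIDPORT"
		echo "SQUID in transparent mode Enabled to $SQUIDREMOTE"
	fi
fi


#Dnateo los puertos del icq para un host definido, FIX THIS
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 20000 -j DNAT --to 192.168.1.36


#Fowardear servicios a algun servidor de la lan
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 22 -j DNAT --to 192.168.1.36:22


#-----------------postrouting-------------------#


if [ "$PPPOE_PMTU" = "yes" ] ; then
	$IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi


if [ "$NETNIC" = "ppp0" ] ; then
	# this used to masquerade "-p tcp" only, so UDP (dns) and ICMP from
	# the lan left with their private source address; the SNAT branch
	# never had that restriction, so match it
	$IPTABLES -t nat -A POSTROUTING -o "$NETNIC" -j MASQUERADE
else
	# the option is "--to-source"; "--to source" was two words
	$IPTABLES -t nat -A POSTROUTING -o "$NETNIC" -j SNAT --to-source "$IPNETNIC"
fi

}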


#----------------function clean-----------------#

#######################################
# Removes every rule and user chain from the filter and nat tables, zeroes
# the counters and opens the three filter policies (ACCEPT).  Used by the
# stop action and before a fresh load.
# Globals (read): IPTABLES
# Returns: status of the last iptables call
#######################################
function clean() {
	local op chain

	# filter table: flush rules, delete user chains, zero counters
	for op in -F -X -Z; do
		$IPTABLES "$op"
	done

	# nat table: flush rules, delete user chains
	for op in -F -X; do
		$IPTABLES "$op" -t nat
	done

	#$IPTABLES -F -t mangle
	#$IPTABLES -X -t mangle

	for chain in INPUT FORWARD OUTPUT; do
		$IPTABLES -P "$chain" ACCEPT
	done
}





##----------------------start | stop | restart | status-----------------------#

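# abort on the first failing command from here on: a rule that iptables
# rejects must not leave a half-loaded rule set running silently
set -e

# the two action bodies; "restart" used to call "stop" and "start", which
# are case labels below and not commands, so it died with "command not found"
start_fw() {
	#closep			#NOTE(review): with closep disabled the policies
				#stay ACCEPT (clean sets them) and only the
				#explicit rules in firewall filter anything
	proc
	clean
	firewall
}

stop_fw() {
	clean
}

case "$1" in
    start)
	start_fw
	;;
    stop)
	stop_fw
	;;
    restart)
	stop_fw
	start_fw
	;;
    status)
	echo ""
	echo "#################"
	echo "#the filter table"
	echo ""
	$IPTABLES -L -v
	echo ""
	echo "##############"
	echo "#the NAT table"
	echo ""
	$IPTABLES -t nat -L -v
	echo ""
	echo "#################"
	echo "#the Mangle table"
	echo ""
	$IPTABLES -t mangle -L -v
	;;
    *)
	echo "Usage: /etc/init.d/firewall { start | stop | restart | status }"
	exit 1
	;;
esac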
