Buenas, buenas... recién terminé... va, sigue en pañales, pero tengo medianamente armado un firewall después de muuuuuuuuuchas horas. Ni siquiera lo probé, capaz que el solito script da un error... ni idea, pero bueno... si alguien le quiere pegar una mirada y darme su opinión a simple vista, igual todavía le faltan muchas cosas... pido disculpas por haber escrito la mayoría de los comentarios en inglés, mala costumbre la mía... perdón...
Pero bueno, los invito a criticarlo duramente.. seguro tiene muchos errores... gracias :) -- Guido Lorenzutti (Peperino Pomuro) emails: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] linux user #206665 - http://counter.li.org
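#!/bin/bash
# firewall -- iptables packet filter and NAT for a small lan behind one uplink
# version 1.0 (mayor release! uija!)
#
# usage:  /etc/init.d/firewall { start | stop | restart | status }
# needs:  root, $IPTABLES, ifconfig, a kernel with netfilter (filter + nat
#         tables, state/limit/mac matches, LOG/REDIRECT/DNAT/MASQUERADE/SNAT).
#
# history:
#   i lost it :)... deal with it.
# to do:
#   see if i don't need to discriminate the ports below 1024
#   depending on the distro check where the script is and scream if it is
#   not on /etc/init.d/
#   actually load the modules MODULES=yes asks for (depmod only rebuilds deps)
#
# this is a comment, i like comments, read them for help
#
# layout: config -> helpers -> sanity checks -> proc/firewall/closep/clean
#         -> start|stop|restart|status dispatcher at the very end.

set -u   # an unset name is a typo in the config, never an empty rule argument

##----------------------------initial config---------------------------------##
#-------------system configuration--------------#
IPTABLES=/sbin/iptables   # path of the iptables binary
MODULES=no                # yes if your kernel supports modules and you need them

#----------network devices settings-------------#
NETNIC=ppp0   # the internet interface; a non-ppp name switches MASQUERADE -> SNAT
LANNIC=eth1   # the interface connected to your lan

#-------------/proc sysctl settings-------------#
IP_FORWARD=yes      # to enable ipforward, VERY important
ICMPALLIGNORE=no    # yes to block ALL the pings from everywhere
ICMPBROADCAST=yes   # yes to not respond to broadcast pings (smurf)
ICMPERRORMESG=yes   # yes to protect against bogus error messages
LOGMARTIANS=yes     # yes to log packets with impossible addresses
IP_SPOOFING=yes     # yes to enable reverse-path filtering on ALL interfaces
REDUCEDOS=yes       # shorter timeouts, no window scaling / sack (costs throughput)
SYNCOOKIES=yes      # yes to enable tcp syn cookies protection
TIMESTAMPS=yes      # yes to disable tcp timestamps
SOURCEROUTED=yes    # yes to ignore source routed packets
SENDREDIRECTS=yes   # yes to stop sending icmp redirects

#------------adsl specific problems-------------#
PPPOE_PMTU=no   # yes if you have mtu problems with your pppoe connection
PPTP_GRE=no     # yes if you have problems with your pptp connection

#------------------squid setup------------------#
TRANSPARENT=yes   # yes if you use squid in transparent mode
SQUIDINSIDE=yes   # yes if squid runs on this box; "no" needs SQUIDREMOTE below
SQUIDREMOTE=      # the ip of the remote squid box on your lan
SQUIDPORT=3128    # the port where squid listens

##--------------------------hosts and ports config---------------------------##
#----------specific TOTALLY banned IPs----------#
USEHATE=no                    # to start using the next options
MICROSOFT=www.microsoft.com   # sample of a banned host
HATEHOSTS="$MICROSOFT"        # add the banned hosts here (space separated)

#-------------specific trusted hosts------------#
USETRUST=yes               # to start using the next options
SICEAR=sicear.dyndns.org   # example of a host to trust
TRUSTED="$SICEAR"          # add the hosts to trust here (space separated)
# a hostname here is resolved ONCE, when the rules are loaded, with a plain
# (unauthenticated) dns lookup; if the answer is wrong or the address changes
# later, the blanket ACCEPT is wrong too. prefer fixed ips for trusted hosts.

#-----------local MAC address friends-----------#
USEMAC=yes                     # to start using the next options
AZRAEL=00:50:BA:86:9F:EC       # example of a mac address to trust
DROOPY=00:50:BA:87:32:34
CEREBRO=00:E0:7D:9F:76:A3
MACFRIENDS="$AZRAEL $CEREBRO"  # add the macs to trust here (space separated)
# a mac address is trivially forged by anyone on the same segment:
# this is convenience, not authentication.

#---------------ssh administration--------------#
#still living my life

#-----------------flood variables---------------#
TCPSYNLIMIT="5/s"       # Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"   # Burst Limit for TCP-SYN-Flood detection
LOGLIMIT="2/s"          # Overall Limit for Logging in Logging-Chains
LOGLIMITBURST="10"      # Burst Limit for Logging in Logging-Chains
PINGLIMIT="5/s"         # Overall Limit for Ping-Flood-Detection
PINGLIMITBURST="10"     # Burst Limit for Ping-Flood-Detection
LOGLEVEL=info           # syslog level for the portscan (CHECKBADFLAG) logs

##-------------------------------helpers-------------------------------------##

#######################################
# Print the first IPv4 address ifconfig reports for an interface.
# Arguments: $1 - interface name
# Outputs:   the address on stdout, nothing if the interface is down/missing
# Notes:     works with both "inet addr:1.2.3.4" and "inet 1.2.3.4" output,
#            because cut prints the whole field when the ':' is absent.
#            -w keeps the inet6 line out.
#######################################
iface_ip() {
  ifconfig "$1" 2>/dev/null | grep -w inet | awk '{ print $2 }' \
    | cut -d : -f 2 | head -n 1
}

#######################################
# Write a value to a /proc/sys knob if the running kernel offers it.
# Arguments: $1 - /proc path, $2 - value, $3 - message to print (optional)
# Notes:     a missing knob is skipped silently so one old kernel never
#            aborts the whole start.
#######################################
write_proc() {
  local path=$1 value=$2 msg=${3:-}
  if [[ -f "$path" ]]; then
    echo "$value" > "$path"
    if [[ -n "$msg" ]]; then
      echo "$msg"
    fi
  fi
}

#######################################
# Abort with a message on stderr.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

##---------------------------testing the config------------------------------##
if [[ "$UID" != "0" ]]; then
  echo " (\___/) "
  echo " (=':'=) "
  echo " ('']_['') "
  echo " "
  echo " are you r00t?"
  exit 1
fi
if [[ -x "$IPTABLES" ]]; then
  echo "the configuration seems to be OK"
else
  die "ABORTING: $IPTABLES doesn't exist or isn't executable"
fi
# interface addresses are only needed to START (SNAT); stop/status must keep
# working when the ppp link is down, so they are checked in start_fw
IPNETNIC=$(iface_ip "$NETNIC")
IPLANNIC=$(iface_ip "$LANNIC")

##----------------------functions for the firewall---------------------------##

#######################################
# Default policies for a running firewall: anything not explicitly accepted
# on INPUT/FORWARD is dropped (the "catch all" the todo list asked for).
# OUTPUT stays ACCEPT on purpose: this script has no OUTPUT allow rules
# (only lo and BLOCKEDPORTS), so DROP there would cut the box off from its
# own dns, ntp, squid upstream... everything.
# Globals: IPTABLES
#######################################
closep() {
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT ACCEPT
}

#######################################
# Apply the /proc/sys/net/ipv4 settings selected in the config block.
# Globals: every *=yes/no knob in "/proc sysctl settings"
#######################################
proc() {
  local f
  if [[ "$IP_FORWARD" == "yes" ]]; then
    write_proc /proc/sys/net/ipv4/ip_forward 1 "ip_forward activated"
  fi
  if [[ "$ICMPALLIGNORE" == "yes" ]]; then
    write_proc /proc/sys/net/ipv4/icmp_echo_ignore_all 1 "blocking all pings from everywhere"
  fi
  if [[ "$ICMPBROADCAST" == "yes" ]]; then
    write_proc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1 "blocking all broadcast pings"
  fi
  if [[ "$ICMPERRORMESG" == "yes" ]]; then
    write_proc /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1 "enable error message protection"
  fi
  if [[ "$LOGMARTIANS" == "yes" ]]; then
    write_proc /proc/sys/net/ipv4/conf/all/log_martians 1 "logging packets with impossible addresses"
  fi
  if [[ "$IP_SPOOFING" == "yes" ]]; then
    # strict reverse-path check (1), written per interface as well as to "all":
    # depending on the kernel the effective value is the AND or the MAX of the
    # two, so touching only "all" may do nothing.
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      write_proc "$f" 1
    done
    echo "blocking IP spoofing attacks"
  fi
  if [[ "$REDUCEDOS" == "yes" ]]; then
    write_proc /proc/sys/net/ipv4/tcp_fin_timeout 30
    write_proc /proc/sys/net/ipv4/tcp_keepalive_time 2400
    write_proc /proc/sys/net/ipv4/tcp_window_scaling 0
    write_proc /proc/sys/net/ipv4/tcp_sack 0
  fi
  if [[ "$SYNCOOKIES" == "yes" ]]; then
    write_proc /proc/sys/net/ipv4/tcp_syncookies 1 "tcp syn cookies protection enabled"
  fi
  if [[ "$TIMESTAMPS" == "yes" ]]; then
    write_proc /proc/sys/net/ipv4/tcp_timestamps 0 "tcp timestamps protection enabled"
  fi
  if [[ "$SOURCEROUTED" == "yes" ]]; then
    write_proc /proc/sys/net/ipv4/conf/all/accept_source_route 0 "ignore source routed packets"
  fi
  if [[ "$SENDREDIRECTS" == "yes" ]]; then
    write_proc /proc/sys/net/ipv4/conf/all/send_redirects 0 "ignore redirected packets"
  fi
}

#######################################
# Append a rate-limited LOG + DROP pair to BLOCKEDPORTS.
# Arguments: $1 - tcp|udp, $2 - dport (single or a:b range), $3 - log prefix
# Globals:   IPTABLES LOGLIMIT LOGLIMITBURST
#######################################
block_port() {
  "$IPTABLES" -A BLOCKEDPORTS -p "$1" --dport "$2" -m limit --limit "$LOGLIMIT" \
    --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "$3"
  "$IPTABLES" -A BLOCKEDPORTS -p "$1" --dport "$2" -j DROP
}

#######################################
# Append a rate-limited LOG + DROP pair to CHECKBADFLAG for one impossible
# tcp flag combination.
# Arguments: $1 - flag mask, $2 - flags that must be set, $3 - log prefix
# Globals:   IPTABLES LOGLEVEL
#######################################
bad_flags() {
  "$IPTABLES" -A CHECKBADFLAG -p tcp --tcp-flags "$1" "$2" -m limit --limit 3/m \
    --limit-burst 5 -j LOG --log-level "$LOGLEVEL" --log-prefix "$3"
  "$IPTABLES" -A CHECKBADFLAG -p tcp --tcp-flags "$1" "$2" -j DROP
}

#######################################
# Load the whole ruleset: logging chains, icmp policy, portscan and trojan
# port traps, INPUT/FORWARD/OUTPUT, squid redirect and NAT.
# Globals:   everything from the config block
# Notes:     assumes the tables are clean (see clean) and the default
#            policies are already set (see closep).
#######################################
firewall() {
  local i icmpwatch icmpldrop

  #---------------------logs----------------------#
  "$IPTABLES" -N WATCH   # log (rate limited) and accept: things i want to see
  "$IPTABLES" -A WATCH -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" \
    -j LOG --log-level warn --log-prefix "ACCEPT"
  "$IPTABLES" -A WATCH -j ACCEPT

  "$IPTABLES" -N LDROP   # log everything i drop
  # rate limited: an unlimited LOG on a drop path lets a packet flood fill
  # the syslog disk, a second DoS on top of the first one
  "$IPTABLES" -A LDROP -p tcp -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" \
    -j LOG --log-level info --log-prefix "DROP TCP"
  "$IPTABLES" -A LDROP -p udp -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" \
    -j LOG --log-level info --log-prefix "DROP UDP"
  "$IPTABLES" -A LDROP -p icmp -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" \
    -j LOG --log-level info --log-prefix "DROP ICMP"
  "$IPTABLES" -A LDROP -p gre -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" \
    -j LOG --log-level info --log-prefix "DROP GRE"
  "$IPTABLES" -A LDROP -j DROP

  "$IPTABLES" -N LBADFLAG   # log every badflag (not referenced yet, CHECKBADFLAG logs itself)
  "$IPTABLES" -A LBADFLAG -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" \
    -j LOG --log-prefix "badflag"
  "$IPTABLES" -A LBADFLAG -j DROP

  "$IPTABLES" -N LINVALID   # invalid packets (not ESTABLISHED, RELATED or NEW)
  "$IPTABLES" -A LINVALID -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" \
    -j LOG --log-prefix "invalid"
  "$IPTABLES" -A LINVALID -j DROP

  "$IPTABLES" -N LPINGFLOOD   # block ping floods
  "$IPTABLES" -A LPINGFLOOD -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" \
    -j LOG --log-prefix "pingflood"
  "$IPTABLES" -A LPINGFLOOD -j DROP

  #-------------------icmp stuff------------------#
  "$IPTABLES" -N ICMP   # icmp chain
  "$IPTABLES" -A ICMP -p icmp --icmp-type echo-reply -m limit --limit "$PINGLIMIT" \
    --limit-burst "$PINGLIMITBURST" -j ACCEPT
  "$IPTABLES" -A ICMP -p icmp --icmp-type echo-reply -j LPINGFLOOD
  "$IPTABLES" -A ICMP -p icmp --icmp-type port-unreachable -m limit --limit "$PINGLIMIT" \
    --limit-burst "$PINGLIMITBURST" -j ACCEPT
  "$IPTABLES" -A ICMP -p icmp --icmp-type port-unreachable -j LPINGFLOOD
  # types i accept but want logged
  icmpwatch="destination-unreachable network-unreachable host-unreachable protocol-unreachable source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited echo-request time-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing"
  # types i drop (redirects, router discovery, timestamp/mask probes...)
  icmpldrop="fragmentation-needed host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect router-advertisement router-solicitation timestamp-request timestamp-reply address-mask-request address-mask-reply"
  for i in $icmpwatch; do
    "$IPTABLES" -A ICMP -p icmp --icmp-type "$i" -j WATCH
  done
  for i in $icmpldrop; do
    "$IPTABLES" -A ICMP -p icmp --icmp-type "$i" -j LDROP
  done
  "$IPTABLES" -A ICMP -p icmp -j LDROP

  #---------logging portscanning attacks----------#
  # kill any tcp packet with an impossible flag combination, on every
  # interface: a bad flag set is bogus wherever it comes from
  "$IPTABLES" -N CHECKBADFLAG
  bad_flags ALL FIN,URG,PSH "DROP Nmap XMAS Scan:"
  bad_flags SYN,RST SYN,RST "DROP SYN RST Scan:"
  bad_flags SYN,FIN SYN,FIN "DROP SYN FIN Scan:"
  bad_flags ALL FIN "DROP Nmap Stealth FYN Scan: "
  bad_flags ALL ALL "DROP ALL/ALL Scan: "
  bad_flags ALL NONE "DROP Nmap Stealth Null Scan: "

  #--------------log blocked ports----------------#
  "$IPTABLES" -N BLOCKEDPORTS   # kill any tcp/udp packet for the selected ports
  block_port tcp 6670 "DROP deepthroat trojan:"
  block_port udp 31337:31338 "DROP back orifice trojan:"
  block_port udp 28431 "DROP hack'a'tack trojan:"
  block_port tcp 6000:6063 "DROP Xs ports:"
  block_port tcp 12345:12346 "DROP netbus trojan:"
  block_port tcp 20034 "DROP netbus trojan:"
  block_port tcp 1243 "DROP subseven trojan:"
  block_port udp 1243 "DROP subseven trojan:"
  block_port tcp 27374 "DROP subseven trojan:"
  block_port udp 27374 "DROP subseven trojan:"
  block_port tcp 6711:6713 "DROP subseven trojan:"
  #------------drop ports without log-------------#
  for i in 137 138 139 445; do   # samba/netbios: too noisy to be worth a log line
    "$IPTABLES" -A BLOCKEDPORTS -p tcp --dport "$i" -j DROP
    "$IPTABLES" -A BLOCKEDPORTS -p udp --dport "$i" -j DROP
  done

  #------------------INPUT chain------------------#
  "$IPTABLES" -A INPUT -i lo -j ACCEPT   # i trust in my loopback
  if [[ "$PPTP_GRE" == "yes" ]]; then
    # gre carries the pptp tunnel; match the interface (-d takes an address)
    "$IPTABLES" -A INPUT -i "$NETNIC" -p gre -j ACCEPT
  fi
  if [[ "$USEMAC" == "yes" ]]; then
    for i in $MACFRIENDS; do
      "$IPTABLES" -A INPUT -m mac --mac-source "$i" -j ACCEPT
    done
  fi
  if [[ "$USETRUST" == "yes" ]]; then
    for i in $TRUSTED; do
      "$IPTABLES" -A INPUT -s "$i" -j ACCEPT
    done
  fi
  if [[ "$USEHATE" == "yes" ]]; then
    for i in $HATEHOSTS; do
      "$IPTABLES" -A INPUT -s "$i" -j DROP
    done
  fi
  "$IPTABLES" -A INPUT -p icmp -j ICMP
  "$IPTABLES" -A INPUT -m state --state INVALID -j LINVALID
  "$IPTABLES" -A INPUT -p tcp -j CHECKBADFLAG
  # i only care about the internet, my lan is friendly
  "$IPTABLES" -A INPUT -i "$NETNIC" -j BLOCKEDPORTS
  # RELATED lets ftp-data and irc dcc back in; drop it for more security
  "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -i "$NETNIC" -j ACCEPT
  "$IPTABLES" -A INPUT -i "$LANNIC" -j ACCEPT
  # to offer a service on the firewall box itself, add lines like:
  #"$IPTABLES" -A INPUT -i "$NETNIC" -p tcp --dport PORT -j ACCEPT
  # catch all: log what the DROP policy is about to eat
  "$IPTABLES" -A INPUT -i "$NETNIC" -j LDROP

  #----------------forward chain------------------#
  "$IPTABLES" -A FORWARD -m state --state INVALID -j LINVALID
  "$IPTABLES" -A FORWARD -o "$NETNIC" -j BLOCKEDPORTS
  "$IPTABLES" -A FORWARD -i "$NETNIC" -j BLOCKEDPORTS
  # lan -> internet is allowed as a whole; the nat rules below hide it.
  # to allow only some hosts/ports instead, replace this rule with lines like:
  #"$IPTABLES" -A FORWARD -i "$LANNIC" -o "$NETNIC" -s LANIP -p tcp --dport PORT -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$LANNIC" -o "$NETNIC" -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$NETNIC" -m state --state ESTABLISHED -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$NETNIC" -p icmp -m state --state RELATED -j ACCEPT
  "$IPTABLES" -A FORWARD -j LDROP   # catch all, same as INPUT

  #-----------------output chain------------------#
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$NETNIC" -j BLOCKEDPORTS

  #------------------prerouting-------------------#
  if [[ "$TRANSPARENT" == "yes" ]]; then
    if [[ "$SQUIDINSIDE" == "yes" ]]; then
      "$IPTABLES" -t nat -A PREROUTING -i "$LANNIC" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUIDPORT"
      echo "SQUID in transparent mode Enabled to $LANNIC"
    else
      # an empty SQUIDREMOTE would DNAT port 80 to ":3128" -> abort instead
      : "${SQUIDREMOTE:?SQUIDINSIDE=no needs SQUIDREMOTE set to the squid box ip}"
      "$IPTABLES" -t nat -A PREROUTING -i "$LANNIC" -p tcp --dport 80 \
        -j DNAT --to "$SQUIDREMOTE:$SQUIDPORT"
      echo "SQUID in transparent mode Enabled to $SQUIDREMOTE"
    fi
  fi
  # dnat the icq ports to one lan host, FIX THIS
  #"$IPTABLES" -t nat -A PREROUTING -i "$NETNIC" -p tcp --dport 20000 -j DNAT --to 192.168.1.36
  # forward a service to some server on the lan
  #"$IPTABLES" -t nat -A PREROUTING -i "$NETNIC" -p tcp --dport 22 -j DNAT --to 192.168.1.36:22

  #-----------------postrouting-------------------#
  if [[ "$PPPOE_PMTU" == "yes" ]]; then
    # TCPMSS is a mangle-table target; the nat table rejects it
    "$IPTABLES" -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
      -j TCPMSS --clamp-mss-to-pmtu
  fi
  if [[ "$NETNIC" == ppp* ]]; then
    # dynamic address: masquerade. every protocol, not only tcp, or the lan's
    # dns (udp) and pings leave with a private source and never come back
    "$IPTABLES" -t nat -A POSTROUTING -o "$NETNIC" -j MASQUERADE
  else
    "$IPTABLES" -t nat -A POSTROUTING -o "$NETNIC" -j SNAT --to-source "$IPNETNIC"
  fi
}

#######################################
# Flush and delete everything and open the default policies (= stopped).
# Globals: IPTABLES
#######################################
clean() {
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -Z
  "$IPTABLES" -F -t nat
  "$IPTABLES" -X -t nat
  # mangle only ever holds the optional TCPMSS rule; best effort, the table
  # may not exist on this kernel and that must not break "stop"
  "$IPTABLES" -F -t mangle 2>/dev/null || true
  "$IPTABLES" -X -t mangle 2>/dev/null || true
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
}

#######################################
# "start": refuse to run on top of a loaded ruleset, check the interfaces,
# then proc -> clean -> closep -> firewall. The policies go to DROP before
# the rules are appended so the box is never open while half loaded.
# Globals: IPTABLES MODULES NETNIC LANNIC IPNETNIC IPLANNIC
#######################################
start_fw() {
  # the ICMP chain only exists while the firewall is running
  if ! "$IPTABLES" -N ICMP 2>/dev/null; then
    echo
    echo "you should stop the firewall before start it again"
    echo "/etc/init.d/firewall stop"
    echo
    exit 1
  fi
  if [[ -z "$IPNETNIC" ]]; then
    die "ABORTING: Unable to determine the IP-address of the $NETNIC"
  fi
  echo "the internet connection is thru the $NETNIC device"
  if [[ -z "$IPLANNIC" ]]; then
    die "ABORTING: Unable to determine the IP-address of the $LANNIC"
  fi
  echo "the lan connection is thru the $LANNIC device"
  ##----------------------------modules to load--------------------------------##
  if [[ "$MODULES" == "yes" ]]; then
    echo "cargando los modulos necesarios"
    depmod -a
  else
    echo "you don't need any modules or your kernel doesn't support them"
  fi
  proc
  clean     # also removes the probe chain created above
  closep
  firewall
}

#######################################
# "status": list the three tables. -n skips reverse dns on every listed
# address (slow, and it sends queries about whoever is in the rules).
# Globals: IPTABLES
#######################################
status_fw() {
  echo ""
  echo "#################"
  echo "#the filter table"
  echo ""
  "$IPTABLES" -L -n -v
  echo ""
  echo "##############"
  echo "#the NAT table"
  echo ""
  "$IPTABLES" -t nat -L -n -v
  echo ""
  echo "#################"
  echo "#the Mangle table"
  echo ""
  "$IPTABLES" -t mangle -L -n -v
}

##----------------------start | stop | restart | status-----------------------#
# from here on a failing iptables call aborts instead of leaving a half
# loaded ruleset behind
set -e
case "${1:-}" in
  start)
    start_fw
    ;;
  stop)
    clean
    ;;
  restart)
    clean
    start_fw
    ;;
  status)
    status_fw
    ;;
  *)
    echo "Usage: /etc/init.d/firewall { start | stop | restart | status }"
    exit 1
    ;;
esac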