"Vincent Munari" <[EMAIL PROTECTED]> writes:
> Quelqu'un aurait-il des liens intéressants où iptables est
> décortiqué et bien expliqué? (en dehors des man pages et des HOW-TO
> qui ne sont pas asset détaillés à mon goût)
ben voila le script que je vais bientot installer. je dois encore le
tester un peu, mais tout les commentaires sont les bienvenus. le
script je l'ai fait en copiant a gauche et a droite et en lisant la
doc. il est destine a etre demarre au boot (une partie en tout cas) et
l'autre partie lors du ppp/ip-up.
/etc/firewall/firewall peut etre copie dans /etc/init.d/,
/etc/firewall/firewall.ppp peut etre copie dans /etc/ppp/ip-up.d/ et
ip-down.d.
/etc/firewall/firewall
**********************************************************************
#!/bin/sh
PROG_NAME="$0"
IPTABLES_FW_SCRIPT="/etc/firewall/firewall.sh"
if [ ! -x "$IPTABLES_FW_SCRIPT" ]; then
IPTABLES_FW_SCRIPT=`dirname "$PROG_NAME"`"/iptables-fw.sh"
fi
# ----------------------------------------------------------------------
usage() {
cat <<EOF
Usage: $0 start|stop|restart|status
EOF
} # end of function usage
# ----------------------------------------------------------------------
if [ $# -ne 1 ]; then
usage
fi
cmd_arg="$1"
case "$cmd_arg" in
start)
$IPTABLES_FW_SCRIPT start main
$IPTABLES_FW_SCRIPT start private
;;
stop)
$IPTABLES_FW_SCRIPT stop private
$IPTABLES_FW_SCRIPT stop main
;;
restart)
$PROG_NAME stop
$PROG_NAME start
;;
status)
$IPTABLES_FW_SCRIPT status
;;
*)
usage
exit 1
;;
esac
exit 0
**********************************************************************
/etc/firewall/firewall.ppp
**********************************************************************
#!/bin/sh
echo $0 | grep '^/etc/ppp/ip-up.d/' && CMD=start
echo $0 | grep '^/etc/ppp/ip-down.d/' && CMD=stop
FIREWALL_SCRIPT="/etc/firewall/firewall.sh"
if [ ! -x "$FIREWALL_SCRIPT" ]; then
FIREWALL_SCRIPT=`dirname "$PROG_NAME"`"/iptables-fw.sh"
fi
[ ! -x $FIREWALL_SCRIPT ] && exit 1
#LOCALNET=`grep '^localnet' /etc/networks | sed -e '2,$d' -e
's/^.*[^0-9]\+\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/g'`
#LOCALNET_NETWORK=`/usr/bin/ipv4calc --network $LOCALNET`
LOCALNET_NETWORK=192.168.56.0
REMOTE_NETWORK=`/usr/bin/ipv4calc --network $PPP_REMOTE`
#LOCAL_NETWORK=`/usr/bin/ipv4calc --network $PPP_LOCAL`
GENERIC_IFACE=`echo $PPP_IFACE | /usr/bin/tr -d '[0-9]'`
echo REMOTE_NETWORK=$REMOTE_NETWORK, LOCALNET_NETWORK=$LOCALNET_NETWORK,
GENERIC_IFACE=$GENERIC_IFACE >> /tmp/ppp.log
if [ $REMOTE_NETWORK = $LOCALNET_NETWORK -a $GENERIC_IFACE = "ppp" ]; then
# we have the palm interface pppX
# we could also test for the device, but only because we use an alias
ARGS="$CMD palm $PPP_IFACE $PPP_LOCAL $PPP_REMOTE"
else
# else we brought up the link to the internet
ARGS="$CMD public $PPP_IFACE $PPP_LOCAL"
fi
echo $FIREWALL_SCRIPT $ARGS >> /var/log/ppp.log
$FIREWALL_SCRIPT $ARGS
**********************************************************************
/etc/firewall/firewall.sh
**********************************************************************
#!/bin/sh
PROG_NAME="$0"
DYNAMIC_VALUE="_dynamic_"
ECHO="/bin/echo"
# --------------------------------------------------------------------
PRIVATE_IP_HOST_ARGON="192.168.56.1/32"
PRIVATE_IP_HOST_PLUTO="192.168.56.10/32"
# ... ... ... ... ... ... ... ... ... ... ... ..
INTERNAL_INTERFACE="eth0"
PRIVATE_IF="$DYNAMIC_VALUE"
PRIVATE_IP="$DYNAMIC_VALUE"
PRIVATE_CIDR="$DYNAMIC_VALUE"
PRIVATE_NET="$DYNAMIC_VALUE"
PRIVATE_BROADCAST="$DYNAMIC_VALUE"
# ... ... ... ... ... ... ... ... ... ... ... ..
PRIVATE_IP_DNS="$PRIVATE_IP_HOST_ARGON"
PRIVATE_IP_PROXY="$PRIVATE_IP_HOST_ARGON"
PRIVATE_IP_NTP="$PRIVATE_IP_HOST_ARGON"
PRIVATE_IP_LPD="$PRIVATE_IP_HOST_ARGON"
# ....................................................................
#DMZ_IF="eth2"
#DMZ_NET="192.168.99.0/24"
#DMZ_IP="192.168.99.11/32"
# ....................................................................
PUBLIC_IF="$DYNAMIC_VALUE"
PUBLIC_NET="0.0.0.0/0"
PUBLIC_IP="$DYNAMIC_VALUE"
# ....................................................................
LOOPBACK_IF="lo"
LOOPBACK_NET="127.0.0.0/8"
LOOPBACK_IP="127.0.0.1/32"
# ....................................................................
BROADCAST="255.255.255.255/32"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
# --------------------------------------------------------------------
# --------------------------------------------------------------------
ERR_NO_ERROR=0
ERR_INIT=1
ERR_RUNNING=2
# --------------------------------------------------------------------
# --------------------------------------------------------------------
FD_ERROR="/dev/stderr"
FD_TRACE="$FD_ERROR"
FD_DEBUG="$FD_ERROR"
DEBUG="off" # possible values are "on" or "off"
[ "$IPTABLES_FW_DEBUG" = "on" ] && DEBUG="on"
DEBUG_CMD="$ECHO"
[ "$DEBUG" = "off" ] && DEBUG_CMD=""
DEPMOD="$DEBUG_CMD /sbin/depmod"
IPTABLES="$DEBUG_CMD /sbin/iptables"
MODPROBE="$DEBUG_CMD /sbin/modprobe"
SED="/bin/sed"
GREP="/bin/grep"
IPV4CALC="/usr/bin/ipv4calc"
TRACE="on" # possible values are "on" or "off"
# log variables
LOG_PRIO_NORMAL=6
LOG_PRIO_PARANOIA=7
LOG_PRIO_ALL=$LOG_PRIO_NORMAL
LOG_PREFIX_NORMAL=" "
LOG_PREFIX_PARANOIA="*"
LOG_PREFIX_ALL="!"
# --------------------------------------------------------------------
# --------------------------------------------------------------------
PORT_UNPRIV="1024:"
PORT_TR_SRC="32769:"
PORT_TR_DEST="33434:33523"
# --------------------------------------------------------------------
# --------------------------------------------------------------------
ctrl_main_usage() {
cat <<EOF
Usage: ctrl_main start|stop <private interface>
EOF
exit $ERR_RUNNING
} # end of function ctrl_main_usage
ctrl_main() {
trace "ctrl_main: ctrl_main: begin"
if [ $# -lt 2 ]; then
error "Missing/exessive arguments for 'ctrl_main' ($# args supplied)"
ctrl_main_usage
fi
main_cmd="$1"
case "$main_cmd" in
start)
action="-A"
;;
stop)
action="-D"
;;
*)
error "ctrl_main: wrong action '$main_cmd'."
return
;;
esac
intif="$2"
# --------------------------------------------------
$DEPMOD -a
trace "ctrl_main: modprobing modules"
$MODPROBE iptable_filter
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
# --------------------------------------------------
# --------------------------------------------------
trace "ctrl_main: cleaning up tables/chains"
# flushing all chains...
$IPTABLES -F
# deleting all existing chains
$IPTABLES -X
# reseting counters
$IPTABLES -Z
# policy: drop any packet
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
if [ "$main_cmd" = "start" ]; then
# ..............................................
# set up new chain to log and drop packets
trace "ctrl_main: create log-chains drop"
$IPTABLES -N log_DROP
$IPTABLES $action log_DROP \
-j LOG --log-level $LOG_PRIO_NORMAL \
--log-prefix="${LOG_PREFIX_NORMAL}Packet-drop: " \
### -m limit --limit 30/hour
$IPTABLES $action log_DROP -j DROP
$IPTABLES -N log_DROP_PARANOIA
$IPTABLES $action log_DROP_PARANOIA \
-j LOG --log-level $LOG_PRIO_PARANOIA \
--log-prefix="${LOG_PREFIX_PARANOIA}Packet-drop: " \
### -m limit --limit 30/hour
$IPTABLES $action log_DROP_PARANOIA -j DROP
$IPTABLES -N log_DROP_ALL
$IPTABLES $action log_DROP_ALL \
-j LOG --log-level $LOG_PRIO_ALL \
--log-prefix="${LOG_PREFIX_ALL}Packet-drop: " \
### -m limit --limit 30/hour
$IPTABLES $action log_DROP_ALL -j DROP
# ..............................................
# ..............................................
# set up new chain to log and reject packets
trace "ctrl_main: create log-chains reject"
$IPTABLES -N log_REJECT
$IPTABLES $action log_REJECT \
-j LOG --log-level $LOG_PRIO_NORMAL \
--log-prefix="${LOG_PREFIX_NORMAL}Packet-reject: " \
### -m limit --limit 30/hour
$IPTABLES $action log_REJECT -j REJECT
$IPTABLES -N log_REJECT_PARANOIA
$IPTABLES $action log_REJECT_PARANOIA \
-j LOG --log-level $LOG_PRIO_PARANOIA \
--log-prefix="${LOG_PREFIX_PARANOIA}Packet-reject: " \
### -m limit --limit 30/hour
$IPTABLES $action log_REJECT_PARANOIA -j REJECT
$IPTABLES -N log_REJECT_ALL
$IPTABLES $action log_REJECT_ALL \
-j LOG --log-level $LOG_PRIO_ALL \
--log-prefix="${LOG_PREFIX_ALL}Packet-reject: " \
### -m limit --limit 30/hour
$IPTABLES $action log_REJECT_ALL -j REJECT
# ..............................................
# ..............................................
# set up new chain to log and accept packets
trace "ctrl_main: create log-chains accept"
$IPTABLES -N log_ACCEPT
$IPTABLES $action log_ACCEPT \
-j LOG --log-level $LOG_PRIO_NORMAL \
--log-prefix="${LOG_PREFIX_NORMAL}Packet-ok: " \
### -m limit --limit 30/hour
$IPTABLES $action log_ACCEPT -j ACCEPT
$IPTABLES -N log_ACCEPT_PARANOIA
$IPTABLES $action log_ACCEPT_PARANOIA \
-j LOG --log-level $LOG_PRIO_PARANOIA \
--log-prefix="${LOG_PREFIX_PARANOIA}Packet-ok: " \
### -m limit --limit 30/hour
$IPTABLES $action log_ACCEPT_PARANOIA -j ACCEPT
$IPTABLES -N log_ACCEPT_ALL
$IPTABLES $action log_ACCEPT_ALL \
-j LOG --log-level $LOG_PRIO_ALL \
--log-prefix="${LOG_PREFIX_ALL}Packet-ok: " \
### -m limit --limit 30/hour
$IPTABLES $action log_ACCEPT_ALL -j ACCEPT
# ..............................................
fi
# --------------------------------------------------
# --------------------------------------------------
## Kernel flags
trace "ctrl_main: set kernel flags"
# disable ECN (Electronic Congestion Notification), at least
# for now....
trace "$ECHO 0 > /proc/sys/net/ipv4/tcp_ecn"
[ "$DEBUG" != "on" ] &&
$ECHO "0" > /proc/sys/net/ipv4/tcp_ecn
# To dynamically change kernel parameters and variables on the
# fly you need CONFIG_SYSCTL defined in your kernel. I would
# advise the following:
# Disable response to ping.
trace "$ECHO 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
[ "$DEBUG" != "on" ] &&
$ECHO "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
trace "$ECHO 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
[ "$DEBUG" != "on" ] &&
$ECHO "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets. Attackers can use
# source routing to generate traffic pretending to be from
# inside your network, but which is routed back along the
# path from which it came, namely outside, so attackers can
# compromise your network. Source routing is rarely used for
# legitimate purposes.
trace "$ECHO 0 > /proc/sys/net/ipv4/conf/all/accept_source_route"
[ "$DEBUG" != "on" ] &&
$ECHO "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance. ICMP redirects can be
# used to alter your routing tables, possibly to a bad end.
trace "$ECHO 0 > /proc/sys/net/ipv4/conf/all/accept_redirects"
[ "$DEBUG" != "on" ] &&
$ECHO "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection.
trace "$ECHO 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses"
[ "$DEBUG" != "on" ] &&
$ECHO "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Turn on reverse path filtering. This helps make sure that
# packets use legitimate source addresses, by automatically
# rejecting incoming packets if the routing table entry for
# their source address doesn't match the network interface
# they're arriving on. This has security advantages because
# it prevents so-called IP spoofing, however it can pose problems
# if you use asymmetric routing (packets from you to a host take
# a different path than packets from that host to you) or if you
# operate a non-routing host which has several IP addresses on
# different interfaces. (Note - If you turn on IP forwarding, you
# will also get this).
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
trace "$ECHO 1 > $interface"
[ "$DEBUG" != "on" ] &&
$ECHO "1" > $interface
done
# Log spoofed packets, source routed packets, redirect packets.
trace "$ECHO 1 > /proc/sys/net/ipv4/conf/all/log_martians"
[ "$DEBUG" != "on" ] &&
$ECHO "1" > /proc/sys/net/ipv4/conf/all/log_martians
# lets turn off IP forwarding, for now
trace "$ECHO 0 > /proc/sys/net/ipv4/ip_forward"
[ "$DEBUG" != "on" ] &&
$ECHO "0" > /proc/sys/net/ipv4/ip_forward
# Note: With connection tracking, all fragments are reassembled
# before being passed to the packet-filtering code so there is
# no ip_always_defrag switch as there was in the 2.2 kernel.
# --------------------------------------------------
# --------------------------------------------------
# loopback interface is ok
trace "ctrl_main: configure loopback interface"
$IPTABLES $action INPUT -i $LOOPBACK_IF -j log_ACCEPT_ALL
$IPTABLES $action OUTPUT -o $LOOPBACK_IF -j log_ACCEPT_ALL
# --------------------------------------------------
# --------------------------------------------------
# delete the chains we've created in case we stop here.
if [ "$main_cmd" = "stop" ]; then
trace "ctrl_main: deleting log-chains"
for chain in log_DROP log_REJECT log_ACCEPT; do
$IPTABLES -F $chain
$IPTABLES -X $chain
done
fi
# --------------------------------------------------
trace "ctrl_main: end"
} # end of function ctrl_main
# --------------------------------------------------------------------
# --------------------------------------------------------------------
ctrl_private_usage() {
cat <<EOF
Usage: ctrl_private start|stop <private-interface>
EOF
ctrl_main start $INTERNAL_INTERFACE
exit $ERR_RUNNING
} # end of function ctrl_private_usage
ctrl_private() {
trace "ctrl_private: begin"
if [ $# -lt 2 ]; then
error "Missing/exessive arguments for 'ctrl_private' ($# args supplied)"
ctrl_private_usage
fi
private_cmd="$1"
case "$private_cmd" in
start)
action="-A"
;;
stop)
action="-D"
;;
*)
error "ctrl_private: wrong action '$private_cmd'."
ctrl_private_usage
return
;;
esac
# since this is for the routing, we have several interface
# (and associated ip addresses):
# internal interface and ip
intif="$2"
set_private_vars $intif
# --------------------------------------------------
# INCOMING and OUTGOING connections
# allow all incoming and outgoing TCP, UDP and ICMP connections
# (on the local network!)
# all TCP ports open are:
trace "ctrl_private: configure incoming TCP connections"
$IPTABLES $action INPUT -p tcp \
-i $intif -s $PRIVATE_NET -d $PRIVATE_IP \
-j log_ACCEPT_PARANOIA
$IPTABLES $action OUTPUT -p tcp \
-o $intif -s $PRIVATE_IP -d $PRIVATE_NET \
-j log_ACCEPT_PARANOIA
# all UDP ports open are:
trace "ctrl_private: configure incoming UDP connections"
$IPTABLES $action INPUT -p udp \
-i $intif -s $PRIVATE_NET -d $PRIVATE_IP \
-j log_ACCEPT_PARANOIA
$IPTABLES $action OUTPUT -p udp \
-o $intif -s $PRIVATE_IP -d $PRIVATE_NET \
-j log_ACCEPT_PARANOIA
# all ICMP messages open are:
trace "ctrl_private: configure incoming ICMP connections"
$IPTABLES $action INPUT -p icmp \
-i $intif -s $PRIVATE_NET -d $PRIVATE_IP \
-j log_ACCEPT_PARANOIA
$IPTABLES $action OUTPUT -p icmp \
-o $intif -s $PRIVATE_IP -d $PRIVATE_NET \
-j log_ACCEPT_PARANOIA
# --------------------------------------------------
# --------------------------------------------------
# all other packets are logged:
# trace "ctrl_private: default log & drop"
# $IPTABLES $action INPUT -j log_DROP
# $IPTABLES $action OUTPUT -j log_DROP
# $IPTABLES $action FORWARD -j log_DROP
# --------------------------------------------------
trace "ctrl_private: end"
} # end of function ctrl_private
# --------------------------------------------------------------------
# --------------------------------------------------------------------
ctrl_dmz_usage() {
cat <<EOF
Usage: ctrl_dmz start|stop <private-interface> <dmz-interface>
EOF
ctrl_main start $INTERNAL_INTERFACE
exit $ERR_RUNNING
} # end of function ctrl_dmz_usage
ctrl_dmz() {
trace "ctrl_dmz: begin"
if [ $# -ne 3 ]; then
error "Missing/exessive arguments for 'ctrl_dmz' ($# args supplied)"
ctrl_dmz_usage
fi
dmz_cmd="$1"
case "$dmz_cmd" in
start)
action="-A"
;;
stop)
action="-D"
;;
*)
error "ctrl_dmz: wrong action '$dmz_cmd'."
return
;;
esac
# internal interface and ip
intif="$2"
set_private_vars $intif
# --------------------------------------------------
# --------------------------------------------------
trace "ctrl_dmz: end"
} # end of function ctrl_dmz
# --------------------------------------------------------------------
# --------------------------------------------------------------------
ctrl_public_usage() {
cat <<EOF
Usage: ctrl_public start|stop <private-interface> <private-ip> <public-interface>
<public-ip>
EOF
ctrl_main start $INTERNAL_INTERFACE
exit $ERR_RUNNING
} # end of function ctrl_public_usage
ctrl_public() {
trace "ctrl_public: begin"
if [ $# -ne 4 ]; then
error "Missing/exessive arguments for 'ctrl_public' ($# args supplied)"
ctrl_public_usage
fi
public_cmd="$1"
case "$public_cmd" in
start)
action="-A"
;;
stop)
action="-D"
;;
*)
error "ctrl_public: wrong action '$public_cmd'."
return
;;
esac
# since this is for the routing, we have several interface
# (and associated ip addresses):
# internal interface and ip
intif="$2"
set_private_vars $intif
# external interface and ip
extint="$3"
extip="$4"
# --------------------------------------------------
## SYN-FLOODINGPROTECTION
# This rule maximises the rate of incoming connections. In
# order to do this we divert tcp packets with the SYN bit
# set off to a user-defined chain. Up to limit-burst
# connections can arrive in 1/limit seconds ..... in this
# case 4 connections in one second. After this, one of the
# burst is regained every second and connections are allowed
# again. The default limit is 3/hour. The default limit burst
# is 5.
trace "ctrl_public: syn-flood protection"
if [ "$public_cmd" = "start" ]; then
$IPTABLES -N sys_SYN_FLOOD
fi
$IPTABLES $action INPUT -i $extint -p tcp --syn -j sys_SYN_FLOOD
$IPTABLES $action sys_SYN_FLOOD -m limit \
--limit 1/s --limit-burst 4 -j RETURN
$IPTABLES $action sys_SYN_FLOOD -j log_DROP
## Make sure NEW tcp connections are SYN packets
trace "ctrl_public: check new TCP connection has syn flag set"
$IPTABLES $action INPUT -i $extint -p tcp ! --syn \
-m state --state NEW -j log_DROP
## FRAGMENTS
# I have to say that fragments scare me more than anything.
# Sending lots of non-first fragments was what allowed Jolt2
# to effectively "drown" Firewall-1. Fragments can be
# overlapped, and the subsequent interpretation of such
# fragments is very OS-dependent (see this paper for details).
# I am not going to trust any fragments.
# Log fragments just to see if we get any, and deny them too.
trace "ctrl_public: fragments handling"
$IPTABLES $action INPUT -i $extint -f \
-j LOG --log-prefix "IPTABLES FRAGMENTS: "
$IPTABLES $action INPUT -i $extint -f -j DROP
## SPOOFING
# Most of this anti-spoofing stuff is theoretically not really
# necessary with the flags we have set in the kernel above
# ........... but you never know there isn't a bug somewhere in
# your IP stack.
#
trace "ctrl_public: refuse spoofed packets"
# Refuse spoofed packets pretending to be from your IP address.
$IPTABLES $action INPUT -i $extint -s $extip -j log_DROP
# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface
# protects against source quench, whereby a machine can be
# told to slow itself down by an icmp source quench to the
# loopback.
$IPTABLES $action INPUT -i $extint -d $LOOPBACK_NET \
-j log_DROP
for sense in INPUT OUTPUT; do
case "$sense" in
"INPUT")
sense_if="-i"
sense_comment="in"
;;
"OUTPUT")
sense_if="-o"
sense_comment="out"
;;
*)
sense_if=""
sense_comment="UNKNOWN"
;;
esac
trace "ctrl_public: refuse unroutable packets $sense_comment"
# Refuse packets claiming to be from (or going to) a
# Class A private network.
$IPTABLES $action $sense $sense_if $extint \
-s $CLASS_A \
-j log_DROP
# Refuse packets claiming to be from (or going to) a
# Class B private network.
$IPTABLES $action $sense $sense_if $extint \
-s $CLASS_B \
-j log_DROP
# Refuse packets claiming to be from (or going to) a
# Class C private network.
$IPTABLES $action $sense $sense_if $extint \
-s $CLASS_C \
-j log_DROP
# Refuse Class D multicast addresses. Multicast is
# illegal as a source address.
$IPTABLES $action $sense $sense_if $extint \
-s $CLASS_D_MULTICAST \
-j log_DROP
# Refuse Class E reserved IP addresses.
$IPTABLES $action $sense $sense_if $extint \
-s $CLASS_E_RESERVED_NET \
-j log_DROP
trace "ctrl_public: refuse broadcasts $sense_comment"
# Refuse broadcast address packets.
$IPTABLES $action $sense $sense_if $extint -d $PRIVATE_BROADCAST \
-j log_DROP
done
# --------------------------------------------------
# --------------------------------------------------
$IPTABLES $action OUTPUT -o $extint -p tcp \
-m state --state NEW,ESTABLISHED -j log_ACCEPT_PARANOIA
$IPTABLES $action INPUT -i $extint -p tcp \
-m state --state ESTABLISHED -j log_ACCEPT_PARANOIA
$IPTABLES $action OUTPUT -o $extint -p udp \
-m state --state NEW,ESTABLISHED -j log_ACCEPT_PARANOIA
$IPTABLES -A INPUT -i $extint -p udp \
-m state --state ESTABLISHED -j log_ACCEPT_PARANOIA
$IPTABLES $action OUTPUT -o $extint -p icmp \
-m state --state NEW,ESTABLISHED -j log_ACCEPT_PARANOIA
$IPTABLES -A INPUT -i $extint -p icmp \
-m state --state ESTABLISHED,RELATED -j log_ACCEPT_PARANOIA
# --------------------------------------------------
# --------------------------------------------------
# some ports to block explictly from going out and coming in:
trace "ctrl_public: explicit block"
for el in 137 138 139; do
for proto in tcp udp; do
$IPTABLES $action OUTPUT -o $extint -p $proto \
--dport $el -j log_DROP_PARANOIA
$IPTABLES $action INPUT -i $extint -p $proto \
--dport $el -j log_DROP_PARANOIA
done
done
for el in 6000:6007; do
$IPTABLES $action OUTPUT -o $extint -p tcp \
--dport $el -j log_DROP_PARANOIA
$IPTABLES $action INPUT -i $extint -p tcp \
--dport $el -j log_DROP_PARANOIA
done
# --------------------------------------------------
# --------------------------------------------------
trace "ctrl_public: control incoming new and invalid"
# Disallow NEW and INVALID incoming or forwarded packets from
# the external interface:
$IPTABLES $action INPUT -i $extint \
-m state --state NEW,INVALID -j log_DROP
$IPTABLES $action FORWARD -i $extint \
-m state --state NEW,INVALID -j log_DROP
# --------------------------------------------------
# --------------------------------------------------
trace "ctrl_public: masquerading"
# this is also a router, so we masquerade:
# masquerade out of the external interface
$IPTABLES -t nat $action POSTROUTING -o $extint -j MASQUERADE
# lets turn off IP forwarding, for now
if [ "$action" = "start" ]; then
ip_forwarding=1
else
ip_forwarding=0
fi
trace "$ECHO $ip_forwarding > /proc/sys/net/ipv4/ip_forward"
[ "$DEBUG" != "on" ] &&
$ECHO "$ip_forwarding" > /proc/sys/net/ipv4/ip_forward
echo $ip_forwarding > /proc/sys/net/ipv4/ip_forward
# --------------------------------------------------
# --------------------------------------------------
if [ "$public_cmd" = "stop" ]; then
trace "ctrl_public: cleanup syn-flood chain"
$IPTABLES -F sys_SYN_FLOOD
$IPTABLES -X sys_SYN_FLOOD
$IPTABLES -Z sys_SYN_FLOOD
fi
# --------------------------------------------------
trace "ctrl_public: end"
} # end of function ctrl_public
# --------------------------------------------------------------------
# --------------------------------------------------------------------
set_private_vars_usage() {
cat <<EOF
Usage: set_private_vars <private interface>
EOF
exit $ERR_RUNNING
} # end of function set_private_vars_usage
set_private_vars() {
trace "set_private_vars: begin"
if [ $# -ne 1 ]; then
set_private_vars_usage
fi
PRIVATE_IF="$1"
PRIVATE_IP="$PRIVATE_IP_HOST_PLUTO"
PRIVATE_IP_TMP=`echo "$PRIVATE_IP" | sed -e 's/\/.*$//g'`
PRIVATE_IP="$PRIVATE_IP_TMP/32"
# [ "$PRIVATE_IP" = "$DYNAMIC_VALUE" ] &&
# PRIVATE_IP="`ifconfig $PRIVATE_IF | $GREP 'inet addr:' | $SED -e
's/^\(.[^:]*:\)\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\)\(.*$\)/\2/g'`/32"
# if [ `$ECHO $PRIVATE_IP | $GREP -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+$'` -ne
0 ]; then
# cat <<EOF
#
#set_private_vars: Unable to obtain a correct (private) IP address from the private
interface $PRIVATE_IF. Closing down firewall a maximum.
#
#EOF
# ctrl_main start $INTERNAL_INTERFACE
# exit $ERR_RUNNING
# fi
PRIVATE_CIDR=24
# if [ "$PRIVATE_CIDR" = "$DYNAMIC_VALUE" ]; then
# TMP_PRIVATE_IP=`$ECHO $PRIVATE_IP | sed -e 's/\/.*//g'`
# PRIVATE_CIDR=`$IPV4CALC --cidr $TMP_PRIVATE_IP`
# fi
[ "$PRIVATE_NET" = "$DYNAMIC_VALUE" ] &&
PRIVATE_NET="`$IPV4CALC --network $PRIVATE_IP_TMP/$PRIVATE_CIDR`/$PRIVATE_CIDR"
[ "$PRIVATE_BROADCAST" = "$DYNAMIC_VALUE" ] &&
PRIVATE_BROADCAST="`$IPV4CALC --broadcast
$PRIVATE_IP_TMP/$PRIVATE_CIDR`/$PRIVATE_CIDR"
trace " + private interface: $PRIVATE_IF"
trace " + private IP: $PRIVATE_IP"
trace " + private network: $PRIVATE_NET"
trace " + private broadcast: $PRIVATE_BROADCAST"
trace "set_private_vars: begin"
} # end of function set_private_vars
# --------------------------------------------------------------------
# --------------------------------------------------------------------
usage() {
cat <<EOF
Usage: $PROG_NAME start <target> [ <interface> <ip> ]
$PROG_NAME stop <target>
$PROG_NAME status
$PROG_NAME help
<target> specify which part to control [main|private|dmz|public|log]
<interface> the public interface (that connects to the internet/ISP)
<ip> the public IP address (assigned by the ISP)
The two arguments <interface> and <ip> are only needed
for the <internet> and <dmz> targets with the <start> command.
The 'log' target logs all dropped packets.
EOF
} # end of function usage
# --------------------------------------------------------------------
# --------------------------------------------------------------------
trace() {
[ "$TRACE" = "on" ] && $ECHO "$*" >> $FD_TRACE
} # end of function trace
# --------------------------------------------------------------------
# --------------------------------------------------------------------
debug() {
[ "$DEBUG_CMD" = "on" ] && $ECHO "$*" >> $FD_DEBUG
} # end of function debug
# --------------------------------------------------------------------
# --------------------------------------------------------------------
error() {
$ECHO "Error: $*" >> $FD_ERROR
} # end of function error
# --------------------------------------------------------------------
# --------------------------------------------------------------------
missing_variable() {
case $# in
1)
error "Variable $1 is undefined."
;;
2)
error "Variable $1 is undefined (use option '$2')."
;;
*)
error "Variable $1 is undefined & unknown option."
esac
exit $ERR_INIT
} # end of function missing_variable
# --------------------------------------------------------------------
while [ $# -gt 0 ]; do
FW_CMD="$1"
shift_n=1
trace "main loop: cmd=$FW_CMD"
case "$FW_CMD" in
help)
usage
exit $ERR_NO_ERROR
;;
start)
if [ $# -lt 2 ]; then
error "missing arguments for 'start' command"
usage
exit $ERR_INIT
fi
FW_TARGET="$2"
shift_n=2
trace "main loop: start: target=$FW_TARGET"
case "$FW_TARGET" in
dmz)
echo "UNUSED, YET..."
# ctrl_dmz $FW_CMD $INTERNAL_INTERFACE $DMZ_IF
;;
main)
ctrl_main $FW_CMD $INTERNAL_INTERFACE
;;
open)
$IPTABLES -F
$IPTABLES -Z
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
;;
private)
ctrl_private $FW_CMD $INTERNAL_INTERFACE
;;
public)
if [ $# -lt 4 ]; then
error "missing arguments for 'start public' command"
usage
exit $ERR_INIT
fi
PUBLIC_IF="$3"
PUBLIC_IP="$4"
shift_n=4
ctrl_public $FW_CMD $INTERNAL_INTERFACE $PUBLIC_IF $PUBLIC_IP
;;
*)
error "Unknown target '$FW_TARGET'"
usage
exit $ERR_INIT
;;
esac
;;
status)
trace "....'status' command"
$IPTABLES -L -v -n
exit $ERR_NO_ERROR
;;
stop)
trace "....'stop' command"
if [ $# -lt 2 ]; then
error "missing arguments for 'stop' command"
usage
exit $ERR_INIT
fi
FW_TARGET="$2"
shift_n=2
trace "main loop: stop: target=$FW_TARGET"
case "$FW_TARGET" in
dmz)
echo "UNUSED, YET..."
# ctrl_dmz $FW_CMD $INTERNAL_INTERFACE $DMZ_IF
;;
main)
ctrl_main $FW_CMD $INTERNAL_INTERFACE
;;
private)
ctrl_private $FW_CMD $INTERNAL_INTERFACE
;;
public)
ctrl_public $FW_CMD $INTERNAL_INTERFACE $PUBLIC_IF $PUBLIC_IP
;;
*)
error "Unknown target '$FW_TARGET' for '$FW_CMD' command"
usage
exit $ERR_INIT
;;
esac
;;
*)
error "Unknown command '$FW_CMD'"
usage
exit $ERR_INIT
;;
esac
shift $shift_n
done
exit $ERR_NO_ERROR
**********************************************************************
tom
--
as seen in a signature:
"In an open world without walls and fences,
who needs Gates and windows?"
--
http://www-internal.alphanet.ch/linux-leman/ avant de poser
une question. Ouais, pour se désabonner aussi.
