Hi people.. i just " finish " my firewall.. i don't test it, i never run it... it may not work at all... but i spend sooooooooo many hours.. that i want to share it. I accept any suggestions and critics... it's not finished and there is a lot of things that i need to add... but for now, i will do something else, i hate iptables for the next two or three days :)
any suggestions, welcome :) see ya sorry for my english, never study -- Guido Lorenzutti (Peperino Pomuro) emails: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] linux user #206665 - http://counter.li.org
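#!/bin/bash
#version 1.0 (mayor release! uija!)
#
#history:
#  i lost it :)... deal with it.
#to do:
#  see if i don't need to discriminate the ports below 1024
#  depending on the distro check were the script is and scream if it is not on /etc/init.d/
#
#this is a comment, i like comments, read them for help
#
#usage: /etc/init.d/firewall { start | stop | restart | status }
#needs root and a working $IPTABLES; the interface addresses come from ifconfig.

##----------------------------initial config---------------------------------##

#-------------system configuration--------------#
IPTABLES=/sbin/iptables   #path of the iptables
MODULES=no                #yes if your kernel support modules and you need them
                          #to do, i have to add the modules that you need
LOGLEVEL=info             #syslog level for the portscan LOG rules (it was used but never set)

#----------network devices settings-------------#
NETNIC=ppp0               #if you change to ethernet you will start using SNAT
LANNIC=eth1               #the interface connected to your lan

#first IPv4 address of an interface as printed by ifconfig.
#'inet ' (with the space) skips the inet6 lines that newer ifconfig prints,
#the cut strips the "addr:" prefix of the old output format.
nic_ip() {
  ifconfig "$1" | grep 'inet ' | awk '{ print $2 }' | cut -d : -f 2 | head -n 1
}
IPNETNIC=$(nic_ip "$NETNIC")
IPLANNIC=$(nic_ip "$LANNIC")

#-------------/proc sysctl settings-------------#
IP_FORWARD=yes      #to enable ipforward, VERY important
ICMPALLIGNORE=no    #yes to block ALL the pings from everywhere
ICMPBROADCAST=yes   #yes to don't respond to broadcast pings (smurf)
ICMPERRORMESG=yes   #yes to protect against bogus error messages
LOGMARTIANS=yes     #yes to log packets with impossible addresses
IP_SPOOFING=yes     #yes to disable spoofing attacks on ALL interfaces
REDUCEDOS=yes       #reduces the timeouts and the posibility of a DOS
SYNCOOKIES=yes      #yes to enable tcp syn cookies protection
TIMESTAMPS=yes      #yes to enable tcp timestamps protection
SOURCEROUTED=yes    #yes to ignore source routed packets
SENDREDIRECTS=yes   #yes to ignore redirected packets

#------------adsl specific problems-------------#
PPPOE_PMTU=no       #if you have problems with your pppoe connection
PPTP_GRE=no         #if you have problems with your pptp connection

#------------------squid setup------------------#
TRANSPARENT=yes     #yes if you use the squid on transparent mode
SQUIDINSIDE=yes     #yes if you run squid on the device conected to the lan
SQUIDREMOTE=        #the ip of the remote squid box on you lan
SQUIDPORT=3128      #the port where squid listen

##--------------------------hosts and ports config---------------------------##

#----------specific TOTALLY banned IPs----------#
USEHATE=no                    #to start using the next options
MICROSOFT=www.microsoft.com   #sample of a banned host
HATEHOSTS="$MICROSOFT"        #add the banned hosts here

#-------------specific trusted hosts------------#
USETRUST=yes                  #to start using the next options
SICEAR=sicear.dyndns.org      #example of a host to trust
TRUSTED="$SICEAR"             #add the hosts to trust here

#-----------local MAC address friends-----------#
USEMAC=yes                    #to start using the next options
AZRAEL=00:50:BA:86:9F:EC      #example of a mac address to trust
DROOPY=00:50:BA:87:32:34
CEREBRO=00:E0:7D:9F:76:A3
MACFRIENDS="$AZRAEL $CEREBRO" #add the hosts to trust here

#---------------ssh administration--------------#
#still living my life

#-----------------flood variables---------------#
TCPSYNLIMIT="5/s"       # Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"   # Burst Limit for TCP-SYN-Flood detection
LOGLIMIT="2/s"          # Overall Limit for Loggging in Logging-Chains
LOGLIMITBURST="10"      # Burst Limit for Logging in Logging-Chains
PINGLIMIT="5/s"         # Overall Limit for Ping-Flood-Detection
PINGLIMITBURST="10"     # Burst Limit for Ping-Flood-Detection

##---------------------------testing the config------------------------------##
if [ "$UID" != "0" ]; then
  printf '%s\n' " (\___/) " " (=':'=) " " ('']_['') " " " " are you r00t?"
  exit 1
fi

if [ -z "$IPNETNIC" ]; then
  echo "ABORTING: Unable to determine the IP-address of the $NETNIC"
  exit 1
else
  echo "the internet connection is thru the $NETNIC device"
fi

if [ -z "$IPLANNIC" ]; then
  echo "ABORTING: Unable to determine the IP-address of the $LANNIC"
  exit 1
else
  echo "the lan connection is thru the $LANNIC device"
fi

if [ -x "$IPTABLES" ]; then
  echo "the configuration seems to be OK"
else
  echo "ABORTING: $IPTABLES doesn't exist or isn't executable"
  exit 1
fi

##----------------------------modules to load--------------------------------##
if [ "$MODULES" = "yes" ]; then
  echo "loading the needed modules"
  depmod -a
else
  echo "you don't need any modules or your kernel dosen't support them"
fi

##----------------------functions for the firewall---------------------------##

#----------------function running---------------#
#true when the ICMP chain exists, i.e. firewall() already ran (clean removes it).
#listing the chain doesn't create anything, unlike the old "-N ICMP" probe,
#and the check is only done by start so stop/status keep working.
running() {
  "$IPTABLES" -n -L ICMP >/dev/null 2>&1
}

#----------------function closep----------------#
#close everything until we are warm (not called by start, see there)
closep() {
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT DROP
}

#---------------function set_proc---------------#
#write $2 into the /proc file $1. returns 1 and writes nothing when the file
#doesn't exist, so a kernel without that option is skipped instead of aborting
#the script (every write used to be a separate if/-f block).
set_proc() {
  local path=$1
  local value=$2
  if [ -f "$path" ]; then
    echo "$value" > "$path"
    return 0
  fi
  return 1
}

#-----------------function proc-----------------#
#apply the /proc settings selected in the config section
proc() {
  if [ "$IP_FORWARD" = "yes" ]; then
    if set_proc /proc/sys/net/ipv4/ip_forward 1; then
      echo "ip_foward activated"
    fi
  fi

  if [ "$ICMPALLIGNORE" = "yes" ]; then
    if set_proc /proc/sys/net/ipv4/icmp_echo_ignore_all 1; then
      echo "blocking all pings from everywhere"
    fi
  fi

  if [ "$ICMPBROADCAST" = "yes" ]; then
    if set_proc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1; then
      echo "blocking all broadcast pings"
    fi
  fi

  if [ "$ICMPERRORMESG" = "yes" ]; then
    if set_proc /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1; then
      echo "enable error message protection"
    fi
  fi

  if [ "$LOGMARTIANS" = "yes" ]; then
    #the old test looked for "log_martinas", so this was never enabled
    if set_proc /proc/sys/net/ipv4/conf/all/log_martians 1; then
      echo "logging packets with impossible addresses"
    fi
  fi

  if [ "$IP_SPOOFING" = "yes" ]; then
    #kept the value 2; note that on newer kernels 2 is "loose" reverse path
    #filtering and 1 is "strict" -- check which one you want
    if set_proc /proc/sys/net/ipv4/conf/all/rp_filter 2; then
      echo "blocking IP spoofing attacks"
    fi
  fi

  if [ "$REDUCEDOS" = "yes" ]; then
    #"|| true": a missing file is not an error here (set -e is on when start runs)
    set_proc /proc/sys/net/ipv4/tcp_fin_timeout 30 || true
    set_proc /proc/sys/net/ipv4/tcp_keepalive_time 2400 || true
    set_proc /proc/sys/net/ipv4/tcp_window_scaling 0 || true
    set_proc /proc/sys/net/ipv4/tcp_sack 0 || true
  fi

  if [ "$SYNCOOKIES" = "yes" ]; then
    if set_proc /proc/sys/net/ipv4/tcp_syncookies 1; then
      echo "tcp syn cookies protection enabled"
    fi
  fi

  if [ "$TIMESTAMPS" = "yes" ]; then
    if set_proc /proc/sys/net/ipv4/tcp_timestamps 0; then
      echo "tcp timestamps protection enabled"
    fi
  fi

  if [ "$SOURCEROUTED" = "yes" ]; then
    if set_proc /proc/sys/net/ipv4/conf/all/accept_source_route 0; then
      echo "ignore source routed packets"
    fi
  fi

  if [ "$SENDREDIRECTS" = "yes" ]; then
    if set_proc /proc/sys/net/ipv4/conf/all/send_redirects 0; then
      echo "ignore redirected packets"
    fi
  fi
}

#---------------function badflag----------------#
#log (rate limited) and drop tcp packets whose flags $1 have the value $2,
#$3 is the log prefix. used to build the CHECKBADFLAG chain.
#no "-i" here: the caller decides the interface (INPUT sends every tcp packet)
#and the old "-i $INT" used a variable that was never set.
badflag() {
  local mask=$1
  local comp=$2
  local prefix=$3
  "$IPTABLES" -A CHECKBADFLAG -p tcp --tcp-flags "$mask" "$comp" -m limit --limit 3/m --limit-burst 5 -j LOG --log-level "$LOGLEVEL" --log-prefix "$prefix"
  "$IPTABLES" -A CHECKBADFLAG -p tcp --tcp-flags "$mask" "$comp" -j DROP
}

#--------------function blockport---------------#
#log (rate limited) and drop protocol $1 to port(s) $2 with the log prefix $3.
#used to build the BLOCKEDPORTS chain.
blockport() {
  local proto=$1
  local port=$2
  local prefix=$3
  "$IPTABLES" -A BLOCKEDPORTS -p "$proto" --dport "$port" -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "$prefix"
  "$IPTABLES" -A BLOCKEDPORTS -p "$proto" --dport "$port" -j DROP
}

#---------------function firewall---------------#
#build every chain and the rules; expects a clean table (see clean)
firewall() {
  #---------------------logs----------------------#
  "$IPTABLES" -N WATCH   #if i want to log something i allow
  "$IPTABLES" -A WATCH -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-level warn --log-prefix "ACCEPT"
  "$IPTABLES" -A WATCH -j ACCEPT

  "$IPTABLES" -N LDROP   #log everything i drop
  "$IPTABLES" -A LDROP -p tcp -j LOG --log-level info --log-prefix "DROP TCP"
  "$IPTABLES" -A LDROP -p udp -j LOG --log-level info --log-prefix "DROP UDP"
  "$IPTABLES" -A LDROP -p icmp -j LOG --log-level info --log-prefix "DROP ICMP"
  "$IPTABLES" -A LDROP -p gre -j LOG --log-level info --log-prefix "DROP GRE"
  "$IPTABLES" -A LDROP -j DROP

  "$IPTABLES" -N LBADFLAG   #log every badflag (chain name was misspelled in the LOG rule before)
  "$IPTABLES" -A LBADFLAG -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "badflag"
  "$IPTABLES" -A LBADFLAG -j DROP

  "$IPTABLES" -N LINVALID   #invalid packets (not ESTABLISHED,RELATED or NEW)
  "$IPTABLES" -A LINVALID -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "invalid"
  "$IPTABLES" -A LINVALID -j DROP

  "$IPTABLES" -N LPINGFLOOD   #block ping floods
  "$IPTABLES" -A LPINGFLOOD -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "pingflood"
  "$IPTABLES" -A LPINGFLOOD -j DROP

  #-------------------icmp stuff------------------#
  "$IPTABLES" -N ICMP   #icmp chain
  "$IPTABLES" -A ICMP -p icmp --icmp-type echo-reply -m limit --limit "$PINGLIMIT" --limit-burst "$PINGLIMITBURST" -j ACCEPT
  "$IPTABLES" -A ICMP -p icmp --icmp-type echo-reply -j LPINGFLOOD
  "$IPTABLES" -A ICMP -p icmp --icmp-type port-unreachable -m limit --limit "$PINGLIMIT" --limit-burst "$PINGLIMITBURST" -j ACCEPT
  "$IPTABLES" -A ICMP -p icmp --icmp-type port-unreachable -j LPINGFLOOD

  local icmpwatch="destination-unreachable network-unreachable host-unreachable protocol-unreachable source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited echo-request time-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing"
  local icmpldrop="fragmentation-needed host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect router-advertisement router-solicitation timestamp-request timestamp-reply address-mask-request address-mask-reply"
  local i
  for i in $icmpwatch; do
    "$IPTABLES" -A ICMP -p icmp --icmp-type "$i" -j WATCH
  done
  for i in $icmpldrop; do
    "$IPTABLES" -A ICMP -p icmp --icmp-type "$i" -j LDROP
  done
  "$IPTABLES" -A ICMP -p icmp -j LDROP

  #---------logging portscanning attacks----------#
  "$IPTABLES" -N CHECKBADFLAG   #Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations
  badflag ALL FIN,URG,PSH "DROP Nmap XMAS Scan:"
  badflag SYN,RST SYN,RST "DROP SYN RST Scan:"
  badflag SYN,FIN SYN,FIN "DROP SYN FIN Scan:"
  badflag ALL FIN "DROP Nmap Stealth FYN Scan: "
  badflag ALL ALL "DROP ALL/ALL Scan: "
  badflag ALL NONE "DROP Nmap Stealth Null Scan: "

  #--------------log bloqued ports----------------#
  "$IPTABLES" -N BLOCKEDPORTS   #Kill any TCP/UDP-Packets for the selected ports
  blockport tcp 6670 "DROP deepthroat trojan:"
  blockport udp 31337:31338 "DROP back orifice trojan:"
  blockport udp 28431 "DROP hack'a'tack trojan:"
  blockport tcp 6000:6063 "DROP Xs ports:"
  blockport tcp 12345:12346 "DROP netbus trojan:"
  blockport tcp 20034 "DROP netbus trojan:"
  blockport tcp 1243 "DROP subseven trojan:"
  blockport udp 1243 "DROP subseven trojan:"
  blockport tcp 27374 "DROP subseven trojan:"
  blockport udp 27374 "DROP subseven trojan:"
  blockport tcp 6711:6713 "DROP subseven trojan:"

  #------------drop ports without log-------------#
  local proto port
  for proto in tcp udp; do
    for port in 137 138 139 445; do   #samba
      "$IPTABLES" -A BLOCKEDPORTS -p "$proto" --dport "$port" -j DROP
    done
  done

  #------------------INPUT chain------------------#
  "$IPTABLES" -A INPUT -i lo -j ACCEPT   #i trust in my lookback

  if [ "$PPTP_GRE" = "yes" ]; then
    #"-d $NETNIC" was an interface name where an address is expected; match the interface
    "$IPTABLES" -A INPUT -i "$NETNIC" -p gre -j ACCEPT
  fi

  if [ "$USEMAC" = "yes" ]; then
    for i in $MACFRIENDS; do
      "$IPTABLES" -A INPUT -m mac --mac-source "$i" -j ACCEPT
    done
  fi

  if [ "$USETRUST" = "yes" ]; then
    for i in $TRUSTED; do
      "$IPTABLES" -A INPUT -s "$i" -j ACCEPT
    done
  fi

  if [ "$USEHATE" = "yes" ]; then
    for i in $HATEHOSTS; do
      "$IPTABLES" -A INPUT -s "$i" -j DROP
    done
  fi

  "$IPTABLES" -A INPUT -p icmp -j ICMP
  "$IPTABLES" -A INPUT -m state --state INVALID -j LINVALID
  "$IPTABLES" -A INPUT -p tcp -j CHECKBADFLAG
  #i only care about the internet, my lan is friendly
  "$IPTABLES" -A INPUT -i "$NETNIC" -j BLOCKEDPORTS
  #this enable to use ftp an irc, remove the related to more security
  "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -i "$NETNIC" -j ACCEPT
  "$IPTABLES" -A INPUT -i "$LANNIC" -j ACCEPT
  #accept a given service on the firewall itself (put it BEFORE the catch-all below)
  #"$IPTABLES" -A INPUT -i ppp0 -p tcp --dport PORT -j ACCEPT
  #catch-all: the policies are ACCEPT (clean sets them, closep is not called),
  #so without this everything else coming from the internet was accepted
  "$IPTABLES" -A INPUT -i "$NETNIC" -j LDROP

  #----------------forward chain------------------#
  "$IPTABLES" -A FORWARD -m state --state INVALID -j LINVALID
  "$IPTABLES" -A FORWARD -o "$NETNIC" -j BLOCKEDPORTS
  "$IPTABLES" -A FORWARD -i "$NETNIC" -j BLOCKEDPORTS
  #this should allow fowarding from internal network to the outside... not tested
  #"$IPTABLES" -A FORWARD -i $LANNIC -o $NETNIC -s LANIP -p tcp --sport PORT -j ACCEPT
  #"$IPTABLES" -A FORWARD -i $LANNIC -o $NETNIC -s LANIP -p udp --sport PORT -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$NETNIC" -m state --state ESTABLISHED -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$NETNIC" -p icmp -m state --state RELATED -j ACCEPT
  #catch-all for the internet side, same reason as in INPUT. lan -> internet
  #is still allowed by the ACCEPT policy. a DNATed service (see prerouting)
  #needs its own ACCEPT rule before this one.
  "$IPTABLES" -A FORWARD -i "$NETNIC" -j LDROP

  #-----------------output chain------------------#
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$NETNIC" -j BLOCKEDPORTS

  #------------------prerouting-------------------#
  if [ "$TRANSPARENT" = "yes" ]; then
    if [ "$SQUIDINSIDE" = "yes" ]; then
      "$IPTABLES" -t nat -A PREROUTING -i "$LANNIC" -p tcp --dport 80 -j REDIRECT --to-port "$SQUIDPORT"
      echo "SQUID in transparent mode Enabled to $LANNIC"
    else
      "$IPTABLES" -t nat -A PREROUTING -i "$LANNIC" -p tcp --dport 80 -j DNAT --to "$SQUIDREMOTE:$SQUIDPORT"
      echo "SQUID in transparent mode Enabled to $SQUIDREMOTE"
    fi
  fi
  #DNAT the icq ports to a given host, FIX THIS
  #"$IPTABLES" -t nat -A PREROUTING -i ppp0 -p tcp --dport 20000 -j DNAT --to 192.168.1.36
  #forward services to some server on the lan
  #"$IPTABLES" -t nat -A PREROUTING -i ppp0 -p tcp --dport 22 -j DNAT --to 192.168.1.36:22

  #-----------------postrouting-------------------#
  if [ "$PPPOE_PMTU" = "yes" ]; then
    "$IPTABLES" -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  fi

  if [ "$NETNIC" = "ppp0" ]; then
    #no "-p tcp" here: udp (dns!) and icmp from the lan must be masqueraded too,
    #the SNAT branch below never restricted the protocol either
    "$IPTABLES" -t nat -A POSTROUTING -o "$NETNIC" -j MASQUERADE
  else
    "$IPTABLES" -t nat -A POSTROUTING -o "$NETNIC" -j SNAT --to-source "$IPNETNIC"
  fi
}

#----------------function clean-----------------#
#flush and delete every chain and open the policies
clean() {
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -Z
  "$IPTABLES" -F -t nat
  "$IPTABLES" -X -t nat
  #"$IPTABLES" -F -t mangle
  #"$IPTABLES" -X -t mangle
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
}

#----------------function start-----------------#
#refuse to run twice (the rules would be duplicated), then build everything
start() {
  if running; then
    echo
    echo "you should stop the firewall before start it again"
    echo "/etc/init.d/firewall stop"
    echo
    exit 1
  fi
  #closep   #would also close OUTPUT, which has no ACCEPT rules yet
  proc
  clean
  firewall
}

#-----------------function stop-----------------#
stop() {
  clean
}

##----------------------start | stop | restart | status-----------------------#
set -e

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    #"stop start" used to be two unknown commands; now real functions
    stop
    start
    ;;
  status)
    echo ""
    echo "#################"
    echo "#the filter table"
    echo ""
    "$IPTABLES" -L -v
    echo ""
    echo "##############"
    echo "#the NAT table"
    echo ""
    "$IPTABLES" -t nat -L -v
    echo ""
    echo "#################"
    echo "#the Mangle table"
    echo ""
    "$IPTABLES" -t mangle -L -v
    ;;
  *)
    echo "Usage: /etc/init.d/firewall { start | stop | restart | status }"
    exit 1
    ;;
esac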