Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Firewall Script

IBitOBear (410965) writes | about 6 years ago

User Journal 0

#!/bin/bash -e
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: networking
# Required-Stop: networking
# Default-Start: S
# Default-Stop: 0 6
# Short-Description: Secures interfaces.
### END INIT INFO
#!/bin/bash -e
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    networking
# Required-Stop:     networking
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Secures interfaces.
### END INIT INFO

#################################################################################
#
# IPTABLES Firewall v 0.86
# by shadow999@firemail.de
#
# Small parts from http://members.optusnet.com.au/~technion/
# and some tutorials
#
# This script is intended to setup a masquerading firewall based on
# the IPTABLES (Net)filter-machanism of Linux 2.3.15+
# Syslogging matches fireparse for graphical output (see http://www.fireparse.com)
#
# Normally this script will work 'out-of-the-box', but you should adapt it to
# your own needs (At least you should set the correct default interfaces
# --> see Default-Interfaces section)
#
# Comments, suggestions, etc. are welcome
#
# Usage on your own risk ;)
#
# Syntax to invoke script: firewall (start|stop|restart|status) EXTIF INTIF
# Example: "firewall start eth1 eth0"
#
#################################################################################
#
# Version History:
#
# 0.86: Added a few comments
#
# 0.85: Various re-arrangements
#       Added TCP-SYN-flood protection
#       Added separate logging of pingfloods
#       Added automatic detection of parameters on internal interface
#       Made flooding-parameters variable
#
# 0.84: Added special ICMP-Filtering
#
# 0.83: Added ICMP-logging-chain
#       Some minor changes
#
# 0.82: Reorganized parts of the script
#       Added special user-chains
#
# 0.80: Altered logging strings to match fireparse
#
# 0.78: Added many comments
#       Completed flushing of tables (missing -X)
#
# 0.75: Added automatic detection of IP-address, gateway, etc of external interface
#
# 0.7: Added new logging-chains
#
# 0.65: Added special sanity checks for TCP-Flags
#       Silently filter out SMB-traffic
#       Removed unclean-checks (according to some docs still unstable)
#
# 0.6: Major redesign of whole script, divided into chain-sections
#
# 0.5: Adopted parts of firewall-script from http://members.optusnet.com.au/~technion/
#      Minor changes
#
#
########################################################################################

# This is the location of the iptables command
IPTABLES="/sbin/iptables"

case "$1" in
   stop)
      echo "Shutting down firewall..."
      $IPTABLES -F
      $IPTABLES -F -t mangle
      $IPTABLES -F -t nat
      $IPTABLES -X
      $IPTABLES -X -t mangle
      $IPTABLES -X -t nat

      $IPTABLES -P INPUT ACCEPT
      $IPTABLES -P OUTPUT ACCEPT
      $IPTABLES -P FORWARD ACCEPT
      echo "...done"
      ;;
   status)
      echo $"Table: filter"
      $IPTABLES --list
      echo $"Table: nat"
      $IPTABLES -t nat --list
      echo $"Table: mangle"
      $IPTABLES -t mangle --list
      ;;
   restart|reload)
      $0 stop
      $0 start
      ;;
   start)
    echo "Starting Firewall..."
    echo ""

##--------------------------Begin Firewall---------------------------------##

#----Default-Interfaces-----#

## Default external interface (used, if EXTIF isn't specified on command line)
DEFAULT_EXTIF="eth1"

## Default internal interface (used, if INTIF isn't specified on command line)
DEFAULT_INTIF="eth0"

#----Special Variables-----#

# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
XWINPORTS="6000:6063"

# Ports for IRC-Connection-Tracking
IRCPORTS="6665,6666,6667,6668,1024,1025,1026,1027"

#-----Port-Forwarding Variables-----#

#For port-forwarding to an internal host, define a variable with the appropriate
#internal IP-Address here and take a look at the port-forwarding sections in the FORWARD +
#PREROUTING-chain:

#These are examples, uncomment to activate

#IP for forwarded Battlecom-traffic
#BATTLECOMIP="192.168.0.5"

#Bittorrent Computer
BITTORRENT=192.168.10.10
BITTPORT=57981

MONOTONE=192.168.10.10
MONOTONEPORT=4691

#Vonage
VONAGEIP=192.168.10.6
VONAGEPORTS=10000:20000

#Blizzard Downloader
BLIZZARD_DEST=192.168.10.95
BLIZZARD_PORTS=3724,6112,6881:6999
#BLIZZARD_PORTS=3724

#IP for forwarded HTTP-traffic
HTTPIP="192.168.10.250"

#----Flood Variables-----#

# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"

# Overall Limit for Loggging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"

# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"

#----Automatically determine infos about involved interfaces-----#

### External Interface:

## Get external interface from command-line
## If no interface is specified then set $DEFAULT_EXTIF as EXTIF
if [ "x$2" != "x" ]; then
   EXTIF=$2
else
   EXTIF=$DEFAULT_EXTIF
fi
echo External Interface: $EXTIF

## Determine external IP
EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`"
  if [ "$EXTIP" = '' ]; then
     echo "Aborting: Unable to determine the IP-address of $EXTIF !"
     exit 1
  fi
echo External IP: $EXTIP

## Determine external gateway
EXTGW=`route -n | grep '0.0.0.0' | grep -A 4 UG | awk '{ print $2}'`
echo Default GW: $EXTGW

echo " --- "

### Internal Interface:

## Get internal interface from command-line
## If no interface is specified then set $DEFAULT_INTIF as INTIF
if [ "x$3" != "x" ]; then
   INTIF=$3
else
   INTIF=$DEFAULT_INTIF
fi
echo Internal Interface: $INTIF

## Determine internal IP
INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`"
  if [ "$INTIP" = '' ]; then
     echo "Aborting: Unable to determine the IP-address of $INTIF !"
     exit 1
  fi
echo Internal IP: $INTIP

## Determine internal netmask
INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
echo Internal Netmask: $INTMASK

## Determine network address of the internal network
INTLAN=$INTIP'/'23
echo Internal LAN: $INTLAN

echo ""

#----Load IPTABLES-modules-----#

#Insert modules- should be done automatically if needed

#If the IRC-modules are available, uncomment them below

echo "Loading IPTABLES modules"

dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
/sbin/modprobe ip_nat_irc ports=$IRCPORTS
dmesg -n 6

echo " --- "

#----Clear/Reset all chains-----#

#Clear all IPTABLES-chains

#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#----Set network sysctl options-----#

echo "Setting sysctl options"

#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/${EXTIF}/rp_filter

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Set out local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 1 > /proc/sys/net/ipv4/tcp_sack
echo 1 > /proc/sys/net/ipv4/tcp_timestamps

#Ignore icmp echo (ping) broadcast events
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo " --- "

echo "Creating user-chains"

#----Create logging chains-----#

##These are the logging-chains. They all have a certain limit of log-entries/sec to prevent log-flooding
##The syslog-entries will be fireparse-compatible (see http://www.fireparse.com)

#Invalid packets (not ESTABLISHED,RELATED or NEW)
        $IPTABLES -N LINVALID
        $IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=INVALID:1 a=DROP "
        $IPTABLES -A LINVALID -j DROP

#TCP-Packets with one ore more bad flags
        $IPTABLES -N LBADFLAG
        $IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=BADFLAG:1 a=DROP "
        $IPTABLES -A LBADFLAG -j DROP

#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
        $IPTABLES -N LSPECIALPORT
        $IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=SPECIALPORT:1 a=DROP "
        $IPTABLES -A LSPECIALPORT -j DROP

#Logging of possible TCP-SYN-Floods
        $IPTABLES -N LSYNFLOOD
        $IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=SYNFLOOD:1 a=DROP "
        $IPTABLES -A LSYNFLOOD -j DROP

#Logging of possible Ping-Floods
        $IPTABLES -N LPINGFLOOD
        $IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=PINGFLOOD:1 a=DROP "
        $IPTABLES -A LPINGFLOOD -j DROP

#All other dropped packets
        $IPTABLES -N LDROP
        $IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=TCP:1 a=DROP "
        $IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=UDP:2 a=DROP "
        $IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=ICMP:3 a=DROP "
        $IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=FRAGMENT:4 a=DROP "
        $IPTABLES -A LDROP -j DROP

#All other rejected packets
        $IPTABLES -N LREJECT
        $IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=TCP:1 a=REJECT "
        $IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=UDP:2 a=REJECT "
        $IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=ICMP:3 a=REJECT "
        $IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=FRAGMENT:4 a=REJECT "
        $IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
        $IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
        $IPTABLES -A LREJECT -j REJECT

#----Create Accept-Chains-----#

#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in

        $IPTABLES -N TCPACCEPT
        $IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
        $IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
        $IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

#----Create special User-Chains-----#

#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

        $IPTABLES -N CHECKBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG

#FILTERING FOR SPECIAL PORTS

        #Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)

                #SMB-Traffic
                $IPTABLES -N SMB

                $IPTABLES -A SMB -p tcp --dport 137 -j DROP
                $IPTABLES -A SMB -p tcp --dport 138 -j DROP
                $IPTABLES -A SMB -p tcp --dport 139 -j DROP
                $IPTABLES -A SMB -p tcp --dport 445 -j DROP
                $IPTABLES -A SMB -p udp --dport 137 -j DROP
                $IPTABLES -A SMB -p udp --dport 138 -j DROP
                $IPTABLES -A SMB -p udp --dport 139 -j DROP
                $IPTABLES -A SMB -p udp --dport 445 -j DROP

                $IPTABLES -A SMB -p tcp --sport 137 -j DROP
                $IPTABLES -A SMB -p tcp --sport 138 -j DROP
                $IPTABLES -A SMB -p tcp --sport 139 -j DROP
                $IPTABLES -A SMB -p tcp --sport 445 -j DROP
                $IPTABLES -A SMB -p udp --sport 137 -j DROP
                $IPTABLES -A SMB -p udp --sport 138 -j DROP
                $IPTABLES -A SMB -p udp --sport 139 -j DROP
                $IPTABLES -A SMB -p udp --sport 445 -j DROP

        #Inbound Special Ports

                $IPTABLES -N SPECIALPORTS

                #Deepthroat Scan
                $IPTABLES -A SPECIALPORTS -p  tcp --dport 6670 -j LSPECIALPORT

                #Subseven Scan
                $IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT

                #Netbus Scan
                $IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT

                #Back Orifice scan
                $IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT

                #X-Win
                $IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS  -j LSPECIALPORT

                #Hack'a'Tack 2000
                $IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT

#ICMP/TRACEROUTE FILTERING

        #Inbound ICMP/Traceroute

                $IPTABLES -N ICMPINBOUND

                #Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
                #
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD

                #Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP

                #Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP

                #Block ICMP-address-mask (can help to prevent OS-fingerprinting)
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP

                #Allow all other ICMP in
                $IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT

        #Outbound ICMP/Traceroute

                $IPTABLES -N ICMPOUTBOUND

                #Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP

                #Block ICMP-TTL-Expired
                #MS Traceroute (MS uses ICMP instead of UDp for tracert)
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP

                #Block ICMP-Parameter-Problem
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP

                #Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP

                #Block ICMP-address-mask (can help to prevent OS-fingerprinting)
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP

                ##Accept all other ICMP going out
                $IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT

########
# Throttle SSH connections by host
#    to prevent brute force attacks
########
    $IPTABLES --new-chain SSHTHROTTLE
    $IPTABLES --flush SSHTHROTTLE
    $IPTABLES --append SSHTHROTTLE --match recent --name ssh_throttle --seconds $(( 3600 * 18)) --update -j DROP
    $IPTABLES --append SSHTHROTTLE --match limit --limit 3/hour -j RETURN
    $IPTABLES --append SSHTHROTTLE --match recent --name ssh_throttle --set -j DROP

#----End User-Chains-----#

echo " --- "

#----Start Ruleset-----#

echo "Implementing firewall rules..."

#################
## INPUT-Chain ## (everything that is addressed to the firewall itself)
#################

##GENERAL Filtering

  # Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
  $IPTABLES -A INPUT -m state --state INVALID -j LINVALID

  # Check TCP-Packets for Bad Flags
  $IPTABLES -A INPUT -p tcp -j CHECKBADFLAG

##Packets FROM FIREWALL-BOX ITSELF

  #Local IF
  $IPTABLES -A INPUT -i lo -j ACCEPT
  #
  #Kill connections to the local interface from the outside world (--> Should be already catched by kernel/rp_filter)
  $IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT

##Packets FROM INTERNAL NET

##Allow unlimited traffic from internal network using legit addresses to firewall-box
##If protection from the internal interface is needed, alter it

  $IPTABLES -A INPUT -i ! $EXTIF -s $INTLAN -j ACCEPT

  #Allow Local DHCP Service Nonsense
  $IPTABLES -I INPUT -i ! $EXTIF -p udp -s 0.0.0.0 -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT

  #Kill anything from outside claiming to be from internal network (Address-Spoofing --> Should be already catched by rp_filter)
  $IPTABLES -A INPUT -s $INTLAN -j LREJECT

##Packets FROM EXTERNAL NET

## DHCP Server on ISP's Site
  $IPTABLES -I INPUT -i $EXTIF -p udp -s 0.0.0.0 -d 255.255.255.255 --sport 67 --dport 68 -j ACCEPT
  if [ -f /var/lib/dhcp3/dhclient.${EXTIF}.leases ]; then
        DHCPSID=$(grep dhcp-server-identifier /var/lib/dhcp3/dhclient.${EXTIF}.leases | tail --lines=1 | sed --expression='s;.* \([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\).*;\1;')
        echo $IPTABLES -I INPUT -i $EXTIF -p udp --sport 67 --dport 68 --source "$DHCPSID" -j ACCEPT
        $IPTABLES -I INPUT -i $EXTIF -p udp --sport 67 --dport 68 --source "$DHCPSID" -j ACCEPT
  fi

##ICMP & Traceroute filtering

  #Filter ICMP
  $IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMPINBOUND

  #Block UDP-Traceroute
  $IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP

##Silent Drops/Rejects (Things we don't want in our logs)

  #Drop all SMB-Traffic
  $IPTABLES -A INPUT -i $EXTIF -j SMB

  #Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset

##Public services running ON FIREWALL-BOX (comment out to activate):

  # ftp-data
  #$IPTABLES -A INPUT -i $EXTIF -p tcp  --dport 20 -j TCPACCEPT

  # ftp
  #$IPTABLES -A INPUT -i $EXTIF -p tcp  --dport 21 -j TCPACCEPT

  # ssh
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j TCPACCEPT
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 --syn -j SSHTHROTTLE
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 --match state --state NEW -j TCPACCEPT

  #telnet
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT

  # smtp
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j TCPACCEPT

  # DNS
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT
  $IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT

  # http
  # $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT

  # https
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT

  # POP-3
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j TCPACCEPT

##Separate logging of special portscans/connection attempts

  $IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS

##Allow ESTABLISHED/RELATED connections in

  $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
  $IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT

##Catch all rule
  $IPTABLES -A INPUT -j LDROP

##################
## Output-Chain ## (everything that comes directly from the Firewall-Box)
##################

##Packets TO FIREWALL-BOX ITSELF

  #Local IF
  $IPTABLES -A OUTPUT -o lo -j ACCEPT

##Packets TO INTERNAL NET

  #Allow unlimited traffic to internal network using legit addresses
  $IPTABLES -A OUTPUT -o ! $EXTIF -d $INTLAN -j ACCEPT

##Packets TO EXTERNAL NET

##NTP
  $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport ntp --dport ntp -j ACCEPT

##ICMP & Traceroute

  $IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND

##Silent Drops/Rejects (Things we don't want in our logs)

  #SMB
  $IPTABLES -A OUTPUT -o $EXTIF -j SMB

  #Ident
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT --reject-with tcp-reset

##Public services running ON FIREWALL-BOX (comment out to activate):

  # ftp-data
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp  --sport 20 -j ACCEPT

  # ftp
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp  --sport 21 -j ACCEPT

  # ssh
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 8193 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  #telnet
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT

  # smtp
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

  # DNS
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT
  $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT

  # http
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

  # https
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

  # POP-3
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

  # DHCP Server on ISP's Site
  $IPTABLES -A OUTPUT -o $EXTIF -p udp  --sport 68 --dport 67 --source 0.0.0.0 --destination 255.255.255.255 -j ACCEPT
  if [ -f /etc/dhcpc/dhcpcd-${EXTIF}.info ]; then
        DHCPSID=$(grep DHCPSID /etc/dhcpc/dhcpcd-${EXTIF}.info | awk -F= '{print $2}')
        $IPTABLES -A OUTPUT -o $EXTIF -p udp  --sport 68 --dport 67 --destination $DHCPSID -j ACCEPT
  fi

  # DHCP Server inside Firewall Box
        $IPTABLES -A OUTPUT -o ! $EXTIF -p udp  --sport 67 --dport 68 -j ACCEPT

##Accept all tcp/udp traffic on unprivileged ports going out

  $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport $UNPRIVPORTS -j ACCEPT
  $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport $UNPRIVPORTS -j ACCEPT

##Catch all rule

$IPTABLES -A OUTPUT -j LDROP

####################
## FORWARD-Chain  ## (everything that passes the firewall)
####################

##GENERAL Filtering

  # optimal forwarding rates
  $IPTABLES -A FORWARD -i ! $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -m state --state NEW -j ACCEPT

  #Kill invalid packets (not ESTABLISHED, RELATED or NEW)
  $IPTABLES -A FORWARD -m state --state INVALID -j LINVALID

  # Check TCP-Packets for Bad Flags
  $IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG

  # Bad Broadcasting
  $IPTABLES -A FORWARD -d 255.255.255.255 -j DROP
  $IPTABLES -A FORWARD -d 192.168.10.0 -j DROP
  $IPTABLES -A FORWARD -d 192.168.11.0 -j DROP

  # Spoofing
  $IPTABLES -A FORWARD -i $EXTIF -s 192.168.10.0/23 -j LDROP

  ##Silent Drops/Rejects (Things we don't want in our logs)

   #SMB
   $IPTABLES -A FORWARD -o $EXTIF -j SMB
   $IPTABLES -A FORWARD -p tcp -m multiport --destination-ports 137,138,139,445 -j DROP
   $IPTABLES -A FORWARD -p udp -m multiport --destination-ports 137,138,139,445 -j DROP

##Filtering FROM INTERNAL NET

  ##Special Drops/Rejects
   # - To be done -

  ##Filter for some Trojans communicating to outside
   # - To be done -

  ##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)

   #HTTP-Forwarding
   #$IPTABLES -A FORWARD -o $EXTIF -s $HTTPIP -p tcp --sport 80 -j ACCEPT

  ##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net
  $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
  $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
  $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT

  ##Allow non-external nets to talk to each other, q.v. wireless to wired "internal" networks
  $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p tcp -m multiport --destination-ports ssh,sunrpc,snmp,snmptrap,631,940,943,946,949 -j ACCEPT
  $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p udp -m multiport --destination-ports ssh,sunrpc,snmp,snmptrap,631,940,943,946,949 -j ACCEPT
  $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p tcp -m multiport --destination-ports $UNPRIVPORTS -j ACCEPT
  $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p udp -m multiport --destination-ports $UNPRIVPORTS -j ACCEPT

##Filtering FROM EXTERNAL NET

  ##Silent Drops/Rejects (Things we don't want in our logs)

   #SMB Handled Above
   #$IPTABLES -A FORWARD -i $EXTIF -j SMB

  ##Allow replies coming in
  $IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state RELATED -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -m state --state RELATED -j ACCEPT

##Port-Forwarding [inbound] (--> Also see chain PREROUTING)

  #HTTP-Forwarding
  $IPTABLES -A FORWARD -i $EXTIF -p tcp -d $HTTPIP --dport 80 -j ACCEPT

  #Battlecom-Forwarding
  #$IPTABLES -A FORWARD -p tcp --dport 2300:2400 -i $EXTIF -d $BATTLECOMIP -j ACCEPT
  #$IPTABLES -A FORWARD -p udp --dport 2300:2400 -i $EXTIF -d $BATTLECOMIP -j ACCEPT
  #$IPTABLES -A FORWARD -p tcp --dport 47624 -i $EXTIF -d $BATTLECOMIP -j ACCEPT

  $IPTABLES -A FORWARD -p tcp --dport $BITTPORT -i $EXTIF -d $BITTORRENT -j ACCEPT
  $IPTABLES -A FORWARD -p udp --dport $BITTPORT -i $EXTIF -d $BITTORRENT -j ACCEPT
  $IPTABLES -A FORWARD -p tcp --dport $MONOTONEPORT -i $EXTIF -d $MONOTONE -j ACCEPT

  $IPTABLES -A FORWARD -p udp --dport $VONAGEPORTS -i $EXTIF -d $VONAGEIP -j ACCEPT

  $IPTABLES -A FORWARD -p tcp --match multiport --destination-ports $BLIZZARD_PORTS -i $EXTIF -d $BLIZZARD_DEST -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -d $BLIZZARD_DEST -p tcp --match multiport --destination-ports $BLIZZARD_PORTS --match state --state NEW -j ACCEPT

##Catch all rule/Deny every other forwarding

$IPTABLES -A FORWARD -j LDROP

################
## PREROUTING ##
################

##Port-Forwarding (--> Also see chain FORWARD)

  ##NTP
   $IPTABLES -A PREROUTING -t nat -i ! $EXTIF -p udp --destination-port ntp -j REDIRECT

  ##HTTP
  $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp -d $EXTIP --dport 80 -j DNAT --to $HTTPIP

  ##Battlecom
  #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port 2300:2400 -i $EXTIF -j DNAT --to $BATTLECOMIP
  #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --destination-port 2300:2400 -i $EXTIF -j DNAT --to $BATTLECOMIP
  #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port 47624 -i $EXTIF -j DNAT --to $BATTLECOMIP:47624

  $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port $BITTPORT -i $EXTIF -j DNAT --to $BITTORRENT:$BITTPORT
  $IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --destination-port $BITTPORT -i $EXTIF -j DNAT --to $BITTORRENT:$BITTPORT

  ##Monotone
  $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port $MONOTONEPORT -i $EXTIF -j DNAT --to $MONOTONE:$MONOTONEPORT

  ##Vonage
  $IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --destination-port $VONAGEPORTS -i $EXTIF -j DNAT --to $VONAGEIP

  ##Blizzard
  $IPTABLES -t nat -A PREROUTING --destination   $EXTIP --in-interface   $EXTIF -p tcp --tcp-flags SYN,ACK,FIN,RST SYN --match multiport --destination-ports $BLIZZARD_PORTS -j DNAT --to $BLIZZARD_DEST

###################
##  POSTROUTING  ##
###################

  #Masquerade from Internal Net to External Net
  $IPTABLES -A POSTROUTING -t nat --out-interface $EXTIF -j SNAT --to-source $EXTIP

  # Initial Shape Classifier
  # gIive "overhead" packets highest priority
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp -j CLASSIFY --set-class 1:60
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK -m length --length 40:68 -m state --state ESTABLISHED,RELATED -j CLASSIFY --set-class 1:10
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --syn -m length --length 40:68 -j CLASSIFY --set-class 1:10
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j CLASSIFY --set-class 1:10
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j CLASSIFY --set-class 1:10
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL RST -j CLASSIFY --set-class 1:10
  #$IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK,RST -j CLASSIFY --set-class 1:10
  #$IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK,FIN -j CLASSIFY --set-class 1:10
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL FIN -j CLASSIFY --set-class 1:10
  # interactive SSH traffic and UDP gaming
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p udp -j CLASSIFY --set-class 1:20
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF --source $VONAGEIP -p udp -j RETURN
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p udp -j CLASSIFY --set-class 1:30
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --sport ssh -m length --length 40:100 -j CLASSIFY --set-class 1:20
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport ssh -m length --length 40:100 -j CLASSIFY --set-class 1:20
  # interactive mail or web traffic
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp -m multiport --dport http,pop2,pop3,imap,https,imaps -j CLASSIFY --set-class 1:30
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp -m multiport --sport http,pop2,pop3,imap,https,imaps -j CLASSIFY --set-class 1:30
  # dns lookups
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport domain -j CLASSIFY --set-class 1:30
  # ICMP
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p icmp -m length --length 28:1500 -m limit --limit 2/s --limit-burst 5 -j CLASSIFY --set-class 1:40
  # bulk traffic
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --sport ssh -m length --length 101: -j CLASSIFY --set-class 1:50
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport ssh -m length --length 101: -j CLASSIFY --set-class 1:50
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --sport 25 -j CLASSIFY --set-class 1:50
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport 6667 -j CLASSIFY --set-class 1:50

ip6tables -P FORWARD DROP

#------End Ruleset------#

echo "...done"
echo ""

echo "--> IPTABLES firewall loaded/activated <--"

##--------------------------------End Firewall---------------------------------##

   ;;
   *)
      echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
      exit 1
esac

exit 0

cancel ×

0 comments

Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...