Firewall Script

Journal IBitOBear's Journal: Firewall Script

Journal by IBitOBear on Thursday June 26, 2008 @08:32PM

#!/bin/bash -e ### BEGIN INIT INFO # Provides: firewall # Required-Start: networking # Required-Stop: networking # Default-Start: S # Default-Stop: 0 6 # Short-Description: Secures interfaces. ### END INIT INFO ################################################################################# # # IPTABLES Firewall v 0.86 # by shadow999@firemail.de # # Small parts from http://members.optusnet.com.au/~technion/ # and some tutorials # # This script is intended to setup a masquerading firewall based on # the IPTABLES (Net)filter-machanism of Linux 2.3.15+ # Syslogging matches fireparse for graphical output (see http://www.fireparse.com) # # Normally this script will work 'out-of-the-box', but you should adapt it to # your own needs (At least you should set the correct default interfaces # --> see Default-Interfaces section) # # Comments, suggestions, etc. are welcome # # Usage on your own risk ;) # # Syntax to invoke script: firewall (start|stop|restart|status) EXTIF INTIF # Example: "firewall start eth1 eth0" # ################################################################################# # # Version History: # # 0.86: Added a few comments # # 0.85: Various re-arrangements # Added TCP-SYN-flood protection # Added separate logging of pingfloods # Added automatic detection of parameters on internal interface # Made flooding-parameters variable # # 0.84: Added special ICMP-Filtering # # 0.83: Added ICMP-logging-chain # Some minor changes # # 0.82: Reorganized parts of the script # Added special user-chains # # 0.80: Altered logging strings to match fireparse # # 0.78: Added many comments # Completed flushing of tables (missing -X) # # 0.75: Added automatic detection of IP-address, gateway, etc of external interface # # 0.7: Added new logging-chains # # 0.65: Added special sanity checks for TCP-Flags # Silently filter out SMB-traffic # Removed unclean-checks (according to some docs still unstable) # # 0.6: Major redesign of whole script, divided into chain-sections # # 0.5: Adopted parts of firewall-script from http://members.optusnet.com.au/~technion/ # Minor changes # # ######################################################################################## # This is the location of the iptables command IPTABLES="/sbin/iptables" case "$1" in stop) echo "Shutting down firewall..." $IPTABLES -F $IPTABLES -F -t mangle $IPTABLES -F -t nat $IPTABLES -X $IPTABLES -X -t mangle $IPTABLES -X -t nat $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT echo "...done" ;; status) echo $"Table: filter" $IPTABLES --list echo $"Table: nat" $IPTABLES -t nat --list echo $"Table: mangle" $IPTABLES -t mangle --list ;; restart|reload) $0 stop $0 start ;; start) echo "Starting Firewall..." echo "" ##--------------------------Begin Firewall---------------------------------## #----Default-Interfaces-----# ## Default external interface (used, if EXTIF isn't specified on command line) DEFAULT_EXTIF="eth1" ## Default internal interface (used, if INTIF isn't specified on command line) DEFAULT_INTIF="eth0" #----Special Variables-----# # IP Mask for all IP addresses UNIVERSE="0.0.0.0/0" # Specification of the high unprivileged IP ports. UNPRIVPORTS="1024:65535" # Specification of X Window System (TCP) ports. XWINPORTS="6000:6063" # Ports for IRC-Connection-Tracking IRCPORTS="6665,6666,6667,6668,1024,1025,1026,1027" #-----Port-Forwarding Variables-----# #For port-forwarding to an internal host, define a variable with the appropriate #internal IP-Address here and take a look at the port-forwarding sections in the FORWARD + #PREROUTING-chain: #These are examples, uncomment to activate #IP for forwarded Battlecom-traffic #BATTLECOMIP="192.168.0.5" #Bittorrent Computer BITTORRENT=192.168.10.10 BITTPORT=57981 MONOTONE=192.168.10.10 MONOTONEPORT=4691 #Vonage VONAGEIP=192.168.10.6 VONAGEPORTS=10000:20000 #Blizzard Downloader BLIZZARD_DEST=192.168.10.95 BLIZZARD_PORTS=3724,6112,6881:6999 #BLIZZARD_PORTS=3724 #IP for forwarded HTTP-traffic HTTPIP="192.168.10.250" #----Flood Variables-----# # Overall Limit for TCP-SYN-Flood detection TCPSYNLIMIT="5/s" # Burst Limit for TCP-SYN-Flood detection TCPSYNLIMITBURST="10" # Overall Limit for Loggging in Logging-Chains LOGLIMIT="2/s" # Burst Limit for Logging in Logging-Chains LOGLIMITBURST="10" # Overall Limit for Ping-Flood-Detection PINGLIMIT="5/s" # Burst Limit for Ping-Flood-Detection PINGLIMITBURST="10" #----Automatically determine infos about involved interfaces-----# ### External Interface: ## Get external interface from command-line ## If no interface is specified then set $DEFAULT_EXTIF as EXTIF if [ "x$2" != "x" ]; then EXTIF=$2 else EXTIF=$DEFAULT_EXTIF fi echo External Interface: $EXTIF ## Determine external IP EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`" if [ "$EXTIP" = '' ]; then echo "Aborting: Unable to determine the IP-address of $EXTIF !" exit 1 fi echo External IP: $EXTIP ## Determine external gateway EXTGW=`route -n | grep '0.0.0.0' | grep -A 4 UG | awk '{ print $2}'` echo Default GW: $EXTGW echo " --- " ### Internal Interface: ## Get internal interface from command-line ## If no interface is specified then set $DEFAULT_INTIF as INTIF if [ "x$3" != "x" ]; then INTIF=$3 else INTIF=$DEFAULT_INTIF fi echo Internal Interface: $INTIF ## Determine internal IP INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`" if [ "$INTIP" = '' ]; then echo "Aborting: Unable to determine the IP-address of $INTIF !" exit 1 fi echo Internal IP: $INTIP ## Determine internal netmask INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`" echo Internal Netmask: $INTMASK ## Determine network address of the internal network INTLAN=$INTIP'/'23 echo Internal LAN: $INTLAN echo "" #----Load IPTABLES-modules-----# #Insert modules- should be done automatically if needed #If the IRC-modules are available, uncomment them below echo "Loading IPTABLES modules" dmesg -n 1 #Kill copyright display on module load /sbin/modprobe ip_tables /sbin/modprobe iptable_filter /sbin/modprobe ip_conntrack /sbin/modprobe ip_conntrack_ftp /sbin/modprobe ip_nat_ftp /sbin/modprobe ip_conntrack_irc ports=$IRCPORTS /sbin/modprobe ip_nat_irc ports=$IRCPORTS dmesg -n 6 echo " --- " #----Clear/Reset all chains-----# #Clear all IPTABLES-chains #Flush everything, start from scratch $IPTABLES -F $IPTABLES -F -t mangle $IPTABLES -F -t nat $IPTABLES -X $IPTABLES -X -t mangle $IPTABLES -X -t nat #Set default policies to DROP $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP #----Set network sysctl options-----# echo "Setting sysctl options" #Enable forwarding in kernel echo 1 > /proc/sys/net/ipv4/ip_forward #Disabling IP Spoofing attacks. echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter echo 1 > /proc/sys/net/ipv4/conf/${EXTIF}/rp_filter #Don't respond to broadcast pings (Smurf-Amplifier-Protection) echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts #Block source routing echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route #Kill timestamps echo 0 > /proc/sys/net/ipv4/tcp_timestamps #Enable SYN Cookies echo 1 > /proc/sys/net/ipv4/tcp_syncookies #Kill redirects echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects #Enable bad error message protection echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses #Log martians (packets with impossible addresses) echo 1 > /proc/sys/net/ipv4/conf/all/log_martians #Set out local port range echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range #Reduce DoS'ing ability by reducing timeouts echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time echo 1 > /proc/sys/net/ipv4/tcp_window_scaling echo 1 > /proc/sys/net/ipv4/tcp_sack echo 1 > /proc/sys/net/ipv4/tcp_timestamps #Ignore icmp echo (ping) broadcast events echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo " --- " echo "Creating user-chains" #----Create logging chains-----# ##These are the logging-chains. They all have a certain limit of log-entries/sec to prevent log-flooding ##The syslog-entries will be fireparse-compatible (see http://www.fireparse.com) #Invalid packets (not ESTABLISHED,RELATED or NEW) $IPTABLES -N LINVALID $IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=INVALID:1 a=DROP " $IPTABLES -A LINVALID -j DROP #TCP-Packets with one ore more bad flags $IPTABLES -N LBADFLAG $IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=BADFLAG:1 a=DROP " $IPTABLES -A LBADFLAG -j DROP #Logging of connection attempts on special ports (Trojan portscans, special services, etc.) $IPTABLES -N LSPECIALPORT $IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=SPECIALPORT:1 a=DROP " $IPTABLES -A LSPECIALPORT -j DROP #Logging of possible TCP-SYN-Floods $IPTABLES -N LSYNFLOOD $IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=SYNFLOOD:1 a=DROP " $IPTABLES -A LSYNFLOOD -j DROP #Logging of possible Ping-Floods $IPTABLES -N LPINGFLOOD $IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=PINGFLOOD:1 a=DROP " $IPTABLES -A LPINGFLOOD -j DROP #All other dropped packets $IPTABLES -N LDROP $IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=TCP:1 a=DROP " $IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=UDP:2 a=DROP " $IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=ICMP:3 a=DROP " $IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=FRAGMENT:4 a=DROP " $IPTABLES -A LDROP -j DROP #All other rejected packets $IPTABLES -N LREJECT $IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=TCP:1 a=REJECT " $IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=UDP:2 a=REJECT " $IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=ICMP:3 a=REJECT " $IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=FRAGMENT:4 a=REJECT " $IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset $IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable $IPTABLES -A LREJECT -j REJECT #----Create Accept-Chains-----# #TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in $IPTABLES -N TCPACCEPT $IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT $IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD $IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT #----Create special User-Chains-----# #CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan) $IPTABLES -N CHECKBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG #FILTERING FOR SPECIAL PORTS #Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs) #SMB-Traffic $IPTABLES -N SMB $IPTABLES -A SMB -p tcp --dport 137 -j DROP $IPTABLES -A SMB -p tcp --dport 138 -j DROP $IPTABLES -A SMB -p tcp --dport 139 -j DROP $IPTABLES -A SMB -p tcp --dport 445 -j DROP $IPTABLES -A SMB -p udp --dport 137 -j DROP $IPTABLES -A SMB -p udp --dport 138 -j DROP $IPTABLES -A SMB -p udp --dport 139 -j DROP $IPTABLES -A SMB -p udp --dport 445 -j DROP $IPTABLES -A SMB -p tcp --sport 137 -j DROP $IPTABLES -A SMB -p tcp --sport 138 -j DROP $IPTABLES -A SMB -p tcp --sport 139 -j DROP $IPTABLES -A SMB -p tcp --sport 445 -j DROP $IPTABLES -A SMB -p udp --sport 137 -j DROP $IPTABLES -A SMB -p udp --sport 138 -j DROP $IPTABLES -A SMB -p udp --sport 139 -j DROP $IPTABLES -A SMB -p udp --sport 445 -j DROP #Inbound Special Ports $IPTABLES -N SPECIALPORTS #Deepthroat Scan $IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j LSPECIALPORT #Subseven Scan $IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT $IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT $IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT $IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT $IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT #Netbus Scan $IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT $IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT #Back Orifice scan $IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT #X-Win $IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j LSPECIALPORT #Hack'a'Tack 2000 $IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT #ICMP/TRACEROUTE FILTERING #Inbound ICMP/Traceroute $IPTABLES -N ICMPINBOUND #Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT # $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD #Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled) $IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP #Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled) $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP #Block ICMP-address-mask (can help to prevent OS-fingerprinting) $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP #Allow all other ICMP in $IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT #Outbound ICMP/Traceroute $IPTABLES -N ICMPOUTBOUND #Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled) $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP #Block ICMP-TTL-Expired #MS Traceroute (MS uses ICMP instead of UDp for tracert) $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP #Block ICMP-Parameter-Problem $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP #Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled) $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP #Block ICMP-address-mask (can help to prevent OS-fingerprinting) $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP ##Accept all other ICMP going out $IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT ######## # Throttle SSH connections by host # to prevent brute force attacks ######## $IPTABLES --new-chain SSHTHROTTLE $IPTABLES --flush SSHTHROTTLE $IPTABLES --append SSHTHROTTLE --match recent --name ssh_throttle --seconds $(( 3600 * 18)) --update -j DROP $IPTABLES --append SSHTHROTTLE --match limit --limit 3/hour -j RETURN $IPTABLES --append SSHTHROTTLE --match recent --name ssh_throttle --set -j DROP #----End User-Chains-----# echo " --- " #----Start Ruleset-----# echo "Implementing firewall rules..." ################# ## INPUT-Chain ## (everything that is addressed to the firewall itself) ################# ##GENERAL Filtering # Kill INVALID packets (not ESTABLISHED, RELATED or NEW) $IPTABLES -A INPUT -m state --state INVALID -j LINVALID # Check TCP-Packets for Bad Flags $IPTABLES -A INPUT -p tcp -j CHECKBADFLAG ##Packets FROM FIREWALL-BOX ITSELF #Local IF $IPTABLES -A INPUT -i lo -j ACCEPT # #Kill connections to the local interface from the outside world (--> Should be already catched by kernel/rp_filter) $IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT ##Packets FROM INTERNAL NET ##Allow unlimited traffic from internal network using legit addresses to firewall-box ##If protection from the internal interface is needed, alter it $IPTABLES -A INPUT -i ! $EXTIF -s $INTLAN -j ACCEPT #Allow Local DHCP Service Nonsense $IPTABLES -I INPUT -i ! $EXTIF -p udp -s 0.0.0.0 -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT #Kill anything from outside claiming to be from internal network (Address-Spoofing --> Should be already catched by rp_filter) $IPTABLES -A INPUT -s $INTLAN -j LREJECT ##Packets FROM EXTERNAL NET ## DHCP Server on ISP's Site $IPTABLES -I INPUT -i $EXTIF -p udp -s 0.0.0.0 -d 255.255.255.255 --sport 67 --dport 68 -j ACCEPT if [ -f /var/lib/dhcp3/dhclient.${EXTIF}.leases ]; then DHCPSID=$(grep dhcp-server-identifier /var/lib/dhcp3/dhclient.${EXTIF}.leases | tail --lines=1 | sed --expression='s;.* $[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$.*;\1;') echo $IPTABLES -I INPUT -i $EXTIF -p udp --sport 67 --dport 68 --source "$DHCPSID" -j ACCEPT $IPTABLES -I INPUT -i $EXTIF -p udp --sport 67 --dport 68 --source "$DHCPSID" -j ACCEPT fi ##ICMP & Traceroute filtering #Filter ICMP $IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMPINBOUND #Block UDP-Traceroute $IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP ##Silent Drops/Rejects (Things we don't want in our logs) #Drop all SMB-Traffic $IPTABLES -A INPUT -i $EXTIF -j SMB #Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection) $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset ##Public services running ON FIREWALL-BOX (comment out to activate): # ftp-data #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j TCPACCEPT # ftp #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j TCPACCEPT # ssh $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j TCPACCEPT $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 --syn -j SSHTHROTTLE $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 --match state --state NEW -j TCPACCEPT #telnet #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT # smtp #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j TCPACCEPT # DNS $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT $IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT # http # $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT # https #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT # POP-3 #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j TCPACCEPT ##Separate logging of special portscans/connection attempts $IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS ##Allow ESTABLISHED/RELATED connections in $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT $IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT ##Catch all rule $IPTABLES -A INPUT -j LDROP ################## ## Output-Chain ## (everything that comes directly from the Firewall-Box) ################## ##Packets TO FIREWALL-BOX ITSELF #Local IF $IPTABLES -A OUTPUT -o lo -j ACCEPT ##Packets TO INTERNAL NET #Allow unlimited traffic to internal network using legit addresses $IPTABLES -A OUTPUT -o ! $EXTIF -d $INTLAN -j ACCEPT ##Packets TO EXTERNAL NET ##NTP $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport ntp --dport ntp -j ACCEPT ##ICMP & Traceroute $IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND ##Silent Drops/Rejects (Things we don't want in our logs) #SMB $IPTABLES -A OUTPUT -o $EXTIF -j SMB #Ident $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT --reject-with tcp-reset ##Public services running ON FIREWALL-BOX (comment out to activate): # ftp-data #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 20 -j ACCEPT # ftp #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 21 -j ACCEPT # ssh $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 8193 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #telnet #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT # smtp #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT # DNS $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT # http #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT # https #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT # POP-3 #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT # DHCP Server on ISP's Site $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 68 --dport 67 --source 0.0.0.0 --destination 255.255.255.255 -j ACCEPT if [ -f /etc/dhcpc/dhcpcd-${EXTIF}.info ]; then DHCPSID=$(grep DHCPSID /etc/dhcpc/dhcpcd-${EXTIF}.info | awk -F= '{print $2}') $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 68 --dport 67 --destination $DHCPSID -j ACCEPT fi # DHCP Server inside Firewall Box $IPTABLES -A OUTPUT -o ! $EXTIF -p udp --sport 67 --dport 68 -j ACCEPT ##Accept all tcp/udp traffic on unprivileged ports going out $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport $UNPRIVPORTS -j ACCEPT $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport $UNPRIVPORTS -j ACCEPT ##Catch all rule $IPTABLES -A OUTPUT -j LDROP #################### ## FORWARD-Chain ## (everything that passes the firewall) #################### ##GENERAL Filtering # optimal forwarding rates $IPTABLES -A FORWARD -i ! $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -m state --state NEW -j ACCEPT #Kill invalid packets (not ESTABLISHED, RELATED or NEW) $IPTABLES -A FORWARD -m state --state INVALID -j LINVALID # Check TCP-Packets for Bad Flags $IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG # Bad Broadcasting $IPTABLES -A FORWARD -d 255.255.255.255 -j DROP $IPTABLES -A FORWARD -d 192.168.10.0 -j DROP $IPTABLES -A FORWARD -d 192.168.11.0 -j DROP # Spoofing $IPTABLES -A FORWARD -i $EXTIF -s 192.168.10.0/23 -j LDROP ##Silent Drops/Rejects (Things we don't want in our logs) #SMB $IPTABLES -A FORWARD -o $EXTIF -j SMB $IPTABLES -A FORWARD -p tcp -m multiport --destination-ports 137,138,139,445 -j DROP $IPTABLES -A FORWARD -p udp -m multiport --destination-ports 137,138,139,445 -j DROP ##Filtering FROM INTERNAL NET ##Special Drops/Rejects # - To be done - ##Filter for some Trojans communicating to outside # - To be done - ##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING) #HTTP-Forwarding #$IPTABLES -A FORWARD -o $EXTIF -s $HTTPIP -p tcp --sport 80 -j ACCEPT ##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT ##Allow non-external nets to talk to each other, q.v. wireless to wired "internal" networks $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p tcp -m multiport --destination-ports ssh,sunrpc,snmp,snmptrap,631,940,943,946,949 -j ACCEPT $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p udp -m multiport --destination-ports ssh,sunrpc,snmp,snmptrap,631,940,943,946,949 -j ACCEPT $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p tcp -m multiport --destination-ports $UNPRIVPORTS -j ACCEPT $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p udp -m multiport --destination-ports $UNPRIVPORTS -j ACCEPT ##Filtering FROM EXTERNAL NET ##Silent Drops/Rejects (Things we don't want in our logs) #SMB Handled Above #$IPTABLES -A FORWARD -i $EXTIF -j SMB ##Allow replies coming in $IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED -j ACCEPT $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT $IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT $IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state RELATED -j ACCEPT $IPTABLES -A FORWARD -i $EXTIF -m state --state RELATED -j ACCEPT ##Port-Forwarding [inbound] (--> Also see chain PREROUTING) #HTTP-Forwarding $IPTABLES -A FORWARD -i $EXTIF -p tcp -d $HTTPIP --dport 80 -j ACCEPT #Battlecom-Forwarding #$IPTABLES -A FORWARD -p tcp --dport 2300:2400 -i $EXTIF -d $BATTLECOMIP -j ACCEPT #$IPTABLES -A FORWARD -p udp --dport 2300:2400 -i $EXTIF -d $BATTLECOMIP -j ACCEPT #$IPTABLES -A FORWARD -p tcp --dport 47624 -i $EXTIF -d $BATTLECOMIP -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport $BITTPORT -i $EXTIF -d $BITTORRENT -j ACCEPT $IPTABLES -A FORWARD -p udp --dport $BITTPORT -i $EXTIF -d $BITTORRENT -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport $MONOTONEPORT -i $EXTIF -d $MONOTONE -j ACCEPT $IPTABLES -A FORWARD -p udp --dport $VONAGEPORTS -i $EXTIF -d $VONAGEIP -j ACCEPT $IPTABLES -A FORWARD -p tcp --match multiport --destination-ports $BLIZZARD_PORTS -i $EXTIF -d $BLIZZARD_DEST -j ACCEPT $IPTABLES -A FORWARD -i $EXTIF -d $BLIZZARD_DEST -p tcp --match multiport --destination-ports $BLIZZARD_PORTS --match state --state NEW -j ACCEPT ##Catch all rule/Deny every other forwarding $IPTABLES -A FORWARD -j LDROP ################ ## PREROUTING ## ################ ##Port-Forwarding (--> Also see chain FORWARD) ##NTP $IPTABLES -A PREROUTING -t nat -i ! $EXTIF -p udp --destination-port ntp -j REDIRECT ##HTTP $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp -d $EXTIP --dport 80 -j DNAT --to $HTTPIP ##Battlecom #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port 2300:2400 -i $EXTIF -j DNAT --to $BATTLECOMIP #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --destination-port 2300:2400 -i $EXTIF -j DNAT --to $BATTLECOMIP #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port 47624 -i $EXTIF -j DNAT --to $BATTLECOMIP:47624 $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port $BITTPORT -i $EXTIF -j DNAT --to $BITTORRENT:$BITTPORT $IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --destination-port $BITTPORT -i $EXTIF -j DNAT --to $BITTORRENT:$BITTPORT ##Monotone $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port $MONOTONEPORT -i $EXTIF -j DNAT --to $MONOTONE:$MONOTONEPORT ##Vonage $IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --destination-port $VONAGEPORTS -i $EXTIF -j DNAT --to $VONAGEIP ##Blizzard $IPTABLES -t nat -A PREROUTING --destination $EXTIP --in-interface $EXTIF -p tcp --tcp-flags SYN,ACK,FIN,RST SYN --match multiport --destination-ports $BLIZZARD_PORTS -j DNAT --to $BLIZZARD_DEST ################### ## POSTROUTING ## ################### #Masquerade from Internal Net to External Net $IPTABLES -A POSTROUTING -t nat --out-interface $EXTIF -j SNAT --to-source $EXTIP # Initial Shape Classifier # gIive "overhead" packets highest priority $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp -j CLASSIFY --set-class 1:60 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK -m length --length 40:68 -m state --state ESTABLISHED,RELATED -j CLASSIFY --set-class 1:10 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --syn -m length --length 40:68 -j CLASSIFY --set-class 1:10 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j CLASSIFY --set-class 1:10 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j CLASSIFY --set-class 1:10 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL RST -j CLASSIFY --set-class 1:10 #$IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK,RST -j CLASSIFY --set-class 1:10 #$IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK,FIN -j CLASSIFY --set-class 1:10 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL FIN -j CLASSIFY --set-class 1:10 # interactive SSH traffic and UDP gaming $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p udp -j CLASSIFY --set-class 1:20 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF --source $VONAGEIP -p udp -j RETURN $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p udp -j CLASSIFY --set-class 1:30 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --sport ssh -m length --length 40:100 -j CLASSIFY --set-class 1:20 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport ssh -m length --length 40:100 -j CLASSIFY --set-class 1:20 # interactive mail or web traffic $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp -m multiport --dport http,pop2,pop3,imap,https,imaps -j CLASSIFY --set-class 1:30 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp -m multiport --sport http,pop2,pop3,imap,https,imaps -j CLASSIFY --set-class 1:30 # dns lookups $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport domain -j CLASSIFY --set-class 1:30 # ICMP $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p icmp -m length --length 28:1500 -m limit --limit 2/s --limit-burst 5 -j CLASSIFY --set-class 1:40 # bulk traffic $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --sport ssh -m length --length 101: -j CLASSIFY --set-class 1:50 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport ssh -m length --length 101: -j CLASSIFY --set-class 1:50 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --sport 25 -j CLASSIFY --set-class 1:50 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport 6667 -j CLASSIFY --set-class 1:50 ip6tables -P FORWARD DROP #------End Ruleset------# echo "...done" echo "" echo "--> IPTABLES firewall loaded/activated <--" ##--------------------------------End Firewall---------------------------------## ;; *) echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF" exit 1 esac exit 0

This discussion has been archived. No new comments can be posted.

Load All Comments

Search 0 Comments Log In/Create an Account

Comments Filter:

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Journal IBitOBear's Journal: Firewall Script

Firewall Script More Login

Firewall Script

Slashdot Top Deals

Slashdot