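#!/bin/bash
#
# http://tnt.aufbix.org/ Linux firewall script (iptables, IPv4).
#
# Builds a stateful INPUT/FORWARD/OUTPUT ruleset with DROP policies, a
# rate-limited SSH chain for trusted hosts, LOG+DROP rules for malformed
# TCP-flag combinations and fragments, per-source rate-limited ICMP, and
# SNAT of the LAN towards the Internet interface.  Edit the CONFIGURATION
# section before running.
#
# Must run as root.  The policies are set to DROP before the allow rules
# are appended, so an iptables call that fails leaves the host fail-closed
# (existing connections survive through the ESTABLISHED,RELATED rule).
# Failed calls are reported on stderr by the ERR trap but do not abort the
# script, so the remaining rules are still loaded.
#
# Usage: firewall.sh    (no arguments)

set -Eu

# Report any failing command with its line; -E makes the trap apply inside
# functions as well.  We deliberately do not use -e (see header).
trap 'printf "%s: command failed at line %s: %s\n" "${0##*/}" "$LINENO" "$BASH_COMMAND" >&2' ERR

TNX_IDIOT="yes"   # unused; kept from the original header

############################## CONFIGURATION ##############################

# path to iptables and iproute2 binaries ($IP is not used by the rules
# below; it is provided for local additions)
IPTB="/sbin/iptables"
IP="/sbin/ip"

# name of our Internet and intranet interfaces
# use INTRANET="eth1+" or INTERNET="eth0+"
# if you have more ifaces (example: eth0:0) towards Intranet/Internet
#
# WAN interface
INTERNET="eth0"
# ADSL - INTERNET="ppp0"
#
# LAN interface
INTRANET="eth1"

# what IPs are used in intranet
LAN="192.168.6.0/24"

# what is our static IP (if we have one); used as the SNAT source.
# The script refuses to run until this is set to a real IPv4 address.
GW_IP="X.X.X.X"

# what TCP ports/services we allow from Internet
# use " " as delimiter (one INPUT rule per port)
TCP_PORTS="25 53 80"

# what UDP ports/services we allow from Internet
# use "," as delimiter (single multiport rule)
UDP_PORTS="53,123"

# which TCP ports we forward into our intranet (see the commented
# port-forwarding block below)
# use "," as delimiter
FWD_TCP_PORTS="1214,6346"

# set to 1 if you have an intranet: written to ip_forward at the end
WE_HAVE_INTRANET="0"

# hosts/networks allowed to reach SSH (22) and HTTP (80) without rate limit
# use " " as delimiter
TRUSTED_HOSTS="193.77.1.1/32 \
212.93.224.0/19 \
212.18.32.0/24"

# rate limit applied to every LOG rule so that a scan cannot flood syslog
# (same mechanism the INVALID-state LOG rule already used)
LOG_LIMIT=(-m limit --limit 3/minute --limit-burst 10)

########################### END OF CONFIGURATION ##########################

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

#######################################
# Print the banner, quote and the packet-path diagram.
# Globals:  none (reads $0)
# Outputs:  banner on stdout
#######################################
print_banner() {
  cat <<EOF
*************
* Running $0
*************
* http://tnt.aufbix.org/ linux firewall script

It was sad music. But it waved its sadness like a battle flag.
 It said the universe had done all it could, but you were still alive.

 Discworld
 how iptables work in linux kernel

>-[prerouting]-> + >-[forward]-> + >-[postrouting]->
                 |               |
              [input]      >--->[output]
EOF
}

#######################################
# Sanity-check the environment and configuration before any existing
# ruleset is flushed, so a misconfigured run does not leave the host
# half-configured.
# Globals:  IPTB, GW_IP (read)
# Returns:  0, or exits via die
#######################################
check_config() {
  (( EUID == 0 )) || die "must be run as root"
  [[ -x "$IPTB" ]] || die "iptables not found at $IPTB"
  # The placeholder X.X.X.X would make the SNAT rule fail and leave the
  # LAN without NAT; insist on a dotted-quad value.
  [[ "$GW_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] \
    || die "GW_IP must be set to a valid IPv4 address (currently '$GW_IP')"
  [[ -w /proc/sys/net/ipv4/ip_forward ]] || die "/proc/sys/net/ipv4/ip_forward is not writable"
}

#######################################
# Log (rate-limited) and drop TCP packets whose flags match.
# Arguments: $1 - flag mask, $2 - flags that must be set, $3 - log prefix
# Globals:   IPTB, LOG_LIMIT (read)
#######################################
drop_tcp_flags() {
  local mask=$1 comp=$2 prefix=$3
  "$IPTB" -A INPUT -p tcp --tcp-flags "$mask" "$comp" "${LOG_LIMIT[@]}" -j LOG --log-prefix "$prefix"
  "$IPTB" -A INPUT -p tcp --tcp-flags "$mask" "$comp" -j DROP
}

#######################################
# Accept one ICMP type, rate-limited per source IP.
# Arguments: $1 - ICMP type number, $2 - hashlimit table name
# Globals:   IPTB (read)
#######################################
accept_icmp() {
  local type=$1 name=$2
  "$IPTB" -A INPUT -p icmp --icmp-type "$type" -m hashlimit --hashlimit 10/second \
    --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name "$name" -j ACCEPT
}

#######################################
# Flush the filter and nat tables and (re)create our user chains.
# Globals:  IPTB (read)
#######################################
reset_tables() {
  # -F with no chain flushes every chain of the filter table; -X removes
  # the user-defined chains so -N below cannot fail on a re-run.
  "$IPTB" -F
  "$IPTB" -X
  "$IPTB" -t nat -F

  # new chains for SSH and HTTP access
  "$IPTB" -N ssh-access
  "$IPTB" -N http-access

  # port redirection (transparent proxy)
  # redirect all outgoing traffic that is NOT for the GW to local (GW) ports
  # DNS (53/tcp and 53/udp) and SMTP (25/tcp)
  #"$IPTB" -t nat -A PREROUTING ! -i "$INTERNET" -p tcp -s "$LAN" ! -d "$LAN" --dport 53 -j REDIRECT
  #"$IPTB" -t nat -A PREROUTING ! -i "$INTERNET" -p udp -s "$LAN" ! -d "$LAN" --dport 53 -j REDIRECT
  #"$IPTB" -t nat -A PREROUTING ! -i "$INTERNET" -p tcp -s "$LAN" ! -d "$LAN" --dport 25 -j REDIRECT --to-ports 25
}

#######################################
# Build the INPUT chain and the ssh-access / http-access chains.
# Globals:  IPTB, INTERNET, INTRANET, TCP_PORTS, UDP_PORTS, TRUSTED_HOSTS,
#           LOG_LIMIT (read)
#######################################
setup_input() {
  local -a trusted_hosts tcp_ports
  local host port
  # split the space/newline-delimited config strings into arrays
  read -r -d '' -a trusted_hosts <<<"$TRUSTED_HOSTS" || true
  read -r -a tcp_ports <<<"$TCP_PORTS"

  "$IPTB" -P INPUT DROP

  # stateful firewall makes most hits
  "$IPTB" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # move all SSH and HTTP connection attempts to the appropriate chains
  "$IPTB" -A INPUT -p tcp --syn -m state --state NEW --dport 22 -j ssh-access
  "$IPTB" -A INPUT -p tcp --syn -m state --state NEW --dport 80 -j http-access

  # ssh chain: trusted hosts first, then everyone else limited to
  # 1 new connection per minute PER source IP (useful against ssh scanners
  # if you MUST open SSH for every IP), then DROP
  for host in "${trusted_hosts[@]}"; do
    "$IPTB" -A ssh-access -s "$host" -j ACCEPT
  done
  "$IPTB" -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 \
    --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
  "$IPTB" -A ssh-access -j DROP

  # http chain: trusted hosts are accepted here.  NOTE: the chain has no
  # final verdict, so other sources fall back into INPUT and are accepted
  # by the TCP_PORTS loop below whenever 80 is listed there.
  for host in "${trusted_hosts[@]}"; do
    "$IPTB" -A http-access -s "$host" -j ACCEPT
  done

  # IPSEC
  #"$IPTB" -A INPUT -i "$INTERNET" -p udp --sport 500 --dport 500 -j ACCEPT
  #"$IPTB" -A INPUT -i "$INTERNET" -p 50 -j ACCEPT
  #"$IPTB" -A INPUT -i "$INTERNET" -p 51 -j ACCEPT

  # we allow all traffic from $INTRANET and the loopback interface
  "$IPTB" -A INPUT -i "$INTRANET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPTB" -A INPUT -i lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  # packets conntrack cannot classify
  "$IPTB" -A INPUT -m state --state INVALID -m limit --limit 1/minute -j LOG --log-prefix "packet not in conntrack> "
  "$IPTB" -A INPUT -m state --state INVALID -j DROP

  "$IPTB" -A INPUT -i "$INTERNET" -m pkttype --pkt-type broadcast -j DROP
  "$IPTB" -A INPUT -i "$INTERNET" -m pkttype --pkt-type multicast -j DROP

  # bogus flag combinations (FIN/PSH/URG without ACK)
  drop_tcp_flags ACK,FIN FIN "FIN> "
  drop_tcp_flags ACK,PSH PSH "PSH> "
  drop_tcp_flags ACK,URG URG "URG> "

  # portscan signatures
  drop_tcp_flags ALL ALL "XMAS scan> "                       # all flags set
  drop_tcp_flags ALL NONE "NULL scan> "                      # no flag set
  drop_tcp_flags ALL SYN,RST,ACK,FIN,URG "pscan> "
  drop_tcp_flags SYN,FIN SYN,FIN "pscan 2> "                 # SYN and FIN both set
  drop_tcp_flags FIN,RST FIN,RST "fin/rts flag>"             # FIN and RST both set

  # fragments: we never expect them, and they would bypass the port and
  # flag checks below
  "$IPTB" -A INPUT -f "${LOG_LIMIT[@]}" -j LOG --log-prefix "Lost FRAGMENT> "
  "$IPTB" -A INPUT -f -j DROP

  drop_tcp_flags ALL SYN,FIN "SYNFIN-SCAN>"
  drop_tcp_flags ALL URG,PSH,FIN "NMAP-XMAS-SCAN>"
  drop_tcp_flags ALL FIN "FIN-SCAN>"
  drop_tcp_flags ALL URG,PSH,SYN,FIN "NMAP-ID>"
  drop_tcp_flags SYN,RST SYN,RST "SYN-RST> "                 # SYN and RST both set

  # what we allow from Internet - TCP ports
  for port in "${tcp_ports[@]}"; do
    "$IPTB" -A INPUT -p tcp --syn -m state --state NEW --dport "$port" -j ACCEPT
  done

  # what we allow from Internet - UDP ports (multiport takes --dports)
  "$IPTB" -A INPUT -p udp -m multiport --dports "$UDP_PORTS" -j ACCEPT

  # identd requests: answer with a reset instead of a silent timeout
  "$IPTB" -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

  # traceroute (udp - IOS, Uni*es)
  "$IPTB" -A INPUT -p udp -m limit --limit 3/second --sport 32769:65535 --dport 33434:33523 -j ACCEPT

  # Log and drop fragmented ICMP (should not happen at all, but often used
  # for DoS).  Only reachable if the generic fragment DROP above is removed.
  "$IPTB" -A INPUT -i "$INTERNET" --fragment -p icmp "${LOG_LIMIT[@]}" -j LOG --log-prefix "Fragmented incoming ICMP> "
  "$IPTB" -A INPUT -i "$INTERNET" --fragment -p icmp -j DROP

  # thou shall NOT block ALL ICMP, but only allow useful ICMP types to pass
  # through, each rate-limited per source IP
  #accept_icmp 0 icmp0      # echo-reply
  accept_icmp 3 icmp3       # destination unreachable
  #accept_icmp 4 icmp4      # source-quench (deprecated)
  accept_icmp 11 icmp11     # time exceeded (forward loop prevention)
  accept_icmp 12 icmp12     # parameter problem
  accept_icmp 30 icmp30     # icmp-traceroute
  accept_icmp 8 icmp8       # echo-request

  # if the default policy is not DROP then we must use this
  #"$IPTB" -A INPUT -p icmp -j DROP
}

#######################################
# Build the FORWARD chain and nat POSTROUTING.
# Globals:  IPTB, INTERNET, LAN, GW_IP (read)
#######################################
setup_forward() {
  "$IPTB" -P FORWARD DROP

  # port forwarding
  #"$IPTB" -A FORWARD -p tcp -i "$INTERNET" -m multiport --dports "$FWD_TCP_PORTS" -j ACCEPT
  # START / port forwarding
  # list forwarded ports in separate command lines
  #"$IPTB" -t nat -A PREROUTING -p tcp -i "$INTERNET" --dport 1214 -j DNAT --to 192.168.1.10
  #"$IPTB" -t nat -A PREROUTING -p tcp -i "$INTERNET" --dport 6346 -j DNAT --to 192.168.1.10
  # END / port forwarding

  # stateful firewall
  #"$IPTB" -A FORWARD -m state --state INVALID -j LOG --log-prefix "INVALID: "
  "$IPTB" -A FORWARD -m state --state INVALID -j DROP
  "$IPTB" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # new connections may only be initiated from the inside
  "$IPTB" -A FORWARD -m state --state NEW ! -i "$INTERNET" -j ACCEPT
  "$IPTB" -A FORWARD -m pkttype --pkt-type broadcast -j DROP
  "$IPTB" -A FORWARD -m pkttype --pkt-type multicast -j DROP

  # NAT (IP masquerading)
  #"$IPTB" -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
  # NAT to a fixed IP (if we have multiple Internet IPs)
  "$IPTB" -t nat -A POSTROUTING -o "$INTERNET" -s "$LAN" -j SNAT --to-source "$GW_IP"

  # MSS clamping for ADSL (PPPoE) links; inserted at the top of FORWARD
  #"$IPTB" -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  "$IPTB" -I FORWARD -o "$INTERNET" -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu

  # we allow only access to network cards (NIC) that have their MAC addresses
  # listed in the "valid-macs" file (the fwfilter chain is not created here)
  #while IFS= read -r mac; do "$IPTB" -I FORWARD -m mac --mac-source "$mac" -j fwfilter; done < valid-macs
}

#######################################
# Build the OUTPUT chain.
# Globals:  IPTB (read)
#######################################
setup_output() {
  "$IPTB" -P OUTPUT DROP
  # only allow NEW and related connections out
  "$IPTB" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

#######################################
# Entry point: validate, load the ruleset, list it, set ip_forward.
#######################################
main() {
  print_banner
  check_config

  # disable routing while the ruleset is rebuilt; re-enabled at the end
  printf '0\n' > /proc/sys/net/ipv4/ip_forward
  # enable PMTU (mss/mtu discovery) probing
  printf '1\n' > /proc/sys/net/ipv4/tcp_mtu_probing

  reset_tables
  setup_input
  setup_forward
  setup_output

  # list the rules
  "$IPTB" -L -v -n --line-numbers
  "$IPTB" -t nat -L -v -n --line-numbers

  printf '%s\n' "$WE_HAVE_INTRANET" > /proc/sys/net/ipv4/ip_forward
}

main "$@"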