
#!/bin/bash
#
# Linux iptables firewall script (http://tnt.aufbix.org/).
# Sets DROP policies on INPUT/FORWARD/OUTPUT, adds stateful rules, TCP-flag
# sanity checks, rate-limited ICMP and (optionally) NAT for an intranet
# behind this gateway. Must run as root: it writes /proc/sys and calls iptables.
#
# Globals set here:
#   TNX_IDIOT - kept from the original script; nothing else in this file reads it.

TNX_IDIOT="yes"

# Banner, a quote and a sketch of the netfilter hook order.
# The delimiter is unquoted so that $0 expands; everything else is literal.
cat <<EOF
*************
* Running $0
*************
* http://tnt.aufbix.org/ linux firewall script

It was sad music. But it waved its sadness like a battle flag.
 It said the universe had done all it could, but you were still alive.

					Discworld
 how iptables work in linux kernel

>-[prerouting]->	+ >-[forward]->	+ >-[postrouting]->
			|		|
			[input] >--->[output]
EOF
 
# ---------------------------------------------------------------------------
# Site configuration - edit these before running
# ---------------------------------------------------------------------------

# Binaries: iptables and iproute2. IP is defined for completeness; this
# script itself never calls it.
IPTB=/sbin/iptables
IP=/sbin/ip

# Interfaces. Append "+" (eth0+, eth1+) to also match aliases such as eth0:0.
INTERNET=eth0        # WAN side; for ADSL/PPPoE use ppp0
INTRANET=eth1        # LAN side

# Address space of the intranet
LAN=192.168.6.0/24

# Our static public IP, used as the SNAT source for intranet traffic.
# "X.X.X.X" is a placeholder, not a valid address - replace it.
GW_IP=X.X.X.X

# TCP services reachable (and forwarded) from the Internet.
# Space-separated: consumed by a "for" loop that emits one rule per port.
TCP_PORTS="25 53 80"

# UDP services reachable from the Internet.
# Comma-separated: handed to "-m multiport" as one list.
UDP_PORTS=53,123

# TCP ports forwarded into the intranet (comma-separated, for multiport)
FWD_TCP_PORTS=1214,6346

# "1" if a LAN hangs off $INTRANET; this value is also written to
# ip_forward at the very end of the script.
WE_HAVE_INTRANET=0

# Networks granted unconditional SSH/HTTP access (space-separated CIDRs)
TRUSTED_HOSTS="193.77.1.1/32 212.93.224.0/19 212.18.32.0/24"
 
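# Routing is switched OFF while the rule set is rebuilt (fail closed, no
# half-built FORWARD chain is ever used). The last line of the script
# restores it to $WE_HAVE_INTRANET.
echo "0" > /proc/sys/net/ipv4/ip_forward

# Packetization-layer PMTU discovery; 1 = probe only after an ICMP black
# hole has been detected.
echo "1" > /proc/sys/net/ipv4/tcp_mtu_probing

# Start from a clean slate in the filter and nat tables: flush every chain,
# then delete user-defined chains ("-X" requires them to be empty, hence the
# order). A bare "-F" already covers INPUT, FORWARD and OUTPUT.
$IPTB -F
$IPTB -X
$IPTB -t nat -F
$IPTB -t nat -X

# new chains for SSH and HTTP access
$IPTB -N ssh-access
$IPTB -N http-access

# port redirection (transparent proxy)
# redirect all outgoing traffic that is NOT for the GW to local (GW) ports
# DNS (53/tcp and 53/udp) and SMTP (25/tcp)
# NOTE: these use the old "-i ! iface" negation; current iptables wants "! -i iface".
#$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
#$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
#$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25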
 
# ---------------------------------------------------------------------------
# INPUT chain: everything is dropped unless a rule below accepts it
# ---------------------------------------------------------------------------
$IPTB -P INPUT DROP

# Replies to our own connections make up most of the traffic: accept first.
$IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# New SSH / HTTP connections are decided in their own chains.
$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access
$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access

# Append one ACCEPT per trusted network to the given chain.
# Arguments: $1 - chain name
# Globals:   IPTB, TRUSTED_HOSTS (space-separated; word-split on purpose)
accept_trusted() {
  local chain=$1
  local net
  for net in $TRUSTED_HOSTS; do
    $IPTB -A "$chain" -s "$net" -j ACCEPT
  done
}

# ssh-access: trusted networks unconditionally; everyone else gets at most
# one new connection per minute per source IP (slows down ssh scanners when
# the port must stay open to the world); the rest is dropped.
accept_trusted ssh-access
$IPTB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 \
  --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
$IPTB -A ssh-access -j DROP

# http-access: trusted networks are accepted early. The chain has no terminal
# rule, so other sources fall back into INPUT and still reach the generic
# TCP_PORTS rule further down (port 80 is listed there).
accept_trusted http-access

# IPSEC
#$IPTB -A INPUT -i $INTERNET -p udp --sport 500 --dport 500  -j ACCEPT
#$IPTB -A INPUT -i $INTERNET -p 50 -j ACCEPT
#$IPTB -A INPUT -i $INTERNET -p 51 -j ACCEPT

# Anything arriving on the LAN interface or loopback is trusted.
# NOTE(review): there is no source-address check anywhere in INPUT - a packet
# arriving on $INTERNET with a $LAN source address is not rejected by this
# rule set; rp_filter or an explicit "-i $INTERNET -s $LAN -j DROP" would cover it.
$IPTB -A INPUT -i $INTRANET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTB -A INPUT -i lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Packets conntrack cannot classify: log (rate limited) and drop.
$IPTB -A INPUT -m state --state INVALID -m limit --limit 1/minute -j LOG --log-prefix "packet not in conntrack> "
$IPTB -A INPUT -m state --state INVALID -j DROP
 
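# ---------------------------------------------------------------------------
# Link-layer and TCP-flag sanity checks. They sit after the stateful ACCEPT,
# so only packets that are not part of a known connection get here.
# ---------------------------------------------------------------------------

# No broadcast/multicast from the Internet side
$IPTB -A INPUT -i $INTERNET -m pkttype --pkt-type broadcast -j DROP
$IPTB -A INPUT -i $INTERNET -m pkttype --pkt-type multicast -j DROP

# Log and drop TCP packets whose flags match MASK/COMP. The LOG rule is
# rate limited (as the INVALID log above already is) so that a scan cannot
# fill the log; the DROP is unconditional. Log prefixes are unchanged.
# Arguments: $1 - flag mask
#            $2 - flags that must be set within the mask
#            $3 - log prefix
# Globals:   IPTB
drop_tcp_flags() {
  local mask=$1 comp=$2 prefix=$3
  $IPTB -A INPUT -p tcp --tcp-flags "$mask" "$comp" \
    -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "$prefix"
  $IPTB -A INPUT -p tcp --tcp-flags "$mask" "$comp" -j DROP
}

# FIN, PSH or URG without ACK never occurs on a real connection
drop_tcp_flags ACK,FIN FIN "FIN> "
drop_tcp_flags ACK,PSH PSH "PSH> "
drop_tcp_flags ACK,URG URG "URG> "

# classic scan signatures
drop_tcp_flags ALL ALL "XMAS scan> "                   # every flag set
drop_tcp_flags ALL NONE "NULL scan> "                  # no flag set
drop_tcp_flags ALL SYN,RST,ACK,FIN,URG "pscan> "
drop_tcp_flags SYN,FIN SYN,FIN "pscan 2> "             # SYN and FIN together
drop_tcp_flags FIN,RST FIN,RST "fin/rts flag>"         # FIN and RST together

# Second and further fragments ("-f" never matches the first fragment).
# Because this drops every such fragment, the fragmented-ICMP rules later in
# INPUT are never reached while this rule is in place.
$IPTB -A INPUT -f -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "Lost FRAGMENT> "
$IPTB -A INPUT -f -j DROP

# SYN and RST together
drop_tcp_flags SYN,RST SYN,RST "SYN-RST> "

# The former "SYNFIN-SCAN", "NMAP-XMAS-SCAN", "FIN-SCAN" and "NMAP-ID" rules
# (ALL SYN,FIN / ALL URG,PSH,FIN / ALL FIN / ALL URG,PSH,SYN,FIN) were
# removed: every one of those flag sets has FIN set and ACK clear, so the
# "FIN> " rule above already dropped them and they could never match.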
 
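# ---------------------------------------------------------------------------
# Services reachable from the Internet
# ---------------------------------------------------------------------------

# TCP: one rule per port, new connections (SYN) only
for port in $TCP_PORTS; do
  $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport "$port" -j ACCEPT
done

# UDP: one multiport rule for the comma-separated list
$IPTB -A INPUT -p udp -m multiport --dports $UDP_PORTS -j ACCEPT

# identd: answer with a TCP reset rather than dropping, so the peer gives up
# immediately instead of waiting for a timeout
$IPTB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# traceroute (UDP flavour - IOS, Uni*es), rate limited
$IPTB -A INPUT -p udp -m limit --limit 3/second --sport 32769:65535 --dport 33434:33523 -j ACCEPT

# Fragmented ICMP should not happen at all and is often used for DoS: log
# (rate limited) and DROP. The previous version ACCEPTed here, contradicting
# its own comment. The generic "-f" DROP earlier in INPUT already catches
# every non-first fragment, so these two rules only matter if that one is
# removed.
$IPTB -A INPUT -i $INTERNET --fragment -p icmp -m limit --limit 1/minute -j LOG --log-prefix "Fragmented incoming ICMP> "
$IPTB -A INPUT -i $INTERNET --fragment -p icmp -j DROP

# Accept ICMP of one type, rate limited per source IP.
# Arguments: $1 - numeric ICMP type
# Globals:   IPTB
allow_icmp() {
  local type=$1
  $IPTB -A INPUT -p icmp --icmp-type "$type" -m hashlimit --hashlimit 10/second \
    --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name "icmp$type" -j ACCEPT
}

# thou shall NOT block ALL ICMP, but only allow useful ICMP types to pass through
#allow_icmp 0      # echo-reply
allow_icmp 3       # destination unreachable (includes "fragmentation needed", used by PMTU)
#allow_icmp 4      # source-quench (deprecated)
allow_icmp 11      # time exceeded (forward loop prevention, traceroute replies)
allow_icmp 12      # parameter problem
allow_icmp 30      # icmp-traceroute
allow_icmp 8       # echo-request

# if the default policy is not DROP then we must use this
#$IPTB -A INPUT -p icmp -j DROP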
 
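# ---------------------------------------------------------------------------
# FORWARD chain: traffic routed between $INTRANET and $INTERNET
# ---------------------------------------------------------------------------
$IPTB -P FORWARD DROP

# port forwarding
#$IPTB	-A FORWARD	-p tcp	-i $INTERNET	-m multiport --dport $FWD_TCP_PORTS	-j ACCEPT

# START	/ port forwarding
# list forwarded ports in separate command lines
#$IPTB	-t nat	-A PREROUTING	-p tcp	-i $INTERNET --dport 1214  -j DNAT --to 192.168.1.10
#$IPTB	-t nat	-A PREROUTING	-p tcp	-i $INTERNET --dport 6346  -j DNAT --to 192.168.1.10
# END 	/ port forwarding

# stateful: drop what conntrack cannot classify, pass replies, and allow new
# connections only when they did not come in on the Internet interface
#$IPTB -A FORWARD -m state --state INVALID -j LOG --log-prefix "INVALID: "
$IPTB -A FORWARD -m state --state INVALID -j DROP
$IPTB -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTB -A FORWARD -m state --state NEW ! -i $INTERNET -j ACCEPT

$IPTB -A FORWARD -m pkttype --pkt-type broadcast -j DROP
$IPTB -A FORWARD -m pkttype --pkt-type multicast -j DROP

# NAT for the intranet. Only installed when we actually have one: without an
# intranet GW_IP is still the "X.X.X.X" placeholder, which iptables rejects,
# and forwarding is left switched off at the end anyway.
if [[ "$WE_HAVE_INTRANET" == "1" ]]; then
  # plain masquerading (dynamic Internet IP)
  #$IPTB -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
  # NAT to a fixed address (we have a static IP / several Internet IPs)
  $IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source "$GW_IP"
fi

# MSS clamping for ADSL (PPPoE) links; "-I" puts it at the top of FORWARD so
# it runs before the stateful rules
#$IPTB -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu

# we allow only access to network cards (NIC) that have their MAC addresses listed
# in "valid-macs" file
#for mac in `cat valid-macs`; do $IPTB -I FORWARD -m mac --mac-source $mac -j fwfilter ; done

# ---------------------------------------------------------------------------
# OUTPUT chain: everything we originate, except INVALID, may leave
# ---------------------------------------------------------------------------
$IPTB -P OUTPUT DROP
$IPTB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# show the result
$IPTB -L -v -n --line
$IPTB -t nat -L -v -n --line

# Routing was switched off at the start of the script; now that the rule set
# is complete, enable it ("1") only when an intranet is configured.
echo "$WE_HAVE_INTRANET" > /proc/sys/net/ipv4/ip_forward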
