Differences
linux:firewall [2008/04/28 19:03] greebo |
linux:firewall [2010/12/30 12:54] greebo |
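--- a/linux:firewall
+++ b/linux:firewall
@@ -1,1 +1,261 @@
-[[iptables| GO HERE! ]]
+[[linux:
+[[linux:
+[[http://
+
+<code bash |>
+
+#!/bin/bash
+echo "
+echo "* Running $0"
+echo "
+echo "* http://
+
+echo
+echo "It was sad music. But it waved its sadness like a battle flag."
+echo " It said the universe had done all it could, but you were still alive."
+echo
+echo "
+
+TNX_IDIOT="
+
+echo " how iptables work in linux kernel"
+echo
+echo ">
+echo "
+echo "
+
+# path to iptables and iproute2 files
+IPTB="/
+IP="/
+
+# name of our Internet and intranet interfaces
+# use INTRANET="
+# if you have more ifaces (example: eth0:
+INTRANET="
+INTERNET="
+# ADSL - INTERNET="
+
+# what IPs are used in intranet
+LAN="
+
+# what is our static
+GW_IP="
+
+# what TCP ports/
+# use " " as delimiter
+TCP_PORTS="
+
+# what UDP ports/
+# use ","
+UDP_PORTS="
+
+# which ports we forward into our intranet
+# use ","
+FWD_TCP_PORTS="
+
+# set to 1 if we you have intranet
+WE_HAVE_INTRANET="
+
+#
+TRUSTED_HOSTS="
+212.93.224.0/
+212.18.32.0/
+
+echo "
+
+# first we flush the tables and policy
+$IPTB -F
+$IPTB -X
+$IPTB -F INPUT
+$IPTB -F FORWARD
+$IPTB -F OUTPUT
+
+$IPTB -t nat -F
+
+# new chain for SSH and HTTP access
+$IPTB -N ssh-access
+$IPTB -N http-access
+
+# port redirection (transparent proxy)
+# redirect all outgoing traffic that is NOT for the GW to local (GW) ports
+# DNS (53/tcp and 53/udp) and SMTP (25/tcp)
+#$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
+#$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
+#$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25
+
+# INPUT TABLE
+$IPTB -P INPUT DROP
+
+# statefull firewall makes most hits
+$IPTB -A INPUT -m state --state ESTABLISHED,
+
+# move all SSH and HTTP traffic to apropriate chains
+$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access
+$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access
+
+# ssh chain
+for sshhostese in $TRUSTED_HOSTS;
+do
+$IPTB -A ssh-access -s $sshhostese -j ACCEPT
+done
+# Connection limit for SSH connections (1 connection per minute PER source IP)
+# - usefull against ssh scanners if you MUST open SSH for every IP!
+$IPTB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
+$IPTB -A ssh-access -j DROP
+# ssh
+
+# http
+for httphostese in $TRUSTED_HOSTS;
+do
+$IPTB -A http-access -s $httphostese -j ACCEPT
+done
+# http
+
+# IPSEC
+#$IPTB -A INPUT -i $INTERNET -p udp --sport 500 --dport 500 -j ACCEPT
+#$IPTB -A INPUT -i $INTERNET -p 50 -j ACCEPT
+#$IPTB -A INPUT -i $INTERNET -p 51 -j ACCEPT
+
+# we allow all traffic from $INTRANET and localhost interfaces
+$IPTB -A INPUT -i $INTRANET -j ACCEPT
+$IPTB -A INPUT -i lo -j ACCEPT
+
+#$IPTB -A INPUT -m state --state INVALID -m limit --limit 1/minute -j LOG --log-prefix "
+#$IPTB -A INPUT -m state --state INVALID -j DROP
+
+#
+$IPTB -A INPUT -i $INTERNET -m pkttype --pkt-type broadcast -j DROP
+$IPTB -A INPUT -i $INTERNET -m pkttype --pkt-type multicast -j DROP
+
+#FIN is set and ACK is not
+$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
+$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "
+
+#PSH is set and ACK is not
+$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
+$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "
+
+#URG is set and ACK is not
+$IPTB -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
+$IPTB -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "
+
+# Block portscans:
+$IPTB -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS scan> "
+$IPTB -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+
+#no flag is set
+$IPTB -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL scan> "
+$IPTB -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+
+$IPTB -A INPUT -p tcp --tcp-flags ALL SYN,
+$IPTB -A INPUT -p tcp --tcp-flags ALL SYN,
+
+#SYN and FIN are both set
+$IPTB -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "pscan 2> "
+$IPTB -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+
+#FIN and RST are both set
+$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
+$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "
+
+$IPTB -A INPUT -f -j LOG --log-prefix "
+$IPTB -A INPUT -f -j DROP
+
+$IPTB -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "
+$IPTB -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
+
+$IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "
+$IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP
+
+$IPTB -A INPUT -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "
+$IPTB -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
+
+$IPTB -A INPUT -p tcp --tcp-flags ALL URG,
+$IPTB -A INPUT -p tcp --tcp-flags ALL URG,
+
+#SYN and RST are both set
+$IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "
+$IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+
+# what we allow from Internet - TCP ports
+for i in $TCP_PORTS
+do
+$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport $i -j ACCEPT
+done
+
+# what we allow from Internet - UDP ports
+$IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT
+
+# identd requests
+$IPTB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
+
+# traceroute
+$IPTB -A INPUT -p udp -m limit --limit 3/
+
+# Log and drop ICMP fragments (shouldn not happen at all, but often used for DoS)
+$IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix "
+$IPTB -A INPUT -i $INTERNET --fragment -p icmp -j DROP
+
+# thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough
+$IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j
+#$IPTB -A INPUT -p icmp --icmp-type 0 -m limit --limit 30/second -j ACCEPT
+$IPTB -A INPUT -p icmp --icmp-type 3 -m limit --limit 30/second -j ACCEPT
+$IPTB -A INPUT -p icmp --icmp-type 4 -m limit --limit 30/second -j ACCEPT
+$IPTB -A INPUT -p icmp --icmp-type 11 -m limit --limit 30/second -j ACCEPT
+$IPTB -A INPUT -p icmp --icmp-type 12 -m limit --limit 30/second -j ACCEPT
+#
+$IPTB -A INPUT -p icmp --icmp-type 30 -m limit --limit 30/second -j ACCEPT
+
+# echo-request
+$IPTB -A INPUT -p icmp --icmp-type 8 -m limit --limit 3/second -j ACCEPT
+
+# if the default policy is not DROP then we must use this
+#$IPTB -A INPUT -p icmp -j DROP
+
+# FORWARD TABLE
+$IPTB -P FORWARD DROP
+
+# port forwarding
+#$IPTB -A FORWARD -p tcp -i $INTERNET -m multiport --dport $FWD_TCP_PORTS -j ACCEPT
+
+# START / port forwarding
+# list forwarder ports in separate command lines
+#$IPTB -t nat -A PREROUTING -p tcp -i $INTERNET --dport 1214 -j DNAT --to 192.168.1.10
+#$IPTB -t nat -A PREROUTING -p tcp -i $INTERNET --dport 6346 -j DNAT --to 192.168.1.10
+# END / port forwarding
+
+# statefull firewall
+#$IPTB -A FORWARD -m state --state INVALID -j LOG --log-prefix "
+$IPTB -A FORWARD -m state --state INVALID -j DROP
+$IPTB -A FORWARD -m state --state ESTABLISHED,
+$IPTB -A FORWARD -m state --state NEW -i ! $INTERNET -j ACCEPT
+
+$IPTB -A FORWARD -m pkttype --pkt-type broadcast -j DROP
+$IPTB -A FORWARD -m pkttype --pkt-type multicast -j DROP
+
+# NAT (IP masquerading)
+#$IPTB -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
+
+# NAT but to certain IP (if we have multiple Internet IPs)
+$IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP
+
+# ADSL (PPPoE connections)
+#$IPTB -I FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+$IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
+
+# we allow only access to network cards (NIC) that have their MAC addresses listed
+# in "
+#for mac in `cat valid-macs`;
+
+# OUTPUT
+$IPTB -P OUTPUT DROP
+
+# only allow NEW and related connections out
+$IPTB -A OUTPUT -m state --state NEW,
+
+# list the rules
+$IPTB -L -v -n
+
+echo $WE_HAVE_INTRANET > /
+
+</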
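Review bot: In the TCP-flag section the `ACK,FIN FIN`, `ACK,PSH PSH`, `ACK,URG URG` and `FIN,RST FIN,RST` pairs append the DROP rule before the LOG rule, so those four LOG rules can never match and the packets are dropped silently, unlike the XMAS and NULL pairs which log first; reorder each pair so the `-j LOG --log-prefix ...` line precedes the `-j DROP` line. None of the reachable LOG rules (XMAS, NULL, `SYN,FIN`, `-f` fragments, `URG,PSH,FIN`, `ALL FIN`, `SYN,RST` and the ICMP-fragment one) carry a rate limit, so a single Internet host can flood the kernel log with a crafted-flag scan; add `-m limit --limit 5/minute --limit-burst 10` to each, as the commented-out INVALID rule already does. The `ssh-access`/`http-access` dispatch is appended before the unconditional `-i $INTRANET -j ACCEPT`, so LAN clients not listed in TRUSTED_HOSTS are held to the same one-connection-per-minute SSH hashlimit as Internet hosts; if that is unintended, move the intranet and `lo` ACCEPT rules above the dispatch. The chain policies are switched to DROP before any accept rule exists and the script has no `set -e`, so a failing rule mid-run (or a typo in the truncated variable block) can leave a remote administrator locked out; loading the ruleset atomically with `iptables-restore`, or keeping the policy at ACCEPT until the ESTABLISHED rule is in place, avoids that window. Many lines are cut off in this rendering (the echo strings, the variable assignments, the `SYN,`/`URG,` flag rules and the final `echo $WE_HAVE_INTRANET > /...` redirect), so those could not be checked.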