[[linux:firewall]]
Trace:
Show page
AdminRecent ChangesSitemap

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
linux:firewall [2009/06/24 00:13]
a 		linux:firewall [2010/12/30 12:54]
greebo
Line 1: Line 1:
 [[linux:firewall6|Linux IPV6 firewall]]\\ [[linux:firewall6|Linux IPV6 firewall]]\\
 +[[linux:firewall_blocktor| how to block TOR network in realtime]]\\ 
 [[http://www.fs-security.com/|FS security]]\\ [[http://www.fs-security.com/|FS security]]\\
  
Line 8: Line 9:
 echo "* Running $0" echo "* Running $0"
 echo "*************" echo "*************"
 +echo "* http://tnt.aufbix.org/ linux firewall script"
  
 echo echo
Line 24: Line 26:
  
 # path to iptables and iproute2 files # path to iptables and iproute2 files
- 
 IPTB="/sbin/iptables" IPTB="/sbin/iptables"
 IP="/sbin/ip" IP="/sbin/ip"
  
 # name of our Internet and intranet interfaces # name of our Internet and intranet interfaces
 +# use INTRANET="eth1+" or INTERNET="eth0+"
 +# if you have more ifaces (example: eth0:0)  towards Intranet/Internet
 INTRANET="eth1" INTRANET="eth1"
 INTERNET="eth0" INTERNET="eth0"
Line 41: Line 44:
 # what TCP ports/services we allow (and FORWARD) from Internet # what TCP ports/services we allow (and FORWARD) from Internet
 # use " " as delimiter # use " " as delimiter
-TCP_PORTS="22 25 53 80"+TCP_PORTS="25 53 80"
  
 # what UDP ports/services we allow (and FORWARD) from Internet # what UDP ports/services we allow (and FORWARD) from Internet
 # use "," as delimiter # use "," as delimiter
-UDP_PORTS="53"+UDP_PORTS="53,123"
  
 # which ports we forward into our intranet # which ports we forward into our intranet
Line 54: Line 57:
 WE_HAVE_INTRANET="0" WE_HAVE_INTRANET="0"
  
 +
 TRUSTED_HOSTS="193.77.1.1/32 \ TRUSTED_HOSTS="193.77.1.1/32 \
 212.93.224.0/19 \ 212.93.224.0/19 \
-212.18.32.0\24"+212.18.32.0/24"
  
 echo "0" > /proc/sys/net/ipv4/ip_forward echo "0" > /proc/sys/net/ipv4/ip_forward
Line 69: Line 73:
 $IPTB -t nat -F $IPTB -t nat -F
  
 +# new chain for SSH and HTTP access
 $IPTB -N ssh-access $IPTB -N ssh-access
 $IPTB -N http-access $IPTB -N http-access
  
-   
 # port redirection (transparent proxy) # port redirection (transparent proxy)
 +# redirect all outgoing traffic that is NOT for the GW to local (GW) ports
 +# DNS (53/tcp and 53/udp) and SMTP (25/tcp)
 #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
 #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
Line 84: Line 90:
 $IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  
 +# move all SSH and HTTP traffic to apropriate chains
 $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access
 $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access
  
-# ssh+# ssh chain
 for sshhostese in $TRUSTED_HOSTS; for sshhostese in $TRUSTED_HOSTS;
         do         do
         $IPTB -A ssh-access -s $sshhostese -j ACCEPT         $IPTB -A ssh-access -s $sshhostese -j ACCEPT
         done         done
 + # Connection limit for SSH connections (1 connection per minute PER source IP)
 + # - usefull against ssh scanners if you MUST open SSH for every IP!
 +$IPTB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
 +$IPTB -A ssh-access -j DROP
 # ssh # ssh
  
Line 100: Line 111:
         done         done
 # http # http
- 
  
 # IPSEC # IPSEC
Line 148: Line 158:
 $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
 $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "fin/rts flag>" $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "fin/rts flag>"
- 
  
 $IPTB -A INPUT -f -j LOG --log-prefix "FRAGMENT> " $IPTB -A INPUT -f -j LOG --log-prefix "FRAGMENT> "
Line 169: Line 178:
 $IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP $IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  
-# Connection limit for SSH connections ( 1 connection per minute) - usefull agains ssh scanners if you MUST open SSH for every IP! +# what we allow from Internet - TCP ports
-# it is wise to use sshaccess input table (TRUSTED_HOSTS) +
-#$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT +
-#$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP +
- +
-# what we allow from Internet+
 for i in $TCP_PORTS for i in $TCP_PORTS
  do  do
  $IPTB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT  $IPTB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT
-    done+        done
  
 +# what we allow from Internet - UDP ports
 $IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT $IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT
  
Line 193: Line 198:
  
 # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough
-$IPTB -A INPUT -p icmp --icmp-type 0  -m limit --limit 30/second -j ACCEPT+$IPTB -A INPUT -p icmp --icmp-type 0  -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j  
 +#$IPTB -A INPUT -p icmp --icmp-type 0  -m limit --limit 30/second -j ACCEPT
 $IPTB -A INPUT -p icmp --icmp-type 3  -m limit --limit 30/second -j ACCEPT $IPTB -A INPUT -p icmp --icmp-type 3  -m limit --limit 30/second -j ACCEPT
 $IPTB -A INPUT -p icmp --icmp-type 4  -m limit --limit 30/second -j ACCEPT $IPTB -A INPUT -p icmp --icmp-type 4  -m limit --limit 30/second -j ACCEPT
Line 234: Line 240:
 $IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP $IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP
  
-adsl+ADSL (PPPoE connections)
 #$IPTB -I FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu #$IPTB -I FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 $IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu $IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
Line 241: Line 247:
 # in "valid-macs" file # in "valid-macs" file
 #for mac in `cat valid-macs`; do $IPTB -I FORWARD -m mac --mac-source $mac -j fwfilter ; done #for mac in `cat valid-macs`; do $IPTB -I FORWARD -m mac --mac-source $mac -j fwfilter ; done
 +
 +# OUTPUT
 +$IPTB -P OUTPUT DROP
 +
 +# only allow NEW and related connections out
 +$IPTB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      
 # list the rules # list the rules
linux/firewall.txt · Last modified: 2019/04/15 10:18 by zagi
Show pageOld revisions
Media ManagerBack to top
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready