Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
linux:firewall [2010/01/28 20:54] greebo |
linux:firewall [2010/12/30 12:54] greebo |
||
|---|---|---|---|
| Line 2: | Line 2: | ||
| [[linux: | [[linux: | ||
| [[http:// | [[http:// | ||
| - | |||
| - | |||
| <code bash |> | <code bash |> | ||
| Line 11: | Line 9: | ||
| echo "* Running $0" | echo "* Running $0" | ||
| echo " | echo " | ||
| + | echo "* http:// | ||
| echo | echo | ||
| Line 27: | Line 26: | ||
| # path to iptables and iproute2 files | # path to iptables and iproute2 files | ||
| - | |||
| IPTB="/ | IPTB="/ | ||
| IP="/ | IP="/ | ||
| # name of our Internet and intranet interfaces | # name of our Internet and intranet interfaces | ||
| - | # | ||
| # use INTRANET=" | # use INTRANET=" | ||
| # if you have more ifaces (example: eth0: | # if you have more ifaces (example: eth0: | ||
| Line 51: | Line 48: | ||
| # what UDP ports/ | # what UDP ports/ | ||
| # use "," | # use "," | ||
| - | UDP_PORTS=" | + | UDP_PORTS=" |
| # which ports we forward into our intranet | # which ports we forward into our intranet | ||
| Line 60: | Line 57: | ||
| WE_HAVE_INTRANET=" | WE_HAVE_INTRANET=" | ||
| + | # | ||
| TRUSTED_HOSTS=" | TRUSTED_HOSTS=" | ||
| 212.93.224.0/ | 212.93.224.0/ | ||
| Line 75: | Line 73: | ||
| $IPTB -t nat -F | $IPTB -t nat -F | ||
| + | # new chain for SSH and HTTP access | ||
| $IPTB -N ssh-access | $IPTB -N ssh-access | ||
| $IPTB -N http-access | $IPTB -N http-access | ||
| - | | ||
| # port redirection (transparent proxy) | # port redirection (transparent proxy) | ||
| # redirect all outgoing traffic that is NOT for the GW to local (GW) ports | # redirect all outgoing traffic that is NOT for the GW to local (GW) ports | ||
| + | # DNS (53/tcp and 53/udp) and SMTP (25/tcp) | ||
| #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT | #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT | ||
| #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT | #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT | ||
| Line 91: | Line 90: | ||
| $IPTB -A INPUT -m state --state ESTABLISHED, | $IPTB -A INPUT -m state --state ESTABLISHED, | ||
| - | # Connection limit for SSH connections (3 connection per minute) - usefull agains ssh scanners if you MUST open SSH for every IP! | + | # move all SSH and HTTP traffic |
| - | # it is wise to use sshaccess input table (TRUSTED_HOSTS) | + | |
| - | #$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT | + | |
| - | #$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP | + | |
| $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access | $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access | ||
| $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access | $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access | ||
| - | # ssh | + | # ssh chain |
| for sshhostese in $TRUSTED_HOSTS; | for sshhostese in $TRUSTED_HOSTS; | ||
| do | do | ||
| $IPTB -A ssh-access -s $sshhostese -j ACCEPT | $IPTB -A ssh-access -s $sshhostese -j ACCEPT | ||
| done | done | ||
| + | # Connection limit for SSH connections (1 connection per minute PER source IP) | ||
| + | # - usefull against ssh scanners if you MUST open SSH for every IP! | ||
| + | $IPTB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT | ||
| + | $IPTB -A ssh-access -j DROP | ||
| # ssh | # ssh | ||
| Line 112: | Line 111: | ||
| done | done | ||
| # http | # http | ||
| - | |||
| # IPSEC | # IPSEC | ||
| Line 160: | Line 158: | ||
| $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | ||
| $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix " | $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix " | ||
| - | |||
| $IPTB -A INPUT -f -j LOG --log-prefix " | $IPTB -A INPUT -f -j LOG --log-prefix " | ||
| Line 181: | Line 178: | ||
| $IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP | $IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP | ||
| - | + | # what we allow from Internet | |
| - | # what we allow from Internet | + | |
| for i in $TCP_PORTS | for i in $TCP_PORTS | ||
| do | do | ||
| $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport $i -j ACCEPT | $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport $i -j ACCEPT | ||
| - | | + | |
| + | # what we allow from Internet - UDP ports | ||
| $IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT | $IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT | ||
| Line 201: | Line 198: | ||
| # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough | # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough | ||
| - | $IPTB -A INPUT -p icmp --icmp-type 0 -m limit --limit 30/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j |
| + | #$IPTB -A INPUT -p icmp --icmp-type 0 -m limit --limit 30/second -j ACCEPT | ||
| $IPTB -A INPUT -p icmp --icmp-type 3 -m limit --limit 30/second -j ACCEPT | $IPTB -A INPUT -p icmp --icmp-type 3 -m limit --limit 30/second -j ACCEPT | ||
| $IPTB -A INPUT -p icmp --icmp-type 4 -m limit --limit 30/second -j ACCEPT | $IPTB -A INPUT -p icmp --icmp-type 4 -m limit --limit 30/second -j ACCEPT | ||
| Line 242: | Line 240: | ||
| $IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP | $IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP | ||
| - | # adsl | + | # ADSL (PPPoE connections) |
| #$IPTB -I FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | #$IPTB -I FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | ||
| $IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu | $IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu | ||
| Line 249: | Line 247: | ||
| # in " | # in " | ||
| #for mac in `cat valid-macs`; | #for mac in `cat valid-macs`; | ||
| + | |||
| + | # OUTPUT | ||
| + | $IPTB -P OUTPUT DROP | ||
| + | |||
| + | # only allow NEW and related connections out | ||
| + | $IPTB -A OUTPUT -m state --state NEW, | ||
| | | ||
| # list the rules | # list the rules | ||
