Differences

This shows you the differences between two versions of the page.

--- linux:firewall [2009/06/24 11:17]
greebo
+++ linux:firewall [2019/04/15 10:18] (current)
zagi
@@ Line 1: / Line 1: @@
 [[linux:firewall6|Linux IPV6 firewall]]\\
+[[linux:firewall_blocktor| how to block TOR network in realtime]]\\
 [[http://www.fs-security.com/|FS security]]\\
@@ Line 8: / Line 9: @@
 echo "* Running $0"
 echo "*************"
+echo "* http://tnt.aufbix.org/ linux firewall script"
 echo
@@ Line 24: / Line 26: @@
 # path to iptables and iproute2 files
 IPTB="/sbin/iptables"
 IP="/sbin/ip"
 # name of our Internet and intranet interfaces
-#
 # use INTRANET="eth1+" or INTERNET="eth0+"
 # if you have more ifaces (example: eth0:0)  towards Intranet/Internet
-INTRANET="eth1"
+#
+# WAN Interface
 INTERNET="eth0"
 # ADSL - INTERNET="ppp0"
+#
+# LAN Interface
+INTRANET="eth1"
 # what IPs are used in intranet
@@ Line 48: / Line 52: @@
 # what UDP ports/services we allow (and FORWARD) from Internet
 # use "," as delimiter
-UDP_PORTS="53"
+UDP_PORTS="53,123"
 # which ports we forward into our intranet
@@ Line 57: / Line 61: @@
 WE_HAVE_INTRANET="0"
+#
 TRUSTED_HOSTS="193.77.1.1/32 \
 .93.224.0/19 \
 .18.32.0/24"
+# enable IP forwarding (routing!)
 echo "0" > /proc/sys/net/ipv4/ip_forward
+# enable PMTU (mss/mtu discovery)
+echo "1" > /proc/sys/net/ipv4/tcp_mtu_probing
 # first we flush the tables and policy
@@ Line 72: / Line 81: @@
 $IPTB -t nat -F
+# new chain for SSH and HTTP access
 $IPTB -N ssh-access
 $IPTB -N http-access
 # port redirection (transparent proxy)
 # redirect all outgoing traffic that is NOT for the GW to local (GW) ports
+# DNS (53/tcp and 53/udp) and SMTP (25/tcp)
 #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
 #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
@@ Line 88: / Line 98: @@
 $IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-# Connection limit for SSH connections (3 connection per minute) - usefull agains ssh scanners if you MUST open SSH for every IP!
+# move all SSH and HTTP traffic to apropriate chains
-# it is wise to use sshaccess input table (TRUSTED_HOSTS)
-#$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCESS
-#$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP
 $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access
 $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access
-# ssh
+# ssh chain
 for sshhostese in $TRUSTED_HOSTS;
         do
         $IPTB -A ssh-access -s $sshhostese -j ACCEPT
         done
+ # Connection limit for SSH connections (1 connection per minute PER source IP)
+ # - usefull against ssh scanners if you MUST open SSH for every IP!
+$IPTB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
+$IPTB -A ssh-access -j DROP
 # ssh
@@ Line 109: / Line 119: @@
         done
 # http
 # IPSEC
@@ Line 117: / Line 126: @@
 # we allow all traffic from $INTRANET and localhost interfaces
-$IPTB -A INPUT -i $INTRANET -j ACCEPT
+$IPTB -A INPUT -i $INTRANET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-$IPTB -A INPUT -i lo -j ACCEPT
+$IPTB -A INPUT -i lo  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-#$IPTB -A INPUT -m state --state INVALID -m limit --limit 1/minute -j LOG --log-prefix "INVALID packet> "
+$IPTB -A INPUT -m state --state INVALID -m limit --limit 1/minute -j LOG --log-prefix "packet not in conntrack> "
-#$IPTB -A INPUT -m state --state INVALID -j DROP
+$IPTB -A INPUT -m state --state INVALID -j DROP
 #
@@ Line 128: / Line 137: @@
 #FIN is set and ACK is not
-$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
 $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN> "
+$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
 #PSH is set and ACK is not
+$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH> "
 $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
-$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH> "
 #URG is set and ACK is not
+$IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG> "
 $IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
-$IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG> "
 # Block portscans:
@@ Line 155: / Line 164: @@
 #FIN and RST are both set
-$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
 $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "fin/rts flag>"
+$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
+$IPTB -A INPUT -f -j LOG --log-prefix "Lost FRAGMENT> "
-$IPTB -A INPUT -f -j LOG --log-prefix "FRAGMENT> "
 $IPTB -A INPUT -f -j DROP
@@ Line 178: / Line 186: @@
 $IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+# what we allow from Internet - TCP ports
-# what we allow from Internet
 for i in $TCP_PORTS
 	do
-		$IPTB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT
+	$IPTB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT
-    done
+        done
+# what we allow from Internet - UDP ports
 $IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT
@@ Line 190: / Line 198: @@
 $IPTB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-# traceroute
+# traceroute (udp - IOS, Uni*es)
 $IPTB -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT
 # Log and drop ICMP fragments (shouldn not happen at all, but often used for DoS)
 $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix "Fragmented incoming ICMP> "
-$IPTB -A INPUT -i $INTERNET --fragment -p icmp -j DROP
+$IPTB -A INPUT -i $INTERNET --fragment -p icmp -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp-frag -j ACCEPT
 # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough
-$IPTB -A INPUT -p icmp --icmp-type 0  -m limit --limit 30/second -j ACCEPT
+# echo-reply
-$IPTB -A INPUT -p icmp --icmp-type 3  -m limit --limit 30/second -j ACCEPT
+#$IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j ACCEPT
-$IPTB -A INPUT -p icmp --icmp-type 4  -m limit --limit 30/second -j ACCEPT
+# unreachables
-$IPTB -A INPUT -p icmp --icmp-type 11 -m limit --limit 30/second -j ACCEPT
+$IPTB -A INPUT -p icmp --icmp-type 3 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp3 -j ACCEPT
-$IPTB -A INPUT -p icmp --icmp-type 12 -m limit --limit 30/second -j ACCEPT
+# source-quench (depreciated)
+#$IPTB -A INPUT -p icmp --icmp-type 4 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp4 -j ACCEPT
+# timeout (forward loop prevention)
+$IPTB -A INPUT -p icmp --icmp-type 11 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp11 -j ACCEPT
+# parameter problem
+$IPTB -A INPUT -p icmp --icmp-type 12 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp12 -j ACCEPT
 #icmp-traceroute
-$IPTB -A INPUT -p icmp --icmp-type 30 -m limit --limit 30/second -j ACCEPT
+$IPTB -A INPUT -p icmp --icmp-type 30 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp30 -j ACCEPT
 # echo-request
-$IPTB -A INPUT -p icmp --icmp-type 8  -m limit --limit 3/second -j ACCEPT
+$IPTB -A INPUT -p icmp --icmp-type 8 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp8 -j ACCEPT
 # if the default policy is not DROP then we must use this
@@ Line 228: / Line 240: @@
 $IPTB -A FORWARD -m state --state INVALID -j DROP
 $IPTB -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-$IPTB -A FORWARD -m state --state NEW -i ! $INTERNET -j ACCEPT
+$IPTB -A FORWARD -m state --state NEW ! -i $INTERNET -j ACCEPT
 $IPTB -A FORWARD -m pkttype --pkt-type broadcast -j DROP
@@ Line 239: / Line 251: @@
 $IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP
-# adsl
+# ADSL (PPPoE connections)
-#$IPTB -I FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+#$IPTB -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 $IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
@@ Line 246: / Line 258: @@
 # in "valid-macs" file
 #for mac in `cat valid-macs`; do $IPTB -I FORWARD -m mac --mac-source $mac -j fwfilter ; done
+# OUTPUT
+$IPTB -P OUTPUT DROP
+# only allow NEW and related connections out
+$IPTB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 # list the rules
-$IPTB -L -v -n
+$IPTB -L -v -n --line
+$IPTB -t nat -L -v -n --line
 echo $WE_HAVE_INTRANET > /proc/sys/net/ipv4/ip_forward
 </code>