[[linux:firewall]]
Trace:
Show page
AdminRecent ChangesSitemap

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Last revision Both sides next revision
linux:firewall [2009/06/24 11:17]
greebo 		linux:firewall [2016/02/23 10:51]
zagi
Line 1: Line 1:
 [[linux:firewall6|Linux IPV6 firewall]]\\ [[linux:firewall6|Linux IPV6 firewall]]\\
 +[[linux:firewall_blocktor| how to block TOR network in realtime]]\\ 
 [[http://www.fs-security.com/|FS security]]\\ [[http://www.fs-security.com/|FS security]]\\
  
Line 8: Line 9:
 echo "* Running $0" echo "* Running $0"
 echo "*************" echo "*************"
 +echo "* http://tnt.aufbix.org/ linux firewall script"
  
 echo echo
Line 24: Line 26:
  
 # path to iptables and iproute2 files # path to iptables and iproute2 files
- 
 IPTB="/sbin/iptables" IPTB="/sbin/iptables"
 IP="/sbin/ip" IP="/sbin/ip"
  
 # name of our Internet and intranet interfaces # name of our Internet and intranet interfaces
-# 
 # use INTRANET="eth1+" or INTERNET="eth0+" # use INTRANET="eth1+" or INTERNET="eth0+"
 # if you have more ifaces (example: eth0:0)  towards Intranet/Internet # if you have more ifaces (example: eth0:0)  towards Intranet/Internet
-INTRANET="eth1"+
 +# WAN Interface
 INTERNET="eth0" INTERNET="eth0"
 # ADSL - INTERNET="ppp0" # ADSL - INTERNET="ppp0"
 +#
 +# LAN Interface
 +INTRANET="eth1"
      
 # what IPs are used in intranet # what IPs are used in intranet
Line 48: Line 52:
 # what UDP ports/services we allow (and FORWARD) from Internet # what UDP ports/services we allow (and FORWARD) from Internet
 # use "," as delimiter # use "," as delimiter
-UDP_PORTS="53"+UDP_PORTS="53,123"
  
 # which ports we forward into our intranet # which ports we forward into our intranet
Line 57: Line 61:
 WE_HAVE_INTRANET="0" WE_HAVE_INTRANET="0"
  
 +
 TRUSTED_HOSTS="193.77.1.1/32 \ TRUSTED_HOSTS="193.77.1.1/32 \
 212.93.224.0/19 \ 212.93.224.0/19 \
 212.18.32.0/24" 212.18.32.0/24"
  
 +# enable IP forwarding (routing!)
 echo "0" > /proc/sys/net/ipv4/ip_forward echo "0" > /proc/sys/net/ipv4/ip_forward
 +
 +# enable PMTU (mss/mtu discovery)
 +echo "1" > /proc/sys/net/ipv4/tcp_mtu_probing
  
 # first we flush the tables and policy # first we flush the tables and policy
Line 72: Line 81:
 $IPTB -t nat -F $IPTB -t nat -F
  
 +# new chain for SSH and HTTP access
 $IPTB -N ssh-access $IPTB -N ssh-access
 $IPTB -N http-access $IPTB -N http-access
  
-   
 # port redirection (transparent proxy) # port redirection (transparent proxy)
 # redirect all outgoing traffic that is NOT for the GW to local (GW) ports # redirect all outgoing traffic that is NOT for the GW to local (GW) ports
 +# DNS (53/tcp and 53/udp) and SMTP (25/tcp)
 #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
 #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
Line 88: Line 98:
 $IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  
-Connection limit for SSH connections (3 connection per minute) - usefull agains ssh scanners if you MUST open SSH for every IP! +move all SSH and HTTP traffic to apropriate chains
-# it is wise to use sshaccess input table (TRUSTED_HOSTS) +
-#$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCESS +
-#$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP +
 $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access
 $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access
  
-# ssh+# ssh chain
 for sshhostese in $TRUSTED_HOSTS; for sshhostese in $TRUSTED_HOSTS;
         do         do
         $IPTB -A ssh-access -s $sshhostese -j ACCEPT         $IPTB -A ssh-access -s $sshhostese -j ACCEPT
         done         done
 + # Connection limit for SSH connections (1 connection per minute PER source IP)
 + # - usefull against ssh scanners if you MUST open SSH for every IP!
 +$IPTB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
 +$IPTB -A ssh-access -j DROP
 # ssh # ssh
  
Line 109: Line 119:
         done         done
 # http # http
- 
  
 # IPSEC # IPSEC
Line 117: Line 126:
  
 # we allow all traffic from $INTRANET and localhost interfaces # we allow all traffic from $INTRANET and localhost interfaces
-$IPTB -A INPUT -i $INTRANET -j ACCEPT +$IPTB -A INPUT -i $INTRANET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT 
-$IPTB -A INPUT -i lo -j ACCEPT+$IPTB -A INPUT -i lo  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  
-#$IPTB -A INPUT -m state --state INVALID -m limit --limit 1/minute -j LOG --log-prefix "INVALID packet> " +$IPTB -A INPUT -m state --state INVALID -m limit --limit 1/minute -j LOG --log-prefix "packet not in conntrack> " 
-#$IPTB -A INPUT -m state --state INVALID -j DROP+$IPTB -A INPUT -m state --state INVALID -j DROP
  
 # #
Line 128: Line 137:
    
 #FIN is set and ACK is not #FIN is set and ACK is not
-$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP 
 $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN> " $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN> "
 +$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
  
 #PSH is set and ACK is not #PSH is set and ACK is not
 +$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH> "
 $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
-$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH> " 
  
 #URG is set and ACK is not #URG is set and ACK is not
 +$IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG> "
 $IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP $IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
-$IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG> " 
  
 # Block portscans: # Block portscans:
Line 155: Line 164:
  
 #FIN and RST are both set #FIN and RST are both set
-$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 
 $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "fin/rts flag>" $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "fin/rts flag>"
 +$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  
- +$IPTB -A INPUT -f -j LOG --log-prefix "Lost FRAGMENT> "
-$IPTB -A INPUT -f -j LOG --log-prefix "FRAGMENT> "+
 $IPTB -A INPUT -f -j DROP $IPTB -A INPUT -f -j DROP
  
Line 178: Line 186:
 $IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP $IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  
- +# what we allow from Internet - TCP ports
-# what we allow from Internet+
 for i in $TCP_PORTS for i in $TCP_PORTS
  do  do
- $IPTB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT + $IPTB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT 
-    done+        done
  
 +# what we allow from Internet - UDP ports
 $IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT $IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT
  
Line 190: Line 198:
 $IPTB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset $IPTB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
  
-# traceroute+# traceroute (udp - IOS, Uni*es)
 $IPTB -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT $IPTB -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT
  
 # Log and drop ICMP fragments (shouldn not happen at all, but often used for DoS) # Log and drop ICMP fragments (shouldn not happen at all, but often used for DoS)
 $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix "Fragmented incoming ICMP> " $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix "Fragmented incoming ICMP> "
-$IPTB -A INPUT -i $INTERNET --fragment -p icmp -j DROP+$IPTB -A INPUT -i $INTERNET --fragment -p icmp -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp-frag -j ACCEPT
  
 # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough
-$IPTB -A INPUT -p icmp --icmp-type 0  -m limit --limit 30/second -j ACCEPT +# echo-reply 
-$IPTB -A INPUT -p icmp --icmp-type 3  -m limit --limit 30/second -j ACCEPT +#$IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j ACCEPT 
-$IPTB -A INPUT -p icmp --icmp-type 4  -m limit --limit 30/second -j ACCEPT +$IPTB -A INPUT -p icmp --icmp-type 3 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp3 -j ACCEPT 
-$IPTB -A INPUT -p icmp --icmp-type 11 -m limit --limit 30/second -j ACCEPT +#$IPTB -A INPUT -p icmp --icmp-type 4 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp4 -j ACCEPT 
-$IPTB -A INPUT -p icmp --icmp-type 12 -m limit --limit 30/second -j ACCEPT+$IPTB -A INPUT -p icmp --icmp-type 11 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp11 -j ACCEPT 
 +$IPTB -A INPUT -p icmp --icmp-type 12 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp12 -j ACCEPT
 #icmp-traceroute #icmp-traceroute
-$IPTB -A INPUT -p icmp --icmp-type 30 -m limit --limit 30/second -j ACCEPT +$IPTB -A INPUT -p icmp --icmp-type 30 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp30 -j ACCEPT
 # echo-request # echo-request
-$IPTB -A INPUT -p icmp --icmp-type 8  -m limit --limit 3/second -j ACCEPT+$IPTB -A INPUT -p icmp --icmp-type 8 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp8 -j ACCEPT
  
 # if the default policy is not DROP then we must use this # if the default policy is not DROP then we must use this
Line 228: Line 236:
 $IPTB -A FORWARD -m state --state INVALID -j DROP $IPTB -A FORWARD -m state --state INVALID -j DROP
 $IPTB -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTB -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-$IPTB -A FORWARD -m state --state NEW -i $INTERNET -j ACCEPT+$IPTB -A FORWARD -m state --state NEW -i $INTERNET -j ACCEPT
  
 $IPTB -A FORWARD -m pkttype --pkt-type broadcast -j DROP $IPTB -A FORWARD -m pkttype --pkt-type broadcast -j DROP
Line 239: Line 247:
 $IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP $IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP
  
-adsl +ADSL (PPPoE connections) 
-#$IPTB -I FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu+#$IPTB -I FORWARD -tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 $IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu $IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
  
Line 246: Line 254:
 # in "valid-macs" file # in "valid-macs" file
 #for mac in `cat valid-macs`; do $IPTB -I FORWARD -m mac --mac-source $mac -j fwfilter ; done #for mac in `cat valid-macs`; do $IPTB -I FORWARD -m mac --mac-source $mac -j fwfilter ; done
 +
 +# OUTPUT
 +$IPTB -P OUTPUT DROP
 +
 +# only allow NEW and related connections out
 +$IPTB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      
 # list the rules # list the rules
-$IPTB -L -v -n+$IPTB -L -v -n --line 
 +$IPTB -t nat -L -v -n --line
      
 echo $WE_HAVE_INTRANET > /proc/sys/net/ipv4/ip_forward echo $WE_HAVE_INTRANET > /proc/sys/net/ipv4/ip_forward
  
 </code> </code>
linux/firewall.txt · Last modified: 2019/04/15 10:18 by zagi
Show pageOld revisions
Media ManagerBack to top
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready