linux:firewall [2008/11/28 10:31]
greebo
linux:firewall [2019/04/15 10:18] (current)
zagi
Line 1: Line 1:
-[[linux:firewall6|Linux IPV6 firewall]]+[[linux:firewall6|Linux IPV6 firewall]]\\ 
 +[[linux:firewall_blocktor| how to block TOR network in realtime]]\\  
 +[[http://www.fs-security.com/|FS security]]\\
  
-<code bash>+<code bash |>
  
 #!/bin/bash #!/bin/bash
Line 7: Line 9:
 echo "* Running $0" echo "* Running $0"
 echo "*************" echo "*************"
 +echo "* http://tnt.aufbix.org/ linux firewall script"
  
 echo echo
Line 16: Line 19:
 TNX_IDIOT="yes" TNX_IDIOT="yes"
  
-echo " how iptables work in linux kernel 2.4.x/2.6.x"+echo " how iptables work in linux kernel"
 echo echo
 echo ">-[prerouting]-> + >-[forward]-> + >-[postrouting]->" echo ">-[prerouting]-> + >-[forward]-> + >-[postrouting]->"
Line 23: Line 26:
  
 # path to iptables and iproute2 files # path to iptables and iproute2 files
- 
 IPTB="/sbin/iptables" IPTB="/sbin/iptables"
 IP="/sbin/ip" IP="/sbin/ip"
  
 # name of our Internet and intranet interfaces # name of our Internet and intranet interfaces
-INTRANET="eth1"+# use INTRANET="eth1+or INTERNET="eth0+" 
 +# if you have more ifaces (example: eth0:0)  towards Intranet/Internet 
 +
 +# WAN Interface
 INTERNET="eth0" INTERNET="eth0"
 # ADSL - INTERNET="ppp0" # ADSL - INTERNET="ppp0"
 +#
 +# LAN Interface
 +INTRANET="eth1"
      
 # what IPs are used in intranet # what IPs are used in intranet
Line 40: Line 48:
 # what TCP ports/services we allow (and FORWARD) from Internet # what TCP ports/services we allow (and FORWARD) from Internet
 # use " " as delimiter # use " " as delimiter
-TCP_PORTS="22 25 53 80"+TCP_PORTS="25 53 80"
  
 # what UDP ports/services we allow (and FORWARD) from Internet # what UDP ports/services we allow (and FORWARD) from Internet
 # use "," as delimiter # use "," as delimiter
-UDP_PORTS="53"+UDP_PORTS="53,123"
  
 # which ports we forward into our intranet # which ports we forward into our intranet
Line 52: Line 60:
 # set to 1 if we you have intranet # set to 1 if we you have intranet
 WE_HAVE_INTRANET="0" WE_HAVE_INTRANET="0"
-  + 
 +#  
 +TRUSTED_HOSTS="193.77.1.1/32 \ 
 +212.93.224.0/19 \ 
 +212.18.32.0/24" 
 + 
 +# enable IP forwarding (routing!)
 echo "0" > /proc/sys/net/ipv4/ip_forward echo "0" > /proc/sys/net/ipv4/ip_forward
 +
 +# enable PMTU (mss/mtu discovery)
 +echo "1" > /proc/sys/net/ipv4/tcp_mtu_probing
  
 # first we flush the tables and policy # first we flush the tables and policy
 $IPTB -F $IPTB -F
 +$IPTB -X
 $IPTB -F INPUT $IPTB -F INPUT
 $IPTB -F FORWARD $IPTB -F FORWARD
 $IPTB -F OUTPUT $IPTB -F OUTPUT
 +
 $IPTB -t nat -F $IPTB -t nat -F
-  + 
 +# new chain for SSH and HTTP access 
 +$IPTB -N ssh-access 
 +$IPTB -N http-access 
 # port redirection (transparent proxy) # port redirection (transparent proxy)
 +# redirect all outgoing traffic that is NOT for the GW to local (GW) ports
 +# DNS (53/tcp and 53/udp) and SMTP (25/tcp)
 #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
 #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
Line 70: Line 95:
 $IPTB -P INPUT DROP $IPTB -P INPUT DROP
  
-# statefull firewall+# statefull firewall makes most hits
 $IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
 +# move all SSH and HTTP traffic to apropriate chains
 +$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access
 +$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access
 +
 +# ssh chain
 +for sshhostese in $TRUSTED_HOSTS;
 +        do
 +        $IPTB -A ssh-access -s $sshhostese -j ACCEPT
 +        done
 + # Connection limit for SSH connections (1 connection per minute PER source IP)
 + # - usefull against ssh scanners if you MUST open SSH for every IP!
 +$IPTB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
 +$IPTB -A ssh-access -j DROP
 +# ssh
 +
 +# http
 +for httphostese in $TRUSTED_HOSTS;
 +        do
 +        $IPTB -A http-access -s $httphostese -j ACCEPT
 +        done
 +# http
  
 # IPSEC # IPSEC
Line 79: Line 126:
  
 # we allow all traffic from $INTRANET and localhost interfaces # we allow all traffic from $INTRANET and localhost interfaces
-$IPTB -A INPUT -i $INTRANET -j ACCEPT +$IPTB -A INPUT -i $INTRANET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT 
-$IPTB -A INPUT -i lo -j ACCEPT+$IPTB -A INPUT -i lo  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  
-#$IPTB -A INPUT -m state --state INVALID -m limit --limit 1/minute -j LOG --log-prefix "INVALID packet> " +$IPTB -A INPUT -m state --state INVALID -m limit --limit 1/minute -j LOG --log-prefix "packet not in conntrack> " 
-#$IPTB -A INPUT -m state --state INVALID -j DROP+$IPTB -A INPUT -m state --state INVALID -j DROP
  
 # #
Line 90: Line 137:
    
 #FIN is set and ACK is not #FIN is set and ACK is not
-$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP 
 $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN> " $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN> "
 +$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
  
 #PSH is set and ACK is not #PSH is set and ACK is not
-$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP 
 $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH> " $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH> "
 +$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
  
 #URG is set and ACK is not #URG is set and ACK is not
-$IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP 
 $IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG> " $IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG> "
 +$IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
  
 # Block portscans: # Block portscans:
Line 117: Line 164:
  
 #FIN and RST are both set #FIN and RST are both set
 +$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "fin/rts flag>"
 $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "fin/rts flag>" 
- 
  
-$IPTB -A INPUT -f -j LOG --log-prefix "FRAGMENT> "+$IPTB -A INPUT -f -j LOG --log-prefix "Lost FRAGMENT> "
 $IPTB -A INPUT -f -j DROP $IPTB -A INPUT -f -j DROP
  
Line 140: Line 186:
 $IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP $IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  
-# Connection limit for SSH connections ( 1 connection per minute) +# what we allow from Internet - TCP ports
-$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT +
-$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP +
- +
-# what we allow from Internet+
 for i in $TCP_PORTS for i in $TCP_PORTS
  do  do
- $IPTB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT + $IPTB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT 
-    done+        done
  
 +# what we allow from Internet - UDP ports
 $IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT $IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT
  
Line 155: Line 198:
 $IPTB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset $IPTB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
  
-# traceroute+# traceroute (udp - IOS, Uni*es)
 $IPTB -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT $IPTB -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT
  
-# Log and drop ICMP fragments (shouldn'happen at all, but often used for DoS)+# Log and drop ICMP fragments (shouldn not happen at all, but often used for DoS)
 $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix "Fragmented incoming ICMP> " $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix "Fragmented incoming ICMP> "
-$IPTB -A INPUT -i $INTERNET --fragment -p icmp -j DROP+$IPTB -A INPUT -i $INTERNET --fragment -p icmp -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp-frag -j ACCEPT
  
 # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough
-$IPTB -A INPUT -p icmp --icmp-type 0  -m limit --limit 30/second -j ACCEPT +# echo-reply 
-$IPTB -A INPUT -p icmp --icmp-type 3  -m limit --limit 30/second -j ACCEPT +#$IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j ACCEPT 
-$IPTB -A INPUT -p icmp --icmp-type 4  -m limit --limit 30/second -j ACCEPT +# unreachables 
-$IPTB -A INPUT -p icmp --icmp-type 11 -m limit --limit 30/second -j ACCEPT +$IPTB -A INPUT -p icmp --icmp-type 3 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp3 -j ACCEPT 
-$IPTB -A INPUT -p icmp --icmp-type 12 -m limit --limit 30/second -j ACCEPT+# source-quench (depreciated) 
 +#$IPTB -A INPUT -p icmp --icmp-type 4 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp4 -j ACCEPT 
 +# timeout (forward loop prevention) 
 +$IPTB -A INPUT -p icmp --icmp-type 11 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp11 -j ACCEPT 
 +# parameter problem 
 +$IPTB -A INPUT -p icmp --icmp-type 12 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp12 -j ACCEPT
 #icmp-traceroute #icmp-traceroute
-$IPTB -A INPUT -p icmp --icmp-type 30 -m limit --limit 30/second -j ACCEPT +$IPTB -A INPUT -p icmp --icmp-type 30 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp30 -j ACCEPT
 # echo-request # echo-request
-$IPTB -A INPUT -p icmp --icmp-type 8  -m limit --limit 3/second -j ACCEPT+$IPTB -A INPUT -p icmp --icmp-type 8 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp8 -j ACCEPT
  
 # if the default policy is not DROP then we must use this # if the default policy is not DROP then we must use this
Line 193: Line 240:
 $IPTB -A FORWARD -m state --state INVALID -j DROP $IPTB -A FORWARD -m state --state INVALID -j DROP
 $IPTB -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTB -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-$IPTB -A FORWARD -m state --state NEW -i $INTERNET -j ACCEPT+$IPTB -A FORWARD -m state --state NEW -i $INTERNET -j ACCEPT
  
 $IPTB -A FORWARD -m pkttype --pkt-type broadcast -j DROP $IPTB -A FORWARD -m pkttype --pkt-type broadcast -j DROP
Line 204: Line 251:
 $IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP $IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP
  
-adsl +ADSL (PPPoE connections) 
-#$IPTB -I FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu+#$IPTB -I FORWARD -tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 $IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu $IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
  
Line 211: Line 258:
 # in "valid-macs" file # in "valid-macs" file
 #for mac in `cat valid-macs`; do $IPTB -I FORWARD -m mac --mac-source $mac -j fwfilter ; done #for mac in `cat valid-macs`; do $IPTB -I FORWARD -m mac --mac-source $mac -j fwfilter ; done
 +
 +# OUTPUT
 +$IPTB -P OUTPUT DROP
 +
 +# only allow NEW and related connections out
 +$IPTB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      
 # list the rules # list the rules
-$IPTB -L -v -n+$IPTB -L -v -n --line 
 +$IPTB -t nat -L -v -n --line
      
 echo $WE_HAVE_INTRANET > /proc/sys/net/ipv4/ip_forward echo $WE_HAVE_INTRANET > /proc/sys/net/ipv4/ip_forward
  
 </code> </code>
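Review bot: In the `Line 204: Line 251:` hunk the new side reads `ADSL (PPPoE connections)` with no leading `#`, which bash parses not as a comment but as a syntax error (a `(` after a word is only valid in a function definition), and a non-interactive shell exits at that point; the old `adsl` was merely an unknown command, so the script used to carry on. If the rendering is faithful, everything after that line — the MSS clamp rule, the new `OUTPUT DROP` policy and its accept rule, the listings, and the final `echo $WE_HAVE_INTRANET > /proc/sys/net/ipv4/ip_forward` — is never executed, so forwarding stays at the `0` written near the top even when `WE_HAVE_INTRANET` is `1`. The line should be `# ADSL (PPPoE connections)`. The commented rule directly below it also changed `--protocol tcp` to `-tcp`, which iptables would reject if it is ever uncommented; `-p tcp` is the intended form. Separately, in the `Line 155: Line 198:` hunk the ICMP fragment rule now ends in `-j ACCEPT` while the comment above it still says "Log and drop", so either the comment or the target should be brought in line.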