iptables setup


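#! /bin/sh
#
# firewall   setting up IPTables firewalling
#
# Usage: firewall {start|stop}
#
#   start  flushes the filter table, installs DROP policies on INPUT,
#          FORWARD and OUTPUT, builds per-protocol chains (in_tcp, in_udp,
#          in_icmp) plus a syn-flood limiter, and finally opens the
#          selected services.
#   stop   flushes everything and resets all three policies to ACCEPT,
#          i.e. the host is left completely open.
#
# The script runs under "set -e", so any failing iptables command aborts
# it.  The DROP policies are installed before the ACCEPT rules, which means
# an abort in the middle of "start" leaves the host with a default-DROP
# INPUT chain and possibly no ssh access -- edit and test it from a console.
#
# Only the filter table is touched; nat and mangle are left alone.
#
# tom-at-lemuria-dot-org
# if you find any bugs, you may keep them :)
#

IPTABLES="/sbin/iptables"
readonly IPTABLES

set -e

case "${1:-}" in
start)
  echo "Starting firewall: "
  modprobe ip_conntrack
  printf '%s' "setting default policy: "
  # syncookies and NO ip-forwarding
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  echo 0 > /proc/sys/net/ipv4/ip_forward
  # start from a clean filter table: flush rules, delete user chains,
  # zero the counters
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -Z
  # default-deny in all directions; everything allowed below is an
  # explicit exception
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT DROP
  # per-protocol chains, INPUT dispatches into them by protocol
  "$IPTABLES" -N in_icmp
  "$IPTABLES" -N in_tcp
  "$IPTABLES" -N in_udp
  "$IPTABLES" -A INPUT -p tcp -j in_tcp
  "$IPTABLES" -A INPUT -p udp -j in_udp
  "$IPTABLES" -A INPUT -p icmp -j in_icmp
  echo "done"
  printf '%s' "spoofing, redirect and broadcast protection/logging: "
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo "done"
  printf '%s' "enabling scan detection: "
  # All rules in this section are LOG only: LOG is a non-terminating
  # target, the packet carries on and is eventually discarded by the
  # INPUT DROP policy.  "-m limit" keeps a scan from flooding the log.
  # NOTE: this test looks for the 2.4-style module name (ipt_psd.o);
  # 2.6+ kernels name modules *.ko, so they always take the else branch.
  if [ -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_psd.o" ]; then
    "$IPTABLES" -A INPUT -m psd -m limit --limit 5/minute -j LOG --log-prefix '#### Port Scan ####'
    echo "psd enabled"
  else
    "$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/minute -j LOG --log-prefix '#### Ping Scan ####'
    # high rate for stealth scans, since they could be legitimate connection
    # attempts as well
    "$IPTABLES" -A in_tcp -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 -j LOG --log-level info --log-prefix '#### Stealth Scan ####'
    "$IPTABLES" -A in_tcp -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### XMAS Scan ####'
    "$IPTABLES" -A in_tcp -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### SYN/RST Scan ####'
    "$IPTABLES" -A in_tcp -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### SYN/FIN Scan ####'
    echo "limited detection enabled (no ipt_psd module)"
  fi
  printf '%s' "flood, fragment and various other protections: "
  # we allow 4 TCP connects per second, no more
  # (the limit rule RETURNs to INPUT while under the rate; anything above
  # it falls through to the DROP at the end of the chain)
  "$IPTABLES" -N syn-flood
  "$IPTABLES" -A INPUT -p tcp --syn -j syn-flood
  "$IPTABLES" -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
  "$IPTABLES" -A syn-flood -j DROP
  # new connections that have no syn set are most probably evil
  "$IPTABLES" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  # invalid packets -- logged only, the policy drops them
  "$IPTABLES" -A INPUT -p tcp -m state --state INVALID -m limit --limit 10/m -j LOG --log-level info --log-prefix "### Invalid Packet ###"
  "$IPTABLES" -A INPUT -p tcp --tcp-option 64 -m limit --limit 5/m -j LOG --log-level info --log-prefix "### Bad TCP FLAG(64) ###"
  "$IPTABLES" -A INPUT -p tcp --tcp-option 128 -m limit --limit 5/m -j LOG --log-level info --log-prefix "### Bad TCP FLAG(128) ###"
  echo "done"
  printf '%s' "setting up ICMP: "
  # we allow echo requests and replies
  # could limit replies to related, but since we
  # answer ping requests, where would be the point in that?
  "$IPTABLES" -A in_icmp -p icmp --icmp-type 0 -j ACCEPT
  "$IPTABLES" -A in_icmp -p icmp --icmp-type 8 -j ACCEPT
  # we need destination unreachable
  "$IPTABLES" -A in_icmp -p icmp --icmp-type 3 -j ACCEPT
  # we are nice and allow traceroute, though it is not required
  "$IPTABLES" -A in_icmp -p icmp --icmp-type 11 -j ACCEPT
  "$IPTABLES" -A in_icmp -p icmp --icmp-type 30 -j ACCEPT
  echo "done"
  printf '%s' "enabling local and outgoing traffic: "
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  # replies to our own outgoing TCP connections; note that every later
  # "-I in_tcp" lands in front of this rule, so the service rules below
  # take precedence over it
  "$IPTABLES" -I in_tcp -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
  # all outgoing traffic is allowed unconditionally
  "$IPTABLES" -A OUTPUT -j ACCEPT
  # we are nice and reject instead of drop ident traffic
  "$IPTABLES" -I in_tcp -p tcp --dport auth -j REJECT
  echo "done"
  printf '%s' "enabling selected services:"
  "$IPTABLES" -I in_tcp -p tcp --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
  printf '%s' " http"
  "$IPTABLES" -I in_tcp -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
  printf '%s' " ssh"
  "$IPTABLES" -I in_tcp -p tcp --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
  printf '%s' " smtp"
  "$IPTABLES" -I in_tcp -p tcp --dport imaps -m state --state NEW,ESTABLISHED -j ACCEPT
  printf '%s' " imaps"
  "$IPTABLES" -I in_tcp -p tcp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPTABLES" -I in_udp -p udp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
  printf '%s' " dns"
  "$IPTABLES" -I in_tcp -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
  # active ftp
  "$IPTABLES" -I in_tcp -p tcp --dport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
  printf '%s' " ftp"
  # quake3
  # This is the broadest rule in the set: it accepts ANY inbound UDP to an
  # unprivileged port, with no state match, so every UDP service listening
  # above 1024 is reachable.  Narrow it to the actual game ports if that
  # is not intended.
  "$IPTABLES" -I in_udp -p udp --dport 1024:65535 -j ACCEPT
  printf '%s' " quake (all UDP >1024)"
  echo " - all done"
  echo "Firewall setup complete."
  ;;
stop)
  printf '%s' "Shutting down firewall: "
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  echo "done"
  ;;
*)
  # NAME may be exported by an init wrapper; fall back to this script's
  # own name instead of printing "/etc/init.d/" when it is unset.
  N="/etc/init.d/${NAME:-${0##*/}}"
  echo "Usage: $N {start|stop}" >&2
  exit 1
  ;;
esac

exit 0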
