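#! /bin/sh
#
# firewall setting up IPTables firewalling
#
# tom-at-lemuria-dot-org
# if you find any bugs, you may keep them :)
#
# Usage: firewall {start|stop}
#
# start: flush everything, set DROP as the default policy on INPUT, FORWARD
#        and OUTPUT, add scan/flood logging, then open the selected services.
# stop:  flush all rules and set all three policies back to ACCEPT -- note
#        that this leaves the host completely open, not "firewalled off".
#
# The script runs under set -e. Once the DROP policies are in place, any
# failing iptables or /proc/sys step aborts the run and leaves a half-built,
# mostly closed firewall behind (including no ssh). Run it from a console
# the first time.
#
# The original copy of this script had its quotes and "--" mangled by a web
# page (curly quotes, en-dashes); they are restored to plain ASCII here.

IPTABLES="/sbin/iptables"
set -eu

# Print a progress message with no trailing newline (echo -n is not POSIX).
say() {
  printf '%s' "$*"
}

# Write a value to a /proc/sys knob: $1 = value, $2 = knob path.
set_sysctl() {
  printf '%s\n' "$1" > "$2"
}

# Flush all rules, set the DROP default policies and create the per-protocol
# INPUT sub-chains (in_tcp / in_udp / in_icmp) the later phases fill.
fw_default_policy() {
  say "setting default policy: "
  # syncookies and NO ip-forwarding
  set_sysctl 1 /proc/sys/net/ipv4/tcp_syncookies
  set_sysctl 0 /proc/sys/net/ipv4/ip_forward
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -Z
  # From here on a failure (set -e) leaves the host closed.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -N in_icmp
  "$IPTABLES" -N in_tcp
  "$IPTABLES" -N in_udp
  "$IPTABLES" -A INPUT -p tcp -j in_tcp
  "$IPTABLES" -A INPUT -p udp -j in_udp
  "$IPTABLES" -A INPUT -p icmp -j in_icmp
  echo "done"
}

# Kernel-side hardening: log martians, ignore ICMP redirects, source routing
# and broadcast pings.
fw_antispoof() {
  say "spoofing, redirect and broadcast protection/logging: "
  set_sysctl 1 /proc/sys/net/ipv4/conf/all/log_martians
  set_sysctl 0 /proc/sys/net/ipv4/conf/all/accept_redirects
  set_sysctl 0 /proc/sys/net/ipv4/conf/all/accept_source_route
  set_sysctl 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo "done"
}

# Logging-only scan detection: the psd match if its module is present,
# otherwise rate-limited LOG rules for the usual flag combinations.
# These rules only log; the packets still fall through to the DROP policy.
fw_scan_detection() {
  say "enabling scan detection: "
  # NOTE(review): this looks for a 2.4-style ".o" module only; a kernel that
  # ships ipt_psd under another name/suffix silently gets the fallback rules.
  psd_mod="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_psd.o"
  if [ -f "$psd_mod" ]; then
    "$IPTABLES" -A INPUT -m psd -m limit --limit 5/minute -j LOG --log-prefix '#### Port Scan ####'
    echo "psd enabled"
  else
    "$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/minute -j LOG --log-prefix '#### Ping Scan ####'
    # high rate for stealth scans, since they could be legitimate connection
    # attempts as well
    "$IPTABLES" -A in_tcp -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 -j LOG --log-level info --log-prefix '#### Stealth Scan ####'
    "$IPTABLES" -A in_tcp -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### XMAS Scan ####'
    "$IPTABLES" -A in_tcp -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### SYN/RST Scan ####'
    "$IPTABLES" -A in_tcp -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### SYN/FIN Scan ####'
    echo "limited detection enabled (no ipt_psd module)"
  fi
}

# SYN-flood throttling plus logging of invalid/odd TCP packets.
fw_flood_protection() {
  say "flood, fragment and various other protections: "
  # we allow 4 TCP connects per second, no more
  # NOTE: -m limit is a single global bucket, not per source: one flooding
  # peer throttles new connections for every client at the same time.
  "$IPTABLES" -N syn-flood
  "$IPTABLES" -A INPUT -p tcp --syn -j syn-flood
  "$IPTABLES" -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
  "$IPTABLES" -A syn-flood -j DROP
  # new connections that have no syn set are most probably evil
  "$IPTABLES" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  # invalid packets (log only; they are dropped by the INPUT policy)
  "$IPTABLES" -A INPUT -p tcp -m state --state INVALID -m limit --limit 10/m -j LOG --log-level info --log-prefix "### Invalid Packet ###"
  "$IPTABLES" -A INPUT -p tcp --tcp-option 64 -m limit --limit 5/m -j LOG --log-level info --log-prefix "### Bad TCP FLAG(64) ###"
  "$IPTABLES" -A INPUT -p tcp --tcp-option 128 -m limit --limit 5/m -j LOG --log-level info --log-prefix "### Bad TCP FLAG(128) ###"
  echo "done"
}

# Accepted ICMP types: echo reply/request, destination unreachable,
# time exceeded and traceroute.
fw_icmp() {
  say "setting up ICMP: "
  # we allow echo requests and replies
  # could limit replies to related, but since we answer ping requests,
  # where would be the point in that?
  "$IPTABLES" -A in_icmp -p icmp --icmp-type 0 -j ACCEPT
  "$IPTABLES" -A in_icmp -p icmp --icmp-type 8 -j ACCEPT
  # we need destination unreachable
  "$IPTABLES" -A in_icmp -p icmp --icmp-type 3 -j ACCEPT
  # we are nice and allow traceroute, though it is not required
  "$IPTABLES" -A in_icmp -p icmp --icmp-type 11 -j ACCEPT
  "$IPTABLES" -A in_icmp -p icmp --icmp-type 30 -j ACCEPT
  echo "done"
}

# Loopback, replies to our own connections, all outgoing traffic, and a
# polite REJECT for ident. Rules added with -I go to the head of in_tcp.
fw_local_and_outgoing() {
  say "enabling local and outgoing traffic: "
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -I in_tcp -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
  # OUTPUT policy is DROP, but everything leaving the host is accepted here.
  "$IPTABLES" -A OUTPUT -j ACCEPT
  # we are nice and reject instead of drop ident traffic
  "$IPTABLES" -I in_tcp -p tcp --dport auth -j REJECT
  echo "done"
}

# Open the public services. Every rule is inserted with -I, so the last one
# added here ends up first in the chain; order does not matter since all
# of them ACCEPT.
fw_services() {
  say "enabling selected services:"
  "$IPTABLES" -I in_tcp -p tcp --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
  say " http"
  "$IPTABLES" -I in_tcp -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
  say " ssh"
  "$IPTABLES" -I in_tcp -p tcp --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
  say " smtp"
  "$IPTABLES" -I in_tcp -p tcp --dport imaps -m state --state NEW,ESTABLISHED -j ACCEPT
  say " imaps"
  "$IPTABLES" -I in_tcp -p tcp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPTABLES" -I in_udp -p udp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
  say " dns"
  "$IPTABLES" -I in_tcp -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
  # active ftp
  # NOTE(review): matching ftp-data as RELATED needs the FTP conntrack helper
  # (ip_conntrack_ftp) loaded; this script only loads ip_conntrack -- confirm.
  "$IPTABLES" -I in_tcp -p tcp --dport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
  say " ftp"
  # quake3
  # This is the widest hole in the rule set: stateless ACCEPT of ANY UDP to
  # 1024-65535 from anywhere. Narrow it to the game port(s) where possible.
  "$IPTABLES" -I in_udp -p udp --dport 1024:65535 -j ACCEPT
  say " quake (all UDP >1024)"
  echo " - all done"
}

# "start": build the whole rule set in order.
fw_start() {
  echo "Starting firewall: "
  # Under set -e a failing modprobe (e.g. conntrack built into the kernel or
  # named differently) aborts here, before any rule is touched.
  modprobe ip_conntrack
  fw_default_policy
  fw_antispoof
  fw_scan_detection
  fw_flood_protection
  fw_icmp
  fw_local_and_outgoing
  fw_services
  echo "Firewall setup complete."
}

# "stop": flush everything and fall back to ACCEPT on all chains.
# The /proc/sys settings from start are NOT reverted.
fw_stop() {
  say "Shutting down firewall: "
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  echo "done"
}

# Print usage and exit 1. $NAME is the init.d skeleton variable; fall back
# to this script's own name when it is not set.
usage() {
  N="/etc/init.d/${NAME:-${0##*/}}"
  echo "Usage: $N {start|stop}" >&2
  exit 1
}

case "${1-}" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  *)
    usage
    ;;
esac
exit 0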