From 499b1db1f685a0cac432fe1e5b885dccce6565c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Schneider?=
Date: Mon, 7 Mar 2011 18:12:12 +0100
Subject: [PATCH] Rename firewall to eofirewall and add a minimal makefile

---
 Makefile | 17 ++++
 README | 4 +
 firewall | 248 ++++++++++++++++++++++++++++++++++++++++++++++++++
 firewall.conf | 45 +++++++++
 iptables.conf | 2 +
 5 files changed, 316 insertions(+)
 create mode 100644 Makefile
 create mode 100644 README
 create mode 100755 firewall
 create mode 100644 firewall.conf
 create mode 100644 iptables.conf

diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..0327b4b
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,17 @@
+##
+## Makefile for firewall
+##
+## Made by jerome schneider Entr'ouvert
+## Login
+##
+
+NAME = firewall
+RM = rm -rf
+DESTDIR=
+
+install:
+ install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d/
+ install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/
+ install -m 0640 -o root -g root iptables.conf $(DESTDIR)/etc/rsyslog.d
+ install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
+
diff --git a/README b/README
new file mode 100644
index 0000000..3b0d7ad
--- /dev/null
+++ b/README
@@ -0,0 +1,4 @@
+= INSTALLATION =
+ * Install rsyslog
+ * make install
+ * use /etc/init.d/firewall [stop | start | restart]
diff --git a/firewall b/firewall
new file mode 100755
index 0000000..94131d2
--- /dev/null
+++ b/firewall
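Review bot: The commit title says the script is renamed to `eofirewall`, but `NAME = firewall` in this Makefile and every installed path (`$(DESTDIR)/etc/firewall.conf`, `$(DESTDIR)/etc/init.d/firewall`) still carries the old name, so either the title or the Makefile is out of date. The `install -m 0640 -o root -g root $(NAME).conf` mode is the right choice and deserves a why-comment, because the init script `source`s that file as root and it can carry arbitrary shell in `ipt_hook()`: `# 0640 root: firewall.conf is sourced by the root init script; never loosen this`. The rsyslog snippet is dropped into `$(DESTDIR)/etc/rsyslog.d` but nothing reloads rsyslog, so `/var/log/iptables.log` stays empty until the daemon is restarted — worth a comment on that install line or a step in the README.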
@@ -0,0 +1,248 @@
+#!/bin/bash
+
+### BEGIN INIT INFO
+# Provides: firewall.sh
+# Required-Start: $remote_fs $syslog $network
+# Required-Stop: $remote_fs $syslog $network
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Iptables firewall
+# Description: An iptables firewall
+### END INIT INFO
+
+source /etc/firewall.conf
+NAME="firewall.sh"
+
+abort()
+{
+ message=$@
+ echo >&2
+ echo -e "$message" >&2
+ echo >&2
+ exit 1
+}
+
+clean()
+{
+ $IPTABLES -F
+ $IPTABLES -F INPUT
+ $IPTABLES -F OUTPUT
+ $IPTABLES -F FORWARD
+ $IPTABLES -F -t mangle
+ $IPTABLES -F -t nat
+ $IPTABLES -X
+}
+
+forward_port()
+{
+ traffic=$1
+ source=$(echo $traffic | cut -d "-" -f1)
+ port=$(echo $traffic | cut -d "-" -f2)
+ destination=$(echo $traffic | cut -d "-" -f3)
+ proto=$(echo $traffic | cut -d "-" -f4)
+ dest_ip=$(echo $destination | cut -d ":" -f1)
+ dest_port=$(echo $destination | cut -d ":" -f2)
+
+ echo "+ Forward $port to $destination for protocol $proto"
+ $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ! INVALID -j ACCEPT
+ $IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
+}
+
+port_redirection()
+{
+ redirection=$1
+ int=$(echo $traffic | cut -d "-" -f1)
+ srcport=$(echo $traffic | cut -d "-" -f2)
+ destport=$(echo $traffic | cut -d "-" -f3)
+ proto=$(echo $traffic | cut -d "-" -f4)
+
+ echo "+ Redirect $int port $srcport to $destport for portocol $proto"
+ iptables -t nat -A PREROUTING -i $int -p $proto --dport $srcport -j REDIRECT --to-port $destport
+}
+
+start()
+{
+ echo "Starting: Firewall"
+ modprobe ip_conntrack
+ clean
+
+ # default policies
+ $IPTABLES -P INPUT DROP
+ $IPTABLES -P FORWARD DROP
+ $IPTABLES -P OUTPUT DROP
+
+ ## allow packets coming from the machine
+ $IPTABLES -A INPUT -i lo -j ACCEPT
+ $IPTABLES -A OUTPUT -o lo -j ACCEPT
+
+ echo "+ Allow WAN outgoing traffic"
+ $IPTABLES -A OUTPUT -o $WAN_INT -p all -m state --state ! INVALID -j ACCEPT
+ $IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+ if [ $LAN == 1 ]; then
+ echo "+ Allow WAN outgoing traffic from lan"
+ $IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state --state ! INVALID -j ACCEPT
+ $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ echo "+ Allow local network"
+ $IPTABLES -A OUTPUT -o $LAN_INT -p all -j ACCEPT
+ $IPTABLES -A INPUT -i $LAN_INT -p all -j ACCEPT
+ for ALLOW_INT in $ALLOW_INTS; do
+ echo "+ Allow WAN outgoing traffic for interface $ALLOW_INT"
+ $IPTABLES -A FORWARD -i $ALLOW_INT -o $WAN_INT -p all -m state --state ! INVALID -j ACCEPT
+ $IPTABLES -A FORWARD -i $WAN_INT -o $ALLOW_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ echo "+ Allow local network"
+ $IPTABLES -A OUTPUT -o $ALLOW_INT -p all -j ACCEPT
+ $IPTABLES -A INPUT -i $ALLOW_INT -p all -j ACCEPT
+ done
+ fi
+
+ ## block spoofing
+ echo "+ Block spoofing"
+ echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+
+ ## NMAP FIN/URG/PSH
+ echo "+ Block scan ports"
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+
+ ## stop Xmas Tree type scanning
+ echo "+ Block Xmas Tree"
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+ ## stop null scanning
+ echo "+ Block null scanning"
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP
+ ## SYN/RST
+ echo "+ Block SYN/RST"
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+ ## SYN/FIN
+ echo "+ Block SYN/FIN"
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+
+ ## stop sync flood
+ echo "+ Block Syn flood"
+ echo "1" >/proc/sys/net/ipv4/tcp_syncookies
+ echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog
+
+ if [ $PING == 1 ]; then
+ echo "+ PING allowed"
+ ## stop ping flood attack
+ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+ echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+ # Don't accept ICMP redirect messages
+ echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
+ # Don't send ICMP redirect messages
+ echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+ $IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
+ $IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "iptables: PING-FLOOD: " --log-ip-options --log-level 4
+ $IPTABLES -A INPUT -p icmp -j DROP
+ fi
+
+ if [ $FTP == 1 ]; then
+ echo "+ FTP allowed"
+ modprobe ip_conntrack_ftp
+ $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
+ # Data
+ $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
+ $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
+ # Passive mod
+ $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
+ $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+ fi
+
+
+ ## OPEN PORTS
+ for traffic in $OPEN_PORTS; do
+ source=$(echo $traffic | cut -d "-" -f1)
+ proto=$(echo $traffic | cut -d "-" -f2)
+ ports=$(echo $traffic | cut -d "-" -f3)
+ for port in $(echo $ports | sed 's/,/ /g'); do
+ echo "+ Open port $port to $source for protocol $proto"
+ $IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $IP --dport $port -m state --state ! INVALID -j ACCEPT
+ done
+ done
+
+ ## Port forwading
+ for traffic in $TRAFFICS; do
+ forward_port $traffic
+ done
+
+ ## Port redirection
+ for redirection in $REDIRECTIONS; do
+ port_redirection $redirection
+ done
+
+ ## NAT
+ if [ $NAT == 1 ]; then
+ echo "+ Activate nat"
+ modprobe ip_nat_ftp
+ modprobe ip_nat_irc
+ $IPTABLES -t nat -A POSTROUTING -s $LAN_NETWORK -j MASQUERADE
+ fi
+
+ ipt_hook
+
+ ## LOG
+ ## Create a LOGDROP chain to log and drop packets
+ $IPTABLES -N LOGDROP
+ $IPTABLES -A LOGDROP -j LOG --log-prefix "iptables: " --log-level 4
+ $IPTABLES -A LOGDROP -j DROP
+
+ $IPTABLES -A INPUT -j LOGDROP
+ $IPTABLES -A OUTPUT -j LOGDROP
+ $IPTABLES -A FORWARD -j LOGDROP
+}
+
+
+stop()
+{
+ echo "+ Firewall stoped"
+ $IPTABLES -t filter -F
+ $IPTABLES -t filter -X
+
+ $IPTABLES -t filter -P INPUT ACCEPT
+ $IPTABLES -t filter -P FORWARD ACCEPT
+ $IPTABLES -t filter -P OUTPUT ACCEPT
+
+ $IPTABLES -t nat -F
+ $IPTABLES -t nat -X
+
+ $IPTABLES -t nat -P PREROUTING ACCEPT
+ $IPTABLES -t nat -P OUTPUT ACCEPT
+ $IPTABLES -t nat -P POSTROUTING ACCEPT
+
+ $IPTABLES -t mangle -F
+ $IPTABLES -t mangle -X
+
+ $IPTABLES -t mangle -P PREROUTING ACCEPT
+ $IPTABLES -t mangle -P INPUT ACCEPT
+ $IPTABLES -t mangle -P FORWARD ACCEPT
+}
+
+case "$1" in
+ start)
+ start || exit 1
+ ;;
+ stop)
+ stop || exit 1
+ ;;
+ restart|force-reload)
+ stop
+ start || exit 1
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ abort "Usage: $N {start|stop|restart|force-reload}" >&2
+ ;;
+esac
+
+exit 0
diff --git a/firewall.conf b/firewall.conf
new file mode 100644
index 0000000..5e7827a
--- /dev/null
+++ b/firewall.conf
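Review bot: `port_redirection()` splits `$traffic` instead of its own `$redirection` argument, so every REDIRECTIONS entry is parsed from whatever the preceding `for traffic in $TRAFFICS` loop left behind (empty fields when TRAFFICS is unset), and it calls bare `iptables` instead of `$IPTABLES`; the corrected body is below. In `start()`, `clean` flushes all chains before the three `-P ... DROP` lines run, so a `restart` (whose `stop` has just set the policies to ACCEPT) leaves the host with ACCEPT policies and no rules until those lines execute — move the policy lines ahead of `clean`, or load the whole ruleset atomically with `iptables-restore`. The `LOGDROP` chain and the scan-detection `-j LOG` rules carry no rate limit, so any unsolicited traffic can fill `/var/log/iptables.log`; put `-m limit --limit 5/min --limit-burst 10` in front of each `-j LOG`. Note also that the `accept_redirects`/`send_redirects`/`icmp_echo_ignore_broadcasts` sysctls are written only inside the `if [ $PING == 1 ]` branch, so that hardening is skipped entirely when ping is disabled, and only `conf/all/` is set, which on its own may not override per-interface values — confirm against the kernel's ip-sysctl documentation for the target kernel.
```shell
port_redirection()
{
    # Argument: "interface-srcport-destport-proto" (see REDIRECTIONS in firewall.conf).
    redirection=$1
    int=$(echo "$redirection" | cut -d "-" -f1)
    srcport=$(echo "$redirection" | cut -d "-" -f2)
    destport=$(echo "$redirection" | cut -d "-" -f3)
    proto=$(echo "$redirection" | cut -d "-" -f4)

    echo "+ Redirect $int port $srcport to $destport for protocol $proto"
    $IPTABLES -t nat -A PREROUTING -i "$int" -p "$proto" --dport "$srcport" -j REDIRECT --to-port "$destport"
}
```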
@@ -0,0 +1,45 @@
+IPTABLES=/sbin/iptables
+
+# WAN configuration
+WAN_INT='ethX'
+IP='x.x.x.x'
+
+# Allow ping
+PING=1
+
+# Allow FTP server (passive and active)
+FTP=0
+
+# NAT LAN_NETWORK
+NAT=0
+LAN_NETWORK=''
+# Allow traffic between the WAN and LAN
+LAN=0
+LAN_INT='ethX'
+
+# Allow all traffic for interface(s)
+# example ALLOW_INTS='br0 xenbr42'
+ALLOW_INTS=''
+
+# Open ports
+# source-protocole-portx:porty,portz,porta,... source-protocole-portx:porty,portz,.. ...
+# example : OPEN_PORTS='0.0.0.0/0-tcp-ssh,imap,imaps 0.0.0.0/0-udp-1342'
+OPEN_PORTS='0.0.0.0/0-tcp-ssh'
+
+# Port forwarding
+# source-port-destination:port-protocole source-port-destination:port-protocole ...
+# example : TRAFFICS='0.0.0.0/0-80-192.168.0.42:80-tcp 42.42.42.42-4242-192.168.0.43:22-tcp'
+TRAFFICS=""
+
+# Port redirection
+# interface-sourceport-destport-protocole
+# example : REDIRECTIONS='$LAN_INT-25-4242-tcp $WAN_INT-25-4242-udp eth42-32-25-tcp'
+REDIRECTIONS=""
+
+# Hook point to write your own iptables rules
+ipt_hook()
+{
+ echo "+ Load your own iptables rules"
+ # Write your own iptables rules here
+}
+
diff --git a/iptables.conf b/iptables.conf
new file mode 100644
index 0000000..455207a
--- /dev/null
+++ b/iptables.conf
@@ -0,0 +1,2 @@
+:msg,contains,"iptables:" /var/log/iptables.log
+& ~
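Review bot: The REDIRECTIONS example `'$LAN_INT-25-4242-tcp $WAN_INT-25-4242-udp eth42-32-25-tcp'` is single-quoted, so `$LAN_INT` and `$WAN_INT` are never expanded and a user who copies it hands the literal string `$LAN_INT` to `-i`; write it as `# example : REDIRECTIONS="$LAN_INT-25-4242-tcp $WAN_INT-25-4242-udp eth42-32-25-tcp"` (double quotes, after the `LAN_INT`/`WAN_INT` assignments it depends on, as it already is). Because this file is `source`d by the root init script and defines `ipt_hook()`, anyone who can write it runs shell as root; a header comment such as `# Sourced as root by /etc/init.d/firewall: keep this file root-owned and not group/world-writable (installed 0640)` makes that requirement explicit. The placeholders `WAN_INT='ethX'` and `IP='x.x.x.x'` are not checked anywhere, so an uncustomised `start` sets the DROP policies and then fails on `-d x.x.x.x` for the SSH rule, which can lock out remote administration — a comment stating that both must be set before the first `start` would help.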
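Review bot: The selector `:msg,contains,"iptables:"` matches on message text alone, so any local user can forge entries in `/var/log/iptables.log` with `logger 'iptables: ...'`; the firewall's LOG lines come from the kernel facility, so restricting the filter to it, e.g. `if $syslogfacility-text == 'kern' and $msg contains 'iptables:' then /var/log/iptables.log`, keeps the log trustworthy for incident review. The file is created with rsyslog's default creation mode (typically 0644), which exposes every logged source address to all local users; a preceding `$FileCreateMode 0640` would match the 0640 used for the other installed files. Since the init script logs every dropped packet, a logrotate stanza for this file is also worth adding alongside it.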