Rename firewall to eofirewall and add a minimal makefile
commit
499b1db1f6
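--- /dev/null
+++ b/Makefile
@@ -0,0 +1,17 @@
+##
+## Makefile for firewall
+##
+## Made by jerome schneider Entr'ouvert
+## Login <jschneider@entrouvert.org>
+##
+
+NAME = firewall
+RM = rm -rf
+DESTDIR=
+
+install:
+install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d/
+install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/
+install -m 0640 -o root -g root iptables.conf $(DESTDIR)/etc/rsyslog.d
+install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
+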
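Review bot: `make install` overwrites an existing `$(DESTDIR)/etc/firewall.conf` unconditionally on the second `install` line, and because that file carries the site's interfaces, open ports and the `ipt_hook` shell, a re-install silently resets a configured host to the `ethX`/`x.x.x.x` template, which the init script then applies as-is; guard it with `test -e $(DESTDIR)/etc/$(NAME).conf || install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/`. The `install` target is not declared phony, so a file named `install` in the source tree would make it a silent no-op; add `.PHONY: install`. `RM = rm -rf` is defined but never used, and `NAME = firewall` does not match the rename in the commit title — presumably it is meant to become `eofirewall`, in which case the hard-coded `source /etc/firewall.conf` in the init script has to follow, since the Makefile installs the config as `$(NAME).conf`.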
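--- /dev/null
+++ b/README
@@ -0,0 +1,4 @@
+= INSTALLATION =
+* Install rsyslog
+* make install
+* use /etc/init.d/firewall [stop | start | restart]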
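--- /dev/null
+++ b/firewall
@@ -0,0 +1,248 @@
+#!/bin/bash
+
+### BEGIN INIT INFO
+# Provides: firewall.sh
+# Required-Start: $remote_fs $syslog $network
+# Required-Stop: $remote_fs $syslog $network
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Iptables firewall
+# Description: An iptables firewall
+### END INIT INFO
+
+source /etc/firewall.conf
+NAME="firewall.sh"
+
+abort()
+{
+message=$@
+echo >&2
+echo -e "$message" >&2
+echo >&2
+exit 1
+}
+
+clean()
+{
+$IPTABLES -F
+$IPTABLES -F INPUT
+$IPTABLES -F OUTPUT
+$IPTABLES -F FORWARD
+$IPTABLES -F -t mangle
+$IPTABLES -F -t nat
+$IPTABLES -X
+}
+
+forward_port()
+{
+traffic=$1
+source=$(echo $traffic | cut -d "-" -f1)
+port=$(echo $traffic | cut -d "-" -f2)
+destination=$(echo $traffic | cut -d "-" -f3)
+proto=$(echo $traffic | cut -d "-" -f4)
+dest_ip=$(echo $destination | cut -d ":" -f1)
+dest_port=$(echo $destination | cut -d ":" -f2)
+
+echo "+ Forward $port to $destination for protocol $proto"
+$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ! INVALID -j ACCEPT
+$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
+}
+
+port_redirection()
+{
+redirection=$1
+int=$(echo $traffic | cut -d "-" -f1)
+srcport=$(echo $traffic | cut -d "-" -f2)
+destport=$(echo $traffic | cut -d "-" -f3)
+proto=$(echo $traffic | cut -d "-" -f4)
+
+echo "+ Redirect $int port $srcport to $destport for portocol $proto"
+iptables -t nat -A PREROUTING -i $int -p $proto --dport $srcport -j REDIRECT --to-port $destport
+}
+
+start()
+{
+echo "Starting: Firewall"
+modprobe ip_conntrack
+clean
+
+# default policies
+$IPTABLES -P INPUT DROP
+$IPTABLES -P FORWARD DROP
+$IPTABLES -P OUTPUT DROP
+
+## allow packets coming from the machine
+$IPTABLES -A INPUT -i lo -j ACCEPT
+$IPTABLES -A OUTPUT -o lo -j ACCEPT
+
+echo "+ Allow WAN outgoing traffic"
+$IPTABLES -A OUTPUT -o $WAN_INT -p all -m state --state ! INVALID -j ACCEPT
+$IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+if [ $LAN == 1 ]; then
+echo "+ Allow WAN outgoing traffic from lan"
+$IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state --state ! INVALID -j ACCEPT
+$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+echo "+ Allow local network"
+$IPTABLES -A OUTPUT -o $LAN_INT -p all -j ACCEPT
+$IPTABLES -A INPUT -i $LAN_INT -p all -j ACCEPT
+for ALLOW_INT in $ALLOW_INTS; do
+echo "+ Allow WAN outgoing traffic for interface $ALLOW_INT"
+$IPTABLES -A FORWARD -i $ALLOW_INT -o $WAN_INT -p all -m state --state ! INVALID -j ACCEPT
+$IPTABLES -A FORWARD -i $WAN_INT -o $ALLOW_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+echo "+ Allow local network"
+$IPTABLES -A OUTPUT -o $ALLOW_INT -p all -j ACCEPT
+$IPTABLES -A INPUT -i $ALLOW_INT -p all -j ACCEPT
+done
+fi
+
+## block spoofing
+echo "+ Block spoofing"
+echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+
+## NMAP FIN/URG/PSH
+echo "+ Block scan ports"
+$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
+$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+
+## stop Xmas Tree type scanning
+echo "+ Block Xmas Tree"
+$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
+$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP
+$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
+$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+## stop null scanning
+echo "+ Block null scanning"
+$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4
+$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP
+## SYN/RST
+echo "+ Block SYN/RST"
+$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4
+$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+## SYN/FIN
+echo "+ Block SYN/FIN"
+$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4
+$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+
+## stop sync flood
+echo "+ Block Syn flood"
+echo "1" >/proc/sys/net/ipv4/tcp_syncookies
+echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog
+
+if [ $PING == 1 ]; then
+echo "+ PING allowed"
+## stop ping flood attack
+echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+# Don't accept ICMP redirect messages
+echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
+# Don't send ICMP redirect messages
+echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
+$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "iptables: PING-FLOOD: " --log-ip-options --log-level 4
+$IPTABLES -A INPUT -p icmp -j DROP
+fi
+
+if [ $FTP == 1 ]; then
+echo "+ FTP allowed"
+modprobe ip_conntrack_ftp
+$IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
+# Data
+$IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
+$IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Passive mod
+$IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
+$IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+fi
+
+
+## OPEN PORTS
+for traffic in $OPEN_PORTS; do
+source=$(echo $traffic | cut -d "-" -f1)
+proto=$(echo $traffic | cut -d "-" -f2)
+ports=$(echo $traffic | cut -d "-" -f3)
+for port in $(echo $ports | sed 's/,/ /g'); do
+echo "+ Open port $port to $source for protocol $proto"
+$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $IP --dport $port -m state --state ! INVALID -j ACCEPT
+done
+done
+
+## Port forwading
+for traffic in $TRAFFICS; do
+forward_port $traffic
+done
+
+## Port redirection
+for redirection in $REDIRECTIONS; do
+port_redirection $redirection
+done
+
+## NAT
+if [ $NAT == 1 ]; then
+echo "+ Activate nat"
+modprobe ip_nat_ftp
+modprobe ip_nat_irc
+$IPTABLES -t nat -A POSTROUTING -s $LAN_NETWORK -j MASQUERADE
+fi
+
+ipt_hook
+
+## LOG
+## Create a LOGDROP chain to log and drop packets
+$IPTABLES -N LOGDROP
+$IPTABLES -A LOGDROP -j LOG --log-prefix "iptables: " --log-level 4
+$IPTABLES -A LOGDROP -j DROP
+
+$IPTABLES -A INPUT -j LOGDROP
+$IPTABLES -A OUTPUT -j LOGDROP
+$IPTABLES -A FORWARD -j LOGDROP
+}
+
+
+stop()
+{
+echo "+ Firewall stoped"
+$IPTABLES -t filter -F
+$IPTABLES -t filter -X
+
+$IPTABLES -t filter -P INPUT ACCEPT
+$IPTABLES -t filter -P FORWARD ACCEPT
+$IPTABLES -t filter -P OUTPUT ACCEPT
+
+$IPTABLES -t nat -F
+$IPTABLES -t nat -X
+
+$IPTABLES -t nat -P PREROUTING ACCEPT
+$IPTABLES -t nat -P OUTPUT ACCEPT
+$IPTABLES -t nat -P POSTROUTING ACCEPT
+
+$IPTABLES -t mangle -F
+$IPTABLES -t mangle -X
+
+$IPTABLES -t mangle -P PREROUTING ACCEPT
+$IPTABLES -t mangle -P INPUT ACCEPT
+$IPTABLES -t mangle -P FORWARD ACCEPT
+}
+
+case "$1" in
+start)
+start || exit 1
+;;
+stop)
+stop || exit 1
+;;
+restart|force-reload)
+stop
+start || exit 1
+;;
+*)
+N=/etc/init.d/$NAME
+abort "Usage: $N {start|stop|restart|force-reload}" >&2
+;;
+esac
+
+exit 0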
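Review bot: `port_redirection()` never reads its own argument: it stores `redirection=$1` and then cuts `$traffic` for the interface, ports and protocol, so every REDIRECTIONS entry is decoded from the stale loop variable left behind by the TRAFFICS loop (empty when TRAFFICS is unset), and the rule it appends also calls bare `iptables` instead of `$IPTABLES`. The LOGDROP chain and the scan-detection rules log without `-m limit`, so an unsolicited packet flood is written line-for-line into /var/log/iptables.log through the rsyslog rule; `$IPTABLES -A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables: " --log-level 4` bounds that. Note also that the script has no `set -e` and `start` returns only the status of its last iptables call, so `restart` — which first sets every policy to ACCEPT in `stop` — reports success even when the config failed to source or an earlier rule was rejected, i.e. the failure mode is open rather than closed; at minimum `source /etc/firewall.conf || abort "cannot read /etc/firewall.conf"` and an `[ -x "$IPTABLES" ] || abort "IPTABLES not set"` check before `start` would catch the common cases.
```shell
port_redirection()
{
    redirection=$1
    int=$(echo $redirection | cut -d "-" -f1)
    srcport=$(echo $redirection | cut -d "-" -f2)
    destport=$(echo $redirection | cut -d "-" -f3)
    proto=$(echo $redirection | cut -d "-" -f4)
    # … unchanged: progress echo …
    $IPTABLES -t nat -A PREROUTING -i $int -p $proto --dport $srcport -j REDIRECT --to-port $destport
}
```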
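--- /dev/null
+++ b/firewall.conf
@@ -0,0 +1,45 @@
+IPTABLES=/sbin/iptables
+
+# WAN configuration
+WAN_INT='ethX'
+IP='x.x.x.x'
+
+# Allow ping
+PING=1
+
+# Allow FTP server (passive and active)
+FTP=0
+
+# NAT LAN_NETWORK
+NAT=0
+LAN_NETWORK=''
+# Allow traffic between the WAN and LAN
+LAN=0
+LAN_INT='ethX'
+
+# Allow all traffic for interface(s)
+# example ALLOW_INTS='br0 xenbr42'
+ALLOW_INTS=''
+
+# Open ports
+# source-protocole-portx:porty,portz,porta,... source-protocole-portx:porty,portz,.. ...
+# example : OPEN_PORTS='0.0.0.0/0-tcp-ssh,imap,imaps 0.0.0.0/0-udp-1342'
+OPEN_PORTS='0.0.0.0/0-tcp-ssh'
+
+# Port forwarding
+# source-port-destination:port-protocole source-port-destination:port-protocole ...
+# example : TRAFFICS='0.0.0.0/0-80-192.168.0.42:80-tcp 42.42.42.42-4242-192.168.0.43:22-tcp'
+TRAFFICS=""
+
+# Port redirection
+# interface-sourceport-destport-protocole
+# example : REDIRECTIONS='$LAN_INT-25-4242-tcp $WAN_INT-25-4242-udp eth42-32-25-tcp'
+REDIRECTIONS=""
+
+# Hook point to write your own iptables rules
+ipt_hook()
+{
+echo "+ Load your own iptables rules"
+# Write your own iptables rules here
+}
+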
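Review bot: The REDIRECTIONS example `'$LAN_INT-25-4242-tcp $WAN_INT-25-4242-udp eth42-32-25-tcp'` is single-quoted, so `$LAN_INT` and `$WAN_INT` are never expanded and the init script would hand the literal text to `iptables -i`; the example should read `REDIRECTIONS="$LAN_INT-25-4242-tcp $WAN_INT-25-4242-udp eth42-32-25-tcp"`, which works because LAN_INT and WAN_INT are assigned earlier in this file. The placeholders `WAN_INT='ethX'` and `IP='x.x.x.x'` are not rejected anywhere, so the WAN block deserves a comment such as `# REQUIRED: set the real WAN interface and public address; the init script does not validate these and will build rules against the placeholders`. This file is sourced by root and `ipt_hook` runs arbitrary shell, which is why the Makefile installs it 0640 root:root — a one-line comment saying so would stop a later admin from relaxing the mode.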
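--- /dev/null
+++ b/iptables.conf
@@ -0,0 +1,2 @@
+:msg,contains,"iptables:" /var/log/iptables.log
+& ~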
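Review bot: `& ~` is the legacy discard action; rsyslog 7 and later warns that `~` is deprecated, and the supported spelling is `& stop`. The selector `:msg,contains,"iptables:"` depends on every LOG rule in the init script keeping that exact prefix, which they currently do, so a comment line here — `# matches the --log-prefix "iptables: " used by every LOG rule in /etc/init.d/firewall` — would keep the two files in step when prefixes are edited.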