firewall: use users chains everywhere
parent
39fb640472
commit
5cc34f7b41
172
firewall
172
firewall
@ -21,13 +21,21 @@ abort()
exit 1
|
||||
}
|
||||
|
||||
chain_exists()
|
||||
{
|
||||
local chain_name="$1" ; shift
|
||||
[ $# -eq 1 ] && local table="--table $1"
|
||||
iptables $table -n --list "$chain_name" >/dev/null 2>&1
|
||||
}
|
||||
|
||||
|
||||
if [ -f "/etc/firewall/firewall.conf" ]; then
|
||||
source /etc/firewall/firewall.conf
|
||||
else
|
||||
abort "No configuration file /etc/firewall/firewall.conf"
|
||||
fi
|
||||
|
||||
clean()
|
||||
flush()
|
||||
{
|
||||
$IPTABLES -t filter -F
|
||||
$IPTABLES -t filter -X
|
||||
|
@ -51,6 +59,59 @@ clean()
|
|||
$IPTABLES -t mangle -P FORWARD ACCEPT
|
||||
}
|
||||
|
||||
clean()
|
||||
{
|
||||
$IPTABLES -t filter -P INPUT ACCEPT
|
||||
$IPTABLES -t filter -P FORWARD ACCEPT
|
||||
$IPTABLES -t filter -P OUTPUT ACCEPT
|
||||
$IPTABLES -t nat -F
|
||||
$IPTABLES -t nat -X
|
||||
$IPTABLES -t mangle -F
|
||||
$IPTABLES -t mangle -X
|
||||
|
||||
if chain_exists EO-INPUT; then
|
||||
$IPTABLES -D INPUT -j EO-INPUT
|
||||
$IPTABLES -F EO-INPUT
|
||||
$IPTABLES -X EO-INPUT
|
||||
fi
|
||||
if chain_exists EO-OUTPUT; then
|
||||
$IPTABLES -D OUTPUT -j EO-OUTPUT
|
||||
$IPTABLES -F EO-OUTPUT
|
||||
$IPTABLES -X EO-OUTPUT
|
||||
fi
|
||||
if chain_exists EO-FORWARD; then
|
||||
$IPTABLES -D FORWARD -j EO-FORWARD
|
||||
$IPTABLES -F EO-FORWARD
|
||||
$IPTABLES -X EO-FORWARD
|
||||
fi
|
||||
if chain_exists LOGDROP; then
|
||||
$IPTABLES -D INPUT -j LOGDROP
|
||||
$IPTABLES -D OUTPUT -j LOGDROP
|
||||
$IPTABLES -D FORWARD -j LOGDROP
|
||||
$IPTABLES -F LOGDROP
|
||||
$IPTABLES -X LOGDROP
|
||||
fi
|
||||
}
|
||||
|
||||
init()
|
||||
{
|
||||
clean
|
||||
test_config
|
||||
modprobe ip_conntrack
|
||||
|
||||
$IPTABLES -N EO-INPUT
|
||||
$IPTABLES -N EO-OUTPUT
|
||||
$IPTABLES -N EO-FORWARD
|
||||
$IPTABLES -N LOGDROP
|
||||
|
||||
|
||||
# default policies
|
||||
log_action_msg "DROP Input, Forward and Output by default"
|
||||
$IPTABLES -P INPUT DROP
|
||||
$IPTABLES -P FORWARD DROP
|
||||
$IPTABLES -P OUTPUT DROP
|
||||
}
|
||||
|
||||
test_config()
|
||||
{
|
||||
# FIXME: test if the interface and the ip exist
|
||||
|
@ -63,7 +124,7 @@ critical_return()
|
|||
{
|
||||
if [ `echo $?` != 0 ]; then
|
||||
log_failure_msg "Error on the last command firewall will be stop"
|
||||
stop
|
||||
flush
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
@ -87,7 +148,7 @@ forward_port()
|
|||
log_warning_msg "You must add a LAN interface (LAN_INT) for a port forward"
|
||||
else
|
||||
log_action_msg "Forward $port to $destination for protocol $proto"
|
||||
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
|
||||
$IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
|
||||
$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
|
||||
fi
|
||||
fi
|
||||
|
@ -109,7 +170,7 @@ open_port()
|
|||
fi
|
||||
source=$1
|
||||
log_action_msg "Open port(s) $ports from $source to $destination for protocol $proto"
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination -m multiport --dports $ports -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p $proto -s $source -d $destination -m multiport --dports $ports -m state --state NEW -j ACCEPT
|
||||
critical_return
|
||||
}
|
||||
|
||||
|
@ -145,70 +206,67 @@ port_knocking()
|
|||
((i++))
|
||||
tock_number=$knock_number$i
|
||||
if [ $i -gt 1 ]; then
|
||||
iptables -N toc${tock_number}
|
||||
iptables -A toc${tock_number} -m recent --name toc$((${tock_number}-1)) --remove
|
||||
iptables -A toc${tock_number} -m recent --name toc${tock_number} --set
|
||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$((${tock_number}-1)) -j toc${tock_number}
|
||||
iptables -N EO-TOC${tock_number}
|
||||
iptables -A EO-TOC${tock_number} -m recent --name EO-TOC$((${tock_number}-1)) --remove
|
||||
iptables -A EO-TOC${tock_number} -m recent --name EO-TOC${tock_number} --set
|
||||
iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name EO-TOC$((${tock_number}-1)) -j EO-TOC${tock_number}
|
||||
else
|
||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number}
|
||||
iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name EO-TOC${tock_number}
|
||||
fi
|
||||
done
|
||||
log_action_msg "Port knocking for $ports with combinaison $knock_ports on $WAN_INT"
|
||||
for port in $(echo $ports | sed 's/,/ /g'); do
|
||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
|
||||
iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name EO-TOC${tock_number} -m state --state NEW -j ACCEPT
|
||||
done
|
||||
}
|
||||
|
||||
start()
|
||||
{
|
||||
test_config
|
||||
modprobe ip_conntrack
|
||||
clean
|
||||
|
||||
# default policies
|
||||
$IPTABLES -P INPUT DROP
|
||||
$IPTABLES -P FORWARD DROP
|
||||
$IPTABLES -P OUTPUT DROP
|
||||
init
|
||||
|
||||
## allow packets coming from the machine
|
||||
$IPTABLES -A INPUT -i lo -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -o lo -j ACCEPT
|
||||
log_action_msg "Accept lo interface"
|
||||
$IPTABLES -A EO-INPUT -i lo -j ACCEPT
|
||||
$IPTABLES -A EO-OUTPUT -o lo -j ACCEPT
|
||||
|
||||
log_action_msg "Allow WAN outgoing traffic"
|
||||
$IPTABLES -A OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 1 ]; then
|
||||
log_action_msg "Allow WAN outgoing traffic"
|
||||
$IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
|
||||
fi
|
||||
|
||||
critical_return
|
||||
|
||||
if [ $LAN == 1 ]; then
|
||||
log_action_msg "Allow WAN outgoing traffic from lan"
|
||||
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -d $LAN_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -s $LAN_NETWORK -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
|
||||
$IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p all -d $LAN_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A EO-FORWARD -i $LAN_INT -o $WAN_INT -p all -s $LAN_NETWORK -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
|
||||
log_action_msg "Allow local network"
|
||||
$IPTABLES -A OUTPUT -o $LAN_INT -s $LAN_NETWORK -p all -j ACCEPT
|
||||
$IPTABLES -A INPUT -i $LAN_INT -d $LAN_NETWORK -p all -j ACCEPT
|
||||
$IPTABLES -A EO-OUTPUT -o $LAN_INT -s $LAN_NETWORK -p all -j ACCEPT
|
||||
$IPTABLES -A EO-INPUT -i $LAN_INT -d $LAN_NETWORK -p all -j ACCEPT
|
||||
fi
|
||||
|
||||
## block spoofing
|
||||
log_action_msg "Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN"
|
||||
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
|
||||
## NMAP FIN/URG/PSH
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
|
||||
## stop Xmas Tree type scanning
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
|
||||
## stop null scanning
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP
|
||||
## SYN/RST
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
## SYN/FIN
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
|
||||
## stop sync flood
|
||||
log_action_msg "Block Syn flood"
|
||||
|
@ -217,22 +275,22 @@ start()
|
|||
|
||||
if [ $PING == 1 ]; then
|
||||
log_action_msg "PING allowed"
|
||||
iptables -A INPUT -p icmp --icmp-type ping -j ACCEPT
|
||||
iptables -A OUTPUT -p icmp --icmp-type ping -j ACCEPT
|
||||
iptables -A FORWARD -p icmp --icmp-type ping -j ACCEPT
|
||||
iptables -A EO-INPUT -p icmp --icmp-type ping -j ACCEPT
|
||||
iptables -A EO-OUTPUT -p icmp --icmp-type ping -j ACCEPT
|
||||
iptables -A EO-FORWARD -p icmp --icmp-type ping -j ACCEPT
|
||||
fi
|
||||
|
||||
if [ $FTP == 1 ]; then
|
||||
log_action_msg "FTP allowed"
|
||||
modprobe ip_conntrack_ftp
|
||||
$IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
|
||||
# Data
|
||||
$IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
# Passive mod
|
||||
$IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
fi
|
||||
|
||||
## Open Ports
|
||||
|
@ -278,9 +336,12 @@ start()
|
|||
|
||||
ipt_hook
|
||||
|
||||
$IPTABLES -A INPUT -j EO-INPUT
|
||||
$IPTABLES -A OUTPUT -j EO-OUTPUT
|
||||
$IPTABLES -A FORWARD -j EO-FORWARD
|
||||
|
||||
## LOG
|
||||
## Create a LOGDROP chain to log and drop packets
|
||||
$IPTABLES -N LOGDROP
|
||||
$IPTABLES -A LOGDROP -p tcp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied tcp: " --log-level 4
|
||||
$IPTABLES -A LOGDROP -p udp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied udp: " --log-level 4
|
||||
$IPTABLES -A LOGDROP -p icmp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied icmp: " --log-level 4
|
||||
|
@ -289,15 +350,9 @@ start()
|
|||
$IPTABLES -A INPUT -j LOGDROP
|
||||
$IPTABLES -A OUTPUT -j LOGDROP
|
||||
$IPTABLES -A FORWARD -j LOGDROP
|
||||
|
||||
}
|
||||
|
||||
|
||||
stop()
|
||||
{
|
||||
clean
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start|restore)
|
||||
log_daemon_msg "Starting firewall"
|
||||
|
@ -310,7 +365,7 @@ case "$1" in
|
|||
;;
|
||||
stop)
|
||||
log_daemon_msg "Stopping firewall"
|
||||
stop || exit 1
|
||||
clean || exit 1
|
||||
log_end_msg 0
|
||||
;;
|
||||
test)
|
||||
|
@ -325,7 +380,7 @@ case "$1" in
|
|||
iptables-restore < /etc/network/iptables-save
|
||||
log_action_msg "Old rules restored"
|
||||
else
|
||||
stop
|
||||
flush
|
||||
log_action_msg "Rules flushed"
|
||||
fi
|
||||
log_action_msg "If you are happy with this new rules please use save option"
|
||||
|
@ -336,6 +391,9 @@ case "$1" in
|
|||
iptables-save > /etc/network/iptables-save
|
||||
log_end_msg 0
|
||||
;;
|
||||
flush)
|
||||
flush
|
||||
;;
|
||||
*)
|
||||
N=/etc/init.d/$NAME
|
||||
echo "Usage: $N {start|restore|save|test|stop}"
|
||||
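Review bot: LOGDROP is now created twice on a fresh start, if I read the sides correctly: init() runs `$IPTABLES -N LOGDROP` (added in hunk @ -51,6 +59,59) and start() still runs the same `$IPTABLES -N LOGDROP` before its LOG rules (context line in hunk @ -278,9 +336,12), so the second call fails with "Chain already exists"; since clean() already owns LOGDROP teardown via chain_exists, make init() the single creator and drop the later line, or guard it with `chain_exists LOGDROP || $IPTABLES -N LOGDROP`. In the start() hunk, `if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 1 ]; then` is unquoted; because the config key was renamed from ALLOW_OUTOUT_EVERYWHERE, an existing firewall.conf leaves it unset, the test degrades to `[ -eq 1 ]` (a test error, evaluated as false) and outbound WAN traffic is silently never accepted in EO-OUTPUT — write it as `if [ "${ALLOW_WAN_OUTOUT_EVERYWHERE:-0}" -eq 1 ]; then`. The new chain_exists() also relies on `$table` being empty when no table argument is given, but it only declares it local on the `[ $# -eq 1 ]` branch, so a `table` variable from the caller's scope would leak in; initialise it with `local table=""` before the test, and use `$IPTABLES` there as the rest of the script does. start() begins and ends outside the quoted hunks.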
@ -1,8 +1,8 @@
|
|||
IPTABLES=/sbin/iptables
|
||||
|
||||
## WAN configuration
|
||||
WAN_INT='' # WAN interface
|
||||
IP='' # WAN IP
|
||||
WAN_INT='eth0' # WAN interface
|
||||
IP='192.168.0.1' # WAN IP
|
||||
|
||||
PING=1 # Allow ping
|
||||
FTP=0 # Allow FTP server (passive and active)
|
||||
|
@ -14,7 +14,7 @@ LAN=0 # Allow traffic between the WAN and LAN
|
|||
LAN_INT='' # LAN interface
|
||||
|
||||
## Allow OUTPUT for everything
|
||||
ALLOW_OUTOUT_EVERYWHERE=0
|
||||
ALLOW_WAN_OUTOUT_EVERYWHERE=1
|
||||
|
||||
## Allow all traffic for interface(s)
|
||||
# example ALLOW_INTS='br0 xenbr42'
|
||||
|
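Review bot: The shipped defaults now carry a concrete interface and address, `WAN_INT='eth0'` and `IP='192.168.0.1'`, where the previous file had empty placeholders, so a fresh install with an unedited /etc/firewall/firewall.conf builds DNAT and accept rules for an interface and IP that may not be this host's, and test_config in the script still only has `# FIXME: test if the interface and the ip exist`, so nothing catches it. Keep the placeholders and show the sample in the comment instead, `WAN_INT='' # WAN interface, e.g. eth0` and `IP='' # WAN IP, e.g. 192.168.0.1`, or make test_config abort when either is empty. The renamed key ALLOW_WAN_OUTOUT_EVERYWHERE also drops the old ALLOW_OUTOUT_EVERYWHERE without a note; a one-line comment naming the old key would help anyone upgrading an existing config, and the "OUTOUT" spelling is now baked into a second name — if it is ever corrected to OUTPUT, do it in the script and this file in the same commit.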