From 5cc34f7b41d352ae3ff659e4010b950e02f62e9f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Schneider?= Date: Thu, 14 Nov 2013 18:56:58 +0100 Subject: [PATCH] firewall: use users chains everywhere --- firewall | 172 +++++++++++++++++++++++++++++++++----------------- firewall.conf | 6 +- 2 files changed, 118 insertions(+), 60 deletions(-) diff --git a/firewall b/firewall index 444acdf..cf626c0 100755 --- a/firewall +++ b/firewall @@ -21,13 +21,21 @@ abort() exit 1 } +chain_exists() +{ + local chain_name="$1" ; shift + [ $# -eq 1 ] && local table="--table $1" + iptables $table -n --list "$chain_name" >/dev/null 2>&1 +} + + if [ -f "/etc/firewall/firewall.conf" ]; then source /etc/firewall/firewall.conf else abort "No configuration file /etc/firewall/firewall.conf" fi -clean() +flush() { $IPTABLES -t filter -F $IPTABLES -t filter -X 
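Review bot: In chain_exists, `table` is declared only when a second argument is given, so a one-argument call expands whatever `$table` already holds in the caller's scope (a global or an inherited environment variable) and passes it to iptables; initialise it first, `local table=""` followed by `[ $# -eq 1 ] && table="--table $1"`, and keep the expansion unquoted on purpose since the two words have to split. The helper also calls bare `iptables` while the rest of the script goes through `$IPTABLES` from firewall.conf; the rewritten port_knocking and PING lines in hunks @@ -145,70 and @@ -217,22 do the same, and this commit is the natural place to switch all of them. A one-line header, `# chain_exists CHAIN [TABLE]: true if CHAIN exists (TABLE defaults to filter)`, would document the optional argument that clean() does not yet use.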
@@ -51,6 +59,59 @@ clean() $IPTABLES -t mangle -P FORWARD ACCEPT } +clean() +{ + $IPTABLES -t filter -P INPUT ACCEPT + $IPTABLES -t filter -P FORWARD ACCEPT + $IPTABLES -t filter -P OUTPUT ACCEPT + $IPTABLES -t nat -F + $IPTABLES -t nat -X + $IPTABLES -t mangle -F + $IPTABLES -t mangle -X + + if chain_exists EO-INPUT; then + $IPTABLES -D INPUT -j EO-INPUT + $IPTABLES -F EO-INPUT + $IPTABLES -X EO-INPUT + fi + if chain_exists EO-OUTPUT; then + $IPTABLES -D OUTPUT -j EO-OUTPUT + $IPTABLES -F EO-OUTPUT + $IPTABLES -X EO-OUTPUT + fi + if chain_exists EO-FORWARD; then + $IPTABLES -D FORWARD -j EO-FORWARD + $IPTABLES -F EO-FORWARD + $IPTABLES -X EO-FORWARD + fi + if chain_exists LOGDROP; then + $IPTABLES -D INPUT -j LOGDROP + $IPTABLES -D OUTPUT -j LOGDROP + $IPTABLES -D FORWARD -j LOGDROP + $IPTABLES -F LOGDROP + $IPTABLES -X LOGDROP + fi +} + +init() +{ + clean + test_config + modprobe ip_conntrack + + $IPTABLES -N EO-INPUT + $IPTABLES -N EO-OUTPUT + $IPTABLES -N EO-FORWARD + $IPTABLES -N LOGDROP + + + # default policies + log_action_msg "DROP Input, Forward and Output by default" + $IPTABLES -P INPUT DROP + $IPTABLES -P FORWARD DROP + $IPTABLES -P OUTPUT DROP +} + test_config() { # FIXME: test if the interface and the ip exist @@ -63,7 +124,7 @@ critical_return() { if [ `echo $?` != 0 ]; then log_failure_msg "Error on the last command firewall will be stop" - stop + flush exit 1 fi } 
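Review bot: clean() removes only the four fixed chains, but port_knocking (hunk @@ -145,70) now creates one `EO-TOC<n>` chain per knock with `iptables -N EO-TOC${tock_number}`, and because clean() no longer performs the `-t filter -X` that flush() does, those chains survive a stop. On the next start each `-N EO-TOC…` then fails with "Chain already exists" and the following `-A EO-TOC…` lines append to the stale chain, so the knock sequence accumulates duplicate rules across restarts. The knock chains are referenced from EO-INPUT, so they can only be deleted once EO-INPUT has been flushed; the loop below, placed right after the EO-INPUT block, does that. The same gap applies to any chain ipt_hook may create, which I cannot see from here.
```shell
clean()
{
    # … unchanged: filter policies to ACCEPT, nat and mangle flush, EO-INPUT removal …
    # port_knocking creates one EO-TOC<n> chain per knock; they are jumped to
    # from EO-INPUT, so they can only be removed after EO-INPUT has been flushed.
    for knock_chain in $($IPTABLES -t filter -S | awk '$1 == "-N" && $2 ~ /^EO-TOC/ { print $2 }'); do
        $IPTABLES -F "$knock_chain"
        $IPTABLES -X "$knock_chain"
    done
    # … unchanged: EO-OUTPUT, EO-FORWARD and LOGDROP removal …
}
```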
@@ -87,7 +148,7 @@ forward_port() log_warning_msg "You must add a LAN interface (LAN_INT) for a port forward" else log_action_msg "Forward $port to $destination for protocol $proto" - $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT + $IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT $IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination fi fi @@ -109,7 +170,7 @@ open_port() fi source=$1 log_action_msg "Open port(s) $ports from $source to $destination for protocol $proto" - $IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination -m multiport --dports $ports -m state --state NEW -j ACCEPT + $IPTABLES -A EO-INPUT -i $WAN_INT -p $proto -s $source -d $destination -m multiport --dports $ports -m state --state NEW -j ACCEPT critical_return } 
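Review bot: forward_port's DNAT rule still goes to the builtin nat PREROUTING chain while its filter counterpart moved to EO-FORWARD, so the "users chains everywhere" split is only half done for port forwards: clean() (hunk @@ -51,6) still does a wholesale `-t nat -F` / `-t nat -X`, which removes nat rules installed by anything else on the host, and stop has no way to remove only this script's DNAT entries. Suggest an `EO-PREROUTING` chain in the nat table, created and hooked in init() and removed in clean() via `chain_exists EO-PREROUTING nat` (the table argument the new helper already accepts), with this line becoming `$IPTABLES -t nat -A EO-PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination`. Both forward_port and open_port start outside the hunk.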
@@ -145,70 +206,67 @@ port_knocking() ((i++)) tock_number=$knock_number$i if [ $i -gt 1 ]; then - iptables -N toc${tock_number} - iptables -A toc${tock_number} -m recent --name toc$((${tock_number}-1)) --remove - iptables -A toc${tock_number} -m recent --name toc${tock_number} --set - iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$((${tock_number}-1)) -j toc${tock_number} + iptables -N EO-TOC${tock_number} + iptables -A EO-TOC${tock_number} -m recent --name EO-TOC$((${tock_number}-1)) --remove + iptables -A EO-TOC${tock_number} -m recent --name EO-TOC${tock_number} --set + iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name EO-TOC$((${tock_number}-1)) -j EO-TOC${tock_number} else - iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number} + iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name EO-TOC${tock_number} fi done log_action_msg "Port knocking for $ports with combinaison $knock_ports on $WAN_INT" for port in $(echo $ports | sed 's/,/ /g'); do - iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT + iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name EO-TOC${tock_number} -m state --state NEW -j ACCEPT done } start() { - test_config - modprobe ip_conntrack - clean - - # default policies - $IPTABLES -P INPUT DROP - $IPTABLES -P FORWARD DROP - $IPTABLES -P OUTPUT DROP + init ## allow packets coming from the machine - $IPTABLES -A INPUT -i lo -j ACCEPT - $IPTABLES -A OUTPUT -o lo -j ACCEPT + log_action_msg "Accept lo interface" + $IPTABLES -A EO-INPUT -i lo -j ACCEPT + $IPTABLES -A EO-OUTPUT -o lo -j ACCEPT - log_action_msg "Allow WAN outgoing traffic" - $IPTABLES -A OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT - $IPTABLES -A INPUT -i $WAN_INT -p all -m state --state 
ESTABLISHED,RELATED -j ACCEPT + $IPTABLES -A EO-INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT + + if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 1 ]; then + log_action_msg "Allow WAN outgoing traffic" + $IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT + fi critical_return if [ $LAN == 1 ]; then log_action_msg "Allow WAN outgoing traffic from lan" - $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -d $LAN_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -s $LAN_NETWORK -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT + $IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p all -d $LAN_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPTABLES -A EO-FORWARD -i $LAN_INT -o $WAN_INT -p all -s $LAN_NETWORK -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT log_action_msg "Allow local network" - $IPTABLES -A OUTPUT -o $LAN_INT -s $LAN_NETWORK -p all -j ACCEPT - $IPTABLES -A INPUT -i $LAN_INT -d $LAN_NETWORK -p all -j ACCEPT + $IPTABLES -A EO-OUTPUT -o $LAN_INT -s $LAN_NETWORK -p all -j ACCEPT + $IPTABLES -A EO-INPUT -i $LAN_INT -d $LAN_NETWORK -p all -j ACCEPT fi ## block spoofing log_action_msg "Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN" echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter ## NMAP FIN/URG/PSH - $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4 - $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP + $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4 + $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP ## stop Xmas Tree type scanning - $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4 - $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL 
-j DROP - $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4 - $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4 + $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP + $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4 + $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP ## stop null scanning - $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4 - $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP + $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4 + $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP ## SYN/RST - $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4 - $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4 + $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP ## SYN/FIN - $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4 - $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4 + $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP ## stop sync flood log_action_msg "Block Syn flood" 
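Review bot: The new test `if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 1 ]; then` is unquoted and has no default, so on a host whose /etc/firewall/firewall.conf still carries the pre-rename name `ALLOW_OUTOUT_EVERYWHERE` (renamed in the firewall.conf hunk without a fallback) it expands to `[ -eq 1 ]`, prints "unary operator expected", and falls through as false; the `critical_return` that follows does not catch it because the status it inspects is that of the `if` compound, which is 0 when the condition is false. The host's own WAN output is then silently blocked. Suggest `if [ "${ALLOW_WAN_OUTOUT_EVERYWHERE:-0}" -eq 1 ]; then` and, for one release, honouring the old name right after the config is sourced: `ALLOW_WAN_OUTOUT_EVERYWHERE=${ALLOW_WAN_OUTOUT_EVERYWHERE:-${ALLOW_OUTOUT_EVERYWHERE:-0}}`. port_knocking starts before the hunk and start() continues after it.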
@@ -217,22 +275,22 @@ start() if [ $PING == 1 ]; then log_action_msg "PING allowed" - iptables -A INPUT -p icmp --icmp-type ping -j ACCEPT - iptables -A OUTPUT -p icmp --icmp-type ping -j ACCEPT - iptables -A FORWARD -p icmp --icmp-type ping -j ACCEPT + iptables -A EO-INPUT -p icmp --icmp-type ping -j ACCEPT + iptables -A EO-OUTPUT -p icmp --icmp-type ping -j ACCEPT + iptables -A EO-FORWARD -p icmp --icmp-type ping -j ACCEPT fi if [ $FTP == 1 ]; then log_action_msg "FTP allowed" modprobe ip_conntrack_ftp - $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT - $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT + $IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT + $IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT # Data - $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT - $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT + $IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT + $IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT # Passive mod - $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT - $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + $IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT + $IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT fi ## Open Ports 
@@ -278,9 +336,12 @@ start() ipt_hook + $IPTABLES -A INPUT -j EO-INPUT + $IPTABLES -A OUTPUT -j EO-OUTPUT + $IPTABLES -A FORWARD -j EO-FORWARD + ## LOG ## Create a LOGDROP chain to log and drop packets - $IPTABLES -N LOGDROP $IPTABLES -A LOGDROP -p tcp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied tcp: " --log-level 4 $IPTABLES -A LOGDROP -p udp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied udp: " --log-level 4 $IPTABLES -A LOGDROP -p icmp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied icmp: " --log-level 4 @@ -289,15 +350,9 @@ start() $IPTABLES -A INPUT -j LOGDROP $IPTABLES -A OUTPUT -j LOGDROP $IPTABLES -A FORWARD -j LOGDROP - } -stop() -{ - clean -} - case "$1" in start|restore) log_daemon_msg "Starting firewall" @@ -310,7 +365,7 @@ case "$1" in ;; stop) log_daemon_msg "Stopping firewall" - stop || exit 1 + clean || exit 1 log_end_msg 0 ;; test) @@ -325,7 +380,7 @@ case "$1" in iptables-restore < /etc/network/iptables-save log_action_msg "Old rules restored" else - stop + flush log_action_msg "Rules flushed" fi log_action_msg "If you are happy with this new rules please use save option" @@ -336,6 +391,9 @@ case "$1" in iptables-save > /etc/network/iptables-save log_end_msg 0 ;; + flush) + flush + ;; *) N=/etc/init.d/$NAME echo "Usage: $N {start|restore|save|test|stop}" diff --git a/firewall.conf b/firewall.conf index 29a300f..7606bac 100644 --- a/firewall.conf +++ b/firewall.conf @@ -1,8 +1,8 @@ IPTABLES=/sbin/iptables ## WAN configuration -WAN_INT='' # WAN interface -IP='' # WAN IP +WAN_INT='eth0' # WAN interface +IP='192.168.0.1' # WAN IP PING=1 # Allow ping FTP=0 # Allow FTP server (passive and active) @@ -14,7 +14,7 @@ LAN=0 # Allow traffic between the WAN and LAN LAN_INT='' # LAN interface ## Allow OUTPUT for everything -ALLOW_OUTOUT_EVERYWHERE=0 +ALLOW_WAN_OUTOUT_EVERYWHERE=1 ## Allow all traffic for interface(s) # example ALLOW_INTS='br0 xenbr42'
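Review bot: The three `-A INPUT/OUTPUT/FORWARD -j EO-*` jumps are appended only here, at the end of start(), while init() (hunk @@ -51,6) has already switched the policies to DROP, so everything start() accepts — lo, ESTABLISHED,RELATED, the LAN rules — takes effect only once these lines run, and any exit between the two points that does not go through critical_return (an abort(), for example) leaves the host with DROP policies and not a single accept rule, lo included. The old code appended the lo and ESTABLISHED rules immediately after the policy change, so a partial start degraded more gracefully. Consider appending the three jumps in init() directly after the `-N` lines: rules added to the EO-* chains afterwards take effect as they are appended, and rules ipt_hook may add to the builtin chains would then follow the EO-* rules as they followed the builtin rules before, whereas with the current order they precede them — check which is intended.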
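Review bot: The new `flush)` case is not reflected in the usage line `echo "Usage: $N {start|restore|save|test|stop}"` two lines below it, and unlike its siblings it emits no log_daemon_msg/log_end_msg, so an operator gets no confirmation that the tables were emptied. Suggest `echo "Usage: $N {start|restore|save|test|stop|flush}"` and wrapping the call as the stop case does. Since flush removes every filter-table chain, including chains owned by other tools, whereas stop now removes only this script's chains, a one-line comment above the case stating that distinction would help, e.g. `# flush: full reset of all tables; stop removes only the EO-* and LOGDROP chains`.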
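Review bot: WAN_INT and IP now ship with concrete values ('eth0', '192.168.0.1') in place of empty placeholders, and test_config is still a FIXME, so an unedited config no longer fails on start (an empty `-i $WAN_INT` presumably made the first rule fail and critical_return bail out) but instead installs DROP policies keyed to an interface and address that may not be the host's. If the intent is to show an example, keep the placeholder empty and put the value in the comment, `WAN_INT='' # WAN interface, e.g. eth0`, and make test_config abort on an empty WAN_INT or IP. The default `ALLOW_WAN_OUTOUT_EVERYWHERE=1` in the second hunk also flips the shipped default from 0 to permissive; worth a line in the commit message or a comment next to the setting.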