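#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall.sh
# Required-Start:    $remote_fs $syslog $network
# Required-Stop:     $remote_fs $syslog $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Iptables firewall
# Description:       An iptables firewall
### END INIT INFO
#
# Usage: /etc/init.d/firewall.sh {start|stop|restart|force-reload}
#
# Settings come from /etc/firewall.conf, which is *sourced* as shell code
# while this script runs as root: everything in that file executes with full
# privileges, so its ownership and permissions matter as much as its contents.
# Variables read from it:
#   IPTABLES      iptables command (path or name; any extra words in the value
#                 are passed to it as leading options, see ipt())
#   WAN_INT       WAN interface name
#   IP            host address used in WAN rules (-d on INPUT, -s on OUTPUT)
#   LAN, LAN_INT, LAN_NETWORK, ALLOW_INTS
#                 LAN=1 enables forwarding for LAN_INT and for each interface
#                 listed in ALLOW_INTS; LAN_NETWORK is masqueraded when NAT=1
#   PING, FTP, NAT
#                 1 enables the corresponding section of start()
#   OPEN_PORTS    space-separated "source-proto-port[,port...]" entries
#   TRAFFICS      space-separated "source-port-destip:destport-proto" entries
#   REDIRECTIONS  space-separated "iface-srcport-destport-proto" entries
# start() also calls ipt_hook, which is not defined in this file; presumably
# the config defines it — confirm before relying on it.

NAME="firewall.sh"
CONFIG=/etc/firewall.conf

#######################################
# Print a message to stderr, surrounded by blank lines and with backslash
# escapes interpreted (as `echo -e` did), then exit with status 1.
# Arguments: message words, joined by single spaces
#######################################
abort() {
  printf '\n%b\n\n' "$*" >&2
  exit 1
}

#######################################
# Run the configured iptables command with the given arguments.
# $IPTABLES is intentionally left unquoted so a config value such as
# "iptables -w" keeps working; every other argument is passed through as-is.
#######################################
ipt() {
  # shellcheck disable=SC2086
  $IPTABLES "$@"
}

# Refuse to continue without a readable config: sourcing a missing file used
# to fall through silently and then run every rule with empty variables.
[[ -r "$CONFIG" ]] || abort "Cannot read $CONFIG"
# The config is executed as root; a world-writable one lets any local user run
# commands at boot.  Warn rather than abort so the firewall still comes up.
if [[ -n "$(find "$CONFIG" -maxdepth 0 -perm -o+w 2>/dev/null)" ]]; then
  printf 'WARNING: %s is world-writable and is executed as root\n' "$CONFIG" >&2
fi
# shellcheck source=/etc/firewall.conf
source "$CONFIG"
[[ -n "${IPTABLES:-}" ]] || abort "IPTABLES is not set in $CONFIG"
command -v -- "${IPTABLES%% *}" >/dev/null 2>&1 \
  || abort "iptables command not found: ${IPTABLES%% *}"

#######################################
# Flush every rule and delete user-defined chains in the filter, nat and
# mangle tables.  Policies are left alone; start() sets them right after.
#######################################
clean() {
  local table
  for table in filter nat mangle; do
    ipt -t "$table" -F
    ipt -t "$table" -X
  done
}

#######################################
# Forward one WAN port to an internal host (DNAT + matching FORWARD accept).
# Globals:   WAN_INT, LAN_INT, IP (read)
# Arguments: $1 - "source-port-destip:destport-proto"
# Outputs:   progress line on stdout
#######################################
forward_port() {
  local source port destination proto dest_ip dest_port
  IFS=- read -r source port destination proto _ <<<"$1"
  IFS=: read -r dest_ip dest_port _ <<<"$destination"
  echo "+ Forward $port to $destination for protocol $proto"
  ipt -A FORWARD -i "$WAN_INT" -o "$LAN_INT" -p "$proto" -s "$source" \
    -d "$dest_ip" --dport "$dest_port" -m state ! --state INVALID -j ACCEPT
  ipt -t nat -A PREROUTING -i "$WAN_INT" -p "$proto" -s "$source" -d "$IP" \
    --dport "$port" -j DNAT --to "$destination"
}

#######################################
# Redirect a port arriving on an interface to another local port.
# Arguments: $1 - "iface-srcport-destport-proto"
# Outputs:   progress line on stdout
# The fields are parsed from $1; the previous version read the leftover global
# $traffic instead, so redirections were built from the wrong entry.
#######################################
port_redirection() {
  local int srcport destport proto
  IFS=- read -r int srcport destport proto _ <<<"$1"
  echo "+ Redirect $int port $srcport to $destport for portocol $proto"
  ipt -t nat -A PREROUTING -i "$int" -p "$proto" --dport "$srcport" \
    -j REDIRECT --to-port "$destport"
}

#######################################
# Let one internal interface reach the WAN and talk to this host freely.
# Globals:   WAN_INT (read)
# Arguments: $1 - interface name
# Outputs:   progress line on stdout
#######################################
allow_internal_interface() {
  local int=$1
  ipt -A FORWARD -i "$int" -o "$WAN_INT" -p all -m state ! --state INVALID -j ACCEPT
  ipt -A FORWARD -i "$WAN_INT" -o "$int" -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
  echo "+ Allow local network"
  ipt -A OUTPUT -o "$int" -p all -j ACCEPT
  ipt -A INPUT -i "$int" -p all -j ACCEPT
}

#######################################
# Log (kernel level 4, given prefix) and drop WAN TCP packets whose flags match.
# Globals:   WAN_INT (read)
# Arguments: $1 - flag mask, $2 - flags that must be set, $3 - log prefix
# The LOG rule is not rate-limited; under a sustained scan it can flood the
# log — consider adding -m limit if that becomes a problem.
#######################################
drop_tcp_flags() {
  local mask=$1 comp=$2 prefix=$3
  ipt -A INPUT -i "$WAN_INT" -p tcp --tcp-flags "$mask" "$comp" \
    -j LOG --log-prefix "$prefix" --log-level 4
  ipt -A INPUT -i "$WAN_INT" -p tcp --tcp-flags "$mask" "$comp" -j DROP
}

#######################################
# Build the complete rule set: DROP policies, loopback, WAN egress, optional
# LAN forwarding, scan/flood mitigations, optional PING/FTP/NAT, configured
# open/forwarded/redirected ports, the ipt_hook, and a final LOGDROP chain.
# Globals:   all config variables listed in the file header (read)
# Outputs:   progress lines on stdout
# Returns:   status of the last iptables command
#######################################
start() {
  local int traffic source proto ports port redirection
  echo "Starting: Firewall"
  # Legacy module name; newer kernels use nf_conntrack and may reject this —
  # confirm on the target kernel.  A failure here is not fatal.
  modprobe ip_conntrack
  clean

  # Default policies go in first so the host stays closed while rules are added.
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT DROP

  ## allow packets coming from the machine
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT

  echo "+ Allow WAN outgoing traffic"
  ipt -A OUTPUT -o "$WAN_INT" -p all -m state ! --state INVALID -j ACCEPT
  ipt -A INPUT -i "$WAN_INT" -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

  if [[ "${LAN:-0}" == 1 ]]; then
    echo "+ Allow WAN outgoing traffic from lan"
    allow_internal_interface "$LAN_INT"
    # ALLOW_INTS is a space-separated list; word splitting is intended.
    for int in $ALLOW_INTS; do
      echo "+ Allow WAN outgoing traffic for interface $int"
      allow_internal_interface "$int"
    done
  fi

  ## block spoofing
  echo "+ Block spoofing"
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

  ## NMAP FIN/URG/PSH
  echo "+ Block scan ports"
  drop_tcp_flags ALL FIN,URG,PSH 'iptables: Port scan: '
  ## stop Xmas Tree type scanning
  echo "+ Block Xmas Tree"
  drop_tcp_flags ALL ALL "iptables: Xmas tree: "
  drop_tcp_flags ALL SYN,RST,ACK,FIN,URG "iptables: Xmas tree: "
  ## stop null scanning
  echo "+ Block null scanning"
  drop_tcp_flags ALL NONE "iptables: Null scanning: "
  ## SYN/RST
  echo "+ Block SYN/RST"
  drop_tcp_flags SYN,RST SYN,RST "iptables: SYN/RST: "
  ## SYN/FIN
  echo "+ Block SYN/FIN"
  drop_tcp_flags SYN,FIN SYN,FIN "iptables: SYN/FIN: "

  ## stop syn flood
  echo "+ Block Syn flood"
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog

  if [[ "${PING:-0}" == 1 ]]; then
    echo "+ PING allowed"
    ## stop ping flood attack
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    # Don't accept or send ICMP redirect messages.
    # NOTE(review): these two settings only apply when PING=1 although they
    # are unrelated to ping; kept here to preserve the original behaviour.
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    # ICMP is rate-limited on every interface, not only WAN: 1/s is accepted,
    # anything beyond that is logged (itself rate-limited) and dropped.
    ipt -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    ipt -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 \
      -j LOG --log-prefix "iptables: PING-FLOOD: " --log-ip-options --log-level 4
    ipt -A INPUT -p icmp -j DROP
  fi

  if [[ "${FTP:-0}" == 1 ]]; then
    echo "+ FTP allowed"
    modprobe ip_conntrack_ftp
    ipt -A INPUT -i "$WAN_INT" -d "$IP" -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$WAN_INT" -s "$IP" -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
    # Data
    ipt -A INPUT -i "$WAN_INT" -d "$IP" -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$WAN_INT" -s "$IP" -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Passive mode: the whole unprivileged range (1024:) is matched, but only
    # in state ESTABLISHED, so this depends on the ftp conntrack helper having
    # tracked the control connection.
    ipt -A INPUT -i "$WAN_INT" -d "$IP" -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$WAN_INT" -s "$IP" -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
  fi

  ## OPEN PORTS: one "source-proto-port[,port...]" entry per word
  for traffic in $OPEN_PORTS; do
    IFS=- read -r source proto ports _ <<<"$traffic"
    for port in ${ports//,/ }; do
      echo "+ Open port $port to $source for protocol $proto"
      ipt -A INPUT -i "$WAN_INT" -p "$proto" -s "$source" -d "$IP" \
        --dport "$port" -m state ! --state INVALID -j ACCEPT
    done
  done

  ## Port forwarding
  for traffic in $TRAFFICS; do
    forward_port "$traffic"
  done

  ## Port redirection
  for redirection in $REDIRECTIONS; do
    port_redirection "$redirection"
  done

  ## NAT
  if [[ "${NAT:-0}" == 1 ]]; then
    echo "+ Activate nat"
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    ipt -t nat -A POSTROUTING -s "$LAN_NETWORK" -j MASQUERADE
  fi

  # Site-specific rules; ipt_hook is not defined in this file (see header).
  ipt_hook

  ## LOG: anything that falls off the end of a built-in chain is logged, then
  ## dropped.  The LOG rule has no -m limit, so a flood can fill the log.
  ipt -N LOGDROP
  ipt -A LOGDROP -j LOG --log-prefix "iptables: " --log-level 4
  ipt -A LOGDROP -j DROP
  ipt -A INPUT -j LOGDROP
  ipt -A OUTPUT -j LOGDROP
  ipt -A FORWARD -j LOGDROP
}

#######################################
# Flush every table and reset all built-in chain policies to ACCEPT.
# NOTE: this fails open — after stop the host accepts and forwards everything.
# Outputs:   progress line on stdout
# Returns:   status of the last iptables command
#######################################
stop() {
  local chain
  echo "+ Firewall stoped"
  ipt -t filter -F
  ipt -t filter -X
  for chain in INPUT FORWARD OUTPUT; do
    ipt -t filter -P "$chain" ACCEPT
  done
  ipt -t nat -F
  ipt -t nat -X
  for chain in PREROUTING OUTPUT POSTROUTING; do
    ipt -t nat -P "$chain" ACCEPT
  done
  ipt -t mangle -F
  ipt -t mangle -X
  for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
    ipt -t mangle -P "$chain" ACCEPT
  done
}

case "$1" in
  start)
    start || exit 1
    ;;
  stop)
    stop || exit 1
    ;;
  restart|force-reload)
    # Between stop() and the DROP policies at the top of start() the host
    # briefly accepts everything; keep that window in mind on exposed hosts.
    stop
    start || exit 1
    ;;
  *)
    N=/etc/init.d/$NAME
    abort "Usage: $N {start|stop|restart|force-reload}"
    ;;
esac
exit 0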