authorJérôme Schneider <jschneider@entrouvert.com>2011-03-07 17:12:12 (GMT)
committerJérôme Schneider <jschneider@entrouvert.com>2011-03-07 17:12:12 (GMT)
commit499b1db1f685a0cac432fe1e5b885dccce6565c7 (patch)
treeb49f080d27d7c1130c29f85e238c15018f18e695
Rename firewall to eofirewall and add a minimal makefile
-rw-r--r--Makefile17
-rw-r--r--README4
-rwxr-xr-xfirewall248
-rw-r--r--firewall.conf45
-rw-r--r--iptables.conf2
5 files changed, 316 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..0327b4b
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,17 @@
+##
+## Makefile for firewall
+##
+## Made by jerome schneider Entr'ouvert
+## Login <jschneider@entrouvert.org>
+##
+
+NAME = firewall
+RM = rm -rf
+DESTDIR=
+
+install:
+ install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d/
+ install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/
+ install -m 0640 -o root -g root iptables.conf $(DESTDIR)/etc/rsyslog.d
+ install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
+
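Review bot: `install` is not declared phony, so a file or directory named `install` in the checkout makes `make install` report "up to date" and silently do nothing; add `.PHONY: install` above the rule. It is also the only goal and therefore the default, which means a bare `make` performs the root-level system installation — an explicit `all:` target (or `.DEFAULT_GOAL`) would make installing opt-in. `RM = rm -rf` is defined but never used, since there is no `clean` target. The recipe copies `iptables.conf` into `$(DESTDIR)/etc/rsyslog.d` but nothing reloads rsyslog, so the new log routing only takes effect after a restart; either note that in the README or document it with a comment on the rule, e.g. `# rsyslog must be restarted for iptables.conf to take effect`.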
diff --git a/README b/README
new file mode 100644
index 0000000..3b0d7ad
--- /dev/null
+++ b/README
@@ -0,0 +1,4 @@
+= INSTALLATION =
+ * Install rsyslog
+ * make install
+ * use /etc/init.d/firewall [stop | start | restart]
diff --git a/firewall b/firewall
new file mode 100755
index 0000000..94131d2
--- /dev/null
+++ b/firewall
@@ -0,0 +1,248 @@
+#!/bin/bash
+
+### BEGIN INIT INFO
+# Provides: firewall.sh
+# Required-Start: $remote_fs $syslog $network
+# Required-Stop: $remote_fs $syslog $network
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Iptables firewall
+# Description: An iptables firewall
+### END INIT INFO
+
+source /etc/firewall.conf
+NAME="firewall.sh"
+
+abort()
+{
+ message=$@
+ echo >&2
+ echo -e "$message" >&2
+ echo >&2
+ exit 1
+}
+
+clean()
+{
+ $IPTABLES -F
+ $IPTABLES -F INPUT
+ $IPTABLES -F OUTPUT
+ $IPTABLES -F FORWARD
+ $IPTABLES -F -t mangle
+ $IPTABLES -F -t nat
+ $IPTABLES -X
+}
+
+forward_port()
+{
+ traffic=$1
+ source=$(echo $traffic | cut -d "-" -f1)
+ port=$(echo $traffic | cut -d "-" -f2)
+ destination=$(echo $traffic | cut -d "-" -f3)
+ proto=$(echo $traffic | cut -d "-" -f4)
+ dest_ip=$(echo $destination | cut -d ":" -f1)
+ dest_port=$(echo $destination | cut -d ":" -f2)
+
+ echo "+ Forward $port to $destination for protocol $proto"
+ $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ! INVALID -j ACCEPT
+ $IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
+}
+
+port_redirection()
+{
+ redirection=$1
+ int=$(echo $traffic | cut -d "-" -f1)
+ srcport=$(echo $traffic | cut -d "-" -f2)
+ destport=$(echo $traffic | cut -d "-" -f3)
+ proto=$(echo $traffic | cut -d "-" -f4)
+
+ echo "+ Redirect $int port $srcport to $destport for portocol $proto"
+ iptables -t nat -A PREROUTING -i $int -p $proto --dport $srcport -j REDIRECT --to-port $destport
+}
+
+start()
+{
+ echo "Starting: Firewall"
+ modprobe ip_conntrack
+ clean
+
+ # default policies
+ $IPTABLES -P INPUT DROP
+ $IPTABLES -P FORWARD DROP
+ $IPTABLES -P OUTPUT DROP
+
+ ## allow packets coming from the machine
+ $IPTABLES -A INPUT -i lo -j ACCEPT
+ $IPTABLES -A OUTPUT -o lo -j ACCEPT
+
+ echo "+ Allow WAN outgoing traffic"
+ $IPTABLES -A OUTPUT -o $WAN_INT -p all -m state --state ! INVALID -j ACCEPT
+ $IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+ if [ $LAN == 1 ]; then
+ echo "+ Allow WAN outgoing traffic from lan"
+ $IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state --state ! INVALID -j ACCEPT
+ $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ echo "+ Allow local network"
+ $IPTABLES -A OUTPUT -o $LAN_INT -p all -j ACCEPT
+ $IPTABLES -A INPUT -i $LAN_INT -p all -j ACCEPT
+ for ALLOW_INT in $ALLOW_INTS; do
+ echo "+ Allow WAN outgoing traffic for interface $ALLOW_INT"
+ $IPTABLES -A FORWARD -i $ALLOW_INT -o $WAN_INT -p all -m state --state ! INVALID -j ACCEPT
+ $IPTABLES -A FORWARD -i $WAN_INT -o $ALLOW_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ echo "+ Allow local network"
+ $IPTABLES -A OUTPUT -o $ALLOW_INT -p all -j ACCEPT
+ $IPTABLES -A INPUT -i $ALLOW_INT -p all -j ACCEPT
+ done
+ fi
+
+ ## block spoofing
+ echo "+ Block spoofing"
+ echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+
+ ## NMAP FIN/URG/PSH
+ echo "+ Block scan ports"
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+
+ ## stop Xmas Tree type scanning
+ echo "+ Block Xmas Tree"
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+ ## stop null scanning
+ echo "+ Block null scanning"
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP
+ ## SYN/RST
+ echo "+ Block SYN/RST"
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+ ## SYN/FIN
+ echo "+ Block SYN/FIN"
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4
+ $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+
+ ## stop sync flood
+ echo "+ Block Syn flood"
+ echo "1" >/proc/sys/net/ipv4/tcp_syncookies
+ echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog
+
+ if [ $PING == 1 ]; then
+ echo "+ PING allowed"
+ ## stop ping flood attack
+ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+ echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+ # Don't accept ICMP redirect messages
+ echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
+ # Don't send ICMP redirect messages
+ echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+ $IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
+ $IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "iptables: PING-FLOOD: " --log-ip-options --log-level 4
+ $IPTABLES -A INPUT -p icmp -j DROP
+ fi
+
+ if [ $FTP == 1 ]; then
+ echo "+ FTP allowed"
+ modprobe ip_conntrack_ftp
+ $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
+ # Data
+ $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
+ $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
+ # Passive mod
+ $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
+ $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+ fi
+
+
+ ## OPEN PORTS
+ for traffic in $OPEN_PORTS; do
+ source=$(echo $traffic | cut -d "-" -f1)
+ proto=$(echo $traffic | cut -d "-" -f2)
+ ports=$(echo $traffic | cut -d "-" -f3)
+ for port in $(echo $ports | sed 's/,/ /g'); do
+ echo "+ Open port $port to $source for protocol $proto"
+ $IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $IP --dport $port -m state --state ! INVALID -j ACCEPT
+ done
+ done
+
+ ## Port forwading
+ for traffic in $TRAFFICS; do
+ forward_port $traffic
+ done
+
+ ## Port redirection
+ for redirection in $REDIRECTIONS; do
+ port_redirection $redirection
+ done
+
+ ## NAT
+ if [ $NAT == 1 ]; then
+ echo "+ Activate nat"
+ modprobe ip_nat_ftp
+ modprobe ip_nat_irc
+ $IPTABLES -t nat -A POSTROUTING -s $LAN_NETWORK -j MASQUERADE
+ fi
+
+ ipt_hook
+
+ ## LOG
+ ## Create a LOGDROP chain to log and drop packets
+ $IPTABLES -N LOGDROP
+ $IPTABLES -A LOGDROP -j LOG --log-prefix "iptables: " --log-level 4
+ $IPTABLES -A LOGDROP -j DROP
+
+ $IPTABLES -A INPUT -j LOGDROP
+ $IPTABLES -A OUTPUT -j LOGDROP
+ $IPTABLES -A FORWARD -j LOGDROP
+}
+
+
+stop()
+{
+ echo "+ Firewall stoped"
+ $IPTABLES -t filter -F
+ $IPTABLES -t filter -X
+
+ $IPTABLES -t filter -P INPUT ACCEPT
+ $IPTABLES -t filter -P FORWARD ACCEPT
+ $IPTABLES -t filter -P OUTPUT ACCEPT
+
+ $IPTABLES -t nat -F
+ $IPTABLES -t nat -X
+
+ $IPTABLES -t nat -P PREROUTING ACCEPT
+ $IPTABLES -t nat -P OUTPUT ACCEPT
+ $IPTABLES -t nat -P POSTROUTING ACCEPT
+
+ $IPTABLES -t mangle -F
+ $IPTABLES -t mangle -X
+
+ $IPTABLES -t mangle -P PREROUTING ACCEPT
+ $IPTABLES -t mangle -P INPUT ACCEPT
+ $IPTABLES -t mangle -P FORWARD ACCEPT
+}
+
+case "$1" in
+ start)
+ start || exit 1
+ ;;
+ stop)
+ stop || exit 1
+ ;;
+ restart|force-reload)
+ stop
+ start || exit 1
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ abort "Usage: $N {start|stop|restart|force-reload}" >&2
+ ;;
+esac
+
+exit 0
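Review bot: `port_redirection` assigns `redirection=$1` but then cuts every field from `$traffic`, so each REDIRECTIONS entry is parsed from whatever the earlier `for traffic in …` loops (OPEN_PORTS, TRAFFICS) left behind, and the resulting rule is appended with a bare `iptables` instead of `$IPTABLES` — the fields should come from `$redirection`, as below. Separately, the `accept_redirects`/`send_redirects` sysctls are only written inside `if [ $PING == 1 ]`, although they are unrelated to allowing ping; moving them next to the `rp_filter` line applies that hardening unconditionally. Because no `set -e` is used and `start || exit 1` only reflects the last `$IPTABLES` call, a rule that fails earlier in `start` (for example any `-d $IP` rule while `IP` is still the placeholder from firewall.conf) is skipped silently after the INPUT policy has already been set to DROP, which can lock out remote access; checking the exit status of each `$IPTABLES` call through a small wrapper would at least surface the failure. `NAME="firewall.sh"` and `# Provides: firewall.sh` do not match the installed path `/etc/init.d/firewall` used by the Makefile and README, so the usage message and LSB header name a script that does not exist. The echo strings "portocol" and "stoped" are also misspelled.
```shell
port_redirection()
{
 redirection=$1
 int=$(echo $redirection | cut -d "-" -f1)
 srcport=$(echo $redirection | cut -d "-" -f2)
 destport=$(echo $redirection | cut -d "-" -f3)
 proto=$(echo $redirection | cut -d "-" -f4)
 # … unchanged: echo "+ Redirect …" …
 $IPTABLES -t nat -A PREROUTING -i $int -p $proto --dport $srcport -j REDIRECT --to-port $destport
```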
diff --git a/firewall.conf b/firewall.conf
new file mode 100644
index 0000000..5e7827a
--- /dev/null
+++ b/firewall.conf
@@ -0,0 +1,45 @@
+IPTABLES=/sbin/iptables
+
+# WAN configuration
+WAN_INT='ethX'
+IP='x.x.x.x'
+
+# Allow ping
+PING=1
+
+# Allow FTP server (passive and active)
+FTP=0
+
+# NAT LAN_NETWORK
+NAT=0
+LAN_NETWORK=''
+# Allow traffic between the WAN and LAN
+LAN=0
+LAN_INT='ethX'
+
+# Allow all traffic for interface(s)
+# example ALLOW_INTS='br0 xenbr42'
+ALLOW_INTS=''
+
+# Open ports
+# source-protocole-portx:porty,portz,porta,... source-protocole-portx:porty,portz,.. ...
+# example : OPEN_PORTS='0.0.0.0/0-tcp-ssh,imap,imaps 0.0.0.0/0-udp-1342'
+OPEN_PORTS='0.0.0.0/0-tcp-ssh'
+
+# Port forwarding
+# source-port-destination:port-protocole source-port-destination:port-protocole ...
+# example : TRAFFICS='0.0.0.0/0-80-192.168.0.42:80-tcp 42.42.42.42-4242-192.168.0.43:22-tcp'
+TRAFFICS=""
+
+# Port redirection
+# interface-sourceport-destport-protocole
+# example : REDIRECTIONS='$LAN_INT-25-4242-tcp $WAN_INT-25-4242-udp eth42-32-25-tcp'
+REDIRECTIONS=""
+
+# Hook point to write your own iptables rules
+ipt_hook()
+{
+ echo "+ Load your own iptables rules"
+ # Write your own iptables rules here
+}
+
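Review bot: The placeholder `IP='x.x.x.x'` is not a valid address, yet the init script passes it as `-d $IP`/`-s $IP` in the OPEN_PORTS, FTP and forwarding rules, so an unedited config makes those rules fail at iptables time; a comment such as `# IP: public address of $WAN_INT -- must be set before the firewall is started` above the assignment would make the requirement explicit. The REDIRECTIONS example uses single quotes, so `$LAN_INT` and `$WAN_INT` would stay literal if copied; it should read `# example : REDIRECTIONS="$LAN_INT-25-4242-tcp $WAN_INT-25-4242-udp eth42-32-25-tcp"`. This file is sourced by the init script as root and defines `ipt_hook`, so it is executable code rather than data; a header comment stating that it must stay owned by root and not be writable by other users (the Makefile installs it 0640 root:root) documents why those permissions matter. The comments also spell "protocole" where "protocol" is meant.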
diff --git a/iptables.conf b/iptables.conf
new file mode 100644
index 0000000..455207a
--- /dev/null
+++ b/iptables.conf
@@ -0,0 +1,2 @@
+:msg,contains,"iptables:" /var/log/iptables.log
+& ~
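Review bot: Every kernel message containing `iptables:` is routed to /var/log/iptables.log, but nothing in this commit rotates that file and the LOGDROP chain in `firewall` logs each dropped packet with no `-m limit`, so sustained unwanted traffic grows the log without bound; pair this with a logrotate entry for the file or a rate limit on the LOG rule. `& ~` discards the matched message from further processing, so these entries no longer reach the default syslog files, which is worth stating for anyone searching the main log, e.g. `# iptables LOG lines go only to /var/log/iptables.log; "& ~" drops them from other logs`.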