firewall: use users chains everywhere

Jérôme Schneider 2013-11-14 18:56:58 +01:00
parent 39fb640472
commit 5cc34f7b41
2 changed files with 118 additions and 60 deletions

172
firewall

@ -21,13 +21,21 @@ abort()
exit 1
}
chain_exists()
{
local chain_name="$1" ; shift
[ $# -eq 1 ] && local table="--table $1"
iptables $table -n --list "$chain_name" >/dev/null 2>&1
}
if [ -f "/etc/firewall/firewall.conf" ]; then
source /etc/firewall/firewall.conf
else
abort "No configuration file /etc/firewall/firewall.conf"
fi
clean()
flush()
{
$IPTABLES -t filter -F
$IPTABLES -t filter -X
@ -51,6 +59,59 @@ clean()
$IPTABLES -t mangle -P FORWARD ACCEPT
}
clean()
{
$IPTABLES -t filter -P INPUT ACCEPT
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
if chain_exists EO-INPUT; then
$IPTABLES -D INPUT -j EO-INPUT
$IPTABLES -F EO-INPUT
$IPTABLES -X EO-INPUT
fi
if chain_exists EO-OUTPUT; then
$IPTABLES -D OUTPUT -j EO-OUTPUT
$IPTABLES -F EO-OUTPUT
$IPTABLES -X EO-OUTPUT
fi
if chain_exists EO-FORWARD; then
$IPTABLES -D FORWARD -j EO-FORWARD
$IPTABLES -F EO-FORWARD
$IPTABLES -X EO-FORWARD
fi
if chain_exists LOGDROP; then
$IPTABLES -D INPUT -j LOGDROP
$IPTABLES -D OUTPUT -j LOGDROP
$IPTABLES -D FORWARD -j LOGDROP
$IPTABLES -F LOGDROP
$IPTABLES -X LOGDROP
fi
}
init()
{
clean
test_config
modprobe ip_conntrack
$IPTABLES -N EO-INPUT
$IPTABLES -N EO-OUTPUT
$IPTABLES -N EO-FORWARD
$IPTABLES -N LOGDROP
# default policies
log_action_msg "DROP Input, Forward and Output by default"
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
}
test_config()
{
# FIXME: test if the interface and the ip exist
@ -63,7 +124,7 @@ critical_return()
{
if [ `echo $?` != 0 ]; then
log_failure_msg "Error on the last command firewall will be stop"
stop
flush
exit 1
fi
}
@ -87,7 +148,7 @@ forward_port()
log_warning_msg "You must add a LAN interface (LAN_INT) for a port forward"
else
log_action_msg "Forward $port to $destination for protocol $proto"
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
fi
fi
@ -109,7 +170,7 @@ open_port()
fi
source=$1
log_action_msg "Open port(s) $ports from $source to $destination for protocol $proto"
$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination -m multiport --dports $ports -m state --state NEW -j ACCEPT
$IPTABLES -A EO-INPUT -i $WAN_INT -p $proto -s $source -d $destination -m multiport --dports $ports -m state --state NEW -j ACCEPT
critical_return
}
@ -145,70 +206,67 @@ port_knocking()
((i++))
tock_number=$knock_number$i
if [ $i -gt 1 ]; then
iptables -N toc${tock_number}
iptables -A toc${tock_number} -m recent --name toc$((${tock_number}-1)) --remove
iptables -A toc${tock_number} -m recent --name toc${tock_number} --set
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$((${tock_number}-1)) -j toc${tock_number}
iptables -N EO-TOC${tock_number}
iptables -A EO-TOC${tock_number} -m recent --name EO-TOC$((${tock_number}-1)) --remove
iptables -A EO-TOC${tock_number} -m recent --name EO-TOC${tock_number} --set
iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name EO-TOC$((${tock_number}-1)) -j EO-TOC${tock_number}
else
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number}
iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name EO-TOC${tock_number}
fi
done
log_action_msg "Port knocking for $ports with combinaison $knock_ports on $WAN_INT"
for port in $(echo $ports | sed 's/,/ /g'); do
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name EO-TOC${tock_number} -m state --state NEW -j ACCEPT
done
}
start()
{
test_config
modprobe ip_conntrack
clean
# default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
init
## allow packets coming from the machine
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
log_action_msg "Accept lo interface"
$IPTABLES -A EO-INPUT -i lo -j ACCEPT
$IPTABLES -A EO-OUTPUT -o lo -j ACCEPT
log_action_msg "Allow WAN outgoing traffic"
$IPTABLES -A OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A EO-INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 1 ]; then
log_action_msg "Allow WAN outgoing traffic"
$IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
fi
critical_return
if [ $LAN == 1 ]; then
log_action_msg "Allow WAN outgoing traffic from lan"
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -d $LAN_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -s $LAN_NETWORK -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p all -d $LAN_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A EO-FORWARD -i $LAN_INT -o $WAN_INT -p all -s $LAN_NETWORK -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
log_action_msg "Allow local network"
$IPTABLES -A OUTPUT -o $LAN_INT -s $LAN_NETWORK -p all -j ACCEPT
$IPTABLES -A INPUT -i $LAN_INT -d $LAN_NETWORK -p all -j ACCEPT
$IPTABLES -A EO-OUTPUT -o $LAN_INT -s $LAN_NETWORK -p all -j ACCEPT
$IPTABLES -A EO-INPUT -i $LAN_INT -d $LAN_NETWORK -p all -j ACCEPT
fi
## block spoofing
log_action_msg "Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN"
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
## NMAP FIN/URG/PSH
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
## stop Xmas Tree type scanning
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
## stop null scanning
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP
## SYN/RST
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## SYN/FIN
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
## stop sync flood
log_action_msg "Block Syn flood"
@ -217,22 +275,22 @@ start()
if [ $PING == 1 ]; then
log_action_msg "PING allowed"
iptables -A INPUT -p icmp --icmp-type ping -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type ping -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type ping -j ACCEPT
iptables -A EO-INPUT -p icmp --icmp-type ping -j ACCEPT
iptables -A EO-OUTPUT -p icmp --icmp-type ping -j ACCEPT
iptables -A EO-FORWARD -p icmp --icmp-type ping -j ACCEPT
fi
if [ $FTP == 1 ]; then
log_action_msg "FTP allowed"
modprobe ip_conntrack_ftp
$IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
# Data
$IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
# Passive mod
$IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
fi
## Open Ports
@ -278,9 +336,12 @@ start()
ipt_hook
$IPTABLES -A INPUT -j EO-INPUT
$IPTABLES -A OUTPUT -j EO-OUTPUT
$IPTABLES -A FORWARD -j EO-FORWARD
## LOG
## Create a LOGDROP chain to log and drop packets
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -p tcp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied tcp: " --log-level 4
$IPTABLES -A LOGDROP -p udp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied udp: " --log-level 4
$IPTABLES -A LOGDROP -p icmp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied icmp: " --log-level 4
@ -289,15 +350,9 @@ start()
$IPTABLES -A INPUT -j LOGDROP
$IPTABLES -A OUTPUT -j LOGDROP
$IPTABLES -A FORWARD -j LOGDROP
}
stop()
{
clean
}
case "$1" in
start|restore)
log_daemon_msg "Starting firewall"
@ -310,7 +365,7 @@ case "$1" in
;;
stop)
log_daemon_msg "Stopping firewall"
stop || exit 1
clean || exit 1
log_end_msg 0
;;
test)
@ -325,7 +380,7 @@ case "$1" in
iptables-restore < /etc/network/iptables-save
log_action_msg "Old rules restored"
else
stop
flush
log_action_msg "Rules flushed"
fi
log_action_msg "If you are happy with this new rules please use save option"
@ -336,6 +391,9 @@ case "$1" in
iptables-save > /etc/network/iptables-save
log_end_msg 0
;;
flush)
flush
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|restore|save|test|stop}"
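Review bot: The new test `if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 1 ]; then` in start() breaks on a firewall.conf that predates this commit: the variable is introduced here (the config hunk renames `ALLOW_OUTOUT_EVERYWHERE` to `ALLOW_WAN_OUTOUT_EVERYWHERE`), so with an older config the unquoted expansion is empty, `[` fails with a unary-operator error, the branch is skipped, and the host silently loses new outgoing WAN connections under the DROP policy while `critical_return` on the next line sees the zero status of the `if` compound and does not notice. Quote the expansion and give it an explicit default, `if [ "${ALLOW_WAN_OUTOUT_EVERYWHERE:-0}" -eq 1 ]; then` (or abort from test_config when it is unset), so that the behaviour on a stale config is a deliberate choice rather than a shell error. Separately, chain_exists() and the rewritten port-knocking lines call bare `iptables` while every other rule in the file goes through `$IPTABLES` (set in the config), so a non-default binary path would be checked against one iptables and programmed through another; `$IPTABLES` belongs there too. Finally, the `flush)` case added to the dispatcher is not reflected in the usage line, which should read `echo "Usage: $N {start|restore|save|test|stop|flush}"`.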


@ -1,8 +1,8 @@
IPTABLES=/sbin/iptables
## WAN configuration
WAN_INT='' # WAN interface
IP='' # WAN IP
WAN_INT='eth0' # WAN interface
IP='192.168.0.1' # WAN IP
PING=1 # Allow ping
FTP=0 # Allow FTP server (passive and active)
@ -14,7 +14,7 @@ LAN=0 # Allow traffic between the WAN and LAN
LAN_INT='' # LAN interface
## Allow OUTPUT for everything
ALLOW_OUTOUT_EVERYWHERE=0
ALLOW_WAN_OUTOUT_EVERYWHERE=1
## Allow all traffic for interface(s)
# example ALLOW_INTS='br0 xenbr42'