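#!/bin/bash
#################################################################################
#
# Created......: 17 August 2001
# Last Modified: 13/09/2001 20:28
# Author.......: Skylinux
# Version......: 0.2.2
# Download.....: http://home.earthlink.net/~skylinux/
#
#################################################################################
#
# Source:
#
#  - James Stephens' Iptables script @
#    http://www.cs.princeton.edu/~jns/security/iptables/index.html
#  - Linux 2.4 Packet Filtering HOWTO
#  - Linux 2.4 NAT HOWTO
#
#################################################################################
#
# Change Log:
#
#  v0.2.2 -added FORWARD icmp rule
#
#  v0.2   -fixed the FTP forward problem,
#         -removed some "double rules",
#  v0.11  -added NetBus,Back Orifice & Trin00 protection
#
#################################################################################
#
# To do List:
#
#  - add Netkiller flood protection
#  - implement script with start/stop function
#  - add mirror function (attacker is scanning himself)
#  - add another TCP_SERVICES_OUT_* Setting like FORWARD_PORTS_2
#  - fix the error message from the ICQ rule while starting firewall
#
#################################################################################
#
# Documentation
# -------------
# This firewall script uses the default policy DROP EVERYTHING; in order to get
# all the services working you need to adjust the "Standard Settings".
#
#  - IPTABLES="/usr/sbin/iptables"
#      Path of your "iptables" executable ("whereis iptables" finds it).
#  - INT_IF="eth0"
#      Name of your INTERNAL NIC (Network Interface Card), eg: "eth0" "eth1".
#  - BROADCAST="192.168.3.255/24"
#      BROADCAST address of your network, eg: "192.168.0.255/24".
#  - EXT_IF="ppp0"
#      Your EXTERNAL INTERFACE: "ppp0" for dial up, one of your Ethernets for
#      broadband.
#  - FORWARD_PORTS_1="22,80"
#      Ports FORWARDED from your INTERNAL INTERFACE to your EXTERNAL INTERFACE
#      (multiport match: maximum 15 ports per list).
#  - FORWARD_PORTS_2="194,443"
#      Same as above, for when you need more than 15 ports. To prevent error
#      messages enter at least one port here.
#  - TCP_SERVICES_IN_INT_IF="6"
#      Server ports you want to export to your LOCAL NETWORK. Enter at least one
#      value to prevent error messages; port 6 is Unassigned.
#  - TCP_SERVICES_IN_EXT_IF="80"
#      Server ports you want to export to your EXTERNAL INTERFACE (Internet).
#      Enter at least one value; port 6 is Unassigned.
#  - TCP_SERVICES_OUT_INT_IF="22,80"
#      Ports the firewall machine itself may connect to INSIDE your network.
#      Enter at least one value; port 6 is Unassigned.
#  - TCP_SERVICES_OUT_EXT_IF="22,80"
#      Ports the firewall machine itself may connect to OUTSIDE your local
#      network. Enter at least one value; port 6 is Unassigned.
#  - NAMESERVER_1="XXX.XXX.XXX.XXX"
#      IP of your EXTERNAL DNS1/NAMESERVER (you can get the IP from your ISP).
#  - NAMESERVER_2="XXX.XXX.XXX.XXX"
#      IP of your EXTERNAL DNS2/NAMESERVER (you can get the IP from your ISP).
#  - LOOPBACK="127.0.0.0/8"
#      Your loopback network; don't change this unless you know what you are
#      doing. (Currently not referenced by any rule; loopback is matched by
#      interface "lo" instead.)
#  - CLASS_A="10.0.0.0/8"
#      Blocks this private (Class A) range coming in through your EXTERNAL
#      interface, because it will be spoofed.
#  - CLASS_B="172.16.0.0/12"
#      Blocks the whole private 172.16.0.0-172.31.255.255 (Class B) range
#      coming in through your EXTERNAL interface, because it will be spoofed.
#  - CLASS_C="192.168.0.0/16"
#      Blocks all private 192.168.x.x (Class C) networks coming in through your
#      EXTERNAL interface, because they will be spoofed.
#  - XSERVER_PORTS="6000:6063"
#      Most X servers listen at these ports. (Currently not referenced by any
#      rule; the default DROP policy already refuses them from outside.)
#  - ICQ_PORT_TCP="5190"
#      Default port where ICQ connects to the ICQ network (tcp).
#  - ICQ_PORT_UDP="4000"
#      Default port where ICQ connects to the ICQ network (udp).
#  - TROJAN_PORTS_TCP="12345,12346"
#      INCOMING tcp requests to these ports are logged and dropped. Add more
#      ports (max 15) or use port 6 to disable this feature.
#  - TROJAN_PORTS_UDP="27444,31335"
#      INCOMING udp requests to these ports are logged and dropped. Add more
#      ports (max 15) or use port 6 to disable this feature.
#
#################################################################################

# Abort on use of an unset variable; every setting below is expected to be set.
# Deliberately NOT using "set -e": a failure midway would leave the DROP
# policies in place with an incomplete rule set, so each step reports and
# continues instead.
set -u

##########
# Standard Settings
IPTABLES="/usr/sbin/iptables"
INT_IF="eth0"
BROADCAST="192.168.1.255/24"
EXT_IF="ppp0"
FORWARD_PORTS_1="20,21,22,23,25,79,80,81,110,119"
FORWARD_PORTS_2="194,443"
TCP_SERVICES_IN_INT_IF="22,80"
TCP_SERVICES_IN_EXT_IF="80"
TCP_SERVICES_OUT_INT_IF="22,80"
TCP_SERVICES_OUT_EXT_IF="21,22,80,119"
NAMESERVER_1="207.217.126.81"
NAMESERVER_2="207.217.77.82"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
# RFC 1918 private block is 172.16.0.0/12; the earlier /16 left
# 172.17.0.0-172.31.255.255 unfiltered on the external interface.
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
UP_PORTS="1024:65535"
XSERVER_PORTS="6000:6063"
ICQ_PORT_TCP="5190"
ICQ_PORT_UDP="4000"
TROJAN_PORTS_TCP="12345,12346,1524,27665,31337"
TROJAN_PORTS_UDP="12345,12346,27444,31335,31337"

#######################################
# Write a value to a /proc/sys file, warning instead of aborting when the
# file is absent (kernel without CONFIG_SYSCTL or the option).
# Arguments: $1 - /proc path, $2 - value to write
#######################################
write_proc() {
  local path=$1
  local value=$2
  if [[ -w "$path" ]]; then
    printf '%s\n' "$value" > "$path"
  else
    printf 'warning: cannot write %s (is CONFIG_SYSCTL enabled?)\n' "$path" >&2
  fi
}

#######################################
# Load the netfilter modules; ip_conntrack_ftp is what makes active-FTP
# data connections show up as RELATED below.
#######################################
load_modules() {
  local mod
  for mod in ip_tables ip_conntrack ip_conntrack_ftp; do
    modprobe "$mod" || printf 'warning: modprobe %s failed\n' "$mod" >&2
  done
}

#######################################
# Flush all rules and counters and delete user-defined chains.
# (-F with no chain already flushes INPUT/FORWARD/OUTPUT of the filter table.)
#######################################
flush_rules() {
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -Z
  "$IPTABLES" -t nat -F PREROUTING
  "$IPTABLES" -t nat -F POSTROUTING
}

#######################################
# Default policies: DROP EVERYTHING. Set before any other rule or sysctl so
# there is no window in which forwarding is enabled with an ACCEPT policy.
#######################################
set_policies() {
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT DROP
}

#######################################
# Kernel parameters; you need CONFIG_SYSCTL defined in your kernel.
# IP forwarding itself is switched on last, in main, once the FORWARD
# rules exist.
#######################################
tune_kernel() {
  local iface
  # SYN Cookie Protection
  write_proc /proc/sys/net/ipv4/tcp_syncookies 1
  # Disable response to ping
  write_proc /proc/sys/net/ipv4/icmp_echo_ignore_all 1
  # Disable response to broadcasts
  write_proc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  # Don't accept source routed packets
  write_proc /proc/sys/net/ipv4/conf/all/accept_source_route 0
  # Don't send ICMP redirects
  write_proc /proc/sys/net/ipv4/conf/all/send_redirects 0
  # Disable ICMP redirect acceptance
  write_proc /proc/sys/net/ipv4/conf/all/accept_redirects 0
  # Enable bad error message protection
  write_proc /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
  # Turn on reverse path filtering on every interface
  for iface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    write_proc "$iface" 1
  done
  # Log spoofed packets, source routed packets, redirect packets
  write_proc /proc/sys/net/ipv4/conf/all/log_martians 1
}

#######################################
# Deny packets claiming to be to or from a private Class A/B/C network on
# the external interface ($EXT_IF); such addresses are spoofed there.
#######################################
add_antispoof_rules() {
  local net
  for net in "$CLASS_A" "$CLASS_B" "$CLASS_C"; do
    "$IPTABLES" -A INPUT -i "$EXT_IF" -s "$net" -j DROP
    "$IPTABLES" -A INPUT -i "$EXT_IF" -d "$net" -j DROP
  done
  for net in "$CLASS_A" "$CLASS_B" "$CLASS_C"; do
    "$IPTABLES" -A OUTPUT -o "$EXT_IF" -s "$net" -j DROP
    "$IPTABLES" -A OUTPUT -o "$EXT_IF" -d "$net" -j DROP
  done
}

#######################################
# Flood / port-scanner protection: bare RST packets (RST set, SYN/ACK/FIN
# clear) on an interface are rate-limited to 1/s with a burst of 4 and
# dropped beyond that. A --syn variant is kept commented out as in the
# original.
# Arguments: $1 - interface, $2 - chain name
#######################################
add_scan_protection() {
  local iface=$1
  local chain=$2
  "$IPTABLES" -N "$chain"
  "$IPTABLES" -F "$chain"
  "$IPTABLES" -A INPUT -i "$iface" -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j "$chain"
  #"$IPTABLES" -A INPUT -i "$iface" -p tcp --syn -j "$chain"
  "$IPTABLES" -A "$chain" -m limit --limit 1/s --limit-burst 4 -j RETURN
  "$IPTABLES" -A "$chain" -j DROP
}

#######################################
# Packet sanity rules: NEW tcp connections must be SYN packets, fragments
# are logged and dropped, and directed broadcasts from outside are dropped.
#######################################
add_sanity_rules() {
  local iface
  for iface in "$INT_IF" "$EXT_IF"; do
    # Make sure NEW tcp connections are SYN packets
    "$IPTABLES" -A INPUT -i "$iface" -p tcp ! --syn -m state --state NEW -j DROP
  done
  # Block incoming fragments
  "$IPTABLES" -A INPUT -i "$INT_IF" -f -j LOG --log-prefix "IPTABLES FRAGMENTS $INT_IF: "
  "$IPTABLES" -A INPUT -i "$INT_IF" -f -j DROP
  "$IPTABLES" -A INPUT -i "$EXT_IF" -f -j LOG --log-prefix "IPTABLES FRAGMENTS $EXT_IF: "
  "$IPTABLES" -A INPUT -i "$EXT_IF" -f -j DROP
  # Drop broadcast packets
  "$IPTABLES" -A INPUT -i "$EXT_IF" -d "$BROADCAST" -j DROP
}

#######################################
# Trojan protection: log, then drop, incoming requests to well-known
# trojan ports on both interfaces.
#######################################
add_trojan_rules() {
  "$IPTABLES" -A INPUT -i "$INT_IF" -p tcp -m multiport --dport "$TROJAN_PORTS_TCP" -j LOG --log-prefix "IPTABLES Trojan INT_IF: "
  "$IPTABLES" -A INPUT -i "$INT_IF" -p udp -m multiport --dport "$TROJAN_PORTS_UDP" -j LOG --log-prefix "IPTABLES Trojan INT_IF: "
  "$IPTABLES" -A INPUT -i "$INT_IF" -p tcp -m multiport --dport "$TROJAN_PORTS_TCP" -j DROP
  "$IPTABLES" -A INPUT -i "$INT_IF" -p udp -m multiport --dport "$TROJAN_PORTS_UDP" -j DROP
  "$IPTABLES" -A INPUT -i "$EXT_IF" -p tcp -m multiport --dport "$TROJAN_PORTS_TCP" -j LOG --log-prefix "IPTABLES Trojan EXT_IF: "
  "$IPTABLES" -A INPUT -i "$EXT_IF" -p udp -m multiport --dport "$TROJAN_PORTS_UDP" -j LOG --log-prefix "IPTABLES Trojan EXT_IF: "
  "$IPTABLES" -A INPUT -i "$EXT_IF" -p tcp -m multiport --dport "$TROJAN_PORTS_TCP" -j DROP
  "$IPTABLES" -A INPUT -i "$EXT_IF" -p udp -m multiport --dport "$TROJAN_PORTS_UDP" -j DROP
}

#######################################
# ICQ INPUT/OUTPUT rules for the firewall host itself (disabled).
# The author reports "hostname is not found" when these run. Most likely
# cause: at this point OUTPUT is already policy DROP and the nameserver
# rules are not yet in place, so the hostname lookup iptables performs for
# -d cannot reach the DNS servers - confirm by moving them after
# add_nameserver_rules.
#######################################
add_icq_rules() {
  #"$IPTABLES" -A OUTPUT -o "$EXT_IF" -p udp -d icq.mirabilis.com --dport "$ICQ_PORT_UDP" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  #"$IPTABLES" -A OUTPUT -o "$EXT_IF" -p tcp -d login.icq.com --dport "$ICQ_PORT_TCP" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  :
}

#######################################
# icmp INPUT/OUTPUT rules for both interfaces. The host may send any icmp;
# it only accepts icmp that belongs to an existing connection. For a list
# of icmp types check the end of this file.
#######################################
add_icmp_rules() {
  local iface
  for iface in "$INT_IF" "$EXT_IF"; do
    "$IPTABLES" -A INPUT -i "$iface" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A OUTPUT -o "$iface" -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    #"$IPTABLES" -A INPUT -i "$iface" -p icmp --icmp-type 0 -j DROP
  done
}

#######################################
# Nameserver INPUT/OUTPUT: udp queries to the two configured resolvers and
# their replies.
#######################################
add_nameserver_rules() {
  local ns
  for ns in "$NAMESERVER_1" "$NAMESERVER_2"; do
    "$IPTABLES" -A INPUT -i "$EXT_IF" -p udp -s "$ns" -m state --state ESTABLISHED -j ACCEPT
  done
  for ns in "$NAMESERVER_1" "$NAMESERVER_2"; do
    "$IPTABLES" -A OUTPUT -o "$EXT_IF" -p udp -d "$ns" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  done
}

#######################################
# INPUT rules for the firewall host itself.
#######################################
add_input_rules() {
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A INPUT -i lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A INPUT -i "$INT_IF" -p tcp -m multiport --dport "$TCP_SERVICES_IN_INT_IF" -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPTABLES" -A INPUT -i "$EXT_IF" -p tcp -m multiport --dport "$TCP_SERVICES_IN_EXT_IF" -m state --state NEW,ESTABLISHED -j ACCEPT
  #"$IPTABLES" -A INPUT -i "$EXT_IF" -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
  # Active-mode FTP data connections: with ip_conntrack_ftp loaded these
  # are RELATED, so NEW is no longer accepted here. Accepting NEW from
  # source port 20 would let any remote host that picks that source port
  # reach every local port.
  "$IPTABLES" -A INPUT -i "$EXT_IF" -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A INPUT -i "$EXT_IF" -p tcp --sport "$UP_PORTS" --dport "$UP_PORTS" -m state --state ESTABLISHED -j ACCEPT
}

#######################################
# FORWARD rules: what the LAN ($INT_IF) may open towards the Internet
# ($EXT_IF), plus replies coming back.
#######################################
add_forward_rules() {
  local ns
  local ports
  "$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
  for ns in "$NAMESERVER_1" "$NAMESERVER_2"; do
    "$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p udp -d "$ns" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  done
  for ports in "$FORWARD_PORTS_1" "$FORWARD_PORTS_2"; do
    "$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp -m multiport --dport "$ports" -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p udp -m multiport --dport "$ports" -m state --state NEW,ESTABLISHED -j ACCEPT
  done
  # ICQ for LAN clients (these hostnames are resolved when the rule is added)
  "$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p udp -d icq.mirabilis.com --dport "$ICQ_PORT_UDP" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp -d login.icq.com --dport "$ICQ_PORT_TCP" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp --sport "$UP_PORTS" --dport "$UP_PORTS" -m state --state ESTABLISHED,RELATED -j ACCEPT
  #"$IPTABLES" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
  #"$IPTABLES" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

#######################################
# OUTPUT rules for the firewall host itself.
#######################################
add_output_rules() {
  "$IPTABLES" -A OUTPUT -o "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$INT_IF" -p tcp -m multiport --sport "$TCP_SERVICES_IN_INT_IF" -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$EXT_IF" -p tcp -m multiport --sport "$TCP_SERVICES_IN_EXT_IF" -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$INT_IF" -p tcp -m multiport --dport "$TCP_SERVICES_OUT_INT_IF" -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$EXT_IF" -p tcp -m multiport --dport "$TCP_SERVICES_OUT_EXT_IF" -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$EXT_IF" -p tcp --dport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$EXT_IF" -p tcp --sport "$UP_PORTS" --dport "$UP_PORTS" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

#######################################
# POSTROUTING: masquerade everything leaving through the external interface.
#######################################
add_nat_rules() {
  "$IPTABLES" -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

#######################################
# Entry point. Rule order is what the original script used; the only
# reorderings are the DROP policies moving before everything else and
# ip_forward being enabled only after the FORWARD rules are installed.
#######################################
main() {
  echo "Starting Firewall ....."
  load_modules
  flush_rules
  set_policies
  tune_kernel
  add_antispoof_rules
  add_scan_protection "$INT_IF" syn-flood_INT_IF
  add_scan_protection "$EXT_IF" syn-flood_EXT_IF
  add_sanity_rules
  add_trojan_rules
  add_icq_rules
  add_icmp_rules
  add_nameserver_rules
  add_input_rules
  add_forward_rules
  add_output_rules
  add_nat_rules
  # Enable IP forwarding (last, so no packet is forwarded before the rules exist)
  write_proc /proc/sys/net/ipv4/ip_forward 1
  echo "Firewall STARTED"
}

main "$@"

##########
# icmp types
#
#  0      Echo Reply                            [RFC792]
#  1      Unassigned                            [JBP]
#  2      Unassigned                            [JBP]
#  3      Destination Unreachable               [RFC792]
#  4      Source Quench                         [RFC792]
#  5      Redirect                              [RFC792]
#  6      Alternate Host Address                [JBP]
#  7      Unassigned                            [JBP]
#  8      Echo                                  [RFC792]
#  9      Router Advertisement                  [RFC1256]
# 10      Router Solicitation                   [RFC1256]
# 11      Time Exceeded                         [RFC792]
# 12      Parameter Problem                     [RFC792]
# 13      Timestamp                             [RFC792]
# 14      Timestamp Reply                       [RFC792]
# 15      Information Request                   [RFC792]
# 16      Information Reply                     [RFC792]
# 17      Address Mask Request                  [RFC950]
# 18      Address Mask Reply                    [RFC950]
# 19      Reserved (for Security)               [Solo]
# 20-29   Reserved (for Robustness Experiment)  [ZSu]
# 30      Traceroute                            [RFC1393]
# 31      Datagram Conversion Error             [RFC1475]
# 32      Mobile Host Redirect                  [David Johnson]
# 33      IPv6 Where-Are-You                    [Bill Simpson]
# 34      IPv6 I-Am-Here                        [Bill Simpson]
# 35      Mobile Registration Request           [Bill Simpson]
# 36      Mobile Registration Reply             [Bill Simpson]
# 37      Domain Name Request                   [Simpson]
# 38      Domain Name Reply                     [Simpson]
# 39      SKIP                                  [Markson]
# 40      Photuris                              [Simpson]
# 41-255  Reserved                              [JBP]
##########

### END ###
# Reference snippets (not active):
#iptables -t nat -A PREROUTING --dport -i -j DNAT --to
#iptables -t nat -A PREROUTING -p tcp -i (inet iface) --dport 80 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
#iptables -t filter -A FORWARD -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j ACCEPT
#iptables -A OUTPUT -o $IFACE -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -i $IFACE -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT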