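#! /bin/sh
#
# firewall -- set up IPTables firewalling
#
# Contributed by vogt@hansenet.com
#
# This is a Debian init script (/etc/init.d/firewall); other
# distributions may need slight modifications.
#
# Policy: INPUT and FORWARD default to DROP, everything may leave.
# Inbound traffic is dispatched per protocol into the user chains
# in_tcp, in_udp and in_icmp; a packet that matches nothing in its
# chain RETURNs to INPUT and ends up in the DROP policy.
#
# NOTE: "set -e" aborts the script on the first failing command.  The
# chain policies are switched to DROP early, so an abort part-way
# through leaves the host fail-closed (nothing new gets in).  That is
# the safe direction for a firewall, but it can lock a remote
# administrator out -- run "stop" from the console to recover.
#
# Usage: /etc/init.d/firewall {start|stop}

IPTABLES="/sbin/iptables"

set -e

case "$1" in
  start)
    echo "Starting firewall: "
    # Connection tracking is required by every "-m state" rule below.
    # The module was renamed nf_conntrack in later 2.6 kernels, so try
    # the old name first and fall back to the new one.
    modprobe ip_conntrack 2>/dev/null || modprobe nf_conntrack

    echo -n "setting default policy: "
    # SYN cookies on; this host is not a router (no ip-forwarding).
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 0 > /proc/sys/net/ipv4/ip_forward
    # Clean slate: flush all rules, delete user chains, zero counters.
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -Z
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
    # Everything may leave.  Added right after the policies so that a
    # later failure under "set -e" does not leave OUTPUT fully blocked.
    $IPTABLES -A OUTPUT -j ACCEPT
    # Loopback is trusted and must be exempt from the rate limits, scan
    # logging and flood protection that follow.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Per-protocol chains.  INPUT is only made to jump into them at the
    # very end of setup, so every generic protection appended to INPUT
    # below is evaluated before any service rule can ACCEPT a packet.
    $IPTABLES -N in_icmp
    $IPTABLES -N in_tcp
    $IPTABLES -N in_udp
    echo "done"

    echo -n "spoofing, redirect and broadcast protection/logging: "
    # Reverse-path filtering: drop packets whose source address would
    # not be routed back out the interface they arrived on (spoofing).
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    # Log packets with impossible source addresses ("martians").
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    # Ignore ICMP redirects and source-routed packets; both allow a
    # remote party to steer our traffic.
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    # Do not answer pings sent to a broadcast address (smurf amplification).
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "done"

    echo -n "enabling scan detection: "
    # ipt_psd is an out-of-tree (patch-o-matic) match.  2.4 kernels ship
    # modules as .o, 2.6 as .ko; iptables autoloads the module on use.
    MODDIR="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter"
    if [ -f "$MODDIR/ipt_psd.o" ] || [ -f "$MODDIR/ipt_psd.ko" ]; then
        $IPTABLES -A INPUT -m psd -m limit --limit 5/minute -j LOG --log-prefix '#### Port Scan ####'
        echo "psd enabled"
    else
        # Without psd, log a few well-known scan signatures instead.
        # All of these are log-only; the packets are still handled by
        # the rules and policies below.
        $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/minute -j LOG --log-prefix '#### Ping Scan ####'
        # Bare RST packets can be legitimate (e.g. replies to our own
        # closed connections), so the limit here is generous.
        $IPTABLES -A in_tcp -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 -j LOG --log-level info --log-prefix '#### Stealth Scan ####'
        # Impossible flag combinations never occur in normal traffic.
        $IPTABLES -A in_tcp -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### XMAS Scan ####'
        $IPTABLES -A in_tcp -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### SYN/RST Scan ####'
        $IPTABLES -A in_tcp -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### SYN/FIN Scan ####'
        echo "limited detection enabled (no ipt_psd module)"
    fi

    echo -n "flood, fragment and various other protections: "
    # Rate-limit new TCP connections: a burst of 4, then 1 per second;
    # everything beyond that is dropped.  The limit is global, not per
    # source address, so a single flooder also throttles legitimate
    # clients -- tune the numbers for the expected load.
    # (There is no explicit fragment rule: connection tracking
    # reassembles fragments before these rules are evaluated.)
    $IPTABLES -N syn-flood
    $IPTABLES -A INPUT -p tcp --syn -j syn-flood
    $IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    $IPTABLES -A syn-flood -j DROP
    # A "new" connection whose first packet is not a SYN is bogus --
    # typically an ACK/FIN scan or a stale flow after a restart.
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # Packets conntrack cannot classify: log (rate-limited) and drop
    # explicitly rather than letting them fall through to the policy.
    $IPTABLES -A INPUT -p tcp -m state --state INVALID -m limit --limit 10/m -j LOG --log-level info --log-prefix "### Invalid Packet ###"
    $IPTABLES -A INPUT -p tcp -m state --state INVALID -j DROP
    # NOTE: --tcp-option matches TCP *option kinds*, not flag bits.
    # Kinds 64 and 128 are not assigned, so their presence is suspicious.
    # The log prefixes say "FLAG" for historical reasons and are kept
    # unchanged so existing log filters keep working; log-only.
    $IPTABLES -A INPUT -p tcp --tcp-option 64 -m limit --limit 5/m -j LOG --log-level info --log-prefix "### Bad TCP FLAG(64) ###"
    $IPTABLES -A INPUT -p tcp --tcp-option 128 -m limit --limit 5/m -j LOG --log-level info --log-prefix "### Bad TCP FLAG(128) ###"
    echo "done"

    echo -n "setting up ICMP: "
    # We answer echo requests, so restricting echo replies to RELATED
    # traffic would buy nothing; both are accepted unconditionally.
    $IPTABLES -A in_icmp -p icmp --icmp-type 0 -j ACCEPT
    $IPTABLES -A in_icmp -p icmp --icmp-type 8 -j ACCEPT
    # destination-unreachable is required (path-MTU discovery, fast
    # failure of connection attempts).
    $IPTABLES -A in_icmp -p icmp --icmp-type 3 -j ACCEPT
    # time-exceeded (11) and traceroute (30) let traceroute work;
    # not strictly required.
    $IPTABLES -A in_icmp -p icmp --icmp-type 11 -j ACCEPT
    $IPTABLES -A in_icmp -p icmp --icmp-type 30 -j ACCEPT
    echo "done"

    echo -n "enabling local and outgoing traffic: "
    # Replies on unprivileged ports to connections this host initiated.
    $IPTABLES -I in_tcp -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Reject (rather than drop) ident so remote mail/IRC servers that
    # probe us fail immediately instead of waiting for a timeout.
    $IPTABLES -I in_tcp -p tcp --dport auth -j REJECT
    echo "done"

    echo -n "enabling selected services:"
    # Each rule is inserted at the head of its chain, so the last one
    # added here is evaluated first.  Service rules deliberately accept
    # NEW as well as ESTABLISHED packets; RELATED is only needed for ftp-data.
    $IPTABLES -I in_tcp -p tcp --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
    echo -n " http"
    $IPTABLES -I in_tcp -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
    echo -n " ssh"
    $IPTABLES -I in_tcp -p tcp --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
    echo -n " smtp"
    $IPTABLES -I in_tcp -p tcp --dport imaps -m state --state NEW,ESTABLISHED -j ACCEPT
    echo -n " imaps"
    $IPTABLES -I in_tcp -p tcp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -I in_udp -p udp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    echo -n " dns"
    $IPTABLES -I in_tcp -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
    # active ftp: data connections related to an existing control session
    $IPTABLES -I in_tcp -p tcp --dport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo -n " ftp"
    # quake3.  CAUTION: this accepts *any* UDP datagram to an
    # unprivileged port, statelessly, which exposes every UDP service
    # listening above 1024.  It is also what currently lets UDP replies
    # (e.g. to our own DNS queries) back in; if this rule is removed,
    # add an "-m state --state ESTABLISHED,RELATED" UDP rule instead.
    $IPTABLES -I in_udp -p udp --dport 1024:65535 -j ACCEPT
    echo -n " quake (all UDP >1024)"
    echo " - all done"

    # Dispatch into the per-protocol chains only now, after all the
    # generic INPUT protections above, so syn-flood limiting, the
    # non-SYN NEW drop, INVALID handling and scan logging see every
    # packet before a service rule can ACCEPT it.
    $IPTABLES -A INPUT -p tcp -j in_tcp
    $IPTABLES -A INPUT -p udp -j in_udp
    $IPTABLES -A INPUT -p icmp -j in_icmp
    echo "Firewall setup complete."
    ;;
  stop)
    echo -n "Shutting down firewall: "
    # WARNING: "stop" fails open -- it removes every rule and sets all
    # policies to ACCEPT, leaving the host completely unfiltered.
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    echo "done"
    ;;
  *)
    # $0 is the path this script was invoked as; the original referenced
    # an undefined $NAME and printed "/etc/init.d/" with no script name.
    echo "Usage: $0 {start|stop}" >&2
    exit 1
    ;;
esac

exit 0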