verzia 2.1, 2004/12/11 19:50:24 |
verzia 2.8, 2005/01/04 19:57:14 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.0 2004/11/14 15:23:09 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.7 2005/01/02 13:31:46 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2004-11-14 - created |
# 2004-11-14 - created |
Riadok 116 antispoof_on() |
|
Riadok 116 antispoof_on() |
|
# clear status of iptable chains |
# clear status of iptable chains |
remove_chains() |
remove_chains() |
{ # {{{ |
{ # {{{ |
$IPTABLES -F # clear all chains |
|
$IPTABLES -X # remove all chains |
for table in filter nat mangle; do |
|
$IPTABLES -t $table -F # clear all chains |
|
$IPTABLES -t $table -X # remove all chains |
|
done |
|
|
} # }}} |
} # }}} |
|
|
# all packets on loopback are accpted |
# all packets on loopback are accpted |
|
|
anti_spoof_filter() |
anti_spoof_filter() |
{ # {{{ |
{ # {{{ |
|
|
# http://www.iana.com/assignments/ipv4-address-space |
# http://www.iana.com/assignments/ipv4-address-space |
|
|
INET_IFACE=$1 |
if [ ! -z "$ANTISPOOF_IFACE" ]; then |
|
|
$IPTABLES -N spoof |
echo -en "Turning on antispoof filter for interfaces: " |
|
$IPTABLES -N spoof |
|
|
echo "Turning on antispoof filter for interface $INET_IFACE " |
# Ochrana proti Spoogingu zo spatnej slucky |
# Ochrana proti Spoogingu zo spatnej slucky |
$IPTABLES -A spoof -s 127.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "RESERVED:127.0.0.0/8 src" |
$IPTABLES -A spoof -i $INET_IFACE -s 127.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:127.0.0.0/8 src" |
$IPTABLES -A spoof -s 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -i $INET_IFACE -s 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -d 127.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "RESERVED:127.0.0.0/8 dest" |
$IPTABLES -A spoof -i $INET_IFACE -d 127.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:127.0.0.0/8 dest" |
$IPTABLES -A spoof -d 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -i $INET_IFACE -d 127.0.0.0/8 -j DROP |
# Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete |
# Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete |
$IPTABLES -A spoof -s 192.168.0.0/16 $LOG_LIMIT -j LOG --log-prefix "RESERVED:192.168.0.0/16 src" |
$IPTABLES -A spoof -i $INET_IFACE -s 192.168.0.0/16 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:192.168.0.0/16 src" |
$IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918 |
$IPTABLES -A spoof -i $INET_IFACE -s 192.168.0.0/16 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 172.16.0.0/12 $LOG_LIMIT -j LOG --log-prefix "RESERVED:172.16.0.0/12 src" |
$IPTABLES -A spoof -i $INET_IFACE -s 172.16.0.0/12 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:172.16.0.0/12 src" |
$IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES -A spoof -i $INET_IFACE -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 10.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "RESERVED:10.0.0.0/8 src" |
$IPTABLES -A spoof -i $INET_IFACE -s 10.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:10.0.0.0/8 src" |
$IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES -A spoof -i $INET_IFACE -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES -A spoof -s 96.0.0.0/4 $LOG_LIMIT -j LOG --log-prefix "RESERVED:96.0.0.0/4 src" |
$IPTABLES -A spoof -i $INET_IFACE -s 96.0.0.0/4 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:96.0.0.0/4 src" |
$IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA |
$IPTABLES -A spoof -i $INET_IFACE -s 96.0.0.0/4 -j DROP # IANA |
|
echo " done." |
for iface in $ANTISPOOF_IFACE; do |
|
echo -en " $iface" |
|
$IPTABLES -A FORWARD -i $iface -j spoof |
|
$IPTABLES -A INPUT -i $iface -j spoof |
|
done |
|
echo " done." |
|
fi |
} # }}} |
} # }}} |
|
|
mangle_prerouting() |
mangle_prerouting() |
Riadok 261 mangle_output() |
|
Riadok 272 mangle_output() |
|
|
|
} # }}} |
} # }}} |
|
|
|
# Masquerade local subnet |
|
masquerade() |
|
{ # {{{ |
|
if [ ! -z "$NAT_LAN_IFACE" ]; then |
|
echo -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" |
|
|
|
ip="IP_$NAT_SUBNET_IFACE"; |
|
netmask="Mask_$NAT_SUBNET_IFACE" |
|
localnet="${!ip}/${!netmask}" |
|
|
|
lan_ip="IP_$NAT_LAN_IFACE" |
|
|
|
# alow packets from private subnet |
|
$IPTABLES -A FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP |
|
|
|
for redirect in $NAT_TCP_PORT_REDIRECT; do |
|
eval `echo $redirect | awk -v FS=: '{ printf "remote_port=%s; local_port=%s;", $1, $2; }'` |
|
echo -en " $remote_port:$local_port" |
|
$IPTABLES -t nat -A PREROUTING -p TCP \ |
|
-i ! $NAT_LAN_IFACE -d ! ${!lan_ip} \ |
|
--dport $remote_port -j REDIRECT --to-port $local_port |
|
done |
|
|
|
#$IPTABLES -t nat -A POSTROUTING -s $localnet -o $NAT_LAN_IFACE -j MASQUERADE |
|
$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE |
|
|
|
echo " done." |
|
|
|
# don't forward Miscrosoft protocols - NOT RFC compliant packets |
|
if [ ! -z "$NAT_FORWARD_MICROSOFT" ]; then |
|
if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then |
|
$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP |
|
|
|
for port in 69 135 445 1434 6667; do |
|
$IPTABLES -A FORWARD -p TCP --dport $port -j DROP |
|
$IPTABLES -A FORWARD -p UDP --dport $port -j DROP |
|
done |
|
fi |
|
fi |
|
|
|
if [ ! -z "$NAT_FORWARD_TCP_PORTS" ]; then |
|
echo -en "\tAccepting FORWARD TCP ports:" |
|
for port in $NAT_FORWARD_TCP_PORTS; do |
|
echo -en " $port" |
|
$IPTABLES -A FORWARD -p TCP --dport $port -m state --state NEW -j ACCEPT |
|
done |
|
echo " done." |
|
fi |
|
|
|
if [ ! -z "$NAT_FORWARD_UDP_PORTS" ]; then |
|
echo -en "\tAccepting FORWARD UDP ports:" |
|
for port in $NAT_FORWARD_UDP_PORTS; do |
|
echo -en " $port" |
|
$IPTABLES -A FORWARD -p UDP --dport $port -m state --state NEW -j ACCEPT |
|
done |
|
echo " done." |
|
fi |
|
|
|
echo -en "\tAccepting ICMP packets:" |
|
for type in $ACCEPT_ICMP_PACKETS; do |
|
echo -en " $type" |
|
$IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT |
|
done |
|
echo " done." |
|
|
|
# Keep state of connections from private subnets |
|
$IPTABLES -A OUTPUT -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT |
|
#$IPTABLES -A FORWARD -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT |
|
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
|
|
fi |
|
} # }}} |
|
|
|
log_new_connections() |
|
{ # {{{ |
|
if [ ! -z "$NAT_LOG_NEW_CONNECTIONS" ]; then |
|
if [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ]; then |
|
echo -en "Logging new connections:" |
|
$IPTABLES -A INPUT -m state --state NEW -j LOG --log-prefix "IN connection: " |
|
$IPTABLES -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT connection: " |
|
$IPTABLES -A FORWARD -m state --state NEW -j LOG --log-prefix "FWD connection: " |
|
echo " done." |
|
fi |
|
fi |
|
} # }}} |
|
|
|
drop_output() |
|
{ # {{{ |
|
|
|
for iface in $INTERFACES; do |
|
ip="IP_$iface"; |
|
drop_output_tcp="${iface}_DROP_OUTPUT_TCP" |
|
DROP_OUTPUT_TCP="${!drop_output_tcp}" |
|
drop_output_udp="${iface}_DROP_OUTPUT_UDP" |
|
DROP_OUTPUT_UDP="${!drop_output_udp}" |
|
|
|
if [ ! -z "$DROP_OUTPUT_TCP" ]; then |
|
echo -en "$iface: Dropping outgoing packets from ports:" |
|
for port in $DROP_OUTPUT_TCP; do |
|
echo -en " $port" |
|
$IPTABLES -A FORWARD -p TCP --sport $port -o $iface -j DROP |
|
$IPTABLES -A OUTPUT -p TCP --sport $port -o $iface -j DROP |
|
done |
|
echo " done." |
|
fi |
|
|
|
if [ ! -z "$DROP_OUTPUT_UDP" ]; then |
|
echo -en "$iface: Dropping outgoing packets from ports:" |
|
for port in $DROP_OUTPUT_UDP; do |
|
echo -en " $port" |
|
$IPTABLES -A FORWARD -p UDP --sport $port -o $iface -j DROP |
|
$IPTABLES -A OUTPUT -p UDP --sport $port -o $iface -j DROP |
|
done |
|
echo " done." |
|
fi |
|
done |
|
|
|
} # }}} |
|
|
allow_input() |
allow_input() |
{ # {{{ |
{ # {{{ |
|
|
|
if [ ! -z "$IFACE_ACCEPT_ALL" ]; then |
|
echo -en "Accepting ALL packets on interfaces:" |
|
for iface in $IFACE_ACCEPT_ALL; do |
|
echo -en " $iface" |
|
$IPTABLES -A INPUT -i $iface -j ACCEPT |
|
$IPTABLES -A OUTPUT -i $iface -j ACCEPT |
|
$IPTABLES -A FORWARD -i $iface -j ACCEPT |
|
done |
|
echo " done." |
|
fi |
|
|
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
echo -en "Accepting ALL INPUT TCP connections on ports:" |
echo -en "Accepting ALL INPUT TCP connections on ports:" |
for port in $ALL_ACCEPT_INPUT_TCP; do |
for port in $ALL_ACCEPT_INPUT_TCP; do |
|
|
ACCEPT_INPUT_UDP="${!accept_input_udp}" |
ACCEPT_INPUT_UDP="${!accept_input_udp}" |
|
|
if [ ! -z "$ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$ACCEPT_INPUT_TCP" ]; then |
echo -en "$iface: Accepting INPUT TCP connections on ports: " |
echo -en "$iface: Accepting INPUT TCP connections on ports:" |
for port in $ACCEPT_INPUT_TCP; do |
for port in $ACCEPT_INPUT_TCP; do |
echo -en " $port" |
echo -en " $port" |
$IPTABLES -A INPUT -i $iface -d ${!ip} -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i $iface -d ${!ip} -p TCP --dport $port -j ACCEPT |
|
|
fi |
fi |
|
|
if [ ! -z "$ACCEPT_INPUT_UDP" ]; then |
if [ ! -z "$ACCEPT_INPUT_UDP" ]; then |
echo -en "$iface: Accepting INPUT UDP connections on ports: " |
echo -en "$iface: Accepting INPUT UDP connections on ports:" |
for port in $ACCEPT_INPUT_UDP; do |
for port in $ACCEPT_INPUT_UDP; do |
echo -en " $port" |
echo -en " $port" |
#$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT |
|
|
$IPTABLES -A INPUT -p TCP --dport 113 -j REJECT --reject-with tcp-reset #AUTH server |
$IPTABLES -A INPUT -p TCP --dport 113 -j REJECT --reject-with tcp-reset #AUTH server |
|
|
# accept only allowed ICMP packets |
# accept only allowed ICMP packets |
for type in echo-reply destination-unreachable echo-request time-exceeded; do |
for type in $ACCEPT_ICMP_PACKETS; do |
echo -en " $type" |
echo -en " $type" |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
ip="IP_$iface"; |
ip="IP_$iface"; |
Riadok 355 log_output_drop() |
|
Riadok 497 log_output_drop() |
|
|
|
prefix="output drop: " |
prefix="output drop: " |
echo "Output drop is logged with prefix '$prefix'" |
echo "Output drop is logged with prefix '$prefix'" |
# Ostatní pakety logujeme (neměly by být žádné takové) |
|
$IPTABLES -A OUTPUT $LOG_LIMIT -j LOG --log-prefix "$prefix" |
$IPTABLES -A OUTPUT $LOG_LIMIT -j LOG --log-prefix "$prefix" |
|
|
} # }}} |
} # }}} |
|
|
|
log_forward_drop() |
|
{ # {{{ |
|
|
|
prefix="forward drop: " |
|
echo "Forward drop is logged with prefix '$prefix'" |
|
$IPTABLES -A FORWARD $LOG_LIMIT -j LOG --log-prefix "$prefix" |
|
|
|
} # }}} |
|
|
accept_related() |
accept_related() |
{ # {{{ |
{ # {{{ |
|
|
Riadok 367 accept_related() |
|
Riadok 517 accept_related() |
|
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
ip="IP_$iface"; |
ip="IP_$iface"; |
echo -en " ${!ip}($iface)" |
echo -en " ${!ip}($iface)" |
$IPTABLES -A INPUT -i $iface -d ${!ip} -m state --state ESTABLISHED,RELATED -j ACCEPT |
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
done |
done |
echo " done." |
echo " done." |
|
|
|
|
set_loopback |
set_loopback |
nmap_scan_filter |
nmap_scan_filter |
invalid_packet_filter |
invalid_packet_filter |
#anti_spoof_filter eth0 |
anti_spoof_filter |
syn_flood |
syn_flood |
mangle_prerouting |
mangle_prerouting |
mangle_output |
mangle_output |
|
log_new_connections |
|
drop_output |
allow_input |
allow_input |
allow_output |
allow_output |
allow_icmp |
allow_icmp |
accept_related |
accept_related |
accept_loopback |
accept_loopback |
|
masquerade |
log_input_drop |
log_input_drop |
log_output_drop |
log_output_drop |
|
log_forward_drop |
;; |
;; |
|
|
stop) |
stop) |