verzia 1.1, 2003/10/24 15:40:44 |
verzia 2.2, 2004/12/12 18:00:11 |
|
|
#!/bin/sh |
#!/bin/sh |
|
|
# |
# |
# This will be universal firewalling script in near future |
# This will be universal firewalling script for Linux kernel (iptables) in near future |
# Can be started by init or by hand. |
# Can be started by init or by hand. |
# |
# |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Copyright (c) 2003 Platon SDG, http://platon.sk/ |
# Copyright (c) 2003-2004 Platon SDG, http://platon.sk/ |
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.1 2004/12/11 19:50:24 rajo Exp $ |
# |
# |
|
# Changelog: |
# |
# 2004-11-14 - created |
# Config: |
|
# |
# |
|
|
DESC="firewall" |
DESC="firewall" |
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin |
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin |
|
|
DEFAULT_POLICY="DROP" |
DEFAULT_CONFIG="${DEFAULT_CONFIG:=/etc/default/firewall}" |
|
|
|
if [ -f "$DEFAULT_CONFIG" ]; then |
|
echo "Reading config file $DEFAULT_CONFIG" |
|
. $DEFAULT_CONFIG |
|
fi |
|
|
|
# |
|
# Default configuration values: |
|
# |
|
|
|
DEFAULT_POLICY="${DEFAULT_POLICY:=DROP}" |
# which modules to load |
# which modules to load |
MODULES="ipt_LOG ipt_REJECT ip_conntrack_ftp" |
MODULES="${MODULES:=}" |
|
|
LOG_LIMIT="-m limit --limit 12/h --limit-burst 10" |
LOG_LIMIT="${LOG_LIMIT:=-m limit --limit 12/h --limit-burst 10}" |
|
|
# Paths: |
# Paths: |
IPTABLES="/sbin/iptables" |
|
#IPTABLES=":" # for testing only - does nothing |
#IPTABLES=":" # for testing only - does nothing |
IFCONFIG="/sbin/ifconfig" |
IPTABLES="${IPTABLES:=/sbin/iptables}" |
DEPMOD="/sbin/depmod" |
IFCONFIG="${IFCONFIG:=/sbin/ifconfig}" |
MODPROBE="/sbin/modprobe" |
DEPMOD="${DEPMOD:=/sbin/depmod}" |
RMMOD="/sbin/rmmod" |
MODPROBE="${MODPROBE:=/sbin/modprobe}" |
|
RMMOD="${RMMOD:=/sbin/rmmod}" |
AWK="/usr/bin/awk" |
AWK="${AWK:=/usr/bin/awk}" |
|
|
# interface connected to cruel world (internet jungle) |
|
INET_IFACE="eth0" |
|
INET_IP="IP_$INET_IFACE" |
|
|
|
# loopback interface |
# loopback interface |
LO_IFACE="lo" |
LO_IFACE="${LO_IFACE:=lo}" |
LO_IP="IP_$LO_IFACE" |
LO_IP="IP_$LO_IFACE" |
|
|
# Which ports will be allowed on INPUT (TCP connections) |
# Which ports will be allowed on INPUT (TCP connections) |
# 21 - ftp, 22 - ssh, 25 - smtp, 53 - DNS server TCP, 80 - www, 110 - POP3 |
ALL_ACCEPT_INPUT_TCP="${ALL_ACCEPT_INPUT_TCP:=}" |
# 143 - IMAP, 443 - HTTPS, 873 - rsync server |
# interface eth0 |
# 123 137 138 139 631 - samba |
eth0_ACCEPT_INPUT_TCP="${eth0_ACCEPT_INPUT_TCP:=}" |
ACCEPT_INPUT_TCP="123 137 138 139 631 22 80" |
# interface ppp0 |
|
ppp0_ACCEPT_INPUT_TCP="${ppp0_ACCEPT_INPUT_TCP:=}" |
|
|
# Which ports will be allowed on INPUT (UDP connections) |
# Which ports will be allowed on INPUT (UDP connections) |
# 53 - DNS server, 517 - talk, 518 - ntalk |
# interface eth0 |
ACCEPT_INPUT_UDP="123 137 138 139 631" |
eth0_ACCEPT_INPUT_UDP="${eth0_ACCEPT_INPUT_UDP:=}" |
|
# interface ppp0 |
|
ppp0_ACCEPT_INPUT_UDP="${ppp0_ACCEPT_INPUT_UDP:=}" |
|
|
# allow some ICMP packets - needed for ping etc. |
# allow some ICMP packets - needed for ping etc. |
ACCEPT_ICMP_PACKETS="echo-reply destination-unreachable echo-request time-exceeded" |
ACCEPT_ICMP_PACKETS="${ACCEPT_ICMP_PACKETS:=echo-reply destination-unreachable echo-request time-exceeded}" |
|
|
# load necessary modules from $MODULES variable |
# load necessary modules from $MODULES variable |
load_modules() |
load_modules() |
Riadok 78 unload_modules() |
|
Riadok 86 unload_modules() |
|
done |
done |
} # }}} |
} # }}} |
|
|
# print status of found interfaces |
# print status of detected interfaces |
print_iface_status() |
print_iface_status() |
{ # {{{ |
{ # {{{ |
# Print interfaces: |
# Print interfaces: |
Riadok 112 remove_chains() |
|
Riadok 120 remove_chains() |
|
$IPTABLES -X # remove all chains |
$IPTABLES -X # remove all chains |
} # }}} |
} # }}} |
|
|
# all packets on loopback are accted |
# all packets on loopback are accpted |
set_loopback() |
set_loopback() |
{ # {{{ |
{ # {{{ |
$IPTABLES -A INPUT -j ACCEPT -i $LO_IFACE |
$IPTABLES -A INPUT -j ACCEPT -i $LO_IFACE |
Riadok 126 nmap_scan_filter() |
|
Riadok 134 nmap_scan_filter() |
|
echo -en "Turning on nmap scan filter " |
echo -en "Turning on nmap scan filter " |
|
|
for chain in INPUT FORWARD; do |
for chain in INPUT FORWARD; do |
echo -en "." |
|
# Nie je nastaveny ziaden bit |
# Nie je nastaveny ziaden bit |
$IPTABLES -A $chain -p tcp --tcp-flags ALL NONE $LOG_LIMIT -j LOG --log-prefix "nmap scan $chain ALL NONE: " |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT -j LOG --log-prefix "nmap scan $chain ALL NONE: " |
$IPTABLES -A $chain -p tcp --tcp-flags ALL NONE -j DROP |
echo -en "." |
|
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
|
echo -en "." |
|
|
# dva odporujuuce si flagy su nastavene: |
# dva odporujuuce si flagy su nastavene: |
for flags in SYN,FIN SYN,RST FIN,RST ; do |
for flags in SYN,FIN SYN,RST FIN,RST ; do |
|
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT -j LOG --log-prefix "nmap scan $chain $flags: " |
|
echo -en "." |
|
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p tcp --tcp-flags $flags $flags $LOG_LIMIT -j LOG --log-prefix "nmap scan $chain $flags: " |
|
$IPTABLES -A $chain -p tcp --tcp-flags $flags $flags -j DROP |
|
done |
done |
|
|
# je nastavene len $flags bez predpokladaneho ACK |
# je nastavene len $flags bez predpokladaneho ACK |
for flags in FIN PSH URG ; do |
for flags in FIN PSH URG ; do |
|
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT -j LOG --log-prefix "nmap scan $chain ACK,$flags: " |
|
echo -en "." |
|
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p tcp --tcp-flags ACK,$flags $flags $LOG_LIMIT -j LOG --log-prefix "nmap scan $chain ACK,$flags: " |
|
$IPTABLES -A $chain -p tcp --tcp-flags ACK,$flags $flags -j DROP |
|
done |
done |
done |
done |
|
|
echo "done." |
echo " done." |
|
|
} # }}} |
} # }}} |
|
|
Riadok 156 invalid_packet_filter() |
|
Riadok 167 invalid_packet_filter() |
|
|
|
echo -en "Turning on INVALID packet filter " |
echo -en "Turning on INVALID packet filter " |
for chain in INPUT OUTPUT FORWARD; do |
for chain in INPUT OUTPUT FORWARD; do |
echo -en "." |
|
$IPTABLES -A $chain -m state --state INVALID $LOG_LIMIT -j LOG --log-prefix "INVALID $chain: " |
$IPTABLES -A $chain -m state --state INVALID $LOG_LIMIT -j LOG --log-prefix "INVALID $chain: " |
|
echo -en "." |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
|
echo -en "." |
done |
done |
|
|
echo "done." |
echo " done." |
|
|
} # }}} |
} # }}} |
|
|
|
|
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN |
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN |
$IPTABLES -A syn-flood -j DROP |
$IPTABLES -A syn-flood -j DROP |
|
|
$IPTABLES -A INPUT -i $INET_IFACE -p tcp --syn -j syn-flood |
for iface in $INTERFACES; do |
|
$IPTABLES -A INPUT -i $iface -p TCP --syn -j syn-flood |
|
|
# Paket je označený jako NEW, ale nemá nastavený SYN flag - pryč s ním |
# packet is marked az NEW, but doesn't have SYN flag - drop it |
$IPTABLES -A INPUT -i $INET_IFACE -p tcp ! --syn -m state --state NEW -j DROP |
$IPTABLES -A INPUT -i $iface -p TCP ! --syn -m state --state NEW -j DROP |
|
done |
|
|
|
|
} # }}} |
} # }}} |
|
|
anti_spoof_filter() |
anti_spoof_filter() |
{ # {{{ |
{ # {{{ |
|
|
# http://www.iana.com/assignments/ipv4-address-space |
# http://www.iana.com/assignments/ipv4-address-space |
|
|
$IPTABLES -N spoof |
if [ ! -z "$ANTISPOOF_IFACE" ]; then |
|
|
echo "Turning on antispoof filter for interface $INET_IFACE " |
echo -en "Turning on antispoof filter for interfaces: " |
# Ochrana proti Spoogingu zo spetnej slucky |
$IPTABLES -N spoof |
$IPTABLES -A spoof -i $INET_IFACE -s 127.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:127.0.0.0/8 src" |
|
$IPTABLES -A spoof -i $INET_IFACE -s 127.0.0.0/8 -j DROP |
# Ochrana proti Spoogingu zo spatnej slucky |
$IPTABLES -A spoof -i $INET_IFACE -d 127.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:127.0.0.0/8 dest" |
$IPTABLES -A spoof -s 127.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "RESERVED:127.0.0.0/8 src" |
$IPTABLES -A spoof -i $INET_IFACE -d 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -s 127.0.0.0/8 -j DROP |
# Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete |
$IPTABLES -A spoof -d 127.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "RESERVED:127.0.0.0/8 dest" |
$IPTABLES -A spoof -i $INET_IFACE -s 192.168.0.0/16 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:192.168.0.0/16 src" |
$IPTABLES -A spoof -d 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -i $INET_IFACE -s 192.168.0.0/16 -j DROP # RFC1918 |
# Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete |
$IPTABLES -A spoof -i $INET_IFACE -s 172.16.0.0/12 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:172.16.0.0/12 src" |
$IPTABLES -A spoof -s 192.168.0.0/16 $LOG_LIMIT -j LOG --log-prefix "RESERVED:192.168.0.0/16 src" |
$IPTABLES -A spoof -i $INET_IFACE -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918 |
$IPTABLES -A spoof -i $INET_IFACE -s 10.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:10.0.0.0/8 src" |
$IPTABLES -A spoof -s 172.16.0.0/12 $LOG_LIMIT -j LOG --log-prefix "RESERVED:172.16.0.0/12 src" |
$IPTABLES -A spoof -i $INET_IFACE -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES -A spoof -i $INET_IFACE -s 96.0.0.0/4 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:96.0.0.0/4 src" |
$IPTABLES -A spoof -s 10.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "RESERVED:10.0.0.0/8 src" |
$IPTABLES -A spoof -i $INET_IFACE -s 96.0.0.0/4 -j DROP # IANA |
$IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
echo "... done." |
$IPTABLES -A spoof -s 96.0.0.0/4 $LOG_LIMIT -j LOG --log-prefix "RESERVED:96.0.0.0/4 src" |
|
$IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA |
|
|
|
for iface in $ANTISPOOF_IFACE; do |
|
echo -en " $iface" |
|
$IPTABLES -A FORWARD -i $iface -j spoof |
|
$IPTABLES -A INPUT -i $iface -j spoof |
|
done |
|
echo " done." |
|
fi |
} # }}} |
} # }}} |
|
|
mangle_prerouting() |
mangle_prerouting() |
{ # {{{ |
{ # {{{ |
|
|
echo "Optimizing PREROUTING TOS" |
echo -en "Optimizing PREROUTING TOS: " |
# TOS flagy slouzi k optimalizaci datovych cest. Pro ssh, ftp a telnet |
# TOS flagy slouzi k optimalizaci datovych cest. Pro ssh, ftp a telnet |
# pozadujeme minimalni zpozdeni. Pro ftp-data zase maximalni propostnost |
# pozadujeme minimalni zpozdeni. Pro ftp-data zase maximalni propostnost |
$IPTABLES -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A PREROUTING -p TCP --sport ssh -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay |
echo -en "." |
$IPTABLES -t mangle -A PREROUTING -p tcp --sport ftp -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A PREROUTING -p TCP --dport ssh -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A PREROUTING -p tcp --dport ftp -j TOS --set-tos Minimize-Delay |
echo -en "." |
$IPTABLES -t mangle -A PREROUTING -p tcp --dport telnet -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A PREROUTING -p TCP --sport ftp -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A PREROUTING -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput |
echo -en "." |
|
$IPTABLES -t mangle -A PREROUTING -p TCP --dport ftp -j TOS --set-tos Minimize-Delay |
|
echo -en "." |
|
$IPTABLES -t mangle -A PREROUTING -p TCP --dport telnet -j TOS --set-tos Minimize-Delay |
|
echo -en "." |
|
$IPTABLES -t mangle -A PREROUTING -p TCP --sport ftp-data -j TOS --set-tos Maximize-Throughput |
|
echo -en "." |
|
echo " done." |
|
|
} # }}} |
} # }}} |
|
|
mangle_output() |
mangle_output() |
{ # {{{ |
{ # {{{ |
|
|
echo "Optimizing OUTPUT TOS" |
echo -en "Optimizing OUTPUT TOS:" |
# TOS flagy slouzi k optimalizaci datovych cest. Pro ssh, ftp a telnet |
# TOS flagy slouzi k optimalizaci datovych cest. Pro ssh, ftp a telnet |
# pozadujeme minimalni zpozdeni. Pro ftp-data zase maximalni propostnost |
# pozadujeme minimalni zpozdeni. Pro ftp-data zase maximalni propostnost |
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --sport ssh -j TOS --set-tos Minimize-Delay |
for iface in $INTERFACES; do |
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --dport ssh -j TOS --set-tos Minimize-Delay |
echo -en " $iface"; |
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --sport ftp -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --sport ssh -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --dport ftp -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --dport ssh -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --dport telnet -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --sport ftp -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput |
$IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --dport ftp -j TOS --set-tos Minimize-Delay |
|
$IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --dport telnet -j TOS --set-tos Minimize-Delay |
|
$IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --sport ftp-data -j TOS --set-tos Maximize-Throughput |
|
done |
|
echo " done." |
|
|
|
} # }}} |
|
|
|
# Masquerade local subnet |
|
masquerade() |
|
{ # {{{ |
|
if [ ! -z "$NAT_LAN_IFACE" ]; then |
|
echo -en "Masquerading local subnet:" |
|
|
|
ip="IP_$NAT_SUBNET_IFACE"; |
|
netmask="Mask_$NAT_SUBNET_IFACE" |
|
localnet="${!ip}/${!netmask}" |
|
|
|
# alow packets from private subnet |
|
$IPTABLES -A FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP |
|
$IPTABLES -A INPUT -i $NAT_SUBNET_IFACE -j ACCEPT |
|
$IPTABLES -A FORWARD -i $NAT_SUBNET_IFACE -j ACCEPT |
|
|
|
$IPTABLES -t nat -A POSTROUTING -s $localnet -o $NAT_LAN_IFACE -j MASQUERADE |
|
|
|
|
|
# Keep state of connections from private subnets |
|
iptables -A OUTPUT -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT |
|
iptables -A FORWARD -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT |
|
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
echo " done." |
|
fi |
|
} # }}} |
|
|
|
drop_output() |
|
{ # {{{ |
|
|
|
for iface in $INTERFACES; do |
|
ip="IP_$iface"; |
|
drop_output_tcp="${iface}_DROP_OUTPUT_TCP" |
|
DROP_OUTPUT_TCP="${!drop_output_tcp}" |
|
drop_output_udp="${iface}_DROP_OUTPUT_UDP" |
|
DROP_OUTPUT_UDP="${!drop_output_udp}" |
|
|
|
if [ ! -z "$DROP_OUTPUT_TCP" ]; then |
|
echo -en "$iface: Dropping outgoing packets from ports:" |
|
for port in $DROP_OUTPUT_TCP; do |
|
echo -en " $port" |
|
$IPTABLES -A FORWARD -p TCP --sport $port -o $iface -j DROP |
|
$IPTABLES -A OUTPUT -p TCP --sport $port -o $iface -j DROP |
|
done |
|
echo " done." |
|
fi |
|
|
|
if [ ! -z "$DROP_OUTPUT_UDP" ]; then |
|
echo -en "$iface: Dropping outgoing packets from ports:" |
|
for port in $DROP_OUTPUT_UDP; do |
|
echo -en " $port" |
|
$IPTABLES -A FORWARD -p UDP --sport $port -o $iface -j DROP |
|
$IPTABLES -A OUTPUT -p UDP --sport $port -o $iface -j DROP |
|
done |
|
echo " done." |
|
fi |
|
done |
|
|
} # }}} |
} # }}} |
|
|
# accept TCP packets for ports in $ACCEPT_INPUT_TCP |
|
# accept UDP packets for ports in $ACCEPT_INPUT_UDP |
|
allow_input() |
allow_input() |
{ # {{{ |
{ # {{{ |
if [ ! -z "$ACCEPT_INPUT_TCP" ]; then |
|
echo -en "Accepting INPUT TCP connections on ports: " |
if [ ! -z "$IFACE_ACCEPT_ALL" ]; then |
for port in $ACCEPT_INPUT_TCP; do |
echo -en "Accepting ALL packets on interfaces:" |
echo -en " $port" |
for iface in $IFACE_ACCEPT_ALL; do |
$IPTABLES -A INPUT -i $INET_IFACE -d ${!INET_IP} -p TCP --dport $port -j ACCEPT |
echo -en " $iface" |
|
$IPTABLES -A INPUT -i $iface -j ACCEPT |
|
$IPTABLES -A FORWARD -i $iface -j ACCEPT |
done |
done |
echo "." |
echo " done." |
fi |
fi |
|
|
if [ ! -z "$ACCEPT_INPUT_UDP" ]; then |
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
echo -en "Accepting INPUT UDP connections on ports: " |
echo -en "Accepting ALL INPUT TCP connections on ports:" |
for port in $ACCEPT_INPUT_UDP; do |
for port in $ALL_ACCEPT_INPUT_TCP; do |
echo -en " $port" |
for iface in $INTERFACES; do |
#$IPTABLES -A INPUT -i $INET_IFACE -d ${!INET_IP} -p UDP --dport $port -j ACCEPT |
ip="IP_$iface"; |
$IPTABLES -A INPUT -i $INET_IFACE -p UDP --dport $port -j ACCEPT |
echo -en " $port($iface)" |
|
$IPTABLES -A INPUT -i $iface -d ${!ip} -p TCP --dport $port -j ACCEPT |
|
done |
done |
done |
echo "." |
echo " done." |
fi |
fi |
|
|
|
for iface in $INTERFACES; do |
|
ip="IP_$iface"; |
|
accept_input_tcp="${iface}_ACCEPT_INPUT_TCP" |
|
ACCEPT_INPUT_TCP="${!accept_input_tcp}" |
|
accept_input_udp="${iface}_ACCEPT_INPUT_UDP" |
|
ACCEPT_INPUT_UDP="${!accept_input_udp}" |
|
|
|
if [ ! -z "$ACCEPT_INPUT_TCP" ]; then |
|
echo -en "$iface: Accepting INPUT TCP connections on ports:" |
|
for port in $ACCEPT_INPUT_TCP; do |
|
echo -en " $port" |
|
$IPTABLES -A INPUT -i $iface -d ${!ip} -p TCP --dport $port -j ACCEPT |
|
done |
|
echo " done." |
|
fi |
|
|
|
if [ ! -z "$ACCEPT_INPUT_UDP" ]; then |
|
echo -en "$iface: Accepting INPUT UDP connections on ports:" |
|
for port in $ACCEPT_INPUT_UDP; do |
|
echo -en " $port" |
|
#$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT |
|
#$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT |
|
$IPTABLES -A INPUT -i $iface -p UDP --dport $port -j ACCEPT |
|
done |
|
echo " done." |
|
fi |
|
done |
|
|
} # }}} |
} # }}} |
|
|
# ACCEPT all packets from our IP address |
# ACCEPT all packets from our IP address |
Riadok 264 allow_output() |
|
Riadok 387 allow_output() |
|
{ # {{{ |
{ # {{{ |
|
|
# Povolíme odchozí pakety, které mají naše IP adresy |
# Povolíme odchozí pakety, které mají naše IP adresy |
echo "Accepting OUTPUT packets from ${!LO_IP} ${!INET_IP}" |
echo -en "Accepting OUTPUT packets from" |
$IPTABLES -A OUTPUT -s ${!LO_IP} -j ACCEPT |
for iface in $INTERFACES; do |
$IPTABLES -A OUTPUT -s ${!INET_IP} -j ACCEPT |
ip="IP_$iface"; |
|
echo -en " ${!ip}($iface)" |
|
$IPTABLES -A OUTPUT -o $iface -s ${!ip} -j ACCEPT |
|
done; |
|
echo " done."; |
|
|
} # }}} |
} # }}} |
|
|
|
|
# Službu AUTH není dobré filtrovat pomocí DROP, protože to může |
# Službu AUTH není dobré filtrovat pomocí DROP, protože to může |
# vést k prodlevám při navazování některých spojení. Proto jej |
# vést k prodlevám při navazování některých spojení. Proto jej |
# sice zamítneme, ale vygenerujeme korektní ICMP chybovou zprávu |
# sice zamítneme, ale vygenerujeme korektní ICMP chybovou zprávu |
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 113 -j REJECT --reject-with tcp-reset #AUTH server |
$IPTABLES -A INPUT -p TCP --dport 113 -j REJECT --reject-with tcp-reset #AUTH server |
|
|
# accept only allowed ICMP packets |
# accept only allowed ICMP packets |
for type in $ACCEPT_ICMP_PACKETS; do |
for type in echo-reply destination-unreachable echo-request time-exceeded; do |
echo -en " $type" |
echo -en " $type" |
$IPTABLES -A INPUT -i $INET_IFACE -p ICMP --icmp-type $type -j ACCEPT |
for iface in $INTERFACES; do |
|
ip="IP_$iface"; |
|
$IPTABLES -A INPUT -i $iface -d ${!ip} -p ICMP --icmp-type $type -j ACCEPT |
|
done |
done |
done |
echo " done." |
echo " done." |
|
|
} # }}} |
} # }}} |
|
|
Riadok 302 log_output_drop() |
|
Riadok 432 log_output_drop() |
|
|
|
prefix="output drop: " |
prefix="output drop: " |
echo "Output drop is logged with prefix '$prefix'" |
echo "Output drop is logged with prefix '$prefix'" |
# Ostatní pakety logujeme (neměly by být žádné takové) |
|
$IPTABLES -A OUTPUT $LOG_LIMIT -j LOG --log-prefix "$prefix" |
$IPTABLES -A OUTPUT $LOG_LIMIT -j LOG --log-prefix "$prefix" |
|
|
} # }}} |
} # }}} |
|
|
|
log_forward_drop() |
|
{ # {{{ |
|
|
|
prefix="forward drop: " |
|
echo "Forward drop is logged with prefix '$prefix'" |
|
$IPTABLES -A FORWARD $LOG_LIMIT -j LOG --log-prefix "$prefix" |
|
|
|
} # }}} |
|
|
accept_related() |
accept_related() |
{ # {{{ |
{ # {{{ |
|
|
echo "Accepting ESTABLISHED, RELATED packets for IP ${!INET_IP}" |
echo -en "Accepting ESTABLISHED, RELATED packets for IP:" |
$IPTABLES -A INPUT -d ${!INET_IP} -m state --state ESTABLISHED,RELATED -j ACCEPT |
for iface in $INTERFACES; do |
|
ip="IP_$iface"; |
|
echo -en " ${!ip}($iface)" |
|
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
done |
|
echo " done." |
|
|
} # }}} |
} # }}} |
|
|
Riadok 319 accept_loopback() |
|
Riadok 462 accept_loopback() |
|
{ # {{{ |
{ # {{{ |
|
|
# Loopback není radno omezovat |
# Loopback není radno omezovat |
echo "Accepting loopback" |
echo -en "Accepting loopback:" |
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT |
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT |
|
echo " done." |
|
|
} # }}} |
} # }}} |
|
|
# Parse output from ifconfig: - tested on Linux and FreeBSD |
# Parse output from ifconfig: - tested on Linux and FreeBSD |
# -- creates shell variables like IP_eth0="192.168.1.123" |
|
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ifconfig-parse.sh |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ifconfig-parse.sh |
parse_ifconfig() |
parse_ifconfig() |
{ # {{{ |
{ # {{{ |
Riadok 370 parse_ifconfig() |
|
Riadok 513 parse_ifconfig() |
|
|
|
|
|
parse_ifconfig |
parse_ifconfig |
|
print_iface_status |
|
|
|
# $interfaces - all interfaces |
|
# $INTERFACES - all interfaces withouth loopback |
|
INTERFACES="" |
|
for iface in $interfaces; do |
|
if [ "o$iface" = "olo" ]; then continue; fi |
|
INTERFACES="$INTERFACES $iface"; |
|
done |
|
|
|
|
case "$1" in |
case "$1" in |
start) |
start) |
|
|
# Inicialize modules |
# Inicialize modules |
$DEPMOD -a |
$DEPMOD -a |
load_modules |
load_modules |
|
set_default_policy |
|
remove_chains |
# |
# |
# (un)commnet next lines as needed |
# (un)commnet next lines as needed |
# |
# |
set_default_policy |
|
set_loopback |
set_loopback |
nmap_scan_filter |
nmap_scan_filter |
invalid_packet_filter |
invalid_packet_filter |
#anti_spoof_filter |
anti_spoof_filter |
syn_flood |
syn_flood |
mangle_prerouting |
mangle_prerouting |
mangle_output |
mangle_output |
|
drop_output |
allow_input |
allow_input |
allow_output |
allow_output |
|
allow_icmp |
accept_related |
accept_related |
accept_loopback |
accept_loopback |
|
masquerade |
log_input_drop |
log_input_drop |
log_output_drop |
log_output_drop |
|
log_forward_drop |
;; |
;; |
|
|
stop) |
stop) |
echo -n "Stopping $DESC: " |
echo -n "Stopping $DESC: " |
unload_modules |
|
remove_chains |
|
set_default_policy |
set_default_policy |
|
remove_chains |
|
unload_modules |
;; |
;; |
|
|
status) |
status) |