verzia 2.23, 2005/04/15 22:07:18 |
verzia 2.25, 2005/06/29 15:24:04 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.22 2005/03/16 13:53:36 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.24 2005/04/18 22:49:30 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
|
|
DESC="firewall" |
DESC="firewall" |
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin |
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin |
|
|
DEFAULT_CONFIG="${DEFAULT_CONFIG:=/etc/default/firewall}" |
DEFAULT_FIREWALL_CONFIG="${DEFAULT_FIREWALL_CONFIG:=/etc/default/firewall}" |
|
|
if [ -f "$DEFAULT_CONFIG" ]; then |
if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then |
echo "Reading config file $DEFAULT_CONFIG" |
echo "Reading config file $DEFAULT_FIREWALL_CONFIG" |
. $DEFAULT_CONFIG |
. $DEFAULT_FIREWALL_CONFIG |
fi |
fi |
|
|
# |
# |
Riadok 38 LOG_LIMIT="${LOG_LIMIT:=-m limit --limit |
|
Riadok 38 LOG_LIMIT="${LOG_LIMIT:=-m limit --limit |
|
# Paths: |
# Paths: |
#IPTABLES=":" # for testing only - does nothing |
#IPTABLES=":" # for testing only - does nothing |
IPTABLES="${IPTABLES:=$DEBUG/sbin/iptables}" |
IPTABLES="${IPTABLES:=$DEBUG/sbin/iptables}" |
|
if [ "x$LOGGING" = "xoff" ]; then |
|
IPTABLES_LOG=": log turned off" |
|
else |
|
IPTABLES_LOG="${IPTABLES_LOG:=$DEBUG/sbin/iptables}" |
|
fi |
IFCONFIG="${IFCONFIG:=/sbin/ifconfig}" |
IFCONFIG="${IFCONFIG:=/sbin/ifconfig}" |
DEPMOD="${DEPMOD:=/sbin/depmod}" |
DEPMOD="${DEPMOD:=/sbin/depmod}" |
MODPROBE="${MODPROBE:=/sbin/modprobe}" |
MODPROBE="${MODPROBE:=/sbin/modprobe}" |
Riadok 118 antispoof_on() |
|
Riadok 123 antispoof_on() |
|
done |
done |
} # }}} |
} # }}} |
|
|
|
forward_on() |
|
{ # {{{ |
|
echo -en "NAT: Enabling packet forwarding..." |
|
echo 1 > /proc/sys/net/ipv4/ip_forward |
|
echo " done." |
|
} # }}} |
|
|
|
forward_off() |
|
{ # {{{ |
|
echo -en "NAT: Disabling packet forwarding..." |
|
echo 0 > /proc/sys/net/ipv4/ip_forward |
|
echo " done." |
|
} # }}} |
|
|
# clear status of iptable chains |
# clear status of iptable chains |
remove_chains() |
remove_chains() |
{ # {{{ |
{ # {{{ |
Riadok 138 nmap_scan_filter() |
|
Riadok 157 nmap_scan_filter() |
|
|
|
for chain in INPUT FORWARD; do |
for chain in INPUT FORWARD; do |
# Nie je nastaveny ziaden bit |
# Nie je nastaveny ziaden bit |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
echo -en "." |
echo -en "." |
|
|
# dva odporujuuce si flagy su nastavene: |
# dva odporujuuce si flagy su nastavene: |
for flags in SYN,FIN SYN,RST FIN,RST ; do |
for flags in SYN,FIN SYN,RST FIN,RST ; do |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
echo -en "." |
echo -en "." |
done |
done |
|
|
# je nastavene len $flags bez predpokladaneho ACK |
# je nastavene len $flags bez predpokladaneho ACK |
for flags in FIN PSH URG ; do |
for flags in FIN PSH URG ; do |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
echo -en "." |
echo -en "." |
done |
done |
done |
done |
Riadok 170 invalid_packet_filter() |
|
Riadok 189 invalid_packet_filter() |
|
|
|
echo -en "Turning on INVALID packet filter " |
echo -en "Turning on INVALID packet filter " |
for chain in INPUT OUTPUT FORWARD; do |
for chain in INPUT OUTPUT FORWARD; do |
$IPTABLES -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: " |
$IPTABLES_LOG -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
echo -en "." |
echo -en "." |
done |
done |
|
|
Riadok 207 anti_spoof_filter() |
|
Riadok 226 anti_spoof_filter() |
|
$IPTABLES -N spoof |
$IPTABLES -N spoof |
|
|
# Ochrana proti Spoogingu zo spatnej slucky |
# Ochrana proti Spoogingu zo spatnej slucky |
$IPTABLES -A spoof -s 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 src" |
$IPTABLES_LOG -A spoof -s 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 src" |
$IPTABLES -A spoof -s 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -s 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -d 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 dest" |
$IPTABLES_LOG -A spoof -d 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 dest" |
$IPTABLES -A spoof -d 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -d 127.0.0.0/8 -j DROP |
# Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete |
# Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete |
$IPTABLES -A spoof -s 192.168.0.0/16 $LOG_LIMIT "RESERVED:192.168.0.0/16 src" |
$IPTABLES_LOG -A spoof -s 192.168.0.0/16 $LOG_LIMIT "RESERVED:192.168.0.0/16 src" |
$IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 172.16.0.0/12 $LOG_LIMIT "RESERVED:172.16.0.0/12 src" |
$IPTABLES_LOG -A spoof -s 172.16.0.0/12 $LOG_LIMIT "RESERVED:172.16.0.0/12 src" |
$IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 10.0.0.0/8 $LOG_LIMIT "RESERVED:10.0.0.0/8 src" |
$IPTABLES_LOG -A spoof -s 10.0.0.0/8 $LOG_LIMIT "RESERVED:10.0.0.0/8 src" |
$IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES -A spoof -s 96.0.0.0/4 $LOG_LIMIT "RESERVED:96.0.0.0/4 src" |
$IPTABLES_LOG -A spoof -s 96.0.0.0/4 $LOG_LIMIT "RESERVED:96.0.0.0/4 src" |
$IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA |
$IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA |
|
|
for iface in $ANTISPOOF_IFACE; do |
for iface in $ANTISPOOF_IFACE; do |
echo -en " $iface" |
echo -en " $iface" |
|
|
echo -en " $type" |
echo -en " $type" |
$IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT |
$IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT |
done |
done |
#$IPTABLES -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: " |
#$IPTABLES_LOG -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: " |
echo " done." |
echo " done." |
|
|
# Port forwarding to local machines |
# Port forwarding to local machines |
Riadok 370 log_new_connections() |
|
Riadok 389 log_new_connections() |
|
if [ ! -z "$NAT_LOG_NEW_CONNECTIONS" ]; then |
if [ ! -z "$NAT_LOG_NEW_CONNECTIONS" ]; then |
if [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ]; then |
if [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ]; then |
echo -en "Logging new connections:" |
echo -en "Logging new connections:" |
$IPTABLES -A INPUT -m state --state NEW -j LOG --log-prefix "IN connection: " |
$IPTABLES_LOG -A INPUT -m state --state NEW -j LOG --log-prefix "IN connection: " |
$IPTABLES -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT connection: " |
$IPTABLES_LOG -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT connection: " |
$IPTABLES -A FORWARD -m state --state NEW -j LOG --log-prefix "FWD connection: " |
$IPTABLES_LOG -A FORWARD -m state --state NEW -j LOG --log-prefix "FWD connection: " |
echo " done." |
echo " done." |
fi |
fi |
fi |
fi |
|
|
$IPTABLES -A INPUT -i $iface -d ${!ip} -p ICMP --icmp-type $type -j ACCEPT |
$IPTABLES -A INPUT -i $iface -d ${!ip} -p ICMP --icmp-type $type -j ACCEPT |
done |
done |
done |
done |
#$IPTABLES -A INPUT -p ICMP -j LOG --log-prefix "IN ICMP: " |
#$IPTABLES_LOG -A INPUT -p ICMP -j LOG --log-prefix "IN ICMP: " |
#$IPTABLES -A OUTPUT -p ICMP -j LOG --log-prefix "OUT ICMP: " |
#$IPTABLES_LOG -A OUTPUT -p ICMP -j LOG --log-prefix "OUT ICMP: " |
echo " done." |
echo " done." |
|
|
} # }}} |
} # }}} |
|
|
log_input_drop() |
log_input_drop() |
{ # {{{ |
{ # {{{ |
|
|
prefix="input drop: " |
if [ ! "x$LOGGING" = "xoff" ]; then |
echo "Input drop is logged with prefix '$prefix'" |
prefix="input drop: " |
$IPTABLES -A INPUT $LOG_LIMIT "$prefix" |
echo "Input drop is logged with prefix '$prefix'" |
|
$IPTABLES_LOG -A INPUT $LOG_LIMIT "$prefix" |
|
fi |
|
|
} # }}} |
} # }}} |
|
|
log_output_drop() |
log_output_drop() |
{ # {{{ |
{ # {{{ |
|
|
prefix="output drop: " |
if [ ! "x$LOGGING" = "xoff" ]; then |
echo "Output drop is logged with prefix '$prefix'" |
prefix="output drop: " |
$IPTABLES -A OUTPUT $LOG_LIMIT "$prefix" |
echo "Output drop is logged with prefix '$prefix'" |
|
$IPTABLES_LOG -A OUTPUT $LOG_LIMIT "$prefix" |
|
fi |
|
|
} # }}} |
} # }}} |
|
|
log_forward_drop() |
log_forward_drop() |
{ # {{{ |
{ # {{{ |
|
|
prefix="forward drop: " |
if [ ! "x$LOGGING" = "xoff" ]; then |
echo "Forward drop is logged with prefix '$prefix'" |
prefix="forward drop: " |
$IPTABLES -A FORWARD $LOG_LIMIT "$prefix" |
echo "Forward drop is logged with prefix '$prefix'" |
|
$IPTABLES_LOG -A FORWARD $LOG_LIMIT "$prefix" |
|
fi |
|
|
} # }}} |
} # }}} |
|
|
|
|
set_default_policy |
set_default_policy |
remove_chains |
remove_chains |
unload_modules |
unload_modules |
|
forward_off |
;; |
;; |
|
|
status) |
status) |
|
|
;; |
;; |
|
|
*) |
*) |
echo "Usage: $0 {start|stop|stop}" >&2 |
echo "Usage: $0 {start|stop|status}" >&2 |
exit 1 |
exit 1 |
;; |
;; |
esac |
esac |