verzia 2.8, 2005/01/04 19:57:14 |
verzia 2.15, 2005/01/16 12:13:32 |
|
|
# Can be started by init or by hand. |
# Can be started by init or by hand. |
# |
# |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Copyright (c) 2003-2004 Platon SDG, http://platon.sk/ |
# Copyright (c) 2003-2005 Platon SDG, http://platon.sk/ |
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.7 2005/01/02 13:31:46 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.14 2005/01/16 11:06:46 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2004-11-14 - created |
# 2003-10-24 - created |
# |
# |
|
|
DESC="firewall" |
DESC="firewall" |
Riadok 33 DEFAULT_POLICY="${DEFAULT_POLICY:=DROP}" |
|
Riadok 33 DEFAULT_POLICY="${DEFAULT_POLICY:=DROP}" |
|
# which modules to load |
# which modules to load |
MODULES="${MODULES:=}" |
MODULES="${MODULES:=}" |
|
|
LOG_LIMIT="${LOG_LIMIT:=-m limit --limit 12/h --limit-burst 10}" |
LOG_LIMIT="${LOG_LIMIT:=-m limit --limit 12/h --limit-burst 10 -j LOG --log-level notice --log-prefix}" |
|
|
# Paths: |
# Paths: |
#IPTABLES=":" # for testing only - does nothing |
#IPTABLES=":" # for testing only - does nothing |
IPTABLES="${IPTABLES:=/sbin/iptables}" |
IPTABLES="${IPTABLES:=$DEBUG/sbin/iptables}" |
IFCONFIG="${IFCONFIG:=/sbin/ifconfig}" |
IFCONFIG="${IFCONFIG:=/sbin/ifconfig}" |
DEPMOD="${DEPMOD:=/sbin/depmod}" |
DEPMOD="${DEPMOD:=/sbin/depmod}" |
MODPROBE="${MODPROBE:=/sbin/modprobe}" |
MODPROBE="${MODPROBE:=/sbin/modprobe}" |
Riadok 48 AWK="${AWK:=/usr/bin/awk}" |
|
Riadok 48 AWK="${AWK:=/usr/bin/awk}" |
|
LO_IFACE="${LO_IFACE:=lo}" |
LO_IFACE="${LO_IFACE:=lo}" |
LO_IP="IP_$LO_IFACE" |
LO_IP="IP_$LO_IFACE" |
|
|
# Which ports will be allowed on INPUT (TCP connections) |
|
ALL_ACCEPT_INPUT_TCP="${ALL_ACCEPT_INPUT_TCP:=}" |
|
# interface eth0 |
|
eth0_ACCEPT_INPUT_TCP="${eth0_ACCEPT_INPUT_TCP:=}" |
|
# interface ppp0 |
|
ppp0_ACCEPT_INPUT_TCP="${ppp0_ACCEPT_INPUT_TCP:=}" |
|
|
|
# Which ports will be allowed on INPUT (UDP connections) |
|
# interface eth0 |
|
eth0_ACCEPT_INPUT_UDP="${eth0_ACCEPT_INPUT_UDP:=}" |
|
# interface ppp0 |
|
ppp0_ACCEPT_INPUT_UDP="${ppp0_ACCEPT_INPUT_UDP:=}" |
|
|
|
# allow some ICMP packets - needed for ping etc. |
# allow some ICMP packets - needed for ping etc. |
ACCEPT_ICMP_PACKETS="${ACCEPT_ICMP_PACKETS:=echo-reply destination-unreachable echo-request time-exceeded}" |
ACCEPT_ICMP_PACKETS="${ACCEPT_ICMP_PACKETS:=echo-reply destination-unreachable echo-request time-exceeded}" |
|
|
Riadok 124 remove_chains() |
|
Riadok 111 remove_chains() |
|
|
|
} # }}} |
} # }}} |
|
|
# all packets on loopback are accpted |
|
set_loopback() |
|
{ # {{{ |
|
$IPTABLES -A INPUT -j ACCEPT -i $LO_IFACE |
|
$IPTABLES -A OUTPUT -j ACCEPT -o $LO_IFACE |
|
} # }}} |
|
|
|
# DROP packages from nmap(1) |
# DROP packages from nmap(1) |
nmap_scan_filter() |
nmap_scan_filter() |
{ # {{{ |
{ # {{{ |
Riadok 139 nmap_scan_filter() |
|
Riadok 119 nmap_scan_filter() |
|
|
|
for chain in INPUT FORWARD; do |
for chain in INPUT FORWARD; do |
# Nie je nastaveny ziaden bit |
# Nie je nastaveny ziaden bit |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT -j LOG --log-prefix "nmap scan $chain ALL NONE: " |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
echo -en "." |
echo -en "." |
|
|
# dva odporujuuce si flagy su nastavene: |
# dva odporujuuce si flagy su nastavene: |
for flags in SYN,FIN SYN,RST FIN,RST ; do |
for flags in SYN,FIN SYN,RST FIN,RST ; do |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT -j LOG --log-prefix "nmap scan $chain $flags: " |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
echo -en "." |
echo -en "." |
Riadok 154 nmap_scan_filter() |
|
Riadok 134 nmap_scan_filter() |
|
|
|
# je nastavene len $flags bez predpokladaneho ACK |
# je nastavene len $flags bez predpokladaneho ACK |
for flags in FIN PSH URG ; do |
for flags in FIN PSH URG ; do |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT -j LOG --log-prefix "nmap scan $chain ACK,$flags: " |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
echo -en "." |
echo -en "." |
Riadok 171 invalid_packet_filter() |
|
Riadok 151 invalid_packet_filter() |
|
|
|
echo -en "Turning on INVALID packet filter " |
echo -en "Turning on INVALID packet filter " |
for chain in INPUT OUTPUT FORWARD; do |
for chain in INPUT OUTPUT FORWARD; do |
$IPTABLES -A $chain -m state --state INVALID $LOG_LIMIT -j LOG --log-prefix "INVALID $chain: " |
$IPTABLES -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
echo -en "." |
echo -en "." |
Riadok 208 anti_spoof_filter() |
|
Riadok 188 anti_spoof_filter() |
|
$IPTABLES -N spoof |
$IPTABLES -N spoof |
|
|
# Ochrana proti Spoogingu zo spatnej slucky |
# Ochrana proti Spoogingu zo spatnej slucky |
$IPTABLES -A spoof -s 127.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "RESERVED:127.0.0.0/8 src" |
$IPTABLES -A spoof -s 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 src" |
$IPTABLES -A spoof -s 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -s 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -d 127.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "RESERVED:127.0.0.0/8 dest" |
$IPTABLES -A spoof -d 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 dest" |
$IPTABLES -A spoof -d 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -d 127.0.0.0/8 -j DROP |
# Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete |
# Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete |
$IPTABLES -A spoof -s 192.168.0.0/16 $LOG_LIMIT -j LOG --log-prefix "RESERVED:192.168.0.0/16 src" |
$IPTABLES -A spoof -s 192.168.0.0/16 $LOG_LIMIT "RESERVED:192.168.0.0/16 src" |
$IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 172.16.0.0/12 $LOG_LIMIT -j LOG --log-prefix "RESERVED:172.16.0.0/12 src" |
$IPTABLES -A spoof -s 172.16.0.0/12 $LOG_LIMIT "RESERVED:172.16.0.0/12 src" |
$IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 10.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "RESERVED:10.0.0.0/8 src" |
$IPTABLES -A spoof -s 10.0.0.0/8 $LOG_LIMIT "RESERVED:10.0.0.0/8 src" |
$IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES -A spoof -s 96.0.0.0/4 $LOG_LIMIT -j LOG --log-prefix "RESERVED:96.0.0.0/4 src" |
$IPTABLES -A spoof -s 96.0.0.0/4 $LOG_LIMIT "RESERVED:96.0.0.0/4 src" |
$IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA |
$IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA |
|
|
for iface in $ANTISPOOF_IFACE; do |
for iface in $ANTISPOOF_IFACE; do |
|
|
echo -en " $type" |
echo -en " $type" |
$IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT |
$IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT |
done |
done |
|
#$IPTABLES -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: " |
echo " done." |
echo " done." |
|
|
# Keep state of connections from private subnets |
# Keep state of connections from private subnets |
|
|
|
|
} # }}} |
} # }}} |
|
|
allow_input() |
allow_accept_all() |
{ # {{{ |
{ # {{{ |
|
|
if [ ! -z "$IFACE_ACCEPT_ALL" ]; then |
if [ ! -z "$IFACE_ACCEPT_ALL" ]; then |
echo -en "Accepting ALL packets on interfaces:" |
echo -en "Accepting ALL packets on interfaces:" |
for iface in $IFACE_ACCEPT_ALL; do |
for iface in $IFACE_ACCEPT_ALL; do |
echo -en " $iface" |
echo -en " $iface" |
$IPTABLES -A INPUT -i $iface -j ACCEPT |
$IPTABLES -A INPUT -i $iface -j ACCEPT |
$IPTABLES -A OUTPUT -i $iface -j ACCEPT |
|
$IPTABLES -A FORWARD -i $iface -j ACCEPT |
$IPTABLES -A FORWARD -i $iface -j ACCEPT |
|
$IPTABLES -A OUTPUT -o $iface -j ACCEPT |
done |
done |
echo " done." |
echo " done." |
fi |
fi |
|
} # }}} |
|
|
|
allow_input() |
|
{ # {{{ |
|
|
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
echo -en "Accepting ALL INPUT TCP connections on ports:" |
echo -en "Accepting ALL INPUT TCP connections on ports:" |
|
|
done |
done |
echo " done." |
echo " done." |
fi |
fi |
|
if [ ! -z "$ALL_ACCEPT_INPUT_UDP" ]; then |
|
echo -en "Accepting ALL INPUT UDP connections on ports:" |
|
for port in $ALL_ACCEPT_INPUT_UDP; do |
|
for iface in $INTERFACES; do |
|
ip="IP_$iface"; |
|
echo -en " $port($iface)" |
|
$IPTABLES -A INPUT -i $iface -p UDP --dport $port -j ACCEPT |
|
done |
|
done |
|
echo " done." |
|
fi |
|
|
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
ip="IP_$iface"; |
ip="IP_$iface"; |
|
|
$IPTABLES -A INPUT -i $iface -d ${!ip} -p ICMP --icmp-type $type -j ACCEPT |
$IPTABLES -A INPUT -i $iface -d ${!ip} -p ICMP --icmp-type $type -j ACCEPT |
done |
done |
done |
done |
|
#$IPTABLES -A INPUT -p ICMP -j LOG --log-prefix "IN ICMP: " |
|
#$IPTABLES -A OUTPUT -p ICMP -j LOG --log-prefix "OUT ICMP: " |
echo " done." |
echo " done." |
|
|
} # }}} |
} # }}} |
Riadok 488 log_input_drop() |
|
Riadok 485 log_input_drop() |
|
|
|
prefix="input drop: " |
prefix="input drop: " |
echo "Input drop is logged with prefix '$prefix'" |
echo "Input drop is logged with prefix '$prefix'" |
$IPTABLES -A INPUT $LOG_LIMIT -j LOG --log-prefix "$prefix" |
$IPTABLES -A INPUT $LOG_LIMIT "$prefix" |
|
|
} # }}} |
} # }}} |
|
|
Riadok 497 log_output_drop() |
|
Riadok 494 log_output_drop() |
|
|
|
prefix="output drop: " |
prefix="output drop: " |
echo "Output drop is logged with prefix '$prefix'" |
echo "Output drop is logged with prefix '$prefix'" |
$IPTABLES -A OUTPUT $LOG_LIMIT -j LOG --log-prefix "$prefix" |
$IPTABLES -A OUTPUT $LOG_LIMIT "$prefix" |
|
|
} # }}} |
} # }}} |
|
|
Riadok 506 log_forward_drop() |
|
Riadok 503 log_forward_drop() |
|
|
|
prefix="forward drop: " |
prefix="forward drop: " |
echo "Forward drop is logged with prefix '$prefix'" |
echo "Forward drop is logged with prefix '$prefix'" |
$IPTABLES -A FORWARD $LOG_LIMIT -j LOG --log-prefix "$prefix" |
$IPTABLES -A FORWARD $LOG_LIMIT "$prefix" |
|
|
} # }}} |
} # }}} |
|
|
Riadok 580 parse_ifconfig() |
|
Riadok 577 parse_ifconfig() |
|
parse_ifconfig |
parse_ifconfig |
print_iface_status |
print_iface_status |
|
|
# $interfaces - all interfaces |
# |
|
# Split interfaces into 2 groups: |
|
# |
|
# $INTERFACES_ACCEPT_ALL - interfaces withouth restrictions |
|
# |
# $INTERFACES - all interfaces withouth loopback |
# $INTERFACES - all interfaces withouth loopback |
|
# and devices without restrictions (e.g. tun0 tun1 tap0 ...) |
|
# |
|
# list of all interfaces is in $interfaces variable |
|
# |
INTERFACES="" |
INTERFACES="" |
|
INTERFACES_ACCEPT_ALL="" |
|
regexp='^\('`echo $IFACE_ACCEPT_ALL | sed 's/ /\\\|/g; s/+/.*/g;'`'\)$' |
for iface in $interfaces; do |
for iface in $interfaces; do |
if [ "o$iface" = "olo" ]; then continue; fi |
#if [ "o$iface" = "olo" ]; then continue; fi |
INTERFACES="$INTERFACES $iface"; |
echo $iface | grep -q -e "$regexp" |
|
if [ $? = 0 ] || [ "o$iface" = "olo" ]; then # lo interface is always here |
|
INTERFACES_ACCEPT_ALL="$INTERFACES_ACCEPT_ALL $iface"; |
|
else |
|
INTERFACES="$INTERFACES $iface"; |
|
fi |
done |
done |
|
|
|
|
|
|
# |
# |
# (un)commnet next lines as needed |
# (un)commnet next lines as needed |
# |
# |
set_loopback |
allow_accept_all |
nmap_scan_filter |
nmap_scan_filter |
invalid_packet_filter |
invalid_packet_filter |
anti_spoof_filter |
anti_spoof_filter |