"Vincent Munari" <[EMAIL PROTECTED]> writes:
> Quelqu'un aurait-il des liens int�ressants o� iptables est
> d�cortiqu� et bien expliqu�? (en dehors des man pages et des HOW-TO
> qui ne sont pas asset d�taill�s � mon go�t)
ben voila le script que je vais bientot installer. je dois encore le
tester un peu, mais tout les commentaires sont les bienvenus. le
script je l'ai fait en copiant a gauche et a droite et en lisant la
doc. il est destine a etre demarre au boot (une partie en tout cas) et
l'autre partie lors du ppp/ip-up.
/etc/firewall/firewall peut etre copie dans /etc/init.d/,
/etc/firewall/firewall.ppp peut etre copie dans /etc/ppp/ip-up.d/ et
ip-down.d.
/etc/firewall/firewall
**********************************************************************
#!/bin/sh
PROG_NAME="$0"
IPTABLES_FW_SCRIPT="/etc/firewall/firewall.sh"
if [ ! -x "$IPTABLES_FW_SCRIPT" ]; then
IPTABLES_FW_SCRIPT=`dirname "$PROG_NAME"`"/iptables-fw.sh"
fi
# ----------------------------------------------------------------------
usage() {
cat <<EOF
Usage: $0 start|stop|restart|status
EOF
} # end of function usage
# ----------------------------------------------------------------------
if [ $# -ne 1 ]; then
usage
fi
cmd_arg="$1"
case "$cmd_arg" in
start)
$IPTABLES_FW_SCRIPT start main
$IPTABLES_FW_SCRIPT start private
;;
stop)
$IPTABLES_FW_SCRIPT stop private
$IPTABLES_FW_SCRIPT stop main
;;
restart)
$PROG_NAME stop
$PROG_NAME start
;;
status)
$IPTABLES_FW_SCRIPT status
;;
*)
usage
exit 1
;;
esac
exit 0
**********************************************************************
/etc/firewall/firewall.ppp
**********************************************************************
#!/bin/sh
echo $0 | grep '^/etc/ppp/ip-up.d/' && CMD=start
echo $0 | grep '^/etc/ppp/ip-down.d/' && CMD=stop
FIREWALL_SCRIPT="/etc/firewall/firewall.sh"
if [ ! -x "$FIREWALL_SCRIPT" ]; then
FIREWALL_SCRIPT=`dirname "$PROG_NAME"`"/iptables-fw.sh"
fi
[ ! -x $FIREWALL_SCRIPT ] && exit 1
#LOCALNET=`grep '^localnet' /etc/networks | sed -e '2,$d' -e
's/^.*[^0-9]\+\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/g'`
#LOCALNET_NETWORK=`/usr/bin/ipv4calc --network $LOCALNET`
LOCALNET_NETWORK=192.168.56.0
REMOTE_NETWORK=`/usr/bin/ipv4calc --network $PPP_REMOTE`
#LOCAL_NETWORK=`/usr/bin/ipv4calc --network $PPP_LOCAL`
GENERIC_IFACE=`echo $PPP_IFACE | /usr/bin/tr -d '[0-9]'`
echo REMOTE_NETWORK=$REMOTE_NETWORK, LOCALNET_NETWORK=$LOCALNET_NETWORK,
GENERIC_IFACE=$GENERIC_IFACE >> /tmp/ppp.log
if [ $REMOTE_NETWORK = $LOCALNET_NETWORK -a $GENERIC_IFACE = "ppp" ]; then
# we have the palm interface pppX
# we could also test for the device, but only because we use an alias
ARGS="$CMD palm $PPP_IFACE $PPP_LOCAL $PPP_REMOTE"
else
# else we brought up the link to the internet
ARGS="$CMD public $PPP_IFACE $PPP_LOCAL"
fi
echo $FIREWALL_SCRIPT $ARGS >> /var/log/ppp.log
$FIREWALL_SCRIPT $ARGS
**********************************************************************
/etc/firewall/firewall.sh
**********************************************************************
#!/bin/sh
PROG_NAME="$0"
DYNAMIC_VALUE="_dynamic_"
ECHO="/bin/echo"
# --------------------------------------------------------------------
PRIVATE_IP_HOST_ARGON="192.168.56.1/32"
PRIVATE_IP_HOST_PLUTO="192.168.56.10/32"
# ... ... ... ... ... ... ... ... ... ... ... ..
INTERNAL_INTERFACE="eth0"
PRIVATE_IF="$DYNAMIC_VALUE"
PRIVATE_IP="$DYNAMIC_VALUE"
PRIVATE_CIDR="$DYNAMIC_VALUE"
PRIVATE_NET="$DYNAMIC_VALUE"
PRIVATE_BROADCAST="$DYNAMIC_VALUE"
# ... ... ... ... ... ... ... ... ... ... ... ..
PRIVATE_IP_DNS="$PRIVATE_IP_HOST_ARGON"
PRIVATE_IP_PROXY="$PRIVATE_IP_HOST_ARGON"
PRIVATE_IP_NTP="$PRIVATE_IP_HOST_ARGON"
PRIVATE_IP_LPD="$PRIVATE_IP_HOST_ARGON"
# ....................................................................
#DMZ_IF="eth2"
#DMZ_NET="192.168.99.0/24"
#DMZ_IP="192.168.99.11/32"
# ....................................................................
PUBLIC_IF="$DYNAMIC_VALUE"
PUBLIC_NET="0.0.0.0/0"
PUBLIC_IP="$DYNAMIC_VALUE"
# ....................................................................
LOOPBACK_IF="lo"
LOOPBACK_NET="127.0.0.0/8"
LOOPBACK_IP="127.0.0.1/32"
# ....................................................................
BROADCAST="255.255.255.255/32"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
# --------------------------------------------------------------------
# --------------------------------------------------------------------
ERR_NO_ERROR=0
ERR_INIT=1
ERR_RUNNING=2
# --------------------------------------------------------------------
# --------------------------------------------------------------------
FD_ERROR="/dev/stderr"
FD_TRACE="$FD_ERROR"
FD_DEBUG="$FD_ERROR"
DEBUG="off" # possible values are "on" or "off"
[ "$IPTABLES_FW_DEBUG" = "on" ] && DEBUG="on"
DEBUG_CMD="$ECHO"
[ "$DEBUG" = "off" ] && DEBUG_CMD=""
DEPMOD="$DEBUG_CMD /sbin/depmod"
IPTABLES="$DEBUG_CMD /sbin/iptables"
MODPROBE="$DEBUG_CMD /sbin/modprobe"
SED="/bin/sed"
GREP="/bin/grep"
IPV4CALC="/usr/bin/ipv4calc"
TRACE="on" # possible values are "on" or "off"
# log variables
LOG_PRIO_NORMAL=6
LOG_PRIO_PARANOIA=7
LOG_PRIO_ALL=$LOG_PRIO_NORMAL
LOG_PREFIX_NORMAL=" "
LOG_PREFIX_PARANOIA="*"
LOG_PREFIX_ALL="!"
# --------------------------------------------------------------------
# --------------------------------------------------------------------
PORT_UNPRIV="1024:"
PORT_TR_SRC="32769:"
PORT_TR_DEST="33434:33523"
# --------------------------------------------------------------------
# --------------------------------------------------------------------
ctrl_main_usage() {
cat <<EOF
Usage: ctrl_main start|stop <private interface>
EOF
exit $ERR_RUNNING
} # end of function ctrl_main_usage
ctrl_main() {
trace "ctrl_main: ctrl_main: begin"
if [ $# -lt 2 ]; then
error "Missing/exessive arguments for 'ctrl_main' ($# args supplied)"
ctrl_main_usage
fi
main_cmd="$1"
case "$main_cmd" in
start)
action="-A"
;;
stop)
action="-D"
;;
*)
error "ctrl_main: wrong action '$main_cmd'."
return
;;
esac
intif="$2"
# --------------------------------------------------
$DEPMOD -a
trace "ctrl_main: modprobing modules"
$MODPROBE iptable_filter
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
# --------------------------------------------------
# --------------------------------------------------
trace "ctrl_main: cleaning up tables/chains"
# flushing all chains...
$IPTABLES -F
# deleting all existing chains
$IPTABLES -X
# reseting counters
$IPTABLES -Z
# policy: drop any packet
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
if [ "$main_cmd" = "start" ]; then
# ..............................................
# set up new chain to log and drop packets
trace "ctrl_main: create log-chains drop"
$IPTABLES -N log_DROP
$IPTABLES $action log_DROP \
-j LOG --log-level $LOG_PRIO_NORMAL \
--log-prefix="${LOG_PREFIX_NORMAL}Packet-drop: " \
### -m limit --limit 30/hour
$IPTABLES $action log_DROP -j DROP
$IPTABLES -N log_DROP_PARANOIA
$IPTABLES $action log_DROP_PARANOIA \
-j LOG --log-level $LOG_PRIO_PARANOIA \
--log-prefix="${LOG_PREFIX_PARANOIA}Packet-drop: " \
### -m limit --limit 30/hour
$IPTABLES $action log_DROP_PARANOIA -j DROP
$IPTABLES -N log_DROP_ALL
$IPTABLES $action log_DROP_ALL \
-j LOG --log-level $LOG_PRIO_ALL \
--log-prefix="${LOG_PREFIX_ALL}Packet-drop: " \
### -m limit --limit 30/hour
$IPTABLES $action log_DROP_ALL -j DROP
# ..............................................
# ..............................................
# set up new chain to log and reject packets
trace "ctrl_main: create log-chains reject"
$IPTABLES -N log_REJECT
$IPTABLES $action log_REJECT \
-j LOG --log-level $LOG_PRIO_NORMAL \
--log-prefix="${LOG_PREFIX_NORMAL}Packet-reject: " \
### -m limit --limit 30/hour
$IPTABLES $action log_REJECT -j REJECT
$IPTABLES -N log_REJECT_PARANOIA
$IPTABLES $action log_REJECT_PARANOIA \
-j LOG --log-level $LOG_PRIO_PARANOIA \
--log-prefix="${LOG_PREFIX_PARANOIA}Packet-reject: " \
### -m limit --limit 30/hour
$IPTABLES $action log_REJECT_PARANOIA -j REJECT
$IPTABLES -N log_REJECT_ALL
$IPTABLES $action log_REJECT_ALL \
-j LOG --log-level $LOG_PRIO_ALL \
--log-prefix="${LOG_PREFIX_ALL}Packet-reject: " \
### -m limit --limit 30/hour
$IPTABLES $action log_REJECT_ALL -j REJECT
# ..............................................
# ..............................................
# set up new chain to log and accept packets
trace "ctrl_main: create log-chains accept"
$IPTABLES -N log_ACCEPT
$IPTABLES $action log_ACCEPT \
-j LOG --log-level $LOG_PRIO_NORMAL \
--log-prefix="${LOG_PREFIX_NORMAL}Packet-ok: " \
### -m limit --limit 30/hour
$IPTABLES $action log_ACCEPT -j ACCEPT
$IPTABLES -N log_ACCEPT_PARANOIA
$IPTABLES $action log_ACCEPT_PARANOIA \
-j LOG --log-level $LOG_PRIO_PARANOIA \
--log-prefix="${LOG_PREFIX_PARANOIA}Packet-ok: " \
### -m limit --limit 30/hour
$IPTABLES $action log_ACCEPT_PARANOIA -j ACCEPT
$IPTABLES -N log_ACCEPT_ALL
$IPTABLES $action log_ACCEPT_ALL \
-j LOG --log-level $LOG_PRIO_ALL \
--log-prefix="${LOG_PREFIX_ALL}Packet-ok: " \
### -m limit --limit 30/hour
$IPTABLES $action log_ACCEPT_ALL -j ACCEPT
# ..............................................
fi
# --------------------------------------------------
# --------------------------------------------------
## Kernel flags
trace "ctrl_main: set kernel flags"
# disable ECN (Electronic Congestion Notification), at least
# for now....
trace "$ECHO 0 > /proc/sys/net/ipv4/tcp_ecn"
[ "$DEBUG" != "on" ] &&
$ECHO "0" > /proc/sys/net/ipv4/tcp_ecn
# To dynamically change kernel parameters and variables on the
# fly you need CONFIG_SYSCTL defined in your kernel. I would
# advise the following:
# Disable response to ping.
trace "$ECHO 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
[ "$DEBUG" != "on" ] &&
$ECHO "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
trace "$ECHO 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
[ "$DEBUG" != "on" ] &&
$ECHO "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets. Attackers can use
# source routing to generate traffic pretending to be from
# inside your network, but which is routed back along the
# path from which it came, namely outside, so attackers can
# compromise your network. Source routing is rarely used for
# legitimate purposes.
trace "$ECHO 0 > /proc/sys/net/ipv4/conf/all/accept_source_route"
[ "$DEBUG" != "on" ] &&
$ECHO "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance. ICMP redirects can be
# used to alter your routing tables, possibly to a bad end.
trace "$ECHO 0 > /proc/sys/net/ipv4/conf/all/accept_redirects"
[ "$DEBUG" != "on" ] &&
$ECHO "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection.
trace "$ECHO 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses"
[ "$DEBUG" != "on" ] &&
$ECHO "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Turn on reverse path filtering. This helps make sure that
# packets use legitimate source addresses, by automatically
# rejecting incoming packets if the routing table entry for
# their source address doesn't match the network interface
# they're arriving on. This has security advantages because
# it prevents so-called IP spoofing, however it can pose problems
# if you use asymmetric routing (packets from you to a host take
# a different path than packets from that host to you) or if you
# operate a non-routing host which has several IP addresses on
# different interfaces. (Note - If you turn on IP forwarding, you
# will also get this).
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
trace "$ECHO 1 > $interface"
[ "$DEBUG" != "on" ] &&
$ECHO "1" > $interface
done
# Log spoofed packets, source routed packets, redirect packets.
trace "$ECHO 1 > /proc/sys/net/ipv4/conf/all/log_martians"
[ "$DEBUG" != "on" ] &&
$ECHO "1" > /proc/sys/net/ipv4/conf/all/log_martians
# lets turn off IP forwarding, for now
trace "$ECHO 0 > /proc/sys/net/ipv4/ip_forward"
[ "$DEBUG" != "on" ] &&
$ECHO "0" > /proc/sys/net/ipv4/ip_forward
# Note: With connection tracking, all fragments are reassembled
# before being passed to the packet-filtering code so there is
# no ip_always_defrag switch as there was in the 2.2 kernel.
# --------------------------------------------------
# --------------------------------------------------
# loopback interface is ok
trace "ctrl_main: configure loopback interface"
$IPTABLES $action INPUT -i $LOOPBACK_IF -j log_ACCEPT_ALL
$IPTABLES $action OUTPUT -o $LOOPBACK_IF -j log_ACCEPT_ALL
# --------------------------------------------------
# --------------------------------------------------
# delete the chains we've created in case we stop here.
if [ "$main_cmd" = "stop" ]; then
trace "ctrl_main: deleting log-chains"
for chain in log_DROP log_REJECT log_ACCEPT; do
$IPTABLES -F $chain
$IPTABLES -X $chain
done
fi
# --------------------------------------------------
trace "ctrl_main: end"
} # end of function ctrl_main
# --------------------------------------------------------------------
# --------------------------------------------------------------------
ctrl_private_usage() {
cat <<EOF
Usage: ctrl_private start|stop <private-interface>
EOF
ctrl_main start $INTERNAL_INTERFACE
exit $ERR_RUNNING
} # end of function ctrl_private_usage
ctrl_private() {
trace "ctrl_private: begin"
if [ $# -lt 2 ]; then
error "Missing/exessive arguments for 'ctrl_private' ($# args supplied)"
ctrl_private_usage
fi
private_cmd="$1"
case "$private_cmd" in
start)
action="-A"
;;
stop)
action="-D"
;;
*)
error "ctrl_private: wrong action '$private_cmd'."
ctrl_private_usage
return
;;
esac
# since this is for the routing, we have several interface
# (and associated ip addresses):
# internal interface and ip
intif="$2"
set_private_vars $intif
# --------------------------------------------------
# INCOMING and OUTGOING connections
# allow all incoming and outgoing TCP, UDP and ICMP connections
# (on the local network!)
# all TCP ports open are:
trace "ctrl_private: configure incoming TCP connections"
$IPTABLES $action INPUT -p tcp \
-i $intif -s $PRIVATE_NET -d $PRIVATE_IP \
-j log_ACCEPT_PARANOIA
$IPTABLES $action OUTPUT -p tcp \
-o $intif -s $PRIVATE_IP -d $PRIVATE_NET \
-j log_ACCEPT_PARANOIA
# all UDP ports open are:
trace "ctrl_private: configure incoming UDP connections"
$IPTABLES $action INPUT -p udp \
-i $intif -s $PRIVATE_NET -d $PRIVATE_IP \
-j log_ACCEPT_PARANOIA
$IPTABLES $action OUTPUT -p udp \
-o $intif -s $PRIVATE_IP -d $PRIVATE_NET \
-j log_ACCEPT_PARANOIA
# all ICMP messages open are:
trace "ctrl_private: configure incoming ICMP connections"
$IPTABLES $action INPUT -p icmp \
-i $intif -s $PRIVATE_NET -d $PRIVATE_IP \
-j log_ACCEPT_PARANOIA
$IPTABLES $action OUTPUT -p icmp \
-o $intif -s $PRIVATE_IP -d $PRIVATE_NET \
-j log_ACCEPT_PARANOIA
# --------------------------------------------------
# --------------------------------------------------
# all other packets are logged:
# trace "ctrl_private: default log & drop"
# $IPTABLES $action INPUT -j log_DROP
# $IPTABLES $action OUTPUT -j log_DROP
# $IPTABLES $action FORWARD -j log_DROP
# --------------------------------------------------
trace "ctrl_private: end"
} # end of function ctrl_private
# --------------------------------------------------------------------
# --------------------------------------------------------------------
ctrl_dmz_usage() {
cat <<EOF
Usage: ctrl_dmz start|stop <private-interface> <dmz-interface>
EOF
ctrl_main start $INTERNAL_INTERFACE
exit $ERR_RUNNING
} # end of function ctrl_dmz_usage
ctrl_dmz() {
trace "ctrl_dmz: begin"
if [ $# -ne 3 ]; then
error "Missing/exessive arguments for 'ctrl_dmz' ($# args supplied)"
ctrl_dmz_usage
fi
dmz_cmd="$1"
case "$dmz_cmd" in
start)
action="-A"
;;
stop)
action="-D"
;;
*)
error "ctrl_dmz: wrong action '$dmz_cmd'."
return
;;
esac
# internal interface and ip
intif="$2"
set_private_vars $intif
# --------------------------------------------------
# --------------------------------------------------
trace "ctrl_dmz: end"
} # end of function ctrl_dmz
# --------------------------------------------------------------------
# --------------------------------------------------------------------
ctrl_public_usage() {
cat <<EOF
Usage: ctrl_public start|stop <private-interface> <private-ip> <public-interface>
<public-ip>
EOF
ctrl_main start $INTERNAL_INTERFACE
exit $ERR_RUNNING
} # end of function ctrl_public_usage
ctrl_public() {
trace "ctrl_public: begin"
if [ $# -ne 4 ]; then
error "Missing/exessive arguments for 'ctrl_public' ($# args supplied)"
ctrl_public_usage
fi
public_cmd="$1"
case "$public_cmd" in
start)
action="-A"
;;
stop)
action="-D"
;;
*)
error "ctrl_public: wrong action '$public_cmd'."
return
;;
esac
# since this is for the routing, we have several interface
# (and associated ip addresses):
# internal interface and ip
intif="$2"
set_private_vars $intif
# external interface and ip
extint="$3"
extip="$4"
# --------------------------------------------------
## SYN-FLOODINGPROTECTION
# This rule maximises the rate of incoming connections. In
# order to do this we divert tcp packets with the SYN bit
# set off to a user-defined chain. Up to limit-burst
# connections can arrive in 1/limit seconds ..... in this
# case 4 connections in one second. After this, one of the
# burst is regained every second and connections are allowed
# again. The default limit is 3/hour. The default limit burst
# is 5.
trace "ctrl_public: syn-flood protection"
if [ "$public_cmd" = "start" ]; then
$IPTABLES -N sys_SYN_FLOOD
fi
$IPTABLES $action INPUT -i $extint -p tcp --syn -j sys_SYN_FLOOD
$IPTABLES $action sys_SYN_FLOOD -m limit \
--limit 1/s --limit-burst 4 -j RETURN
$IPTABLES $action sys_SYN_FLOOD -j log_DROP
## Make sure NEW tcp connections are SYN packets
trace "ctrl_public: check new TCP connection has syn flag set"
$IPTABLES $action INPUT -i $extint -p tcp ! --syn \
-m state --state NEW -j log_DROP
## FRAGMENTS
# I have to say that fragments scare me more than anything.
# Sending lots of non-first fragments was what allowed Jolt2
# to effectively "drown" Firewall-1. Fragments can be
# overlapped, and the subsequent interpretation of such
# fragments is very OS-dependent (see this paper for details).
# I am not going to trust any fragments.
# Log fragments just to see if we get any, and deny them too.
trace "ctrl_public: fragments handling"
$IPTABLES $action INPUT -i $extint -f \
-j LOG --log-prefix "IPTABLES FRAGMENTS: "
$IPTABLES $action INPUT -i $extint -f -j DROP
## SPOOFING
# Most of this anti-spoofing stuff is theoretically not really
# necessary with the flags we have set in the kernel above
# ........... but you never know there isn't a bug somewhere in
# your IP stack.
#
trace "ctrl_public: refuse spoofed packets"
# Refuse spoofed packets pretending to be from your IP address.
$IPTABLES $action INPUT -i $extint -s $extip -j log_DROP
# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface
# protects against source quench, whereby a machine can be
# told to slow itself down by an icmp source quench to the
# loopback.
$IPTABLES $action INPUT -i $extint -d $LOOPBACK_NET \
-j log_DROP
for sense in INPUT OUTPUT; do
case "$sense" in
"INPUT")
sense_if="-i"
sense_comment="in"
;;
"OUTPUT")
sense_if="-o"
sense_comment="out"
;;
*)
sense_if=""
sense_comment="UNKNOWN"
;;
esac
trace "ctrl_public: refuse unroutable packets $sense_comment"
# Refuse packets claiming to be from (or going to) a
# Class A private network.
$IPTABLES $action $sense $sense_if $extint \
-s $CLASS_A \
-j log_DROP
# Refuse packets claiming to be from (or going to) a
# Class B private network.
$IPTABLES $action $sense $sense_if $extint \
-s $CLASS_B \
-j log_DROP
# Refuse packets claiming to be from (or going to) a
# Class C private network.
$IPTABLES $action $sense $sense_if $extint \
-s $CLASS_C \
-j log_DROP
# Refuse Class D multicast addresses. Multicast is
# illegal as a source address.
$IPTABLES $action $sense $sense_if $extint \
-s $CLASS_D_MULTICAST \
-j log_DROP
# Refuse Class E reserved IP addresses.
$IPTABLES $action $sense $sense_if $extint \
-s $CLASS_E_RESERVED_NET \
-j log_DROP
trace "ctrl_public: refuse broadcasts $sense_comment"
# Refuse broadcast address packets.
$IPTABLES $action $sense $sense_if $extint -d $PRIVATE_BROADCAST \
-j log_DROP
done
# --------------------------------------------------
# --------------------------------------------------
$IPTABLES $action OUTPUT -o $extint -p tcp \
-m state --state NEW,ESTABLISHED -j log_ACCEPT_PARANOIA
$IPTABLES $action INPUT -i $extint -p tcp \
-m state --state ESTABLISHED -j log_ACCEPT_PARANOIA
$IPTABLES $action OUTPUT -o $extint -p udp \
-m state --state NEW,ESTABLISHED -j log_ACCEPT_PARANOIA
$IPTABLES -A INPUT -i $extint -p udp \
-m state --state ESTABLISHED -j log_ACCEPT_PARANOIA
$IPTABLES $action OUTPUT -o $extint -p icmp \
-m state --state NEW,ESTABLISHED -j log_ACCEPT_PARANOIA
$IPTABLES -A INPUT -i $extint -p icmp \
-m state --state ESTABLISHED,RELATED -j log_ACCEPT_PARANOIA
# --------------------------------------------------
# --------------------------------------------------
# some ports to block explictly from going out and coming in:
trace "ctrl_public: explicit block"
for el in 137 138 139; do
for proto in tcp udp; do
$IPTABLES $action OUTPUT -o $extint -p $proto \
--dport $el -j log_DROP_PARANOIA
$IPTABLES $action INPUT -i $extint -p $proto \
--dport $el -j log_DROP_PARANOIA
done
done
for el in 6000:6007; do
$IPTABLES $action OUTPUT -o $extint -p tcp \
--dport $el -j log_DROP_PARANOIA
$IPTABLES $action INPUT -i $extint -p tcp \
--dport $el -j log_DROP_PARANOIA
done
# --------------------------------------------------
# --------------------------------------------------
trace "ctrl_public: control incoming new and invalid"
# Disallow NEW and INVALID incoming or forwarded packets from
# the external interface:
$IPTABLES $action INPUT -i $extint \
-m state --state NEW,INVALID -j log_DROP
$IPTABLES $action FORWARD -i $extint \
-m state --state NEW,INVALID -j log_DROP
# --------------------------------------------------
# --------------------------------------------------
trace "ctrl_public: masquerading"
# this is also a router, so we masquerade:
# masquerade out of the external interface
$IPTABLES -t nat $action POSTROUTING -o $extint -j MASQUERADE
# lets turn off IP forwarding, for now
if [ "$action" = "start" ]; then
ip_forwarding=1
else
ip_forwarding=0
fi
trace "$ECHO $ip_forwarding > /proc/sys/net/ipv4/ip_forward"
[ "$DEBUG" != "on" ] &&
$ECHO "$ip_forwarding" > /proc/sys/net/ipv4/ip_forward
echo $ip_forwarding > /proc/sys/net/ipv4/ip_forward
# --------------------------------------------------
# --------------------------------------------------
if [ "$public_cmd" = "stop" ]; then
trace "ctrl_public: cleanup syn-flood chain"
$IPTABLES -F sys_SYN_FLOOD
$IPTABLES -X sys_SYN_FLOOD
$IPTABLES -Z sys_SYN_FLOOD
fi
# --------------------------------------------------
trace "ctrl_public: end"
} # end of function ctrl_public
# --------------------------------------------------------------------
# --------------------------------------------------------------------
set_private_vars_usage() {
cat <<EOF
Usage: set_private_vars <private interface>
EOF
exit $ERR_RUNNING
} # end of function set_private_vars_usage
set_private_vars() {
trace "set_private_vars: begin"
if [ $# -ne 1 ]; then
set_private_vars_usage
fi
PRIVATE_IF="$1"
PRIVATE_IP="$PRIVATE_IP_HOST_PLUTO"
PRIVATE_IP_TMP=`echo "$PRIVATE_IP" | sed -e 's/\/.*$//g'`
PRIVATE_IP="$PRIVATE_IP_TMP/32"
# [ "$PRIVATE_IP" = "$DYNAMIC_VALUE" ] &&
# PRIVATE_IP="`ifconfig $PRIVATE_IF | $GREP 'inet addr:' | $SED -e
's/^\(.[^:]*:\)\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\)\(.*$\)/\2/g'`/32"
# if [ `$ECHO $PRIVATE_IP | $GREP -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+$'` -ne
0 ]; then
# cat <<EOF
#
#set_private_vars: Unable to obtain a correct (private) IP address from the private
interface $PRIVATE_IF. Closing down firewall a maximum.
#
#EOF
# ctrl_main start $INTERNAL_INTERFACE
# exit $ERR_RUNNING
# fi
PRIVATE_CIDR=24
# if [ "$PRIVATE_CIDR" = "$DYNAMIC_VALUE" ]; then
# TMP_PRIVATE_IP=`$ECHO $PRIVATE_IP | sed -e 's/\/.*//g'`
# PRIVATE_CIDR=`$IPV4CALC --cidr $TMP_PRIVATE_IP`
# fi
[ "$PRIVATE_NET" = "$DYNAMIC_VALUE" ] &&
PRIVATE_NET="`$IPV4CALC --network $PRIVATE_IP_TMP/$PRIVATE_CIDR`/$PRIVATE_CIDR"
[ "$PRIVATE_BROADCAST" = "$DYNAMIC_VALUE" ] &&
PRIVATE_BROADCAST="`$IPV4CALC --broadcast
$PRIVATE_IP_TMP/$PRIVATE_CIDR`/$PRIVATE_CIDR"
trace " + private interface: $PRIVATE_IF"
trace " + private IP: $PRIVATE_IP"
trace " + private network: $PRIVATE_NET"
trace " + private broadcast: $PRIVATE_BROADCAST"
trace "set_private_vars: begin"
} # end of function set_private_vars
# --------------------------------------------------------------------
# --------------------------------------------------------------------
usage() {
cat <<EOF
Usage: $PROG_NAME start <target> [ <interface> <ip> ]
$PROG_NAME stop <target>
$PROG_NAME status
$PROG_NAME help
<target> specify which part to control [main|private|dmz|public|log]
<interface> the public interface (that connects to the internet/ISP)
<ip> the public IP address (assigned by the ISP)
The two arguments <interface> and <ip> are only needed
for the <internet> and <dmz> targets with the <start> command.
The 'log' target logs all dropped packets.
EOF
} # end of function usage
# --------------------------------------------------------------------
# --------------------------------------------------------------------
trace() {
[ "$TRACE" = "on" ] && $ECHO "$*" >> $FD_TRACE
} # end of function trace
# --------------------------------------------------------------------
# --------------------------------------------------------------------
debug() {
[ "$DEBUG_CMD" = "on" ] && $ECHO "$*" >> $FD_DEBUG
} # end of function debug
# --------------------------------------------------------------------
# --------------------------------------------------------------------
error() {
$ECHO "Error: $*" >> $FD_ERROR
} # end of function error
# --------------------------------------------------------------------
# --------------------------------------------------------------------
missing_variable() {
case $# in
1)
error "Variable $1 is undefined."
;;
2)
error "Variable $1 is undefined (use option '$2')."
;;
*)
error "Variable $1 is undefined & unknown option."
esac
exit $ERR_INIT
} # end of function missing_variable
# --------------------------------------------------------------------
while [ $# -gt 0 ]; do
FW_CMD="$1"
shift_n=1
trace "main loop: cmd=$FW_CMD"
case "$FW_CMD" in
help)
usage
exit $ERR_NO_ERROR
;;
start)
if [ $# -lt 2 ]; then
error "missing arguments for 'start' command"
usage
exit $ERR_INIT
fi
FW_TARGET="$2"
shift_n=2
trace "main loop: start: target=$FW_TARGET"
case "$FW_TARGET" in
dmz)
echo "UNUSED, YET..."
# ctrl_dmz $FW_CMD $INTERNAL_INTERFACE $DMZ_IF
;;
main)
ctrl_main $FW_CMD $INTERNAL_INTERFACE
;;
open)
$IPTABLES -F
$IPTABLES -Z
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
;;
private)
ctrl_private $FW_CMD $INTERNAL_INTERFACE
;;
public)
if [ $# -lt 4 ]; then
error "missing arguments for 'start public' command"
usage
exit $ERR_INIT
fi
PUBLIC_IF="$3"
PUBLIC_IP="$4"
shift_n=4
ctrl_public $FW_CMD $INTERNAL_INTERFACE $PUBLIC_IF $PUBLIC_IP
;;
*)
error "Unknown target '$FW_TARGET'"
usage
exit $ERR_INIT
;;
esac
;;
status)
trace "....'status' command"
$IPTABLES -L -v -n
exit $ERR_NO_ERROR
;;
stop)
trace "....'stop' command"
if [ $# -lt 2 ]; then
error "missing arguments for 'stop' command"
usage
exit $ERR_INIT
fi
FW_TARGET="$2"
shift_n=2
trace "main loop: stop: target=$FW_TARGET"
case "$FW_TARGET" in
dmz)
echo "UNUSED, YET..."
# ctrl_dmz $FW_CMD $INTERNAL_INTERFACE $DMZ_IF
;;
main)
ctrl_main $FW_CMD $INTERNAL_INTERFACE
;;
private)
ctrl_private $FW_CMD $INTERNAL_INTERFACE
;;
public)
ctrl_public $FW_CMD $INTERNAL_INTERFACE $PUBLIC_IF $PUBLIC_IP
;;
*)
error "Unknown target '$FW_TARGET' for '$FW_CMD' command"
usage
exit $ERR_INIT
;;
esac
;;
*)
error "Unknown command '$FW_CMD'"
usage
exit $ERR_INIT
;;
esac
shift $shift_n
done
exit $ERR_NO_ERROR
**********************************************************************
tom
--
as seen in a signature:
"In an open world without walls and fences,
who needs Gates and windows?"
--
http://www-internal.alphanet.ch/linux-leman/ avant de poser
une question. Ouais, pour se d�sabonner aussi.
