#!/bin/bash
#################################################################################
#                                                                               #
# Created......: 17 August 2001                                                 #
# Last Modified: 13/09/2001 20:28                                               #
# Author.......: Skylinux                                                       #
# Version......: 0.2.2                                                          #
# Download.....: http://home.earthlink.net/~skylinux/                           #
#                                                                               #
#################################################################################
#                                                                               #
# Source:                                                                       #
#                                                                               #
# - James Stephens' Iptables script @                                           #
#   http://www.cs.princeton.edu/~jns/security/iptables/index.html               #
# - Linux 2.4 Packet Filtering HOWTO                                            #
# - Linux 2.4 NAT HOWTO                                                         #
#                                                                               #
#################################################################################
#                                                                               #
# Change Log:                                                                   #
#                                                                               #
# v0.2.2 -added FORWARD icmp rule                                               #
#                                                                               #
# v0.2  -fixed the FTP forward problem,                                         #
#       -removed some "double rules",                                           #
# v0.11 -added NetBus,Back Orifice & Trin00 protection                          #
#                                                                               #
#################################################################################
#                                                                               #
# To do List:                                                                   #
#                                                                               #
# - add Netkiller flood protection                                              #
# - implement script with start/stop function                                   #
# - add mirror function (attacker is scanning himself)                          #
# - add another TCP_SERVICES_OUT_* Setting like FORWARD_PORTS_2                 #
# - fix the error message from the ICQ rule while starting firewall             #
#                                                                               #
#################################################################################
#
# Documentation
# -------------
# This firewall script is using the default policy DROP EVERYTHING; in
# order to get all the services working you need to adjust the
# "Standard Settings".
# - IPTABLES="/usr/sbin/iptables"       => This defines the path where your
#   "iptables" executable is. You can find it by using "whereis iptables".
# - INT_IF="eth0"                       => Change "eth0" to the name of your INTERNAL
#   NIC (Network Interface Card), e.g. "eth0" "eth1" "eth2".
# - BROADCAST="192.168.3.255/24"        => Change the IP to the BROADCAST
#   address of your network, e.g. "192.168.0.255/24" "192.168.1.255/24".
# - EXT_IF="ppp0"                       => This is your EXTERNAL INTERFACE; if you use
#   dial-up it is "ppp0", if you use broadband it is one of your Ethernets.
# - FORWARD_PORTS_1="22,80"             => These are the ports which will be
#   FORWARDED from your INTERNAL INTERFACE to your EXTERNAL INTERFACE
#   (maximum 15 ports).
# - FORWARD_PORTS_2="194,443"           => Same as above; this is just here if
#   you need more than 15 ports. (To prevent error messages you should
#   enter at least one port in here.)
# - TCP_SERVICES_IN_INT_IF="6"          => Server ports you want to export to
#   your LOCAL NETWORK. (To prevent error messages enter at least one
#   value; port 6 is Unassigned.)
# - TCP_SERVICES_IN_EXT_IF="80"         => Server ports you want to export to
#   your EXTERNAL INTERFACE (Internet). (To prevent error messages enter
#   at least one value; port 6 is Unassigned.)
# - TCP_SERVICES_OUT_INT_IF="22,80"     => If you want to access ports
#   from the machine where you install the firewall INSIDE your network
#   you need to specify the ports. (To prevent error messages enter at
#   least one value; port 6 is Unassigned.)
# - TCP_SERVICES_OUT_EXT_IF="22,80"     => Ports you want to connect to
#   OUTSIDE your local network from the machine where the firewall is
#   installed. (To prevent error messages enter at least one value; port
#   6 is Unassigned.)
# - NAMESERVER_1="XXX.XXX.XXX.XXX"      => The IP of your EXTERNAL
#   DNS1/NAMESERVER (you can get the IP from your ISP).
# - NAMESERVER_2="XXX.XXX.XXX.XXX"      => The IP of your EXTERNAL
#   DNS2/NAMESERVER (you can get the IP from your ISP).
# - LOOPBACK="127.0.0.0/8"              => This is your loopback IP; don't change
#   this unless you know what you are doing.
# - CLASS_A="10.0.0.0/8"                => This will block a /8 (Class A) IP coming
#   in through your EXTERNAL interface, because it will be spoofed.
# - CLASS_B="172.16.0.0/16"             => This will block a /16 (Class B) IP
#   coming in through your EXTERNAL interface, because it will be
#   spoofed.
# - CLASS_C="192.168.0.0/16"            => This will block a /24 (Class C) IP
#   coming in through your EXTERNAL interface, because it will be
#   spoofed.
# - XSERVER_PORTS="6000:6063"           => Most X servers listen at these
#   ports; this will block the specified ports.
# - ICQ_PORT_TCP="5190"                 => This is the default port where ICQ
#   connects to the ICQ network.
# - ICQ_PORT_UDP="4000"                 => This is the default port where ICQ
#   connects to the ICQ network.
# - TROJAN_PORTS_TCP="12345,12346"      => This will block INCOMING
#   requests for Trojans on your Network (tcp). You can add more ports (max
#   15 ports) or use port 6 to disable this feature.
# - TROJAN_PORTS_UDP="27444,31335"      => This will block INCOMING
#   requests for Trojans on your Network (udp). You can add more ports (max
#   15 ports) or use port 6 to disable this feature.
#
#
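##########
# Standard Settings
#
# Every value below is read by the rules further down; adjust them to your
# network before running the script (see the Documentation block above).
# Comma-separated port lists are handed to "-m multiport", which accepts at
# most 15 ports per list.
IPTABLES="/usr/sbin/iptables"                        # path to the iptables binary
INT_IF="eth0"                                        # internal (LAN) interface
BROADCAST="192.168.1.255/24"                         # broadcast address of the LAN
EXT_IF="ppp0"                                        # external (Internet) interface
FORWARD_PORTS_1="20,21,22,23,25,79,80,81,110,119"    # LAN -> Internet tcp/udp ports (max 15)
FORWARD_PORTS_2="194,443"                            # second list, same purpose (max 15)
TCP_SERVICES_IN_INT_IF="22,80"                       # server ports offered to the LAN
TCP_SERVICES_IN_EXT_IF="80"                          # server ports offered to the Internet
TCP_SERVICES_OUT_INT_IF="22,80"                      # ports this host may open on the LAN
TCP_SERVICES_OUT_EXT_IF="21,22,80,119"               # ports this host may open on the Internet
NAMESERVER_1="207.217.126.81"                        # external resolvers (from your ISP)
NAMESERVER_2="207.217.77.82"
LOOPBACK="127.0.0.0/8"                               # loopback range
# RFC 1918 private ranges. Packets carrying one of these addresses on the
# external interface are spoofed and dropped by the anti-spoofing rules.
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"                              # RFC 1918 "Class B" block is /12; /16 covered only 172.16.x.x
CLASS_C="192.168.0.0/16"
UP_PORTS="1024:65535"                                # unprivileged (client-side) port range
XSERVER_PORTS="6000:6063"                            # X server ports; not referenced by any rule in this script
ICQ_PORT_TCP="5190"                                  # ICQ login (tcp)
ICQ_PORT_UDP="4000"                                  # ICQ (udp)
# Ports of well-known backdoors (NetBus, Back Orifice, Trin00); incoming
# connections to them are logged and dropped on INPUT (max 15 each).
TROJAN_PORTS_TCP="12345,12346,1524,27665,31337"
TROJAN_PORTS_UDP="12345,12346,27444,31335,31337"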
#
#
printf '%s\n' "Starting Firewall ....."
# Load the netfilter modules the rules below rely on: table support,
# connection tracking, and the FTP connection-tracking helper.
for module in ip_tables ip_conntrack ip_conntrack_ftp; do
  modprobe "$module"
done
#
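##########
# Flush Rules
#
# Set the default policies to DROP *before* flushing: otherwise, on a host
# whose chains still have the kernel default of ACCEPT (first run, or after
# a manual flush), the box is wide open between the flush and the policy
# lines in the Rules section below. Stating the policies twice is harmless.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P OUTPUT DROP
# Flush all chains of the filter table, delete user-defined chains, zero the
# counters, then flush the nat chains this script populates.
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -Z
"$IPTABLES" -F INPUT
"$IPTABLES" -F FORWARD
"$IPTABLES" -F OUTPUT
"$IPTABLES" -t nat -F PREROUTING
"$IPTABLES" -t nat -F POSTROUTING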
#
#
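##########
# Changing Kernel Parameters, you need CONFIG_SYSCTL defined in your kernel
#
# Each write below toggles a /proc/sys/net/ipv4 knob; the change is
# immediate and is lost at reboot, so this script must run at every boot.
#
# SYN Cookie Protection
/bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Disable response to ping (the host answers no echo requests at all)
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets, and don't send ICMP redirects
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects

# Disable ICMP redirect acceptance
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering on every interface present right now
# (the path is quoted so an unusual interface name cannot be word-split)
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
  /bin/echo "1" > "${interface}"
done

# Log spoofed packets, source routed packets, redirect packets
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Enable IP forwarding (needed for the FORWARD and MASQUERADE rules below)
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward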
#
#
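##########
# Rules
#
# Standard Rules: default policy is DROP on every chain, so only traffic
# explicitly ACCEPTed below gets through.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P OUTPUT DROP
#
# Deny packets claiming to be to or from a /8,/16,/24 (Class A,B,C) private
# network or the loopback range on $EXT_IF: such addresses are never valid
# on the Internet side, so they are spoofed. (LOOPBACK was defined but
# previously not used by any rule.) Rule order is kept: all INPUT rules
# first, then the matching OUTPUT rules.
for spoofed_net in "$CLASS_A" "$CLASS_B" "$CLASS_C" "$LOOPBACK"; do
  "$IPTABLES" -A INPUT -i "$EXT_IF" -s "$spoofed_net" -j DROP
  "$IPTABLES" -A INPUT -i "$EXT_IF" -d "$spoofed_net" -j DROP
done
for spoofed_net in "$CLASS_A" "$CLASS_B" "$CLASS_C" "$LOOPBACK"; do
  "$IPTABLES" -A OUTPUT -o "$EXT_IF" -s "$spoofed_net" -j DROP
  "$IPTABLES" -A OUTPUT -o "$EXT_IF" -d "$spoofed_net" -j DROP
done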
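#
# Firewall syn/flood and port scanner protection: one rate-limiting chain per
# interface (syn-flood_INT_IF, syn-flood_EXT_IF), fed from INPUT.
#
# NOTE(review): the active match "--tcp-flags SYN,ACK,FIN,RST RST" selects
# packets whose only set flag among those four is RST, i.e. it rate-limits
# bare RSTs, not connection attempts; the "--syn" variant kept as a comment
# is the one that would limit SYNs. Behaviour left as the author had it.
for if_name in INT_IF EXT_IF; do
  iface="${!if_name}"
  chain="syn-flood_${if_name}"
  "$IPTABLES" -N "$chain"
  "$IPTABLES" -F "$chain"
  "$IPTABLES" -A INPUT -i "$iface" -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j "$chain"
  #"$IPTABLES" -A INPUT -i "$iface" -p tcp --syn -j "$chain"
  # Up to 1 packet/s (burst 4) returns to INPUT; anything above is dropped.
  "$IPTABLES" -A "$chain" -m limit --limit 1/s --limit-burst 4 -j RETURN
  "$IPTABLES" -A "$chain" -j DROP
done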
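#
# Make sure NEW tcp connections are SYN packets. A connection-tracking NEW
# packet without SYN is a stealth scan or a bogus packet; drop it on both
# interfaces.
for iface in "$INT_IF" "$EXT_IF"; do
  "$IPTABLES" -A INPUT -i "$iface" -p tcp ! --syn -m state --state NEW -j DROP
done
#
# Block incoming fragments on $INT_IF and $EXT_IF: log first (the prefix
# names the interface), then drop.
for iface in "$INT_IF" "$EXT_IF"; do
  "$IPTABLES" -A INPUT -i "$iface" -f -j LOG --log-prefix "IPTABLES FRAGMENTS $iface: "
  "$IPTABLES" -A INPUT -i "$iface" -f -j DROP
done
#
# Drop broadcast packets arriving on the external interface
"$IPTABLES" -A INPUT -i "$EXT_IF" -d "$BROADCAST" -j DROP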
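#
# Trojan protection: incoming tcp/udp to the well-known backdoor ports is
# logged and then dropped on both interfaces. The log prefix carries the
# interface *name* (INT_IF/EXT_IF), matching the original prefixes.
for if_name in INT_IF EXT_IF; do
  iface="${!if_name}"
  "$IPTABLES" -A INPUT -i "$iface" -p tcp -m multiport --dport "$TROJAN_PORTS_TCP" -j LOG --log-prefix "IPTABLES Trojan ${if_name}: "
  "$IPTABLES" -A INPUT -i "$iface" -p udp -m multiport --dport "$TROJAN_PORTS_UDP" -j LOG --log-prefix "IPTABLES Trojan ${if_name}: "
  "$IPTABLES" -A INPUT -i "$iface" -p tcp -m multiport --dport "$TROJAN_PORTS_TCP" -j DROP
  "$IPTABLES" -A INPUT -i "$iface" -p udp -m multiport --dport "$TROJAN_PORTS_UDP" -j DROP
done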
#
# ICQ INPUT/OUTPUT rules (I get the error message that the hostname is
# not found; if somebody knows why PLZ let me know. Likely cause: at this
# point the OUTPUT policy is already DROP and the nameserver rules further
# down are not loaded yet, so iptables cannot resolve the hostname while
# inserting the rule.)
#$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d icq.mirabilis.com --dport $ICQ_PORT_UDP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXT_IF -p tcp -d login.icq.com --dport $ICQ_PORT_TCP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
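#
# icmp INPUT/OUTPUT rules for $INT_IF and $EXT_IF. Inbound icmp is accepted
# only as a reply to our own traffic (ESTABLISHED,RELATED); outbound icmp may
# start NEW conversations. For a list of icmp types check the end of this
# file.
for iface in "$INT_IF" "$EXT_IF"; do
  "$IPTABLES" -A INPUT -i "$iface" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$iface" -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  #"$IPTABLES" -A INPUT -i "$iface" -p icmp --icmp-type 0 -j DROP
done
#
# Nameserver INPUT/OUTPUT: udp queries from this host to the two configured
# resolvers and their replies. The INPUT side does not restrict --sport 53;
# it relies on ESTABLISHED, i.e. on a matching outbound query.
for ns in "$NAMESERVER_1" "$NAMESERVER_2"; do
  "$IPTABLES" -A INPUT -i "$EXT_IF" -p udp -s "$ns" -m state --state ESTABLISHED -j ACCEPT
done
for ns in "$NAMESERVER_1" "$NAMESERVER_2"; do
  "$IPTABLES" -A OUTPUT -o "$EXT_IF" -p udp -d "$ns" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
done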
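#
# INPUT
# Replies to connections opened from this host, and anything on loopback.
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -i lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Server ports offered to the LAN and to the Internet respectively.
"$IPTABLES" -A INPUT -i "$INT_IF" -p tcp -m multiport --dport "$TCP_SERVICES_IN_INT_IF" -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXT_IF" -p tcp -m multiport --dport "$TCP_SERVICES_IN_EXT_IF" -m state --state NEW,ESTABLISHED -j ACCEPT

#"$IPTABLES" -A INPUT  -i "$EXT_IF" -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# Active-mode FTP data connections (the server connects back from port 20).
# The previous version of this rule also accepted NEW, which let any remote
# host open a connection to any local tcp port simply by using source port
# 20. ip_conntrack_ftp (loaded above) marks legitimate data connections
# RELATED, so NEW is not required for FTP to work.
"$IPTABLES" -A INPUT  -i "$EXT_IF" -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT  -i "$EXT_IF" -p tcp --sport "$UP_PORTS" --dport "$UP_PORTS" -m state --state ESTABLISHED -j ACCEPT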

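#
# FORWARD (LAN -> Internet; the traffic is masqueraded in POSTROUTING below)
"$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
# DNS from LAN clients to the two configured resolvers only
for ns in "$NAMESERVER_1" "$NAMESERVER_2"; do
  "$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p udp -d "$ns" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
done
# Forwarded tcp/udp ports; two lists because multiport takes at most 15 ports.
for ports in "$FORWARD_PORTS_1" "$FORWARD_PORTS_2"; do
  "$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp -m multiport --dport "$ports" -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p udp -m multiport --dport "$ports" -m state --state NEW,ESTABLISHED -j ACCEPT
done
# ICQ. NOTE: iptables resolves a hostname once, while the rule is loaded; the
# rule is then pinned to the address returned at that moment, and loading
# fails outright if the name cannot be resolved.
"$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p udp -d icq.mirabilis.com --dport "$ICQ_PORT_UDP" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp -d login.icq.com --dport "$ICQ_PORT_TCP" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# FTP data (active mode) and high-port traffic belonging to tracked connections
"$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp --sport "$UP_PORTS" --dport "$UP_PORTS" -m state --state ESTABLISHED,RELATED -j ACCEPT
#"$IPTABLES" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#"$IPTABLES" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> LAN: only replies to connections the LAN opened
"$IPTABLES" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT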
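#
# OUTPUT
# Replies on the external interface, and anything on loopback.
"$IPTABLES" -A OUTPUT -o "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Traffic leaving from the server ports this host offers (LAN / Internet).
"$IPTABLES" -A OUTPUT -o "$INT_IF" -p tcp -m multiport --sport "$TCP_SERVICES_IN_INT_IF" -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$EXT_IF" -p tcp -m multiport --sport "$TCP_SERVICES_IN_EXT_IF" -m state --state NEW,ESTABLISHED -j ACCEPT
# Ports this host may connect to (LAN / Internet).
"$IPTABLES" -A OUTPUT -o "$INT_IF" -p tcp -m multiport --dport "$TCP_SERVICES_OUT_INT_IF" -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$EXT_IF" -p tcp -m multiport --dport "$TCP_SERVICES_OUT_EXT_IF" -m state --state NEW,ESTABLISHED -j ACCEPT

# FTP data (active mode) and high-port traffic belonging to tracked connections
"$IPTABLES" -A OUTPUT -o "$EXT_IF" -p tcp --dport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$EXT_IF" -p tcp --sport "$UP_PORTS" --dport "$UP_PORTS" -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# POSTROUTING: masquerade everything leaving on the external interface
"$IPTABLES" -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE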

##########
# icmp types
#
#  0    Echo Reply                               [RFC792]
#  1    Unassigned                                  [JBP]
#  2    Unassigned                                  [JBP]
#  3    Destination Unreachable                  [RFC792]
#  4    Source Quench                            [RFC792]
#  5    Redirect                                 [RFC792]
#  6    Alternate Host Address                      [JBP]
#  7    Unassigned                                  [JBP]
#  8    Echo                                     [RFC792]
#  9    Router Advertisement                    [RFC1256]
# 10    Router Solicitation                     [RFC1256]
# 11    Time Exceeded                            [RFC792]
# 12    Parameter Problem                        [RFC792]
# 13    Timestamp                                [RFC792]
# 14    Timestamp Reply                          [RFC792]
# 15    Information Request                      [RFC792]
# 16    Information Reply                        [RFC792]
# 17    Address Mask Request                     [RFC950]
# 18    Address Mask Reply                       [RFC950]
# 19    Reserved (for Security)                    [Solo]
# 20-29 Reserved (for Robustness Experiment)        [ZSu]
# 30    Traceroute                              [RFC1393]
# 31    Datagram Conversion Error               [RFC1475]
# 32     Mobile Host Redirect              [David Johnson]
# 33     IPv6 Where-Are-You                 [Bill Simpson]
# 34     IPv6 I-Am-Here                     [Bill Simpson]
# 35     Mobile Registration Request        [Bill Simpson]
# 36     Mobile Registration Reply          [Bill Simpson]
# 37     Domain Name Request                     [Simpson]
# 38     Domain Name Reply                       [Simpson]
# 39     SKIP                                    [Markson]
# 40     Photuris                                [Simpson]
# 41-255 Reserved                                   [JBP]
##########
# Final status line; everything above has been applied by now.
printf '%s\n' "Firewall STARTED"
### END ###

# Examples (commented out, not part of the active ruleset):
#iptables -t nat -A PREROUTING --dport <the listening port of internal host> -i <outer iface(eth0 for you)> -j DNAT --to
#iptables -t nat -A PREROUTING -p tcp -i (inet iface) --dport 80 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
#iptables -t filter -A FORWARD -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j ACCEPT
#iptables -A OUTPUT -o $IFACE -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT      -i $IFACE -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT










