Administrace komentářů

#!/bin/sh
#
# fw-on - script pro spusteni firewallu
#
# Prevzato od Mirka Petricka http://www.petricek.cz
#
# Upraveno by B0biN

# IP adresa a vnejsi rozhrani
INET_IP="X.X.X.X"
INET_IFACE="eth0"

# Lokalni loopback rozhrani
LO_IFACE="lo"
LO_IP="127.0.0.1/32"

# Cesta k programu iptables
IPTABLES="/sbin/iptables"

# Inicializace databaze modulu
/sbin/depmod -a

# Zavedeme moduly pro nestandardni cile
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT

# Modul pro FTP prenosy
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# Vypneme routovani paketu
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "0" > /proc/sys/net/ipv4/tcp_syncookies

# rp_filter na zamezeni IP spoofovani
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
   echo "1" > ${interface}
done

# Implicitni politikou je zahazovat nepovolene pakety
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP

#
# Pridavne retezce pro snazsi kontrolu na rezervovane adresy
#

# Zahazovat a logovat (max. 5 x 3 pakety za hod)
$IPTABLES -N logdrop
$IPTABLES -A logdrop -m limit --limit 5/h --limit-burst 3 -j LOG --log-prefix "Rezervovana adresa: "
$IPTABLES -A logdrop -j DROP

# V tomto retezci se kontroluje, zda prichozi pakety nemaji nesmyslnou IP adresu
$IPTABLES -N IN_FW
$IPTABLES -A IN_FW -s 192.168.0.0/16 -j logdrop # rezervovano podle RFC1918
$IPTABLES -A IN_FW -s 10.0.0.0/8 -j logdrop     #   ---- dtto ----
$IPTABLES -A IN_FW -s 172.16.0.0/12 -j logdrop  #   ---- dtto ----  
$IPTABLES -A IN_FW -s 96.0.0.0/4 -j logdrop     # rezervovano podle IANA
# ... dalsi rezervovane adresy mozno doplnit podle 
#       http://www.iana.com/assignments/ipv4-address-space


# TOS flagy slouzi k optimalizaci datovych cest. Pro ssh, ftp a telnet
# pozadujeme minimalni zpozdeni. Pro ftp-data zase maximalni propostnost
$IPTABLES -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport telnet -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput
#
# Retezec INPUT
#

# Portscan s nastavenym SYN,FIN
$IPTABLES -A INPUT -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j LOG -m limit --limit 10/m --log-prefix="bogus packet: "
$IPTABLES -A INPUT -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j DROP

# Pravidla pro povolene sluzby 
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 20 -j ACCEPT  #FTP server
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 21 -j ACCEPT  #FTP server
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 25 -j ACCEPT  #SMTP server
$IPTABLES -A INPUT -i $INET_IFACE -p UDP --dport 53 -j ACCEPT  #DNS server UDP
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 53 -j ACCEPT  #DNS server TCP
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 80 -j ACCEPT  #WWW server
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 110 -j ACCEPT #POP3 server
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 143 -j ACCEPT #IMAP server
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 443 -j ACCEPT #HTTPS server

#Povoleni pro SSH z urcite IP adresy
$IPTABLES -A INPUT -i $INET_IFACE -s X.X.X.X -p TCP --dport 22 -j ACCEPT # misto X.X.X.X dosadit IP ze ktere je povoleno ssh


# Sluzbu AUTH neni dobre filtrovat pomoci DROP, protoze to muze
# vest k prodlevam pri navazovani nekterych spojeni. Proto jej
# sice zamitneme, ale tak, aby nedoslo k nezadoucim prodlevam.
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 113 -m limit --limit 12/h -j LOG
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 113 -j REJECT --reject-with tcp-reset #AUTH server

# Propoustime pouze ICMP ping
$IPTABLES -A INPUT -i $INET_IFACE -p ICMP --icmp-type echo-request -j ACCEPT

# Loopback neni radno omezovat
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT

# Pakety od navazanych spojeni jsou v poradku
$IPTABLES -A INPUT -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Vsechno ostatni je zakazano - tedy logujeme, maxim. 12x5 pkt/hod 
$IPTABLES -A INPUT -m limit --limit 12/h -j LOG --log-prefix "INPUT drop: "

#
# Retezec OUTPUT
#

# TOS flagy slouzi k optimalizaci datovych cest. Pro ssh, ftp a telnet
# pozadujeme minimalni zpozdeni. Pro ftp-data zase maximalni propostnost
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --dport ftp -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --dport telnet -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput

# Povolime odchozi pakety, ktere maji nase IP adresy
$IPTABLES -A OUTPUT -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -s $INET_IP -j ACCEPT

# Ostatni pakety logujeme (nemely by byt zadne takove)
$IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT drop: "

#!/bin/bash

IPTABLES="/sbin/iptables"

function delete_chain() {
	echo -n "$1/$2: ";
	while [ -z "`$IPTABLES -t $1 -D $2 1 2>&1 `" ]; do
		echo -n "#"
	done
	echo " OK";
}

$IPTABLES -t filter -P INPUT ACCEPT
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t filter -P FORWARD ACCEPT

delete_chain filter INPUT;
delete_chain filter OUTPUT;
delete_chain filter FORWARD;
delete_chain filter IN_FW;
delete_chain filter logdrop;
delete_chain filter syn-flood;

$IPTABLES -X IN_FW 2> /dev/null;
$IPTABLES -X logdrop 2> /dev/null;
$IPTABLES -X syn-flood 2> /dev/null;

$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT

delete_chain nat PREROUTING;
delete_chain nat OUTPUT;
delete_chain nat POSTROUTING;

$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT

delete_chain mangle PREROUTING;
delete_chain mangle OUTPUT;

#!/bin/sh -e

# Start a stop firewallu
#

case "$1" in
    start)
	echo -n "Spoustim Firewall"
	echo ""
	/usr/local/sbin/fw-on
	echo ""
	echo "Firewall spusten!"
    ;;

    stop)
	echo -n "Zastavuji Firewall!"
	echo ""
	/usr/local/sbin/fw-off
	echo ""
	echo "Firewall zastaven!"
    ;;

    restart)
        $0 stop || true
        $0 start
    ;;
    status)
	echo ""
	/sbin/iptables -L -n
	echo ""
    ;;    
    
    *)
	echo "Pouziti: /etc/init.d/firewall {start|stop|restart|status}"
	exit 1
    ;;
esac

exit 0