Administrace komentářů

#!/bin/sh
# Internal interface LAN
INTIF=eth0
# Internal interface WIFI
INTIF1=wlan0

IPT=iptables
IFC=ifconfig
G=grep
SED=sed

$IPT        -P INPUT       DROP
$IPT        -P OUTPUT      DROP
$IPT        -P FORWARD     DROP
$IPT        -F

$IPT -t nat -P PREROUTING  DROP
$IPT -t nat -P POSTROUTING DROP
$IPT -t nat -P OUTPUT      DROP
$IPT -t nat -F

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done

echo 1 > /proc/sys/net/ipv4/ip_forward

INTIP="`$IFC $INTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC="`$IFC $INTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK="`$IFC $INTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET="$INTIP/$INTMSK"
echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"

INTIP1="`$IFC $INTIF1|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET1="$INTIP1/$INTMSK1"
echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"

LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"

# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl   -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl   -j DROP

$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT

$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP1 -j ACCEPT
$IPT -A OUTPUT  -o $LPDIF -s   $LPDIP  -j ACCEPT
$IPT -A OUTPUT  -o $LPDIF -s   $INTIP  -j ACCEPT
$IPT -A OUTPUT  -o $LPDIF -s   $INTIP1 -j ACCEPT

# Block broadcasts
$IPT -A INPUT   -i $INTIF  -d   $INTBC  -j DROP
$IPT -A INPUT   -i $INTIF1 -d   $INTBC1 -j DROP

# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
COMBLOCK="0:1 13 98 111 161:162 1214 1999 2049 3049 4329 6346 3128
8000 8080 12345 65535"
# TCP ports:
# 98 is Linuxconf
# 512-515 is rexec, rlogin, rsh, printer(lpd)
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"
# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"

echo -n "FW: Blocking attacks to TCP port "
for i in $TCPBLOCK;
do
  echo -n "$i "
  $IPT -A INPUT   -p tcp --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp --dport $i  -j DROPl
done
echo ""

echo -n "FW: Blocking attacks to UDP port "
for i in $UDPBLOCK;
do
  echo -n "$i "
  $IPT -A INPUT   -p udp --dport $i  -j DROPl
  $IPT -A OUTPUT  -p udp --dport $i  -j DROPl
  $IPT -A FORWARD -p udp --dport $i  -j DROPl
done
echo ""

TCPSERV="domain http https ftp ftp-data"
UDPSERV="domain"
echo -n "FW: Allowing inside systems to use service:"
for i in $TCPSERV;
do
  echo -n "$i "
  $IPT -A OUTPUT  -o $INTIF -p tcp -s $INTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
#  $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \
#    --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing inside systems to use service:"
for i in $UDPSERV;
do
  echo -n "$i "
  $IPT -A OUTPUT  -o $INTIF -p udp -s $INTIP  \
    --dport $i -m state --state NEW -j ACCEPT
#  $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 \
#    --dport $i -m state --state NEW -j ACCEPT
done
echo ""

TCPSAMBA="netbios-ns netbios-dgm netbios-ssn microsoft-ds"
UDPSAMBA="netbios-ns netbios-dgm netbios-ssn microsoft-ds"
echo -n "FW: Allowing inside systems to use SAMBA "
for i in $TCPSAMBA;
do
  echo -n "$i "
  $IPT -A INPUT  -i $INTIF -p tcp -s $INTNET \
    --dport $i --syn -m state --state NEW -j ACCEPT
  $IPT -A OUTPUT -o $INTIF -p tcp -s $INTIP \
    --sport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing inside systems to use SAMBA "
for i in $UDPSAMBA;
do
  echo -n "$i "
  $IPT -A INPUT   -i $INTIF -p udp -s $INTNET  \
    --dport $i -m state --state NEW -j ACCEPT
  $IPT -A OUTPUT  -o $INTIF -p udp -s $INTIP  \
    --dport $i -m state --state NEW -j ACCEPT
done
echo ""

# IPSEC
echo "Allowing IPsec"
$IPT -A INPUT  -i $INTIF1 -p udp --sport 500 --dport 500 -j ACCEPT
$IPT -A OUTPUT -o $INTIF1 -p udp --sport 500 --dport 500 -j ACCEPT
$IPT -A INPUT  -i $INTIF1 -p 50 -j ACCEPT
$IPT -A OUTPUT -o $INTIF1 -p 50 -j ACCEPT

# DHCP
$IPT -A INPUT   -i $INTIF -p udp --sport 67 --dport 68 -j ACCEPT
$IPT -A OUTPUT  -o $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

# Allow firewall to ping internal systems
$IPT -A OUTPUT  -o $INTIF -p icmp -s $INTIP \
  --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT  -o $INTIF1 -p icmp -s $INTIP1 -j ACCEPT

# Allow ping internal systems to firewall
$IPT -A INPUT  -i $INTIF  -p icmp -s $INTNET \
  --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT  -i $INTIF1 -p icmp -s $INTNET1 \
  --icmp-type 8 -m state --state NEW -j ACCEPT

$IPT -t nat -A PREROUTING                       -j ACCEPT
#$IPT -t nat -A POSTROUTING -o $INTIF -s $INTNET1 -j SNAT --to $INTIP
$IPT -t nat -A POSTROUTING                      -j ACCEPT
$IPT -t nat -A OUTPUT                           -j ACCEPT

#$IPT -A OUTPUT -o $INTIF1 -j ACCEPT

$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log & block whatever is left
$IPT -A INPUT             -j DROPl
$IPT -A OUTPUT            -j REJECTl
$IPT -A FORWARD           -j DROPl