Re: my script !


 



Interesting... :)

Take a look at my script also... :)

Swifty

gabrix wrote:
I would like your opinion on my firewall script. I will also list all
services available on each machine in the LAN and how the LAN is configured...
keep tight!!!
my lan :
...
#!/bin/bash -x


# LOAD MODULES
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_irc

# SOME VARIABLES TO START WITH
NET1=192.168.0.0/16
NET2=192.168.0.0/30
NET3=192.168.1.0/29
NET4=192.168.1.0/24
ROUT=192.168.0.1/32
ARG0=192.168.0.2/32
ARG1=192.168.1.1/32
WWW=192.168.1.4/32
MAIL=192.168.1.6/32   # mail host used by the DNAT rules below (was a typo: 192.168.6/32)
MAC=192.168.0.3/32
DNS1=85.37.17.11/32
DNS2=85.38.28.69/32
IPT=/sbin/iptables
IF0=eth0
IF1=eth1

# FLUSH
echo "0" > /proc/sys/net/ipv4/ip_forward

$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
Policy: ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
Default policy is always ACCEPT....
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# DEFAULTS
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
Policy: DROP

Why ACCEPT before, and DROP now?
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT


Default policy
# FREE_LOCALHOST
$IPT -A INPUT -j ACCEPT -i lo
$IPT -A INPUT -j ULOG --ulog-prefix "LOCAL_SPOOF:" -i ! lo -s 127.0.0.1/255.0.0.0
$IPT -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
$IPT -A OUTPUT -j ACCEPT -o lo


# LAN eth0
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $IF0 -s $NET2 -j ACCEPT
$IPT -A INPUT -i $IF0 -s $MAC -j ACCEPT
$IPT -A INPUT -i $IF0 -s $NET1 -j ULOG --ulog-prefix " ### ETH0__SPOOF:"
$IPT -A INPUT -i $IF0 -s $NET1 -j DROP

# LAN eth1
$IPT -A INPUT -i eth1 -s 192.168.1.0/29 -j ACCEPT

##
WW=135,136,137,138,139,445
# multiport takes --dports; with -p tcp loaded, --dport goes to the tcp match and rejects a port list
$IPT -t nat -I PREROUTING -p tcp -i $IF0 -d $ARG0 -m multiport --dports $WW -j DROP
$IPT -t nat -I PREROUTING -p udp -i $IF0 -d $ARG0 -m multiport --dports $WW -j DROP

# MSSQL
$IPT -t nat -I PREROUTING -i $IF0 -p tcp --dport 1433:1434 -m limit -j ULOG --ulog-prefix "Firewalled packet: MSSQL "
$IPT -t nat -I PREROUTING -i $IF0 -p tcp --dport 1433:1434 -j DROP
$IPT -t nat -I PREROUTING -i $IF0 -p udp --dport 1433:1434 -m limit -j ULOG --ulog-prefix "Firewalled packet: MSSQL "
$IPT -t nat -I PREROUTING -i $IF0 -p udp --dport 1433:1434 -j DROP

# Traceroutes depend on finding a rejected port.  DROP the ones it uses
$IPT -t nat -I PREROUTING -i eth0 -p udp --dport 33434:33523 -j ULOG --ulog-prefix "TRACEROUTE_UDP:"
$IPT -t nat -I PREROUTING -i eth0 -p udp --dport 33434:33523 -j DROP


# GNUTELLA NETWORK
$IPT -t nat -I PREROUTING -i $IF0 -p udp --dport 6346:6348 -d $NET2 -j DROP

# PORTS_BLACK_LIST
PBL=1024,1025,1026,1027,33058,34120,40193
$IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 -m multiport --dports $PBL -j DROP
$IPT -t nat -I PREROUTING -i $IF0 -p udp -d $NET2 -m multiport --dports $PBL -j DROP

# UDP Traceroute
$IPT -t nat -I PREROUTING -i $IF0 -p udp -d 192.168.0.0/16 --dport 33434:33523 -j DROP
$IPT -t nat -I PREROUTING -i $IF0 -p udp -d 192.168.0.0/16 --dport 33434:33523 -j ULOG --ulog-prefix "UDP_TRACEROUTES :"


#-----------------------------------------------------------------------------------#
#                                   ICMP TYPES                                      #
#-----------------------------------------------------------------------------------#
#                                                                                   #
#    0 = Echo Reply, what gets sent back after a type 8 is received here            #
#    3 = Destination Unreachable (inbound) or Fragmentation Needed (out) [RFC792]   #
#    4 = Source Quench tells sending IP to slow down its rate to destination        #
#    5 = Redirect [RFC792]                                                          #
#    6 = Alternate Host Address                                                     #
#    8 = Echo Request used for pinging hosts, but see the note above                #
#    9 = Router Advertisement [RFC1256]                                             #
#   10 = Router Selection [RFC1256]                                                 #
#   11 = Time Exceeded used for traceroute (TTL) or sometimes frag packets          #
#   12 = Parameter Problem is some error or weirdness detected in header            #
#   13 = Timestamp [RFC792]                                                         #
#   14 = Timestamp Reply [RFC792]                                                   #
#   15 = Information Request [RFC792]                                               #
#   16 = Information Reply [RFC792]                                                 #
#   17 = Address Mask Request [RFC950]                                              #
#   18 = Address Mask Reply [RFC950]                                                #
#   30 = Traceroute [RFC1393]                                                       #
#                                                                                   #
#-----------------------------------------------------------------------------------#

# ICMP
$IPT -t nat -I PREROUTING -i $IF0 -p icmp -d $NET1 -j DROP
$IPT -t nat -I PREROUTING -i $IF0 -p icmp --icmp-type 0 -m limit --limit 3/s -d $NET1 -j ACCEPT
$IPT -t nat -I PREROUTING -i $IF0 -p icmp --icmp-type 3 -m limit --limit 3/s -d $NET1 -j ACCEPT

# CHECK_FLAGS
$IPT -t nat -I PREROUTING -i $IF0 -f -d $NET2 -j DROP
$IPT -t nat -I PREROUTING -i $IF0 -f -d $NET2 -j ULOG --ulog-prefix "FRAGMENTS:"
$IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 -m state --state INVALID -j DROP
$IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 -m state --state INVALID -j ULOG --ulog-prefix "INVALID_FLAGS:"
$IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/s -j ULOG --ulog-prefix "NMAP-XMAS_SCAN:"
$IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags SYN,RST SYN,RST -m limit --limit 3/s -j ULOG --ulog-prefix "SYN/RST_SCAN: "
$IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/s -j ULOG --ulog-prefix "SYN/FIN_SCAN: "
$IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL FIN -j DROP
$IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL FIN -m limit --limit 3/s -j ULOG --ulog-prefix "FIN_SCAN:"
$IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL ALL -j DROP
$IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL ALL -m limit --limit 3/s -j ULOG --ulog-prefix "ALL/ALL__SCAN : "
$IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL NONE -j DROP
$IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL NONE -m limit --limit 3/s -j ULOG --ulog-prefix "NULL_SCAN: "


# _____________ANTISPOOF

# skip the bogon entries that cover our own ranges or the ISP's; the stray space before ^190 made that alternative never match
cat /home/gabrix/bogon-bn-nonagg.txt |\
egrep -v -e "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.|^190\.)" | while read s; do
    $IPT -t nat -I PREROUTING -i $IF0 -s $s -j DROP
    $IPT -t nat -I PREROUTING -i $IF0 -s $s -j ULOG --ulog-prefix 'BOGON_SPOOF:'
done

# Make laptop get into LAN
#echo "-----------------------------------------------------------------------------------------------------"
#$IPT -t nat -A PREROUTING -i eth0 -p ALL -s 192.168.0.3/32 -d 192.168.1.0/24 -j DNAT --to-dest 192.168.1.1
# PREROUTING DNAT ################################# -------------------- >
# HTTP & HTTPS for .... www.gabrix.ath.cx
$IPT -t nat -I PREROUTING -p tcp -i $IF0 --dport 80 -d 192.168.0.2/32 -j DNAT --to 192.168.1.4:80
$IPT -t nat -I PREROUTING -p tcp -i $IF0 --dport 443 -d 192.168.0.2/32 -j DNAT --to 192.168.1.4:443
# HTTP ... for .... mail.gabrix.ath.cx
$IPT -t nat -A PREROUTING -p tcp -i $IF0 --dport 80 -m state --state NEW -d 192.168.0.2/32 -j DNAT --to 192.168.1.6:80
$IPT -t nat -A PREROUTING -p tcp -i $IF0 --dport 443 -m state --state NEW -d 192.168.0.2/32 -j DNAT --to 192.168.1.6:443



# SMTP
$IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 25 -j DNAT --to 192.168.1.6:25


# INN
#$IPT -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.2/32 --dport 119 -j DNAT --to 192.168.1.4:119


# IRCD
IRC=6664:6669
$IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport $IRC -j DNAT --to 192.168.1.4:6664-6669
$IPT -t nat -A PREROUTING -p udp -i $IF0 -d 192.168.0.2/32 --dport 32768 -j DNAT --to 192.168.1.4:32768


# FTP
$IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 20 -j DNAT --to 192.168.1.4:20
$IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 21 -j DNAT --to 192.168.1.4:21
$IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 60000:65535 -m state --state ESTABLISHED,RELATED -j DNAT --to 192.168.1.4:60000-65534


# POP-SSL
$IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 995 -j DNAT --to 192.168.1.6:995
$IPT -t nat -A PREROUTING -p udp -i $IF0 -d 192.168.0.2/32 --dport 995 -j DNAT --to 192.168.1.6:995


# TIM --- DNS
$IPT -t nat -A PREROUTING -p ALL -i $IF0 -s $DNS1 -d $ARG0 -j DNAT --to 192.168.1.6
$IPT -t nat -A PREROUTING -p ALL -i $IF0 -s $DNS2 -d $ARG0 -j DNAT --to 192.168.1.6

#  PROXY
#$IPT -t nat -I PREROUTING -i $IF1 -p tcp -s $NET3 --dport 80 -j DNAT --to 192.168.1.1:8888

# EMULE
$IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 18744 -j DNAT --to 192.168.1.2:18744
$IPT -t nat -A PREROUTING -p udp -i $IF0 -d 192.168.0.2/32 --dport 57692 -j DNAT --to 192.168.1.2:57692
$IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 4711 -j DNAT --to 192.168.1.2:4711
$IPT -t nat -A PREROUTING -p udp -i $IF0 -d 192.168.0.2/32 --dport 4672 -j DNAT --to 192.168.1.2:4672
$IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 4661:4662 -j DNAT --to 192.168.1.2:4661-4662

##########################################################################################
# INPUT ARGO SERVICES #
##########################################################################################
# I want broadcasts to reach only machines in the LAN, and to stop packets
# going out to the internet and to other machines

# BROADCASTS
# ETH0
$IPT -A INPUT -i $IF0 -d 255.255.255.255/32 -j ULOG --ulog-prefix "NET_BROADCASTS:"
$IPT -A INPUT -i $IF0 -d 255.255.255.255/32 -j DROP

# ETH1
$IPT -A INPUT -i $IF1 -j ACCEPT -s 192.168.1.0/29 -d 192.168.1.255/29
$IPT -A INPUT -i $IF1 -j ULOG --ulog-prefix "LAN_BROADCASTS:" -s 192.168.1.0/29 -d 192.168.1.255/32
$IPT -A INPUT -i $IF1 -j DROP -s 192.168.1.0/29 -d 192.168.1.255/32

$IPT -A INPUT -i $IF1 -j ACCEPT -s 192.168.1.0/29 -d 255.255.255.255/29
$IPT -A INPUT -i $IF1 -j ULOG --ulog-prefix "LAN_NBIOS_BROADCASTS:" -s 192.168.1.0/29 -d 255.255.255.255/32
$IPT -A INPUT -i $IF1 -j DROP -s 192.168.1.0/29 -d 255.255.255.255/32

# MULTICASTS
$IPT -A INPUT -i $IF0 -j DROP -m state --state NEW -d 224.0.0.0/4 -p ! 6

# INPUT ARGO_SERVICES -----------------------------------------
# TOR
$IPT -t nat -A PREROUTING -i $IF0 -p tcp --dport 22 -j REDIRECT --to-port 9090
$IPT -t nat -A PREROUTING -i $IF0 -p tcp --dport 110 -j REDIRECT --to-port 9091
$IPT -A INPUT -i eth0 -p tcp -d 192.168.0.2/32 --dport 9090 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp -d 192.168.0.2/32 --dport 9091 -j ACCEPT


# Accept SSH and prevent brute force
$IPT -A INPUT -i eth0 -p tcp --dport 666 -d 192.168.0.2/32 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix "SSH_BRUTEFORCE:"
$IPT -A INPUT -i eth0 -p tcp --dport 666 -d 192.168.0.2/32 -m state --state NEW -m recent --set --name SSH -j ACCEPT


# TIM_DNS
$IPT -A INPUT -i eth0 -s $DNS1 -d $ARG0 -j ACCEPT
$IPT -A INPUT -i eth0 -s $DNS2 -d $ARG0 -j ACCEPT

# DROP Anything else
$IPT -A INPUT -i $IF0 -p tcp --dport 1:65535 -d $ARG0 -j ULOG --ulog-prefix "TCP:"
$IPT -A INPUT -i $IF0 -p tcp --dport 1:65535 -d $ARG0 -j DROP
$IPT -A INPUT -i $IF0 -p udp --dport 1:65535 -d $ARG0 -j ULOG --ulog-prefix "UDP:"
$IPT -A INPUT -i $IF0 -p udp --dport 1:65535 -d $ARG0 -j DROP
$IPT -A INPUT -i $IF0 -p ALL -d $ARG0 -j ULOG --ulog-prefix "#######| STOP_ALL_ |######:"
$IPT -A INPUT -i $IF0 -p ALL -d $ARG0 -j DROP


# FORWARD
#

# 192.168.0.0 NETWORK
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -s 192.168.0.3 -d 192.168.1.0/29 -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -s $ARG0 -d $NET3 -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -s $ROUT -d $NET3 -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -s $NET1 -d $NET4 -j ULOG --ulog-prefix "Forward_SPOOF:"
$IPT -A FORWARD -i eth0 -o eth1 -s $NET1 -d $NET4 -j DROP

# LAN
$IPT -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT


# # Services FORWARD-------->

# TIM DNS
$IPT -A FORWARD -s $DNS1 -d 192.168.1.0/24 -j ACCEPT
$IPT -A FORWARD -s $DNS2 -d 192.168.1.0/24 -j ACCEPT
# FTP
$IPT -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.4 --dport 20 -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.4 --dport 21 -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.4 --dport 60000:65534 -j ACCEPT


# INN
#$IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 119 -d 192.168.1.4 -j ACCEPT
# SMTP
$IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 25 -d 192.168.1.6 -j ACCEPT


# IRCD
IRC=6665:6669
$IPT -A FORWARD -i eth0 -p tcp --dport $IRC -d 192.168.1.4/32 -j ACCEPT
$IPT -A FORWARD -i eth0 -p udp --dport 32768 -d 192.168.1.4/32 -j ACCEPT


# HTTP
$IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -d 192.168.1.4 -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -d 192.168.1.4 -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -d 192.168.1.6 -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -d 192.168.1.6 -j ACCEPT


# POP SSL
$IPT -A FORWARD -i eth0 -p tcp --dport 995 -d 192.168.1.6 -j ACCEPT
$IPT -A FORWARD -i eth0 -p udp --dport 995 -d 192.168.1.6 -j ACCEPT

# EMULE
$IPT -A FORWARD -p tcp -i $IF0 --dport 18744 -d 192.168.1.2 -j ACCEPT
$IPT -A FORWARD -p udp -i $IF0 --dport 57692 -d 192.168.1.2 -j ACCEPT
$IPT -A FORWARD -p tcp -i $IF0 --dport 4711 -d 192.168.1.2 -j ACCEPT
$IPT -A FORWARD -p udp -i $IF0 --dport 4672 -d 192.168.1.2 -j ACCEPT
$IPT -A FORWARD -p tcp -i $IF0 --dport 4661:4662 -d 192.168.1.2 -j ACCEPT

# OUTPUT
$IPT -A OUTPUT -o eth0 -s 192.168.0.2/32 -j ACCEPT
$IPT -A OUTPUT -j ACCEPT -o eth1 -d 192.168.1.0/24
$IPT -A OUTPUT -s 192.168.0.0/16 -j ACCEPT
$IPT -A OUTPUT -s 192.168.1.0/24 -j ACCEPT

$IPT -A OUTPUT -p icmp --icmp-type time-exceeded -j DROP
$IPT -A OUTPUT -p icmp --icmp-type 0 -j DROP

# MASQUERADE
$IPT -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE

echo "1" > /proc/sys/net/ipv4/ip_forward

If you have questions, just ask.... thanks!!!


I do not really believe that this is the best form of a script but if you understand your script (and hopefully you do :D ) then this is good... :)

I prefer scripts much like the output of "iptables -vnL"


Swifty
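The script above mixes "-I" (insert at position 1) and "-A" (append) in the same chains, and Swifty's question about setting the policies to ACCEPT and then to DROP is really a question about the order things end up in. The following dry-run stand-in for $IPT is an added example (it is neither gabrix's script nor Swifty's code): it records each rule in a plain file per table and chain, models only -A, -I, -F and -P (my simplification, not how iptables stores rules), replays a fragment of the sequence from the script, and prints the resulting chain. Replaying the MSSQL block shows the inserted DROP landing above the inserted ULOG, so that log line can never match, while the UDP traceroute block (DROP inserted first, then ULOG) logs before it drops, and the appended SMTP DNAT sits below every inserted rule.

```shell
#!/bin/sh
# Dry-run stand-in for $IPT that shows the final chain order produced by a
# sequence of -I / -A calls. Assumption (mine): rules live one per line in
# $IPT_DIR/chain.TABLE.CHAIN, policies in $IPT_DIR/policy.TABLE.CHAIN.
IPT_DIR=$(mktemp -d)
trap 'rm -rf "$IPT_DIR"' EXIT

# fake_ipt [-t TABLE] (-A|-I) CHAIN RULE...   |  -F [CHAIN]  |  -P CHAIN TARGET
fake_ipt() {
    table=filter
    if [ "$1" = "-t" ]; then
        table=$2
        shift 2
    fi
    op=$1
    shift
    case $op in
        -A) f="$IPT_DIR/chain.$table.$1"; shift
            printf '%s\n' "$*" >> "$f" ;;               # append at the bottom
        -I) f="$IPT_DIR/chain.$table.$1"; shift
            touch "$f"
            { printf '%s\n' "$*"; cat "$f"; } > "$f.tmp" # insert at position 1
            mv "$f.tmp" "$f" ;;
        -F) if [ $# -eq 0 ]; then
                rm -f "$IPT_DIR/chain.$table."*           # flush every chain of the table
            else
                : > "$IPT_DIR/chain.$table.$1"
            fi ;;
        -P) printf '%s\n' "$2" > "$IPT_DIR/policy.$table.$1" ;;   # flush does not touch policies
        *)  echo "fake_ipt: option $op is not modelled" >&2; return 1 ;;
    esac
}

# Nth rule of a chain (1-based), as "iptables -t TABLE -L CHAIN --line-numbers" would list it
rule_at()    { sed -n "${3}p" "$IPT_DIR/chain.$1.$2"; }
rule_count() { wc -l < "$IPT_DIR/chain.$1.$2" | tr -d ' '; }
policy_of()  { cat "$IPT_DIR/policy.$1.$2"; }

# Replay a fragment of the sequence from the script above
replay() {
    fake_ipt -P INPUT ACCEPT                   # FLUSH section: open up, then flush...
    fake_ipt -F
    fake_ipt -t nat -F
    fake_ipt -P INPUT DROP                     # ...DEFAULTS: the policy that actually stays
    # MSSQL block: ULOG inserted first, DROP inserted after it -> DROP ends up above ULOG
    fake_ipt -t nat -I PREROUTING -i eth0 -p tcp --dport 1433:1434 -m limit -j ULOG --ulog-prefix MSSQL
    fake_ipt -t nat -I PREROUTING -i eth0 -p tcp --dport 1433:1434 -j DROP
    # UDP traceroute block: DROP inserted first, then ULOG -> ULOG ends up above DROP
    fake_ipt -t nat -I PREROUTING -i eth0 -p udp --dport 33434:33523 -j DROP
    fake_ipt -t nat -I PREROUTING -i eth0 -p udp --dport 33434:33523 -j ULOG --ulog-prefix UDP_TRACEROUTES
    # SMTP DNAT is appended, so it lands below every inserted rule
    fake_ipt -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.2/32 --dport 25 -j DNAT --to 192.168.1.6:25
}

replay
echo "filter INPUT policy: $(policy_of filter INPUT)"
n=1
while [ "$n" -le "$(rule_count nat PREROUTING)" ]; do
    echo "nat PREROUTING $n: $(rule_at nat PREROUTING "$n")"
    n=$((n + 1))
done
```

To check a full script this way, source it with IPT set to fake_ipt (IPT=fake_ipt) after removing the modprobe and /proc writes, then list each chain; any ULOG rule that ends up below a DROP with the same match is a log line that will never fire.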



