-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfirewall
executable file
·226 lines (185 loc) · 6.91 KB
/
firewall
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
#!/bin/sh
#################################################
# iptables firewall, by Brad Conte ([email protected])
#################################################
# Parameters for the firewall
IPTABLES="`which iptables`" # Replace these if iptables is not in your $PATH
#IP6TABLES="`which ip6tables`" # Disable ip6tables for the moment
PORT_BITTORRENT_BOTTOM="7000"
PORT_BITTORRENT_TOP="7100"
PORT_NFS="2049"
PORT_NFS_MOUNT_BOTTOM="4000"
PORT_NFS_NOUNT_TOP="4003"
PORT_PORTMAPPER="111"
PORT_SMB_NETBIOS="445"
PORT_SMB_MSDS="139"
PORT_SSH="31415"
PORTS_PLEX_SERVER_TCP="32400,32469"
PORTS_PLEX_SERVER_UDP="32400,32469,5353,1900"
[ ! -x "$IPTABLES" ] && exit 1
#################################################
# Kernel packet filtering
#################################################
# Logic Flow:
# - Cleanse existing IP tables and create necessary chains
# - Accept connections from local
# - Drop invalid packets
# - Check source IP against list of banned IPs before doing anything else.
# - If the packet is est. or related, ACCEPT by default unless you have a need to drop
# - If the packet is new, DROP by default unless you have a need to accept
# - Drop anything else.
case $1 in
start)
# IPv6 only
if [ -x "$IP6TABLES" ]; then
$IP6TABLES -F
$IP6TABLES -X
# Accept IPv6 on local interface (some apps stupidly use it)
$IP6TABLES -A INPUT -i lo -j ACCEPT 2> /dev/null
$IP6TABLES -A INPUT -j DROP 2> /dev/null
fi
# Create the chains
$IPTABLES -F
$IPTABLES -X
$IPTABLES -N BANNED_IPS
$IPTABLES -N NEW_CONNECT
$IPTABLES -N EST
$IPTABLES -N LOG_DROP
####################
# INPUT chain
####################
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j LOG_DROP
$IPTABLES -A INPUT -j BANNED_IPS
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j EST
$IPTABLES -A INPUT -m state --state NEW -j NEW_CONNECT
$IPTABLES -A INPUT -j LOG_DROP
####################
# OUTPUT chain
####################
$IPTABLES -P OUTPUT ACCEPT
####################
# Banned IPs
####################
$IPTABLES -A BANNED_IPS -j RETURN
####################
# Established Communication
####################
# TCP
# Drop all RST packets on bittorrent ports
#$IPTABLES -A EST -p tcp --rst --dport $PORT_BITTORRENT_BOTTOM:$PORT_BITTORRENT_TOP -j DROP
# UDP
# ICMP
$IPTABLES -A EST -p icmp -f -j LOG_DROP # Disallow fragmented ICMP
$IPTABLES -A EST -j ACCEPT
####################
# Open/Listening Ports
####################
# TCP
$IPTABLES -A NEW_CONNECT -p tcp ! --syn -j LOG_DROP
# Add IP to the list of "new" packets
#$IPTABLES -A NEW_CONNECT -m recent --set --name NEW
# SYN floods (based on SYN queue size and lifetime)
#$IPTABLES -A NEW_CONNECT -m recent --update --seconds 10 --hitcount 10 --rttl --name NEW -j LOG_DROP
# Listening services
$IPTABLES -A NEW_CONNECT -p tcp --dport $PORT_SSH -j ACCEPT
$IPTABLES -A NEW_CONNECT -p tcp --dport $PORT_BITTORRENT_BOTTOM:$PORT_BITTORRENT_TOP -j ACCEPT
$IPTABLES -A NEW_CONNECT -p udp --dport $PORT_BITTORRENT_BOTTOM:$PORT_BITTORRENT_TOP -j ACCEPT
$IPTABLES -A NEW_CONNECT -p tcp --dport $PORT_SMB_NETBIOS -j ACCEPT
$IPTABLES -A NEW_CONNECT -p tcp --dport $PORT_SMB_MSDS -j ACCEPT
$IPTABLES -A NEW_CONNECT -p tcp -m multiport --dports $PORTS_PLEX_SERVER_TCP -j ACCEPT
$IPTABLES -A NEW_CONNECT -p udp -m multiport --dports $PORTS_PLEX_SERVER_UDP -j ACCEPT
# $IPTABLES -A NEW_CONNECT -p tcp --dport $PORT_NFS_MOUNT_BOTTOM:$PORT_NFS_MOUNT_TOP -j ACCEPT
# $IPTABLES -A NEW_CONNECT -p tcp --dport $PORT_NFS -j ACCEPT
# $IPTABLES -A NEW_CONNECT -p tcp --dport $PORT_PORTMAPPER -j ACCEPT
# $IPTABLES -A NEW_CONNECT -p udp --dport $PORT_NFS_MOUNT_BOTTOM:$PORT_NFS_MOUNT_TOP -j ACCEPT
# $IPTABLES -A NEW_CONNECT -p udp --dport $PORT_NFS -j ACCEPT
# $IPTABLES -A NEW_CONNECT -p udp --dport $PORT_PORTMAPPER -j ACCEPT
# ICMP
$IPTABLES -A NEW_CONNECT -j LOG_DROP
####################
# Drop and Log
####################
# Currently don't log, just drop.
#$IPTABLES -A LOG_DROP -p udp --dport 37 -j DROP # NETBIOS scans
#$IPTABLES -A LOG_DROP -m limit --limit 1/sec -j LOG --log-ip-options -p tcp --log-tcp-options --log-prefix "rejected_tcp: " --log-level 7
#$IPTABLES -A LOG_DROP -m limit --limit 1/sec -j LOG --log-ip-options -p tcp --log-prefix "rejected_nontcp: " --log-level 7
$IPTABLES -A LOG_DROP -j DROP
#################################################
# Harden TCP/ARP
#################################################
# Don't forward anything
sysctl -q -w net.ipv4.ip_forward=0
# Check ACK's against valid SYN cookie values
sysctl -q -w net.ipv4.tcp_syncookies=1
# Max num of connections with no ACK from client
sysctl -q -w net.ipv4.tcp_max_syn_backlog="4096"
# Num times a SYN|ACK will be sent back
sysctl -q -w net.ipv4.tcp_synack_retries=3
# Drop gratuitous ARP frames
sysctl -q -w net.ipv4.conf.all.arp_accept=0
# Do not accept ICMP broadcast packets
sysctl -q -w net.ipv4.icmp_echo_ignore_broadcasts=1
# Do not listen to IP source routing
sysctl -q -w net.ipv4.conf.all.accept_source_route=0
#################################################
# Misc
#################################################
# Static route to the home network router
if [ "`hostname`" = "beacon" ]; then
arp -s 192.168.1.1 10:bf:48:e7:3f:b6 2> /dev/null
fi
;;
stop)
$IPTABLES -F
$IPTABLES -X
if [ -x "$IP6TABLES" ]; then
$IP6TABLES -F
$IP6TABLES -X
fi
sysctl -q -w net.ipv4.tcp_syncookies=1
sysctl -q -w net.ipv4.tcp_max_syn_backlog="2048"
sysctl -q -w net.ipv4.tcp_synack_retries=5
sysctl -q -w net.ipv4.conf.all.arp_accept=0
sysctl -q -w net.ipv4.icmp_echo_ignore_broadcasts=0
sysctl -q -w net.ipv4.conf.all.accept_source_route=1
;;
restart)
# This is also a convenient way to flush any custom
# iptables rules added since the firewall was started.
"$0" stop
"$0" start
;;
add)
# Allow easy access to add rules to the main chains.
# iptables -I inserts a rule at the head of the chain. We can't add
# at the end of the chain because we have custom rules to return to the
# main chain at the end.
case "$2" in
banned)
# Todo: Add function that verifies the argument is a valid IP.
# Note that this allows mask ranges to be specified.
$IPTABLES -I BANNED_IPS --source "$3" -j LOG_DROP
;;
new)
# Can't insert at position 1 because this chain first checks
# that this is a SYN packet if it is TCP.
proto="`echo $3 | cut -d ':' -f 1`"
port="`echo $3 | cut -d ':' -f 2`"
if [ -z "$proto" -o -z "$port" ]; then
echo "Must specify the protocol and port, eg 'tcp:21'" >&2
exit 1;
fi
$IPTABLES -I NEW_CONNECT 2 -p "$proto" --dport "$port" -j ACCEPT
;;
est)
# Don't have any easy rules that need to be accomodated yet.
;;
esac
;;
*)
echo " Usage: $0 [start|stop|restart|add] <banned|new|est> <tcp:port|udp:port|ip>"
exit 2
;;
esac
exit 0