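#!/bin/sh
#
# rc.firewall: start/stop/restart/status iptables
#
# Andrea "bunker" Purificato - 2004/12/10
# http://rawlab.mindcreations.com
#
# Usage: rc.firewall {start|stop|restart|status}
#
# Host (not router) firewall for a machine with two interfaces: IFACE0
# (cable) and IFACE1 (wireless).  Policy is INPUT DROP / FORWARD DROP /
# OUTPUT ACCEPT; inbound traffic is accepted only for ESTABLISHED,RELATED
# connections, a few ICMP types, and the services listed in eth_tcp/eth_udp
# (ssh on 22, p2p on 9176).  Everything else is dropped, with rate-limited
# logging.  IPv4 only: ip6tables is never touched, so on an IPv6-enabled
# host this script filters nothing on IPv6.

# Only root can change netfilter state.  $UID is a bash/zsh variable and is
# unset under a POSIX /bin/sh (dash, busybox ash), where the original
# "[ $UID != 0 ]" degenerated into a test error and the check was skipped;
# id(1) works everywhere.  Exit non-zero so callers (init) see the failure.
if [ "$(id -u)" -ne 0 ]; then
  printf '\aWARNING: only root can set iptables!\n' >&2
  exit 1
fi

LOAD=/sbin/modprobe
IFCONF=/sbin/ifconfig   # not used by this script; kept for compatibility
IPTAB=/usr/sbin/iptables

# cable
IFACE0=eth0
# wireless
IFACE1=eth1

# Count of iptables/sysctl commands that failed, reported through the exit
# status so a partially applied ruleset is not mistaken for a clean start.
FW_ERRORS=0

# fw ARGS... : run iptables with ARGS; a failed command is reported on
# stderr and counted instead of being silently ignored.
fw() {
  "$IPTAB" "$@" || {
    printf 'rc.firewall: iptables %s failed\n' "$*" >&2
    FW_ERRORS=$((FW_ERRORS + 1))
  }
}

# sysctl_set PATH VALUE : write VALUE into the /proc file PATH when it
# exists (kernels without the knob are silently skipped, as before).
sysctl_set() {
  [ -e "$1" ] || return 0
  echo "$2" > "$1" || {
    printf 'rc.firewall: cannot write %s to %s\n' "$2" "$1" >&2
    FW_ERRORS=$((FW_ERRORS + 1))
  }
}

# SETMOD ROUTINE
# Load the netfilter modules the ruleset relies on.  These are the 2.4/2.6
# era names (ip_conntrack*, ipt_*); newer kernels rename them
# (nf_conntrack*, xt_*) and autoload them when a rule references them, so a
# modprobe failure is printed by modprobe but is not fatal here.
# NOTE: the ftp/irc/tftp conntrack helpers widen what "RELATED" accepts
# (e.g. active-FTP data connections opened towards this host); load only
# the helpers for protocols actually used on this machine.
set_modules() {
  for mod in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
             ip_conntrack_tftp iptable_filter ipt_LOG ipt_REJECT \
             ipt_limit ipt_state; do
    "$LOAD" "$mod"
  done
  # NAT/mangle/owner modules, not needed by this ruleset:
  #$LOAD iptable_mangle
  #$LOAD iptable_nat
  #$LOAD ip_nat_ftp
  #$LOAD ip_nat_irc
  #$LOAD ipt_owner
  #$LOAD ipt_MASQUERADE
}

# SETOPT ROUTINE
# Kernel (sysctl) hardening applied on every start.  Each knob is written
# only if it exists, so unknown kernels are tolerated.
set_options() {
  # rp_filter on: drop packets whose source address is not reachable via
  # the interface they came in on (anti-spoofing).
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    sysctl_set "$f" 1
  done

  # tcp_syncookies on: survive SYN floods without exhausting the backlog.
  sysctl_set /proc/sys/net/ipv4/tcp_syncookies 1

  # ip_forward off: this is a host firewall, never route between
  # interfaces.  (The original test "[ /proc/.../ip_forward ]" lacked -e
  # and was therefore always true; the intent was an existence check.)
  sysctl_set /proc/sys/net/ipv4/ip_forward 0

  # ignore echo icmp broadcast: do not take part in smurf amplification.
  sysctl_set /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

  # ignore icmp bogus error responses (avoids log spam from broken routers).
  sysctl_set /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1

  # Neither accept nor send ICMP redirects (they rewrite our routing
  # table), and refuse source-routed packets.
  for f in /proc/sys/net/ipv4/conf/*/accept_redirects \
           /proc/sys/net/ipv4/conf/*/send_redirects \
           /proc/sys/net/ipv4/conf/*/accept_source_route; do
    sysctl_set "$f" 0
  done

  # log_martians on: log packets with impossible source addresses.
  for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    sysctl_set "$f" 1
  done

  # tcp_ecn off (problem with some routers if on)
  sysctl_set /proc/sys/net/ipv4/tcp_ecn 0

  # ACK-related 2.6 problem workaround
  #sysctl_set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal 1
}

# STOP ROUTINE
# Remove all rules and user chains and open the host: INPUT/OUTPUT ACCEPT.
# FORWARD stays DROP because nothing in this script ever needs forwarding.
# The nat/mangle tables may not be loaded, so their flush is best-effort.
unset_fw() {
  fw -F
  fw -P INPUT ACCEPT
  fw -P OUTPUT ACCEPT
  fw -P FORWARD DROP
  "$IPTAB" -t nat -F 2>/dev/null
  "$IPTAB" -t mangle -F 2>/dev/null
  fw -X
}

# START ROUTINE
# Build the complete ruleset from scratch.
set_fw() {
  # Fail closed: set the DROP policies *before* flushing, so there is no
  # window during start/restart in which every packet is accepted (the
  # original called unset_fw first, which sets INPUT ACCEPT, then only
  # later switched the policy to DROP).  Established connections see a few
  # dropped packets until the state rule below is back, which TCP retries.
  fw -P INPUT DROP
  fw -P FORWARD DROP
  fw -P OUTPUT ACCEPT
  fw -F
  "$IPTAB" -t nat -F 2>/dev/null
  "$IPTAB" -t mangle -F 2>/dev/null
  fw -X

  set_modules
  set_options

  # make auxiliary chains
  fw -N eth_in
  fw -N eth_icmp
  fw -N eth_tcp
  fw -N eth_udp
  fw -N scanlog
  fw -N flags

  # ----- INPUT -----
  # accept all lo-to-lo
  fw -A INPUT -i lo -j ACCEPT
  # send the rest to main road; packets on any other interface fall
  # through to the INPUT DROP policy
  fw -A INPUT -i "$IFACE0" -j flags
  fw -A INPUT -i "$IFACE1" -j flags

  # ----- FLAGS CONTROL -----
  # portscan detection: flag combinations no legitimate TCP stack sends
  # (xmas, null, syn+fin, syn+rst, lone fin) go to scanlog
  fw -A flags -p tcp --tcp-flags ALL URG,PSH,FIN -j scanlog
  fw -A flags -p tcp --tcp-flags ALL ALL -j scanlog
  fw -A flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j scanlog
  fw -A flags -p tcp --tcp-flags ALL NONE -j scanlog
  fw -A flags -p tcp --tcp-flags SYN,RST SYN,RST -j scanlog
  fw -A flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j scanlog
  fw -A flags -p tcp --tcp-flags ALL FIN -j scanlog
  fw -A flags -i "$IFACE0" -j eth_in
  fw -A flags -i "$IFACE1" -j eth_in

  # ----- SCANLOG -----
  # if here portscan is detected, log (rate-limited so a scan cannot
  # flood the log) and drop
  fw -A scanlog -m limit --limit 5/minute -j LOG --log-prefix "Netfilter-SCAN: "
  fw -A scanlog -j DROP

  # ----- ETH_IN -----
  # accept related and established packets
  fw -A eth_in -m state --state ESTABLISHED,RELATED -j ACCEPT
  # check protocols and separate by them
  fw -A eth_in -p icmp -j eth_icmp
  fw -A eth_in -p udp -j eth_udp
  fw -A eth_in -p tcp -j eth_tcp
  # the rest is abnormal, log and drop it
  fw -A eth_in -m limit --limit 1/sec -j LOG --log-prefix "Netfilter-REST: "
  fw -A eth_in -j DROP

  # ----- ETH_ICMP -----
  # filtering ICMP.  NOTE: replies to our own traffic are already accepted
  # by the ESTABLISHED,RELATED rule; these accept the listed types even
  # when unsolicited (echo-reply, dest-unreachable, time-exceeded).
  fw -A eth_icmp -p icmp --icmp-type 0 -j ACCEPT
  fw -A eth_icmp -p icmp --icmp-type 3 -j ACCEPT
  # (uncomment this if you want to enable ping response)
  # fw -A eth_icmp -p icmp --icmp-type 8 -j ACCEPT
  fw -A eth_icmp -p icmp --icmp-type 11 -j ACCEPT
  # (uncomment this for more log)
  #fw -A eth_icmp -m limit --limit 5/minute -j LOG --log-prefix "Netfilter-ICMP: "
  fw -A eth_icmp -j DROP

  # ----- ETH_UDP -----
  # filtering UDP SYN
  # direct connect rule for p2p
  fw -A eth_udp -m state -p udp --dport 9176 --state NEW -j ACCEPT
  # (uncomment this for more log)
  #fw -A eth_udp -m limit --limit 5/minute -j LOG --log-prefix "Netfilter-UDP: "
  fw -A eth_udp -j DROP

  # ----- ETH_TCP -----
  # Filtering TCP SYN
  # direct connect rule for p2p
  fw -A eth_tcp -m state -p tcp --dport 9176 --state NEW -j ACCEPT
  # the rest (SERVICES)
  # ssh is reachable from any address on both interfaces; restrict with
  # "-s <net>" if only known hosts should be able to connect.
  fw -A eth_tcp -m state -p tcp --dport 22 --state NEW -j ACCEPT
  #fw -A eth_tcp -m state -p tcp --dport 80 --state NEW -j ACCEPT
  # ident (113) and SMB (139/445) are REJECTed rather than dropped so the
  # peer gets an immediate answer instead of waiting for a timeout.
  fw -A eth_tcp -m state -p tcp --dport 113 --state NEW -j REJECT
  fw -A eth_tcp -m state -p tcp --dport 139 --state NEW -j REJECT
  fw -A eth_tcp -m state -p tcp --dport 445 --state NEW -j REJECT
  # (uncomment this for more log)
  #fw -A eth_tcp -m limit --limit 5/minute -j LOG --log-prefix "Netfilter-TCP: "
  fw -A eth_tcp -j DROP
}

# MAIN
case "${1:-}" in
  start)
    echo "Starting iptables filtering..."
    set_fw
    ;;
  stop)
    echo "Stopping iptables filtering..."
    unset_fw
    ;;
  restart)
    echo "Restarting iptables filtering..."
    set_fw
    ;;
  status)
    # -n: numeric output, no reverse-DNS lookups (those can hang, and a
    # DNS answer controlled by a remote party should not end up in the
    # listing).
    "$IPTAB" -L -v -n
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}" >&2
    exit 2
    ;;
esac

# Non-zero if any rule or sysctl could not be applied.
[ "$FW_ERRORS" -eq 0 ] || exit 1
exit 0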