LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   My firewall script (http://www.linuxquestions.org/questions/linux-security-4/my-firewall-script-432996/)

gabsik 04-08-2006 08:02 AM

My firewall script
 
I invite everyone to find bugs in my iptables script.I first map you my lan:
router netgear 192.168.0.1
LinuxBox gatewayFW2eths eth0 192.168.0.2
eth1 192.168.1.1
---------------------- [switch]
winbox 192.168.1.2
www-box 192.168.1.3
mail-ftp 2eths eth0 192.168.1.4
eth1 192.168.2.1
mac-laptop 192.168.2.2

FIREWALL script LinuxBox gatewayFW2eths:

#!/bin/bash -x

# Imposto Variabili
IPT=/sbin/iptables
LO=127.0.0.1
NET1=192.168.0.0/24
NET2=192.168.1.0/24
ROUTER=192.168.0.1
ARG0=192.168.0.2
ARG1=192.168.1.1
HC=192.168.1.3
GAB0=192.168.1.4
GAB1=192.168.2.1
MAC=192.168.2.2
DNS1=85.37.17.11
DNS2=85.38.28.69
NETBIOS=137,138,139,445,631

#Carico moduli
modprobe iptable_nat
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ip_nat_ftp
modprobe ipt_MARK
modprobe ipt_mac
modprobe ipt_mark
modprobe ipt_multiport
modprobe ipt_owner
modprobe ipt_state
modprobe ipt_tcpmss
modprobe ipt_tos
modprobe ip_conntrack_ftp

#cancello prima masquerading
echo "0" > /proc/sys/net/ipv4/ip_forward

#cancello eventuali regole presenti
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t mangle -F PREROUTING
$IPT -t mangle -F OUTPUT
$IPT -t nat -F PREROUTING
$IPT -t nat -F POSTROUTING
$IPT -t nat -F OUTPUT

#impongo catene di default
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -A INPUT -p icmp -i eth0 -j LOG --log-level debug


#libero localhost
$IPT -I INPUT 1 -i lo -j ACCEPT
$IPT -I OUTPUT 1 -o lo -j ACCEPT
$IPT -A INPUT -j ACCEPT -i lo
$IPT -A OUTPUT -j ACCEPT -o lo
$IPT -A INPUT -j LOG -i ! lo -s $LO
$IPT -A INPUT -j DROP -i ! lo -s $LO


#PREROUTING
# | ---------| NMAP - SCAN |----------- |
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "NMAP-XMAS SCAN:"
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NMAP-NULL SCAN:"
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN/RST SCAN:"
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "SYN/FIN SCAN:"
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#---------FTP - - - - GABRIX ------------------------>
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m multiport --dports 20,21 -j LOG --log-prefix "Anon_FTP_user:"
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state ESTABLISHED,RELATED --dport 20 -j DNAT --to $GAB0:20
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state NEW,ESTABLISHED,RELATED --dport 21 -j DNAT --to $GAB0:21
$IPT -t nat -A PREROUTING -p tcp -d $ARG0 --dport 50000:50050 -j DNAT --to $GAB0:50000:50050

#---SSH () GABRIX---------------------------|
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j DNAT --to $GAB0:22
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_Bruteforce:"
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

#----------- ( SMTP # GABRIX ) -----------------------------------------------------------|
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 --dport 25 -j LOG --log-prefix "MAIL From:"
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state NEW --dport 25 -j DNAT --to $GAB0:25

#---------------------WWW.HARDCODE.ATH.CX ) ) )))))))))))))))))))))
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state NEW --dport 80 -j LOG --log-prefix "WWW-visitor:"
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state NEW --dport 80 -j DNAT --to $HC:80

#-----------------------------POP3SSL )( GABRIX--------------------------------|
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state NEW --dport 995 -j DNAT --to $GAB0:995
$IPT -t nat -A PREROUTING -p udp -i eth0 -d $ARG0 -m state --state NEW --dport 995 -j DNAT --to $GAB0:995

#---JABBER
#$IPT -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.2 -m state --state NEW --dport 5222 -j DNAT --to 192.168.1.4:5222
#$IPT -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.2 -m state --state NEW --dport 5269 -j DNAT --to 192.168.1.4:5269

#-----------------squid
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.0/24 --dport 80 -j REDIRECT --to-port 3128



# ------- ANTISPOOF #########
$IPT -A INPUT -i eth0 -s 255.255.255.255/32 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 255.255.255.255/32 -j DROP
$IPT -A INPUT -i eth0 -s 169.254.0.0/16 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 255.255.255.255/32 -j DROP
$IPT -A INPUT -i eth0 -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 255.0.0.0/8 -j DROP
$IPT -A INPUT -i eth0 -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
$IPT -A INPUT -i eth0 -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 127.0.0.1/8 -j DROP
$IPT -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
$IPT -A INPUT -i eth0 -s 172.16.0.0/16 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 172.16.0.0/16 -j DROP
$IPT -A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
$IPT -A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
$IPT -A INPUT -i eth0 -f -j DROP

#Input
#Stop invalid e portscan attempts
$IPT -t mangle -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "NMAP-XMAS SCAN INPUT:" --log-tcp-options --log-ip-options
$IPT -t mangle -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NMAP-NULL SCAN INPUT:" --log-tcp-options --log-ip-options
$IPT -t mangle -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN/RST SCAN INPUT:" --log-tcp-options --log-ip-options
$IPT -t mangle -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "SYN/FIN SCAN INPUT:" --log-tcp-options --log-ip-options
$IPT -t mangle -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -t mangle -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -t mangle -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t mangle -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Accetto SSH e prevengo SSH-Bruteforces
$IPT -A INPUT -i eth0 -p tcp --dport 666 -m state --state NEW -m recent --set --name SSH -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 666 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_bruteforce:"
$IPT -A INPUT -i eth0 -p tcp --dport 666 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

#Accetto connessione gia' stabilita
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Abilito la mia LAN
$IPT -A INPUT -s $NET2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -s $MAC -j ACCEPT

# DNS TIM provider
$IPT -A INPUT -p udp -s $DNS1/32 --source-port 53 -d $ARG0 --destination-port 1024:65535 -j ACCEPT
$IPT -A INPUT -p udp -s $DNS2/32 --source-port 53 -d $ARG0 --destination-port 1024:65535 -j ACCEPT

# Netbios_monitor
$IPT -A INPUT -m multiport -p tcp --sports $NETBIOS -d 192.168.1.2 -j ACCEPT
$IPT -A INPUT -m multiport -p tcp --sports $NETBIOS -d 192.168.1.4 -j ACCEPT
$IPT -A INPUT -m multiport -p tcp --sports $NETBIOS -d 192.168.255.255 -j LOG --log-prefix "NETBIOS_SHIT:"
$IPT -A INPUT -m multiport -p tcp --sports $NETBIOS -d 192.168.255.255 -j DROP
$IPT -A INPUT -m multiport -p udp --sports $NETBIOS -d 192.168.1.2 -j ACCEPT
$IPT -A INPUT -m multiport -p udp --sports $NETBIOS -d 192.168.1.4 -j ACCEPT
$IPT -A INPUT -m multiport -p udp --sports $NETBIOS -d 192.168.255.255 -j LOG --log-prefix "NETBIOS_SHIT:"
$IPT -A INPUT -m multiport -p udp --sports $NETBIOS -d 192.168.255.255 -j DROP

#FORWARD
$IPT -A FORWARD -i eth1 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -s $NET2 -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -d $NET2 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 -s $ARG0 --dport 20 -d $GAB0 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 -s $ARG0 --dport 21 -d $GAB0 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 -s $ARG0 --dport 22 -d $GAB0 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 -s $ARG0 --dport 25 -d $GAB0 -j ACCEPT
#$IPT -A FORWARD -i eth0 -p tcp -s $ARG0 --dport 5222 -d $HC -j ACCEPT
#$IPT -A FORWARD -i eth0 -p tcp -s $ARG0 --dport 5269 -d $HC -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 -s $ARG0 --dport 80 -d $HC -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 -s ! $ARG0 --dport 110 -d $GAB0 -j DROP
$IPT -A FORWARD -p udp -i eth0 -o eth1 -s ! $ARG0 --dport 110 -d $GAB0 -j DROP
$IPT -A FORWARD -p tcp -i eth0 -o eth1 -s $ARG0 --dport 995 -d $GAB0 -j ACCEPT
$IPT -A FORWARD -p udp -i eth0 -o eth1 -s $ARG0 --dport 995 -d $GAB0 -j ACCEPT

# Invalid ---
$IPT -A FORWARD -i eth0 -o eth1 -j LOG --log-prefix "Invalid_Forwards:"
$IPT -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP

#IN USCITA
$IPT -A OUTPUT -s $ARG0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -s $NET2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -j ACCEPT -d 255.255.255.255/32
$IPT -A OUTPUT -j ACCEPT -s 192.168.0.2/32
$IPT -A OUTPUT -j ACCEPT -s 192.168.0.255/32
$IPT -A OUTPUT -j ACCEPT -d 255.255.255.255/32
$IPT -A OUTPUT -j ACCEPT -d 192.168.1.1/255.255.255.0
$IPT -A OUTPUT -j ACCEPT -d 224.0.0.0/4 -p ! 6

#loggo e droppo il resto
$IPT -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
$IPT -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0


#POSTROUTING&MASQUERADING#
$IPT -t nat -A POSTROUTING -o eth0 -s $NET2 -j MASQUERADE

#riabilito forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward


I hope is clear .... HAVE FUN !

Samoth 04-08-2006 08:31 AM

If you are doing that much You could use a Perl script featured in the Linux Journal March 2006 issue.(www.linuxjournal.com). That is a very nice script and does most everything you are doing. It reads rules in from whitelist/blacklist traffic files and automagically makes a iptables script out of it. It is really cool.

Reqires PERL,iptables. I think it also needs a few CPAN modules

ALso in SSH bruteforce why cant you combine the "-j DROP" and the LOG lines? I am not that good at iptables but it would seem you could do that.

PS. I know that the PERL script has no logging but it could be implemented.

gabsik 04-08-2006 01:19 PM

well!I like make the firewall myself,in iptables you can make a log-drop of one rule i will give it a try ... the perl script !


All times are GMT -5. The time now is 07:54 AM.