LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-08-2006, 08:02 AM   #1
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 546

Rep: Reputation: 30
Cool My firewall script


I invite everyone to find bugs in my iptables script.I first map you my lan:
router netgear 192.168.0.1
LinuxBox gatewayFW2eths eth0 192.168.0.2
eth1 192.168.1.1
---------------------- [switch]
winbox 192.168.1.2
www-box 192.168.1.3
mail-ftp 2eths eth0 192.168.1.4
eth1 192.168.2.1
mac-laptop 192.168.2.2

FIREWALL script LinuxBox gatewayFW2eths:

#!/bin/bash -x

# Imposto Variabili
IPT=/sbin/iptables
LO=127.0.0.1
NET1=192.168.0.0/24
NET2=192.168.1.0/24
ROUTER=192.168.0.1
ARG0=192.168.0.2
ARG1=192.168.1.1
HC=192.168.1.3
GAB0=192.168.1.4
GAB1=192.168.2.1
MAC=192.168.2.2
DNS1=85.37.17.11
DNS2=85.38.28.69
NETBIOS=137,138,139,445,631

#Carico moduli
modprobe iptable_nat
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ip_nat_ftp
modprobe ipt_MARK
modprobe ipt_mac
modprobe ipt_mark
modprobe ipt_multiport
modprobe ipt_owner
modprobe ipt_state
modprobe ipt_tcpmss
modprobe ipt_tos
modprobe ip_conntrack_ftp

#cancello prima masquerading
echo "0" > /proc/sys/net/ipv4/ip_forward

#cancello eventuali regole presenti
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t mangle -F PREROUTING
$IPT -t mangle -F OUTPUT
$IPT -t nat -F PREROUTING
$IPT -t nat -F POSTROUTING
$IPT -t nat -F OUTPUT

#impongo catene di default
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -A INPUT -p icmp -i eth0 -j LOG --log-level debug


#libero localhost
$IPT -I INPUT 1 -i lo -j ACCEPT
$IPT -I OUTPUT 1 -o lo -j ACCEPT
$IPT -A INPUT -j ACCEPT -i lo
$IPT -A OUTPUT -j ACCEPT -o lo
$IPT -A INPUT -j LOG -i ! lo -s $LO
$IPT -A INPUT -j DROP -i ! lo -s $LO


#PREROUTING
# | ---------| NMAP - SCAN |----------- |
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "NMAP-XMAS SCAN:"
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NMAP-NULL SCAN:"
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN/RST SCAN:"
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "SYN/FIN SCAN:"
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#---------FTP - - - - GABRIX ------------------------>
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m multiport --dports 20,21 -j LOG --log-prefix "Anon_FTP_user:"
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state ESTABLISHED,RELATED --dport 20 -j DNAT --to $GAB0:20
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state NEW,ESTABLISHED,RELATED --dport 21 -j DNAT --to $GAB0:21
$IPT -t nat -A PREROUTING -p tcp -d $ARG0 --dport 50000:50050 -j DNAT --to $GAB0:50000:50050

#---SSH () GABRIX---------------------------|
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j DNAT --to $GAB0:22
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_Bruteforce:"
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

#----------- ( SMTP # GABRIX ) -----------------------------------------------------------|
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 --dport 25 -j LOG --log-prefix "MAIL From:"
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state NEW --dport 25 -j DNAT --to $GAB0:25

#---------------------WWW.HARDCODE.ATH.CX ) ) )))))))))))))))))))))
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state NEW --dport 80 -j LOG --log-prefix "WWW-visitor:"
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state NEW --dport 80 -j DNAT --to $HC:80

#-----------------------------POP3SSL )( GABRIX--------------------------------|
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state NEW --dport 995 -j DNAT --to $GAB0:995
$IPT -t nat -A PREROUTING -p udp -i eth0 -d $ARG0 -m state --state NEW --dport 995 -j DNAT --to $GAB0:995

#---JABBER
#$IPT -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.2 -m state --state NEW --dport 5222 -j DNAT --to 192.168.1.4:5222
#$IPT -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.2 -m state --state NEW --dport 5269 -j DNAT --to 192.168.1.4:5269

#-----------------squid
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.0/24 --dport 80 -j REDIRECT --to-port 3128



# ------- ANTISPOOF #########
$IPT -A INPUT -i eth0 -s 255.255.255.255/32 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 255.255.255.255/32 -j DROP
$IPT -A INPUT -i eth0 -s 169.254.0.0/16 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 255.255.255.255/32 -j DROP
$IPT -A INPUT -i eth0 -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 255.0.0.0/8 -j DROP
$IPT -A INPUT -i eth0 -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
$IPT -A INPUT -i eth0 -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 127.0.0.1/8 -j DROP
$IPT -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
$IPT -A INPUT -i eth0 -s 172.16.0.0/16 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 172.16.0.0/16 -j DROP
$IPT -A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
$IPT -A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
$IPT -A INPUT -i eth0 -f -j DROP

#Input
#Stop invalid e portscan attempts
$IPT -t mangle -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "NMAP-XMAS SCAN INPUT:" --log-tcp-options --log-ip-options
$IPT -t mangle -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NMAP-NULL SCAN INPUT:" --log-tcp-options --log-ip-options
$IPT -t mangle -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN/RST SCAN INPUT:" --log-tcp-options --log-ip-options
$IPT -t mangle -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "SYN/FIN SCAN INPUT:" --log-tcp-options --log-ip-options
$IPT -t mangle -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -t mangle -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -t mangle -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t mangle -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Accetto SSH e prevengo SSH-Bruteforces
$IPT -A INPUT -i eth0 -p tcp --dport 666 -m state --state NEW -m recent --set --name SSH -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 666 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_bruteforce:"
$IPT -A INPUT -i eth0 -p tcp --dport 666 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

#Accetto connessione gia' stabilita
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Abilito la mia LAN
$IPT -A INPUT -s $NET2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -s $MAC -j ACCEPT

# DNS TIM provider
$IPT -A INPUT -p udp -s $DNS1/32 --source-port 53 -d $ARG0 --destination-port 1024:65535 -j ACCEPT
$IPT -A INPUT -p udp -s $DNS2/32 --source-port 53 -d $ARG0 --destination-port 1024:65535 -j ACCEPT

# Netbios_monitor
$IPT -A INPUT -m multiport -p tcp --sports $NETBIOS -d 192.168.1.2 -j ACCEPT
$IPT -A INPUT -m multiport -p tcp --sports $NETBIOS -d 192.168.1.4 -j ACCEPT
$IPT -A INPUT -m multiport -p tcp --sports $NETBIOS -d 192.168.255.255 -j LOG --log-prefix "NETBIOS_SHIT:"
$IPT -A INPUT -m multiport -p tcp --sports $NETBIOS -d 192.168.255.255 -j DROP
$IPT -A INPUT -m multiport -p udp --sports $NETBIOS -d 192.168.1.2 -j ACCEPT
$IPT -A INPUT -m multiport -p udp --sports $NETBIOS -d 192.168.1.4 -j ACCEPT
$IPT -A INPUT -m multiport -p udp --sports $NETBIOS -d 192.168.255.255 -j LOG --log-prefix "NETBIOS_SHIT:"
$IPT -A INPUT -m multiport -p udp --sports $NETBIOS -d 192.168.255.255 -j DROP

#FORWARD
$IPT -A FORWARD -i eth1 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -s $NET2 -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -d $NET2 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 -s $ARG0 --dport 20 -d $GAB0 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 -s $ARG0 --dport 21 -d $GAB0 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 -s $ARG0 --dport 22 -d $GAB0 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 -s $ARG0 --dport 25 -d $GAB0 -j ACCEPT
#$IPT -A FORWARD -i eth0 -p tcp -s $ARG0 --dport 5222 -d $HC -j ACCEPT
#$IPT -A FORWARD -i eth0 -p tcp -s $ARG0 --dport 5269 -d $HC -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 -s $ARG0 --dport 80 -d $HC -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 -s ! $ARG0 --dport 110 -d $GAB0 -j DROP
$IPT -A FORWARD -p udp -i eth0 -o eth1 -s ! $ARG0 --dport 110 -d $GAB0 -j DROP
$IPT -A FORWARD -p tcp -i eth0 -o eth1 -s $ARG0 --dport 995 -d $GAB0 -j ACCEPT
$IPT -A FORWARD -p udp -i eth0 -o eth1 -s $ARG0 --dport 995 -d $GAB0 -j ACCEPT

# Invalid ---
$IPT -A FORWARD -i eth0 -o eth1 -j LOG --log-prefix "Invalid_Forwards:"
$IPT -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP

#IN USCITA
$IPT -A OUTPUT -s $ARG0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -s $NET2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -j ACCEPT -d 255.255.255.255/32
$IPT -A OUTPUT -j ACCEPT -s 192.168.0.2/32
$IPT -A OUTPUT -j ACCEPT -s 192.168.0.255/32
$IPT -A OUTPUT -j ACCEPT -d 255.255.255.255/32
$IPT -A OUTPUT -j ACCEPT -d 192.168.1.1/255.255.255.0
$IPT -A OUTPUT -j ACCEPT -d 224.0.0.0/4 -p ! 6

#loggo e droppo il resto
$IPT -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
$IPT -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0


#POSTROUTING&MASQUERADING#
$IPT -t nat -A POSTROUTING -o eth0 -s $NET2 -j MASQUERADE

#riabilito forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward


I hope is clear .... HAVE FUN !
 
Old 04-08-2006, 08:31 AM   #2
Samoth
Member
 
Registered: Apr 2005
Distribution: Exherbo
Posts: 474
Blog Entries: 1

Rep: Reputation: 32
If you are doing that much You could use a Perl script featured in the Linux Journal March 2006 issue.(www.linuxjournal.com). That is a very nice script and does most everything you are doing. It reads rules in from whitelist/blacklist traffic files and automagically makes a iptables script out of it. It is really cool.

Reqires PERL,iptables. I think it also needs a few CPAN modules

ALso in SSH bruteforce why cant you combine the "-j DROP" and the LOG lines? I am not that good at iptables but it would seem you could do that.

PS. I know that the PERL script has no logging but it could be implemented.

Last edited by Samoth; 04-08-2006 at 08:36 AM.
 
Old 04-08-2006, 01:19 PM   #3
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 546

Original Poster
Rep: Reputation: 30
well!I like make the firewall myself,in iptables you can make a log-drop of one rule i will give it a try ... the perl script !
 
  


Reply

Tags
firewall, security


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Where should this firewall script be placed? wardialer Linux - Security 84 02-14-2005 07:06 PM
slackware's /etc/rc.d/rc.firewall equivalent ||| firewall script startup win32sux Debian 1 03-06-2004 09:15 PM
Firewall script help!!!! cirkut5732 Linux - Newbie 8 04-17-2003 06:09 PM
Could you look over my firewall script please... Grim Reaper Linux - Networking 8 03-26-2003 03:33 AM
Firewall script help jfall Linux - Networking 6 10-23-2002 03:46 AM


All times are GMT -5. The time now is 04:50 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration