LinuxQuestions.org > Linux - Security
04-08-2006, 08:02 AM | #1
Member | Registered: Dec 2005 | Location: This planet | Distribution: Debian,Xubuntu | Posts: 567
My firewall script
I invite everyone to find bugs in my iptables script. First I'll map my LAN for you:

router (netgear)                 192.168.0.1
LinuxBox (gateway/FW, 2 eths)    eth0 192.168.0.2
                                 eth1 192.168.1.1
---------------------- [switch]
winbox                           192.168.1.2
www-box                          192.168.1.3
mail-ftp (2 eths)                eth0 192.168.1.4
                                 eth1 192.168.2.1
mac-laptop                       192.168.2.2

FIREWALL script for LinuxBox (gateway/FW, 2 eths):
#!/bin/bash -x
# Set variables
IPT=/sbin/iptables
LO=127.0.0.1
NET1=192.168.0.0/24
NET2=192.168.1.0/24
ROUTER=192.168.0.1
ARG0=192.168.0.2
ARG1=192.168.1.1
HC=192.168.1.3
GAB0=192.168.1.4
GAB1=192.168.2.1
MAC=192.168.2.2
DNS1=85.37.17.11
DNS2=85.38.28.69
NETBIOS=137,138,139,445,631
# Load kernel modules
modprobe iptable_nat
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ip_nat_ftp
modprobe ipt_MARK
modprobe ipt_mac
modprobe ipt_mark
modprobe ipt_multiport
modprobe ipt_owner
modprobe ipt_state
modprobe ipt_tcpmss
modprobe ipt_tos
modprobe ip_conntrack_ftp
# Disable forwarding first (no masquerading while the rules are rebuilt)
echo "0" > /proc/sys/net/ipv4/ip_forward
# Flush any existing rules
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t mangle -F PREROUTING
$IPT -t mangle -F OUTPUT
$IPT -t nat -F PREROUTING
$IPT -t nat -F POSTROUTING
$IPT -t nat -F OUTPUT
# Set default chain policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -A INPUT -p icmp -i eth0 -j LOG --log-level debug
# Allow loopback
$IPT -I INPUT 1 -i lo -j ACCEPT
$IPT -I OUTPUT 1 -o lo -j ACCEPT
# Log and drop packets that claim a loopback source but did not arrive on lo
# (negation goes before the option: "! -i lo", the old "-i ! lo" form is deprecated)
$IPT -A INPUT ! -i lo -s $LO -j LOG
$IPT -A INPUT ! -i lo -s $LO -j DROP
#PREROUTING
# | ---------| NMAP - SCAN |----------- |
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "NMAP-XMAS SCAN:"
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NMAP-NULL SCAN:"
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN/RST SCAN:"
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "SYN/FIN SCAN:"
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#---------FTP - - - - GABRIX ------------------------>
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m multiport --dports 20,21 -j LOG --log-prefix "Anon_FTP_user:"
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state ESTABLISHED,RELATED --dport 20 -j DNAT --to $GAB0:20
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state NEW,ESTABLISHED,RELATED --dport 21 -j DNAT --to $GAB0:21
# Passive FTP data ports: a port range in --to-destination is written with a dash, not a colon
$IPT -t nat -A PREROUTING -p tcp -d $ARG0 --dport 50000:50050 -j DNAT --to $GAB0:50000-50050
#---SSH () GABRIX---------------------------|
# The brute-force check (--update) must come BEFORE the rule that records the
# attempt (--set) and DNATs it: DNAT is terminating, so with the old order every
# NEW connection was DNATed first and the --update rules never saw it
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_Bruteforce:"
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j DNAT --to $GAB0:22
#----------- ( SMTP # GABRIX ) -----------------------------------------------------------|
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 --dport 25 -j LOG --log-prefix "MAIL From:"
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state NEW --dport 25 -j DNAT --to $GAB0:25
#---------------------WWW.HARDCODE.ATH.CX ) ) )))))))))))))))))))))
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state NEW --dport 80 -j LOG --log-prefix "WWW-visitor:"
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state NEW --dport 80 -j DNAT --to $HC:80
#-----------------------------POP3SSL )( GABRIX--------------------------------|
$IPT -t nat -A PREROUTING -p tcp -i eth0 -d $ARG0 -m state --state NEW --dport 995 -j DNAT --to $GAB0:995
$IPT -t nat -A PREROUTING -p udp -i eth0 -d $ARG0 -m state --state NEW --dport 995 -j DNAT --to $GAB0:995
#---JABBER
#$IPT -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.2 -m state --state NEW --dport 5222 -j DNAT --to 192.168.1.4:5222
#$IPT -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.2 -m state --state NEW --dport 5269 -j DNAT --to 192.168.1.4:5269
#-----------------squid
# Transparent proxy for LAN web clients (assumed intent): their requests arrive
# on the LAN side, eth1, from $NET2; the old match "-i eth0 -d 192.168.1.0/24"
# never sees a client request
$IPT -t nat -A PREROUTING -p tcp -i eth1 -s $NET2 --dport 80 -j REDIRECT --to-port 3128
# ------- ANTISPOOF #########
$IPT -A INPUT -i eth0 -s 255.255.255.255/32 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 255.255.255.255/32 -j DROP
$IPT -A INPUT -i eth0 -s 169.254.0.0/16 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -i eth0 -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 255.0.0.0/8 -j DROP
$IPT -A INPUT -i eth0 -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
$IPT -A INPUT -i eth0 -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
$IPT -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
# The RFC 1918 block is 172.16.0.0/12 (172.16.x.x to 172.31.x.x), not /16
$IPT -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
$IPT -A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
# The reserved block is 240.0.0.0/4; /5 only covered 240-247
$IPT -A INPUT -i eth0 -s 240.0.0.0/4 -j LOG --log-prefix "Spoofed_IP:"
$IPT -A INPUT -i eth0 -s 240.0.0.0/4 -j DROP
$IPT -A INPUT -i eth0 -f -j DROP
#Input
# Stop invalid and portscan attempts
$IPT -t mangle -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "NMAP-XMAS SCAN INPUT:" --log-tcp-options --log-ip-options
$IPT -t mangle -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NMAP-NULL SCAN INPUT:" --log-tcp-options --log-ip-options
$IPT -t mangle -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN/RST SCAN INPUT:" --log-tcp-options --log-ip-options
$IPT -t mangle -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "SYN/FIN SCAN INPUT:" --log-tcp-options --log-ip-options
$IPT -t mangle -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -t mangle -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -t mangle -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t mangle -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Accept SSH (listening on 666) and prevent SSH brute force: the check runs
# before the record-and-accept rule and only on NEW connections, otherwise the
# ACCEPT fires first and the throttle never triggers
$IPT -A INPUT -i eth0 -p tcp --dport 666 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_bruteforce:"
$IPT -A INPUT -i eth0 -p tcp --dport 666 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
$IPT -A INPUT -i eth0 -p tcp --dport 666 -m state --state NEW -m recent --set --name SSH -j ACCEPT
# Accept already-established connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow my LAN
$IPT -A INPUT -s $NET2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -s $MAC -j ACCEPT
# DNS TIM provider
$IPT -A INPUT -p udp -s $DNS1/32 --source-port 53 -d $ARG0 --destination-port 1024:65535 -j ACCEPT
$IPT -A INPUT -p udp -s $DNS2/32 --source-port 53 -d $ARG0 --destination-port 1024:65535 -j ACCEPT
# Netbios_monitor
$IPT -A INPUT -m multiport -p tcp --sports $NETBIOS -d 192.168.1.2 -j ACCEPT
$IPT -A INPUT -m multiport -p tcp --sports $NETBIOS -d 192.168.1.4 -j ACCEPT
$IPT -A INPUT -m multiport -p tcp --sports $NETBIOS -d 192.168.255.255 -j LOG --log-prefix "NETBIOS_SHIT:"
$IPT -A INPUT -m multiport -p tcp --sports $NETBIOS -d 192.168.255.255 -j DROP
$IPT -A INPUT -m multiport -p udp --sports $NETBIOS -d 192.168.1.2 -j ACCEPT
$IPT -A INPUT -m multiport -p udp --sports $NETBIOS -d 192.168.1.4 -j ACCEPT
$IPT -A INPUT -m multiport -p udp --sports $NETBIOS -d 192.168.255.255 -j LOG --log-prefix "NETBIOS_SHIT:"
$IPT -A INPUT -m multiport -p udp --sports $NETBIOS -d 192.168.255.255 -j DROP
#FORWARD
$IPT -A FORWARD -i eth1 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -s $NET2 -j ACCEPT
# Only replies to LAN-originated connections come back in unconditionally;
# a NEW connection from outside must match one of the DNATed services below.
# (With NEW in this rule the per-service rules and the Invalid_Forwards log
# below were dead code: everything was accepted here.)
$IPT -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -d $NET2 -j ACCEPT
# DNATed services: in FORWARD the destination is already rewritten to the
# internal host and the source is the remote client, so a "-s $ARG0" match
# (the gateway's own address) could never fire
$IPT -A FORWARD -p tcp -i eth0 -o eth1 --dport 20 -d $GAB0 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 --dport 21 -d $GAB0 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 --dport 50000:50050 -d $GAB0 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 --dport 22 -d $GAB0 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 --dport 25 -d $GAB0 -j ACCEPT
#$IPT -A FORWARD -i eth0 -p tcp --dport 5222 -d $HC -j ACCEPT
#$IPT -A FORWARD -i eth0 -p tcp --dport 5269 -d $HC -j ACCEPT
$IPT -A FORWARD -p tcp -i eth0 -o eth1 --dport 80 -d $HC -j ACCEPT
# Plain POP3 from outside is refused; only POP3S (995) is forwarded
$IPT -A FORWARD -p tcp -i eth0 -o eth1 --dport 110 -d $GAB0 -j DROP
$IPT -A FORWARD -p udp -i eth0 -o eth1 --dport 110 -d $GAB0 -j DROP
$IPT -A FORWARD -p tcp -i eth0 -o eth1 --dport 995 -d $GAB0 -j ACCEPT
$IPT -A FORWARD -p udp -i eth0 -o eth1 --dport 995 -d $GAB0 -j ACCEPT
# Invalid ---
$IPT -A FORWARD -i eth0 -o eth1 -j LOG --log-prefix "Invalid_Forwards:"
$IPT -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP
#OUTPUT
$IPT -A OUTPUT -s $ARG0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -s $NET2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -j ACCEPT -d 255.255.255.255/32
$IPT -A OUTPUT -j ACCEPT -s 192.168.0.2/32
$IPT -A OUTPUT -j ACCEPT -s 192.168.0.255/32
$IPT -A OUTPUT -j ACCEPT -d 192.168.1.1/255.255.255.0
# Multicast, everything except TCP ("-p ! 6" is the deprecated spelling)
$IPT -A OUTPUT -j ACCEPT -d 224.0.0.0/4 ! -p tcp
# Log and drop the rest
$IPT -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
$IPT -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
#POSTROUTING&MASQUERADING#
$IPT -t nat -A POSTROUTING -o eth0 -s $NET2 -j MASQUERADE
# Re-enable forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
I hope it is clear .... HAVE FUN!
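Every LOG rule in the script tags its kernel log line with a --log-prefix ("Spoofed_IP:", "SSH_bruteforce:", "NMAP-XMAS SCAN:", ...), which is what makes the log useful: you can see per prefix and per source whether the throttle or the anti-spoof rules are firing at all. The following is an added example, not code from the post, that summarises those lines. The sample log lines are constructed and shortened (a real LOG line carries more fields such as MAC=, LEN= and TTL=); the prefixes and addresses are the script's own, the remote addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the LOG output of the
# firewall script by --log-prefix and source address. It relies only on the
# fields the LOG target always writes: the prefix sits between "kernel: " and
# "IN=", and the source is the SRC= field.

# Constructed, abbreviated sample in the klogd/syslog format of the era.
SAMPLE_LOG='Apr  8 08:10:01 gw kernel: SSH_bruteforce:IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.0.2 PROTO=TCP SPT=40001 DPT=666
Apr  8 08:10:02 gw kernel: SSH_bruteforce:IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.0.2 PROTO=TCP SPT=40002 DPT=666
Apr  8 08:10:05 gw kernel: Spoofed_IP:IN=eth0 OUT= SRC=10.1.2.3 DST=192.168.0.2 PROTO=UDP SPT=53 DPT=1234
Apr  8 08:10:09 gw kernel: NMAP-XMAS SCAN:IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.0.2 PROTO=TCP SPT=5555 DPT=80
Apr  8 08:10:11 gw kernel: SSH_bruteforce:IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.0.2 PROTO=TCP SPT=40003 DPT=666
Apr  8 08:11:00 gw kernel: WWW-visitor:IN=eth0 OUT= SRC=203.0.113.20 DST=192.168.0.2 PROTO=TCP SPT=51000 DPT=80'

# Read kernel log lines on stdin; print "count<TAB>prefix<TAB>src", most
# frequent first. Lines without IN= and SRC= (not from the LOG target) are skipped.
summarize_fw_log() {
  awk '
    /kernel: / && /IN=/ && /SRC=/ {
      pfx = $0
      sub(/.*kernel: /, "", pfx)   # drop timestamp, host and "kernel: "
      sub(/IN=.*/, "", pfx)        # what is left before IN= is the --log-prefix
      src = $0
      sub(/.*SRC=/, "", src)
      sub(/ .*/, "", src)
      n[pfx "\t" src]++
    }
    END { for (k in n) print n[k] "\t" k }
  ' | sort -rn
}

# Sources that triggered PREFIX at least THRESHOLD times in the log: the list a
# nightly report or a manual blocklist review would start from.
repeat_offenders() {   # usage: repeat_offenders "PREFIX:" THRESHOLD < log
  summarize_fw_log | awk -F '\t' -v p="$1" -v t="$2" '$2 == p && $1 >= t { print $3 }'
}

# sh fwlog.sh demo                 -> summary of the constructed sample
# sh fwlog.sh /var/log/kern.log    -> summary of a real log file
case "${1:-}" in
  demo) printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
        printf '%s\n' "$SAMPLE_LOG" | repeat_offenders "SSH_bruteforce:" 3 ;;
  "")   ;;
  *)    summarize_fw_log < "$1" ;;
esac
```

On the sample the first summary line is the three "SSH_bruteforce:" hits from 198.51.100.7, which is exactly the source the --hitcount rule is meant to catch; a prefix that never shows up in a week of logs is worth checking, since it usually means the rule sits behind one that accepts first.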
04-08-2006, 08:31 AM | #2
Member | Registered: Apr 2005 | Distribution: Exherbo | Posts: 474
If you are doing that much, you could use a Perl script featured in the Linux Journal March 2006 issue (www.linuxjournal.com). That is a very nice script and does most everything you are doing. It reads rules in from whitelist/blacklist traffic files and automagically makes an iptables script out of it. It is really cool.
Requires Perl, iptables. I think it also needs a few CPAN modules.
Also, in SSH bruteforce why can't you combine the "-j DROP" and the LOG lines? I am not that good at iptables but it would seem you could do that.
PS. I know that the Perl script has no logging, but it could be implemented.
Last edited by Samoth; 04-08-2006 at 08:36 AM.
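On the question of combining the LOG and DROP lines: LOG is a non-terminating target, so a single iptables rule cannot both log and drop, but a user-defined chain that does LOG then DROP gives the same effect with one jump per rule, and a limit match on the LOG keeps a flood from filling the disk. The following is an added example, not code from either poster, that rewrites the script's scan rules and its SSH throttle through such a chain. It assumes, as the script does, that eth0 is the outside interface and that SSH on the gateway listens on port 666; with IPT=echo it prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from either poster): "log and drop" from one rule via a
# user-defined chain. Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-/sbin/iptables}"

# Create (or reset, if it already exists) a chain that logs at most 5 lines per
# minute with a burst of 10, then drops.
make_logdrop_chain() {   # usage: make_logdrop_chain CHAIN "PREFIX:"
  $IPT -N "$1" 2>/dev/null || $IPT -F "$1"
  $IPT -A "$1" -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "$2"
  $IPT -A "$1" -j DROP
}

# The script's four scan-detection patterns: one LOGDROP chain per scan type,
# then a single rule per flag pattern instead of a LOG line plus a DROP line.
add_scan_rules() {       # usage: add_scan_rules CHAIN   (e.g. INPUT or FORWARD)
  chain=$1
  for spec in 'ALL FIN,URG,PSH XMAS' 'ALL NONE NULL' \
              'SYN,RST SYN,RST SYN-RST' 'SYN,FIN SYN,FIN SYN-FIN'; do
    set -- $spec   # word-split into: mask, flags, name
    make_logdrop_chain "SCAN_$3" "$3 SCAN:"
    $IPT -A "$chain" -p tcp --tcp-flags "$1" "$2" -j "SCAN_$3"
  done
}

# SSH throttle in the order that works: the --update check runs BEFORE the rule
# that records the attempt (--set) and accepts, and both match only NEW
# connections. A source that already has 4 attempts in the last 60 s goes to
# the LOGDROP chain; everyone else is recorded and let through.
add_ssh_ratelimit() {    # usage: add_ssh_ratelimit CHAIN PORT
  make_logdrop_chain SSH_BRUTE "SSH_bruteforce:"
  $IPT -A "$1" -i eth0 -p tcp --dport "$2" -m state --state NEW \
       -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j SSH_BRUTE
  $IPT -A "$1" -i eth0 -p tcp --dport "$2" -m state --state NEW \
       -m recent --set --name SSH -j ACCEPT
}

# sh logdrop.sh dry-run   prints the rules
# sh logdrop.sh apply     loads them (as root, into an otherwise configured ruleset)
case "${1:-}" in
  dry-run|apply)
    if [ "$1" = dry-run ]; then IPT=echo; fi
    make_logdrop_chain LOGDROP "Dropped:"
    add_scan_rules INPUT
    add_ssh_ratelimit INPUT 666
    ;;
esac
```

The generic LOGDROP chain is what the final "log and drop the rest" pairs in the OUTPUT and FORWARD chains would jump to; the per-prefix chains exist only because the prefix lives in the LOG rule inside the chain, so each distinct prefix needs its own.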
04-08-2006, 01:19 PM | #3
Member (Original Poster) | Registered: Dec 2005 | Location: This planet | Distribution: Debian,Xubuntu | Posts: 567
Well! I like to make the firewall myself; in iptables you can make a log-drop of one rule. I will give it a try ... the Perl script!