Topic: Looking for Ping's firewall rules (iptables)

**ethernal**
thanks :jap:
**Dark_Schneider**
I found a nice one, a bit in PinG's style -> http://www.net-security.org/text/a [...] basics.txt

**ethernal**
Otherwise, there are graphical iptables firewall design tools (I have a feeling this will go down well ;) ).
This one, for instance, was recommended to me by a friend: http://www.fwbuilder.org/

**die488**
Thanks, I had just found http://www.sentry.net/~obsid/IPTab [...] ables.dual It looks very good ;)

**ethernal**
The one 911GT3 uses (and which was my starting point) is fine (apart from FORWARD being set to ACCEPT):
http://www.sentry.net/~obsid/IPTab [...] ables.dual Otherwise you should find what you need here: http://www.linuxguruz.org/iptables/

**911GT3**
It doesn't work :D
To sum up: 1 PC on ADSL (eth0), connected to the client via eth1 (192.168.0.1), and a client at 192.168.0.3. When I run the script I get lots of errors: iptables: No chain/target/match by that name. The client can reach the net; the server can't. A ping to HFR's IP gives me an 'operation not permitted' message, a "w3c http://212.43.221.155" gives me a timed out, a "w3c http://www.hardware.fr" gives me a gethostname operation failed. So I changed (starting from the one found on the net) External="ppp0" (but eth0 is the same) and Internal_net="192.168.0.3", and that's all. :(

**die488**
I'm in the middle of "attempting to try to write" ( :ouch: ) my own little script, but I don't think I need all of that...
My gateway has to listen on 21, 22, 25, 53, 110, 80, 953, 3306. I'd like everything else to be forwarded to the local network (to start with). I'll try to draw on your scripts, but if you happen to know one I could use as a base, don't hesitate ;)
**ethernal**
A bit over the top, I think so too ;)
But still... I wanted to be able to tell each type of traffic apart (internet -> gateway, ...) so I could add and remove ports easily, and I didn't find a simpler way... There's plenty of useless stuff that isn't used at the moment but might be one day.

**die488**
ethernal> that's a killer script, it must run to 5 pages!

**the_fireball**
In any case, ethernal, you've written one hell of a script!!!! Me, I only allow what I want and block everything else indiscriminately, apart from the anti-spoofing, and that gives me a smaller script in the style of Ping's. And it works fine. I'm impressed by the complexity of your script and I wonder why make it so complicated... But I'm not criticising it, let's be clear on that :hello:

**ethernal**
Yep, I'm not 100% sure but it's more logical.

**911GT3**
Er.... nope.... I left eth0 :D
Was I supposed to? :sweat:

**ethernal**
lol ;) Yep, they can be the same :D Since I split everything up in my script, if I have a DNS server I can tell the gateway to update its own from the net and only allow the network clients to connect to the internal DNS, for example ;)

**ethernal**
Did you change EXTERNAL=ppp0?
I can't really see what else it could be.

**911GT3**
ok :D
I took that one because I got a bit lost between DNS for Gateway and DNS for network. My guess is they're the same for me, namely Wanadoo's. But since it didn't work after the first test, I tried something simpler ;).

**ethernal**
That's the one I used as a base... it seemed fine to me ;)
Warning!! The only problem is that its FORWARD is set to ACCEPT!! Avoid that at all costs!

**911GT3**
Of course I have a few problems :D
I had to recompile a kernel to get iptable_mangle (I took the opportunity to move to 2.4.12-ac3 ;)). Digging through the links in your script, I found this one, which seems to fit my needs better (1 box connected to the net and one client box, 192.168.0.1 and 192.168.0.3 respectively): http://www.sentry.net/~obsid/IPTab [...] ables.dual
- a few odd messages while it loads
- when I run the thing, I get many times: iptables: No chain/target/match by that name
- in the end, my client can get to the net but my box can't.
I only changed the line giving the path to iptables, and changed this: INTERNAL_NET="192.168.1.0/24" ## Network address for the internal network to INTERNAL_NET="192.168.0.1/24" ## Network address for the internal network
Martinez > me not understand :??:
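Both problems raised in this post, a FORWARD chain left at ACCEPT and the `iptables: No chain/target/match by that name` error, can be checked for offline before a script is loaded on the gateway. This is an added example, not code from the thread or from the sentry.net script; it assumes only POSIX sh, awk and sort, and the two sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the sentry.net script): two offline
# checks for the problems discussed above. Assumes POSIX sh, awk and sort.

# Constructed iptables-save dump: FORWARD was left at ACCEPT, the mistake
# ethernal warns about. On a real gateway, pipe `iptables-save` in instead.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
:KEEP_STATE - [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth0 -j KEEP_STATE
-A KEEP_STATE -m state --state INVALID -j DROP
-A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed script fragment: it jumps to LOG_AND_DROP but never creates
# that chain with -N, which iptables reports at load time as
# "No chain/target/match by that name".
SAMPLE_SCRIPT='IPTABLES=/sbin/iptables
$IPTABLES -N KEEP_STATE
$IPTABLES -A KEEP_STATE -m state --state INVALID -j DROP
$IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i eth0 -j KEEP_STATE
$IPTABLES -t nat -A PREROUTING -i ppp0 -s 127.0.0.0/8 -j LOG_AND_DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'

# Read an iptables-save dump on stdin and print each built-in filter chain
# whose default policy is not DROP. Only the *filter table counts: the nat
# and mangle tables are left at ACCEPT by design, as the script above does.
open_filter_policies() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && /^:/ {
            chain = substr($1, 2)
            if ((chain == "INPUT" || chain == "FORWARD" || chain == "OUTPUT") &&
                $2 != "DROP")
                print chain " " $2
        }
    '
}

# Read a firewall script on stdin and print every "-j TARGET" whose TARGET is
# neither a standard target nor a chain the script creates with -N. It does
# not catch the other cause of the same iptables error: a match or target
# extension whose kernel module is missing (911GT3's iptable_mangle case).
undefined_jump_targets() {
    awk '
        BEGIN {
            n = split("ACCEPT DROP REJECT LOG RETURN QUEUE MASQUERADE SNAT DNAT REDIRECT TCPMSS TOS MARK", b, " ")
            for (i = 1; i <= n; i++) known[b[i]] = 1
        }
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-N") known[$(i + 1)] = 1
                if ($i == "-j") jumps[$(i + 1)] = 1
            }
        }
        END { for (t in jumps) if (!(t in known)) print t }
    ' | sort
}

# Demonstration on the constructed inputs.
printf '%s\n' "$SAMPLE_DUMP" | open_filter_policies
printf '%s\n' "$SAMPLE_SCRIPT" | undefined_jump_targets
```

On a live gateway, `iptables-save | open_filter_policies` and `undefined_jump_targets < firewall` give the same two reports against the real rule set and script.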
**Martinez**
Well, for me, opening a port takes 3 seconds...

**ethernal**
If you remove it, remove all the echo_success and echo_failure calls too
--> vi firewall :s/characters to search for/replacement characters/

**911GT3**
Is it just to get a:
Firewall rules loaded [OK] ? Can I just comment the line out, or does it do extra stuff?

**ethernal**
Ah, of course ;)
Look in the "for Dark" post. It's there to call the echo_success or echo_failure functions (which print a nice green [OK] or a red [FAILED]).

**911GT3**
Well, to be honest :D
What is /etc/init.d/functions? Because I don't have it (Debian Sid). I didn't go any further ;)

**ethernal**
lol, it took me a few days to put together :D
Everything is automated (detection of your internal IP and mask, ...); normally all you have to do is:
- enter your DNS, SMTP, POP and news addresses
- I redirect requests for my website to port 8050 (just remove that)
- for each type of traffic (internet -> gateway, internet -> network, ...) say what you accept or not.
I admit it's a bit over the top... :lol: but when I need to open a port it takes me less than 30 sec... if you need help ;)

**911GT3**
thanks :jap:
I'll go through it (well, try to) and adapt it to my setup if necessary. It scares me :sweat:
**ethernal**
The rest (it won't let me post it all at once)

```sh
    ##========================================================================##
    ## Jump to our INPUT chains.
    ##===================================================================##
    ## Accept packets to the loopback interface.
    $IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT
    ##===================================================================##
    ## NETWORK TO GATEWAY (INPUT to our internal interface).
    $IPTABLES -A INPUT -i $LAN1_IF -j NETWORK_2_GATEWAY
    ##===================================================================##
    ## INTERNET TO GATEWAY (INPUT to the external Interface).
    $IPTABLES -A INPUT -i $EXT_IF -j INTERNET_2_GATEWAY
    ##===================================================================##
    ## End INPUT Chain Rules ##
    ##========================================================================##

    ##========================================================================##
    ## Jump to our OUTPUT chains.
    ##===================================================================##
    ## Accept All traffic across loopback device.
    $IPTABLES -A OUTPUT -o $LOOPBACK -j ACCEPT
    ##===================================================================##
    ## GATEWAY TO NETWORK (OUTPUT on the internal interface).
    $IPTABLES -A OUTPUT -o $LAN1_IF -j GATEWAY_2_NETWORK
    ##===================================================================##
    ## GATEWAY TO INTERNET (OUTPUT on the external interface).
    $IPTABLES -A OUTPUT -o $EXT_IF -j GATEWAY_2_INTERNET
    ##===================================================================##
    ## End OUTPUT Chain Rules ##
    ##========================================================================##

    ##========================================================================##
    ## Jump to our FORWARD chains.
    $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    ##===================================================================##
    ## INTERNET TO NETWORK (IN:EXT_IF OUT:LAN1_IF-SRC:Any DST:LAN1_SUBNET).
    $IPTABLES -A FORWARD -i $EXT_IF -j INTERNET_2_NETWORK
    ##===================================================================##
    ## NETWORK TO INTERNET (IN:LAN1_IF OUT:EXT_IF-SRC:LAN1_SUBNET DST:Any).
    $IPTABLES -A FORWARD -o $EXT_IF -j NETWORK_2_INTERNET
    ##===================================================================##
    ## End FORWARD Chain Rules ##
    ##========================================================================##
    ### END FIREWALL RULES ###

    ###############################################################################
    ## IPTABLES Network Address Translation(NAT) Rules
    ###############################################################################
    ## Only the first packet of the connection is checked with -t nat PREROUTING.
    ## Once the first packet has traversed the nat table the result of that
    ## traversal is applied to all other packets belonging to that connection !

    ## Prevent class A/B/C/D and spoofed addresses from reaching the network
    # Internet to Gateway/Network
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -j NAT_SRC_EGRESS
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -s $EXT_IP -j LOG_AND_DROP
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -d ! $EXT_IP -j LOG_AND_DROP  #equivalent as DST_EGRESS
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -s $LOOPBACK_SUBNET -j LOG_AND_DROP

    ## Destination NAT -- (DNAT)
    ##========================================================================##
    ## "Redirect" packets headed for certain ports on our external interface
    ## to other machines on the network. (Examples)

    # Refuse direct connections to port 8050
    $IPTABLES -t nat -A PREROUTING -i $LAN1_IF -p tcp \
        -s $LAN1_SUBNET --sport $UNPRIVPORTS \
        -d $LAN1_IP --dport 8050 -j LOG_AND_DROP
    # Redirect connections on port 80 to port 8050
    $IPTABLES -t nat -A PREROUTING -i $LAN1_IF -p tcp \
        -s $LAN1_SUBNET --sport $UNPRIVPORTS \
        -d $LAN1_IP --dport 80 -j REDIRECT --to-port 8050

    ## Internal network to the external IP
    $IPTABLES -t nat -A PREROUTING -i $LAN1_IF -p tcp \
        -s $LAN1_SUBNET --sport $UNPRIVPORTS \
        -d $EXT_IP --dport 8050 -j LOG_AND_DROP
    # Redirect internal connections to the external IP from port 80 to port 8050
    $IPTABLES -t nat -A PREROUTING -i $LAN1_IF -p tcp \
        -s $LAN1_SUBNET --sport $UNPRIVPORTS \
        -d $EXT_IP --dport 80 -j DNAT --to-destination 192.168.1.11:8050

    # Refuse direct connections to port 8050
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp \
        -s 0.0.0.0/0 --sport $UNPRIVPORTS \
        -d $EXT_IP --dport 8050 -j LOG_AND_DROP
    # Redirect connections on port 80 to port 8050
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp \
        -s 0.0.0.0/0 --sport $UNPRIVPORTS \
        -d $EXT_IP --dport 80 -j DNAT --to-destination 192.168.1.11:8050
    #   -d $EXT_IP --dport 80 -j REDIRECT --to-port 8050

    # EDONKEY
    # Redirect connections on port 4662 to the internal network
    # $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp \
    #     -s 0.0.0.0/0 --sport $UNPRIVPORTS \
    #     -d $EXT_IP --dport 4662 -j DNAT --to-destination 192.168.1.10:4662

    # Redirect requests from the internal network to the external IP, port 21, to the internal IP
    # $IPTABLES -t nat -A PREROUTING -i $LAN1_IF -p tcp \
    #     -s $LAN1_SUBNET --sport $UNPRIVPORTS \
    #     -d $EXT_IP --dport 21 -j DNAT --to-destination 192.168.1.11:21

    ##------------------------------------------------------------------------##
    ## SSH
    # $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport 22 \
    #     -j DNAT --to-destination 192.168.69.69:22
    ##------------------------------------------------------------------------##
    ##------------------------------------------------------------------------##
    ## WWW
    # $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport 80 \
    #     -j DNAT --to-destination 192.168.69.69:80
    ##------------------------------------------------------------------------##

    ###############################################################################
    ## Source NAT -- (SNAT/Masquerading)
    # Gateway/Network to Internet
    $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -d $LOOPBACK_SUBNET -j LOG_AND_DROP
    $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j NAT_DST_EGRESS

    ## Source NAT allows us to "masquerade" our internal machines behind our
    ## firewall. (Examples)
    ##========================================================================##
    ## Static IP address ##
    $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $LAN1_SUBNET \
        -j SNAT --to-source $EXT_IP
    ##========================================================================##
    ## Dynamic IP address ##
    # $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $LAN1_SUBNET \
    #     -j MASQUERADE
    ##========================================================================##
    ### END NAT RULES ###

    ###############################################################################
    ## Additional Kernel Configuration
    ###############################################################################
    ## Adjust for your requirements/preferences.
    ## For more information regarding the options below see the resources
    ## listed at the top of the script or the Documentation that comes with
    ## the Linux Kernel source.
    ## For Example: linux/Documentation/filesystems/proc.txt
    ##              linux/Documentation/networking/ip-sysctl.txt
    ##========================================================================##
    ## Kill timestamps. They have been the subject of a recent bugtraq thread
    # if [ -e /proc/sys/net/ipv4/tcp_timestamps ]; then
        echo "0" > /proc/sys/net/ipv4/tcp_timestamps
    # fi
    ##========================================================================##
    ## Prevent SYN Flood attack
    # if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
        echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    # fi
    ##========================================================================##
    ## Set the maximum number of connections to track. (Kernel Default: 2048)
    # if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]; then
        echo "4096" > /proc/sys/net/ipv4/ip_conntrack_max
    # fi
    ##========================================================================##
    ## Local port range for TCP/UDP connections
    # if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
        echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range
    # fi
    ##========================================================================##
    ## Disable TCP Explicit Congestion Notification Support
    # if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
    #     echo "0" > /proc/sys/net/ipv4/tcp_ecn
    # fi
    ##========================================================================##
    ## Disable source routing of packets
    # if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
        for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
            echo "0" > $i
        done
    # fi
    ##========================================================================##
    ## Enable rp_filter
    # if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo "1" > $i
            #echo "2" > $i
        done
    # fi
    ##========================================================================##
    ## Ignore any broadcast icmp echo requests
    # if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
        echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # fi
    ##========================================================================##
    ## Ignore all icmp echo requests on all interfaces
    # if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then
        echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
    # fi
    ##========================================================================##
    ## Log packets with impossible addresses to kernel log.
    # if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
        echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    # fi
    ##========================================================================##
    ## Don't accept ICMP redirects
    ## Disable on all interfaces
    # if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
    #     echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    # fi
    ## Disable only on the external interface.
    # if [ -e /proc/sys/net/ipv4/conf/$EXT_IF/accept_redirects ]; then
        echo "0" > /proc/sys/net/ipv4/conf/$EXT_IF/accept_redirects
    # fi
    ##========================================================================##
    ## Additional options for dialup connections with a dynamic ip address
    ## See: linux/Documentation/networking/ip_dynaddr.txt
    # if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
        echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    # fi
    ##========================================================================##
    ## Enable Bad error message protection
    # if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
        echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    # fi
    ##========================================================================##
    ## Reduce DoS'ing ability by reducing timeouts
    # if [ -e /proc/sys/net/ipv4/tcp_fin_timeout ]; then
        echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
    # fi
    # if [ -e /proc/sys/net/ipv4/tcp_keepalive_time ]; then
        echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
    # fi
    # if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]; then
        echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
    # fi
    # if [ -e /proc/sys/net/ipv4/tcp_sack ]; then    ## the posted test path read "tcp__sack"
        echo "0" > /proc/sys/net/ipv4/tcp_sack
    # fi
    ##========================================================================##
    ## Enable IP Forwarding
    if [ -e /proc/sys/net/ipv4/ip_forward ]; then
        echo "1" > /proc/sys/net/ipv4/ip_forward
    else
        echo "Uh oh: /proc/sys/net/ipv4/ip_forward does not exist"
        echo "(That may be a problem)"
        echo
    fi
    ##========================================================================##
    ## EOF ##
}

stop() {
    echo -n "Internal rules only"
    echo "0" > /proc/sys/net/ipv4/ip_forward

    $IPTABLES -F
    ## Flush Built-in Rules
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    ## Flush Rules/Delete User Chains in Mangle Table, if any
    $IPTABLES -F -t mangle
    $IPTABLES -X -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X -t nat
    $IPTABLES -F -t filter
    $IPTABLES -X -t filter
    ## Delete all user-defined chains, reduces dumb warnings if you run
    ## this script more than once.
    $IPTABLES -X

    ## Set Default Policies
    $IPTABLES -P INPUT DROP    ## Highly Recommended Default Policy
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    ## Accept packets to the loopback interface.
    $IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT
    $IPTABLES -A OUTPUT -o $LOOPBACK -j ACCEPT
    ## NETWORK TO GATEWAY (INPUT to our internal interface).
    $IPTABLES -A INPUT -i $LAN1_IF -j ACCEPT
    ## GATEWAY TO NETWORK (OUTPUT on the internal interface).
    $IPTABLES -A OUTPUT -o $LAN1_IF -j ACCEPT

    $IPTABLES -t nat -A PREROUTING -i $LAN1_IF -p tcp \
        -s $LAN1_SUBNET --sport $UNPRIVPORTS \
        -d $LAN1_IP --dport 8050 -j DROP
    # Redirect connections on port 80 to port 8050
    $IPTABLES -t nat -A PREROUTING -i $LAN1_IF -p tcp \
        -s $LAN1_SUBNET --sport $UNPRIVPORTS \
        -d $LAN1_IP --dport 80 -j REDIRECT --to-port 8050
}

debug() {
    echo -n "DEBUG Full ACCESS (Log ALL)"
    echo "1" > /proc/sys/net/ipv4/ip_forward

    $IPTABLES -F
    ## Flush Built-in Rules
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    ## Flush Rules/Delete User Chains in Mangle Table, if any
    $IPTABLES -F -t mangle
    $IPTABLES -X -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X -t nat
    $IPTABLES -F -t filter
    $IPTABLES -X -t filter
    ## Delete all user-defined chains, reduces dumb warnings if you run
    ## this script more than once.
    $IPTABLES -X

    ## Set Default Policies
    $IPTABLES -P INPUT ACCEPT    ## Highly Recommended Default Policy
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT

    ## Accept packets to the loopback interface.
    ## Log everything (rate limited), then accept.
    ## The --log-prefix/--log-level options must follow "-j LOG": iptables only
    ## recognises a target's options once the target has been named.
    $IPTABLES -A INPUT -m limit --limit 5/minute --limit-burst 1 \
        -j LOG --log-prefix "INPUT " --log-level $LOG_LEVEL
    $IPTABLES -A INPUT -j ACCEPT
    $IPTABLES -A FORWARD -m limit --limit 5/minute --limit-burst 1 \
        -j LOG --log-prefix "FORWARD " --log-level $LOG_LEVEL
    $IPTABLES -A FORWARD -j ACCEPT
    $IPTABLES -A OUTPUT -m limit --limit 5/minute --limit-burst 1 \
        -j LOG --log-prefix "OUTPUT " --log-level $LOG_LEVEL
    $IPTABLES -A OUTPUT -j ACCEPT

    $IPTABLES -t nat -A PREROUTING -i $LAN1_IF -p tcp \
        -s $LAN1_SUBNET --sport $UNPRIVPORTS \
        -d $LAN1_IP --dport 8050 -j DROP
    # Redirect connections on port 80 to port 8050
    $IPTABLES -t nat -A PREROUTING -i $LAN1_IF -p tcp \
        -s $LAN1_SUBNET --sport $UNPRIVPORTS \
        -d $LAN1_IP --dport 80 -j REDIRECT --to-port 8050

    # $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $LAN1_SUBNET \
    #     -j SNAT --to-source $EXT_IP
    $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $LAN1_SUBNET \
        -j MASQUERADE
}

remove() {
    echo -n "Remove iptables from modules"
    echo "0" > /proc/sys/net/ipv4/ip_forward

    $IPTABLES -F
    ## Flush Built-in Rules
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    ## Flush Rules/Delete User Chains in Mangle Table, if any
    $IPTABLES -F -t mangle
    $IPTABLES -X -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X -t nat
    $IPTABLES -F -t filter
    $IPTABLES -X -t filter
    $IPTABLES -X

    /sbin/rmmod iptable_mangle
    /sbin/rmmod ipt_LOG
    /sbin/rmmod ipt_limit
    /sbin/rmmod ipt_state
    /sbin/rmmod ipt_TOS
    /sbin/rmmod ipt_REJECT
    /sbin/rmmod ip_nat_ftp
    /sbin/rmmod ip_conntrack_ftp
    /sbin/rmmod iptable_filter
    /sbin/rmmod ipt_REDIRECT
    /sbin/rmmod iptable_nat
    /sbin/rmmod ip_conntrack
    /sbin/rmmod ip_tables
    depmod -a
}

case "$1" in
    start)
        if [ -z "$EXT_IP" ]; then    # External address empty
            stop
        else
            start
        fi
        echo_success
        echo ""
        /usr/bin/logger -t Firewall "External IP $EXT_IP"
        ;;
    stop)
        stop
        echo_success
        echo ""
        /usr/bin/logger -t Firewall "Internal Rules"
        ;;
    debug)
        debug
        ;;
    remove)
        remove
        ;;
    *)
        echo "usage : adsl {start|stop|debug|remove}"
        exit 1
esac
```
**ethernal**
Here's mine ;)

```sh
#!/bin/sh
#
# Startup/shutdown script for iptables (firewall)
#
# chkconfig: 2345 11 89
# description: iptFirewall is based on rc.firewall.iptables.dual -- Version 1.2b3
#              written by Obsid@sentry.net (http://www.sentry.net/~obsid/)
#              on 04/28/01 and Adapted by Ethernal
#              on 09/10/01

. /etc/rc.d/init.d/functions

###############################################################################
# Current versions and documentation are available at
##   http://www.sentry.net/~obsid/IPTab [...] r/current/
## Visit one of the NetFilter Project Home Pages for more information about IPTables.
##   http://netfilter.filewatcher.org/
##   http://netfilter.samba.org/
## More Resources:
##   http://netfilter.filewatcher.org/netfilter-faq.html
##   http://netfilter.filewatcher.org/u [...] index.html
##   http://netfilter.filewatcher.org/u [...] index.html
##   http://netfilter.filewatcher.org/u [...] index.html
##   http://www.ds9a.nl/2.4Routing/HOWT [...] uting.html

#########################
# NETWORK CONFIGURATION #
#########################

EXT_IF="ppp0"    ## External Interface
LAN1_IF="eth0"   ## Internal Interface connected to internal network

#------------#
# LOG OPTION #
#------------#

LOG_LEVEL="info"   ## Default log level: kern.notice

#--------------------#
# OTHER informations #
#--------------------#

## ISP informations ##
DNS_SERVER_G2I="xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx"   #DNS for Gateway : list separated by blank
DNS_SERVER_N2I="xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx"   #DNS for network : list separated by blank
SMTP_SERVER="smtp.isp.xx smtp.isp.xx smtp.isp.xx"
POP_SERVER="pop.isp.xx pop.isp.xx pop.isp.xx"
NEWS_SERVER="news.xxxxxx.xx"
PROXY_SERVER=""
NTP_SERVER="195.13.23.5/32"       #ntp.skynet.be # "" if empty
NTP_SERVER_N2I="195.13.23.5/32"   #ntp.skynet.be # "" if empty
ENABLE_SMB="yes"                  #internal only !!

TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DST_PORTS="33434:33523"

#----------#
# SERVICES #
#----------#

## GATEWAY CAN ACCESS TO THESE SERVICES ON INTERNET
FULL_OUTPUT_G2I="yes"
G2I_SERVICES_TCP="20 21 25 80 110 3306 8080 4661 4662 4665"   # ftp, dns, http, ntp, edonkey
G2I_SERVICES_UDP="4000 $TRACEROUTE_SRC_PORTS 4665"

## NETWORK CAN ACCESS TO THESE SERVICES ON INTERNET
FULL_OUTPUT_N2I="no"
N2I_SERVICES_TCP="20 21 22 53 80 25 110 119 443 554 6699 7755 8080 3306"
N2I_SERVICES_UDP="4000 7755 7778 $TRACEROUTE_SRC_PORTS"   # icq, ut

## INTERNET CAN ACCESS TO THESE SERVICES ON THE GATEWAY
#Thus the gateway has the following services running for internet
I2G_SERVICES_TCP="4661 4662 4665"   # Edonkey
I2G_SERVICES_UDP="4665"

## INTERNET CAN ACCESS TO THESE SERVICES ON THE INTERNAL NETWORK
I2N_SERVICES_TCP=""
I2N_SERVICES_UDP=""

## GATEWAY CAN ACCESS TO THESE SERVICES ON THE INTERNAL NETWORK
FULL_ICMP_G2N="yes"
G2N_SERVICES_TCP=""
G2N_SERVICES_UDP=""

## INTERNAL NETWORK CAN ACCESS TO THESE SERVICES ON THE GATEWAY
#Thus the gateway has the following services running for internal network
FULL_ICMP_N2G="yes"
N2G_SERVICES_TCP="20 21 22 25 30 110 443 515 6566 8050"   # ftp, http, print, scanner
N2G_SERVICES_UDP=""

## DENY ACCESS TO DST PORTS - format name>port (for logging and access)
## Internet can never access to these ports src or dst of the Network
I2N_DENY_PORTS_TCP="DNS>53 RPC>111 SMB>137:139 NFS>2049 MYSQL>3306 \
                    OPEN_WINDOW>2000 XWINDOW>6000:6063"
I2N_DENY_PORTS_UDP="DNS>53 RPC>111 SMB>137:139 NFS>2049"
## Internet can never access to these ports src or dst of the Gateway
I2G_DENY_PORTS_TCP="DNS>53 RPC>111 SMB>137:139 NFS>2049 MYSQL>3306 \
                    OPEN_WINDOW>2000 XWINDOW>6000:6063"
I2G_DENY_PORTS_UDP="DNS>53 RPC>111 SMB>137:139 NFS>2049"
## Gateway can never access to these ports src or dst of the Network
G2N_DENY_PORTS_TCP="NFS>2049"
G2N_DENY_PORTS_UDP="NFS>2049"
## Gateway can never access to these ports src or dst of the Internet
G2I_DENY_PORTS_TCP="SMB>137:139 NFS>2049 XWINDOW>6000:6063"
G2I_DENY_PORTS_UDP="SMB>137:139 NFS>2049"
## Network can never access to these ports src or dst of the Gateway
N2G_DENY_PORTS_TCP="NFS>2049 MYSQL>3306 XWINDOW>6000:6063"
N2G_DENY_PORTS_UDP="NFS>2049"
## Network can never access to these ports src or dst of the Internet
N2I_DENY_PORTS_TCP=""
N2I_DENY_PORTS_UDP=""

## Format for each port: name>port (name for log, port for drop)
ALWAYS_DENY_PORTS_TCP=" Trojan_NetBus2_Pro>20034 \
                        Trojan_NetBus>12345:12346 \
                        Trojan_SubSeven>27374 \
                        Trojan_Trinoo>27665 \
                        Trojan_Trinoo>27444 \
                        Trojan_Trinoo>31335 \
                        Trojan_Mstream>10498 \
                        Trojan_Mstream>12754"
ALWAYS_DENY_PORTS_UDP=" Back_Orifice2K>31337 \
                        Trojan_Trinoo>27444 \
                        Trojan_Trinoo>31335 \
                        Trojan_Mstream>10498"

##########################
## END OF CONFIGURATION ##
##########################

#------------------#
# Iptables command #
#------------------#

IPTABLES="`whereis -b iptables | cut -d \ -f2`"   #/sbin/iptables ## Default IPTables >= v. 1.2.0

#-----------------------#
# Network configuration #
#-----------------------#

LOOPBACK="lo"   ## Loopback interface
LOOPBACK_SUBNET="127.0.0.0/8"

EXT_IP=`ifconfig $EXT_IF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
MYISP=`ifconfig $EXT_IF | grep inet | cut -d : -f 3 | cut -d \ -f 1`

LAN1_IP=`ifconfig $LAN1_IF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
MASK1=`ifconfig $LAN1_IF | grep inet | cut -d : -f 4 | cut -d \ -f 1`
LAN1_SUBNET="$LAN1_IP/$MASK1"   ## 192.168.xx.xx/255.255.255.0

## LAN2_IF is not set in the configuration above; these three lines only
## matter on a gateway with a second internal interface.
LAN2_IP=`ifconfig $LAN2_IF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
MASK2=`ifconfig $LAN2_IF | grep inet | cut -d : -f 4 | cut -d \ -f 1`
LAN2_SUBNET="$LAN2_IP/$MASK2"   ## 10.0.0.10/255.255.255.0

## Only Services launched by privileged user (root) run with PRIVPORTS
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"

#-----------#
# VARIABLES #
#-----------#

#SPECIAL ADDRESS
CLASS_A="10.0.0.0/8"                 # Class A Private Network
CLASS_B="172.16.0.0/12"              # Class B Private Network
CLASS_C="192.168.0.0/16"             # Class C Private Network
CLASS_D_MULTICAST="224.0.0.0/4"      # Class D Multicast Network
CLASS_E_RESERVED_NET="240.0.0.0/5"   # Class E Reserved Network
BROADCAST_SRC="0.0.0.0"
BROADCAST_DST="255.255.255.255"
SMURF_ATTACK="255.255.255.0/32"

## Reserved/Private IP Addresses ##
## The following was adapted from Jean-Sebastien Morisset's excellent IPChains
## firewall script, available at -- http://jsmoriss.mvlan.net/linux/rcf.html
## See DOCUMENTATION for optimization notes.

RESERVED_NET=" 0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 \
 5.0.0.0/8 \
 7.0.0.0/8 \
 23.0.0.0/8 \
 27.0.0.0/8 \
 31.0.0.0/8 \
 36.0.0.0/8 37.0.0.0/8 \
 39.0.0.0/8 \
 41.0.0.0/8 42.0.0.0/8 \
 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
 67.0.0.0/8 68.0.0.0/8 69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
 74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 \
 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
 88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 \
 95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8 \
 102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 \
 108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 \
 114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 \
 120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 \
 126.0.0.0/8 127.0.0.0/8 \
 197.0.0.0/8 \
 201.0.0.0/8 \
 219.0.0.0/8 220.0.0.0/8 221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 \
 240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 \
 246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 \
 252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"

##########################
## Begin Function Start ##
##########################

start() {
    echo -n "Starting Firewalling"

    /sbin/modprobe ip_conntrack_ftp > /dev/null 2>&1
    /sbin/modprobe ip_nat_ftp > /dev/null 2>&1

    ## Attempt to Flush All Rules in Filter Table
    $IPTABLES -F
    $IPTABLES -X

    ## Flush Rules/Delete User Chains in Mangle Table, if any
    # TOS chains (Applied first and last)
    $IPTABLES -F -t mangle
    $IPTABLES -X -t mangle
    # NAT chains (Applied in second position)
    $IPTABLES -F -t nat
    $IPTABLES -X -t nat
    # All other chains (INPUT-FORWARD-OUTPUT)
    $IPTABLES -F -t filter
    $IPTABLES -X -t filter

    ## Set Default Policies
    # Used to define TOS rules
    $IPTABLES -t mangle -P PREROUTING ACCEPT   # default
    $IPTABLES -t mangle -P OUTPUT ACCEPT       # default
    # The chain applied to the first packet is applied to all others of this connection
    $IPTABLES -t nat -P PREROUTING ACCEPT      # default
    $IPTABLES -t nat -P POSTROUTING ACCEPT     # default
    $IPTABLES -t nat -P OUTPUT ACCEPT          # default
    # All other rules
    $IPTABLES -t filter -P INPUT DROP          ## Highly Recommended Default Policy
    $IPTABLES -t filter -P OUTPUT DROP
    $IPTABLES -t filter -P FORWARD DROP

    ## NOTE: User-defined chains first, regular INPUT/OUTPUT chains will follow.

    ###############################################################################
    ## Special Chains
    ###############################################################################

    ###############################################################################
    ## Special chain KEEP_STATE to handle incoming, outgoing, and
    ## established connections.
    $IPTABLES -N KEEP_STATE
    $IPTABLES -F KEEP_STATE
    ##------------------------------------------------------------------------##
    ## DROP packets associated with an "INVALID" connection.
    $IPTABLES -A KEEP_STATE -m state --state INVALID -j DROP
    ##------------------------------------------------------------------------##
    ## UNCLEAN match target, somewhat experimental at this point.
    # $IPTABLES -A KEEP_STATE -m unclean -j DROP
    ##------------------------------------------------------------------------##
    ## ACCEPT packets which are related to an established connection.
    $IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT

    ###############################################################################
    ## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain
    ## TCP flags set.
    ## We set some limits here to limit the amount of crap that gets sent to the logs.
    ## Keep in mind that these rules should never match normal traffic, they
    ## are designed to capture obviously messed up packets... but there's a lot of
    ## weird shit out there, so who knows.
    $IPTABLES -N CHECK_FLAGS
    $IPTABLES -F CHECK_FLAGS
    ##------------------------------------------------------------------------##
    ## NMAP FIN/URG/PSH
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH \
        -m limit --limit 5/minute --limit-burst 1 \
        -j LOG --log-level $LOG_LEVEL --log-prefix "NMAP-XMAS:"
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    ##------------------------------------------------------------------------##
    ## SYN/RST
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST \
        -m limit --limit 5/minute --limit-burst 1 \
        -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/RST:"
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    ##------------------------------------------------------------------------##
    ## SYN/FIN -- Scan(probably)
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN \
        -m limit --limit 5/minute --limit-burst 1 \
        -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/FIN (scan):"
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    ##------------------------------------------------------------------------##
    ## Make some types of port scans annoyingly slow, also provides some
    ## protection against certain DoS attacks. The rule in chain KEEP_STATE
    ## referring to the INVALID state should catch most TCP packets with the
    ## RST or FIN bits set that aren't associated with an established connection.
    ## Still, these will limit the amount of stuff that is accepted through our
    ## open ports(if any). I suggest you test these for your configuration before
    ## you uncomment them, as they could cause problems.
    # $IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp --tcp-flags ALL RST -j ACCEPT
    # $IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp --tcp-flags ALL FIN -j ACCEPT
    # $IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp --tcp-flags ALL SYN -j ACCEPT

    ###############################################################################
    ## Special Chain ALWAYS_DENY_PORTS
    ## This chain will DROP/LOG packets based on port number (applied in all cases).
    ## src ports & dst ports denied !!
    $IPTABLES -N ALWAYS_DENY_PORTS
    $IPTABLES -F ALWAYS_DENY_PORTS
    ##--------------------------------------------------------------------##
    ## DROP TCP packets based on port number.
    ## TCP ##
    for INFO in $ALWAYS_DENY_PORTS_TCP; do
        echo $INFO | {
            IFS='>' read NAME PORT
            $IPTABLES -A ALWAYS_DENY_PORTS -p tcp --dport $PORT \
                -m limit --limit 5/minute --limit-burst 1 \
                -j LOG --log-level $LOG_LEVEL --log-prefix "$NAME PORT:"
            $IPTABLES -A ALWAYS_DENY_PORTS -p tcp --sport $PORT \
                -m limit --limit 5/minute --limit-burst 1 \
                -j LOG --log-level $LOG_LEVEL --log-prefix "$NAME PORT:"
            $IPTABLES -A ALWAYS_DENY_PORTS -p tcp --dport $PORT -j DROP
            $IPTABLES -A ALWAYS_DENY_PORTS -p tcp --sport $PORT -j DROP
        }
    done
    ##--------------------------------------------------------------------##
    ## DROP UDP packets based on port number.
    ## UDP ##
    for INFO in $ALWAYS_DENY_PORTS_UDP; do
        echo $INFO | {
            IFS='>' read NAME PORT
            $IPTABLES -A ALWAYS_DENY_PORTS -p udp --dport $PORT \
                -m limit --limit 5/minute --limit-burst 1 \
                -j LOG --log-level $LOG_LEVEL --log-prefix "$NAME PORT:"
            $IPTABLES -A ALWAYS_DENY_PORTS -p udp --sport $PORT \
                -m limit --limit 5/minute --limit-burst 1 \
                -j LOG --log-level $LOG_LEVEL --log-prefix "$NAME PORT:"
            $IPTABLES -A ALWAYS_DENY_PORTS -p udp --dport $PORT -j DROP
            $IPTABLES -A ALWAYS_DENY_PORTS -p udp --sport $PORT -j DROP
        }
    done
    ##--------------------------------------------------------------------##

    ###############################################################################
    ## Special Chain I2G_DENY_PORTS
    ## This chain will DROP/LOG packets based on port number.
    $IPTABLES -N I2G_DENY_PORTS
    $IPTABLES -F I2G_DENY_PORTS
    ##--------------------------------------------------------------------##
    ## DROP TCP packets based on port number.
    ## TCP ##
    for INFO in $I2G_DENY_PORTS_TCP; do
        echo $INFO | {
            IFS='>' read NAME PORT
            $IPTABLES -A I2G_DENY_PORTS -p tcp --dport $PORT \
                -m limit --limit 5/minute --limit-burst 1 \
                -j LOG --log-level $LOG_LEVEL --log-prefix "$NAME PORT:"
            $IPTABLES -A I2G_DENY_PORTS -p tcp --dport $PORT -j DROP
        }
    done
    ##--------------------------------------------------------------------##
    ## DROP UDP packets based on port number.
    ## UDP ##
    for INFO in $I2G_DENY_PORTS_UDP; do
        echo $INFO | {
            IFS='>' read NAME PORT
            $IPTABLES -A I2G_DENY_PORTS -p udp --dport $PORT \
                -m limit --limit 5/minute --limit-burst 1 \
                -j LOG --log-level $LOG_LEVEL --log-prefix "$NAME PORT:"
            $IPTABLES -A I2G_DENY_PORTS -p udp --dport $PORT -j DROP
        }
    done
    ##--------------------------------------------------------------------##

    ###############################################################################
    ## Special Chain I2N_DENY_PORTS
    ## This chain will DROP/LOG packets based on port number.
```
$IPTABLES -N I2N_DENY_PORTS $IPTABLES -F I2N_DENY_PORTS ##--------------------------------------------------------------------## ## DROP TCP packets based on port number. ## TCP ## for INFO in $I2N_DENY_PORTS_TCP; do echo $INFO | { IFS='>' read NAME PORT $IPTABLES -A I2N_DENY_PORTS -p tcp --dport $PORT \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "$NAME PORT:" $IPTABLES -A I2N_DENY_PORTS -p tcp --dport $PORT -j DROP } done ##--------------------------------------------------------------------## ## DROP UDP packets based on port number. ## UDP ## for INFO in $I2N_DENY_PORTS_UDP; do echo $INFO | { IFS='>' read NAME PORT $IPTABLES -A I2N_DENY_PORTS -p udp --dport $PORT \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "$NAME PORT:" $IPTABLES -A I2N_DENY_PORTS -p udp --dport $PORT -j DROP } done ##------------------------------------------------ --------------------## ################################################## ############################# ## Special Chain G2N_DENY_PORTS ## This chain will DROP/LOG packets based on port number. $IPTABLES -N G2N_DENY_PORTS $IPTABLES -F G2N_DENY_PORTS ##--------------------------------------------------------------------## ## DROP TCP packets based on port number. ## TCP ## for INFO in $G2N_DENY_PORTS_TCP; do echo $INFO | { IFS='>' read NAME PORT $IPTABLES -A G2N_DENY_PORTS -p tcp --dport $PORT \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "$NAME PORT:" $IPTABLES -A G2N_DENY_PORTS -p tcp --dport $PORT -j DROP } done ##--------------------------------------------------------------------## ## DROP UDP packets based on port number. 
## UDP ## for INFO in $G2N_DENY_PORTS_UDP; do echo $INFO | { IFS='>' read NAME PORT $IPTABLES -A G2N_DENY_PORTS -p udp --dport $PORT \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "$NAME PORT:" $IPTABLES -A G2N_DENY_PORTS -p udp --dport $PORT -j DROP } done ##------------------------------------------------ --------------------## ################################################## ############################# ## Special Chain G2I_DENY_PORTS ## This chain will DROP/LOG packets based on port number. $IPTABLES -N G2I_DENY_PORTS $IPTABLES -F G2I_DENY_PORTS ##--------------------------------------------------------------------## ## DROP TCP packets based on port number. ## TCP ## for INFO in $G2I_DENY_PORTS_TCP; do echo $INFO | { IFS='>' read NAME PORT $IPTABLES -A G2I_DENY_PORTS -p tcp --dport $PORT \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "$NAME PORT:" $IPTABLES -A G2I_DENY_PORTS -p tcp --dport $PORT -j DROP } done ##--------------------------------------------------------------------## ## DROP UDP packets based on port number. ## UDP ## for INFO in $G2I_DENY_PORTS_UDP; do echo $INFO | { IFS='>' read NAME PORT $IPTABLES -A G2I_DENY_PORTS -p udp --dport $PORT \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "$NAME PORT:" $IPTABLES -A G2I_DENY_PORTS -p udp --dport $PORT -j DROP } done ##------------------------------------------------ ------------------------## ################################################## ############################# ## Special Chain N2G_DENY_PORTS ## This chain will DROP/LOG packets based on port number. $IPTABLES -N N2G_DENY_PORTS $IPTABLES -F N2G_DENY_PORTS ##--------------------------------------------------------------------## ## DROP TCP packets based on port number. 
## TCP ## for INFO in $N2G_DENY_PORTS_TCP; do echo $INFO | { IFS='>' read NAME PORT $IPTABLES -A N2G_DENY_PORTS -p tcp --dport $PORT \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "$NAME PORT:" $IPTABLES -A N2G_DENY_PORTS -p tcp --dport $PORT -j DROP } done ##--------------------------------------------------------------------## ## DROP UDP packets based on port number. ## UDP ## for INFO in $N2G_DENY_PORTS_UDP; do echo $INFO | { IFS='>' read NAME PORT $IPTABLES -A N2G_DENY_PORTS -p udp --dport $PORT \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "$NAME PORT:" $IPTABLES -A N2G_DENY_PORTS -p udp --dport $PORT -j DROP } done ##------------------------------------------------ --------------------## ################################################## ############################# ## Special Chain N2I_DENY_PORTS ## This chain will DROP/LOG packets based on port number. $IPTABLES -N N2I_DENY_PORTS $IPTABLES -F N2I_DENY_PORTS ##--------------------------------------------------------------------## ## DROP TCP packets based on port number. ## TCP ## for INFO in $N2I_DENY_PORTS_TCP; do echo $INFO | { IFS='>' read NAME PORT $IPTABLES -A N2I_DENY_PORTS -p tcp --dport $PORT \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "$NAME PORT:" $IPTABLES -A N2I_DENY_PORTS -p tcp --dport $PORT -j DROP } done ##--------------------------------------------------------------------## ## DROP UDP packets based on port number. 
## UDP ## for INFO in $N2I_DENY_PORTS_UDP; do echo $INFO | { IFS='>' read NAME PORT $IPTABLES -A N2I_DENY_PORTS -p udp --dport $PORT \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "$NAME PORT:" $IPTABLES -A N2I_DENY_PORTS -p udp --dport $PORT -j DROP } done ##------------------------------------------------ --------------------## ################################################## ############################# ## Special Chain N2G_ALLOW_PORTS ## These rules allows the Internal Network to access to Gateway Services. $IPTABLES -N N2G_ALLOW_PORTS $IPTABLES -F N2G_ALLOW_PORTS ##------------------------------------------------------------------------## ## SAMBA Special Rules (security hole) if [ "$ENABLE_SMB" = "yes" ]; then $IPTABLES -A N2G_ALLOW_PORTS -s $LAN1_SUBNET \ -m state --state NEW \ -p udp --sport 137:138 --dport 137:138 -j ACCEPT $IPTABLES -A N2G_ALLOW_PORTS -s $LAN1_SUBNET \ -m state --state NEW \ -p tcp --sport $UNPRIVPORTS --dport 139 -j ACCEPT fi ##------------------------------------------------------------------------## ## REJECT port 113 ident requests. $IPTABLES -A N2G_ALLOW_PORTS -s $LAN1_SUBNET -d $LAN1_IP -p tcp \ --dport 113 -j REJECT --reject-with tcp-reset ##------------------------------------------------------------------------## ## ACCEPT TCP traffic based on port number. (Examples) for PORT in $N2G_SERVICES_TCP; do $IPTABLES -A N2G_ALLOW_PORTS -s $LAN1_SUBNET -d $LAN1_IP \ -m state --state NEW -p tcp \ --sport $UNPRIVPORTS --dport $PORT -j ACCEPT done ##------------------------------------------------------------------------## ## ACCEPT UDP traffic based on port number. 
for PORT in $N2G_SERVICES_UDP; do $IPTABLES -A N2G_ALLOW_PORTS -s $LAN1_SUBNET -d $LAN1_IP \ -m state --state NEW -p udp \ --sport $UNPRIVPORTS --dport $PORT -j ACCEPT done ##------------------------------------------------------------------------## ## DROP All Other NEW attempts $IPTABLES -A N2G_ALLOW_PORTS -m state --state NEW \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "N2G try to connect to:" $IPTABLES -A N2G_ALLOW_PORTS -m state --state NEW -j DROP ##------------------------------------------------ ------------------------## ################################################## ############################# ## Special Chain G2N_ALLOW_PORTS ## Theses rules allows the Gateway to access to Internal Network services. ## Not often used ... $IPTABLES -N G2N_ALLOW_PORTS $IPTABLES -F G2N_ALLOW_PORTS ##------------------------------------------------------------------------## ## SAMBA Special Rules (Security Hole). if [ "$ENABLE_SMB" = "yes" ]; then $IPTABLES -A G2N_ALLOW_PORTS -s $LAN1_IP \ -m state --state NEW \ -p udp --sport 137:138 --dport 137:138 -j ACCEPT $IPTABLES -A G2N_ALLOW_PORTS -s $LAN1_IP \ -m state --state NEW \ -p tcp --sport $UNPRIVPORTS --dport 139 -j ACCEPT fi ##------------------------------------------------------------------------## ## REJECT port 113 ident requests. $IPTABLES -A G2N_ALLOW_PORTS -s $LAN1_IP -d $LAN1_SUBNET -p tcp \ --dport 113 -j REJECT --reject-with tcp-reset ##------------------------------------------------------------------------## #---------------------------------------------------------------------## ## ACCEPT TCP traffic based on port number. (Examples) for PORT in $G2N_SERVICES_TCP; do $IPTABLES -A G2N_ALLOW_PORTS -s $LAN1_IP -d $LAN1_SUBNET \ -m state --state NEW -p tcp \ --sport $UNPRIVPORTS --dport $PORT -j ACCEPT done #---------------------------------------------------------------------## ## ACCEPT UDP traffic based on port number. 
(Examples) for PORT in $G2N_SERVICES_UDP; do $IPTABLES -A G2N_ALLOW_PORTS -s $LAN1_IP -d $LAN1_SUBNET \ -m state --state NEW -p udp \ --sport $UNPRIVPORTS --dport $PORT -j ACCEPT done ##------------------------------------------------------------------------## ## DROP All Other NEW attempts $IPTABLES -A G2N_ALLOW_PORTS -m state --state NEW \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "G2N try to connect to:" $IPTABLES -A G2N_ALLOW_PORTS -m state --state NEW -j DROP ##------------------------------------------------------------------------## ############################################################################### ## Special Chain I2G_ALLOW_PORTS ## These rules allows Internet to access to these gateway Services $IPTABLES -N I2G_ALLOW_PORTS $IPTABLES -F I2G_ALLOW_PORTS ##------------------------------------------------------------------------## ## REJECT port 113 ident requests. $IPTABLES -A I2G_ALLOW_PORTS -d $EXT_IP -p tcp --dport 113 \ -j REJECT --reject-with tcp-reset ##------------------------------------------------------------------------## ## ACCEPT TCP traffic based on port number. for PORT in $I2G_SERVICES_TCP; do $IPTABLES -A I2G_ALLOW_PORTS -d $EXT_IP \ -m state --state NEW -p tcp \ -m limit --limit 1/s \ --sport $UNPRIVPORTS --dport $PORT -j ACCEPT done ##------------------------------------------------------------------------## ## ACCEPT UDP traffic based on port number. 
for PORT in $I2G_SERVICES_UDP; do $IPTABLES -A I2G_ALLOW_PORTS -d $EXT_IP \ -m state --state NEW -p udp \ --sport $UNPRIVPORTS --dport $PORT -j ACCEPT done ##------------------------------------------------------------------------## ## DROP All Other NEW attempts $IPTABLES -A I2G_ALLOW_PORTS -m state --state NEW \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "I2G try to connect to:" $IPTABLES -A I2G_ALLOW_PORTS -m state --state NEW -j DROP ##------------------------------------------------ ------------------------## ################################################## ############################# ## Special Chain G2I_ALLOW_PORTS ## These rules allows the Gateway to access to these Internet Services. $IPTABLES -N G2I_ALLOW_PORTS $IPTABLES -F G2I_ALLOW_PORTS ##------------------------------------------------------------------------## ## DNS Special Rules. if [ "$DNS_SERVER_G2I" != "" ]; then for SERVER in $DNS_SERVER_G2I; do $IPTABLES -A G2I_ALLOW_PORTS -s $EXT_IP -d $SERVER \ -m state --state NEW \ -p udp --sport $UNPRIVPORTS --dport 53 -j ACCEPT $IPTABLES -A G2I_ALLOW_PORTS -s $EXT_IP -d $SERVER \ -m state --state NEW \ -p tcp --sport $UNPRIVPORTS --dport 53 -j ACCEPT done $IPTABLES -A G2I_ALLOW_PORTS -m state --state NEW -p udp --dport 53 \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "G2I DNS:" $IPTABLES -A G2I_ALLOW_PORTS -m state --state NEW -p tcp --dport 53 \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "G2I DNS:" $IPTABLES -A G2I_ALLOW_PORTS -m state --state NEW -p udp --dport 53 -j DROP $IPTABLES -A G2I_ALLOW_PORTS -m state --state NEW -p tcp --dport 53 -j DROP fi ##------------------------------------------------------------------------## ## ACCEPT port 113 ident requests. 
$IPTABLES -A G2I_ALLOW_PORTS -s $EXT_IP -p tcp --dport 113 -j ACCEPT ##------------------------------------------------------------------------## ## NTP Special Rules (Security Hole). if [ "$NTP_SERVER" != "" ]; then $IPTABLES -A G2I_ALLOW_PORTS -s $EXT_IP -d $NTP_SERVER \ -m state --state NEW \ -p udp --sport 123 --dport 123 -j ACCEPT $IPTABLES -A G2I_ALLOW_PORTS -m state --state NEW -p udp --dport 123 \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "G2I NTP:" $IPTABLES -A G2I_ALLOW_PORTS -m state --state NEW -p udp --dport 123 -j DROP fi ##------------------------------------------------------------------------## if [ "$FULL_OUTPUT_G2I" = "yes" ]; then echo -n " (full output G2I)" $IPTABLES -A G2I_ALLOW_PORTS -s $EXT_IP -m state --state NEW -p tcp --sport $UNPRIVPORTS -j ACCEPT $IPTABLES -A G2I_ALLOW_PORTS -s $EXT_IP -m state --state NEW -p udp --sport $UNPRIVPORTS -j ACCEPT else ## ACCEPT TCP traffic based on port number. for PORT in $G2I_SERVICES_TCP; do $IPTABLES -A G2I_ALLOW_PORTS -s $EXT_IP \ -m state --state NEW -p tcp \ --sport $UNPRIVPORTS --dport $PORT -j ACCEPT done ##------------------------------------------------------------------------## ## ACCEPT UDP traffic based on port number. for PORT in $G2I_SERVICES_UDP; do $IPTABLES -A G2I_ALLOW_PORTS -s $EXT_IP \ -m state --state NEW -p udp \ --sport $UNPRIVPORTS --dport $PORT -j ACCEPT done ##------------------------------------------------------------------------## ## DROP All Other NEW attempts $IPTABLES -A G2I_ALLOW_PORTS -m state --state NEW -p ! icmp \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "G2I try to connect to:" $IPTABLES -A G2I_ALLOW_PORTS -p ! 
icmp -m state --state NEW -j DROP ##------------------------------------------------------------------------## fi ############################################################################### ## Special Chain N2I_ALLOW_PORTS ## These rules allows the Gateway to access to these Internet Services. $IPTABLES -N N2I_ALLOW_PORTS $IPTABLES -F N2I_ALLOW_PORTS ##------------------------------------------------------------------------## ## DNS Special Rules. if [ "$DNS_SERVER_N2I" != "" ]; then for SERVER in $DNS_SERVER_N2I; do $IPTABLES -A N2I_ALLOW_PORTS -s $LAN1_SUBNET -d $SERVER \ -m state --state NEW \ -p udp --sport $UNPRIVPORTS --dport 53 -j ACCEPT $IPTABLES -A N2I_ALLOW_PORTS -s $LAN1_SUBNET -d $SERVER \ -m state --state NEW \ -p tcp --sport $UNPRIVPORTS --dport 53 -j ACCEPT done $IPTABLES -A N2I_ALLOW_PORTS -m state --state NEW -p udp --dport 53 \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "N2I DNS:" $IPTABLES -A N2I_ALLOW_PORTS -m state --state NEW -p tcp --dport 53 \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "N2I DNS:" $IPTABLES -A N2I_ALLOW_PORTS -m state --state NEW -p udp --dport 53 -j DROP $IPTABLES -A N2I_ALLOW_PORTS -m state --state NEW -p tcp --dport 53 -j DROP fi ##------------------------------------------------------------------------## ## ACCEPT port 113 ident requests. $IPTABLES -A N2I_ALLOW_PORTS -s $LAN1_SUBNET -p tcp --dport 113 -j ACCEPT ##------------------------------------------------------------------------## if [ "$FULL_OUTPUT_N2I" = "yes" ]; then echo -n " (full output N2I)" $IPTABLES -A N2I_ALLOW_PORTS -s $LAN1_SUBNET -m state --state NEW -p tcp --sport $UNPRIVPORTS -j ACCEPT $IPTABLES -A N2I_ALLOW_PORTS -s $LAN1_SUBNET -m state --state NEW -p udp --sport $UNPRIVPORTS -j ACCEPT else ## ACCEPT TCP traffic based on port number. 
(Examples) for PORT in $N2I_SERVICES_TCP; do $IPTABLES -A N2I_ALLOW_PORTS -s $LAN1_SUBNET \ -m state --state NEW -p tcp \ --sport $UNPRIVPORTS --dport $PORT -j ACCEPT done ##------------------------------------------------------------------------## ## ACCEPT UDP traffic based on port number. for PORT in $N2I_SERVICES_UDP; do $IPTABLES -A N2I_ALLOW_PORTS -s $LAN1_SUBNET \ -m state --state NEW -p udp \ --sport $UNPRIVPORTS --dport $PORT -j ACCEPT done ##------------------------------------------------------------------------## ## DROP All Other NEW attempts $IPTABLES -A N2I_ALLOW_PORTS -m state --state NEW -p ! icmp \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "N2I try to connect to:" $IPTABLES -A N2I_ALLOW_PORTS -p ! icmp -m state --state NEW -j DROP ##------------------------------------------------------------------------## fi ############################################################################### ## Special Chain I2N_ALLOW_PORTS ## These rules allows Internet to access to the network Services ## not used ... $IPTABLES -N I2N_ALLOW_PORTS $IPTABLES -F I2N_ALLOW_PORTS ##------------------------------------------------------------------------## ## REJECT port 113 ident requests. $IPTABLES -A I2N_ALLOW_PORTS -d $LAN1_SUBNET -p tcp --dport 113 \ -j REJECT --reject-with tcp-reset ##------------------------------------------------------------------------## ##--------------------------------------------------------------------## ## ACCEPT TCP traffic based on port number. (Examples) for PORT in $I2N_SERVICES_TCP; do $IPTABLES -A I2N_ALLOW_PORTS -d $LAN1_SUBNET \ -m state --state NEW -p tcp \ --sport $UNPRIVPORTS --dport $PORT -j ACCEPT done ##--------------------------------------------------------------------## ## ACCEPT UDP traffic based on port number. 
for PORT in $I2N_SERVICES_UDP; do $IPTABLES -A I2N_ALLOW_PORTS -d $LAN1_SUBNET \ -m state --state NEW -p udp \ --sport $UNPRIVPORTS --dport $PORT -j ACCEPT done ##------------------------------------------------------------------------## ## DROP All Other NEW attempts $IPTABLES -A I2N_ALLOW_PORTS -m state --state NEW \ -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "I2N try to connect to:" $IPTABLES -A I2N_ALLOW_PORTS -m state --state NEW -j DROP ##------------------------------------------------ ------------------------## ################################################## ############################# ## Special Chain N2G_ALLOW_ICMP ## This chain contains rules to allow/drop specific types of ICMP datagrams. $IPTABLES -N N2G_ALLOW_ICMP $IPTABLES -F N2G_ALLOW_ICMP if [ "$FULL_ICMP_N2G" = "yes" ]; then ##------------------------------------------------------------------------## ## Full ICMP $IPTABLES -A N2G_ALLOW_ICMP -p icmp -j ACCEPT else ##------------------------------------------------------------------------## ## Echo Request (ping) (8) (Ping request) $IPTABLES -A N2G_ALLOW_ICMP -p icmp --icmp-type echo-request -j ACCEPT ##------------------------------------------------------------------------## ## Echo Reply (pong) (0) (Ping response) $IPTABLES -A N2G_ALLOW_ICMP -p icmp --icmp-type echo-reply -j ACCEPT ##------------------------------------------------------------------------## ## Request to slow down (4) $IPTABLES -A N2G_ALLOW_ICMP -p icmp --icmp-type source-quench -j ACCEPT ##------------------------------------------------------------------------## ## Parameter Problem (12) $IPTABLES -A N2G_ALLOW_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT ##------------------------------------------------------------------------## ## TTL Time Exeeded (11) (Traceroute response) $IPTABLES -A N2G_ALLOW_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT ##------------------------------------------------------------------------## 
## Fragmentatino needed (for some site) (3 type 4) $IPTABLES -A N2G_ALLOW_ICMP -p icmp --icmp-type fragmentation-needed \ -j ACCEPT ##------------------------------------------------------------------------## ## Destination Unreachable (3) $IPTABLES -A N2G_ALLOW_ICMP -p icmp --icmp-type destination-unreachable \ -j ACCEPT ##------------------------------------------------------------------------## fi ############################################################################### ## Special Chain G2N_ALLOW_ICMP ## This chain contains rules to allow/drop specific types of ICMP datagrams. $IPTABLES -N G2N_ALLOW_ICMP $IPTABLES -F G2N_ALLOW_ICMP ##------------------------------------------------------------------------## ## Protect against SMURF ATTACK $IPTABLES -A G2N_ALLOW_ICMP -p icmp -d $SMURF_ATTACK -j DROP ##------------------------------------------------------------------------## if [ "$FULL_ICMP_G2N" = "yes" ]; then ## Full ICMP $IPTABLES -A G2N_ALLOW_ICMP -p icmp -j ACCEPT else ##------------------------------------------------------------------------## ## Echo Request (ping) (Ping request) $IPTABLES -A G2N_ALLOW_ICMP -p icmp --icmp-type echo-request -j ACCEPT ##------------------------------------------------------------------------## ## Echo Reply (pong) (Ping response) $IPTABLES -A G2N_ALLOW_ICMP -p icmp --icmp-type echo-reply -j ACCEPT ##------------------------------------------------------------------------## ## Request to slow down (4) $IPTABLES -A G2N_ALLOW_ICMP -p icmp --icmp-type source-quench -j ACCEPT ##------------------------------------------------------------------------## ## Parameter Problem (12) $IPTABLES -A G2N_ALLOW_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT ##------------------------------------------------------------------------## ## TTL Exceeded (11) (traceroute response) $IPTABLES -A G2N_ALLOW_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT ##------------------------------------------------------------------------## ## 
Fragmentatino needed (for some site) (3 type 4) $IPTABLES -A G2N_ALLOW_ICMP -p icmp --icmp-type fragmentation-needed \ -j ACCEPT ##------------------------------------------------------------------------## ## Destination Unreachable (3) $IPTABLES -A G2N_ALLOW_ICMP -p icmp --icmp-type destination-unreachable \ -j ACCEPT ##------------------------------------------------------------------------## fi ############################################################################### ## Special Chain G2I_ALLOW_ICMP ## This chain contains rules to allow/drop specific types of ICMP datagrams. $IPTABLES -N G2I_ALLOW_ICMP $IPTABLES -F G2I_ALLOW_ICMP ##------------------------------------------------------------------------## ## Protect against SMURF ATTACK $IPTABLES -A G2I_ALLOW_ICMP -p icmp -d $SMURF_ATTACK -j REJECT ##------------------------------------------------------------------------## ## Echo Request (ping) (8) (Ping request) $IPTABLES -A G2I_ALLOW_ICMP -p icmp --icmp-type echo-request -j ACCEPT ##------------------------------------------------------------------------## ## Echo Reply (pong) (0) (Ping response) $IPTABLES -A G2I_ALLOW_ICMP -d 212.100.160.38 -p icmp --icmp-type echo-reply -j ACCEPT $IPTABLES -A G2I_ALLOW_ICMP -d $MYISP -p icmp --icmp-type echo-reply -j ACCEPT $IPTABLES -A G2I_ALLOW_ICMP -p icmp --icmp-type echo-reply -j DROP ##------------------------------------------------------------------------## ## Request to slow down (4) $IPTABLES -A G2I_ALLOW_ICMP -p icmp --icmp-type source-quench -j ACCEPT ##------------------------------------------------------------------------## ## Parameter Problem (12) $IPTABLES -A G2I_ALLOW_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT ##------------------------------------------------------------------------## ## TTL Exceeded (11) (traceroute response) $IPTABLES -A G2I_ALLOW_ICMP -p icmp --icmp-type time-exceeded -j DROP ##------------------------------------------------------------------------## ## Fragmentatino 
needed (for some site) (3 type 4) $IPTABLES -A G2I_ALLOW_ICMP -p icmp --icmp-type fragmentation-needed \ -j ACCEPT ##------------------------------------------------------------------------## ## Destination Unreachable (3) $IPTABLES -A G2I_ALLOW_ICMP -p icmp --icmp-type destination-unreachable \ -j DROP ##------------------------------------------------------------------------## ############################################################################### ## Special Chain I2G_ALLOW_ICMP ## This chain contains rules to allow/drop specific types of ICMP datagrams. $IPTABLES -N I2G_ALLOW_ICMP $IPTABLES -F I2G_ALLOW_ICMP ##------------------------------------------------------------------------## ## Protect against SMURF ATTACK $IPTABLES -A I2G_ALLOW_ICMP -p icmp -d $SMURF_ATTACK -j DROP ##------------------------------------------------------------------------## ## Echo Request (ping) (8) (Ping request) $IPTABLES -A I2G_ALLOW_ICMP -d $MYISP -p icmp --icmp-type echo-request -j ACCEPT $IPTABLES -A I2G_DENY_PORTS -p icmp -m limit --limit 5/minute --limit-burst 1 \ -j LOG --log-level $LOG_LEVEL --log-prefix "PING I2G:" $IPTABLES -A I2G_ALLOW_ICMP -p icmp --icmp-type echo-request -j DROP ##------------------------------------------------------------------------## ## Echo Reply (pong) (0) (Ping response) $IPTABLES -A I2G_ALLOW_ICMP -p icmp --icmp-type echo-reply -j ACCEPT ##------------------------------------------------------------------------## ## Request to slow down (4) $IPTABLES -A I2G_ALLOW_ICMP -p icmp --icmp-type source-quench -j ACCEPT ##------------------------------------------------------------------------## ## Parameter Problem (12) $IPTABLES -A I2G_ALLOW_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT ##------------------------------------------------------------------------## ## TTL Exceeded (11) (traceroute response) $IPTABLES -A I2G_ALLOW_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT 
##------------------------------------------------------------------------##
## Fragmentation needed (for some sites) (type 3, code 4)
$IPTABLES -A I2G_ALLOW_ICMP -p icmp --icmp-type fragmentation-needed \
          -j ACCEPT
##------------------------------------------------------------------------##
## Destination Unreachable (3)
$IPTABLES -A I2G_ALLOW_ICMP -p icmp --icmp-type destination-unreachable \
          -j ACCEPT
##------------------------------------------------------------------------##

###############################################################################
## Special Chain I2N_ALLOW_ICMP
## This chain contains rules to allow/drop specific types of ICMP datagrams.
$IPTABLES -N I2N_ALLOW_ICMP
$IPTABLES -F I2N_ALLOW_ICMP
##------------------------------------------------------------------------##
## Echo Request (ping) (8) (Ping request)
## LOG all pings, then DROP them
$IPTABLES -A I2N_ALLOW_ICMP -p icmp --icmp-type echo-request \
          -m limit --limit 5/minute --limit-burst 1 \
          -j LOG --log-level $LOG_LEVEL --log-prefix "PING I2N:"
$IPTABLES -A I2N_ALLOW_ICMP -p icmp --icmp-type echo-request -j DROP
##------------------------------------------------------------------------##
## Echo Reply (pong) (0) (Ping response)
$IPTABLES -A I2N_ALLOW_ICMP -p icmp --icmp-type echo-reply -j ACCEPT
##------------------------------------------------------------------------##
## Request to slow down (4)
$IPTABLES -A I2N_ALLOW_ICMP -p icmp --icmp-type source-quench -j ACCEPT
##------------------------------------------------------------------------##
## Parameter Problem (12)
$IPTABLES -A I2N_ALLOW_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
##------------------------------------------------------------------------##
## TTL Exceeded (11) (Traceroute response)
$IPTABLES -A I2N_ALLOW_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
##------------------------------------------------------------------------##
## Fragmentation needed (for some sites) (type 3, code 4)
## Must stay ahead of the Destination Unreachable rule below: it is a type 3
## datagram as well, and dropping it breaks path-MTU discovery.
$IPTABLES -A I2N_ALLOW_ICMP -p icmp --icmp-type fragmentation-needed \
          -j ACCEPT
##------------------------------------------------------------------------##
## Destination Unreachable (3)
$IPTABLES -A I2N_ALLOW_ICMP -p icmp --icmp-type destination-unreachable \
          -j DROP
##------------------------------------------------------------------------##

###############################################################################
## Special Chain N2I_ALLOW_ICMP
## This chain contains rules to allow/drop specific types of ICMP datagrams.
$IPTABLES -N N2I_ALLOW_ICMP
$IPTABLES -F N2I_ALLOW_ICMP
##------------------------------------------------------------------------##
## Protect against SMURF ATTACK
$IPTABLES -A N2I_ALLOW_ICMP -p icmp -d $SMURF_ATTACK -j REJECT
##------------------------------------------------------------------------##
## Echo Request (8) (Ping request)
$IPTABLES -A N2I_ALLOW_ICMP -p icmp --icmp-type echo-request -j ACCEPT
##------------------------------------------------------------------------##
## Echo Reply (pong) (0) (Ping response)
$IPTABLES -A N2I_ALLOW_ICMP -p icmp --icmp-type echo-reply -j DROP
##------------------------------------------------------------------------##
## Request to slow down (4)
$IPTABLES -A N2I_ALLOW_ICMP -p icmp --icmp-type source-quench -j ACCEPT
##------------------------------------------------------------------------##
## Parameter Problem (12)
$IPTABLES -A N2I_ALLOW_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
##------------------------------------------------------------------------##
## TTL Exceeded (11) (Traceroute response)
$IPTABLES -A N2I_ALLOW_ICMP -p icmp --icmp-type time-exceeded -j DROP
##------------------------------------------------------------------------##
## Fragmentation needed (for some sites) (type 3, code 4)
$IPTABLES -A N2I_ALLOW_ICMP -p icmp --icmp-type fragmentation-needed \
          -j ACCEPT
##------------------------------------------------------------------------##
## Destination Unreachable (3)
$IPTABLES -A N2I_ALLOW_ICMP -p icmp --icmp-type destination-unreachable \
          -j ACCEPT
##------------------------------------------------------------------------##

###############################################################################
## Special Chain To LOG and then DROP
## (nat-table chains are consulted only for the first packet of a connection;
## the filter-table SRC_EGRESS/DST_EGRESS copies below are what every packet hits)
$IPTABLES -t nat -N LOG_AND_DROP
$IPTABLES -t nat -F LOG_AND_DROP
$IPTABLES -t nat -A LOG_AND_DROP -m limit --limit 5/minute --limit-burst 1 \
          -j LOG --log-level $LOG_LEVEL
$IPTABLES -t nat -A LOG_AND_DROP -j DROP

###############################################################################
## Special Chain NAT_SRC_EGRESS
## Rules to Provide Egress Filtering Based on Source IP Address.
$IPTABLES -t nat -N NAT_SRC_EGRESS
$IPTABLES -t nat -F NAT_SRC_EGRESS
##------------------------------------------------------------------------##
## DROP all reserved private IP addresses. Some of these may be legit
## for certain networks and configurations. For connection problems,
## traceroute is your friend.
$IPTABLES -t nat -A NAT_SRC_EGRESS -s $CLASS_A -j LOG_AND_DROP
$IPTABLES -t nat -A NAT_SRC_EGRESS -s $CLASS_B -j LOG_AND_DROP
$IPTABLES -t nat -A NAT_SRC_EGRESS -s $CLASS_C -j LOG_AND_DROP
$IPTABLES -t nat -A NAT_SRC_EGRESS -s $CLASS_D_MULTICAST -j LOG_AND_DROP
$IPTABLES -t nat -A NAT_SRC_EGRESS -s $CLASS_E_RESERVED_NET -j LOG_AND_DROP
$IPTABLES -t nat -A NAT_SRC_EGRESS -s $BROADCAST_DST -j LOG_AND_DROP
## DENY SUBNET reserved by IANA
for NET in $RESERVED_NET; do
    $IPTABLES -t nat -A NAT_SRC_EGRESS -s $NET -j DROP
done
##------------------------------------------------------------------------##

###############################################################################
## Special Chain SRC_EGRESS
## Rules to Provide Egress Filtering Based on Source IP Address.
## (filter table, so it cannot jump to the nat-table LOG_AND_DROP chain: plain DROP)
$IPTABLES -N SRC_EGRESS
$IPTABLES -F SRC_EGRESS
##------------------------------------------------------------------------##
## DROP all reserved private IP addresses. Some of these may be legit
## for certain networks and configurations. For connection problems,
## traceroute is your friend.
$IPTABLES -A SRC_EGRESS -s $CLASS_A -j DROP
$IPTABLES -A SRC_EGRESS -s $CLASS_B -j DROP
$IPTABLES -A SRC_EGRESS -s $CLASS_C -j DROP
$IPTABLES -A SRC_EGRESS -s $CLASS_D_MULTICAST -j DROP
$IPTABLES -A SRC_EGRESS -s $CLASS_E_RESERVED_NET -j DROP
$IPTABLES -A SRC_EGRESS -s $BROADCAST_DST -j DROP
## DENY SUBNET reserved by IANA
for NET in $RESERVED_NET; do
    $IPTABLES -A SRC_EGRESS -s $NET -j DROP
done
##------------------------------------------------------------------------##

###############################################################################
## Special Chain NAT_DST_EGRESS
## Rules to Provide Egress Filtering Based on Destination IP Address.
$IPTABLES -t nat -N NAT_DST_EGRESS
$IPTABLES -t nat -F NAT_DST_EGRESS
##------------------------------------------------------------------------##
## DROP all reserved private IP addresses. Some of these may be legit
## for certain networks and configurations. For connection problems,
## traceroute is your friend.
$IPTABLES -t nat -A NAT_DST_EGRESS -d $CLASS_A -j LOG_AND_DROP
$IPTABLES -t nat -A NAT_DST_EGRESS -d $CLASS_B -j LOG_AND_DROP
$IPTABLES -t nat -A NAT_DST_EGRESS -d $CLASS_C -j LOG_AND_DROP
$IPTABLES -t nat -A NAT_DST_EGRESS -d $CLASS_D_MULTICAST -j LOG_AND_DROP
$IPTABLES -t nat -A NAT_DST_EGRESS -d $CLASS_E_RESERVED_NET -j LOG_AND_DROP
$IPTABLES -t nat -A NAT_DST_EGRESS -d $BROADCAST_SRC -j LOG_AND_DROP
## DENY SUBNET reserved by IANA
for NET in $RESERVED_NET; do
    $IPTABLES -t nat -A NAT_DST_EGRESS -d $NET -j DROP
done

###############################################################################
## Special Chain DST_EGRESS
## Rules to Provide Egress Filtering Based on Destination IP Address.
$IPTABLES -N DST_EGRESS
$IPTABLES -F DST_EGRESS
##------------------------------------------------------------------------##
## DROP all reserved private IP addresses. Some of these may be legit
## for certain networks and configurations. For connection problems,
## traceroute is your friend.
$IPTABLES -A DST_EGRESS -d $CLASS_A -j DROP
$IPTABLES -A DST_EGRESS -d $CLASS_B -j DROP
$IPTABLES -A DST_EGRESS -d $CLASS_C -j DROP
$IPTABLES -A DST_EGRESS -d $CLASS_D_MULTICAST -j DROP
$IPTABLES -A DST_EGRESS -d $CLASS_E_RESERVED_NET -j DROP
$IPTABLES -A DST_EGRESS -d $BROADCAST_SRC -j DROP
## DENY SUBNET reserved by IANA
for NET in $RESERVED_NET; do
    $IPTABLES -A DST_EGRESS -d $NET -j DROP
done
##------------------------------------------------------------------------##

###############################################################################
## Special Chain MANGLE_OUTPUT
## Mangle values of packets created locally. Only TOS values are mangled right
## now.
## TOS stuff: (type: iptables -m tos -h)
##   Minimize-Delay        16 (0x10)
##   Maximize-Throughput    8 (0x08)
##   Maximize-Reliability   4 (0x04)
##   Minimize-Cost          2 (0x02)
##   Normal-Service         0 (0x00)
$IPTABLES -t mangle -N MANGLE_OUTPUT
$IPTABLES -t mangle -F MANGLE_OUTPUT
##------------------------------------------------------------------------##
## - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
## - To view the mangle table, type: iptables -L -t mangle
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 20 -j TOS --set-tos 8
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 21 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 22 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 23 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 25 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 53 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p udp --dport 53 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 80 -j TOS --set-tos 8
##------------------------------------------------------------------------##

###############################################################################
## Special Chain MANGLE_PREROUTING
## Rules to mangle TOS values of packets routed through the firewall. Only TOS
## values are mangled right now.
## TOS stuff: (type: iptables -m tos -h)
##   Minimize-Delay        16 (0x10)
##   Maximize-Throughput    8 (0x08)
##   Maximize-Reliability   4 (0x04)
##   Minimize-Cost          2 (0x02)
##   Normal-Service         0 (0x00)
$IPTABLES -t mangle -N MANGLE_PREROUTING
$IPTABLES -t mangle -F MANGLE_PREROUTING
##------------------------------------------------------------------------##
## - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
## - To view the mangle table, type: iptables -L -t mangle
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 20 -j TOS --set-tos 8
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 21 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 22 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 23 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 25 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 53 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p udp --dport 53 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 80 -j TOS --set-tos 8
##------------------------------------------------------------------------##

###############################################################################
## New chain for Access from Network to Gateway
###############################################################################
# IN:LAN1_IF  OUT:-  SRC:LAN1_SUBNET  DST:LAN1_IP
$IPTABLES -N NETWORK_2_GATEWAY
$IPTABLES -F NETWORK_2_GATEWAY
## CHECK_FLAGS will DROP and log TCP packets with certain TCP flags set.
$IPTABLES -A NETWORK_2_GATEWAY -p tcp -j CHECK_FLAGS
## Filter incoming packets based on port number (Trojan,NFS,...)
## ("-p ! icmp" is the iptables 1.2 spelling; from 1.4.3 on the negation goes
## first: "! -p icmp")
$IPTABLES -A NETWORK_2_GATEWAY -p ! icmp -j ALWAYS_DENY_PORTS
$IPTABLES -A NETWORK_2_GATEWAY -p ! icmp -j N2G_DENY_PORTS
## DROP/ACCEPT packets based on the state of the connection.
$IPTABLES -A NETWORK_2_GATEWAY -s $LAN1_SUBNET -d $LAN1_IP -j KEEP_STATE
## Network can access Services on the Gateway
$IPTABLES -A NETWORK_2_GATEWAY -p ! icmp -j N2G_ALLOW_PORTS
## Network can send icmp to the Gateway
$IPTABLES -A NETWORK_2_GATEWAY -s $LAN1_SUBNET -d $LAN1_IP \
          -p icmp -j N2G_ALLOW_ICMP

###############################################################################
## New chain for Access from Gateway to Network
###############################################################################
# IN:-  OUT:LAN1_IF  SRC:LAN1_IP  DST:LAN1_SUBNET
$IPTABLES -N GATEWAY_2_NETWORK
$IPTABLES -F GATEWAY_2_NETWORK
## CHECK_FLAGS will DROP and log TCP packets with certain TCP flags set.
$IPTABLES -A GATEWAY_2_NETWORK -p tcp -j CHECK_FLAGS
## Filter outgoing packets based on port number.
$IPTABLES -A GATEWAY_2_NETWORK -p ! icmp -j ALWAYS_DENY_PORTS
$IPTABLES -A GATEWAY_2_NETWORK -p ! icmp -j G2N_DENY_PORTS
## DROP/ACCEPT packets based on the state of the connection.
$IPTABLES -A GATEWAY_2_NETWORK -s $LAN1_IP -d $LAN1_SUBNET \
          -j KEEP_STATE
## Gateway can access Services on Network
$IPTABLES -A GATEWAY_2_NETWORK -p ! icmp -j G2N_ALLOW_PORTS
## Gateway can send icmp to the Network
$IPTABLES -A GATEWAY_2_NETWORK -s $LAN1_IP -d $LAN1_SUBNET \
          -p icmp -j G2N_ALLOW_ICMP

###############################################################################
## New chain for Access from Gateway to Internet
###############################################################################
# IN:-  OUT:EXT_IF  SRC:EXT_IP  DST:Any
$IPTABLES -N GATEWAY_2_INTERNET
$IPTABLES -F GATEWAY_2_INTERNET
## Filter out Reserved/Private IP addresses based on source IP.
# $IPTABLES -A GATEWAY_2_INTERNET -j SRC_EGRESS
## Filter out Reserved/Private IP addresses based on destination IP.
$IPTABLES -A GATEWAY_2_INTERNET -j DST_EGRESS
## CHECK_FLAGS will DROP and log TCP packets with certain TCP flags set.
$IPTABLES -A GATEWAY_2_INTERNET -p tcp -j CHECK_FLAGS
## Filter outgoing packets based on port number.
$IPTABLES -A GATEWAY_2_INTERNET -p ! icmp -j ALWAYS_DENY_PORTS
$IPTABLES -A GATEWAY_2_INTERNET -p ! icmp -j G2I_DENY_PORTS
## DROP/ACCEPT packets based on the state of the connection.
$IPTABLES -A GATEWAY_2_INTERNET -j KEEP_STATE
## After keep_state, for internal services offered to the internet:
## Refuse all traffic not coming from my network
$IPTABLES -A GATEWAY_2_INTERNET -s ! $EXT_IP -j DROP
## Gateway can access Services on Internet
$IPTABLES -A GATEWAY_2_INTERNET -p ! icmp -j G2I_ALLOW_PORTS
## Gateway can send icmp to the Internet
$IPTABLES -A GATEWAY_2_INTERNET -p icmp -j G2I_ALLOW_ICMP

###############################################################################
## New chain for Access from Network to Internet
###############################################################################
# IN:-  OUT:EXT_IF  SRC:LAN1_SUBNET  DST:Any
$IPTABLES -N NETWORK_2_INTERNET
$IPTABLES -F NETWORK_2_INTERNET
## Refuse all traffic not coming from MY network
$IPTABLES -A NETWORK_2_INTERNET -s ! $LAN1_SUBNET -j DROP
## Filter out Reserved/Private IP addresses based on destination IP.
## (no SRC_EGRESS here: LAN packets still carry their private source address
## at this point, SNAT only happens afterwards in nat POSTROUTING)
$IPTABLES -A NETWORK_2_INTERNET -j DST_EGRESS
## Check TCP packets for weird flag combinations.
$IPTABLES -A NETWORK_2_INTERNET -p tcp -j CHECK_FLAGS
## Filter outgoing packets based on port number.
$IPTABLES -A NETWORK_2_INTERNET -p ! icmp -j ALWAYS_DENY_PORTS
$IPTABLES -A NETWORK_2_INTERNET -p ! icmp -j N2I_DENY_PORTS
## DROP/ACCEPT packets based on the state of the connection.
$IPTABLES -A NETWORK_2_INTERNET -j KEEP_STATE
## Network can access Services on Internet
$IPTABLES -A NETWORK_2_INTERNET -p ! icmp -j N2I_ALLOW_PORTS
## Network can send icmp to the Internet
$IPTABLES -A NETWORK_2_INTERNET -p icmp -j N2I_ALLOW_ICMP

###############################################################################
## New chain for Access from Internet to Gateway
###############################################################################
# IN:EXT_IF  OUT:-  SRC:Any  DST:EXT_IP
$IPTABLES -N INTERNET_2_GATEWAY
$IPTABLES -F INTERNET_2_GATEWAY
## Refuse fragmented packets (-f matches the second and later fragments)
$IPTABLES -A INTERNET_2_GATEWAY -f -j DROP
# Nimda -> iptables 1.2.3 (string match)
# $IPTABLES -A INTERNET_2_GATEWAY -m string --string "cmd.exe" -p tcp --dport 8050 -j REJECT
# $IPTABLES -A INTERNET_2_GATEWAY -m string --string "root.exe" -p tcp --dport 8050 -j REJECT
# $IPTABLES -A INTERNET_2_GATEWAY -m string --string "msadc.exe" -p tcp --dport 8050 -j REJECT
## Refuse all traffic not for the gateway !
# $IPTABLES -A INTERNET_2_GATEWAY -j LOG
# $IPTABLES -A INTERNET_2_GATEWAY -d ! $EXT_IP -j DROP
## CHECK_FLAGS will DROP and log TCP packets with certain TCP flags set.
$IPTABLES -A INTERNET_2_GATEWAY -p tcp -j CHECK_FLAGS
## Filter incoming packets based on port number (Trojan,NFS,...)
$IPTABLES -A INTERNET_2_GATEWAY -p ! icmp -j ALWAYS_DENY_PORTS
$IPTABLES -A INTERNET_2_GATEWAY -p ! icmp -j I2G_DENY_PORTS
## DROP/ACCEPT packets based on the state of the connection.
$IPTABLES -A INTERNET_2_GATEWAY -j KEEP_STATE
## Services that the gateway provides to the internet
## Web SERVER
## (new connections above 1/s fall through to the rules below; note that this
## rule matches the gateway's LAN address $LAN1_IP, not $EXT_IP)
$IPTABLES -A INTERNET_2_GATEWAY -m state --state NEW -p tcp \
          -m limit --limit 1/s \
          -d $LAN1_IP --dport 8050 -j ACCEPT
## Refuse all traffic not for the gateway !
$IPTABLES -A INTERNET_2_GATEWAY -d ! $EXT_IP -j DROP
$IPTABLES -A INTERNET_2_GATEWAY -p ! icmp -j I2G_ALLOW_PORTS
## Internet can send icmp to Gateway
$IPTABLES -A INTERNET_2_GATEWAY -p icmp -j I2G_ALLOW_ICMP

###############################################################################
## New chain for Access from Internet to Network
###############################################################################
# IN:EXT_IF  OUT:LAN1_IF  SRC:Any  DST:LAN1_SUBNET
$IPTABLES -N INTERNET_2_NETWORK
$IPTABLES -F INTERNET_2_NETWORK
## Refuse all traffic not for MY network
$IPTABLES -A INTERNET_2_NETWORK -d ! $LAN1_SUBNET -j DROP
## Check TCP packets coming in on the external interface for weird flags
$IPTABLES -A INTERNET_2_NETWORK -p tcp -j CHECK_FLAGS
## Filter incoming packets based on port number (Trojan,NFS,...)
$IPTABLES -A INTERNET_2_NETWORK -p ! icmp -j ALWAYS_DENY_PORTS
$IPTABLES -A INTERNET_2_NETWORK -p ! icmp -j I2N_DENY_PORTS
## DROP/ACCEPT packets based on the state of the connection.
$IPTABLES -A INTERNET_2_NETWORK -d $LAN1_SUBNET -j KEEP_STATE
## Internet can access Services on the Internal Network
$IPTABLES -A INTERNET_2_NETWORK -p ! icmp -j I2N_ALLOW_PORTS
## Internet can send icmp to the Internal Network
$IPTABLES -A INTERNET_2_NETWORK -p icmp -j I2N_ALLOW_ICMP

###############################################################################
## Main Stuff
###############################################################################
###############################################################################
## This is where we get to jump to our user-defined chains from the built-in
## chains.
##========================================================================##
## Jump to the mangle table rules.
$IPTABLES -t mangle -A OUTPUT -o $EXT_IF -j MANGLE_OUTPUT
$IPTABLES -t mangle -A PREROUTING -i $LAN1_IF -j MANGLE_PREROUTING
##========================================================================##

##========================================================================##
## LOG and DROP TCP packets with no flags set.
## Possible NULL scan.
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE \
          -m limit --limit 5/minute --limit-burst 1 \
          -j LOG --log-level $LOG_LEVEL \
          --log-prefix "NULL SCAN:" --log-tcp-options --log-ip-options
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
##========================================================================##
[edtdd]--Message edited by ethernal--[/edtdd] |
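The posted script writes the same bogon list out four times and the same ICMP type list once per direction. The following is an added example written for this page, not ethernal's script or code from any project, that generates those building blocks (a LOG_AND_DROP chain, SRC_EGRESS/DST_EGRESS from one list, one ICMP chain per direction) from a single list and a single function. The interface names ppp0/eth1, the exact bogon list and the chain names are assumptions; pointing `IPTABLES` at `echo` prints the rules instead of loading them.

```sh
#!/bin/sh
# Added example for this thread, not ethernal's script: the same building
# blocks (bogon egress filters, a LOG_AND_DROP chain, one ICMP policy chain
# per direction) generated from a single list and a single function.
# Assumptions: chain names follow the posted script; EXT_IF/LAN_IF default to
# ppp0/eth1; set IPTABLES=echo to preview the rules without touching the kernel.

IPTABLES="${IPTABLES:-iptables}"
LOG_LEVEL="${LOG_LEVEL:-info}"

# Private, link-local, "this" network, loopback, multicast, class E, broadcast.
# Listed once; both the source and the destination chain are built from it.
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"
BOGONS="$BOGONS 0.0.0.0/8 127.0.0.0/8 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32"

ipt() { "$IPTABLES" "$@"; }

# Rate-limited log, then drop. Kept in the filter table: a nat-table chain is
# consulted only for the first packet of a connection, so it cannot filter.
mk_log_and_drop() {
    ipt -N LOG_AND_DROP 2>/dev/null || true
    ipt -F LOG_AND_DROP
    ipt -A LOG_AND_DROP -m limit --limit 5/minute --limit-burst 5 \
        -j LOG --log-level "$LOG_LEVEL" --log-prefix "FW DROP: "
    ipt -A LOG_AND_DROP -j DROP
}

# $1 = chain name, $2 = -s (check the source) or -d (check the destination).
mk_egress() {
    chain=$1; side=$2
    ipt -N "$chain" 2>/dev/null || true
    ipt -F "$chain"
    for net in $BOGONS; do
        ipt -A "$chain" "$side" "$net" -j LOG_AND_DROP
    done
}

# $1 = chain name, $2 = ACCEPT or DROP for unsolicited echo-request,
# $3 = log prefix. Replies and errors that conntrack ties to an existing flow
# are accepted first; the error types PMTUD and traceroute depend on are
# accepted even when conntrack cannot relate them.
mk_icmp() {
    chain=$1; ping_policy=$2; prefix=$3
    ipt -N "$chain" 2>/dev/null || true
    ipt -F "$chain"
    ipt -A "$chain" -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    if [ "$ping_policy" = ACCEPT ]; then
        # answer pings, but not a flood: 1/s sustained, bursts of 4
        ipt -A "$chain" -p icmp --icmp-type echo-request \
            -m limit --limit 1/second --limit-burst 4 -j ACCEPT
    fi
    ipt -A "$chain" -p icmp --icmp-type echo-request \
        -m limit --limit 5/minute --limit-burst 1 \
        -j LOG --log-level "$LOG_LEVEL" --log-prefix "$prefix"
    ipt -A "$chain" -p icmp --icmp-type echo-request -j DROP
    # fragmentation-needed is type 3 code 4: it stays ahead of the generic
    # type-3 rule so that a later decision to drop destination-unreachable
    # cannot take it along (dropping it is what breaks path-MTU discovery)
    for t in fragmentation-needed destination-unreachable time-exceeded parameter-problem; do
        ipt -A "$chain" -p icmp --icmp-type "$t" -j ACCEPT
    done
    # everything else: redirect, router advertisement, source-quench, timestamp ...
    ipt -A "$chain" -p icmp -j DROP
}

# $1 = external interface, $2 = LAN interface.
install_hooks() {
    ext=$1; lan=$2
    # Source check only for the gateway's own packets: in FORWARD a LAN packet
    # still carries its 192.168.x.x source (SNAT happens later, in nat
    # POSTROUTING), so a source bogon check there would drop the whole LAN.
    ipt -A OUTPUT  -o "$ext" -j SRC_EGRESS
    ipt -A OUTPUT  -o "$ext" -j DST_EGRESS
    ipt -A FORWARD -o "$ext" -j DST_EGRESS
    ipt -A INPUT   -i "$ext" -p icmp -j I2G_ALLOW_ICMP
    ipt -A FORWARD -i "$ext" -o "$lan" -p icmp -j I2N_ALLOW_ICMP
    ipt -A FORWARD -i "$lan" -o "$ext" -p icmp -j N2I_ALLOW_ICMP
}

main() {
    mk_log_and_drop
    mk_egress SRC_EGRESS -s
    mk_egress DST_EGRESS -d
    mk_icmp I2G_ALLOW_ICMP DROP   "PING I2G: "
    mk_icmp I2N_ALLOW_ICMP DROP   "PING I2N: "
    mk_icmp N2I_ALLOW_ICMP ACCEPT "PING N2I: "
    install_hooks "${EXT_IF:-ppp0}" "${LAN_IF:-eth1}"
}

# Only act when asked, so the functions can be sourced or previewed.
if [ "${FW_APPLY:-0}" = 1 ]; then main; fi
```

Preview with `IPTABLES=echo FW_APPLY=1 sh fw.sh`; to load the rules for real, run it as root with `FW_APPLY=1` and a default-DROP policy already in place. Two choices differ from the posted script on purpose: the egress chains live in the filter table, because a nat-table chain only sees the first packet of each connection, and the source check is hooked on OUTPUT only, since in FORWARD the LAN's packets still carry their private source address; that is consistent with the posted NETWORK_2_INTERNET chain, which jumps to DST_EGRESS alone.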
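The NULL-scan rule at the end of the post is one entry of the CHECK_FLAGS chain that every per-direction chain jumps to, but that chain itself is not in the post. The following is an added example of such a chain, written for this page rather than taken from the script; the flag combinations, log prefixes and the `IPTABLES`/`LOG_LEVEL` variables are assumptions, and pointing `IPTABLES` at `echo` previews the rules.

```sh
#!/bin/sh
# Added example for this thread: a CHECK_FLAGS chain of the kind the posted
# script jumps to (only its NULL-scan rule appears in the post). Assumes the
# same IPTABLES/LOG_LEVEL variables; set IPTABLES=echo to preview.

IPTABLES="${IPTABLES:-iptables}"
LOG_LEVEL="${LOG_LEVEL:-info}"
ipt() { "$IPTABLES" "$@"; }

# --tcp-flags takes two lists: the flags to examine (mask) and, of those, the
# ones that must be set (comp). Each mask:comp:name below is a combination no
# legitimate TCP stack emits; the rest of the flags are ignored by the match.
BAD_FLAGS='ALL:NONE:NULL
ALL:ALL:ALL-SET
ALL:FIN,PSH,URG:XMAS
SYN,FIN:SYN,FIN:SYN-FIN
SYN,RST:SYN,RST:SYN-RST
FIN,RST:FIN,RST:FIN-RST
ACK,FIN:FIN:FIN-NOACK
ACK,PSH:PSH:PSH-NOACK
ACK,URG:URG:URG-NOACK'

mk_check_flags() {
    ipt -N CHECK_FLAGS 2>/dev/null || true
    ipt -F CHECK_FLAGS
    printf '%s\n' "$BAD_FLAGS" | while IFS=: read -r mask comp name; do
        ipt -A CHECK_FLAGS -p tcp --tcp-flags "$mask" "$comp" \
            -m limit --limit 5/minute --limit-burst 1 \
            -j LOG --log-level "$LOG_LEVEL" --log-prefix "BAD FLAGS $name: " \
            --log-tcp-options --log-ip-options
        ipt -A CHECK_FLAGS -p tcp --tcp-flags "$mask" "$comp" -j DROP
    done
    # A connection conntrack has not seen before must open with a bare SYN;
    # anything else that is NEW is a stray packet or a probe.
    ipt -A CHECK_FLAGS -p tcp ! --syn -m conntrack --ctstate NEW \
        -m limit --limit 5/minute --limit-burst 1 \
        -j LOG --log-level "$LOG_LEVEL" --log-prefix "NEW NOT SYN: "
    ipt -A CHECK_FLAGS -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
}

if [ "${FW_APPLY:-0}" = 1 ]; then mk_check_flags; fi
```

`ALL NONE` is the NULL scan from the post; `ALL FIN,PSH,URG` is the classic XMAS probe with SYN, RST and ACK clear. The chain is meant to be jumped to with `-p tcp` from INPUT and FORWARD before any ACCEPT, as the posted per-direction chains do; the LOG rules are rate-limited so a scan cannot fill the log.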
| 911GT3 | Many thanks :jap: But I was looking for iptables rules ;) [edtdd]--Message edited by 911GT3--[/edtdd] |
| juvenis |
|
| 911GT3 | A version with a LAN. I searched around here but only found one without a LAN. I leafed through a few howtos but I don't feel confident about it.
I prefer something proven (and commented, too). If someone, or the author, could provide me with that document :jap: |




