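#!/bin/bash
# -*- Mode: shell-script -*-
# Linux FW iptables rules for Home Users; pmateti feb 27, 2001
# usage: source /etc/rc.iptables
# credits: many sources on the net -- thanks!
#
# Expected from rc.config (sourced earlier, see bashrc):
#   INTNET   - the internal network in CIDR form (the comments below assume
#              it lives in 192.168.0.0/16)
#   INT, EXT - internal / external interface names
#   FIREWALL - address(es) the firewall itself sends from
#   PINGER   - external host allowed to ping and ssh the firewall
#   SMTP, BLOCKEDTCP, BLOCKEDUDP, BLOCKEDIP - used only by allowMail and
#              restrictConnections, which are defined but not enabled below
#   BOGONS, FINAL_POLICY - optional overrides, see impossibleSourcesDest and
#              the end of this file
#
# we do *not* want to use port names as /etc/services may not be exhaustive
## . etc/rc.config done via bashrc

IPT=/sbin/iptables

# requireVars NAME... -> 0 if every NAME is set and non-empty, else prints
# the missing ones on stderr and returns 1. Without this a missing variable
# silently yields rules like "-s -i eth0", which iptables rejects, leaving a
# hole in the policy with only a stray error message to show for it.
requireVars() {
  local missing=0 name
  for name in "$@"; do
    if [ -z "${!name}" ]; then
      echo "rc.iptables: required variable $name is not set (source rc.config first)" >&2
      missing=1
    fi
  done
  return $missing
}

# setDefaultPolicy POLICY -> apply POLICY (ACCEPT|DROP) to the filter
# built-ins and to the nat PREROUTING/POSTROUTING chains.
setDefaultPolicy() {
  local policy=$1 chain
  for chain in INPUT OUTPUT FORWARD; do
    $IPT --policy "$chain" "$policy"
  done
  for chain in PREROUTING POSTROUTING; do
    $IPT -t nat --policy "$chain" "$policy"
  done
}

# masquerade -> hosts behind the fw leave with the firewall's address.
# No -o restriction, as in the original; add "-o $EXT" if the firewall ever
# gets a third interface, so LAN traffic is not NATed towards it.
masquerade() {
  $IPT -t nat -A POSTROUTING -s "$INTNET" -j MASQUERADE
}

# mkLogDROP -> user chain "logdrop": rate-limited LOG, then DROP.
mkLogDROP() {
  $IPT --new logdrop
  $IPT -A logdrop -m limit -j LOG --log-level 5 --log-prefix "DROP "
  $IPT -A logdrop -j DROP
}

# mkLogACC -> user chain "logacc": rate-limited LOG, then ACCEPT.
mkLogACC() {
  $IPT --new logacc
  $IPT -A logacc -m limit -j LOG --log-level 4 --log-prefix "ACCEPT "
  $IPT -A logacc -j ACCEPT
}

# allowLoopback -> accept everything on lo. Must run before
# impossibleSourcesDest: its 127.0.0.0/8 drops and its "! -s $FIREWALL"
# OUTPUT drop carry no -i/-o and would otherwise kill all local traffic on
# the firewall (resolver, syslog, X).
allowLoopback() {
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
}

# impossibleSourcesDest -> anti-spoofing: the inside may only appear behind
# INT, the outside only behind EXT, and private/bogon space never appears.
impossibleSourcesDest() {
  # "! -s" is the current syntax; "-s !" is the deprecated intrapositioned
  # form that newer iptables warns about.
  $IPT -A FORWARD -s "$INTNET" -i "$EXT" -j DROP
  $IPT -A FORWARD ! -s "$INTNET" -i "$INT" -j DROP
  $IPT -A INPUT -s "$INTNET" -i "$EXT" -j DROP
  $IPT -A INPUT ! -s "$INTNET" -i "$INT" -j DROP
  # output must be from firewall itself
  # NOTE(review): assumes $FIREWALL covers every address the firewall sends
  # from (external *and* internal side). If it holds only the external
  # address, the firewall's own replies to the LAN are dropped -- confirm
  # against rc.config.
  $IPT -A OUTPUT ! -s "$FIREWALL" -j DROP

  # private address space, except us. Assumes INTNET is in 192.168.0.0/16;
  # if INTNET is carved out of 10/8 or 172.16/12, its entry here cuts the
  # LAN off and must be removed.
  local private="10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 224.0.0.0/3 240.0.0.0/5 255.255.255.255/32"
  # Bogon (unallocated / special-use) space. The 2001 version of this list
  # also named 1/8 2/8 5/8 7/8 23/8 27/8 31/8 36/8 37/8 39/8 41/8 42/8 49/8
  # 50/8 58/7 60/8 67/8 68/6 72/5 80/4 96/3 197/8 218/7 220/6. IANA has since
  # allocated all of those to the RIRs (the /8 free pool was exhausted in
  # February 2011), so that list now drops a large part of the routable
  # Internet. Only the entries that are still special-use are kept; a site
  # that wants a fuller list sets BOGONS in rc.config and refreshes it --
  # a hardcoded bogon list with no refresh plan is a time bomb.
  local bogons="${BOGONS:-0.0.0.0/8 169.254.0.0/16 192.0.2.0/24}"
  local n
  # unquoted on purpose: both lists are space-separated
  for n in $private $bogons; do
    $IPT -A FORWARD -s "$n" -j DROP
    $IPT -A FORWARD -d "$n" -j DROP
    $IPT -A INPUT -s "$n" -j DROP
    $IPT -A INPUT -d "$n" -j DROP
    $IPT -A OUTPUT -d "$n" -j DROP
  done
}

# strangePackets -> log+drop TCP segments with flag combinations that never
# occur in a real conversation (scanner fingerprints), on INPUT and FORWARD.
strangePackets() {
  local chain
  for chain in INPUT FORWARD; do
    # XMAS: every flag set
    $IPT -A "$chain" -p tcp --tcp-flags ALL ALL -j logdrop
    # another XMAS variant (everything but PSH)
    $IPT -A "$chain" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j logdrop
    # NULL: no flags at all
    $IPT -A "$chain" -p tcp --tcp-flags ALL NONE -j logdrop
    # nmap -sX style probe
    $IPT -A "$chain" -p tcp --tcp-flags ALL FIN,URG,PSH -j logdrop
    # SYN+RST and SYN+FIN are contradictory
    $IPT -A "$chain" -p tcp --tcp-flags SYN,RST SYN,RST -j logdrop
    $IPT -A "$chain" -p tcp --tcp-flags SYN,FIN SYN,FIN -j logdrop
    # TCP *option kinds* 64 and 128, which no standard option uses. These
    # are not the ECE/CWR flag bits (0x40/0x80) the original comment called
    # "flags": ECN-capable hosts set those legitimately, so do not "fix"
    # this into a --tcp-flags match.
    $IPT -A "$chain" -p tcp --tcp-option 64 -j logdrop
    $IPT -A "$chain" -p tcp --tcp-option 128 -j logdrop
  done
}

# cagedServices -> services that must not cross the firewall in either
# direction (no -i/-o, so LAN->Internet and Internet->LAN alike).
cagedServices() {
  # TODO(original): also 1433,5432,5993:6063 ? tcp 9704,20034,12345:12346,
  # 27665,31337 ? udp 27444,31335,31337 ? (rpc.statd, netbus, trinoo, BO)
  local range
  # NetBIOS, r-services/lpd, VNC, X11 display ports
  for range in 136:140 512:515 5899:5911 5999:6011; do
    $IPT -A FORWARD -p tcp --dport "$range" -j DROP
  done
  # portmap, ident, mountd, nfs -- matched on the *source* port, i.e. this
  # drops replies coming from those services, not requests to them
  # (retained as written; note it also drops the answers to ident lookups
  # made from the LAN). Filtering on source port alone is trivially evaded.
  $IPT -A FORWARD -m multiport -p tcp --sport 111,113,635,2049 -j DROP
  $IPT -A FORWARD -m multiport -p udp --sport 111,113,635,2049 -j DROP
}

# allowDNS -> UDP/53 through the firewall, out of it, and into it from the
# LAN. The INPUT rule is limited to $INT: a resolver on the firewall has no
# business answering the Internet (open-resolver abuse). Replies to the
# firewall's own queries are not covered here (they arrive with sport 53);
# under the lenient final policy below that does not matter, under DROP it
# needs a state rule.
allowDNS() {
  $IPT -A FORWARD -p udp --dport 53 -j ACCEPT
  $IPT -A INPUT -i "$INT" -p udp --dport 53 -j ACCEPT
  $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
}

# allowSSH -> ssh anywhere through the firewall; ssh *to* the firewall only
# from $PINGER on the outside and from the LAN.
allowSSH() {
  # Allow ssh, any one to any one. NOTE(review): this also lets the Internet
  # reach any ssh server on the LAN; tighten with "-i $INT" if that is not
  # wanted.
  $IPT -A FORWARD -p tcp --dport 22 -j ACCEPT
  # from pinger or internal, we can ssh to the firewall
  $IPT -A INPUT -p tcp -i "$EXT" -s "$PINGER" --dport 22 -j ACCEPT
  # internal ssh to firewall itself
  $IPT -A INPUT -i "$INT" -p tcp --dport 22 -j ACCEPT
  # the firewall's own side of these conversations is covered by fwToAnyOneOK
}

# allowMail -> (defined, not enabled below) only $SMTP may open SMTP/POP3
# connections into the LAN; the rest of those conversations pass both ways.
allowMail() {
  $IPT -A FORWARD -p tcp -s "$SMTP" --syn -m multiport --dport 25,110 -j ACCEPT
  # Every segment that is not a connection opener. The 2001 version used
  # "! --tcp-flags SYN,ACK ACK", which matches SYN=1 or ACK=0: it admitted
  # openers from *anyone* (defeating the -s $SMTP rule above) while
  # rejecting ordinary data segments (SYN=0, ACK=1). "! --syn" is what was
  # meant.
  $IPT -A FORWARD -p tcp -m multiport --dport 25,110 ! --syn -j ACCEPT
  $IPT -A FORWARD -p tcp -s "$INTNET" -m multiport --sport 25,110 ! --syn -j ACCEPT
}

# fwToAnyOneOK -> the firewall itself may send anything (tcp, udp, icmp).
fwToAnyOneOK() {
  local proto
  for proto in tcp udp icmp; do
    $IPT -A OUTPUT -p "$proto" -j ACCEPT
  done
}

# enablePings -> LAN may ping out and may send the firewall any ICMP;
# only $PINGER may ping the firewall from outside. Appended before
# icmpRules, so these decisions take precedence over the ICMP chain.
enablePings() {
  # internal can ping anyone
  $IPT -A FORWARD -p icmp -i "$INT" --icmp-type echo-request -j ACCEPT
  # accept all icmp packets from internal
  $IPT -A INPUT -p icmp -i "$INT" -j ACCEPT
  # pinger permitted to ping firewall
  $IPT -A INPUT -p icmp -s "$PINGER" --icmp-type echo-request -j ACCEPT
  # no one else can ping firewall
  $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
  # the echo replies to the LAN's pings are handled in the ICMP chain
}

# restrictConnections -> (defined, not enabled below) stateful policy: no
# new TCP to the firewall, blocked ports/hosts refused, LAN may open anything
# else, established traffic passes, all other TCP openers dropped.
# Enabling it together with a DROP final policy also needs an
# ESTABLISHED,RELATED accept on INPUT, which does not exist in this file.
restrictConnections() {
  # no connections to fw
  $IPT -A INPUT -p tcp --syn -j DROP
  # connections to forbidden ports/ip blocked
  $IPT -A FORWARD -p tcp -m multiport --dport "$BLOCKEDTCP" --syn -j DROP
  $IPT -A FORWARD -p tcp -d "$BLOCKEDIP" --syn -j DROP
  $IPT -A FORWARD -m multiport -p udp --dport "$BLOCKEDUDP" -j DROP
  # we connect to anyone, exceptions noted above
  $IPT -A FORWARD -p tcp -i "$INT" -d 0/0 --syn -j ACCEPT
  $IPT -A FORWARD -m state --state NEW -i "$INT" -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # drop all other tcp connection attempts
  $IPT -A FORWARD -p tcp --syn -j DROP
}

# icmpRules -> user chain "ICMP", traversed by INPUT/OUTPUT/FORWARD for all
# ICMP. Order matters: a bare type name (destination-unreachable, redirect,
# time-exceeded, parameter-problem) matches *every* code of that type, so
# the per-code rules must come before it. The 2001 version listed them
# after, which made every per-code rule dead -- in particular the
# "fragmentation-needed -j logdrop" never fired, which was lucky: that
# message is what path-MTU discovery runs on, and a masquerading router
# that drops it black-holes large transfers. It is now accepted explicitly.
icmpRules() {
  $IPT --new ICMP
  local chain t
  for chain in INPUT OUTPUT FORWARD; do
    $IPT -A "$chain" -p icmp -j ICMP
  done
  $IPT -A ICMP -p icmp --icmp-type echo-request -j DROP
  $IPT -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
  # type 3 (destination-unreachable), per code first
  $IPT -A ICMP -p icmp --icmp-type fragmentation-needed -j ACCEPT
  for t in network-unreachable host-unreachable protocol-unreachable \
           port-unreachable network-unknown host-unknown; do
    $IPT -A ICMP -p icmp --icmp-type "$t" -j ACCEPT
  done
  for t in source-route-failed network-prohibited host-prohibited \
           TOS-network-unreachable TOS-host-unreachable communication-prohibited; do
    $IPT -A ICMP -p icmp --icmp-type "$t" -j logacc
  done
  # precedence codes: dropped as the original intended (they used to slip
  # through on the generic accept below)
  for t in host-precedence-violation precedence-cutoff; do
    $IPT -A ICMP -p icmp --icmp-type "$t" -j logdrop
  done
  $IPT -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
  $IPT -A ICMP -p icmp --icmp-type source-quench -j logdrop
  # type 5: a router must not take routing hints from the outside; this one
  # rule covers network-, host- and TOS-redirect
  $IPT -A ICMP -p icmp --icmp-type redirect -j logdrop
  $IPT -A ICMP -p icmp --icmp-type router-advertisement -j DROP
  $IPT -A ICMP -p icmp --icmp-type router-solicitation -j DROP
  # type 11 (time-exceeded), per code first
  for t in ttl-zero-during-transit ttl-zero-during-reassembly; do
    $IPT -A ICMP -p icmp --icmp-type "$t" -j logacc
  done
  $IPT -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
  # type 12 (parameter-problem), per code first
  for t in ip-header-bad required-option-missing; do
    $IPT -A ICMP -p icmp --icmp-type "$t" -j logacc
  done
  $IPT -A ICMP -p icmp --icmp-type parameter-problem -j logacc
  # information-gathering probes
  for t in timestamp-request timestamp-reply address-mask-request address-mask-reply; do
    $IPT -A ICMP -p icmp --icmp-type "$t" -j DROP
  done
  $IPT -A ICMP -p icmp -j DROP
}

# flushTables -> empty the filter and nat tables and delete the user chains
# (logdrop, logacc, ICMP). The original flushed only the three filter
# built-ins, so re-sourcing this file failed on "--new logdrop" (chain
# exists) and duplicated the MASQUERADE rule.
flushTables() {
  $IPT --flush
  $IPT -t nat --flush
  $IPT --delete-chain
}

# doorsWideOpen -> development aid: no rules, everything accepted.
doorsWideOpen() {
  echo TBD for use during development
  flushTables
  setDefaultPolicy ACCEPT
}

# only definitions of procs above, and source rc.config
# -----------------------------------------------------
# NOTE(review): relative path -- only resolves if the cwd is / when this
# file is sourced (the bashrc that sources rc.config presumably arranges
# that); confirm, or use /etc/rc.ipmodules.
. etc/rc.ipmodules
# source rc.procinits done in rc.network

# bail out (return when sourced, exit when run) rather than build a
# half-broken rule set from empty variables
requireVars INTNET INT EXT FIREWALL PINGER || return 1 2>/dev/null || exit 1

# drop everything until firewall setup is complete
setDefaultPolicy DROP
# a no-op right after boot; makes re-sourcing this file safe
flushTables
mkLogDROP
mkLogACC
allowLoopback
masquerade
impossibleSourcesDest
strangePackets
cagedServices
allowDNS
allowSSH
fwToAnyOneOK
enablePings
icmpRules
# allowMail and restrictConnections are defined above but deliberately not
# enabled (see their headers before turning them on).

# final default policies. we are introducing firewalls into a company
# that never had any. so, for now we will be lenient.
# NOTE(review): with ACCEPT here every ACCEPT rule above is moot and
# anything not explicitly dropped -- new TCP connections to the firewall
# included -- gets through. Set FINAL_POLICY=DROP in rc.config to change
# that, but only after adding "-m state --state ESTABLISHED,RELATED -j ACCEPT"
# to INPUT and FORWARD, or all return traffic dies.
setDefaultPolicy "${FINAL_POLICY:-ACCEPT}"
echo "TBD should we syslog /sbin/iptables -L -n"
# -eof-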