E per finire, un firewall da manuale, il meglio che c'è (in inglese):
--------------------------------------------------
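#!/bin/sh
# $Id: dedfirewall.sh,v 1.8 2003/12/11 13:44:39 rws Exp $
#
# Host firewall for a single server (iptables, IPv4 only; ip6tables is not
# touched by this script).  The values below are the shipped defaults; a
# site can override any of them (and set localbadnets, see the BADNETS
# section) in /etc/firewall.conf, which is sourced at the end of this
# section.  That file is executed with this script's (root) privileges, so
# keep it root-owned and not group/world writable.
###### CONFIGURATION
# Log what appears to be scans (SCAN chain; log only, nothing is dropped).
logscans="NO"
#####
# Only accept new inbound TCP/UDP connections on the services enabled below
# and set the INPUT policy to DROP.  With "NO" the INPUT policy is ACCEPT
# and the per-service switches below have no effect at all.
strictincoming="NO" # Recommended
# Service switches, consulted only when strictincoming="YES".
webserver="YES"      # tcp 80 443
mailserver="YES"     # tcp 25 110 143
ftpserver="YES"      # tcp 20 21 (passive data connections additionally rely on RELATED, i.e. the ftp conntrack helper)
rtspserver="NO"      # tcp 554 3030 7070 7802 7878 8080 20903, udp 9875
nameserver="YES"     # tcp+udp 53
sshlogin="YES"       # tcp 22
telnetlogin="NO"     # tcp 23, cleartext -- leave off unless genuinely required
rlogin="NO"          # tcp 513 514, cleartext -- leave off unless genuinely required
remotemysql="NO"     # tcp 3306, exposes the database directly; prefer an SSH tunnel
# Any other inbound TCP ports needed, as a space-separated list of port
# numbers or iptables ranges (e.g. "8443 10000:10010").  Empty means none.
# (Earlier revisions shipped this as "YES", which was never applied.)
customports=""
######
# The general philosophy is to be paranoid for incoming,
# but loose for outgoing. The following rules affect this.
# Restrict outgoing ports, which are generally not allowed
# Currently only blocks well known IRC ports (plus 13337 and tcp 138:139).
restrictoutgoing="NO" # Recommended
# Rate limit for outbound packets (packets per second); bursts of limit/3
# are allowed.  Leave empty/unset to disable the RATE chain entirely.
# Keep this machine from trying to confuse one of the routers
limit="3333" # Per second, unset for none
# Suck in site-based config, if it exists.
if [ -r /etc/firewall.conf ]; then
. /etc/firewall.conf
fi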
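################################################## ###################
# Addresses that must never be blocked.  The accept rules for this range are
# inserted at the head of INPUT/OUTPUT at the end of the script, ahead of
# BADNETS/RATE/SCAN.  NB: 192.168.1.0/23 is not on a /23 boundary; iptables
# masks it, so the effective range is 192.168.0.0-192.168.1.255.
internal="192.168.1.0/23"
# This should probably not be changed.
fwcmd="/sbin/iptables"
# Start from empty built-in chains.  The user chains created below are
# flushed individually; FORWARD is not flushed here, it only gets a DROP
# policy at the end.
${fwcmd} -F OUTPUT
${fwcmd} -F INPUT
# Want SYN cookies -- still disabled here.  Enable it (here or in
# sysctl.conf) if this host is exposed to SYN floods.
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Do not want to forward
echo 0 > /proc/sys/net/ipv4/ip_forward
# Do not want ECN
echo 0 > /proc/sys/net/ipv4/tcp_ecn
# Setup Local net
# Allow 127/8 IN via lo.  Only loopback-addressed traffic is matched here:
# a connection to one of the host's own non-127 addresses also arrives on
# lo but falls through to the ordinary INPUT rules (and, in strict mode, to
# the GOODPORTS list).
${fwcmd} -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
# Allow 127/8 OUT via lo
${fwcmd} -A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
# No 127/8 anywhere else (spoofed loopback addresses on real interfaces).
${fwcmd} -A INPUT -s 127.0.0.0/8 -j DROP
${fwcmd} -A OUTPUT -d 127.0.0.0/8 -j DROP
# Bogon / non-routable filtering: dropped as source and as destination, on
# both INPUT and OUTPUT.
# RFC3330 For a more complete summary
# RFC1918 private nets: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
# DHCP Autoconf: 169.254.0.0/16
# RFC1700: 0.0.0.0/8
# Multicast: 224.0.0.0/4 240.0.0.0/4
# "TEST-NET": 192.0.2.0/24
# NOTE(review): 0.0.0.0/8 (DHCP client source) and 240.0.0.0/4 (which
# contains the 255.255.255.255 broadcast) are in this list, so a DHCP
# client going through the normal IP stack would be affected; this list
# assumes a statically addressed host -- confirm before deploying.
# Consistently use ${fwcmd} here (earlier revisions called a bare
# "iptables" for these four commands, which is PATH-dependent).
${fwcmd} -N BADNETS
${fwcmd} -F BADNETS
# To supply additional bad networks, please put them in /etc/firewall.conf
# as localbadnets="net/mask ...".  Comments are nice!
badnets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8
169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"
# Word-splitting on the two lists is intentional (one prefix per word).
for net in ${badnets} ${localbadnets}; do
${fwcmd} -A BADNETS -s ${net} -j DROP
${fwcmd} -A BADNETS -d ${net} -j DROP
done
# Inserted at the head of both chains, so it runs before the loopback rules
# appended above (127/8 is not in the list, so those still work).
${fwcmd} -I INPUT -j BADNETS
${fwcmd} -I OUTPUT -j BADNETS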
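# Scan logging.  Log-only: every rule in SCAN is a LOG target, so packets
# continue down INPUT after the chain returns.  Each rule is rate-limited so
# a scan cannot fill the log.  The test is quoted so an empty/unset value
# from /etc/firewall.conf is a clean "NO" rather than a shell syntax error.
if [ "${logscans}" = "YES" ]; then
${fwcmd} -N SCAN
${fwcmd} -F SCAN
# Ping Scans
${fwcmd} -A SCAN -p icmp --icmp-type echo-request -m limit --limit 5/minute -j LOG --log-prefix ':FW:PingScan:'
# Stealth scans (Disabled, too many false positives)
#${fwcmd} -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 -j LOG --log-level info --log-prefix ':FW:StealthScan:'
# XMAS Scan: all flags examined, exactly FIN/URG/PSH set
${fwcmd} -A SCAN -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m -j LOG --log-level info --log-prefix ':FW:XMASScan:'
# SYN/RST Scan: both set, never a legitimate segment
${fwcmd} -A SCAN -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m -j LOG --log-level info --log-prefix ':FW:SYN/RSTScan:'
# SYN/FIN Scan
${fwcmd} -A SCAN -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m -j LOG --log-level info --log-prefix ':FW:SYN/FINScan:'
# Appended, i.e. after BADNETS and the loopback rules.
${fwcmd} -A INPUT -j SCAN
fi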
# ICMP (commented out, no longer doing any ICMP filtering)
# Echo
#${fwcmd} -A INPUT -p icmp --icmp-type 0 -j ACCEPT
#${fwcmd} -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Host unreachable
#${fwcmd} -A INPUT -p icmp --icmp-type 3 -j ACCEPT
# Traceroute
#${fwcmd} -A INPUT -p icmp --icmp-type 11 -j ACCEPT
#${fwcmd} -A INPUT -p icmp --icmp-type 30 -j ACCEPT
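# Optional port blacklist.  Despite the switch's name, the chain is hooked
# into INPUT as well as OUTPUT, so it blocks these ports in both directions.
# Quoted test: an empty value from /etc/firewall.conf must not break the
# script.
if [ "${restrictoutgoing}" = "YES" ]; then
${fwcmd} -N BADPORTS
${fwcmd} -F BADPORTS
# IRC: log (throttled) then drop, both as client (--dport) and as server
# (--sport).  Because of the INPUT hook this also stops anyone reaching an
# IRC server on this host.
${fwcmd} -A BADPORTS -p tcp --dport 6660:6669 -j LOG -m limit --limit 5/m --log-level info --log-prefix ":FW:IRC-Client:"
${fwcmd} -A BADPORTS -p tcp --dport 6660:6669 -j DROP
${fwcmd} -A BADPORTS -p tcp --sport 6660:6669 -j LOG -m limit --limit 5/m --log-level info --log-prefix ":FW:IRC-Server:"
${fwcmd} -A BADPORTS -p tcp --sport 6660:6669 -j DROP
# Common source of no-good
${fwcmd} -A BADPORTS -p tcp --dport 13337 -j DROP
# These are not windows machines.  TCP only: the NetBIOS name/datagram
# services on udp 137/138 are not covered by this rule.
${fwcmd} -A BADPORTS -p tcp --dport 138:139 -j DROP
${fwcmd} -A INPUT -j BADPORTS
${fwcmd} -A OUTPUT -j BADPORTS
#${fwcmd} -A OUTPUT -p tcp --dport 6660:6669 --syn -j DROP
# Restrict user running httpd to only http* outbound.  Disabled; note that
# httpuser is not defined anywhere in this script, it would have to come
# from /etc/firewall.conf.
#echo ${fwcmd} -A OUTPUT -m owner -p tcp --sport 80 --uid-owner ${httpuser} -j ACCEPT
#${fwcmd} -A OUTPUT -p tcp -m owner --uid-owner ${httpuser} --sport 443 --syn -j ACCEPT
#${fwcmd} -A OUTPUT -p tcp -s 127.0.0.0/8 -m owner --uid-owner ${httpuser} --syn -j ACCEPT
fi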
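# Outbound packet-rate limiter, controlled by "limit" in the configuration.
# The test must be quoted: unquoted, "[ -n ]" is true for an unset value
# ("unset for none" would then build the chain with a malformed --limit).
if [ -n "${limit}" ]; then
${fwcmd} -N RATE
${fwcmd} -F RATE
# Limit outgoing packets to ~ $limit/sec, bursting up to $limit/3 to allow legit traffic
limitburst="$(( ${limit} / 3 ))"
# Packets within the token bucket return to the calling chain; everything
# above the rate is logged (throttled) and dropped.
${fwcmd} -A RATE -m limit --limit ${limit}/second --limit-burst ${limitburst} -j RETURN
${fwcmd} -A RATE -j LOG -m limit --limit 5/m --log-level info --log-prefix ":FW:PacketRate:"
${fwcmd} -A RATE -j DROP
# OUTPUT only, as documented above.  Earlier revisions also inserted RATE
# into INPUT; since "-m limit" is one global token bucket, any inbound flood
# above $limit pps drained it and legitimate inbound packets (established
# sessions included) were dropped alongside the flood -- a cheap
# denial-of-service lever rather than a protection.
${fwcmd} -I OUTPUT -j RATE
fi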
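# A new TCP connection must start with a SYN; a segment that conntrack sees
# as NEW without SYN is stray or forged (or a scan technique) and is dropped.
# This applies in both modes.
${fwcmd} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Quoted tests throughout: an empty value from /etc/firewall.conf must read
# as "not YES", not as a shell syntax error.
if [ "${strictincoming}" = "YES" ]; then
${fwcmd} -N GOODPORTS
${fwcmd} -F GOODPORTS
# Established connections can continue to stay that way.  RELATED also
# admits ICMP errors belonging to our own flows and, when the ftp conntrack
# helper is loaded, passive-FTP data connections.
${fwcmd} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
mytcpports=""
myudpports=""
if [ "${webserver}" = "YES" ]; then
mytcpports="${mytcpports} 80 443"
fi
if [ "${ftpserver}" = "YES" ]; then
mytcpports="${mytcpports} 20 21"
fi
if [ "${mailserver}" = "YES" ]; then
mytcpports="${mytcpports} 25 110 143"
fi
if [ "${sshlogin}" = "YES" ]; then
mytcpports="${mytcpports} 22"
fi
if [ "${telnetlogin}" = "YES" ]; then
mytcpports="${mytcpports} 23"
fi
if [ "${rlogin}" = "YES" ]; then
mytcpports="${mytcpports} 513 514"
fi
if [ "${remotemysql}" = "YES" ]; then
mytcpports="${mytcpports} 3306"
fi
if [ "${nameserver}" = "YES" ]; then
mytcpports="${mytcpports} 53"
myudpports="${myudpports} 53"
fi
if [ "${rtspserver}" = "YES" ]; then
mytcpports="${mytcpports} 554 3030 7070 7802 7878 8080 20903"
myudpports="${myudpports} 9875"
fi
# Site-specific extra TCP ports (space-separated ports/ranges).  Earlier
# revisions appended this to an unused variable and treated the literal
# "YES" as a port, so customports never took effect; the legacy YES/NO
# values are ignored here.  (The old line also mentioned 10001 and 20001
# without applying them -- list them in customports if still wanted.)
case "${customports}" in
""|YES|NO) ;;
*) mytcpports="${mytcpports} ${customports}" ;;
esac
# Word-splitting on the port lists is intentional.
for port in ${mytcpports}; do
${fwcmd} -A GOODPORTS -p tcp --dport ${port} --syn -j ACCEPT
done
for port in ${myudpports}; do
${fwcmd} -A GOODPORTS -p udp --dport ${port} -j ACCEPT
done
${fwcmd} -A INPUT -j GOODPORTS
# Everything not accepted above is dropped by policy.  Inbound ICMP other
# than RELATED errors (e.g. echo-request) is dropped in this mode as well.
${fwcmd} -P INPUT DROP
else
# Non-strict mode: every port is reachable; only the BADNETS/SCAN/BADPORTS
# hooks and the no-SYN drop above apply.
${fwcmd} -P INPUT ACCEPT
fi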
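# Allow internal connections to all.  Inserted at position 1 of both chains,
# so internal hosts bypass BADNETS, RATE, SCAN logging, BADPORTS and the
# strict port list entirely.  (iptables masks 192.168.1.0/23 to
# 192.168.0.0/23.)  Quoted test: "[ -n ]" with an unset value is true.
if [ -n "${internal}" ]; then
${fwcmd} -I INPUT -s ${internal} -j ACCEPT
${fwcmd} -I OUTPUT -d ${internal} -j ACCEPT
fi
# Forwarding is also disabled at the sysctl level above; belt and braces.
${fwcmd} -P FORWARD DROP
# Outbound is open apart from the BADNETS/BADPORTS/RATE hooks.
${fwcmd} -P OUTPUT ACCEPT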
