#!/bin/bash
#
# firewall.sh - 2002 black star
#
# iptables-based firewall/masq-script for networks with dial-up
# and static connections.
#
# with special edonkey/winmx-client support
#
# state: 07-16-2002 1:13am
#--------------------------------------VARS
IPTABLES="/usr/sbin/iptables"   # path of the iptables binary
INT_IF="eth0"                   # LAN-facing interface
EXT_IF="ppp0"                   # Internet-facing (dial-up) interface
LOCAL_IPS="192.168.1.0/24"      # LAN address range, masqueraded behind EXT_IF
# Destination ports on which the Internet may open connections to LAN
# machines (forward_ext). The same numbers are also used as *source* ports
# by the P2P "speed-up" rules (see the --sport rules further down).
ALLOW_FORWARD_TCP="2000 2004 4661 4662 4663 4664 4665 4666 4667 4668 4669 6662 6663 6664 6665 6666 6667 6699"
# NOTE(review): the UDP list is a verbatim copy of the TCP list, so UDP is
# opened for ports that only carry TCP here (the nat section, for instance,
# only DNATs 6699 for TCP).
ALLOW_FORWARD_UDP="$ALLOW_FORWARD_TCP"
# Ports of the firewall machine itself that are reachable from the Internet.
# NOTE(review): every entry here is Internet-exposed. Verify that 21, 113,
# 116 and 118 are really served on this host, and whether UDP 21/22/80 are
# needed at all (FTP, SSH and HTTP are TCP services).
ALLOW_OUTSIDE_TCP="21 22 80 113 116 118 4661 4662"
ALLOW_OUTSIDE_UDP="21 22 80 4665 4666 6112"
# LAN -> firewall and LAN -> Internet filtering:
#   "no"  - everything from the LAN is accepted; ALLOW_INSIDE_* are unused.
#   "yes" - only ALLOW_INSIDE_* plus ALLOW_FORWARD_* ports, and the hosts in
#           ALLOW_HOSTS_INSIDE on any port.
# Any other value leaves input_int/forward_int empty, i.e. the LAN is
# dropped by the catch-all rules at the end of the script.
PROTECT_FROM_INTERNAL="no"
ALLOW_INSIDE_TCP="21 22 23 25 53 80 110 3128"
ALLOW_INSIDE_UDP="$ALLOW_INSIDE_TCP"   # again a copy of the TCP list
# LAN hosts that may connect anywhere on any port. Matched by source IP
# only (no MAC binding), so any LAN machine can claim such an address.
ALLOW_HOSTS_INSIDE="192.168.1.2"
# LAN machine that receives DNAT'd edonkey traffic (tcp/4662);
# set to "disabled" to skip that DNAT rule.
EDONKEY_CLIENT="192.168.1.12"
# LAN machine that receives DNAT'd WinMX traffic (tcp/6699, udp/6257);
# "disabled" skips those DNAT rules.
WINMX_CLIENT="192.168.1.3"
# "enabled": add crude payload filters for a donkey server on the firewall.
SERVICE_DONKEYSERVER="enabled"
VER=v1.2.5
#--------------------------------------KERNEL-STUFF
#modules
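echo -n -e "iptables-firewall-script $VER - 2002 by Black Star\n\nloading modules"
# Everything from here on (modprobe, /proc/sys writes, iptables) needs root.
# Fail early and loudly instead of leaving a half-applied rule set behind
# with one "Permission denied" per line.
if [ "$(id -u)" -ne 0 ]; then
  printf '\nfirewall.sh: must be run as root\n' >&2
  exit 1
fi
# Netfilter modules, 2.4-kernel names. A failing modprobe is not fatal: the
# code may be built into the kernel. On nf_conntrack-based kernels the names
# differ (nf_conntrack, nf_conntrack_ftp, nf_nat_ftp) — presumably covered by
# module aliases; verify on the target kernel.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp   # connection-tracking helper for FTP data channels
modprobe ip_nat_ftp         # NAT helper, so FTP works through MASQUERADE
echo -e -n " - done\nenabling/disabling some kernel-stuff"

# set_per_if VALUE KEY - write VALUE into /proc/sys/net/ipv4/conf/*/KEY
# (i.e. for every interface, including "all" and "default").
set_per_if() {
  local entry
  for entry in /proc/sys/net/ipv4/conf/*/"$2"; do
    echo "$1" > "$entry"
  done
}

echo 1 > /proc/sys/net/ipv4/ip_forward      # route between INT_IF and EXT_IF
echo 1 > /proc/sys/net/ipv4/ip_dynaddr      # dynamic-address support for the
                                             # dial-up link (not DHCP as such)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies  # SYN-flood protection for this host
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts       # no smurf amplification
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # no log clutter from bogus ICMP errors
set_per_if 1 rp_filter            # source-address verification (anti-spoofing)
set_per_if 0 accept_redirects     # ignore ICMP redirects ...
set_per_if 0 send_redirects       # ... and never send any
set_per_if 0 accept_source_route  # drop source-routed packets
set_per_if 1 log_martians         # log spoofed / source-routed / redirect packets
echo " - done"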
#--------------------------------------FLUSH
echo -n "flushing chains and creating new ones"
# Fail closed while the rule set is rebuilt: should the script die half-way,
# the DROP policies keep everything out. The "enabling chains" section at
# the end installs the final policies.
for CHAIN in INPUT OUTPUT FORWARD; do
  $IPTABLES -F "$CHAIN"
done
for CHAIN in INPUT OUTPUT FORWARD; do
  $IPTABLES -P "$CHAIN" DROP
done
# Wipe the filter, nat and mangle tables completely, user chains included.
$IPTABLES -F
$IPTABLES -X
for TABLE in nat mangle; do
  $IPTABLES -t "$TABLE" -F
  $IPTABLES -t "$TABLE" -X
done
for CHAIN in PREROUTING POSTROUTING OUTPUT; do
  $IPTABLES -t nat -P "$CHAIN" DROP
done
# Per-direction chains; INPUT and FORWARD dispatch into them by interface.
# (log_drop is created here but never referenced by the rest of the script.)
for CHAIN in input_int input_ext forward_int forward_ext log_drop; do
  $IPTABLES -N "$CHAIN"
  $IPTABLES -F "$CHAIN"   # a no-op right after -N; kept from the original
done
echo " - done"
#--------------------------------------FILTER
#enable loopback
printf '%s' "enabling loopback"
# Traffic over the loopback interface is never filtered, in either direction.
$IPTABLES -A INPUT  -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
printf '%s\n' " - done"
#-----------------input_ext
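echo -n "setting up chain input_ext"
# Internet -> firewall host. Default deny: whatever is not accepted below is
# logged (rate-limited) and dropped.
$IPTABLES -A input_ext -m state --state ESTABLISHED,RELATED -j ACCEPT
# services of the firewall host that are reachable from the Internet
for PORT in $ALLOW_OUTSIDE_TCP; do
  $IPTABLES -A input_ext -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport "$PORT" -j ACCEPT
done
for PORT in $ALLOW_OUTSIDE_UDP; do
  $IPTABLES -A input_ext -m state --state NEW,ESTABLISHED,RELATED -p udp --dport "$PORT" -j ACCEPT
done
# Removed: the "speed-up" rules that accepted NEW packets whose *source* port
# was in ALLOW_FORWARD_TCP/UDP. The source port is chosen by the remote side,
# so anyone sending from sport 4662 (or 2000, 6667, ...) could reach every
# port of the firewall host, bypassing the ALLOW_OUTSIDE_* lists above.
# Replies to connections this host opened are already accepted as
# ESTABLISHED,RELATED by the first rule; a P2P client running on the firewall
# itself gets its listening ports through ALLOW_OUTSIDE_TCP/UDP instead.
if [ "$SERVICE_DONKEYSERVER" = "enabled" ]; then
  # Crude payload filters for the donkey server. They are appended to INPUT
  # directly, so they apply on every interface, LAN included.
  # NOTE(review): newer iptables versions require "--algo bm" (or kmp) with
  # "-m string"; keep that in mind when upgrading.
  $IPTABLES -A INPUT -p tcp --dport 4661 -m string --string file -j DROP
  $IPTABLES -A INPUT -p tcp --dport 4661 -m string --string mldonkey -j DROP
fi
# Hard-coded SSH accept, independent of ALLOW_OUTSIDE_TCP (a lock-out safety
# net): removing 22 from the list above does NOT close SSH to the Internet.
$IPTABLES -A input_ext -p tcp --dport 22 -j ACCEPT
# everything else: rate-limited log, then drop
$IPTABLES -A input_ext -p tcp -j LOG --log-prefix "BLACK-STAR-FW input blocked:" -m limit --limit 1/s
$IPTABLES -A input_ext -p udp -j LOG --log-prefix "BLACK-STAR-FW input blocked:" -m limit --limit 1/s
$IPTABLES -A input_ext -m state --state NEW,INVALID -j DROP
$IPTABLES -A input_ext -j DROP
echo " - done"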
#-----------------forward_ext from outside to inside
echo -n "setting up chain forward_ext"
# Internet -> LAN: replies to LAN-initiated connections, plus new
# connections to the ALLOW_FORWARD_* ports on any LAN host (normally only
# the hosts the nat section DNATs to can be reached from outside at all).
# Everything else is logged and dropped.
$IPTABLES -A forward_ext -m state --state ESTABLISHED,RELATED -j ACCEPT

# fwd_in_allow PROTO PORT... - accept new PROTO connections to each PORT
fwd_in_allow() {
  local proto=$1 port
  shift
  for port in "$@"; do
    $IPTABLES -A forward_ext -m state --state NEW,ESTABLISHED,RELATED -p "$proto" --dport "$port" -j ACCEPT
  done
}
# shellcheck disable=SC2086 -- the lists are space separated on purpose
fwd_in_allow tcp $ALLOW_FORWARD_TCP
fwd_in_allow udp $ALLOW_FORWARD_UDP

$IPTABLES -A forward_ext -p tcp -j LOG --log-prefix "BLACK-STAR-FW fwd-in blocked:" -m limit --limit 1/s
$IPTABLES -A forward_ext -p udp -j LOG --log-prefix "BLACK-STAR-FW fwd-in blocked:" -m limit --limit 1/s
$IPTABLES -A forward_ext -m state --state NEW,INVALID -j DROP
$IPTABLES -A forward_ext -j DROP
echo " - done"
#-----------------input_int
echo -n "setting up chain input_int"
# LAN -> firewall host. Only packets arriving on INT_IF with a LOCAL_IPS
# source reach this chain (see the dispatch rules at the end of the script).
case "$PROTECT_FROM_INTERNAL" in
  no)
    # the LAN is trusted completely
    $IPTABLES -A input_int -j ACCEPT
    ;;
  yes)
    # privileged LAN hosts, matched by source IP only (no MAC binding)
    for IP in $ALLOW_HOSTS_INSIDE; do
      $IPTABLES -A input_int -s "$IP" -j ACCEPT
    done
    $IPTABLES -A input_int -m state --state ESTABLISHED,RELATED -j ACCEPT
    # listed services plus the P2P forward ports, by destination port
    for PORT in $ALLOW_INSIDE_TCP $ALLOW_FORWARD_TCP; do
      $IPTABLES -A input_int -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport "$PORT" -j ACCEPT
    done
    for PORT in $ALLOW_INSIDE_UDP $ALLOW_FORWARD_UDP; do
      $IPTABLES -A input_int -m state --state NEW,ESTABLISHED,RELATED -p udp --dport "$PORT" -j ACCEPT
    done
    $IPTABLES -A input_int -p icmp -j ACCEPT
    $IPTABLES -A input_int -p tcp -j LOG --log-prefix "BLACK-STAR-FW tcp-in blocked:" -m limit --limit 1/s
    $IPTABLES -A input_int -p udp -j LOG --log-prefix "BLACK-STAR-FW udp-in blocked:" -m limit --limit 1/s
    $IPTABLES -A input_int -j DROP
    ;;
  # any other value: the chain stays empty and the INPUT catch-all DROP applies
esac
echo " - done"
#-----------------forward_int from inside to outside
echo -n "setting up chain forward_int"
# LAN -> Internet. Only packets arriving on INT_IF from LOCAL_IPS and
# leaving on EXT_IF reach this chain.
case "$PROTECT_FROM_INTERNAL" in
  no)
    # no egress filtering at all
    $IPTABLES -A forward_int -j ACCEPT
    ;;
  yes)
    # privileged LAN hosts, matched by source IP only (no MAC binding)
    for IP in $ALLOW_HOSTS_INSIDE; do
      $IPTABLES -A forward_int -s "$IP" -j ACCEPT
    done
    $IPTABLES -A forward_int -m state --state ESTABLISHED,RELATED -j ACCEPT
    # egress by destination port: listed services plus the P2P ports
    for PORT in $ALLOW_INSIDE_TCP $ALLOW_FORWARD_TCP; do
      $IPTABLES -A forward_int -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport "$PORT" -j ACCEPT
    done
    for PORT in $ALLOW_INSIDE_UDP $ALLOW_FORWARD_UDP; do
      $IPTABLES -A forward_int -m state --state NEW,ESTABLISHED,RELATED -p udp --dport "$PORT" -j ACCEPT
    done
    # NOTE(review): the next two loops accept NEW connections by *source*
    # port. A LAN host that binds e.g. local port 4662 can therefore reach
    # any Internet port, which defeats the egress list above. Kept as in the
    # original (behaviour-preserving rewrite); consider removing them.
    for PORT in $ALLOW_FORWARD_TCP; do
      $IPTABLES -A forward_int -m state --state NEW,ESTABLISHED,RELATED -p tcp --sport "$PORT" -j ACCEPT
    done
    for PORT in $ALLOW_FORWARD_UDP; do
      $IPTABLES -A forward_int -m state --state NEW,ESTABLISHED,RELATED -p udp --sport "$PORT" -j ACCEPT
    done
    $IPTABLES -A forward_int -p icmp -j ACCEPT
    $IPTABLES -A forward_int -p tcp -j LOG --log-prefix "BLACK-STAR-FW tcp-fw blocked:" -m limit --limit 1/s
    $IPTABLES -A forward_int -p udp -j LOG --log-prefix "BLACK-STAR-FW udp-fw blocked:" -m limit --limit 1/s
    $IPTABLES -A forward_int -j DROP
    ;;
  # any other value: the chain stays empty and the FORWARD catch-all DROP applies
esac
echo " - done"
#------------------------------------------------SEVERAL PROTECTIONS
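echo -n "enabling some protections (bogus tcp-flag combinations)"
# Removed: the former "-m limit --limit 1/s -j ACCEPT" rules for SYN, RST and
# echo-request packets in FORWARD. A rate-limited ACCEPT with no following
# DROP never limits anything — the excess simply fell through to the normal
# chains — while the packets it did accept skipped the forward_ext/forward_int
# dispatch entirely. With PROTECT_FROM_INTERNAL="yes" that let a LAN host
# reach any Internet port at the limit rate (1/s plus the default burst), and
# it did the same for any inbound packet that reaches FORWARD. The host itself
# is protected by tcp_syncookies (kernel section). A real limiter for forwarded
# traffic needs its own chain: "-m limit ... -j RETURN" followed by "-j DROP",
# jumped to from FORWARD, so that packets within the limit still pass through
# the per-direction rules.
#
# Packets with impossible flag sets — all flags (XMAS) or none (NULL), as
# sent by some port scanners — are dropped for the host and for forwarded
# traffic alike.
$IPTABLES -A INPUT   -p tcp --tcp-flags ALL ALL  -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL  -j DROP
$IPTABLES -A INPUT   -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
echo " - done"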
#-------------------------------------------nat
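echo -n "setting up some nat-stuff"
# masquerade the LAN behind the dial-up address
$IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -p all -s "$LOCAL_IPS" -j MASQUERADE
# edonkey: incoming tcp/4662 goes to the edonkey machine. 4662 is in
# ALLOW_FORWARD_TCP, so forward_ext lets the DNAT'd packets through.
if [ "$EDONKEY_CLIENT" != "disabled" ]; then
  $IPTABLES -t nat -A PREROUTING -p tcp -i "$EXT_IF" --dport 4662 -j DNAT --to-destination "$EDONKEY_CLIENT"
fi
# winmx: tcp/6699 is in ALLOW_FORWARD_TCP, but udp/6257 is in neither
# ALLOW_FORWARD list, so forward_ext dropped the DNAT'd UDP packets and the
# UDP rule never worked. Accept them, but only towards the WinMX machine.
# "-I" is used because forward_ext already ends in a DROP; the position of
# the rule is independent of the order of the script sections.
if [ "$WINMX_CLIENT" != "disabled" ]; then
  $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 6699 -j DNAT --to "$WINMX_CLIENT"
  $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport 6257 -j DNAT --to "$WINMX_CLIENT"
  $IPTABLES -I forward_ext -p udp -d "$WINMX_CLIENT" --dport 6257 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
fi
echo " - done"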
#-------------------------------------------sort connections to chains
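echo -n "enabling chains"
# Hand packets to the per-direction chains by interface. Anything else —
# e.g. packets on INT_IF whose source is not in LOCAL_IPS — falls through to
# the catch-all DROPs below.
$IPTABLES -A INPUT   -i "$EXT_IF" -j input_ext
$IPTABLES -A INPUT   -i "$INT_IF" -s "$LOCAL_IPS" -j input_int
$IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$LOCAL_IPS" -j forward_ext
$IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LOCAL_IPS" -j forward_int
echo -n -e " - done\nkilling the rest and resetting default policy"
$IPTABLES -A INPUT   -j DROP
$IPTABLES -A FORWARD -j DROP
# Final policies. INPUT and FORWARD keep DROP instead of being reset to
# ACCEPT: the explicit catch-all DROPs above already terminate both chains,
# so this changes nothing for normal traffic, but an ACCEPT policy would
# leave the box wide open the moment someone runs "iptables -F" by hand.
# OUTPUT is unrestricted in this script (only the lo accept exists), so it
# stays ACCEPT; the nat table must be ACCEPT for packets that no
# DNAT/MASQUERADE rule matches.
$IPTABLES -P INPUT   DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT  ACCEPT
$IPTABLES -t nat -P PREROUTING  ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT      ACCEPT
echo " - done"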
#------------------------------------------------TUNING
echo -n "setting up some tuning options"
# Mark a few well-known services in the IP TOS byte (mangle table), both for
# packets the firewall sends itself (OUTPUT) and for everything that arrives
# on any interface (PREROUTING), i.e. forwarded traffic too.
TABLES="OUTPUT PREROUTING"

# tos_mark CHAIN PROTO PORT_OPTION PORT TOS - one stateful TOS rule
tos_mark() {
  $IPTABLES -t mangle -A "$1" -p "$2" "$3" "$4" -m state --state NEW,ESTABLISHED,RELATED -j TOS --set-tos "$5"
}

for i in $TABLES; do
  tos_mark "$i" tcp --sport 22 Minimize-Delay        # SSH, replies
  tos_mark "$i" tcp --dport 22 Minimize-Delay        # SSH, requests
  tos_mark "$i" tcp --sport 21 Maximize-Throughput   # FTP control (port 21; the
  tos_mark "$i" tcp --dport 21 Maximize-Throughput   # data channel is 20/passive)
  tos_mark "$i" tcp --sport 80 Maximize-Throughput   # HTTP, replies
  tos_mark "$i" tcp --dport 80 Maximize-Throughput   # HTTP, requests
  tos_mark "$i" tcp --sport 53 Minimize-Delay        # DNS over TCP, replies
  tos_mark "$i" udp --dport 53 Minimize-Delay        # DNS over UDP, queries
  # ed2k bulk data towards the edonkey machine - left disabled as in the original:
  #test "$EDONKEY_CLIENT" = "disabled" || \
  #$IPTABLES -A $i -j TOS -m state --state NEW,ESTABLISHED,RELATED -t mangle -p tcp --sport 4662 -d $EDONKEY_CLIENT --set-tos Maximize-Throughput #ed2k-in
done
echo -e " - done\n\nready!"