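#!/bin/bash
# 20070330 iptables-workstation hse@ukr.net
# Distributed under the terms of the GNU General Public License v2 or later
#
# Example iptables script for a workstation that only lives on the local LAN
# through one dedicated interface (ppp or ethernet).
#
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# need iptables-lo: the chains this script jumps to (BadTcp, BadGuy,
# GoodGuy, TCPRules) are NOT created here; they are expected to exist
# already.  If they do not, the rules referencing them fail to load while
# the DROP policies below are already in place.
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# start in: /etc/ppp/ip-up.local
# stop  in: /etc/ppp/ip-down.local
# usage:    /etc/ppp/iptables-workstation <dev> <action>
#   <dev>    interface name: "ppp0" for ppp, "eth0" for ethernet, ...
#   <action> "start" (from ip-up.local) or "stop" (from ip-down.local)
#
# Rules are appended (-A) on start and deleted (-D) on stop, so the same
# rule text must be produced both times.  The addresses detected on start
# are therefore cached under /etc/iptables/<dev>/ and read back on stop,
# when a ppp interface has already disappeared.

set -u

# 0 ******************* VARIABLE setup *****************************
readonly ifconfig='/sbin/ifconfig'
readonly iptables='/sbin/iptables'
readonly modprobe='/sbin/modprobe'
# Where the per-interface address cache lives.
readonly state_dir='/etc/iptables'

# Set by main() from the command line.
Interface=''
action=''       # "-A" on start, "-D" on stop
actionchain=''  # "-N" on start, "-X" on stop (only used by commented rules)
# Filled by detect_addresses() / load_addresses().
HostIP=''
BroadcastIP=''
NetMask=''
LocalNet=''

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print usage to stderr and exit 1.
#######################################
usage() {
  cat >&2 <<'EOF'
Usage: iptables-workstation <device> <action>
Example: iptables-workstation eth0 start
         iptables-workstation eth0 stop
EOF
  exit 1
}

#######################################
# Query the interface with ifconfig and cache the result for "stop".
# Globals:   Interface (read); HostIP, BroadcastIP, NetMask (written)
# Outputs:   writes the three values to ${state_dir}/${Interface}/
# Returns:   0 on success, 1 when the interface or its address is missing
#######################################
detect_addresses() {
  local cfg
  # ifconfig output is locale dependent; force the POSIX layout that the
  # awk field numbers below rely on:
  #   inet addr:A.B.C.D  Bcast:A.B.C.255  Mask:255.255.255.0
  cfg=$(LANG=POSIX LC_ALL= "${ifconfig}" "${Interface}" 2>/dev/null) || return 1
  HostIP=$(printf '%s\n' "${cfg}" | grep 'inet addr' | awk -F: '{ print $2 }' | awk '{ print $1 }')
  # A ppp link shows "P-t-P:" instead of "Bcast:", so BroadcastIP stays
  # empty there and the broadcast rules are skipped.
  BroadcastIP=$(printf '%s\n' "${cfg}" | grep ' Bcast:' | awk -F: '{ print $3 }' | awk '{ print $1 }')
  NetMask=$(printf '%s\n' "${cfg}" | grep 'inet addr' | awk -F: '{ print $4 }')
  # Without these two every "-d ${HostIP}" / "-s ${LocalNet}" rule would be
  # malformed and the host would be left with bare DROP policies.
  [[ -n "${HostIP}" && -n "${NetMask}" ]] || return 1
  mkdir -p -- "${state_dir}/${Interface}" || return 1
  printf '%s\n' "${HostIP}" > "${state_dir}/${Interface}/HostIP"
  printf '%s\n' "${BroadcastIP}" > "${state_dir}/${Interface}/BroadcastIP"
  printf '%s\n' "${NetMask}" > "${state_dir}/${Interface}/NetMask"
}

#######################################
# Read back the addresses cached by detect_addresses().
# Globals:   Interface (read); HostIP, BroadcastIP, NetMask (written)
# Returns:   0 on success, 1 when the cache is missing or empty
#######################################
load_addresses() {
  local dir="${state_dir}/${Interface}"
  [[ -r "${dir}/HostIP" && -r "${dir}/NetMask" ]] || return 1
  HostIP=$(cat -- "${dir}/HostIP")
  # Broadcast may legitimately be empty (ppp), so a missing file is fine.
  BroadcastIP=$(cat -- "${dir}/BroadcastIP" 2>/dev/null)
  NetMask=$(cat -- "${dir}/NetMask")
  [[ -n "${HostIP}" && -n "${NetMask}" ]]
}

#######################################
# Add (start) or delete (stop) one rule in the filter table.
# Globals:   iptables, action (read)
# Arguments: the rule, starting with the chain name
#######################################
fw() {
  "${iptables}" "${action}" "$@"
}

#######################################
# Add (start) or delete (stop) one rule in the nat table.
# Globals:   iptables, action (read)
# Arguments: the rule, starting with the chain name
#######################################
fwnat() {
  "${iptables}" -t nat "${action}" "$@"
}

main() {
  local dev=${1:-} what=${2:-}

  # Check parameters: action can be "start" (-A) or "stop" (-D) only.
  case "${what}" in
    start) action='-A'; actionchain='-N' ;;
    stop)  action='-D'; actionchain='-X' ;;
    *)     usage ;;
  esac
  # The interface name becomes a path component under ${state_dir}; refuse
  # anything empty or that could escape that directory.
  case "${dev}" in
    ''|*/*|*..*|*' '*) usage ;;
  esac

  # befor runing this script setup configuration of yore network here:
  # begin
  # Interface setup
  Interface=${dev}

  # Ip Address setup
  local LoopInterface='lo'

  # Figure out current ip configuration: query the live interface on start,
  # use the cached copy on stop (a ppp interface is already gone by then).
  if [[ "${action}" == '-A' ]]; then
    detect_addresses || die "Cannot read an IP address from interface ${Interface}"
  else
    load_addresses || die "No cached addresses for ${Interface} in ${state_dir}; cannot remove rules"
  fi
  LocalNet="${HostIP}/${NetMask}"
  #SpoofingHostIP="10.0.0.10"

  # ISP Servers setup
  # DHCP can be: "server", "client" or "static"
  local DHCP='static'
  # If DHCP='client' you must setup DHCP_SERVER:
  local DHCP_SERVER='10.0.0.10'
  #ns_1='10.0.0.10'
  #TimeServer='10.0.0.10'
  #POP_Server='10.0.0.10'
  #IMAP_Server='10.0.0.10'
  #SMTP_Server='10.0.0.10'
  local monitoring_Server='10.0.0.10'

  # Check for some kernel modules
  # Needed to initially load modules
  #/sbin/depmod -a
  # Required modules
  #for m in ip_tables ip_conntrack iptable_filter iptable_mangle iptable_nat \
  #         ipt_LOG ipt_limit ipt_state ipt_owner ipt_REJECT ipt_MASQUERADE \
  #         ip_conntrack_ftp ip_conntrack_irc ip_nat_ftp ip_nat_irc; do
  #  "${modprobe}" "$m"
  #done

  # Required proc configuration
  # Enable forwarding
  #echo 1 > /proc/sys/net/ipv4/ip_forward
  # no IP spoofing
  #for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$i"; done
  # Disable Source Routed Packets
  #for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > "$i"; done
  #echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
  #echo 0 > /proc/sys/net/ipv4/ip_dynaddr

  printf '\nMachine type: %s\nhostname: %s.%s\nInterface=%s\nHostIP=%s\nBroadcastIP=%s\nNetMask=%s\n' \
    "${MACHTYPE}" "${HOSTNAME}" "${DOMAINNAME:-}" \
    "${Interface}" "${HostIP}" "${BroadcastIP}" "${NetMask}"
  # end

  # fill free to chang next firewall ruls to yore sute

  # I ******************* FILTERING TABEL ruls ****************************
  # (0) Policies (default)
  # Set on stop as well, so the host fails closed once the rules are gone.
  "${iptables}" -t filter -P INPUT DROP
  "${iptables}" -t filter -P OUTPUT DROP
  "${iptables}" -t filter -P FORWARD DROP

  # (1) User-defined chains
  #if [[ "${actionchain}" == '-N' ]]; then
  #  "${iptables}" "${actionchain}" "TCPRules_${Interface}"
  #fi
  #fw "TCPRules_${Interface}" -p TCP --syn -j ACCEPT
  #fw "TCPRules_${Interface}" -p TCP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Loging incorect packets:
  #fw "TCPRules_${Interface}" -p TCP -m limit --limit 5/m -j LOG --log-prefix "iptables tcp INPUT " --log-tcp-options --log-ip-options
  # Bann all IP which try acces to other
  #fw "TCPRules_${Interface}" -p TCP ! -s "${LocalNet}" -m recent --name TmpBan --set -j DROP

  # (2) INPUT chain rules
  # Attempt to detect TCP and UDP port scans!
  # Bad Guy list, we will remember them :-)
  #   echo xx.xx.xx.xx  > /proc/net/ipt_recent/DEFAULT
  #   echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
  #   echo clear        > /proc/net/ipt_recent/DEFAULT
  # Note: "! -s" is the current negation syntax; the old "-s !" form is
  # deprecated and rejected by newer iptables.
  # Forever
  fw INPUT -i "${Interface}" -m recent --name BadGuy --rcheck -j DROP
  # Cache bad guy TCP
  fw INPUT -p TCP -i "${Interface}" ! -s "${LocalNet}" -d "${HostIP}" \
    -m multiport --dport 20,21,22,23,79,135,139,311,389,445,593,1025,1026,3128 \
    -m recent --name BadGuy --set -j DROP
  # List of temporiary banned, we will remember them too :)
  # When seen last 60 seconds
  fw INPUT -i "${Interface}" -m recent --name TmpBan --update --seconds 60 -j DROP
  # When seen 7 times during 600 seconds it's enoph -> BadGuy chain (from iptables-lo)
  fw INPUT -i "${Interface}" ! -s "${LocalNet}" -m recent --name TmpBan --rcheck --seconds 600 --hitcount 7 -j BadGuy
  # When seen only once during 3600 seconds it's good -> GoodGuy chain (from iptables-lo)
  fw INPUT -i "${Interface}" -m recent --name TmpBan --rcheck --seconds 3600 --hitcount 1 -j GoodGuy
  # When TTL of the current packet matches that of the packet which hit the --set rule. DoS!
  fw INPUT -i "${Interface}" -m recent --name TmpBan --update --rttl -j DROP

  # Bad TCP packets we don't want (BadTcp chain from iptables-lo).
  fw INPUT -p TCP -j BadTcp

  # Rules for incoming packets from local computer:
  fw INPUT -p ALL -i "${LoopInterface}" -d "${HostIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  fw INPUT -p ALL -i "${Interface}" -s "${HostIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

  # Rules for broadcast
  # NOTE(review): the original guard here was lost; a non-empty broadcast
  # address (i.e. not a ppp link) is the condition that makes the rules valid.
  if [[ -n "${BroadcastIP}" ]]; then
    # In Microsoft Networks you will be swamped by broadcasts. These lines
    # will prevent them from showing up in the logs.
    fw INPUT -p UDP -i "${Interface}" -d "${BroadcastIP}" --dport 135:139 -j DROP
    fw INPUT -p ALL -i "${Interface}" -d "${BroadcastIP}" -j ACCEPT
  fi

  # Rules for multicasts
  # If you have a Microsoft Network on the outside of your firewall, you may
  # also get flooded by Multicasts. We drop them so we do not get flooded by logs
  fw INPUT -i "${Interface}" -d 224.0.0.0/8 -j DROP

  # Cache bad guy UDP
  fw INPUT -p UDP -i "${Interface}" ! -s "${LocalNet}" -d "${HostIP}" \
    -m multiport --dport 20,21,22,23,135,139,1025,1026 \
    -m recent --name BadGuy --set -j DROP

  # Packets for established conections
  # Rules for incoming packets from Internet
  fw INPUT -p ALL -i "${Interface}" -s 0/0 -d "${HostIP}" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  #TCP rules
  #Internet: ### FTP 21 # SHH 22 # MTA 25 # DNS 53 # HTTP 80 HTTPS 443 # ICQ 4000
  #fw INPUT -p TCP -i "${Interface}" -s 0/0 -d "${HostIP}" -m multiport --dport 53,4000 -j TCPRules
  #Local: ### TFTP 69,1758 # NFS 111,2049 # CUPS 631 # SWAT 901 # rndc 953 # mysql 3306 # distccd 3632 # privoxy 8118 # tor 9050
  fw INPUT -p TCP -i "${Interface}" -s "${LocalNet}" -d "${HostIP}" \
    -m multiport --dport 111,631,901,2049,3632 -j TCPRules #TCPRules_${Interface}
  # for monitoring
  fw INPUT -p TCP -i "${Interface}" -s "${monitoring_Server}" -d "${HostIP}" \
    -m multiport --dport 9045,9046,9047,9048,9049 -j TCPRules #TCPRules_${Interface}
  # Loging acces to other TCP ports
  fw INPUT -p TCP -i "${Interface}" -m limit --limit 5/m -j LOG --log-prefix "iptables tcp? INPUT" --log-tcp-options --log-ip-options

  # UDP rules
  #Internet: ### DNS 53 # ICQ 4000
  #fw INPUT -p UDP -i "${Interface}" -s 0/0 -d "${HostIP}" -m multiport --dport 53,4000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  ###incoming from:# DNS 53 # NTP 123 # multimedia appl 2074,4000
  #fw INPUT -p UDP -i "${Interface}" -s 0/0 -d "${HostIP}" -m multiport --sport 53,123,2074,4000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  ### DHCP
  case "${DHCP}" in
    'server')
      # For DHCP server
      fw INPUT -p UDP -i "${Interface}" --dport 67 --sport 68 -j ACCEPT
      ;;
    'client')
      # Information pertaining to DHCP over the Internet, if needed.
      fw INPUT -p UDP -i "${Interface}" -s "${DHCP_SERVER}" --sport 67 --dport 68 -j ACCEPT
      ;;
    'static')
      # If we get DHCP requests from the Outside of our network, our logs will
      # be swamped as well. This rule will block them from getting logged.
      fw INPUT -p UDP -i "${Interface}" -d 255.255.255.255 --dport 67:68 -j DROP
      ;;
  esac
  #Local: ### TFTP 69,1758 # NFS 111,2049 # NTP 123 # CUPS 631 # multimedia appl 2074,4000 # distccd 3632
  fw INPUT -p UDP -i "${Interface}" -s "${LocalNet}" -d "${HostIP}" \
    -m multiport --dport 111,123,631,2049,2074,3632,4000 \
    -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  # Loging acces to other UDP ports
  fw INPUT -p UDP -i "${Interface}" -m limit --limit 5/m -j LOG --log-prefix "iptables udp? INPUT " --log-ip-options

  #ICMP rules
  #Internet:
  #Local:
  # echo reply (ping)
  fw INPUT -p ICMP -i "${Interface}" -s "${LocalNet}" -d "${HostIP}" --icmp-type 8 -j ACCEPT
  # time to live (traceroute)
  fw INPUT -p ICMP -i "${Interface}" -s "${LocalNet}" -d "${HostIP}" --icmp-type 11 -j ACCEPT
  # Loging other ICMP
  fw INPUT -p ICMP -i "${Interface}" -m limit --limit 5/m -j LOG --log-prefix "iptables icmp? INPUT " --log-ip-options

  # Bann all IP which try acces to other
  fw INPUT -i "${Interface}" ! -s "${LocalNet}" -m recent --name TmpBan --set -j DROP

  #(3) FORWARD chain rules
  # Bad TCP packets we don't want.
  #fw FORWARD -p TCP -j BadTcp
  # ACCEPT packets we wont to forward
  # Loging incorect FORWARD
  fw FORWARD -i "${Interface}" -m limit --limit 5/m --limit-burst 3 -j LOG --log-prefix "iptables FORWARD" --log-tcp-options --log-ip-options
  # Bann all IP which try acces to other
  fw FORWARD -i "${Interface}" ! -s "${LocalNet}" -m recent --name TmpBan --set -j DROP

  # (4) OUTPUT chain rules
  # Bad TCP packets we don't want.
  #fw OUTPUT -p TCP -j BadTcp
  #Only output packets from local addresses no spoofing
  fw OUTPUT -p ALL -o "${LoopInterface}" -s "${HostIP}" -d 0/0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  #Only output packets from tor & named services!!!
  fw OUTPUT -p ALL -o "${Interface}" -s "${HostIP}" -d 0/0 -m owner --uid-owner tor -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  fw OUTPUT -p ALL -o "${Interface}" -s "${HostIP}" -d 0/0 -m owner --uid-owner named -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  #Allow some other output
  #fw OUTPUT -p ALL -o "${Interface}" -s "${HostIP}" -d 0/0 -m owner --uid-owner ebuild -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  #fw OUTPUT -p ALL -o "${Interface}" -s "${HostIP}" -d 0/0 -m owner --cmd-owner /usr/bin/wget -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  #Output packets from all local appl
  #fw OUTPUT -p ALL -o "${Interface}" -s "${HostIP}" -d 0/0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  #for spoofing edit next line
  #fw OUTPUT -p ALL -o "${Interface}" -s "${SpoofingHostIP}" -j ACCEPT
  # Loging incorect OUTPUT
  fw OUTPUT -o "${Interface}" -m limit --limit 5/m -j LOG --log-prefix "iptables OUTPUT " --log-tcp-options --log-ip-options

  # (1 Delete) User-defined chains
  #if [[ "${actionchain}" == '-X' ]]; then
  #  "${iptables}" "${actionchain}" "TCPRules_${Interface}"
  #fi

  # II ***************** MANGLE TABEL ruls *****************************
  # (0) Policies (default)
  # (1) Mangel USER define chain rules
  # (2) Mangel PREROUTING chain rules
  # (3) Mangel INPUT chain rules
  # (4) Mangel FORWARD chain rules
  # (5) Mangel OUTPUT chain rules
  # (6) Mangel POSTROUTING chain rules
  # (nothing active here)

  # III ***************** NAT TABEL ruls *******************************
  # (0) Policies (default)
  # NOTE(review): the nat table only sees the first packet of a connection;
  # a DROP policy here is unusual and newer iptables builds may not accept
  # it — filtering is already enforced in the filter table above.
  "${iptables}" -t nat -P PREROUTING DROP
  #"${iptables}" -t nat -P OUTPUT DROP
  #"${iptables}" -t nat -P POSTROUTING DROP

  # (1) NAT USER define chain rules
  # (2) PREROUTING chain rles REDIRECTION and PORTMAPING
  #INPUT
  # Rules for incoming packets from local computer and broadcast
  # Rules for incoming packets from Internet
  fwnat PREROUTING -p ALL -d "${HostIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  #OUTPUT
  #Only output packets from local addresses no spoofing
  fwnat PREROUTING -p ALL -s "${HostIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  #for spoofing edit next line
  #fwnat PREROUTING -p ALL -s "${SpoofingHostIP}" -j ACCEPT
  # Loging incorect acces
  fwnat PREROUTING -p ALL -i "${Interface}" -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables nat PREROUTING" --log-tcp-options --log-ip-options
  # Bann all IP which try acces to other
  fwnat PREROUTING -i "${Interface}" ! -s "${LocalNet}" -m recent --name TmpBan --set -j DROP

  # (3) OUTPUT chain rules
  # (4) POSTROUTING chain rules NAT or MASQUERADE
  # (nothing active here)

  # IV ***************** RAW TABEL ruls *******************************
  # (0) Policies (default)
  #"${iptables}" -t raw -P PREROUTING ACCEPT
  #"${iptables}" -t raw -P OUTPUT ACCEPT
  # (1) USER define chain rules
  # (2) PREROUTING chain rules
  # (3) OUTPUT chain rules

  exit 0
}

main "$@"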