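#!/bin/bash
# 20070330 iptables-server hse@ukr.net
# Distributed under the terms of the GNU General Public License v2 or later
#
# Example iptables script for a server that is reachable only on one
# dedicated interface of the local LAN (ppp or ethernet).
#
# !!!!!!!!!!!!!!!
# needs iptables-lo
# !!!!!!!!!!!!!!!
# The rules below jump to the user-defined chains TCPRules, BadTcp, BadGuy
# and GoodGuy, which are NOT created in this file (the "User-defined chains"
# section only holds commented-out examples); presumably iptables-lo creates
# them and the loopback rules — confirm before deploying.
#
# start in: /etc/ppp/ip-up.local
# stop  in: /etc/ppp/ip-down.local
# usage:    /etc/ppp/iptables-server <dev> <action>
#   <action> is "start" (from ip-up.local) or "stop" (from ip-down.local)
#   <dev>    is "ppp0" for ppp, "eth0" for eth0, ...
#
# "start" appends (-A) the rules and records the interface addresses under
# /etc/iptables/<dev>/; "stop" deletes (-D) the same rules using the recorded
# addresses, because the interface may already be gone.  The default policies
# are applied on both actions, so after "stop" the filter table stays
# fail-closed (policy DROP on INPUT, OUTPUT and FORWARD).

# 0 ******************* VARIABLE setup *****************************
# Before running this script set up the configuration of your network here:
ifconfig='/sbin/ifconfig'
iptables='/sbin/iptables'
modprobe='/sbin/modprobe'   # only used by the commented-out module section

#######################################
# Print usage to stderr and exit with status 1.
#######################################
usage() {
  echo 'Usage: iptables-server <device> <action>
Example:
  iptables-server eth0 start
  iptables-server eth0 stop' >&2
  exit 1
}

# Check parameters.
# The interface name is also used as a path component under /etc/iptables/,
# so reject an empty name or anything that could leave that directory.
case "$1" in
  '' | */* | . | ..) usage ;;
esac

# parameter <action> can be "start" or "stop" only; it selects whether rules
# are appended (-A) or deleted (-D).
# shellcheck disable=SC2034  # actionchain is kept from the original; unused here
case "$2" in
  start)
    action='-A'
    actionchain='-N'
    ;;
  stop)
    action='-D'
    actionchain='-X'
    ;;
  *) usage ;;
esac

# Warn, but do not abort (the exit was already disabled in the original),
# when the device node is missing: the node may not exist for ppp units and
# on "stop" the interface may already be gone.
# NOTE(review): the original test expression was lost to extraction; this is
# a plain existence check reconstructed from the error message — confirm.
if [[ ! -e "/dev/$1" ]]; then
  echo "Device /dev/$1 not exist!!!" >&2
  # exit 1
fi

# begin
# Interface setup
Interface="$1"
Device='eth0'            # not referenced below; kept as configuration
# IP address setup
LoopInterface='lo'
LoopIP='127.0.0.0/8'     # not referenced below; kept as configuration

# Figure out the current IP configuration.
# On "start" it is read from the live interface and recorded in
# /etc/iptables/<Interface>/ so that "stop" can delete exactly the same rules
# after the interface has disappeared.
# NOTE(review): the original test expression was lost to extraction; the
# "start" branch is reconstructed from the -A/-D split above — confirm.
state_dir="/etc/iptables/${Interface}"
if [[ "$2" == 'start' ]]; then
  # NOTE(review): the parsing assumes the classic net-tools output layout
  # ("inet addr:A.B.C.D  Bcast:A.B.C.D  Mask:A.B.C.D"); newer ifconfig
  # versions print a different layout — confirm on the target system.
  HostIP=$(LANG="POSIX" LC_ALL="" "${ifconfig}" "${Interface}" | grep 'inet addr' | awk -F: '{ print $2 } ' | awk '{ print $1 }')
  BroadcastIP=$(LANG="POSIX" LC_ALL="" "${ifconfig}" "${Interface}" | grep ' Bcast:' | awk -F: '{ print $3 } ' | awk '{ print $1 }')
  NetMask=$(LANG="POSIX" LC_ALL="" "${ifconfig}" "${Interface}" | grep 'inet addr' | awk -F: '{ print $4 } ' | awk '{ print $1 }')
  mkdir -p "${state_dir}"
  printf '%s\n' "${HostIP}" > "${state_dir}/HostIP"
  printf '%s\n' "${BroadcastIP}" > "${state_dir}/BroadcastIP"
  printf '%s\n' "${NetMask}" > "${state_dir}/NetMask"
else
  HostIP=$(cat "${state_dir}/HostIP")
  BroadcastIP=$(cat "${state_dir}/BroadcastIP")
  NetMask=$(cat "${state_dir}/NetMask")
fi
LocalNet="${HostIP}/${NetMask}"
#SpoofingHostIP="10.0.0.10"

# ISP Servers setup
# DHCP can be: "server", "client" or "static"
DHCP='server'
# If DHCP='client' you must set DHCP_SERVER:
DHCP_SERVER='10.0.0.10'
#ns_1='10.0.0.10'
#TimeServer='10.0.0.10'
#POP_Server='10.0.0.10'
#IMAP_Server='10.0.0.10'
#SMTP_Server='10.0.0.10'
monitoring_Server='10.0.0.10'

# Check for some kernel modules
#
# Needed to initially load modules
#
#/sbin/depmod -a
#
# Required modules
#${modprobe} ip_tables
#${modprobe} ip_conntrack
#${modprobe} iptable_filter
#${modprobe} iptable_mangle
#${modprobe} iptable_nat
#${modprobe} ipt_LOG
#${modprobe} ipt_limit
#${modprobe} ipt_state
#${modprobe} ipt_owner
#${modprobe} ipt_REJECT
#${modprobe} ipt_MASQUERADE
#${modprobe} ip_conntrack_ftp
#${modprobe} ip_conntrack_irc
#${modprobe} ip_nat_ftp
#${modprobe} ip_nat_irc

# Required proc configuration
# Enable forwarding
#echo 1 > /proc/sys/net/ipv4/ip_forward
# no IP spoofing
#if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
#  for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
#    echo 1 > $i
#  done
#fi
# Disable Source Routed Packets
#for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
#  echo 0 > $i
#done
#echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo 0 > /proc/sys/net/ipv4/ip_dynaddr

echo "
Machine type: ${MACHTYPE}
hostname: ${HOSTNAME}.${DOMAINNAME}
Interface=${Interface}
HostIP=${HostIP}
BroadcastIP=${BroadcastIP}
NetMask=${NetMask}"

# Feel free to change the following firewall rules to suit your setup.
# Note on syntax: the rules use the intrapositioned negation "-s ! addr" of
# the iptables version this script was written for; newer releases expect
# "! -s addr" — adjust if your iptables rejects the old form.

# I ******************* FILTERING TABLE rules ****************************

# (0) Policies (default) — applied on start AND stop (fail closed).
"${iptables}" -t filter -P INPUT DROP
"${iptables}" -t filter -P OUTPUT DROP
"${iptables}" -t filter -P FORWARD DROP

# Without the host address / netmask none of the ACCEPT rules below can be
# built (they would be passed empty arguments).  Stop here: the DROP
# policies are already in place, so the host stays closed rather than
# ending up with a half-applied rule set.
if [[ -z "${HostIP}" || -z "${NetMask}" ]]; then
  echo "Could not determine the IP address of ${Interface}; leaving the filter table closed." >&2
  exit 1
fi

# (1) User-defined chains
#${iptables} ${action} TCPRules -p TCP --syn -j ACCEPT
#${iptables} ${action} TCPRules -p TCP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Logging incorrect packets:
#${iptables} ${action} TCPRules -p TCP -m limit --limit 5/m -j LOG --log-prefix "iptables tcp INPUT " --log-tcp-options --log-ip-options
# Ban all IPs which try to access other ports
#${iptables} ${action} TCPRules -p TCP -s ! ${LocalNet} -m recent --name TmpBan --set -j DROP

# (2) INPUT chain rules

# Attempt to detect TCP and UDP port scans!
# Bad Guy list, we will remember them :-)
# The "recent" lists can be managed by hand:
# echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
# echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
# echo clear > /proc/net/ipt_recent/DEFAULT

# Forever: anything already on the BadGuy list is dropped.
"${iptables}" "${action}" INPUT -i "${Interface}" -m recent --name BadGuy --rcheck -j DROP
# Cache bad TCP: a non-local source touching one of these ports is recorded
# as BadGuy and dropped.
"${iptables}" "${action}" INPUT -p TCP -i "${Interface}" -s ! "${LocalNet}" -d "${HostIP}" -m multiport --dport 23,79,135,139,311,389,445,464,513,548,554,587,593,1025,1026 -m recent --name BadGuy --set -j DROP

# List of temporarily banned hosts, we will remember them too :)
# When seen within the last 60 seconds: drop and refresh the timestamp.
"${iptables}" "${action}" INPUT -i "${Interface}" -m recent --name TmpBan --update --seconds 60 -j DROP
# When seen 10 times during 600 seconds it's enough: promote to BadGuy.
"${iptables}" "${action}" INPUT -i "${Interface}" -s ! "${LocalNet}" -m recent --name TmpBan --rcheck --seconds 600 --hitcount 10 -j BadGuy
# When seen only once during 3600 seconds it's good: hand over to GoodGuy.
"${iptables}" "${action}" INPUT -i "${Interface}" -m recent --name TmpBan --rcheck --seconds 3600 --hitcount 1 -j GoodGuy
# When the TTL of the current packet matches that of the packet which hit
# the --set rule. DoS!
"${iptables}" "${action}" INPUT -i "${Interface}" -m recent --name TmpBan --update --rttl -j DROP

# Bad TCP packets we don't want.
"${iptables}" "${action}" INPUT -p TCP -j BadTcp

# Rules for incoming packets from the local computer:
"${iptables}" "${action}" INPUT -p ALL -i "${LoopInterface}" -d "${HostIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
"${iptables}" "${action}" INPUT -p ALL -i "${Interface}" -s "${HostIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# Rules for broadcast — only when the interface has a broadcast address
# (an empty BroadcastIP would otherwise produce malformed rules).
# NOTE(review): the original test expression was lost to extraction;
# reconstructed as a non-empty check on BroadcastIP — confirm.
if [[ -n "${BroadcastIP}" ]]; then
  # In Microsoft Networks you will be swamped by broadcasts. These lines
  # will prevent them from showing up in the logs.
  "${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -d "${BroadcastIP}" --dport 135:139 -j DROP
  "${iptables}" "${action}" INPUT -p ALL -i "${Interface}" -d "${BroadcastIP}" -j ACCEPT
fi

# Rules for multicasts
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs.
"${iptables}" "${action}" INPUT -i "${Interface}" -d 224.0.0.0/8 -j DROP

# Cache bad guy UDP
"${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -s ! "${LocalNet}" -d "${HostIP}" -m multiport --dport 19,23,79,135,139,445,1025,1026 -m recent --name BadGuy --set -j DROP

# Packets for established connections
# Rules for incoming packets from the Internet
"${iptables}" "${action}" INPUT -p ALL -i "${Interface}" -s 0/0 -d "${HostIP}" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# TCP rules
# Internet:
### FTP DATA 20 # FTP 21 # SSH 22 # MTA 25 # DNS 53 # HTTP 80 HTTPS 443
"${iptables}" "${action}" INPUT -p TCP -i "${Interface}" -s 0/0 -d "${HostIP}" -m multiport --dport 20,21,22,25,53,80,443 -j TCPRules
# Local:
### TFTP 69,1758 # NFS 111,2049 # CUPS 631 # SWAT 901 # rndc 953 # mysql 3306
### distccd 3632 # privoxy 8118 # tor 9050
"${iptables}" "${action}" INPUT -p TCP -i "${Interface}" -s "${LocalNet}" -d "${HostIP}" -m multiport --dport 69,111,631,901,953,1758,2049,3306,3632,8118,9050 -j TCPRules
# for monitoring
"${iptables}" "${action}" INPUT -p TCP -i "${Interface}" -s "${monitoring_Server}" -d "${HostIP}" -m multiport --dport 9045,9046,9047,9048,9049 -j TCPRules
# Logging access to other TCP ports
"${iptables}" "${action}" INPUT -p TCP -i "${Interface}" -m limit --limit 5/m -j LOG --log-prefix "iptables tcp? INPUT" --log-tcp-options --log-ip-options

# UDP rules
# Internet:
### DNS
"${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -s 0/0 -d "${HostIP}" -m multiport --dport domain -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
### incoming from: # DNS 53 # NTP 123 # multimedia appl 2074,4000
"${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -s 0/0 -d "${HostIP}" -m multiport --sport 53,123,2074,4000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
### DHCP
case "${DHCP}" in
  'server')
    # For DHCP server
    "${iptables}" "${action}" INPUT -p UDP -i "${Interface}" --dport 67 --sport 68 -j ACCEPT
    ;;
  'client')
    # Information pertaining to DHCP over the Internet, if needed.
    "${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -s "${DHCP_SERVER}" --sport 67 --dport 68 -j ACCEPT
    ;;
  'static')
    # If we get DHCP requests from the outside of our network, our logs will
    # be swamped as well. This rule will block them from getting logged.
    "${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -d 255.255.255.255 --dport 67:68 -j DROP
    ;;
esac
# Local:
### TFTP 69,1758 # NFS 111,2049 # NTP 123 # multimedia appl 2074,4000
"${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -s "${LocalNet}" -d "${HostIP}" -m multiport --dport 69,111,123,1758,2049,2074,4000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Logging access to other UDP ports
"${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -m limit --limit 5/m -j LOG --log-prefix "iptables udp? INPUT " --log-ip-options

# ICMP rules
# Internet
# echo request (ping)
"${iptables}" "${action}" INPUT -p ICMP -i "${Interface}" -s 0/0 -d "${HostIP}" --icmp-type 8 -j ACCEPT
# time exceeded (traceroute)
"${iptables}" "${action}" INPUT -p ICMP -i "${Interface}" -s 0/0 -d "${HostIP}" --icmp-type 11 -j ACCEPT
# Logging other ICMP
"${iptables}" "${action}" INPUT -p ICMP -i "${Interface}" -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "iptables icmp? INPUT "

# Ban all IPs which try to access other ports
"${iptables}" "${action}" INPUT -i "${Interface}" -s ! "${LocalNet}" -m recent --name TmpBan --set -j DROP

# (3) FORWARD chain rules
# Bad TCP packets we don't want.
#${iptables} ${action} FORWARD -p TCP -j BadTcp
# ACCEPT packets we want to forward
# Logging incorrect FORWARD
"${iptables}" "${action}" FORWARD -i "${Interface}" -m limit --limit 5/m --limit-burst 3 -j LOG --log-prefix "iptables FORWARD" --log-tcp-options --log-ip-options
# Ban all IPs which try to access other hosts
"${iptables}" "${action}" FORWARD -i "${Interface}" -s ! "${LocalNet}" -m recent --name TmpBan --set -j DROP

# (4) OUTPUT chain rules
# Bad TCP packets we don't want.
#${iptables} ${action} OUTPUT -p TCP -j BadTcp
# Only output packets from local addresses, no spoofing
"${iptables}" "${action}" OUTPUT -p ALL -o "${LoopInterface}" -s "${HostIP}" -d 0/0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Only output packets from selected service users!!! Better done in SELinux...
# Each account gets an identical ACCEPT rule; the list is kept in the
# original order.  A rule for an account that does not exist on the host
# fails to load (as in the original) and that user simply gets no egress.
output_users=(amanda apache cluster dhcp distcc ftp ldap monitoring mysql named privoxy postfix radiusd rpc squid sshd tor)
for user in "${output_users[@]}"; do
  "${iptables}" "${action}" OUTPUT -p ALL -o "${Interface}" -s "${HostIP}" -d 0/0 -m owner --uid-owner "${user}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
done
#${iptables} ${action} OUTPUT -p ALL -o ${Interface} -s ${HostIP} -d 0/0 -m owner --uid-owner root -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#${iptables} ${action} OUTPUT -p ALL -o ${Interface} -s ${HostIP} -d 0/0 -m owner --uid-owner ebuild -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#${iptables} ${action} OUTPUT -p ALL -o ${Interface} -s ${HostIP} -d 0/0 -m owner --cmd-owner /usr/bin/wget -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Output packets from all local applications
#${iptables} ${action} OUTPUT -p ALL -o ${Interface} -s ${HostIP} -d 0/0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# for spoofing edit the next line
#${iptables} ${action} OUTPUT -p ALL -o ${Interface} -s ${SpoofingHostIP} -j ACCEPT
# Logging incorrect OUTPUT
"${iptables}" "${action}" OUTPUT -o "${Interface}" -m limit --limit 5/m -j LOG --log-prefix "iptables OUTPUT " --log-tcp-options --log-ip-options

# (1 Delete) User-defined chains

# II ***************** MANGLE TABLE rules *****************************
# (0) Policies (default)
"${iptables}" -t mangle -P PREROUTING ACCEPT
"${iptables}" -t mangle -P INPUT ACCEPT
"${iptables}" -t mangle -P FORWARD ACCEPT
"${iptables}" -t mangle -P OUTPUT ACCEPT
"${iptables}" -t mangle -P POSTROUTING ACCEPT
# (1) Mangle USER defined chain rules
# (2) Mangle PREROUTING chain rules
# (3) Mangle INPUT chain rules
# (4) Mangle FORWARD chain rules
# (5) Mangle OUTPUT chain rules
# (6) Mangle POSTROUTING chain rules

# III ***************** NAT TABLE rules *******************************
# (0) Policies (default)
# NOTE(review): the nat table only sees the first packet of a connection;
# a DROP policy here acts as an extra filter on new connections and is
# unusual — confirm this is intended rather than relying on the filter table.
"${iptables}" -t nat -P PREROUTING DROP
# (1) NAT USER defined chain rules
# (2) PREROUTING chain rules: REDIRECTION and PORT MAPPING
# Rules for incoming packets from the Internet
"${iptables}" -t nat "${action}" PREROUTING -p ALL -d "${HostIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Only output packets from local addresses, no spoofing
"${iptables}" -t nat "${action}" PREROUTING -p ALL -s "${HostIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# for spoofing edit the next line
#${iptables} -t nat ${action} PREROUTING -p ALL -s ${SpoofingHostIP} -j ACCEPT
# Logging incorrect access
"${iptables}" -t nat "${action}" PREROUTING -p ALL -i "${Interface}" -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables nat PREROUTING" --log-tcp-options --log-ip-options
# Ban all IPs which try to access other hosts
"${iptables}" -t nat "${action}" PREROUTING -i "${Interface}" -s ! "${LocalNet}" -m recent --name TmpBan --set -j DROP
# (3) OUTPUT chain rules
# (4) POSTROUTING chain rules: NAT or MASQUERADE

# IV ***************** RAW TABLE rules *******************************
# (0) Policies (default)
#${iptables} -t raw -P PREROUTING ACCEPT
#${iptables} -t raw -P OUTPUT ACCEPT
# (1) Raw USER defined chain rules
# (2) Raw PREROUTING chain rules
# (3) Raw OUTPUT chain rules

exit 0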