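#!/bin/bash
# 20070330 iptables-workstation hse@ukr.net
# Distributed under the terms of the GNU General Public License v2 or later
#
# Workstation ruleset for ONE interface on a local LAN.
#
# !!!!!!!!!!!!!!!!!
# needs iptables-lo: the chains BadTcp, TCPRules, BadGuy and GoodGuy are
# jumped to below but are NOT created by this script.
# !!!!!!!!!!!!!!!!!
#
# Example iptables script for ppp:
#   start from: /etc/ppp/ip-up.local
#   stop  from: /etc/ppp/ip-down.local
# usage: /etc/ppp/iptables-workstation <dev> <action>
#   <dev>    interface name: "ppp0" for ppp, "eth0" for ethernet, ...
#   <action> "start" (in ip-up.local) or "stop" (in ip-down.local)
#
# On "start" the current address/mask/broadcast of <dev> is read from
# ifconfig and saved under /etc/iptables/<dev>/; on "stop" the same values
# are read back so that exactly the rules that were added can be deleted
# even though the interface may already be gone.
#
# Deliberately no `set -e`: on "stop" every rule is removed with -D, and a
# rule that was never added (e.g. the broadcast rules when the interface had
# no broadcast address) must not abort the rest of the teardown.
set -u

# 0 ******************* VARIABLE setup *****************************
ifconfig='/sbin/ifconfig'
iptables='/sbin/iptables'
# shellcheck disable=SC2034  # only used by the commented module-loading block
modprobe='/sbin/modprobe'
# Saved address state, one directory per interface (see header).
state_root='/etc/iptables'

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print usage to stderr and exit with status 1.
#######################################
usage() {
  printf '%s\n' 'Usage:
iptables-workstation <device> <action>
Example:
iptables-workstation eth0 start
iptables-workstation eth0 stop' >&2
  exit 1
}

#######################################
# Reject values that cannot be a Linux netdev name or that would be
# mis-parsed downstream. <dev> is spliced into a filesystem path
# (${state_root}/<dev>, created with mkdir -p) and passed to iptables as
# the -i/-o argument, so "../.." or "-j" must never get that far.
# Arguments: $1 - interface name
# Returns:   0 if acceptable; exits via die otherwise
#######################################
validate_interface() {
  local dev=$1
  case "${dev}" in
    '' | . | .. | */* | -* | *[[:space:]]*)
      die "Invalid interface name: '${dev}'"
      ;;
  esac
  # IFNAMSIZ is 16 bytes including the terminating NUL.
  (( ${#dev} <= 15 )) || die "Interface name too long: '${dev}'"
}

#######################################
# Extract one colon-separated field from `ifconfig <Interface>` output.
# Parses the classic net-tools format "inet addr:A  Bcast:B  Mask:M";
# newer net-tools and iproute2 print a different layout — confirm on the
# target system.
# Globals:   ifconfig, Interface (read)
# Arguments: $1 - grep pattern selecting the line
#            $2 - 1-based field number (fields split on ':')
# Outputs:   first whitespace-delimited word of that field, or nothing
#######################################
ifconfig_field() {
  local pattern=$1 field=$2
  LANG="POSIX" LC_ALL="" "${ifconfig}" "${Interface}" 2>/dev/null \
    | grep -- "${pattern}" \
    | awk -F: -v f="${field}" '{ print $f }' \
    | awk '{ print $1 }'
}

# Check parameters
(( $# >= 2 )) || usage
Interface=$1
validate_interface "${Interface}"
# <action> maps to the iptables rule verb: "-A" (append) or "-D" (delete).
case "$2" in
  start)
    action='-A'
    actionchain='-N'
    ;;
  stop)
    action='-D'
    actionchain='-X'
    ;;
  *)
    usage
    ;;
esac
# shellcheck disable=SC2034  # referenced by the commented user-chain blocks
: "${actionchain}"

# Network interfaces are not device nodes under /dev; a live netdev shows up
# in sysfs. Warning only: when ip-down.local runs the ppp interface is
# usually already gone, and "stop" works from the saved state anyway.
if [[ ! -d "/sys/class/net/${Interface}" ]]; then
  printf 'Warning: interface %s is not present\n' "${Interface}" >&2
fi

# Default policies are set before anything that can fail below, so that an
# aborted run (no address, missing saved state) still leaves the host
# closed rather than half-configured.
# I-(0) filter policies
"${iptables}" -t filter -P INPUT DROP
"${iptables}" -t filter -P OUTPUT DROP
"${iptables}" -t filter -P FORWARD DROP
# III-(0) nat policies
"${iptables}" -t nat -P PREROUTING DROP
#"${iptables}" -t nat -P OUTPUT DROP
#"${iptables}" -t nat -P POSTROUTING DROP

# Before running this script set up your network configuration here:
# begin
# Interface setup
# shellcheck disable=SC2034  # kept for the companion scripts
Device='modem'
# IP address setup
LoopInterface='lo'
# shellcheck disable=SC2034
LoopIP='127.0.0.0/8'
state_dir="${state_root}/${Interface}"

# Figure out the current IP configuration (start) or restore it (stop).
if [[ "${action}" == '-A' ]]; then
  HostIP=$(ifconfig_field 'inet addr' 2)
  BroadcastIP=$(ifconfig_field ' Bcast:' 3)   # empty on point-to-point links
  NetMask=$(ifconfig_field 'inet addr' 4)
  # Without these every -s/-d argument below would be malformed.
  [[ -n "${HostIP}" && -n "${NetMask}" ]] \
    || die "Cannot determine address/netmask of ${Interface}; is it up?"
  mkdir -p -- "${state_dir}" || die "Cannot create ${state_dir}"
  printf '%s\n' "${HostIP}" > "${state_dir}/HostIP"
  printf '%s\n' "${BroadcastIP}" > "${state_dir}/BroadcastIP"
  printf '%s\n' "${NetMask}" > "${state_dir}/NetMask"
else
  for f in HostIP BroadcastIP NetMask; do
    [[ -r "${state_dir}/${f}" ]] \
      || die "Missing saved state ${state_dir}/${f}; was 'start' run for ${Interface}?"
  done
  HostIP=$(cat -- "${state_dir}/HostIP")
  BroadcastIP=$(cat -- "${state_dir}/BroadcastIP")
  NetMask=$(cat -- "${state_dir}/NetMask")
fi
LocalNet="${HostIP}/${NetMask}"
#SpoofingHostIP="10.0.0.10"

# ISP servers setup
# DHCP can be: "server", "client" or "static"
DHCP='static'
# If DHCP='client' you must set DHCP_SERVER:
DHCP_SERVER='10.0.0.10'
#ns_1='10.0.0.10'
#TimeServer='10.0.0.10'
#POP_Server='10.0.0.10'
#IMAP_Server='10.0.0.10'
#SMTP_Server='10.0.0.10'
monitoring_Server='10.0.0.10'

# Kernel modules, needed only where they are not autoloaded:
#/sbin/depmod -a
#"${modprobe}" ip_tables
#"${modprobe}" ip_conntrack
#"${modprobe}" iptable_filter
#"${modprobe}" iptable_mangle
#"${modprobe}" iptable_nat
#"${modprobe}" ipt_LOG
#"${modprobe}" ipt_limit
#"${modprobe}" ipt_state
#"${modprobe}" ipt_owner
#"${modprobe}" ipt_REJECT
#"${modprobe}" ipt_MASQUERADE
#"${modprobe}" ip_conntrack_ftp
#"${modprobe}" ip_conntrack_irc
#"${modprobe}" ip_nat_ftp
#"${modprobe}" ip_nat_irc
# Required proc configuration
# Enable forwarding
#echo 1 > /proc/sys/net/ipv4/ip_forward
# No IP spoofing (reverse-path filter)
#for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
#  echo 1 > "$i"
#done
# Disable source-routed packets
#for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
#  echo 0 > "$i"
#done
#echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo 0 > /proc/sys/net/ipv4/ip_dynaddr

printf ' Machine type: %s hostname: %s.%s\nInterface=%s HostIP=%s BroadcastIP=%s NetMask=%s\n' \
  "${MACHTYPE}" "${HOSTNAME}" "${DOMAINNAME:-}" \
  "${Interface}" "${HostIP}" "${BroadcastIP}" "${NetMask}"
# end

# Feel free to change the firewall rules below to suit your setup.
# Note on syntax: `-s ! x` is the pre-1.4 spelling of a negated match;
# current iptables expects `! -s x`.
# I ******************* FILTERING TABLE rules ****************************
# (0) Policies: set above, before address discovery.
# (1) User-defined chains
#if [[ "${actionchain}" == '-N' ]]; then
#  "${iptables}" "${actionchain}" "TCPRules_${Interface}"
#fi
#"${iptables}" "${action}" "TCPRules_${Interface}" -p TCP --syn -j ACCEPT
#"${iptables}" "${action}" "TCPRules_${Interface}" -p TCP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Logging incorrect packets:
#"${iptables}" "${action}" "TCPRules_${Interface}" -p TCP -m limit --limit 5/m -j LOG --log-prefix "iptables tcp INPUT " --log-tcp-options --log-ip-options
# Ban all IPs which try to access other ports
#"${iptables}" "${action}" "TCPRules_${Interface}" -p TCP -s ! "${LocalNet}" -m recent --name TmpBan --set -j DROP

# (2) INPUT chain rules
# Attempt to detect TCP and UDP port scans.
# Bad Guy list, we will remember them :-)
#   echo xx.xx.xx.xx  > /proc/net/ipt_recent/DEFAULT   (add)
#   echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT   (remove)
#   echo clear        > /proc/net/ipt_recent/DEFAULT   (flush)
# Forever
"${iptables}" "${action}" INPUT -i "${Interface}" -m recent --name BadGuy --rcheck -j DROP
# Cache bad guy TCP: off-LAN sources probing well-known service ports
"${iptables}" "${action}" INPUT -p TCP -i "${Interface}" -s ! "${LocalNet}" -d "${HostIP}" -m multiport --dport 20,21,22,23,79,135,139,311,389,445,593,1025,1026,3128 -m recent --name BadGuy --set -j DROP
# List of temporarily banned, we will remember them too :)
# When seen within the last 60 seconds
"${iptables}" "${action}" INPUT -i "${Interface}" -m recent --name TmpBan --update --seconds 60 -j DROP
# When seen 7 times during 600 seconds it's enough: promote to BadGuy
"${iptables}" "${action}" INPUT -i "${Interface}" -s ! "${LocalNet}" -m recent --name TmpBan --rcheck --seconds 600 --hitcount 7 -j BadGuy
# When seen once during 3600 seconds it's good
"${iptables}" "${action}" INPUT -i "${Interface}" -m recent --name TmpBan --rcheck --seconds 3600 --hitcount 1 -j GoodGuy
# When the TTL of the current packet matches that of the packet which hit the --set rule. DoS!
"${iptables}" "${action}" INPUT -i "${Interface}" -m recent --name TmpBan --update --rttl -j DROP
# Bad TCP packets we don't want (chain from iptables-lo).
"${iptables}" "${action}" INPUT -p TCP -j BadTcp
# Rules for incoming packets from the local computer:
"${iptables}" "${action}" INPUT -p ALL -i "${LoopInterface}" -d "${HostIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
"${iptables}" "${action}" INPUT -p ALL -i "${Interface}" -s "${HostIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Rules for broadcast (only when the interface has a broadcast address)
if [[ -n "${BroadcastIP}" ]]; then
  # In Microsoft networks you will be swamped by broadcasts. These lines keep them out of the logs.
  "${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -d "${BroadcastIP}" --dport 135:139 -j DROP
  "${iptables}" "${action}" INPUT -p ALL -i "${Interface}" -d "${BroadcastIP}" -j ACCEPT
fi
# Rules for multicasts
# If you have a Microsoft network outside your firewall you may also get flooded by multicasts. Drop them so the logs stay readable.
"${iptables}" "${action}" INPUT -i "${Interface}" -d 224.0.0.0/8 -j DROP
# Cache bad guy UDP
"${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -s ! "${LocalNet}" -d "${HostIP}" -m multiport --dport 20,21,22,23,135,139,1025,1026 -m recent --name BadGuy --set -j DROP
# Packets for established connections
# Rules for incoming packets from the Internet
"${iptables}" "${action}" INPUT -p ALL -i "${Interface}" -s 0/0 -d "${HostIP}" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# TCP rules
# Internet:
### FTP 21 # SSH 22 # MTA 25 # DNS 53 # HTTP 80 HTTPS 443 # ICQ 4000
#"${iptables}" "${action}" INPUT -p TCP -i "${Interface}" -s 0/0 -d "${HostIP}" -m multiport --dport 53,4000 -j TCPRules
# Local:
### TFTP 69,1758 # NFS 111,2049 # CUPS 631 # SWAT 901 # rndc 953 # mysql 3306 # distccd 3632 # privoxy 8118 # tor 9050
"${iptables}" "${action}" INPUT -p TCP -i "${Interface}" -s "${LocalNet}" -d "${HostIP}" -m multiport --dport 111,631,901,2049,3632 -j TCPRules #TCPRules_${Interface}
# For monitoring
"${iptables}" "${action}" INPUT -p TCP -i "${Interface}" -s "${monitoring_Server}" -d "${HostIP}" -m multiport --dport 9045,9046,9047,9048,9049 -j TCPRules #TCPRules_${Interface}
# Logging access to other TCP ports
"${iptables}" "${action}" INPUT -p TCP -i "${Interface}" -m limit --limit 5/m -j LOG --log-prefix "iptables tcp? INPUT" --log-tcp-options --log-ip-options
# UDP rules
# Internet:
### DNS 53 # ICQ 4000
#"${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -s 0/0 -d "${HostIP}" -m multiport --dport 53,4000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
### incoming from: # DNS 53 # NTP 123 # multimedia appl 2074,4000
#"${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -s 0/0 -d "${HostIP}" -m multiport --sport 53,123,2074,4000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
### DHCP
case "${DHCP}" in
  server)
    # For a DHCP server
    "${iptables}" "${action}" INPUT -p UDP -i "${Interface}" --dport 67 --sport 68 -j ACCEPT
    ;;
  client)
    # DHCP replies from the configured server only.
    "${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -s "${DHCP_SERVER}" --sport 67 --dport 68 -j ACCEPT
    ;;
  static)
    # DHCP requests from outside our network would swamp the logs; drop them unlogged.
    "${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -d 255.255.255.255 --dport 67:68 -j DROP
    ;;
esac
# Local:
### TFTP 69,1758 # NFS 111,2049 # NTP 123 # CUPS 631 # multimedia appl 2074,4000 # distccd 3632
"${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -s "${LocalNet}" -d "${HostIP}" -m multiport --dport 111,123,631,2049,2074,3632,4000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Logging access to other UDP ports
"${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -m limit --limit 5/m -j LOG --log-prefix "iptables udp? INPUT " --log-ip-options
# ICMP rules
# Internet:
# Local:
# echo request (ping)
"${iptables}" "${action}" INPUT -p ICMP -i "${Interface}" -s "${LocalNet}" -d "${HostIP}" --icmp-type 8 -j ACCEPT
# time exceeded (traceroute)
"${iptables}" "${action}" INPUT -p ICMP -i "${Interface}" -s "${LocalNet}" -d "${HostIP}" --icmp-type 11 -j ACCEPT
# Logging other ICMP
"${iptables}" "${action}" INPUT -p ICMP -i "${Interface}" -m limit --limit 5/m -j LOG --log-prefix "iptables icmp? INPUT " --log-ip-options
# Ban all IPs which try to access other ports
"${iptables}" "${action}" INPUT -i "${Interface}" -s ! "${LocalNet}" -m recent --name TmpBan --set -j DROP

# (3) FORWARD chain rules
# Bad TCP packets we don't want.
#"${iptables}" "${action}" FORWARD -p TCP -j BadTcp
# ACCEPT packets we want to forward (none on a workstation)
# Logging incorrect FORWARD
"${iptables}" "${action}" FORWARD -i "${Interface}" -m limit --limit 5/m --limit-burst 3 -j LOG --log-prefix "iptables FORWARD" --log-tcp-options --log-ip-options
# Ban all IPs which try to access other
"${iptables}" "${action}" FORWARD -i "${Interface}" -s ! "${LocalNet}" -m recent --name TmpBan --set -j DROP

# (4) OUTPUT chain rules
# Bad TCP packets we don't want.
#"${iptables}" "${action}" OUTPUT -p TCP -j BadTcp
# Only output packets from local addresses, no spoofing
"${iptables}" "${action}" OUTPUT -p ALL -o "${LoopInterface}" -s "${HostIP}" -d 0/0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Only output packets from the tor & named services!!!
"${iptables}" "${action}" OUTPUT -p ALL -o "${Interface}" -s "${HostIP}" -d 0/0 -m owner --uid-owner tor -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
"${iptables}" "${action}" OUTPUT -p ALL -o "${Interface}" -s "${HostIP}" -d 0/0 -m owner --uid-owner named -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow some other output
#"${iptables}" "${action}" OUTPUT -p ALL -o "${Interface}" -s "${HostIP}" -d 0/0 -m owner --uid-owner ebuild -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#"${iptables}" "${action}" OUTPUT -p ALL -o "${Interface}" -s "${HostIP}" -d 0/0 -m owner --cmd-owner /usr/bin/wget -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Output packets from all local applications
#"${iptables}" "${action}" OUTPUT -p ALL -o "${Interface}" -s "${HostIP}" -d 0/0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# For spoofing edit the next line
#"${iptables}" "${action}" OUTPUT -p ALL -o "${Interface}" -s "${SpoofingHostIP}" -j ACCEPT
# Logging incorrect OUTPUT
"${iptables}" "${action}" OUTPUT -o "${Interface}" -m limit --limit 5/m -j LOG --log-prefix "iptables OUTPUT " --log-tcp-options --log-ip-options
# (1 Delete) User-defined chains
#if [[ "${actionchain}" == '-X' ]]; then
#  "${iptables}" "${actionchain}" "TCPRules_${Interface}"
#fi

# II ***************** MANGLE TABLE rules *****************************
# Nothing here for a workstation (policies, PREROUTING, INPUT, FORWARD,
# OUTPUT, POSTROUTING all untouched).

# III ***************** NAT TABLE rules *******************************
# (0) Policies: set above, before address discovery.
# (1) NAT user-defined chain rules
# (2) PREROUTING chain rules: REDIRECTION and PORT MAPPING
# Rules for incoming packets from the Internet
"${iptables}" -t nat "${action}" PREROUTING -p ALL -d "${HostIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Only output packets from local addresses, no spoofing
"${iptables}" -t nat "${action}" PREROUTING -p ALL -s "${HostIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# For spoofing edit the next line
#"${iptables}" -t nat "${action}" PREROUTING -p ALL -s "${SpoofingHostIP}" -j ACCEPT
# Logging incorrect access
"${iptables}" -t nat "${action}" PREROUTING -p ALL -i "${Interface}" -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables nat PREROUTING" --log-tcp-options --log-ip-options
# Ban all IPs which try to access other
"${iptables}" -t nat "${action}" PREROUTING -i "${Interface}" -s ! "${LocalNet}" -m recent --name TmpBan --set -j DROP
# (3) OUTPUT chain rules: none
# (4) POSTROUTING chain rules (NAT or MASQUERADE): none on a workstation

# IV ***************** RAW TABLE rules *******************************
#"${iptables}" -t raw -P PREROUTING ACCEPT
#"${iptables}" -t raw -P OUTPUT ACCEPT
exit 0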