rc.firewall
Oct 29th, 2014
#! /bin/sh
### BEGIN INIT INFO
# Provides: rc.firewall
# Required-Start: $remote_fs $syslog $network
# Required-Stop: $remote_fs $syslog $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Run /etc/init.d/rc.firewall if it exists
### END INIT INFO
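#######################################
# Write value $2 into the kernel tunable at path $1.
# Warns on stderr instead of aborting when the file is missing or not
# writable (e.g. the nf_conntrack module is not loaded yet).
# Arguments: $1 - path under /proc or /sys, $2 - value to write
# Outputs:   warning on stderr when the file cannot be written
# Returns:   status of the write, 1 when the file is unusable
#######################################
fw_write_tunable() {
    if [ -w "$1" ]; then
        echo "$2" > "$1"
    else
        echo "rc.firewall: cannot write $1 (missing or not writable), skipping" >&2
        return 1
    fi
}

#######################################
# Install the firewall rule set: stateful INPUT filtering, SSH
# rate limiting, forwarding from the internal VLAN interfaces and
# masquerading towards the WAN link.
# Set up using https://wiki.archlinux.org/index.php/simple_stateful_firewall
# Globals (read, all optional; defaults are the values that used to be
# hard-coded here):
#   FW_LAN_NET - trusted LAN subnet, exempt from the SSH rate limit and
#                allowed to query dnsmasq (default 192.168.0.0/20)
#   FW_LAN_IFS - space-separated internal interfaces whose traffic may be
#                forwarded (default "eth1.100 eth1.101 eth1.2 eth1.3 eth0")
#   FW_WAN_IF  - external interface that gets masqueraded (default ppp0)
# Outputs:   progress messages on stdout, warnings on stderr
# Returns:   status of the last command; individual iptables failures are
#            reported by iptables but are not fatal (no 'set -e' in this
#            script), as before.
#######################################
start_fw() {
    fw_lan_net=${FW_LAN_NET:-192.168.0.0/20}
    fw_lan_ifs=${FW_LAN_IFS:-"eth1.100 eth1.101 eth1.2 eth1.3 eth0"}
    fw_wan_if=${FW_WAN_IF:-ppp0}

    echo ""
    # Running 'start' twice would append every rule a second time; warn
    # (but carry on, as before) when our chains are already present.
    if iptables -n -L TCP >/dev/null 2>&1; then
        echo "rc.firewall: chain TCP already exists; rules will be duplicated, use 'restart' instead" >&2
    fi

    # For traffic incoming directly to this machine, two user-defined
    # chains are used to open up ports in the firewall.
    iptables -N TCP
    iptables -N UDP
    # Chain for SSH brute-force prevention
    iptables -N IN_SSH
    # Two chains for forwarding/NAT decisions
    iptables -N fw-interfaces
    iptables -N fw-ports-open

    # No filtering of outgoing traffic.
    iptables -P OUTPUT ACCEPT
    # Drop everything by default and explicitly allow what is needed.
    iptables -P INPUT DROP

    # Traffic belonging to established connections, or new traffic related
    # to them, is accepted.
    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Loopback is needed by many local services.
    iptables -A INPUT -i lo -j ACCEPT

    # NOTE(review): this accepts IP protocol 41 (IPv6 encapsulated in IPv4,
    # i.e. 6in4 tunnels) from ANY source before the INVALID drop below. The
    # upstream wiki text about ICMPv6 Neighbor Discovery applies to
    # ip6tables; on IPv4 this rule does nothing for ND. Kept for
    # compatibility -- confirm a 6in4 tunnel is actually in use here.
    iptables -A INPUT -p 41 -j ACCEPT
    # Drop packets with invalid headers/checksums, invalid TCP flags,
    # unsolicited ICMP errors and out-of-sequence packets. DROP rather
    # than REJECT: there is no proper reject response for INVALID packets
    # and we do not want to acknowledge them.
    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Log and accept new incoming ICMP echo requests.
    # NOTE(review): every new ping is logged without '-m limit', so a ping
    # flood also floods the log.
    iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j LOG --log-prefix "IPTABLES: Ping detected: "
    iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

    # New SSH connections go through the IN_SSH chain (brute-force
    # prevention, defined further down).
    iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH

    # Hand all other new connections to the TCP and UDP chains. Once a
    # connection is accepted there, the RELATED/ESTABLISHED rule above
    # handles the rest. New TCP connections must start with SYN; NEW but
    # not SYN is the only invalid TCP flag not covered by the INVALID
    # state, and such packets are simply not accepted here, so the REJECT
    # rules below answer them with a TCP RST.
    iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
    iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

    # Reject closed TCP ports with RST and closed UDP ports with ICMP port
    # unreachable, imitating default (RFC compliant) Linux behaviour so
    # the sender can clean up quickly.
    iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst
    # Any other protocol: ICMP protocol unreachable, again like default Linux.
    iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

    # SSH brute-force prevention: hosts on the LAN are accepted and logged;
    # any other source that opens 3 new SSH connections within 10 s is
    # dropped, and a 4th within 30 min is dropped as well. Everything is
    # logged with the "IPTABLES:" prefix (grep for it in the syslog).
    # NOTE: the LAN subnet ($fw_lan_net) is NOT rate-limited.
    echo "Blocking SSH brutforce attacks..."
    iptables -A IN_SSH -s "$fw_lan_net" -j LOG --log-prefix "IPTABLES: [INFO] SSH FROM LOCALNET: "
    iptables -A IN_SSH -s "$fw_lan_net" -j ACCEPT
    iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j LOG --log-prefix "IPTABLES: [ALARM] SSH POSSIBLE BRUTFORCE: "
    iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
    iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j LOG --log-prefix "IPTABLES: [ALARM] SSH 30 MIN COOLDOWN: "
    iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
    iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT

    # Router-specific settings: forwarded traffic is allowed if it belongs
    # to a known connection, comes in on an internal interface, or matches
    # an explicitly opened port; everything else is rejected.
    echo "Setting router-specific rules..."
    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -j fw-interfaces
    iptables -A FORWARD -j fw-ports-open
    iptables -A FORWARD -j REJECT --reject-with icmp-host-unreach
    iptables -P FORWARD DROP

    # Interfaces allowed to reach the internet (VLAN sub-interfaces made
    # with vconfig plus eth0). eth1.6 is deliberately not in the default
    # list; add it to FW_LAN_IFS to enable it.
    # shellcheck disable=SC2086 -- word-splitting on the interface list is intended
    for fw_iface in $fw_lan_ifs; do
        iptables -A fw-interfaces -i "$fw_iface" -j ACCEPT
    done

    # Masquerade everything leaving through the external interface.
    # NOTE: needs adjusting if there is more than one external interface.
    echo "Enabling NAT..."
    iptables -t nat -A POSTROUTING -o "$fw_wan_if" -j MASQUERADE

    ### OPEN PORTS HERE
    # Ports specifically for this machine: dnsmasq, LAN clients only.
    iptables -A TCP -p tcp --dport 53 -s "$fw_lan_net" -j ACCEPT
    iptables -A UDP -p udp --dport 53 -s "$fw_lan_net" -j ACCEPT
    # Port-forwarding for NAT goes into fw-ports-open (currently empty).
    # Example: redirect incoming port 8000 to a web server on 192.168.0.6:80
    #   iptables -A fw-ports-open -d 192.168.0.6 -p tcp --dport 80 -j ACCEPT
    #   iptables -t nat -A PREROUTING -i $fw_wan_if -p tcp --dport 8000 -j DNAT --to 192.168.0.6:80

    ### WARNING!!! THIS IS FULLY EXPERIMENTAL
    ### TCP/UDP TIMEOUT TUNING
    # Conntrack table sizing and timeouts. The hashsize knob only exists
    # once nf_conntrack is loaded (which the rules above ensure).
    fw_write_tunable /sys/module/nf_conntrack/parameters/hashsize 65536
    fw_write_tunable /proc/sys/net/netfilter/nf_conntrack_max 524288
    fw_write_tunable /proc/sys/net/netfilter/nf_conntrack_generic_timeout 120
    fw_write_tunable /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established 7440
    echo "Setting NAT-specific options..."
}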
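#######################################
# Remove every rule and user-defined chain and restore the kernel's
# default ACCEPT policies, so the box is left fully open (the "stop"
# state of this script).
# Arguments: none
# Outputs:   nothing on success; iptables reports tables it cannot open
#            (e.g. missing raw table module) and we carry on.
# Returns:   status of the last iptables call
#######################################
flush_fw() {
    # Policies first, so nothing is left DROPping while the rules vanish.
    for fw_chain in INPUT FORWARD OUTPUT; do
        iptables -t filter -P "$fw_chain" ACCEPT
    done
    for fw_chain in PREROUTING POSTROUTING OUTPUT; do
        iptables -t nat -P "$fw_chain" ACCEPT
    done
    # mangle has all five built-in chains; previously only two were reset.
    for fw_chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        iptables -t mangle -P "$fw_chain" ACCEPT
    done

    # Flush all rules, then delete the now-empty user-defined chains.
    # The raw table is included so "restore default" really means default.
    for fw_table in filter nat mangle raw; do
        iptables -t "$fw_table" -F
    done
    for fw_table in filter nat mangle raw; do
        iptables -t "$fw_table" -X
    done
}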
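# Dispatch on the init action. printf is used instead of 'echo -n',
# which is not portable under /bin/sh; the output bytes are unchanged.
case "$1" in
    start)
        printf '%s' "Starting firewall: iptables"
        start_fw
        printf '\n%s\n' "Starting firewall Ok!"
        ;;
    stop)
        printf '%s' "Stopping firewall: iptables"
        flush_fw
        printf '\n%s\n' "Stopping firewall Ok!"
        ;;
    save)
        printf '%s' "Saving firewall: iptables"
        # Report failure instead of claiming success when the dump could
        # not be written (read-only /etc, not root, iptables-save missing).
        if iptables-save > /etc/rules-save; then
            printf '\n%s\n' "Status save Ok!."
        else
            printf '\n%s\n' "Status save FAILED: could not write /etc/rules-save" >&2
            exit 1
        fi
        ;;
    restart)
        printf '%s' "Restarting firewall: iptables"
        flush_fw
        start_fw
        printf '\n%s\n' "Status restart Ok!"
        ;;
    *)
        echo "Usage: /etc/init.d/rc.firewall start|stop|save|restart" >&2
        exit 1
        ;;
esac
exit 0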