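#!/bin/sh
# iptables firewall for a small gateway: one external PPP link (EXTIF) and
# two internal LAN interfaces (INTIF1, INTIF2), both masqueraded behind EXTIP.
#
# Policy: set every built-in chain to DROP first, flush, add explicit accepts,
# and finish with logging DROP/REJECT rules so anything unanticipated shows
# up in the kernel log with a "DROPl:"/"REJECTl:" prefix.
# Must run as root.  Re-running is safe: all chains are flushed and the
# custom chains are re-created (errors from "-N" on an existing chain are
# silenced on purpose).
#
# Notes for maintainers:
#   * Negated matches use the extrapositioned form ("! -d ADDR"); the older
#     intrapositioned form ("-d ! ADDR") is deprecated and makes iptables
#     print a warning.
#   * "-m state" is the legacy name of the conntrack match; it still works
#     but "-m conntrack --ctstate" is the modern spelling if this is ever
#     reworked.
#
# First set LC_ALL to en to avoid l10n problems when awk-ing IPs etc.
#export LC_ALL="en"

# ---------------------------------------------------------------------------
# Configuration
# ---------------------------------------------------------------------------
# External interface
EXTIF=ppp0
# Internal interfaces
INTIF1=eth1
INTIF2=eth2
# Loop device/localhost
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"
# Text tools variables
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'
# Last but not least, the users
USERA=192.168.1.4
USERB=192.168.1.2

# Static external addresses.  These were sanitised to "xx.xx.xx.xx" in the
# published copy and MUST be filled in before running: iptables rejects the
# placeholder, so the rules below would fail one after another *after* the
# DROP policies are already in place, leaving the box cut off.
EXTIP="xx.xx.xx.xx"
# IP that seemed to cause problems, but changing it did not affect the blocking
MASTERIP="xx.xx.xx.xx"
# Fail fast (before any policy change) while a placeholder is still present.
for v in "$EXTIP" "$MASTERIP"; do
    case "$v" in
        *x*)
            echo "FW: EXTIP/MASTERIP still contain a placeholder ($v); edit the script first" >&2
            exit 1
            ;;
    esac
done

# ---------------------------------------------------------------------------
# Reset
# ---------------------------------------------------------------------------
# Deny then accept: this keeps holes from opening up
# while we close ports and such
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Flush all existing chains and erase personal chains in every loaded table
# (/proc/net/ip_tables_names lists *tables*: filter, nat, mangle, ...).
TABLES=$(cat /proc/net/ip_tables_names 2>/dev/null)
for t in $TABLES; do
    $IPT -t "$t" -F
done
for t in $TABLES; do
    $IPT -t "$t" -X
done

# ---------------------------------------------------------------------------
# Kernel hardening knobs
# ---------------------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Source Address Verification (reverse-path filter on every interface)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
done

# Routing between interfaces is required for the FORWARD/NAT rules below
echo 1 > /proc/sys/net/ipv4/ip_forward

# ---------------------------------------------------------------------------
# Interface addresses
# ---------------------------------------------------------------------------
# External interface.  EXTIP is static (see Configuration); the ifconfig
# derivation is kept for reference only.
#EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"

# A point-to-point link has no broadcast address, so EXTBC is set to
# 255.255.255.255; this (hopefully) serves the same purpose.
#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTBC="255.255.255.255"
# EXTMSK is informational only (echoed, never used in a rule).  It comes out
# empty on ifconfig versions that print "netmask" instead of "Mask:".
EXTMSK="$($IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/')"
#EXTNET="$EXTIP/$EXTMSK"
EXTNET="$EXTIP/255.255.255.255"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"

# Internal interface one.  INTBC1 is informational only (the broadcast
# blocking rules below are disabled).
#INTIP1="`$IFC $INTIF1|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTIP1="192.168.1.5"
INTBC1="$($IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/')"
#INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTMSK1="255.255.255.0"
INTNET1="$INTIP1/$INTMSK1"
echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"

# Internal interface two.
# NOTE(review): INTNET1 and INTNET2 are both 192.168.1.0/24, so the
# per-interface anti-spoofing rules below cannot tell the two LANs apart —
# confirm that one shared subnet across two NICs is intended.
#INTIP2="`$IFC $INTIF2|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTIP2="192.168.1.3"
INTBC2="$($IFC $INTIF2|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/')"
#INTMSK2="`$IFC $INTIF2|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTMSK2="255.255.255.0"
INTNET2="$INTIP2/$INTMSK2"
echo "INTIP2=$INTIP2 INTBC2=$INTBC2 INTMSK2=$INTMSK2 INTNET2=$INTNET2"

# ---------------------------------------------------------------------------
# Logging chains
# ---------------------------------------------------------------------------
# Two custom chains that log and then drop/reject, so we do not need a LOG
# rule in front of every DROP/REJECT.  The first logs drops, the second logs
# rejects.  Do not complain if the chain already exists (so restart is clean).
$IPT -N DROPl 2> /dev/null
$IPT -A DROPl -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl -j DROP
# --
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT

# ---------------------------------------------------------------------------
# Loopback
# ---------------------------------------------------------------------------
# Accept all traffic arriving on the loopback device if the source IP
# matches one of our interfaces.
$IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $INTIP1 -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $INTIP2 -j ACCEPT
# The OUTPUT side of loopback was missing: with the OUTPUT policy at DROP
# and the final REJECTl rule, every NEW connection to 127.0.0.1 (local
# resolver, local MTA, ...) was rejected and logged.  Nothing leaves the
# host through lo, so accepting it outright is safe.
$IPT -A OUTPUT -o $LPDIF -j ACCEPT

# Blocking Broadcasts (disabled)
#$IPT -A INPUT -i $EXTIF -d $EXTBC -j DROPl
#$IPT -A INPUT -i $INTIF1 -d $INTBC1 -j DROPl
#$IPT -A INPUT -i $INTIF2 -d $INTBC2 -j DROPl
#$IPT -A OUTPUT -o $EXTIF -d $EXTBC -j DROPl
#$IPT -A OUTPUT -o $INTIF1 -d $INTBC1 -j DROPl
#$IPT -A OUTPUT -o $INTIF2 -d $INTBC2 -j DROPl
#$IPT -A FORWARD -o $EXTIF -d $EXTBC -j DROPl
#$IPT -A FORWARD -o $INTIF1 -d $INTBC1 -j DROPl
#$IPT -A FORWARD -o $INTIF2 -d $INTBC2 -j DROPl

# Port forwarding EXT -> INT (disabled)
# -- Accept the port
#$IPT -A FORWARD -i $EXTIF -o $INTIF2 -p tcp --dport 45650 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# -- Redirect to the right PC
#$IPT -A PREROUTING -t nat -p tcp -d $EXTIP --dport 45650 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.4:45650

# ---------------------------------------------------------------------------
# Trusted peer
# ---------------------------------------------------------------------------
# Accept the PPP master.
# NOTE: this admits any NEW TCP/UDP connection from and to MASTERIP on every
# interface and every port, in both directions; it is exactly as safe as
# that host is.
$IPT -A INPUT -p tcp -s $MASTERIP -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp -s $MASTERIP -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp -d $MASTERIP -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp -d $MASTERIP -m state --state NEW -j ACCEPT

# (earlier position of the "allow all outbound" rules, now further down)
#$IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --syn -m state --state NEW -j ACCEPT
#$IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 --syn -m state --state NEW -j ACCEPT
#$IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 --syn -m state --state NEW -j ACCEPT

#$IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP -m state --state NEW -j ACCEPT
#$IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 -m state --state NEW -j ACCEPT
#$IPT -A FORWARD -i $INTIF2 -p udp -s $INTNET2 -m state --state NEW -j ACCEPT
# --

# ---------------------------------------------------------------------------
# Anti-spoofing
# ---------------------------------------------------------------------------
# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input arriving on our external interface is not addressed to our ISP
# assigned ip address, drop it like a hot potato"
$IPT -A INPUT -i $EXTIF ! -d $EXTIP -j DROPl

# Now we will block internal addresses originating from anything but our
# two predefined interfaces.....just remember that if you jack your
# laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line
# explicitly for that IP as well
# Interface one/internal net one
$IPT -A INPUT -i $INTIF1 ! -s $INTNET1 -j DROPl
$IPT -A OUTPUT -o $INTIF1 ! -d $INTNET1 -j DROPl
$IPT -A FORWARD -i $INTIF1 ! -s $INTNET1 -j DROPl
$IPT -A FORWARD -o $INTIF1 ! -d $INTNET1 -j DROPl
# Interface two/internal net two
$IPT -A INPUT -i $INTIF2 ! -s $INTNET2 -j DROPl
$IPT -A OUTPUT -o $INTIF2 ! -d $INTNET2 -j DROPl
$IPT -A FORWARD -i $INTIF2 ! -s $INTNET2 -j DROPl
$IPT -A FORWARD -o $INTIF2 ! -d $INTNET2 -j DROPl

# An additional Egress check: nothing leaves EXTIF unless it carries our
# external address as source
$IPT -A OUTPUT -o $EXTIF ! -s $EXTNET -j DROPl

# Block outbound ICMP (except for PING, type 8 = echo request)
$IPT -A OUTPUT -o $EXTIF -p icmp ! --icmp-type 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp ! --icmp-type 8 -j DROPl

# ---------------------------------------------------------------------------
# Well-known-port block lists (currently disabled — the lists are commented
# out, so the loops below iterate over nothing and only print their header)
# ---------------------------------------------------------------------------
# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
# -- deleted
#COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"

# TCP ports:
# 98 is Linuxconf
# 512-515 is rexec, rlogin, rsh, printer(lpd)
# [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
# -- deleted
#TCPBLOCK="$COMBLOCK 98 113 512:515 1080 6000:6009 6112"

# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
# -- deleted
#UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"

echo -n "FW: Blocking attacks to TCP port "
for i in $TCPBLOCK; do
    echo -n "$i "
    $IPT -A INPUT -p tcp --dport $i -j DROPl
    $IPT -A OUTPUT -p tcp --dport $i -j DROPl
    $IPT -A FORWARD -p tcp --dport $i -j DROPl
done
echo ""
echo -n "FW: Blocking attacks to UDP port "
for i in $UDPBLOCK; do
    echo -n "$i "
    $IPT -A INPUT -p udp --dport $i -j DROPl
    $IPT -A OUTPUT -p udp --dport $i -j DROPl
    $IPT -A FORWARD -p udp --dport $i -j DROPl
done
echo ""

# Opening up ftp connection tracking (disabled)
#MODULES="ip_nat_ftp ip_conntrack_ftp"
#for i in $MODULES;
#do
# echo "Inserting module $i"
# modprobe $i
#done

# ---------------------------------------------------------------------------
# Outbound services for the firewall itself and the two LANs
# ---------------------------------------------------------------------------
# Defining some common chat clients. Remove these from your accepted list for better security.
# ICQ and AOL are 5190
# MSN is 1863
# Y! is 5050
# Jabber is 5222
# Y! and Jabber ports not added by author and therefore left out of the script
IRC='ircd'
MSN=1863
ICQ=5190
NFS='sunrpc'
# We have to sync!!
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371
# All service names are resolved by iptables through /etc/services.
# ("https" and "443" both appear in TCPSERV; the duplicate rule is harmless.)
TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 \
 time $PORTAGE $IRC $MSN $ICQ $OpenPGP_HTTP_Keyserver 443"
UDPSERV="domain time 443"
echo -n "FW: Allowing inside systems to use service:"
for i in $TCPSERV; do
    echo -n "$i "
    $IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 --dport $i --syn -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing inside systems to use service:"
for i in $UDPSERV; do
    echo -n "$i "
    $IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF2 -p udp -s $INTNET2 --dport $i -m state --state NEW -j ACCEPT
done
echo ""

# Accept all outbound ports.
# NOTE: these six rules admit every NEW outbound TCP/UDP connection, which
# makes the TCPSERV/UDPSERV allow-list above redundant.  Remove them to get
# back to an explicit allow-list.
$IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --syn -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 --syn -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 --syn -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF2 -p udp -s $INTNET2 -m state --state NEW -j ACCEPT
# --

# Allow to ping out
$IPT -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF2 -p icmp -s $INTNET2 --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow firewall to ping internal systems
$IPT -A OUTPUT -o $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INTIF2 -p icmp -s $INTNET2 --icmp-type 8 -m state --state NEW -j ACCEPT

# ---------------------------------------------------------------------------
# Host-to-host traffic between the firewall's INTIF2 address and the two
# user machines (any protocol, any port, both directions).  Uses the
# USERA/USERB/INTIP2 variables defined above instead of repeating the
# literal addresses.
# ---------------------------------------------------------------------------
$IPT -A INPUT -i $INTIF2 -s $USERA -d $INTIP2 -j ACCEPT
$IPT -A OUTPUT -o $INTIF2 -d $USERA -s $INTIP2 -j ACCEPT
$IPT -A INPUT -i $INTIF2 -s $USERB -d $INTIP2 -j ACCEPT
$IPT -A OUTPUT -o $INTIF2 -d $USERB -s $INTIP2 -j ACCEPT
#$IPT -A INPUT -i $INTIF1 -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
#$IPT -A INPUT -i $INTIF2 -p udp --dport 53 --syn -m state --state NEW -j ACCEPT
# addition
#$IPT -A FORWARD -i $INTIF1 -s 192.168.1.4 -j ACCEPT

# ---------------------------------------------------------------------------
# NAT and connection tracking
# ---------------------------------------------------------------------------
# Masquerade both internal nets behind EXTIF.  The nat table's built-in
# chains default to ACCEPT already; the three "-j ACCEPT" rules are kept
# for explicitness.
$IPT -t nat -A PREROUTING -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j MASQUERADE
$IPT -t nat -A POSTROUTING -j ACCEPT
$IPT -t nat -A OUTPUT -j ACCEPT
# Inbound ident (TCP 113) from anywhere.
# NOTE(review): not restricted to an interface, so the ident service is
# reachable from the WAN; presumably kept for IRC servers (IRC is in
# TCPSERV) — confirm it is still needed.
$IPT -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
# Everything that belongs to a connection already accepted above
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block and log what we may have forgotten
$IPT -A INPUT -j DROPl
$IPT -A OUTPUT -j REJECTl
$IPT -A FORWARD -j DROPl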