patatables

#!/bin/sh

#
#                                XXXXXXXXXXXXXXXXX
#                                XXXX Network XXXX
#                                XXXXXXXXXXXXXXXXX
#                                        +
#                                        |
#                                        v
#  +-------------+              +------------------+
#  |table: filter| <---+        | table: nat       |
#  |chain: INPUT |     |        | chain: PREROUTING|
#  +-----+-------+     |        +--------+---------+
#        |             |                 |
#        v             |                 v
#  [local process]     |           ****************          +--------------+
#        |             +---------+ Routing decision +------> |table: filter |
#        v                         ****************          |chain: FORWARD|
# ****************                                           +------+-------+
# Routing decision                                                  |
# ****************                                                  |
#        |                                                          |
#        v                        ****************                  |
# +-------------+       +------>  Routing decision  <---------------+
# |table: nat   |       |         ****************
# |chain: OUTPUT|       |               +
# +-----+-------+       |               |
#       |               |               v
#       v               |      +-------------------+
# +--------------+      |      | table: nat        |
# |table: filter | +----+      | chain: POSTROUTING|
# |chain: OUTPUT |             +--------+----------+
# +--------------+                      |
#                                       v
#                               XXXXXXXXXXXXXXXXX
#                               XXXX Network XXXX
#                               XXXXXXXXXXXXXXXXX
#
# iptables [-t table] {-A|-C|-D} chain rule-specification
#
# iptables [-t table] {-A|-C|-D} chain  rule-specification
#
# iptables  [-t table] -I chain [rulenum] rule-specification
#
# iptables [-t table] -R chain rulenum  rule-specification
#
# iptables [-t table] -D chain rulenum
#
# iptables [-t table] -S [chain [rulenum]]
#
# iptables  [-t  table]  {-F|-L|-Z} [chain [rulenum]] [options...]
#
# iptables [-t table] -N chain
#
# iptables [-t table] -X [chain]
#
# iptables [-t table] -P chain target
#
# iptables [-t table]  -E  old-chain-name  new-chain-name
#
# rule-specification = [matches...] [target]
#
# match = -m matchname [per-match-options]
#
#
# Targets
#
# can be a user defined chain
#
# ACCEPT - accepts the packet
# DROP   - drop the packet on the floor
# QUEUE  - packet will be stent to queue
# RETURN - stop traversing this chain and
#          resume ate the next rule in the
#          previeus (calling) chain.
#
# if packet reach the end of the chain or
# a target RETURN, default policy for that
# chain is applayed.
#
# Target Extensions
#
# AUDIT
# CHECKSUM
# CLASSIFY
# DNAT
# DSCP
# LOG
#     Torn on kernel logging, will print some
#     some information on all matching packets.
#     Log data can be read with dmesg or syslogd.
#     This is a non-terminating target and a rule
#     should be created with matching criteria.
#
#     --log-level level
#           Level of logging (numeric or see sys-
#           log.conf(5)
#
#     --log-prefix prefix
#           Prefix log messages with specified prefix
#           up to 29 chars log
#
#     --log-uid
#           Log the userid of the process with gener-
#           ated the packet
# NFLOG
#     This target pass the packet to loaded logging
#     backend to log the packet. One or more userspace
#     processes may subscribe to the group to receive
#     the packets.
#
# ULOG
#     This target provides userspace logging of maching
#     packets. One or more userspace processes may then
#     then subscribe to various multicast groups and
#     then receive the packets.
#
#
# Commands
#
# -A, --append chain rule-specification
# -C, --check chain rule-specification
# -D, --delete chain rule-specification
# -D, --delete chain rulenum
# -I, --insert chain [rulenum] rule-specification
# -R, --replace chain rulenum rule-specification
# -L, --list [chain]
# -P, --policy chain target
#
# Parameters
#
# -p, --protocol protocol
#       tcp, udp, udplite, icmp, esp, ah, sctp, all
# -s, --source address[/mask][,...]
# -d, --destination address[/mask][,...]
# -j, --jump target
# -g, --goto chain
# -i, --in-interface name
# -o, --out-interface name
# -f, --fragment
# -m, --match options module-name
#       iptables can use extended packet matching
#       modules.
# -c, --set-counters packets bytes

IPT="/usr/sbin/iptables"
SPAMLIST="blockedip"
SPAMDROPMSG="BLOCKED IP DROP"
# public interface to network/internet
PUB_IF="wlp7s0"
DHCP_SERV="192.168.1.1"
PUB_IP="192.168.1.33"
NET_ADDR="192.168.0.0/24"
# private interface for virtual/internal
PRIV_IF="br0"
PRIV_IP="10.0.0.1"

modprobe ip_conntrack
modprobe ip_conntrack_ftp

echo "Stopping ipv4 firewall and deny everyone..."

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -t security -F
iptables -t security -X


echo "Starting ipv4 firewall filter table..."

# Set Default Rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

###### AP rules  ######
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT
$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT


# Block sync
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Block Fragments
$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
$IPT -A INPUT -f -j DROP

# Block bad stuff
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS

$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT
$IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT

$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP}

###### Input Chain ######

# Unlimited on local
$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
#$IPT -A INPUT -i lo -s ${PRIV_IP} -j ACCEPT

echo "Drop RIP protocol"
$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s $NET_ADDR -j DROP

echo "Allow input from IRC server"
$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 1024:65535 --sport 6667 -m state --state ESTABLISHED -j ACCEPT

echo "Allow input from FTP server"
$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 1024:65535 --sport 21 -m state --state ESTABLISHED -j ACCEPT

echo "Allow input to HTTPS Server"
$IPT -A INPUT -i ${PRIV_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

#echo "Allow input to HTTP Server"
#$IPT -A INPUT -i ${PRIV_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

echo "Allow input from HTTP Server"
$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

echo "Allow input from git server"
$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

echo "Allow input from POP3S server"
$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

echo "Allow input from SMTPS server"
$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

echo "Allow input from Https server"
$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p udp --sport 443 --dport 1024:65535 -j ACCEPT

#echo "Allow input to DNS Server"
#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53  -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT

echo "Allow input from DNS Server"
$IPT -A INPUT -i ${PUB_IF} -p udp --dport 1024:65535 --sport 53  -j ACCEPT

echo "Allow input to SSH server"
$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT


###### Output Chain ######

# Unlimited on local
$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
#$IPT -A OUTPUT -o lo -d ${PRIV_IP} -j ACCEPT

echo "Allow output from https server"
$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT

#echo "Allow output from http server"
#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT

echo "Allow output to https server"
$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 443  -j ACCEPT

#echo "Allow to HTTP server"
#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

echo "Allow output to SSH server"
$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT

echo "Allow output to DNS server"
$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 53 --sport 1024:65535 -j ACCEPT

echo "Allow output to ftp server"
$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

echo "Allow output to git server"
$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT

echo "Allow output to IRC  server"
$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT

echo "Allow output to SMTPS server"
$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT

echo "Allow output to POP3S server"
$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT

## DHCP

## less logs
#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -j DROP
#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 80 -j DROP
$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT

## log everything else and drop
$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
#
exit 0