Advertisement
synthnassizer

sg_fw

Jul 31st, 2015
275
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 14.31 KB | None | 0 0
  1. root@slackware:~# cat /etc/firewall
  2. SYSCTL="/sbin/sysctl -w"
  3. IPT="/usr/sbin/iptables"
  4. IPTS="/usr/sbin/iptables-save"
  5. IPTR="/usr/sbin/iptables-restore"
  6.  
  7. INET_IFACE="eth1"
  8. INET_NET="192.168.231.0/24"
  9. INET_ADDRESS="192.168.231.165" #eth1 address
  10.  
  11. LOCAL_IFACE="eth0"
  12. LOCAL_IP="192.168.112.112"
  13. LOCAL_NET="192.168.112.0/24"
  14. LOCAL_BCAST="192.168.112.255"
  15.  
  16. VPN_IFACE="tun+"
  17. VPN_LOC_IP="192.168.26.1"
  18. VPN_NET="192.168.26.0/24"
  19. VPN_BCAST="192.168.26.255"
  20.  
  21. HOME_NET="192.168.114.0/24"
  22. DSA_NET="192.168.18.0/24"
  23.  
  24. STARGAZE="192.168.112.112"
  25. MODEM="192.168.231.117"
  26.  
  27. LO_IFACE="lo"
  28. LO_IP="127.0.0.1"
  29.  
  30. DISK_IFACE="eth2"
  31. DISK_IP="192.168.113.113"
  32. DISK_NET="192.168.113.0/24"
  33. DISK_BCAST="192.168.113.255"
  34.  
  35. if [ "$1" = "save" ]
  36. then
  37. echo -n "Saving firewall to /etc/sysconfig/iptables ... "
  38. $IPTS > /etc/sysconfig/iptables
  39. echo "done"
  40. exit 0
  41. elif [ "$1" = "restore" ]
  42. then
  43. echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
  44. $IPTR < /etc/sysconfig/iptables
  45. echo "done"
  46. exit 0
  47. fi
  48. echo "Loading kernel modules ..."
  49. /sbin/modprobe ip_tables
  50. /sbin/modprobe ip_conntrack
  51. /sbin/modprobe ip_nat_ftp
  52. /sbin/modprobe ip_conntrack_ftp
  53. /sbin/modprobe ip_conntrack_irc
  54. if [ "$SYSCTL" = "" ]
  55. then
  56. echo "1" > /proc/sys/net/ipv4/ip_forward
  57. else
  58. $SYSCTL net.ipv4.ip_forward="1"
  59. fi
  60. if [ "$SYSCTL" = "" ]
  61. then
  62. echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  63. else
  64. $SYSCTL net.ipv4.tcp_syncookies="1"
  65. fi
  66. if [ "$SYSCTL" = "" ]
  67. then
  68. echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
  69. else
  70. $SYSCTL net.ipv4.conf.all.rp_filter="1"
  71. fi
  72. if [ "$SYSCTL" = "" ]
  73. then
  74. echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  75. else
  76. $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
  77. fi
  78. if [ "$SYSCTL" = "" ]
  79. then
  80. echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
  81. else
  82. $SYSCTL net.ipv4.conf.all.accept_source_route="0"
  83. fi
  84. if [ "$SYSCTL" = "" ]
  85. then
  86. echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
  87. else
  88. $SYSCTL net.ipv4.conf.all.secure_redirects="1"
  89. fi
  90. if [ "$SYSCTL" = "" ]
  91. then
  92. echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
  93. else
  94. $SYSCTL net.ipv4.conf.all.log_martians="1"
  95. fi
  96. echo "Flushing Tables ..."
  97. $IPT -P INPUT ACCEPT
  98. $IPT -P FORWARD ACCEPT
  99. $IPT -P OUTPUT ACCEPT
  100. $IPT -t nat -P PREROUTING ACCEPT
  101. $IPT -t nat -P POSTROUTING ACCEPT
  102. $IPT -t nat -P OUTPUT ACCEPT
  103. $IPT -t mangle -P PREROUTING ACCEPT
  104. $IPT -t mangle -P OUTPUT ACCEPT
  105. $IPT -F
  106. $IPT -t nat -F
  107. $IPT -t mangle -F
  108. $IPT -X
  109. $IPT -t nat -X
  110. $IPT -t mangle -X
  111. if [ "$1" = "stop" ]
  112. then
  113. echo "Firewall completely flushed! Now running with no firewall."
  114. exit 0
  115. fi
  116.  
  117. #firewall starts HERE
  118.  
  119. $IPT -P INPUT DROP
  120. $IPT -P OUTPUT DROP
  121. $IPT -P FORWARD DROP
  122.  
  123. echo "Create and populate custom rule chains ..."
  124. $IPT -N bad_packets
  125. $IPT -N bad_tcp_packets
  126. $IPT -N icmp_packets
  127. $IPT -N udp_inbound
  128. $IPT -N udp_fwdbound
  129. $IPT -N udp_infwdbound
  130. $IPT -t nat -N udp_prebound
  131. $IPT -N udp_vpnbound
  132. $IPT -N tcp_inbound
  133. $IPT -N tcp_fwdbound
  134. $IPT -N tcp_infwdbound
  135. $IPT -N tcp_vpnbound
  136. $IPT -t nat -N tcp_prebound
  137.  
  138. $IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j ULOG --ulog-prefix "Illegal source: " --ulog-nlgroup 1
  139. $IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
  140. $IPT -A bad_packets -p ALL -m state --state INVALID -j ULOG --ulog-prefix "Invalid packet: " --ulog-nlgroup 1
  141. $IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
  142. $IPT -A bad_packets -p tcp -j bad_tcp_packets
  143. $IPT -A bad_packets -p ALL -j RETURN
  144. $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
  145. $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j ULOG --ulog-prefix "New not syn: " --ulog-nlgroup 1
  146. $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
  147. $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j ULOG --ulog-prefix "Stealth scan: " --ulog-nlgroup 1
  148. $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
  149. $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j ULOG --ulog-prefix "Stealth scan: " --ulog-nlgroup 1
  150. $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
  151. $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j ULOG --ulog-prefix "Stealth scan: " --ulog-nlgroup 1
  152. $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  153. $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j ULOG --ulog-prefix "Stealth scan: " --ulog-nlgroup 1
  154. $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  155. $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j ULOG --ulog-prefix "Stealth scan: " --ulog-nlgroup 1
  156. $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  157. $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j ULOG --ulog-prefix "Stealth scan: " --ulog-nlgroup 1
  158. $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  159. $IPT -A bad_tcp_packets -p tcp -j RETURN
  160.  
  161. $IPT -A icmp_packets --fragment -p ICMP -j ULOG --ulog-prefix "ICMP Fragment: " --ulog-nlgroup 1
  162. $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT #requested by openvpn AS : ICMP Destination Unreachable: Fragmentation Needed (ICMP Type 3, Code 4)
  163. $IPT -A icmp_packets --fragment -p ICMP -j DROP
  164. #$IPT -A icmp_packets -p ICMP -s $LOCAL_NET -d $VPN_NET --icmp-type 0 -j ACCEPT
  165. $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
  166. $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
  167. $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
  168. $IPT -A icmp_packets -p ICMP -j RETURN
  169.  
  170. $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j REJECT
  171. $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
  172. $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
  173. $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 34567 -j ACCEPT #KTORRENT
  174. $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 34568 -j ACCEPT #KTORRENT
  175. $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 34569 -j ACCEPT #KTORRENT
  176. $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 32386 -j ACCEPT #OPENVPN
  177. $IPT -A udp_inbound -p UDP -s $MODEM --destination-port 123 -j ACCEPT #NTP
  178. $IPT -A udp_inbound -p UDP -j RETURN
  179.  
  180. #$IPT -t nat -A udp_prebound --destination-port 31286 -j DNAT --to-destination $RODOS
  181. $IPT -t nat -A udp_prebound -p UDP -j RETURN
  182.  
  183. #$IPT -A udp_infwdbound --destination-port 32386 -j ACCEPT #intranet vpn
  184. $IPT -A udp_infwdbound -p UDP -j RETURN
  185.  
  186. $IPT -A udp_fwdbound -p UDP -j RETURN
  187.  
  188. $IPT -A udp_vpnbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT #DNS for vpn clients and zone tranfers
  189. $IPT -A udp_vpnbound -p UDP -s 0/0 --destination-port 137:139 -j ACCEPT #samba
  190. $IPT -A udp_vpnbound -p UDP -s 0/0 --destination-port 445 -j ACCEPT #samba
  191. #$IPT -A udp_vpnbound -p UDP -s 0/0 --destination-port 34122:34128 -j ACCEPT #vpn nfs
  192. $IPT -A udp_vpnbound -p UDP -j RETURN
  193.  
  194. $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT
  195. #$IPT -A tcp_inbound -p tcp -s 0/0 --destination-port 80 -j ACCEPT #APACHE
  196. #$IPT -A tcp_inbound -p tcp -s 0/0 --destination-port 3128 -j ACCEPT #SQUID
  197. $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 51237 -j ACCEPT #SSH
  198. $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 34567 -j ACCEPT #KTORRENT
  199. $IPT -A udp_inbound -p TCP -s 0/0 --destination-port 34568 -j ACCEPT #KTORRENT
  200. $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 3551 -j ACCEPT #APCUPSD
  201. #$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 10000 -j ACCEPT #WEBMIN
  202. #$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 18083 -j ACCEPT #VBOXweb
  203. # Email Servers:SMTP(25),POP3(110),IMAP4(143),SSL-POP3(995),SSL-IMAP4(993)
  204. #$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT
  205. #$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT
  206. #$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT
  207. #$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 995 -j ACCEPT
  208. #$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 993 -j ACCEPT
  209. $IPT -A tcp_inbound -p TCP -j RETURN
  210.  
  211. #$IPT -t nat -A tcp_prebound --destination-port 51236 -j DNAT --to-destination $SAMOTHRAKI
  212. #$IPT -t nat -A tcp_prebound -p TCP -s 0/0 --destination-port 12321 -j DNAT --to-destination 192.168.112.163
  213. #$IPT -t nat -A tcp_prebound --destination-port 21 -j DNAT --to-destination $SAMOTHRAKI
  214. #$IPT -t nat -A tcp_prebound --destination-port 62000:62100 -j DNAT --to-destination $SAMOTHRAKI
  215. #$IPT -t nat -A tcp_prebound -p TCP -s 0/0 --destination-port 29397 -j DNAT --to-destination $STARGAZE #torrent
  216. $IPT -t nat -A tcp_prebound -p TCP -j RETURN
  217.  
  218. #$IPT -A tcp_infwdbound --destination-port 51236 -j ACCEPT
  219. $IPT -A tcp_infwdbound -p TCP -s 0/0 --destination-port 12321 -j ACCEPT
  220. #$IPT -A tcp_infwdbound --destination-port 21 -j ACCEPT
  221. #$IPT -A tcp_infwdbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
  222. #$IPT -A tcp_infwdbound --destination-port 62000:62100 -j ACCEPT
  223. #$IPT -A tcp_infwdbound -p TCP -s 0/0 --destination-port 29397 -j ACCEPT #torrent
  224. $IPT -A tcp_infwdbound -p TCP -j RETURN
  225.  
  226. $IPT -A tcp_fwdbound -p TCP -j RETURN
  227.  
  228. $IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT #HTTP
  229. $IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 3389:3391 -j ACCEPT #vboxRDP vms
  230. $IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 3395 -j ACCEPT #xRDP
  231. $IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 5901 -j ACCEPT #VNC
  232. $IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 5801 -j ACCEPT #VNC browser
  233. $IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 8080 -j ACCEPT #HTTP
  234. $IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 6600 -j ACCEPT #MPD
  235. $IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 10000 -j ACCEPT #WEBMIN
  236. $IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 38000 -j ACCEPT #ICECAST
  237. $IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT #SSH
  238. $IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 51237 -j ACCEPT #SSH STARGAZE
  239. $IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 139 -j ACCEPT #vpn smb-cifs
  240. $IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 445 -j ACCEPT #vpn smb-cifs (secure)
  241. $IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 53 -j ACCEPT #DNS zone transfers
  242. #$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 111 -j ACCEPT #vpn nfs for other clients
  243. #$IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 2049 -j ACCEPT #vpn nfs for other clients
  244. $IPT -A tcp_vpnbound -p TCP -s 0/0 --destination-port 34122:34128 -j ACCEPT #vpn nfs
  245. $IPT -A tcp_vpnbound -j RETURN
  246.  
  247. echo "Process INPUT chain ..."
  248. $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
  249. $IPT -A INPUT -p ALL -j bad_packets
  250. $IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
  251. $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
  252. $IPT -A INPUT -p ALL -i $VPN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
  253. $IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
  254. $IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
  255. $IPT -A INPUT -p ICMP -i $LOCAL_IFACE -j icmp_packets
  256. $IPT -A INPUT -p ALL -i $DISK_IFACE -j ACCEPT
  257. $IPT -A INPUT -p TCP -i $VPN_IFACE -s $VPN_NET -j tcp_vpnbound
  258. $IPT -A INPUT -p TCP -i $VPN_IFACE -s $HOME_NET -j tcp_vpnbound
  259. $IPT -A INPUT -p TCP -i $VPN_IFACE -s $DSA_NET -j tcp_vpnbound
  260. $IPT -A INPUT -p UDP -i $VPN_IFACE -s $VPN_NET -j udp_vpnbound
  261. $IPT -A INPUT -p UDP -i $VPN_IFACE -s $HOME_NET -j udp_vpnbound
  262. $IPT -A INPUT -p UDP -i $VPN_IFACE -s $DSA_NET -j udp_vpnbound
  263. $IPT -A INPUT -p ALL -i $VPN_IFACE -d $VPN_BCAST -j ACCEPT
  264. $IPT -A INPUT -p ICMP -i $VPN_IFACE -j ACCEPT
  265. $IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
  266. $IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
  267. $IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
  268. $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
  269. $IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j ULOG --ulog-prefix "INPUT packet died: " --ulog-nlgroup 1
  270.  
  271. echo "Process FORWARD chain ..."
  272. $IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
  273. $IPT -A FORWARD -i $VPN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
  274. $IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_fwdbound
  275. $IPT -A FORWARD -i $DISK_IFACE -j ACCEPT
  276. $IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_fwdbound
  277. $IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT #accept whats not blocked above
  278. $IPT -A FORWARD -p tcp -i $VPN_IFACE -s $VPN_NET -j tcp_vpnbound
  279. $IPT -A FORWARD -p tcp -i $VPN_IFACE -s $HOME_NET -j tcp_vpnbound
  280. $IPT -A FORWARD -p tcp -i $VPN_IFACE -s $DSA_NET -j tcp_vpnbound
  281. $IPT -A FORWARD -p udp -i $VPN_IFACE -s $VPN_NET -j udp_vpnbound
  282. $IPT -A FORWARD -p udp -i $VPN_IFACE -s $HOME_NET -j udp_vpnbound
  283. $IPT -A FORWARD -p udp -i $VPN_IFACE -s $DSA_NET -j udp_vpnbound
  284. $IPT -A FORWARD -p icmp -i $VPN_IFACE -j icmp_packets
  285. $IPT -A FORWARD -p tcp -i $INET_IFACE -j tcp_infwdbound
  286. $IPT -A FORWARD -p udp -i $INET_IFACE -j udp_infwdbound
  287. $IPT -A FORWARD -p ICMP -i $INET_IFACE -j icmp_packets
  288. $IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j ULOG --ulog-prefix "FORWARD packet died: " --ulog-nlgroup 1
  289.  
  290. echo "Process nat table in OUTPUT chain"
  291. #$IPT -A OUTPUT -t nat -p TCP --dport 80 -m owner --uid-owner root -j ACCEPT #accept root request, but redirect all other local requests below
  292. #$IPT -A OUTPUT -t nat -p TCP --dport 80 -m owner --uid-owner squid -j ACCEPT #accept squid request, but redirect all other local requests below
  293. #$IPT -A OUTPUT -t nat -p TCP --dport 80 -j REDIRECT --to-ports 3128 #TRANSP PROXY for local browsers
  294.  
  295. echo "Process OUTPUT chain ..."
  296. $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
  297. $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
  298. $IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
  299. $IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
  300. $IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
  301. $IPT -A OUTPUT -p ALL -o $DISK_IFACE -j ACCEPT
  302. $IPT -A OUTPUT -p ALL -o $VPN_IFACE -j ACCEPT
  303. $IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
  304. $IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j ULOG --ulog-prefix "OUTPUT packet died: " --ulog-nlgroup 1
  305.  
  306. echo "Load rules for nat table ..."
  307. #$IPT -t nat -A PREROUTING -p tcp -i $LOCAL_IFACE --destination-port 80 -j REDIRECT --to-ports 3128 #TRANSP PROXY
  308. #$IPT -t nat -A PREROUTING -p tcp -i $LO_IFACE --destination-port 80 -j REDIRECT --to-ports 3128 #TRANSP PROXY for local browsers
  309. $IPT -t nat -A PREROUTING -p udp -i $INET_IFACE -j udp_prebound
  310. $IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE -j tcp_prebound
  311.  
  312. #$IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_ADDRESS
  313. $IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
  314.  
  315. echo "Load rules for mangle table ..."
  316. root@slackware:~#
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement