  1. 1:# First set LC_ALL to en to avoid l10n problems when awk-ing IPs etc.
  2. 2:#export LC_ALL="en"
  3. 3:# External interface
  4. 4:EXTIF=ppp0
  5. 5:# Internal interface
  6. 6:INTIF1=eth1
  7. 7:INTIF2=eth2
  8. 8:# Loop device/localhost
  9. 9:LPDIF=lo
  10. 10:LPDIP=127.0.0.1
  11. 11:LPDMSK=255.0.0.0
  12. 12:LPDNET="$LPDIP/$LPDMSK"
  13. 13:# Text tools variables
  14. 14:IPT='/sbin/iptables'
  15. 15:IFC='/sbin/ifconfig'
  16. 16:G='/bin/grep'
  17. 17:SED='/bin/sed'
  18. 18:# Last but not least, the users
  19. 19:USERA=192.168.1.4
  20. 20:USERB=192.168.1.2
  21. 21:
  22. 22:# Deny then accept: this keeps holes from opening up
  23. 23:# while we close ports and such
  24. 24:$IPT        -P INPUT       DROP
  25. 25:$IPT        -P OUTPUT      DROP
  26. 26:$IPT        -P FORWARD     DROP
  27. 27:
  28. 28:# Flush all existing chains and erase personal chains
  29. 29:CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
  30. 30:for i in $CHAINS;
  31. 31:do
  32. 32: $IPT -t $i -F
  33. 33:done
  34. 34:for i in $CHAINS;
  35. 35:do
  36. 36: $IPT -t $i -X
  37. 37:done
  38. 38:
  39. 39:
  40. 40:echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  41. 41:echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  42. 42:
  43. 43:# Source Address Verification
  44. 44:for f in /proc/sys/net/ipv4/conf/*/rp_filter;
  45. 45:do
  46. 46: echo 1 > $f
  47. 47:done
  48. 48:# Disable IP source routing and ICMP redirects
  49. 49:for f in /proc/sys/net/ipv4/conf/*/accept_source_route;
  50. 50:do
  51. 51: echo 0 > $f
  52. 52:done
  53. 53:for f in /proc/sys/net/ipv4/conf/*/accept_redirects;
  54. 54:do
  55. 55: echo 0 > $f
  56. 56:done
  57. 57:
  58. 58:echo 1 > /proc/sys/net/ipv4/ip_forward
  59. 59:
# Setting up external interface environment variables
# The address was originally derived from ifconfig; it is hard-coded instead.
#EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"

# PLACEHOLDER: "xx.xx.xx.xx" is not a valid address.  Every rule below that
# uses $EXTIP or $MASTERIP fails to load until both are replaced with the real
# ISP-assigned address; the script does not stop on iptables errors, so those
# failures only show up on stderr while the remaining rules are still applied.
EXTIP="xx.xx.xx.xx"
# IP that seemed to be the problem, but changing it does not affect the blocking
MASTERIP="xx.xx.xx.xx"

#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
# Due to absence of EXTBC it is manually set to 255.255.255.255; this
# (hopefully) serves the same purpose.  It is only echoed below -- the
# broadcast-blocking rules that used it are commented out.
EXTBC="255.255.255.255"
# Parsed from ifconfig output (the "Mask:" label is locale-dependent).  Only
# echoed: EXTNET is built from a fixed /32 mask instead.
EXTMSK=$($IFC $EXTIF | $G Mask: | $SED 's/.*Mask:\([^ ]*\)/\1/')
#EXTNET="$EXTIP/$EXTMSK"
EXTNET="$EXTIP/255.255.255.255"
#echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"

# Setting up environment variables for internal interface one
#INTIP1="`$IFC $INTIF1|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTIP1="192.168.1.5"
# Broadcast address from ifconfig; only echoed (see EXTBC above).
INTBC1=$($IFC $INTIF1 | $G Bcast: | $SED 's/.*Bcast:\([^ ]*\) .*/\1/')
#INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTMSK1="255.255.255.0"
INTNET1="$INTIP1/$INTMSK1"
echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"
# Setting up environment variables for internal interface two
# (same /24 as interface one)
#INTIP2="`$IFC $INTIF2|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTIP2="192.168.1.3"
INTBC2=$($IFC $INTIF2 | $G Bcast: | $SED 's/.*Bcast:\([^ ]*\) .*/\1/')
#INTMSK2="`$IFC $INTIF2|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTMSK2="255.255.255.0"
INTNET2="$INTIP2/$INTMSK2"
echo "INTIP2=$INTIP2 INTBC2=$INTBC2 INTMSK2=$INTMSK2 INTNET2=$INTNET2"

# Custom chains that log and then drop/reject, so every rule below can jump
# to DROPl or REJECTl instead of carrying its own LOG rule.
# make_log_chain CHAIN VERDICT creates CHAIN (the -N may fail when the chain
# already exists, e.g. on restart, hence 2>/dev/null; it was flushed above so
# appending is safe), logs with prefix "CHAIN:" and then applies VERDICT.
# NOTE(review): the LOG rules carry no "-m limit", so a flood of dropped
# packets produces one log line each -- consider rate-limiting the LOG target
# if kernel log saturation is a concern.
make_log_chain() {
    chain=$1
    verdict=$2
    $IPT -N "$chain" 2> /dev/null
    $IPT -A "$chain" -j LOG --log-prefix "$chain:"
    $IPT -A "$chain" -j "$verdict"
}
make_log_chain DROPl   DROP
# --
make_log_chain REJECTl REJECT

  106. 106:# Now we are going to accept all traffic from our loopback device
  107. 107:# if the IP matches any of our interfaces.
  108. 108:$IPT -A INPUT   -i $LPDIF -s   $LPDIP   -j ACCEPT
  109. 109:$IPT -A INPUT   -i $LPDIF -s   $EXTIP   -j ACCEPT
  110. 110:$IPT -A INPUT   -i $LPDIF -s   $INTIP1  -j ACCEPT
  111. 111:$IPT -A INPUT   -i $LPDIF -s   $INTIP2  -j ACCEPT
  112. 112:
  113. 113:# Blocking Broadcasts
  114. 114:#$IPT -A INPUT   -i $EXTIF  -d   $EXTBC   -j DROPl
  115. 115:#$IPT -A INPUT   -i $INTIF1 -d   $INTBC1  -j DROPl
  116. 116:#$IPT -A INPUT   -i $INTIF2 -d   $INTBC2  -j DROPl
  117. 117:#$IPT -A OUTPUT  -o $EXTIF  -d   $EXTBC   -j DROPl
  118. 118:#$IPT -A OUTPUT  -o $INTIF1 -d   $INTBC1  -j DROPl
  119. 119:#$IPT -A OUTPUT  -o $INTIF2 -d   $INTBC2  -j DROPl
  120. 120:#$IPT -A FORWARD -o $EXTIF  -d   $EXTBC   -j DROPl
  121. 121:#$IPT -A FORWARD -o $INTIF1 -d   $INTBC1  -j DROPl
  122. 122:#$IPT -A FORWARD -o $INTIF2 -d   $INTBC2  -j DROPl
  123. 123:
  124. 124:# Port forwarding EXT -> INT
  125. 125:# -- Accepte le port
  126. 126:#$IPT -A FORWARD -i $EXTIF -o $INTIF2 -p tcp --dport 45650 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  127. 127:# -- Dirige vers le bon pc
  128. 128:#$IPT -A PREROUTING -t nat -p tcp -d $EXTIP --dport 45650 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.4:45650
  129. 129:
  130. 130:# Accepte le master ppp
  131. 131:$IPT -A INPUT  -p tcp -s $MASTERIP -m state --state NEW -j ACCEPT
  132. 132:$IPT -A INPUT  -p udp -s $MASTERIP -m state --state NEW -j ACCEPT
  133. 133:$IPT -A OUTPUT -p tcp -d $MASTERIP -m state --state NEW -j ACCEPT
  134. 134:$IPT -A OUTPUT -p udp -d $MASTERIP -m state --state NEW -j ACCEPT
  135. 135:
  136. 136:#$IPT -A OUTPUT  -o $EXTIF  -p tcp -s $EXTIP   --syn -m state --state NEW -j ACCEPT
  137. 137:#$IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 --syn -m state --state NEW -j ACCEPT
  138. 138:#$IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 --syn -m state --state NEW -j ACCEPT
  139. 139:
  140. 140:#$IPT -A OUTPUT  -o $EXTIF  -p udp -s $EXTIP   -m state --state NEW -j ACCEPT
  141. 141:#$IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 -m state --state NEW -j ACCEPT
  142. 142:#$IPT -A FORWARD -i $INTIF2 -p udp -s $INTNET2 -m state --state NEW -j ACCEPT
  143. 143:# --
  144. 144:
  145. 145:
# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people.
# iptables translation: "if input arriving on our external interface is not
# addressed to our ISP-assigned IP address, drop it like a hot potato".
# NOTE(review): "-d ! addr" (negation after the option) is the old iptables
# syntax; newer releases print a deprecation warning for it and expect
# "! -d addr" instead.  The same applies to "-s !" and "--icmp-type !" below.
$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl

# Anti-spoofing on the internal side: an internal network's addresses may only
# appear on its own interface.  Remember that if you jack your laptop or
# another PC into one of these NICs directly, it must either have an address
# inside the matching INTNET or get its own explicit rule.
# guard_internal IFACE NET drops, with logging, anything on IFACE whose source
# (inbound) or destination (outbound) is not inside NET.
guard_internal() {
    iface=$1
    net=$2
    $IPT -A INPUT   -i "$iface" -s ! "$net" -j DROPl
    $IPT -A OUTPUT  -o "$iface" -d ! "$net" -j DROPl
    $IPT -A FORWARD -i "$iface" -s ! "$net" -j DROPl
    $IPT -A FORWARD -o "$iface" -d ! "$net" -j DROPl
}
# Interface one/internal net one
guard_internal $INTIF1 $INTNET1
# Interface two/internal net two
guard_internal $INTIF2 $INTNET2

# An additional Egress check: locally generated packets may only leave the
# external interface with our own address (EXTNET is $EXTIP/32).  OUTPUT sees
# only the firewall's own traffic; forwarded LAN traffic goes through FORWARD
# and is masqueraded in POSTROUTING further down.
$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl

# Block outbound ICMP (except for PING: type 8 = echo request)
$IPT -A OUTPUT  -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl

# COMmon ports (historical reference list; the COMBLOCK definition below is
# commented out, so none of it is applied):
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
# -- deleted
#COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"

# TCP ports:
# 98 is Linuxconf
# 512-515 is rexec, rlogin, rsh, printer(lpd)
#   [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
# -- deleted
#TCPBLOCK="$COMBLOCK 98 113 512:515 1080 6000:6009 6112"

# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
# -- deleted
#UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"

# block_ports PROTO LABEL PORTS appends a logging DROP for every port in
# PORTS to INPUT, OUTPUT and FORWARD, printing progress as it goes.
# NOTE(review): TCPBLOCK and UDPBLOCK are never assigned (their definitions
# above are commented out), so both calls below print only the header line
# and add no rules.  Re-enable the lists to actually block these ports.
block_ports() {
    proto=$1
    label=$2
    ports=$3
    echo -n "FW: Blocking attacks to $label port "
    for port in $ports; do
        echo -n "$port "
        $IPT -A INPUT   -p $proto --dport $port  -j DROPl
        $IPT -A OUTPUT  -p $proto --dport $port  -j DROPl
        $IPT -A FORWARD -p $proto --dport $port  -j DROPl
    done
    echo ""
}
block_ports tcp TCP "$TCPBLOCK"
block_ports udp UDP "$UDPBLOCK"

  229. 229:# Opening up ftp connection tracking
  230. 230:#MODULES="ip_nat_ftp ip_conntrack_ftp"
  231. 231:#for i in $MODULES;
  232. 232:#do
  233. 233:# echo "Inserting module $i"
  234. 234:# modprobe $i
  235. 235:#done
  236. 236:
  237. 237:# Defining some common chat clients. Remove these from your accepted list for better security.
  238. 238:# ICQ and AOL are 5190
  239. 239:# MSN is 1863
  240. 240:# Y! is 5050
  241. 241:# Jabber is 5222
  242. 242:# Y! and Jabber ports not added by author and therefore left out of the script
  243. 243:IRC='ircd'
  244. 244:MSN=1863
  245. 245:ICQ=5190
  246. 246:NFS='sunrpc'
  247. 247:# We have to sync!!
  248. 248:PORTAGE='rsync'
  249. 249:OpenPGP_HTTP_Keyserver=11371
  250. 250:# All services ports are read from /etc/services
  251. 251:TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 \
  252. 252:         time $PORTAGE $IRC $MSN $ICQ  $OpenPGP_HTTP_Keyserver 443"
  253. 253:UDPSERV="domain time 443"
  254. 254:echo -n "FW: Allowing inside systems to use service:"
  255. 255:for i in $TCPSERV;
  256. 256:do
  257. 257:  echo -n "$i "
  258. 258:  $IPT -A OUTPUT  -o $EXTIF  -p tcp -s $EXTIP   --dport $i --syn -m state --state NEW -j ACCEPT
  259. 259:  $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 --dport $i --syn -m state --state NEW -j ACCEPT
  260. 260:  $IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 --dport $i --syn -m state --state NEW -j ACCEPT
  261. 261:done
  262. 262:echo ""
  263. 263:
  264. 264:echo -n "FW: Allowing inside systems to use service:"
  265. 265:for i in $UDPSERV;
  266. 266:do
  267. 267:  echo -n "$i "
  268. 268:  $IPT -A OUTPUT  -o $EXTIF  -p udp -s $EXTIP   --dport $i -m state --state NEW -j ACCEPT
  269. 269:  $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 --dport $i -m state --state NEW -j ACCEPT
  270. 270:  $IPT -A FORWARD -i $INTIF2 -p udp -s $INTNET2 --dport $i -m state --state NEW -j ACCEPT
  271. 271:done
  272. 272:echo ""
  273. 273:
  274. 274:# Accepte tous les ports en sortie
  275. 275:$IPT -A OUTPUT  -o $EXTIF  -p tcp -s $EXTIP   --syn -m state --state NEW -j ACCEPT
  276. 276:$IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 --syn -m state --state NEW -j ACCEPT
  277. 277:$IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 --syn -m state --state NEW -j ACCEPT
  278. 278:
  279. 279:$IPT -A OUTPUT  -o $EXTIF  -p udp -s $EXTIP   -m state --state NEW -j ACCEPT
  280. 280:$IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 -m state --state NEW -j ACCEPT
  281. 281:$IPT -A FORWARD -i $INTIF2 -p udp -s $INTNET2 -m state --state NEW -j ACCEPT
  282. 282:# --
  283. 283:
  284. 284:# Allow to ping out
  285. 285:$IPT -A OUTPUT  -o $EXTIF  -p icmp -s $EXTIP   --icmp-type 8 -m state --state NEW -j ACCEPT
  286. 286:$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT
  287. 287:$IPT -A FORWARD -i $INTIF2 -p icmp -s $INTNET2 --icmp-type 8 -m state --state NEW -j ACCEPT
  288. 288:
  289. 289:# Allow firewall to ping internal systems
  290. 290:$IPT -A OUTPUT  -o $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT
  291. 291:$IPT -A OUTPUT  -o $INTIF2 -p icmp -s $INTNET2 --icmp-type 8 -m state --state NEW -j ACCEPT
  292. 292:
  293. 293:# Ports
  294. 294:$IPT -A INPUT   -i $INTIF2 -s 192.168.1.4 -d 192.168.1.3 -j ACCEPT
  295. 295:$IPT -A OUTPUT  -o $INTIF2 -d 192.168.1.4 -s 192.168.1.3 -j ACCEPT
  296. 296:$IPT -A INPUT   -i $INTIF2 -s 192.168.1.2 -d 192.168.1.3 -j ACCEPT
  297. 297:$IPT -A OUTPUT  -o $INTIF2 -d 192.168.1.2 -s 192.168.1.3 -j ACCEPT
  298. 298:#$IPT -A INPUT   -i $INTIF1 -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
  299. 299:#$IPT -A INPUT   -i $INTIF2 -p udp --dport 53 --syn -m state --state NEW -j ACCEPT
  300. 300:# ajout
  301. 301:#$IPT -A FORWARD -i $INTIF1   -s 192.168.1.4 -j ACCEPT
  302. 302:
  303. 303:# --------------------------
  304. 304:
  305. 305:$IPT -t nat -A PREROUTING  -j ACCEPT
  306. 306:$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
  307. 307:$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j MASQUERADE
  308. 308:$IPT -t nat -A POSTROUTING -j ACCEPT
  309. 309:$IPT -t nat -A OUTPUT -j ACCEPT
  310. 310:$IPT -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
  311. 311:$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
  312. 312:$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
  313. 313:$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  314. 314:
  315. 315:# Block and log what me may have forgot
  316. 316:$IPT -A INPUT   -j DROPl
  317. 317:$IPT -A OUTPUT  -j REJECTl
  318. 318:$IPT -A FORWARD -j DROPl