- #!/usr/bin/python -OO
- '''
- set up iptables for typical server
- make sure to edit /etc/services accordingly
- '''
- import sys, os, socket
- from subprocess import Popen, PIPE
# Service names below are resolved through /etc/services (by check_service()
# and by iptables itself), so every entry must exist there.

# ports this host listens on
TCP_SERVICES = [
    'ssh', 'smtp', 'http', 'https', 'rootssh', 'lighttpd',
]
UDP_SERVICES = ['domain', 'bootps', 'resolver', 'ntp']
# coin daemons: each is both a listening service and an outbound client
CRYPTO_COINS = [
    'americancoin', 'coinyecoin', 'bitcoin', 'dogecoin',
    'betacoin', 'ppcoin', 'freicoin', 'nexuscoin',
]
# remote ports this host connects out to
TCP_CLIENTS = ['ssh', 'http', 'https', 'whois', 'ircd'] + CRYPTO_COINS
UDP_CLIENTS = ['domain', 'bootps', 'resolver', 'ntp', 'skype']
# if False, must enable cryptocoin RPC
# be sure to also add _rpc entries for each, e.g. bitcoin_rpc in /etc/services
ACCEPT_ALL_LOCAL = True
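def check_service(service_name):
    '''
    resolve service_name through /etc/services and return its port number

    raises Exception naming the missing service, so a typo in one of the
    name lists is reported before any iptables rule is touched
    '''
    try:
        return socket.getservbyname(service_name)
    except socket.error:
        # only the lookup failure is translated; the previous bare except
        # also swallowed KeyboardInterrupt and SystemExit
        raise Exception('no such service "%s"' % service_name)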
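def iptables(args):
    '''
    run a single iptables command and raise Exception if it fails

    args: list of iptables arguments; passed as an argv list (no shell),
          so service names never go through shell parsing
    raises Exception carrying the full command and the last stderr line
           (or the exit status when iptables printed nothing)
    '''
    command = ['iptables'] + args
    pipeline = Popen(command, stdout = PIPE, stderr = PIPE,
                     universal_newlines = True)
    # communicate() drains both pipes before waiting; wait() followed by a
    # read could deadlock once a chatty iptables filled the pipe buffer
    stdout, stderr = pipeline.communicate()
    if pipeline.returncode:
        # readlines()[-1] on empty stderr raised IndexError and hid the
        # real failure, so fall back to the exit status
        lines = [line for line in stderr.splitlines() if line.strip()]
        if lines:
            detail = lines[-1].rstrip()
        else:
            detail = 'exit status %d' % pipeline.returncode
        raise Exception('"%s" error: "%s"' % (' '.join(command), detail))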
def accept_all_local():
    '''accept every packet entering or leaving on the loopback interface'''
    rules = [
        ['--append', 'INPUT', '--in-interface', 'lo'],
        ['--append', 'OUTPUT', '--out-interface', 'lo'],
    ]
    for rule in rules:
        iptables(rule + ['--jump', 'ACCEPT'])
def accept_local_input(port, protocol = 'tcp'):
    '''accept loopback packets addressed to `port` (service name or number)'''
    rule = ['--append', 'INPUT', '--in-interface', 'lo']
    rule += ['--protocol', protocol, '--destination-port', port]
    iptables(rule + ['--jump', 'ACCEPT'])
def accept_local_output(port, protocol = 'tcp'):
    '''accept loopback packets sent from `port` (service name or number)'''
    rule = ['--append', 'OUTPUT', '--out-interface', 'lo']
    rule += ['--protocol', protocol, '--source-port', port]
    iptables(rule + ['--jump', 'ACCEPT'])
def accept_local(port, protocol = 'tcp'):
    '''open `port` on loopback in both directions'''
    for opener in (accept_local_input, accept_local_output):
        opener(port, protocol)
def accept_server_input(port, protocol = 'tcp'):
    '''accept incoming packets destined for a service this host offers on `port`'''
    rule = ['--append', 'INPUT', '--protocol', protocol]
    rule += ['--destination-port', port]
    iptables(rule + ['--jump', 'ACCEPT'])
def accept_server_output(port, protocol = 'tcp'):
    '''accept outgoing packets sent from a service this host offers on `port`'''
    rule = ['--append', 'OUTPUT', '--protocol', protocol]
    rule += ['--source-port', port]
    iptables(rule + ['--jump', 'ACCEPT'])
def accept_client_input(port, protocol = 'tcp'):
    '''
    accept incoming packets whose *source* port is `port`, i.e. replies from
    a remote service this host talks to as a client

    NOTE(review): this matches on source port alone, with no connection-state
    test, so any remote host can reach any local port simply by sending from
    that source port. Genuine replies are already accepted by the
    ESTABLISHED,RELATED rule in enable_some_inputs(); verify this looser rule
    is still wanted.
    '''
    rule = ['--append', 'INPUT', '--protocol', protocol]
    rule += ['--source-port', port]
    iptables(rule + ['--jump', 'ACCEPT'])
def accept_client_output(port, protocol = 'tcp'):
    '''accept outgoing packets to a remote service on `port` (client side)'''
    rule = ['--append', 'OUTPUT', '--protocol', protocol]
    rule += ['--destination-port', port]
    iptables(rule + ['--jump', 'ACCEPT'])
def accept_server_traffic(port, protocol = 'tcp'):
    '''open `port` for a service this host offers: requests in, replies out'''
    for opener in (accept_server_input, accept_server_output):
        opener(port, protocol)
def accept_client_traffic(port, protocol = 'tcp'):
    '''open `port` for a remote service this host uses: replies in, requests out'''
    for opener in (accept_client_input, accept_client_output):
        opener(port, protocol)
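def init():
    '''
    check that every service name this script will hand to iptables resolves
    through /etc/services, then bring up the drop-everything baseline

    checking up front means a bad name fails here, before init_firewall()
    has changed any policy; previously the client and UDP lists were not
    checked and a bad entry only surfaced mid-setup from iptables itself
    '''
    every_name = (TCP_SERVICES + UDP_SERVICES + CRYPTO_COINS
                  + TCP_CLIENTS + UDP_CLIENTS)
    for service in every_name:
        check_service(service)
    # RPC ports are only opened when ACCEPT_ALL_LOCAL is False, but the
    # check has always been unconditional so /etc/services stays complete
    for coin in CRYPTO_COINS:
        check_service(coin + '_rpc')
    init_firewall()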
def init_firewall():
    '''start from a clean but paranoid slate, dropping everything on the floor'''
    flush_firewall()
    # default policy DROP on each built-in chain; later rules punch the holes
    for builtin_chain in ('INPUT', 'OUTPUT', 'FORWARD'):
        iptables(['--policy', builtin_chain, 'DROP'])
def flush_firewall():
    '''flush built-in chains, delete non-builtins, and zero counters'''
    # issued one at a time so a failure names the step; no --table is given,
    # so only iptables' default table is touched
    iptables(['--flush'])
    iptables(['--delete-chain'])
    iptables(['--zero'])
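def reset_firewall():
    '''
    start from a clean slate, allowing all traffic

    this is the recovery path firewall() takes when setup fails, so it must
    actually remove the half-built rule set rather than only flip policies
    '''
    # was `flush_firewall` without parentheses: the function object was
    # evaluated and discarded, leaving every appended rule in place
    flush_firewall()
    for chain in ['INPUT', 'OUTPUT', 'FORWARD']:
        iptables(['--policy', chain, 'ACCEPT'])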
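def firewall(*args):
    '''
    set up firewall
    if anything breaks, undo firewall so we aren't locked out

    args: accepted for command-line compatibility, currently unused
    exits with status 1 when not running as root
    '''
    if os.geteuid() > 0:
        sys.stderr.write('Must be root (sudo may work)\n')
        sys.exit(1)
    if __debug__:
        # self-test that iptables() reports errors. NOTE(review): this runs
        # outside the try below and aborts the script whenever it is not
        # started with -O/-OO (see the shebang) -- presumably intentional,
        # confirm
        bad_command()
    try:
        init()
        enable_some_inputs()
        enable_some_outputs()
        for service in TCP_SERVICES + CRYPTO_COINS:
            accept_server_traffic(service)
        for service in UDP_SERVICES:
            accept_server_traffic(service, protocol = 'udp')
        for client in TCP_CLIENTS:
            accept_client_traffic(client)
        for client in UDP_CLIENTS:
            accept_client_traffic(client, protocol = 'udp')
        if ACCEPT_ALL_LOCAL:
            accept_all_local()
        else:
            for service in CRYPTO_COINS:
                accept_local(service + '_rpc')
        block_unwanted_inputs()
        block_unwanted_outputs()
    except BaseException:
        # BaseException rather than Exception: a Ctrl-C mid-setup is not an
        # Exception and previously left the DROP policies in place, which is
        # exactly the lock-out the docstring promises to avoid. A bare raise
        # keeps the original traceback, unlike the old `raise error`.
        reset_firewall()
        raise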
def bad_command():
    '''something that iptables will reject, as a test'''
    nonsense = ['not', 'understood']
    iptables(nonsense)
def block_unwanted_inputs():
    '''
    log and reject connection attempts and other questionable packets
    null packets, pingflood, christmastree
    '''
    # whatever is not a fresh connection attempt and was not accepted by an
    # earlier rule gets logged, then rejected.
    # NOTE(review): the LOG rule carries no --match limit, so a remote sender
    # can fill the log at line rate; consider rate-limiting it
    not_new = ['--append', 'INPUT', '--match', 'state', '!', '--state', 'NEW']
    iptables(not_new + ['--jump', 'LOG', '--log-prefix', 'unmatched INPUT '])
    iptables(not_new + ['--jump', 'REJECT'])
    flags = ['--append', 'INPUT', '--protocol', 'tcp', '--tcp-flags', 'ALL']
    iptables(flags + ['NONE', '--jump', 'DROP'])  # null packets
    iptables(flags + ['ALL', '--jump', 'DROP'])   # christmastree
    # a NEW TCP connection that does not start with SYN; the docstring calls
    # this "pingflood", but it is a TCP-state check, not an ICMP rate limit
    iptables(['--append', 'INPUT', '--protocol', 'tcp', '!', '--syn',
              '--match', 'state', '--state', 'NEW', '--jump', 'DROP'])
def enable_some_inputs():
    '''allow established and other selected inputs'''
    def accept(*match):
        iptables(['--append', 'INPUT'] + list(match) + ['--jump', 'ACCEPT'])
    # replies to connections this host opened, plus related traffic
    accept('--match', 'state', '--state', 'ESTABLISHED,RELATED')
    # ICMP type 8 is echo request, so the host answers ping
    accept('--protocol', 'icmp', '--match', 'icmp', '--icmp-type', '8')
def enable_some_outputs():
    '''
    allow this host to send ping requests (ICMP 8) and error reports (ICMP 3)

    NOTE(review): no OUTPUT rule accepts ESTABLISHED,RELATED or ICMP type 0,
    so echo replies to the pings admitted by enable_some_inputs() presumably
    fall through to the REJECT in block_unwanted_outputs(); confirm whether
    answering ping is intended.
    '''
    for icmp_type in ('8', '3'):
        iptables(['--append', 'OUTPUT', '--protocol', 'icmp', '--match', 'icmp',
                  '--icmp-type', icmp_type, '--jump', 'ACCEPT'])
def block_unwanted_outputs():
    '''log, then reject, whatever the OUTPUT and FORWARD chains did not accept'''
    for chain in ('OUTPUT', 'FORWARD'):
        iptables(['--append', chain, '--jump', 'LOG',
                  '--log-prefix', 'unmatched %s ' % chain])
        iptables(['--append', chain, '--jump', 'REJECT'])
if __name__ == '__main__':
    # everything after the script name is handed to firewall(), which ignores it
    arguments = sys.argv[1:]
    firewall(*arguments)