
Iptables Stateful Workstation (script)

Feb 5th, 2017
  1. #!/bin/bash
  2. ### BEGIN INIT INFO
  3. # Provides: fwipv4-StateFull
  4. # Required-Start: $network
  5. # Required-Stop: $network
  6. # Default-Start: 2 3 4 5
  7. # Default-Stop: 0 1 6
  8. # Short-Description: Activating Iptables StateFull
  9. ### END INIT INFO
#######################################
# Flush every rule and delete every user-defined chain in the filter,
# raw and mangle tables (the nat table is not touched).
# Globals:   none
# Arguments: none
# Returns:   status of the last iptables call
#######################################
flush_reglas(){
  local table
  # filter is the implicit table when -t is omitted
  iptables -F
  iptables -X
  for table in raw mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done
}
#######################################
# Fail-closed default: set the filter table's built-in chains to DROP.
# Anything not explicitly accepted by reglas() is then discarded.
# Globals:   none
# Arguments: none
# Returns:   status of the last iptables call
#######################################
set_policy(){
  local chain
  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" DROP
  done
}
#######################################
# Open the filter table's built-in chains (policy ACCEPT). Used by
# 'stop' after the rules are flushed, i.e. the host is unfiltered
# afterwards.
# Globals:   none
# Arguments: none
# Returns:   status of the last iptables call
#######################################
unset_policy(){
  local chain
  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" ACCEPT
  done
}
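#######################################
# Load the rule set: generic hardening in mangle PREROUTING (which runs
# before the filter INPUT chain), then the services this workstation is
# allowed to offer and to use.
# Globals (read):
#   FW_SSH_PORT   - local SSH port (default 22)
#   FW_SSH_NET    - network/mask allowed to reach the local SSH port (required)
#   FW_DNS_SERVER - resolver the workstation may query (required)
#   FW_LOCAL_IP   - local address for the SYNPROXY rule (optional)
# Arguments: none
# Returns:   1 without touching any rule when required configuration is
#            missing, otherwise the status of the last iptables call.
# NOTE: the caller (start) sets DROP policies before calling this, so a
#   return 1 leaves the host fail-closed until the script is re-run with
#   the variables set. The original had bare placeholder tokens
#   (ssh_port, net/mask, ip_dns_server, ip_local) in the rules, which
#   iptables rejects.
#######################################
reglas(){
  local ssh_port=${FW_SSH_PORT:-22}
  local ssh_net=${FW_SSH_NET:-}
  local dns_server=${FW_DNS_SERVER:-}
  local local_ip=${FW_LOCAL_IP:-}
  if [[ -z "$ssh_net" || -z "$dns_server" ]]; then
    printf 'reglas: FW_SSH_NET and FW_DNS_SERVER must be set\n' >&2
    return 1
  fi
  # Core netfilter module
  /sbin/modprobe ip_tables
  # Stateful connection tracking module. ip_conntrack is the legacy module
  # name; on newer kernels it is nf_conntrack and this modprobe may fail.
  # The failure is not fatal here (no set -e) and iptables normally
  # autoloads the conntrack modules when -m conntrack / -m state is used.
  /sbin/modprobe ip_conntrack
  ### Loopback and ping rules ###
  # NOTE: rule 6 below drops all ICMP in mangle PREROUTING, which is
  # traversed before INPUT, so inbound echo-request/echo-reply never reach
  # the two INPUT ACCEPTs here. Keep one or the other.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
  ### 1: Drop invalid packets ###
  iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
  ### 2: Drop TCP packets that are new and are not SYN ###
  iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  ### 3: Drop SYN packets with suspicious MSS value ###
  iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
  ### 4: Block packets with bogus TCP flags ###
  iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
  iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
  iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
  iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
  iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
  iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
  iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
  iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
  iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
  iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  ### 5: Block spoofed packets ###
  # NOTE: 10.0.0.0/8 and 172.16.0.0/12 are dropped as *sources*. On a
  # workstation attached to a LAN numbered from one of those ranges this
  # blocks every LAN peer, including a DNS server there; 192.168.0.0/16 is
  # already exempted. Adjust to the local network.
  iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
  iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
  iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
  iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
  #iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
  iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
  iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
  iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
  iptables -t mangle -A PREROUTING -s 248.0.0.0/5 -j DROP
  iptables -t mangle -A PREROUTING -s 255.255.255.255/32 -j DROP
  iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
  ### 6: Drop ICMP (useless protocol) ###
  # Unconditional: no '! -i lo' exemption and no ICMP type is spared, so
  # this also discards the echo types accepted above and the
  # "fragmentation needed" messages path-MTU discovery relies on.
  iptables -t mangle -A PREROUTING -p icmp -j DROP
  ### 7: Drop fragments in all chains ###
  iptables -t mangle -A PREROUTING -f -j DROP
  ### 8: Limit connections per source IP ###
  iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
  ### 9: Limit RST packets ###
  iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
  iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
  ### 10: Limit new TCP connections per second per source IP ###
  # The original pair ('-m limit ... -j ACCEPT' then '-j DROP') ACCEPTed
  # every in-rate NEW TCP packet on *any* port, bypassing the DROP policy
  # and the SSH source/brute-force rules below, and -m limit counts
  # globally rather than per source. hashlimit keyed on srcip drops only
  # the excess; conforming packets continue to the service rules.
  iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 60/s --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name new_tcp -j DROP
  ### 11: SYNPROXY on all ports (optional, needs FW_LOCAL_IP) ###
  # As written this rule cannot match: nothing in this script marks
  # traffic UNTRACKED (that takes a raw-table '-j CT --notrack' rule, and
  # the raw table is flushed and left empty), and INVALID packets were
  # already dropped by rule 1 in mangle PREROUTING. Kept for reference;
  # skipped when FW_LOCAL_IP is unset.
  if [[ -n "$local_ip" ]]; then
    iptables -A INPUT -p tcp -m tcp -d "$local_ip" -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
  fi
  iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  ### 12: Protection against port scanning ###
  # NOTE: this chain is created but nothing jumps to it from INPUT, so it
  # is inactive. Note that its fall-through is DROP, so it must only be
  # reached for the RST-flagged packets it is meant to rate-limit.
  iptables -N port-scanning
  iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
  iptables -A port-scanning -j DROP
  ### 13: SSH brute-force protection ###
  # More than 10 NEW connections from one source within 60 s are dropped.
  iptables -A INPUT -p tcp --dport "$ssh_port" -m conntrack --ctstate NEW -m recent --set
  iptables -A INPUT -p tcp --dport "$ssh_port" -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
  ### As a server ###
  iptables -A INPUT -p tcp --dport "$ssh_port" -m state -s "$ssh_net" --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp --sport "$ssh_port" -m state -d "$ssh_net" --state ESTABLISHED -j ACCEPT
  ### As a client ###
  # DNS only to the configured resolver; HTTP/HTTPS and NTP to anywhere.
  iptables -A OUTPUT -p udp --dport 53 -m state -d "$dns_server" --state NEW,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p udp --sport 53 -m state -s "$dns_server" --state ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
  ### 14: MAKE SURE NEW OUTGOING TCP CONNECTIONS ARE SYN PACKETS; OTHERWISE WE NEED TO DROP THEM
  iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
  ### 15: DROP PACKETS WITH OUTGOING FRAGMENTS. THIS ATTACK RESULT INTO LINUX SERVER PANIC SUCH DATA LOSS
  iptables -A OUTPUT -f -j DROP
  ### 16: DROP OUTGOING MALFORMED XMAS PACKETS
  iptables -A OUTPUT -p tcp --tcp-flags ALL ALL -j DROP
  ### 17: DROP OUTGOING MALFORMED NULL PACKETS
  iptables -A OUTPUT -p tcp --tcp-flags ALL NONE -j DROP
  ### 18: Invalid icmp packets need to be dropped to prevent a possible exploit.
  iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
  # Logging of DROPs (enable if needed)
  #iptables -N LOGGING #Create the chain
  #iptables -A INPUT -j LOGGING #Send INPUT through the logging chain
  #iptables -A FORWARD -j LOGGING #Send FORWARD through the logging chain
  #iptables -A OUTPUT -j LOGGING #Send OUTPUT through the logging chain
  #iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
  #iptables -A LOGGING -j DROP
}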
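# Init-script entry point: start | stop | restart.
# ${1:-} keeps the dispatch safe if the script is ever run under 'set -u'.
case "${1:-}" in
  start)
    flush_reglas
    set_policy
    # reglas returns non-zero when its configuration is missing; the DROP
    # policies set just above are deliberately left in place (fail closed)
    # and the failure is reported instead of a misleading "Started".
    if reglas; then
      echo "Started"
    else
      printf '%s: rule load failed; policies left at DROP\n' "$0" >&2
      exit 1
    fi
    ;;
  stop)
    # After this the host is unfiltered (ACCEPT policies, no rules).
    flush_reglas
    unset_policy
    echo "Stopped"
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  *)
    # $0 already holds the script path; the original prefixed /etc/init.d/
    # to it, printing a doubled path. Unknown actions exit non-zero.
    printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
    exit 1
    ;;
esac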