[PLUG] my 1st fw script, rev.3
Hi list
Thanks for all your help! Now I'm posting my latest
firewall iptables script, in case anybody wants
to use it, expand on it, or comment on it...
It works fine and is almost complete--the only missing
details are:
1. the icmp stuff at the end. For one thing,
the type 5 should be allowed only from the gateway.
2. WAN_DEVICE_BROADCAST. I still can't really decide
whether to allow it, or what. That probably depends
on the network the server is in. I'd just
disallow broadcast packets if I weren't using
dhcp or samba.
This script is designed only for machines with 1
NIC (no forwarding or masq); I tried to write it
as simply as possible so that it will do the job.
jondz / epike
#! /bin/sh
###################################################################
# SIMPLE FW RULES, 1-ETHERNET, NO FORWARDING, NO MASQ, SERVICES ONLY
#
# OBJECTIVES: 1. Allow standard services (ftp, telnet, web, squid, etc)
# 2. Log everything else that's not allowed, then drop it
#
# JondZ Mon Dec 23 16:12:14 EST 2002
# JondZ Thu Dec 26 14:57:26 EST 2002 revised (thanks to PLUG)
# JondZ Fri Dec 27 11:56:25 EST 2002 revised (thanks to PLUG)
####################################################################
VERSION="JondZ 12/2002"
WAN_DEVICE=eth0
WAN_DEVICE_BROADCAST=192.168.1.255/32
TCP_OPENPORTS=20,21,22,23,25,53,80,110,137,138,139,443,3128
UDP_OPENPORTS=53,137,138,139
IPTABLES=/sbin/iptables
echo "$0 ($VERSION): Starting custom firewall..."
###########################################################
# INITIALIZE CHAINS
###########################################################
echo "$0: initializing chains..."
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -X
$IPTABLES -Z
#############################################
# IMPLEMENT DEFAULT POLICIES
#############################################
echo "$0: applying default policies..."
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
#############################################
# lo CONNECTIONS
#############################################
echo "$0: Accepting lo connections..."
$IPTABLES -A INPUT -i lo -j ACCEPT
#############################################
# LOG FORWARDING ATTEMPTS
#############################################
$IPTABLES -A FORWARD -j LOG --log-prefix "FWD_DETECTED "
#######################################################################
# ENABLE BROADCAST PACKETS
#
# NOTES
# -----
# On some setups you may want to ACCEPT broadcasts (eg, SAMBA, DHCP)
# On some setups you may want to DENY broadcasts
#######################################################################
echo "$0: accepting broadcast packets.."
$IPTABLES -A INPUT -i $WAN_DEVICE -d $WAN_DEVICE_BROADCAST -j ACCEPT
#############################################
# INCOMING TCP CONNECTIONS for WAN_DEVICE
#############################################
echo "$0: Allowing TCP Services..."
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
-m state --state INVALID -j DROP
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
-m state --state NEW -m multiport \
--destination-port $TCP_OPENPORTS -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
-m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
-m limit --limit 3/s -j LOG --log-prefix "TCP_IN "
############################################################################
# INCOMING UDP CONNECTIONS for WAN_DEVICE
# WARNING: DO NOT -p udp -m state --state NEW!!! does not seem to work!
############################################################################
echo "$0: Allowing UDP Services..."
$IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
-m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
-m multiport --destination-port $UDP_OPENPORTS -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
-m limit --limit 3/s -j LOG --log-prefix "UDP_IN "
#############################################
# INCOMING ICMP CONNECTIONS
#############################################
echo "$0: allowing some ICMP Connections..."
########################################################################
# ICMP TYPES (incomplete)
# --------------------------
# 0 - echo reply
# 3 - Destination Unreachable
# 4 - source quench
# 5 - redirect
# 8 - echo
# 11 - Time Exceeded
# 30 - Traceroute (not implemented) (??)
#
# Ping - icmp types 0,8
# destination unreachable - 3
# traceroute - 11,30
#
# NOTES - icmp type 5 is needed for routing with other network segments!
# - no need to limit icmp type 5!
# - icmp type 4 source quench - when packets arrive too fast to
# be processed type 4 is sent (??).
# INCOMPLETE - ICMP type 5 - for route discovery. Allow only FROM
# the default gateway!
########################################################################
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
--icmp-type 0 -m limit --limit 3/s -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
--icmp-type 3 -m limit --limit 3/s -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
--icmp-type 4 -m limit --limit 3/s -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
--icmp-type 5 -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
--icmp-type 8 -m limit --limit 3/s -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
--icmp-type 11 -m limit --limit 3/s -j ACCEPT
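The script's second objective is to log what it does not allow, but nothing above shows how to review those logs. Here is an added example (mine, not part of jondz's post) that summarises netfilter LOG lines by the script's own prefixes (TCP_IN, UDP_IN, FWD_DETECTED); the log lines are constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise what the firewall's
# LOG rules (prefixes TCP_IN, UDP_IN, FWD_DETECTED) are recording.
# Reads netfilter LOG lines (syslog or dmesg format) on stdin and prints
# "<hits> <prefix> <proto> <dport> <distinct sources>", busiest first.
fw_log_summary() {
    awk '
    {
        prefix = ""; src = ""; proto = "?"; dpt = "-"
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^IN=/)    prefix = $(i - 1)   # word before IN= is the --log-prefix
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (prefix == "") next                       # not a netfilter LOG line
        key = prefix " " proto " " dpt
        hits[key]++
        if (!((key, src) in seen)) { seen[key, src] = 1; nsrc[key]++ }
    }
    END { for (k in hits) printf "%d %s %d\n", hits[k], k, nsrc[k] }
    ' | sort -rn
}

# Constructed sample (not real traffic): three SYNs to 445 from two hosts,
# one UDP probe, one forwarding attempt, and an unrelated sshd line that
# must be ignored.
SAMPLE_LOG='Dec 27 12:01:05 host kernel: TCP_IN IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 LEN=60 TTL=64 DF PROTO=TCP SPT=4444 DPT=445 SYN URGP=0
Dec 27 12:01:06 host kernel: TCP_IN IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 LEN=60 TTL=64 DF PROTO=TCP SPT=4445 DPT=445 SYN URGP=0
Dec 27 12:01:07 host kernel: TCP_IN IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.10 LEN=60 TTL=64 DF PROTO=TCP SPT=5120 DPT=445 SYN URGP=0
Dec 27 12:01:09 host kernel: UDP_IN IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.1.10 LEN=40 TTL=64 PROTO=UDP SPT=1234 DPT=161 LEN=20
Dec 27 12:01:10 host kernel: FWD_DETECTED IN=eth0 OUT=eth0 SRC=10.0.0.7 DST=192.168.2.3 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Dec 27 12:01:11 host sshd[123]: Accepted publickey for jondz from 10.0.0.8 port 40000'

# Runs the summary over the constructed sample; on a real box use
#   fw_log_summary < /var/log/messages      or      dmesg | fw_log_summary
summarize_sample() { printf '%s\n' "$SAMPLE_LOG" | fw_log_summary; }
```

Note that ICMP and any other protocol hit the INPUT DROP policy silently, since only the TCP and UDP sections above have a LOG rule; those drops will not show up in this summary.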
_________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion -- http://lists.netisland.net/mailman/listinfo/plug