Ang aking unang blog

Saturday, February 23, 2008

Complete IPTables Firewall Rules

#!/bin/sh -e
# /etc/init.d/firewall-rule.sh : start/stop firewalls
# written by Gabriel L. Briones III
#

FW=`which iptables`

if [ ! "$FW" ]; then
echo
echo "FATAL: Unable to locate iptables, is it installed?"
echo " or you may want to check first your PATH"
echo
echo "unable to continue, exiting ...."
sleep 2
echo
exit 1
fi

INT_IFACE=eth2 # Facing the LAN
DMZ_IFACE=eth1 # Facing the DMZ Network
EXT_IFACE=eth0 # Facing the hardware firewall
LO_IFACE=lo # loop back interface
INT_IP=`ifconfig $INT_IFACE : grep inet : cut -d : -f 2 : cut -d \ -f 1`
DMZ_IP=`ifconfig $DMZ_IFACE : grep inet : cut -d : -f 2 : cut -d \ -f 1`
EXT_IP=`ifconfig $EXT_IFACE : grep inet : cut -d : -f 2 : cut -d \ -f 1`

DMZ_WEB=192.168.0.1
DMZ_EXT_MAIL=192.168.0.3
DMZ_LDAP=192.168.0.1
DMZ_PROXY=192.168.0.4
DMZ_DNS=192.168.0.1
INT_MAIL=131.107.2.6

LAN_IP=131.107.2.0
DMZ_NET=192.168.0.0


case "$1" in

start)

echo -n "Starting Jon's Firewall Rules"

# Set default policy to DROP
$FW -P INPUT DROP
$FW -P OUTPUT DROP
$FW -P FORWARD DROP

# Flush all rules first to make sure that we are starting from scratch
$FW -t nat -F
$FW -t mangle -F
$FW -X
$FW -F

# Explicitly turn off ECN (explicit congestion notification)
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Allow traffic to loop back interface
$FW -A INPUT -i $LO_IFACE -j ACCEPT

# Spoof protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# SYN Flood protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#The Mangle portion of the ruleset.
#Here is where unwanted packet types get dropped.
#This helps in making port scans against your server
#a bit more time consuming and difficult, but not impossible.
$FW -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
$FW -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$FW -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$FW -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

################## CUSTOM RULES !!!!!!! ##################
$FW -N firewalled
$FW -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$FW -A firewalled -j DROP

$FW -N bad_tcpflags
$FW -A bad_tcpflags -m limit --limit 15/minute -j LOG --log-prefix BAD_TCP_FLAGS:
$FW -A bad_tcpflags -j DROP
###########################################################

################## INPUT CHAIN !!!!!!! ####################
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
$FW -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ACK,URG URG -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags RST,FIN RST,FIN -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags SYN,ACK NONE -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags SYN,URG SYN,URG -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL NONE -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL ALL -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL SYN,PSH -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL RST,ACK -m state --state RELATED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL SYN,ACK -m state --state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL FIN,ACK -m state --state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL SYN,ACK,PSH -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL FIN,PSH,ACK -m state --state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j bad_tcpflags

# Allow ESTABLISHED and RELATED connections
$FW -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow some services only
$FW -A INPUT -p tcp --dport 22 -j ACCEPT
#################################################################

################# FORWARD CHAIN !!!!! ###########################

$FW -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow only access to the internal network on the proxy server
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_PROXY -s $LAN_IP/24 --dport 8080 -j ACCEPT


# Allow external packet destined to publicly accessed services like SMTP, HTTP and HTTPS
$FW -A FORWARD -p tcp --dport 22 -j ACCEPT

$FW -A FORWARD -i $INT_IFACE -o $EXT_IFACE -s 131.107.2.92/32 -j ACCEPT

$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_WEB/32 --dport 80 -j ACCEPT
$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_WEB/32 --dport 443 -j ACCEPT

$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_EXT_MAIL/32 --dport 25 -j ACCEPT
$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_EXT_MAIL/32 --dport 80 -j ACCEPT
$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_EXT_MAIL/32 --dport 443 -j ACCEPT
$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_EXT_MAIL/32 --dport 993 -j ACCEPT

$FW -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p tcp --dport 80 -s $INT_MAIL/32 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p tcp --dport 443 -s $INT_MAIL/32 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p tcp --dport 21 -s $INT_MAIL/32 -j ACCEPT

# Allow Local networks to access servers on DMZ
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_PROXY --dport 80 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_PROXY --dport 443 -j ACCEPT

$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_DNS --dport 53 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p udp -d $DMZ_DNS --dport 53 -j ACCEPT

$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_EXT_MAIL --dport 25 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_EXT_MAIL --dport 80 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_EXT_MAIL --dport 443 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_EXT_MAIL --dport 143 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_EXT_MAIL --dport 993 -j ACCEPT

$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_WEB --dport 80 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_WEB --dport 443 -j ACCEPT

$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_LDAP --dport 389 -j ACCEPT

# Allow machines on DMZ to access the net for security updates and bug fixes
$FW -A FORWARD -i $DMZ_IFACE -o $EXT_IFACE -s $DMZ_EXT_MAIL/32 -j ACCEPT
$FW -A FORWARD -i $DMZ_IFACE -o $EXT_IFACE -s $DMZ_PROXY/32 -j ACCEPT
$FW -A FORWARD -i $DMZ_IFACE -o $EXT_IFACE -s $DMZ_WEB/32 -j ACCEPT

##################################################################

################ OUTPUT CHAIN !!!!! ##############################
$FW -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$FW -A OUTPUT -o $LO_IFACE -j ACCEPT
$FW -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$FW -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$FW -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$FW -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$FW -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
$FW -A OUTPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
###################################################################

for CHAINS in INPUT FORWARD OUTPUT
do
# Allow some icmp packet and DROP the rest
$FW -A $CHAINS -p icmp --icmp-type 0 -j ACCEPT
$FW -A $CHAINS -p icmp --icmp-type 3 -j ACCEPT
$FW -A $CHAINS -p icmp --icmp-type 11 -j ACCEPT
$FW -A $CHAINS -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$FW -A $CHAINS -p icmp -j firewalled
done

# SNAT LAN's IP
$FW -t nat -A POSTROUTING -o $EXT_IFACE -s $DMZ_NET/24 -j SNAT --to $EXT_IP
$FW -t nat -A POSTROUTING -o $EXT_IFACE -s 131.107.2.92/32 -j SNAT --to $EXT_IP

$FW -t nat -A POSTROUTING -o $EXT_IFACE -s $INT_MAIL/32 -j SNAT --to $EXT_IP

# DNAT connections from outside
$FW -t nat -A PREROUTING -i $EXT_IFACE -d 202.164.182.83 -p tcp --dport 80 -j DNAT --to $DMZ_EXT_MAIL
$FW -t nat -A PREROUTING -i $EXT_IFACE -d 202.164.182.83 -p tcp --dport 443 -j DNAT --to $DMZ_EXT_MAIL
$FW -t nat -A PREROUTING -i $EXT_IFACE -d 202.164.182.83 -p tcp --dport 993 -j DNAT --to $DMZ_EXT_MAIL

$FW -t nat -A PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp --dport 25 -j DNAT --to $DMZ_EXT_MAIL

$FW -t nat -A PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp --dport 80 -j DNAT --to $DMZ_WEB
$FW -t nat -A PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp --dport 443 -j DNAT --to $DMZ_WEB
$FW -t nat -A PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp --dport 993 -j DNAT --to $DMZ_WEB


# Layer 7 filterring
$FW -t mangle -A POSTROUTING -m layer7 --l7proto yahoo -j DROP
$FW -t mangle -A POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
$FW -t mangle -A POSTROUTING -m layer7 --l7proto msn-filetransfer -j DROP
$FW -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j DROP
$FW -t mangle -A POSTROUTING -m layer7 --l7proto irc -j DROP

echo "."

;;

stop)

echo -n "Flushing Jon's Firewall Rules"

$FW -P INPUT ACCEPT
$FW -P FORWARD ACCEPT
$FW -P OUTPUT ACCEPT
$FW -t nat -F
$FW -t mangle -F
$FW -F
$FW -X

echo "."

;;

status)

$FW -t nat -L
$FW -t mangle -L
$FW -L

;;

restart)
$0 stop
$0 start
;;


*)
echo 'Usage: /etc/init.d/firewall.rules {start:stop:restart}'
exit 1

esac

exit 0