ale338.sh —
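#!/bin/bash
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Firewall initscript
# Description: Packet filtering iptables firewall
# placed in /usr/local/bin.
### END INIT INFO
### Mario V. Guenzi giugno 2000
### Last modified february 2017
# The original shebang was "#!/bin/bash -x"; options on the shebang line are
# dropped when the script is started as "bash ale338.sh" or sourced by an init
# wrapper, so the command trace is switched on explicitly instead.
set -x
# Fixed search path: the script runs from init with an almost empty environment.
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin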
######################
# start firewall
######################
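#######################################
# Print the first IPv4 address configured on interface $1 (nothing if none).
# Handles both ifconfig layouts: "inet addr:A.B.C.D" from older net-tools and
# "inet A.B.C.D" from newer ones. The original
# "grep inet | cut -f2 -d: | cut -f1 -d' '" pipeline yields an empty string on
# the newer layout and also matched inet6 lines, which then produced SNAT and
# anti-spoof rules with a missing or multi-line address.
# Arguments: $1 - interface or alias name (eth0, eth0:1, ...)
# Outputs:   the address on stdout
#######################################
iface_ipv4()
{
  ifconfig "$1" 2>/dev/null | awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }'
}

#######################################
# Write $2 into the /proc/sys entry $1 when the running kernel exposes it;
# entries missing on this kernel are skipped silently, as in the original.
# Arguments: $1 - /proc/sys path, $2 - value
#######################################
proc_set()
{
  if [ -e "$1" ]; then
    echo "$2" > "$1"
  fi
}

#######################################
# Append rate-limited LOG + DROP rules to the DENY_PORTS chain for each port
# (or port range) given, matching it both as destination and as source port.
# Arguments: $1 - protocol (tcp|udp), $2.. - ports / ranges ("111" or "137:139")
# Globals:   IPT, LOG_LEVEL (read)
#######################################
deny_ports()
{
  local proto=$1 port
  shift
  for port in "$@"; do
    "$IPT" -A DENY_PORTS -p "$proto" --dport "$port" -m limit --limit 5/minute \
      -j LOG --log-level "$LOG_LEVEL" --log-prefix "DENIED PORT:"
    "$IPT" -A DENY_PORTS -p "$proto" --sport "$port" -m limit --limit 5/minute \
      -j LOG --log-level "$LOG_LEVEL" --log-prefix "DENIED PORT:"
    "$IPT" -A DENY_PORTS -p "$proto" --dport "$port" -j DROP
    "$IPT" -A DENY_PORTS -p "$proto" --sport "$port" -j DROP
  done
}

#######################################
# Build the whole ruleset: /proc hardening, flush, DROP default policies,
# helper chains, anti-spoofing on the external interface, NAT and the
# per-service ACCEPT rules.
# Globals:   IPT, EXTIF/INTIF/DMZIF, EXTIP/INTIP/DMZIP/VIDIP/WEBIP, LAN/DMZ,
#            LOG_LEVEL and the host addresses below are assigned as globals,
#            as in the original.
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   1 without touching the live ruleset when iptables is not found or
#            the external/internal address cannot be read, 0 otherwise.
# Differences from the original: the published copy had every quote and "--"
# mangled, "DATE `date`" executed date's output as a command, two rule
# comments lacked their "#", the CHECK_FLAGS chain was defined but never
# jumped to, and the "-o $INTIF" SNAT rule was added twice.
#######################################
start()
{
  # set a few variables
  echo "Welcome in ale338"
  echo "Alessandra sei la mia vita"
  echo ""
  echo " setting global variables"
  echo ""
  DATE=$(date) # today's time stamp (unused below)
  IPT=$(command -v iptables)
  if [ -z "$IPT" ]; then
    echo "iptables not found in PATH, firewall not started" >&2
    return 1
  fi
  EXTIF="eth0"           ## world interface
  INTIF="eth1"           ## lan interface
  DMZIF="eth3"           ## DMZ interface
  LOOPBACK="127.0.0.1"   ## lo interface
  VIDEO="eth0:1"         ## alias used to check the video-surveillance system from outside
  WEBIF="eth0:0"         ## alias the externally reachable web applications listen on
  LAN="192.168.2.0/24"   # our lan
  DMZ="192.168.200.0/24" # DMZ lan
  EXTIP=$(iface_ipv4 "$EXTIF")
  INTIP=$(iface_ipv4 "$INTIF")
  DMZIP=$(iface_ipv4 "$DMZIF")
  VIDIP=$(iface_ipv4 "$VIDEO")
  WEBIP=$(iface_ipv4 "$WEBIF")
  # EXTIP and INTIP are mandatory arguments of the SNAT/DNAT and anti-spoof
  # rules below; with an empty value those rules would simply fail to load.
  # Bail out before the flush so the currently loaded ruleset stays in place.
  if [ -z "$EXTIP" ] || [ -z "$INTIP" ]; then
    echo "cannot read the IPv4 address of $EXTIF/$INTIF, current ruleset left untouched" >&2
    return 1
  fi
  LOG_LEVEL="info"
  CHIMERA="192.168.2.224"
  CASA="xx.174.xxx.214"       # redacted in the published copy; unused below
  GRECALE="192.168.2.251"
  PERSEO="192.168.2.240"
  STRONMBOLI="192.168.2.232"  # name kept as in the original; unused below
  CRM="192.168.200.10"
  # Source networks that must never arrive on the external interface. This is
  # the list the rules below actually enforce (the original variable held
  # 1.0.0.0/8 instead of 127.0.0.0/8 but was never referenced).
  # NOTE(review): 2.0.0.0/8 has been a regularly allocated block for years, so
  # dropping it cuts off legitimate peers - confirm it is still wanted.
  RESERVED_NET="0.0.0.0/8 2.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 224.0.0.0/4 240.0.0.0/5"
  # adjust /proc
  echo " applying general security settings to /proc filesystem"
  echo ""
  proc_set /proc/sys/net/ipv4/tcp_syncookies 1
  proc_set /proc/sys/net/ipv4/conf/all/rp_filter 1
  proc_set /proc/sys/net/ipv4/ip_forward 1
  proc_set /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
  proc_set /proc/sys/net/ipv4/conf/all/accept_source_route 0
  proc_set /proc/sys/net/ipv4/tcp_ecn 0
  proc_set /proc/sys/net/ipv4/conf/all/send_redirects 0
  proc_set /proc/sys/net/ipv4/conf/all/accept_redirects 0
  # secure_redirects only matters while accept_redirects is on; kept as in the original.
  proc_set /proc/sys/net/ipv4/conf/all/secure_redirects 1
  proc_set /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  proc_set /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout 120
  # Log spoofed/source-routed packets only on the external interface.
  proc_set "/proc/sys/net/ipv4/conf/$EXTIF/log_martians" 1
  proc_set "/proc/sys/net/ipv4/conf/$INTIF/log_martians" 0
  proc_set /proc/sys/net/ipv4/tcp_timestamps 1
  ### Flush all rules in the filter, nat and mangle tables and delete the
  ### user-defined chains, so running the script twice does not duplicate rules
  "$IPT" -F > /dev/null
  "$IPT" -F -t nat > /dev/null
  "$IPT" -F -t mangle
  "$IPT" -t mangle -X
  "$IPT" -X
  ### Default policies: nat ACCEPT, filter DROP on every chain
  "$IPT" -t nat -P PREROUTING ACCEPT
  "$IPT" -t nat -P POSTROUTING ACCEPT
  "$IPT" -P INPUT DROP ### Highly recommended default policy
  "$IPT" -P OUTPUT DROP
  "$IPT" -P FORWARD DROP
  ### LAN -> Internet source NAT. With a dynamically assigned external address
  ### this rule goes stale on every change; MASQUERADE would follow it.
  "$IPT" -t nat -A POSTROUTING -s "$LAN" -o "$EXTIF" -j SNAT --to-source "$EXTIP"
  #"$IPT" -t nat -A POSTROUTING -s "$DMZ" -o "$WEBIF" -j SNAT --to-source "$WEBIP"
  ### lo interface
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A OUTPUT -o lo -j ACCEPT
  ### KEEP_STATE: drop INVALID, accept RELATED/ESTABLISHED
  ### NOTE(review): no rule jumps to KEEP_STATE, DENY_PORTS, DENY_NET or
  ### FilterICMP, so those chains are built but never consulted; of the helper
  ### chains only CHECK_FLAGS (below) and TOR_BLOCK are wired in. Hooking the
  ### others into INPUT/FORWARD needs a decision on their position relative to
  ### the state ACCEPT rules, so it is left as is here.
  "$IPT" -N KEEP_STATE
  "$IPT" -F KEEP_STATE
  "$IPT" -A KEEP_STATE -m state --state INVALID -j DROP
  "$IPT" -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
  ### CHECK_FLAGS: log (rate limited) and drop impossible TCP flag combinations
  "$IPT" -N CHECK_FLAGS
  "$IPT" -F CHECK_FLAGS
  ### NMAP FIN/URG/PSH (xmas)
  "$IPT" -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level "$LOG_LEVEL" --log-prefix "NMAP-XMAS:"
  "$IPT" -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  ### SYN/RST
  "$IPT" -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level "$LOG_LEVEL" --log-prefix "SYN/RST:"
  "$IPT" -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  ### SYN/FIN Scan(probably)
  "$IPT" -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level "$LOG_LEVEL" --log-prefix "SYN/FIN:"
  "$IPT" -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  ### Consult CHECK_FLAGS for every TCP packet addressed to or routed through
  ### this host. The chain only drops flag combinations no real connection
  ### uses, so wiring it in costs no legitimate traffic.
  "$IPT" -A INPUT -p tcp -j CHECK_FLAGS
  "$IPT" -A FORWARD -p tcp -j CHECK_FLAGS
  ## Chain DENY_PORTS: LOG/DROP packets by port number; DENY_NET stays empty
  "$IPT" -N DENY_PORTS
  "$IPT" -F DENY_PORTS
  "$IPT" -N DENY_NET
  "$IPT" -F DENY_NET
  ### Never accept or forward packets with a reserved/private source on the
  ### external interface; inserted at the head of INPUT and FORWARD
  for NET in $RESERVED_NET; do
    "$IPT" -I INPUT -i "$EXTIF" -s "$NET" -j DROP
    "$IPT" -I FORWARD -i "$EXTIF" -s "$NET" -j DROP
  done
  "$IPT" -A INPUT -i "$EXTIF" -d "$LOOPBACK" -j DROP
  # our own external address arriving from outside is spoofed
  "$IPT" -A INPUT -i "$EXTIF" -s "$EXTIP" -j DROP
  DENIED_TCP_PORTS="111 137:139 635 2049 6000:6063 10498 12754 20034 12345:12346 27374 27444 27665 31335"
  # shellcheck disable=SC2086 -- word splitting of the port list is intended
  deny_ports tcp $DENIED_TCP_PORTS
  # ident: answer with a reset instead of a silent drop so mail/irc servers do not wait
  "$IPT" -A DENY_PORTS -p tcp --dport 113 -j REJECT --reject-with tcp-reset
  DENIED_UDP_PORTS="111 512 514 515 635 2049 10498 27444 31335 31337"
  # shellcheck disable=SC2086 -- word splitting of the port list is intended
  deny_ports udp $DENIED_UDP_PORTS
  ### TOR_BLOCK is meant to be filled from /usr/local/bin/torblock.sh
  ### NOTE(review): that script is never run from here, so the chain stays
  ### empty and the three jumps are no-ops until something else populates it.
  "$IPT" -N TOR_BLOCK
  "$IPT" -F TOR_BLOCK
  "$IPT" -I INPUT -j TOR_BLOCK
  "$IPT" -I OUTPUT -j TOR_BLOCK
  "$IPT" -I FORWARD -j TOR_BLOCK
  ### ICMP FILTER (see the NOTE above: FilterICMP is not referenced by any rule)
  "$IPT" -N FilterICMP
  "$IPT" -F FilterICMP
  ### Deny icmp-type
  ### NOTE(review): dropping fragmentation-needed breaks path-MTU discovery
  ### for everything behind this host if the chain ever gets wired in.
  for TYPE in echo-request router-advertisement router-solicitation \
      address-mask-request address-mask-reply fragmentation-needed \
      host-precedence-violation precedence-cutoff source-quench redirect \
      network-redirect host-redirect TOS-network-redirect TOS-host-redirect \
      timestamp-request timestamp-reply; do
    "$IPT" -A FilterICMP -p icmp --icmp-type "$TYPE" -i "$EXTIF" -j DROP
  done
  ### Accept icmp-type
  "$IPT" -A FilterICMP -p icmp -i "$INTIF" -s "$EXTIP" -j ACCEPT
  "$IPT" -A FilterICMP -p icmp -i "$DMZIF" -s "$EXTIP" -j ACCEPT
  "$IPT" -A FilterICMP -p icmp -i "$DMZIF" -j ACCEPT
  "$IPT" -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
  "$IPT" -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
  ### Error/diagnostic replies from outside, rate limited (the original listed
  ### network-unreachable and host-unreachable twice)
  for TYPE in echo-reply destination-unreachable network-unreachable \
      host-unreachable protocol-unreachable port-unreachable \
      source-route-failed network-unknown host-unknown network-prohibited \
      host-prohibited communication-prohibited time-exceeded \
      ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem \
      ip-header-bad required-option-missing; do
    "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type "$TYPE" -m limit --limit 1/s -j ACCEPT
  done
  ### ACCEPT Rules
  ### tcp/1722 is accepted statelessly from every interface; confirm which
  ### service listens there and whether it needs to be reachable from outside.
  "$IPT" -A INPUT -p tcp --dport 1722 -j ACCEPT
  "$IPT" -A FORWARD -p tcp --dport 1722 -j ACCEPT
  # FTP: forwarded to GRECALE by the PREROUTING DNAT further down
  # (the original wrote the literal "eth0" here and in the final drops; EXTIF is that interface)
  "$IPT" -A FORWARD -i "$EXTIF" -p tcp --dport 21 -j ACCEPT
  "$IPT" -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  ### NOTE(review): every NEW connection from the LAN and from the DMZ to the
  ### firewall host itself is accepted; DMZ hosts usually get only the
  ### services they need (DNS, NTP, ...) so a compromised one cannot reach
  ### the firewall's management ports.
  "$IPT" -A INPUT -i "$INTIF" -m state --state NEW -j ACCEPT
  "$IPT" -A INPUT -i "$DMZIF" -m state --state NEW -j ACCEPT
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A FORWARD -i "$INTIF" -m state --state NEW -j ACCEPT
  ### NOTE(review): this also lets DMZ hosts open connections into the LAN;
  ### the "from DMZ to LAN" REJECT in the commented DMZ block below is disabled.
  "$IPT" -A FORWARD -i "$DMZIF" -m state --state NEW -j ACCEPT
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  ### Squid (disabled)
  #"$IPT" -t nat -A PREROUTING -i "$INTIF" -s ! 192.168.2.1 -p tcp --dport 80 -j DNAT --to 192.168.2.1:3128
  #"$IPT" -t nat -A POSTROUTING -o "$INTIF" -s 192.168.2.0/24 -d 192.168.2.1 -j SNAT "$INTIP"
  #"$IPT" -A FORWARD -s "$LAN" -d 192.168.2.1 -i "$INTIF" -o "$INTIF" -p tcp --dport 3128 -j ACCEPT
  ### DMZ (disabled)
  ### from Internet to DMZ
  #"$IPT" -A INPUT -p tcp -i "$EXTIF" -d "$WEBIP" --sport 1024:65535 --dport 80 -j ACCEPT
  #"$IPT" -A INPUT -p tcp -i "$EXTIF" -d "$WEBIP" --sport 1024:65535 --dport 443 -j ACCEPT
  #"$IPT" -A INPUT -p tcp -i "$EXTIF" -d "$WEBIP" --sport 1024:65535 --dport 1722 -j ACCEPT
  #"$IPT" -A FORWARD -p tcp -i "$EXTIF" -d "$WEBIP" --sport 1024:65535 --dport 80 -j ACCEPT
  #"$IPT" -A FORWARD -p tcp -i "$EXTIF" -d "$WEBIP" --sport 1024:65535 --dport 443 -j ACCEPT
  #"$IPT" -A FORWARD -p tcp -i "$EXTIF" -d "$WEBIP" --sport 1024:65535 --dport 1722 -j ACCEPT
  #"$IPT" -A PREROUTING -p tcp -i "$EXTIF" -d "$WEBIP" --dport 80 -j DNAT --to-destination "$CRM:80"
  #"$IPT" -A PREROUTING -p tcp -i "$EXTIF" -d "$WEBIP" --dport 443 -j DNAT --to-destination "$CRM:443"
  #"$IPT" -A PREROUTING -p tcp -i "$EXTIF" -d "$WEBIP" --dport 1722 -j DNAT --to-destination "$CRM:1722"
  ### from LAN TO DMZ
  #"$IPT" -A FORWARD -s "$LAN" -d "$DMZ" -j ACCEPT
  ### from DMZ to LAN
  #"$IPT" -A FORWARD -s "$DMZ" -d "$LAN" -j REJECT
  ### FTP: publish GRECALE's ftp server on the external address
  "$IPT" -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$EXTIP" --dport 21 -j DNAT --to-destination "$GRECALE:21"
  ### openvpn (tcp/775) on CHIMERA. The INPUT rule only matters if a server
  ### also listens on the firewall itself: DNATed packets take FORWARD, not INPUT.
  "$IPT" -A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED \
    -p tcp --dport 775 -j ACCEPT
  "$IPT" -t nat -A PREROUTING -p tcp -i "$EXTIF" -d "$EXTIP" --dport 775 -j DNAT --to-destination "$CHIMERA:775"
  "$IPT" -A FORWARD -i "$EXTIF" -p tcp --dport 775 -o "$INTIF" -j ACCEPT
  ### openvpn road warriors (udp/1194) on CHIMERA
  "$IPT" -A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED \
    -p udp --dport 1194 -j ACCEPT
  "$IPT" -t nat -A PREROUTING -p udp -i "$EXTIF" -d "$EXTIP" --dport 1194 -j DNAT --to-destination "$CHIMERA:1194"
  "$IPT" -A FORWARD -i "$EXTIF" -p udp --dport 1194 -o "$INTIF" -j ACCEPT
  ### Everything forwarded into the LAN is source-NATed to the firewall's LAN
  ### address (the original appended this identical rule twice).
  ### NOTE(review): this hides the real client address from CHIMERA's VPN
  ### logs; restricting it with "-d $CHIMERA", or dropping it if CHIMERA
  ### already routes replies through this host, keeps the audit trail.
  "$IPT" -t nat -A POSTROUTING -o "$INTIF" -j SNAT --to "$INTIP"
  ### Explicit catch-all for the external interface (the INPUT policy is DROP anyway)
  "$IPT" -A INPUT -i "$EXTIF" -p tcp --dport 0:65535 -j DROP
  "$IPT" -A INPUT -i "$EXTIF" -p udp --dport 0:65535 -j DROP
  ###
}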
#################
# stop firewall
#################
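#######################################
# Tear the firewall down: flush every table, set ACCEPT policies and switch
# IP forwarding off. After this the host is completely open, which is the
# intended "firewall off" state of the original.
# Globals:   IPT (written)
# Outputs:   an error on stderr when iptables cannot be found
# Returns:   1 when iptables is not in PATH, 0 otherwise
#######################################
stop()
{
  IPT=$(command -v iptables)
  if [ -z "$IPT" ]; then
    echo "iptables not found in PATH, nothing to stop" >&2
    return 1
  fi
  # Flush all rules and fall back to ACCEPT policies
  "$IPT" -F > /dev/null
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P OUTPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT
  "$IPT" -t nat -F
  "$IPT" -t mangle -F
  # Disable IP forwarding (guarded like the start() settings: skip if the
  # kernel does not expose the entry)
  if [ -e /proc/sys/net/ipv4/ip_forward ]; then
    echo 0 > /proc/sys/net/ipv4/ip_forward
  fi
}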
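#######################################
# Entry point: dispatch on the init action given in $1.
# "restart" runs stop then start, so the policies are ACCEPT (host fully
# open) for the short window in between; start() flushes the tables itself,
# so plain "start" reloads the rules without that window.
# Globals:   IPT (written)
# Outputs:   usage on stderr for an unknown or missing action
# Returns:   the status of the action (non-zero when start/stop bail out),
#            1 for usage errors. The original always exited 0, which hid
#            failures from the init system.
#######################################
main()
{
  IPT=$(command -v iptables)
  case "${1-}" in
    start)
      start
      ;;
    stop)
      stop
      ;;
    restart)
      stop
      start
      ;;
    status)
      if [ -z "$IPT" ]; then
        echo "iptables not found in PATH" >&2
        return 1
      fi
      "$IPT" -L -v
      ;;
    *)
      # restart was accepted but missing from the original usage line
      echo "Usage: $0 {start | stop | restart | status}" >&2
      return 1
      ;;
  esac
}
main "$@"
exit $?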