

ale339.sh —

In questi giorni sto riprendendo in mano il firewalling visto che ci son in giro troppi elementi che hanno come unica missione nella vita rendere la vita altrui il più difficile possibile.
Parlando con un caro Amico di ale338.sh, mi ha posto una domanda molto semplice: come reagisce in caso di DDoS? Ho risposto "blocca", perché il default è "nel dubbio, blocca", ma mi son trovato con una fastidiosa, anzi molto fastidiosa, pulce nell’orecchio; mi son messo quindi a ragionare un momento e a cercare in rete chi avesse avuto problemi simili, e son rimasto folgorato sulla via di Damasco quando, leggendo, ho trovato questa frase: “

The issue with this approach is that the INPUT chain is only processed after the PREROUTING and FORWARD chains and therefore only applies if the packet doesn’t match any of these two chains.

This causes a delay in the filtering of the packet which consumes resources. In conclusion, to make our rules as effective as possible, we need to move our anti-DDoS rules as far up the chains as possible. The first chain that can apply to a packet is the PREROUTING chain, so ideally we’ll want to filter the bad packets in this chain already.”
Certo, ferma, ma usando INPUT si ammazza di lavoro, quindi alla fine non eroga più il servizio che deve dare.
Ma non è tutto, bisogna anche pensare in termini di parametri da passare al kernel per rendere la situazione il più robusta possibile.
Partendo da ale338, che era lo stato dell’arte, mi son messo d’impegno a riscrivere le regole per la protezione da DDoS, mi son cercato in rete i parametri da passare al kernel e il risultato finale è il seguente. Un grazie a Giovanni “Cin”, che mi ha fatto riflettere su una cosa che davo per scontata.

#!/bin/bash -x
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Firewall initscript
# Description: Packet filtering iptables firewall
# placed in /usr/local/bin.
### END INIT INFO
### Mario V. Guenzi giugno 2000
### Last modified february 2017
# Fixed, root-owned search path: the firewall helper binaries below are
# resolved from here rather than from whatever the caller's PATH holds.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH
######################
# start firewall
######################
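#######################################
# Write a value to a /proc tunable, silently skipping tunables this
# kernel does not expose (module not loaded, older/newer kernel).
# Arguments: $1 - /proc path, $2.. - value(s) to write (joined by spaces)
# Returns:   0 always; a missing tunable is not an error
#######################################
proc_set() {
  local path=$1
  shift
  if [ -e "$path" ]; then
    echo "$*" > "$path"
  fi
  return 0
}

#######################################
# Print the first IPv4 address bound to an interface or alias label
# (eth0, eth0:1, ...). Replaces the old ifconfig|grep|cut chain, which
# also matched the "inet6" line and depends on the net-tools output
# format.
# Arguments: $1 - interface name or alias label
# Outputs:   the address without prefix length on stdout; empty if none
#######################################
iface_ip() {
  ip -4 -o addr show label "$1" 2>/dev/null \
    | awk 'NR == 1 { sub("/.*", "", $4); print $4 }'
}

#######################################
# Build the firewall: tune /proc, flush every table, set DROP policies
# and install the anti-DDoS, anti-spoof, NAT and service rules.
# Globals:   none read; all configuration is local to this function
# Outputs:   progress messages on stdout, warnings on stderr
# Returns:   1 if iptables is not installed, 0 otherwise (individual
#            iptables failures are reported by iptables and do not abort)
#######################################
start()
{
  local IPT EXTIF INTIF DMZIF LOOPBACK VIDEO WEBIF LAN DMZ
  local EXTIP INTIP DMZIP VIDIP WEBIP LOG_LEVEL
  local CHIMERA CASA GRECALE PERSEO STRONMBOLI CRM
  local -a DENIED_TCP_PORTS DENIED_UDP_PORTS
  local PORT

  # set a few variables
  echo "Welcome in ale339"
  echo "Alessandra sei la mia vita"
  echo ""
  echo " setting global variables"
  echo ""
  # command -v replaces the fragile `whereis | cut` parsing; stop here
  # rather than run a few hundred rules through an empty $IPT.
  IPT=$(command -v iptables)
  if [ -z "$IPT" ]; then
    echo "iptables not found in PATH" >&2
    return 1
  fi
  EXTIF="eth0"           ## world interface
  INTIF="eth1"           ## lan interface
  DMZIF="eth3"           ## DMZ interface
  LOOPBACK="127.0.0.1"   ## lo interface
  VIDEO="eth0:1"         ## alias used for remote checks of the video surveillance
  WEBIF="eth0:0"         ## alias the externally reachable web applications run on
  LAN="192.168.2.0/24"   # our lan
  DMZ="192.168.200.0/24" # DMZ lan
  EXTIP=$(iface_ip "$EXTIF")
  INTIP=$(iface_ip "$INTIF")
  DMZIP=$(iface_ip "$DMZIF")
  VIDIP=$(iface_ip "$VIDEO")
  WEBIP=$(iface_ip "$WEBIF")
  # SNAT/DNAT below embed these two addresses; with an empty value every
  # such rule is rejected by iptables, so say so instead of failing quietly.
  if [ -z "$EXTIP" ] || [ -z "$INTIP" ]; then
    echo "warning: no IPv4 address found on $EXTIF or $INTIF, NAT rules will fail" >&2
  fi
  LOG_LEVEL="info"
  CHIMERA="192.168.2.224"
  CASA="xx.xxx.xx.xxx"
  GRECALE="192.168.2.251"
  PERSEO="192.168.2.240"
  STRONMBOLI="192.168.2.232"
  CRM="192.168.200.10"

  # adjust /proc
  echo " applying general security settings to /proc filesystem"
  echo ""
  proc_set /proc/sys/net/ipv4/tcp_syncookies 1
  proc_set /proc/sys/net/ipv4/conf/all/rp_filter 1
  proc_set /proc/sys/net/ipv4/ip_forward 1
  proc_set /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
  proc_set /proc/sys/net/ipv4/conf/all/accept_source_route 0
  proc_set /proc/sys/net/ipv4/tcp_ecn 2
  proc_set /proc/sys/net/ipv4/conf/all/send_redirects 0
  proc_set /proc/sys/net/ipv4/conf/all/accept_redirects 0
  proc_set /proc/sys/net/ipv4/conf/all/secure_redirects 1
  proc_set /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  proc_set /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout 120
  # martians are logged only on the world-facing interface
  proc_set "/proc/sys/net/ipv4/conf/$EXTIF/log_martians" 1
  proc_set "/proc/sys/net/ipv4/conf/$INTIF/log_martians" 0
  proc_set /proc/sys/net/ipv4/tcp_timestamps 1
  ### Thanks to candycrawler for "wake up"
  echo " appling settings for ddos attack "
  echo ""
  # the tunable is kernel/panic; the old kernel/kernel.panic path never matched
  proc_set /proc/sys/kernel/panic 10
  proc_set /proc/sys/kernel/sysrq 0
  proc_set /proc/sys/kernel/shmmax 4294967296
  proc_set /proc/sys/kernel/shmall 4194304
  proc_set /proc/sys/kernel/core_uses_pid 1
  proc_set /proc/sys/kernel/msgmnb 65536
  proc_set /proc/sys/kernel/msgmax 65536
  proc_set /proc/sys/vm/swappiness 20
  proc_set /proc/sys/vm/dirty_ratio 80
  proc_set /proc/sys/vm/dirty_background_ratio 5
  proc_set /proc/sys/fs/file-max 2097152
  proc_set /proc/sys/net/core/netdev_max_backlog 262144
  proc_set /proc/sys/net/core/rmem_default 31457280
  proc_set /proc/sys/net/core/rmem_max 67108864
  # send-side buffers are wmem_*; the old vmem_* paths do not exist
  proc_set /proc/sys/net/core/wmem_default 31457280
  proc_set /proc/sys/net/core/wmem_max 31457280
  proc_set /proc/sys/net/core/somaxconn 65535
  proc_set /proc/sys/net/core/optmem_max 25165824
  proc_set /proc/sys/net/ipv4/neigh/default/gc_thresh1 4096
  proc_set /proc/sys/net/ipv4/neigh/default/gc_thresh2 8192
  proc_set /proc/sys/net/ipv4/neigh/default/gc_thresh3 16384
  proc_set /proc/sys/net/ipv4/neigh/default/gc_stale_time 120
  proc_set /proc/sys/net/netfilter/nf_conntrack_max 10000000
  proc_set /proc/sys/net/netfilter/nf_conntrack_tcp_loose 0
  proc_set /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established 1800
  proc_set /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_close 10
  proc_set /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_close_wait 10
  proc_set /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_fin_wait 20
  proc_set /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_last_ack 20
  proc_set /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_recv 20
  proc_set /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_sent 20
  proc_set /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait 10
  proc_set /proc/sys/net/ipv4/tcp_slow_start_after_idle 0
  proc_set /proc/sys/net/ipv4/ip_local_port_range 1024 65000
  # deliberate: path-MTU discovery is switched off, consistent with the
  # fragmentation-needed DROP in FilterICMP below
  proc_set /proc/sys/net/ipv4/ip_no_pmtu_disc 1
  proc_set /proc/sys/net/ipv4/route/flush 1
  proc_set /proc/sys/net/ipv4/route/max_size 8048576
  proc_set /proc/sys/net/ipv4/tcp_congestion_control htcp
  proc_set /proc/sys/net/ipv4/tcp_mem 65536 131072 262144
  proc_set /proc/sys/net/ipv4/udp_mem 65536 131072 262144
  proc_set /proc/sys/net/ipv4/tcp_rmem 4096 87380 33554432
  proc_set /proc/sys/net/ipv4/udp_rmem_min 16384
  # tcp_wmem / udp_wmem_min: the old tcp_vmem / udp_vmem_min were no-ops
  proc_set /proc/sys/net/ipv4/tcp_wmem 4096 87380 33554432
  proc_set /proc/sys/net/ipv4/udp_wmem_min 16384
  proc_set /proc/sys/net/ipv4/tcp_max_tw_buckets 1440000
  # tcp_tw_recycle / tcp_tw_reuse: the old tcp_max_tw_* names were no-ops
  proc_set /proc/sys/net/ipv4/tcp_tw_recycle 0
  proc_set /proc/sys/net/ipv4/tcp_tw_reuse 1
  proc_set /proc/sys/net/ipv4/tcp_max_orphans 400000
  proc_set /proc/sys/net/ipv4/tcp_window_scaling 1
  proc_set /proc/sys/net/ipv4/tcp_rfc1337 1
  proc_set /proc/sys/net/ipv4/tcp_synack_retries 1
  proc_set /proc/sys/net/ipv4/tcp_syn_retries 2
  proc_set /proc/sys/net/ipv4/tcp_max_syn_backlog 16384
  proc_set /proc/sys/net/ipv4/tcp_sack 1
  proc_set /proc/sys/net/ipv4/tcp_fack 1
  proc_set /proc/sys/net/ipv4/tcp_fin_timeout 10
  proc_set /proc/sys/net/ipv4/tcp_keepalive_time 600
  proc_set /proc/sys/net/ipv4/tcp_keepalive_intvl 60
  proc_set /proc/sys/net/ipv4/tcp_keepalive_probes 10
  proc_set /proc/sys/net/ipv4/tcp_no_metrics_save 1

  ### Attempt to flush All rules in filter table
  "$IPT" -F > /dev/null
  ### Mmmm I'm not sure old way maybe is better
  "$IPT" -F INPUT > /dev/null
  "$IPT" -F FORWARD > /dev/null
  "$IPT" -F OUTPUT > /dev/null
  "$IPT" -F -t nat > /dev/null
  ## Flush Rules/delete User chains in mangle table, if any
  "$IPT" -F -t mangle
  "$IPT" -t mangle -X
  ### Delete all user-defined chains, reduces dumb warning if you run
  ### this script more than once.
  "$IPT" -X
  "$IPT" -t nat -X

  ### Set default policy
  "$IPT" -t nat -P PREROUTING ACCEPT
  "$IPT" -t nat -P POSTROUTING ACCEPT
  "$IPT" -P INPUT DROP ###Higly Reccomended Default Policy
  "$IPT" -P OUTPUT DROP
  "$IPT" -P FORWARD DROP
  "$IPT" -t nat -A POSTROUTING -s "$LAN" -o "$EXTIF" -j SNAT --to-source "$EXTIP"
  #"$IPT" -t nat -A POSTROUTING -s "$DMZ" -o "$WEBIF" -j SNAT --to-source "$WEBIP"
  ### lo interface
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A OUTPUT -o lo -j ACCEPT

  ### some rules to mitigate a ddos attack
  ### (mangle PREROUTING is the first chain a packet meets, so the cheap
  ### drops go here rather than in INPUT)
  # if invalid drop
  "$IPT" -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
  ## if non SYN drop
  "$IPT" -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  # if uncommon MSS values drop
  "$IPT" -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
  # bogus TCP flag combinations
  "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
  "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
  "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
  "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
  "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
  "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
  "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
  "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
  "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
  "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

  ### Some check on packets status
  ### NOTE: nothing in this script jumps to KEEP_STATE (no "-j KEEP_STATE"),
  ### so the chain is inert until it is hooked into INPUT/FORWARD.
  "$IPT" -N KEEP_STATE
  "$IPT" -F KEEP_STATE
  "$IPT" -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
  ### do not allow forbiden subnets on eth0
  "$IPT" -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
  "$IPT" -t mangle -A PREROUTING -s 2.0.0.0/8 -j DROP
  "$IPT" -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
  "$IPT" -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
  # spoofed RFC1918 sources arriving on the world interface are dropped for
  # every protocol; the old rule carried "-p tcp" and let UDP/ICMP through
  "$IPT" -t mangle -A PREROUTING -i "$EXTIF" -s 192.168.0.0/16 -j DROP
  "$IPT" -t mangle -A PREROUTING -p tcp -i "$INTIF" -s "$LAN" -j ACCEPT
  "$IPT" -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
  "$IPT" -t mangle -A PREROUTING -s 224.0.0.0/4 -j DROP
  "$IPT" -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP

  # if fragmented
  "$IPT" -t mangle -A PREROUTING -f -j DROP

  ## Chain DENY_PORTS This rules will DROP/LOG pachets based on port number
  ## NOTE: nothing in this script jumps to DENY_PORTS (no "-j DENY_PORTS"),
  ## so the chain is inert until it is hooked into INPUT/FORWARD.
  "$IPT" -N DENY_PORTS
  "$IPT" -F DENY_PORTS

  DENIED_TCP_PORTS=(111 137:139 635 2049 6000:6063 10498 12754 20034 12345:12346
    27374 27444 27665 31335)
  for PORT in "${DENIED_TCP_PORTS[@]}"; do
    "$IPT" -A DENY_PORTS -p tcp --dport "$PORT" -m limit --limit 5/minute \
      -j LOG --log-level "$LOG_LEVEL" --log-prefix "DENIED PORT:"
    "$IPT" -A DENY_PORTS -p tcp --sport "$PORT" -m limit --limit 5/minute \
      -j LOG --log-level "$LOG_LEVEL" --log-prefix "DENIED PORT:"
    "$IPT" -A DENY_PORTS -p tcp --dport "$PORT" -j DROP
    "$IPT" -A DENY_PORTS -p tcp --sport "$PORT" -j DROP
  done
  # ident: answer with a reset so mail/irc servers do not wait for a timeout
  "$IPT" -A DENY_PORTS -p tcp --dport 113 -j REJECT --reject-with tcp-reset
  DENIED_UDP_PORTS=(111 512 514 515 635 2049 10498 27444 31335 31337)
  for PORT in "${DENIED_UDP_PORTS[@]}"; do
    "$IPT" -A DENY_PORTS -p udp --dport "$PORT" -m limit --limit 5/minute \
      -j LOG --log-level "$LOG_LEVEL" --log-prefix "DENIED PORT:"
    "$IPT" -A DENY_PORTS -p udp --sport "$PORT" -m limit --limit 5/minute \
      -j LOG --log-level "$LOG_LEVEL" --log-prefix "DENIED PORT:"
    "$IPT" -A DENY_PORTS -p udp --dport "$PORT" -j DROP
    "$IPT" -A DENY_PORTS -p udp --sport "$PORT" -j DROP
  done

  ### Blocking TOR traffic read from /usr/local/bin/torblock.sh
  ### (the chain is created empty here and filled by that script)
  "$IPT" -N TOR_BLOCK
  "$IPT" -F TOR_BLOCK
  "$IPT" -I INPUT -j TOR_BLOCK
  "$IPT" -I OUTPUT -j TOR_BLOCK
  "$IPT" -I FORWARD -j TOR_BLOCK

  ### ICMP FILTER
  ### NOTE: nothing in this script jumps to FilterICMP (no "-j FilterICMP"),
  ### so the chain is inert until it is hooked into INPUT/FORWARD.
  ### Deny icmp-type
  "$IPT" -N FilterICMP
  "$IPT" -F FilterICMP
  "$IPT" -A FilterICMP -p icmp --icmp-type echo-request -i "$EXTIF" -j DROP
  "$IPT" -A FilterICMP -p icmp --icmp-type router-advertisement -i "$EXTIF" -j DROP
  "$IPT" -A FilterICMP -p icmp --icmp-type router-solicitation -i "$EXTIF" -j DROP
  "$IPT" -A FilterICMP -p icmp --icmp-type address-mask-request -i "$EXTIF" -j DROP
  "$IPT" -A FilterICMP -p icmp --icmp-type address-mask-reply -i "$EXTIF" -j DROP
  "$IPT" -A FilterICMP -p icmp --icmp-type fragmentation-needed -i "$EXTIF" -j DROP
  "$IPT" -A FilterICMP -p icmp --icmp-type host-precedence-violation -i "$EXTIF" -j DROP
  "$IPT" -A FilterICMP -p icmp --icmp-type precedence-cutoff -i "$EXTIF" -j DROP
  "$IPT" -A FilterICMP -p icmp --icmp-type source-quench -i "$EXTIF" -j DROP
  "$IPT" -A FilterICMP -p icmp --icmp-type redirect -i "$EXTIF" -j DROP
  "$IPT" -A FilterICMP -p icmp --icmp-type network-redirect -i "$EXTIF" -j DROP
  "$IPT" -A FilterICMP -p icmp --icmp-type host-redirect -i "$EXTIF" -j DROP
  "$IPT" -A FilterICMP -p icmp --icmp-type TOS-network-redirect -i "$EXTIF" -j DROP
  "$IPT" -A FilterICMP -p icmp --icmp-type TOS-host-redirect -i "$EXTIF" -j DROP
  "$IPT" -A FilterICMP -p icmp --icmp-type timestamp-request -i "$EXTIF" -j DROP
  "$IPT" -A FilterICMP -p icmp --icmp-type timestamp-reply -i "$EXTIF" -j DROP
  ###Accept icmp-type
  "$IPT" -A FilterICMP -p icmp -i "$INTIF" -s "$EXTIP" -j ACCEPT
  "$IPT" -A FilterICMP -p icmp -i "$DMZIF" -s "$EXTIP" -j ACCEPT
  "$IPT" -A FilterICMP -p icmp -i "$DMZIF" -j ACCEPT
  "$IPT" -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
  "$IPT" -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
  # error/diagnostic types from the world, rate-limited to 1/s
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type destination-unreachable -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type network-unreachable -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type host-unreachable -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type protocol-unreachable -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type port-unreachable -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type source-route-failed -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type network-unknown -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type host-unknown -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type network-prohibited -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type host-prohibited -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type communication-prohibited -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type time-exceeded -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type ttl-zero-during-transit -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type ttl-zero-during-reassembly -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type parameter-problem -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type ip-header-bad -m limit --limit 1/s -j ACCEPT
  "$IPT" -A FilterICMP -i "$EXTIF" -p icmp --icmp-type required-option-missing -m limit --limit 1/s -j ACCEPT

  ###ACCEPT Rules
  "$IPT" -A INPUT -p tcp --dport 1722 -j ACCEPT
  "$IPT" -A FORWARD -p tcp --dport 1722 -j ACCEPT
  # was "-i eth0": use the variable so the interface is set in one place
  "$IPT" -A FORWARD -i "$EXTIF" -p tcp --dport 21 -j ACCEPT
  "$IPT" -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A INPUT -i "$INTIF" -m state --state NEW -j ACCEPT
  "$IPT" -A INPUT -i "$DMZIF" -m state --state NEW -j ACCEPT
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A FORWARD -i "$INTIF" -m state --state NEW -j ACCEPT
  "$IPT" -A FORWARD -i "$DMZIF" -m state --state NEW -j ACCEPT
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  ### Squid
  #"$IPT" -t nat -A PREROUTING -i "$INTIF" -s ! 192.168.2.1 -p tcp --dport 80 -j DNAT --to 192.168.2.1:3128
  #"$IPT" -t nat -A POSTROUTING -o "$INTIF" -s 192.168.2.0/24 -d 192.168.2.1 -j SNAT "$INTIP"
  #"$IPT" -A FORWARD -s "$LAN" -d 192.168.2.1 -i "$INTIF" -o "$INTIF" -p tcp --dport 3128 -j ACCEPT
  ### DMZ
  ### from Internet to DMZ
  #"$IPT" -A INPUT -p tcp -i "$EXTIF" -d "$WEBIP" --sport 1024:65535 --dport 80 -j ACCEPT
  #"$IPT" -A INPUT -p tcp -i "$EXTIF" -d "$WEBIP" --sport 1024:65535 --dport 443 -j ACCEPT
  #"$IPT" -A INPUT -p tcp -i "$EXTIF" -d "$WEBIP" --sport 1024:65535 --dport 1722 -j ACCEPT
  #"$IPT" -A FORWARD -p tcp -i "$EXTIF" -d "$WEBIP" --sport 1024:65535 --dport 80 -j ACCEPT
  #"$IPT" -A FORWARD -p tcp -i "$EXTIF" -d "$WEBIP" --sport 1024:65535 --dport 443 -j ACCEPT
  #"$IPT" -A FORWARD -p tcp -i "$EXTIF" -d "$WEBIP" --sport 1024:65535 --dport 1722 -j ACCEPT
  #"$IPT" -A PREROUTING -p tcp -i "$EXTIF" -d "$WEBIP" --dport 80 -j DNAT --to-destination "$CRM:80"
  #"$IPT" -A PREROUTING -p tcp -i "$EXTIF" -d "$WEBIP" --dport 443 -j DNAT --to-destination "$CRM:443"
  #"$IPT" -A PREROUTING -p tcp -i "$EXTIF" -d "$WEBIP" --dport 1722 -j DNAT --to-destination "$CRM:1722"
  ### from LAN TO DMZ
  #"$IPT" -A FORWARD -s "$LAN" -d "$DMZ" -j ACCEPT
  ### from DMZ to LAN
  #"$IPT" -A FORWARD -s "$DMZ" -d "$LAN" -j REJECT
  ### FTP
  "$IPT" -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$EXTIP" --dport 21 -j DNAT --to-destination "$GRECALE:21"
  ### openvpn
  "$IPT" -A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED \
    -p tcp --dport 775 -j ACCEPT
  "$IPT" -t nat -A PREROUTING -p tcp -i "$EXTIF" -d "$EXTIP" --dport 775 -j DNAT --to-destination "$CHIMERA:775"
  "$IPT" -A FORWARD -i "$EXTIF" -p tcp --dport 775 -o "$INTIF" -j ACCEPT
  # everything forwarded into the LAN leaves with the firewall's LAN address
  # (this rule also covers the road-warrior traffic below; it was listed twice)
  "$IPT" -t nat -A POSTROUTING -o "$INTIF" -j SNAT --to "$INTIP"
  ### openvpn road warriors
  "$IPT" -A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED \
    -p udp --dport 1194 -j ACCEPT
  "$IPT" -t nat -A PREROUTING -p udp -i "$EXTIF" -d "$EXTIP" --dport 1194 -j DNAT --to-destination "$CHIMERA:1194"
  "$IPT" -A FORWARD -i "$EXTIF" -p udp --dport 1194 -o "$INTIF" -j ACCEPT

  # explicit catch-all on the world interface (the INPUT policy is DROP
  # already; these make the drop visible in counters)
  "$IPT" -A INPUT -i "$EXTIF" -p tcp --dport 0:65535 -j DROP
  "$IPT" -A INPUT -i "$EXTIF" -p udp --dport 0:65535 -j DROP

  ###
  return 0
}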

#################
# stop firewall
#################
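#######################################
# Tear the firewall down: flush every table, set ACCEPT policies, drop
# the user-defined chains created by start() and disable IP forwarding.
# Outputs:   iptables diagnostics only
# Returns:   1 if iptables is not installed, 0 otherwise
#######################################
stop()
{
  local IPT
  IPT=$(command -v iptables)
  if [ -z "$IPT" ]; then
    echo "iptables not found in PATH" >&2
    return 1
  fi
  # Flush rules and set every policy to ACCEPT
  "$IPT" -F INPUT > /dev/null
  "$IPT" -F OUTPUT > /dev/null
  "$IPT" -F FORWARD > /dev/null
  "$IPT" -F > /dev/null
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P OUTPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT
  "$IPT" -t nat -F
  "$IPT" -t mangle -F
  # remove the user chains too, otherwise they survive a "stop" and the
  # next start() warns on every -N
  "$IPT" -X
  "$IPT" -t nat -X
  "$IPT" -t mangle -X

  # Disable IP forwarding (guarded like the writes in start())
  if [ -e /proc/sys/net/ipv4/ip_forward ]; then
    echo 0 > /proc/sys/net/ipv4/ip_forward
  fi
  return 0
}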

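# Dispatch on the init-script verb. start/stop/restart do their own
# iptables lookup; the one here only serves "status".
IPT=$(command -v iptables)
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  status)
    # -n: numeric output, no reverse-DNS lookup per rule
    "${IPT:?iptables not found in PATH}" -L -v -n
    ;;
  *)
    # "restart" is a valid verb (see above) but was missing from the message
    echo "Usage: $0 {start | stop | restart | status}"
    exit 1
    ;;
esac
exit 0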




