
RE: [SIKKERHED] Iptables - firewall (inspirations-scripts)



Hej Jesper.

Jeg har her de sidste par dage strikket et lille fw-script sammen som er
baseret på 2.4/iptables og 3 interfaces. Jeg ved ikke om du kan bruge det
direkte, men om ikke andet er der i hvert fald mulighed for at hente inspiration.
Jeg har faktisk selv testet alle regler/NAT, men er gået lidt i stå da jeg
mangler et krydset kabel (og alle forretninger har lukket).

Der er bl.a. vist NAT for en transparent proxy - det mener jeg du tidligere
har spurgt om

Mvh Jeppe


-----Original Message-----
From: Jesper Hegaard [mailto:jesper.hegaard@brovandeskolen.dk].sslug.dk
Sent: 5. juni 2001 12:06
To: sslug-sikkerhed@sslug.dk
Subject: [SIKKERHED] Iptables - firewall (inspirations-scripts)


I forbindelse med opsætning af firewall (kernel 2.4 - iptables) efterlyser
jeg "inspirations-scripts" eller links til howto's m.m.

Fw-boxen skal kun køre fw (evt. DHCP) og kun tillade indgående HTTP.
Udgående skal foreløbig tillades alt fra fast/DHCP ip-adresser.

Jeg råder over ca. 100 ip-adresser, jeg fortsat gerne vil bruge. Men i
forbindelse med Iptables, vil NAT/Masquerading måske være at foretrække.


Mvh
Jesper Hegaard
Brovandeskolen i Skagen
################################################################################################
### 05/06-2001 Jeppe Koefoed                                                                 ###
### jeppe@koefoed.to                                                                         ###
###                                                                                          ###
### Revision history                                                                         ###
### Version 0.3:   Added DMZ interface, new chain structure                                  ###
### Version 0.2:   Added pool nat, redirection, static nat                                   ###
### Version 0.1:   Initial script, 2 interfaces, simple masq                                 ###
################################################################################################

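# For debugging:
#set -x

# External programs
IPTABLES=/sbin/iptables

# Verb dispatch.  Only 'start' falls through into the rule set that follows;
# every other verb acts here and exits.  (The original let 'status' and 'nat'
# fall through as well, so a mere "status" silently reloaded the whole
# policy and re-enabled forwarding.)
case "$1" in
	start)
	# Just fall through..... (no exit)
	;;
	stop)
	# Stop forwarding BEFORE the policies are opened up below, so the box
	# never routes with an ACCEPT policy and no rules, not even briefly.
	echo "0" > /proc/sys/net/ipv4/ip_forward
	# Clear filter entries
	$IPTABLES -F
	# Clear chains
	$IPTABLES -X
	# Clear NAT entries
	$IPTABLES -t nat -F
	# Clear chains
	$IPTABLES -t nat -X
	# Clear mangle entries
	$IPTABLES -t mangle -F
	# Set default chain policies
	$IPTABLES -P FORWARD ACCEPT
	$IPTABLES -P INPUT ACCEPT
	$IPTABLES -P OUTPUT ACCEPT
	exit 0
	;;
	unload)
	# Filter rules and user chains go; NAT rules and routing stay, so the
	# box keeps forwarding and translating with no filtering at all.
	echo "Warning: You are routing packets WITHOUT a security policy" >&2
	# Clear filter entries
	$IPTABLES -F
	# Clear chains
	$IPTABLES -X
	# Clear chains (the nat rules themselves are deliberately kept)
	$IPTABLES -t nat -X
	# Set default chain policies
	$IPTABLES -P FORWARD ACCEPT
	$IPTABLES -P INPUT ACCEPT
	$IPTABLES -P OUTPUT ACCEPT
	exit 0
	;;
	status)
	# Show only; must not fall through into a reload.
	$IPTABLES -L -n -v --line-numbers
	exit 0
	;;
	nat)
	# Show only; must not fall through into a reload.
	$IPTABLES -L -n -v --line-numbers -t nat
	exit 0
	;;
	*)
	echo "Usage: $0 {start|stop|unload|status|nat}"
	echo "          start  : applies rules/nat and enable routing"
	echo "          stop   : removes rules/nat and disable routing"
	echo "          unload : removes rules, applies nat and enable routing (dangerous)"
	echo "          status : Shows rules"
	echo "          nat    : Shows NAT"
	exit 1
	;;
esac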

# This is done when argument 'start' : 
#####################################################################
###    Site specific
#####################################################################

# Interfaces -- which NIC faces which zone
ext_if="eth1"   # Internet
int_if="eth2"   # internal LAN
dmz_if="eth0"   # DMZ

# Networks behind the internal and DMZ interfaces
localnet="192.168.222.0/24"
dmznet="192.168.244.0/24"

# Hosts

# Gateway: this box's own address on each interface
ext_ip="192.168.1.2"
int_ip="192.168.222.1"
dmz_ip="192.168.244.1"

# Alternative: pick the addresses up from the interfaces at run time
#ext_ip=$(ifconfig $ext_if | grep inet | awk -F: '{print $2}' | awk '{print $1}')
#int_ip=$(ifconfig $int_if | grep inet | awk -F: '{print $2}' | awk '{print $1}')
#dmz_ip=$(ifconfig $dmz_if | grep inet | awk -F: '{print $2}' | awk '{print $1}')

# Webserver (target of the port-80 DNAT in the NAT section)
# NOTE(review): this is the same address as int_ip, i.e. the firewall
# itself -- the DNAT then points at this box, not at a LAN host.  Confirm
# this is intended and not a placeholder left over from testing.
webserver="192.168.222.1"

# Management client -- the only inside host that should reach sshd here
management="192.168.222.10"

# Pool nat (remember to route pool / proxy arp)
IP_POOL="192.168.1.129-192.168.1.254"

### Port definition ###
# Redirection: local squid listening port for the transparent proxy
SQUID_PORT="8080"

# Static nat: one public address mapped one-to-one onto a DMZ host
terminalserver_int="192.168.244.2"
terminalserver_ext="192.168.1.100"

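#########################################################################
# Fail closed before anything else: default-DROP the filter chains and
# wipe every table FIRST, tune the stack, and only then enable forwarding.
# The original enabled ip_forward before touching the policies, so on a
# box with a fresh (ACCEPT, empty) ruleset it forwarded unfiltered for the
# moment it took the rules below to land.

# Set default chain policies (paranoid)
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP

# Clear filter entries
$IPTABLES -F
# Clear chains
$IPTABLES -X

# Clear NAT entries
$IPTABLES -t nat -F
# Clear chains
$IPTABLES -t nat -X
# Clear mangle entries
$IPTABLES -t mangle -F

#########################################################################
# Kernel hardening (sysctl via /proc)

# Setting up anti-ipspoofing (reverse-path filter).
# On the 2.4 kernels this script targets, conf/all/rp_filter only gates the
# per-interface flag (ip-sysctl.txt: "conf/all/rp_filter must also be set to
# TRUE to do source validation on the interface"), so both are needed.  The
# original set 'all' and left the per-interface loop commented out.
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo "1" > "$f"; done

# Enable syn-cookies (syn-flooding attacks)
echo "1" >/proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP echo-request to broadcast addresses (Smurf amplifier)
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable ICMP echo-request altogether (see also below for ICMP filtering)
#echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable ICMP redirects
echo "0" >/proc/sys/net/ipv4/conf/all/accept_redirects

# Disable source route
echo "0" >/proc/sys/net/ipv4/conf/all/accept_source_route

# Starting IP Bogus Error Response Protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log impossible addresses
echo "1" >/proc/sys/net/ipv4/conf/all/log_martians

# Set local port range
echo "50000 60999" >/proc/sys/net/ipv4/ip_local_port_range

#Setting up Dynamic address (ppp)
#echo "1" >/proc/sys/net/ipv4/ip_dynaddr

# Setting up forwarding -- last, now that the filter policy is DROP.
echo "1" > /proc/sys/net/ipv4/ip_forward

##################################################################################
####  RULES        (remember corresponding NAT)
##################################################################################

## Insert connection-tracking modules (not needed if built into kernel).
# insmod ip_conntrack
# insmod ip_conntrack_ftp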

### Anti-ip-spoofing
# Any packet whose source address cannot legitimately appear on the
# interface it came in on (or goes out of) is sent to the 'spoof' chain,
# which logs (rate-limited) and drops.  FORWARD sees the pre-SNAT source.
# NB: "-s ! net" is the pre-1.4 iptables syntax; newer releases want "! -s net".
$IPTABLES -N spoof

# Inbound on a trusted interface with a source that does not belong there
$IPTABLES -A FORWARD -i $int_if -s ! $localnet -j spoof
$IPTABLES -A FORWARD -i $dmz_if -s ! $dmznet -j spoof

# Our own internal ranges arriving from the Internet
for net in $localnet $dmznet; do
	$IPTABLES -A FORWARD -i $ext_if -s $net -j spoof
done

# Loopback and RFC 1918 space crossing the external interface, either way.
# 192.168.0.0/16 is left out on purpose -- localnet and dmznet live in it
# and would be caught on the way out, since FORWARD runs before SNAT.
for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12; do
	$IPTABLES -A FORWARD -i $ext_if -s $net -j spoof
	$IPTABLES -A FORWARD -o $ext_if -s $net -j spoof
done
#$IPTABLES -A FORWARD -i $ext_if -s 192.168.0.0/16 -j spoof
#$IPTABLES -A FORWARD -o $ext_if -s 192.168.0.0/16 -j spoof

# Allow dhcp
# NOTE(review): exempts broadcast-bound packets from int_if.  This chain is
# only reached from FORWARD, where a link-local DHCP broadcast is not
# normally forwarded at all -- verify the exemption is still needed.
$IPTABLES -A spoof -i $int_if -d 255.255.255.255 -j ACCEPT
$IPTABLES -A spoof -m limit --limit 5/minute -j LOG --log-prefix "Spoofing:"
$IPTABLES -A spoof -j DROP
###

### General ICMP
# Only these types may start a NEW ICMP "connection"; replies and errors
# that belong to a tracked flow are accepted earlier as ESTABLISHED,RELATED.
$IPTABLES -N icmp_allowed
for icmptype in echo-request source-quench time-exceeded destination-unreachable; do
	$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type $icmptype -j ACCEPT
done
# Don't allow other icmp (or comment out and add specific icmp-rule at each chain)
$IPTABLES -A icmp_allowed -j DROP
###


#################################################################################################
### Rules start here
###

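# First, make fw statefull:
# Anything belonging to (or related to) a tracked connection is accepted
# up front, so the zone chains below only ever have to decide on NEW.
# Packets conntrack cannot classify are dropped right after.
# All three chains go through $IPTABLES: the original called a bare
# 'iptables' for the INVALID rules, i.e. whatever binary the caller's PATH
# happened to resolve, instead of the configured /sbin/iptables.
for chain in FORWARD OUTPUT INPUT; do
	$IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
done
for chain in FORWARD OUTPUT INPUT; do
	$IPTABLES -A $chain -m state --state INVALID -j DROP
done

# General ICMP: hand every ICMP packet to the icmp_allowed chain
for chain in FORWARD INPUT OUTPUT; do
	$IPTABLES -A $chain -p icmp -j icmp_allowed
done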

# Create chains ...
# One chain per (source zone, destination zone) pair, the terminal
# accept_* chains (which decide about logging), and the shared
# cleanup chain (log + drop).  Created in the original order.
for chain in int_ext int_dmz ext_int ext_dmz dmz_ext dmz_int \
             accept_dmz accept_int accept_ext accept_fw cleanup; do
	$IPTABLES -N $chain
done


### Acceptrules:
# Terminal chains.  The zone chain a packet is sent through decides whether
# its acceptance is logged: inside and DMZ origins are not, Internet
# origins are.
# No logging from inside:
$IPTABLES -A accept_int -j ACCEPT
# No logging from dmz:
$IPTABLES -A accept_dmz -j ACCEPT
# Log from outside
$IPTABLES -A accept_ext -j LOG --log-prefix "Accepted packet on $ext_if:"
$IPTABLES -A accept_ext -j ACCEPT
# Log against FW
#$IPTABLES -A accept_fw -j LOG --log-prefix "Accepted packet on"
$IPTABLES -A accept_fw -j ACCEPT
###

### Rules from inside
# Allow everything from inside to internet (ext)
$IPTABLES -A int_ext -m state --state NEW -j accept_int
# Allow everything from inside to dmz
$IPTABLES -A int_dmz -m state --state NEW -j accept_int
###

### Rules from dmz
# Allow everything from dmz to internet (ext)
$IPTABLES -A dmz_ext -m state --state NEW -j accept_dmz
# Allow everything from dmz to inside
# NOTE(review): a compromised DMZ host thereby gets unrestricted access to
# the LAN; usually only replies (already ESTABLISHED,RELATED) are wanted here.
$IPTABLES -A dmz_int -m state --state NEW -j accept_dmz
###

### Rules from internet (ext)
# Reject ident (speeds up sending mail)
$IPTABLES -A ext_int -m state --state NEW -p tcp --dport 113 -j REJECT --reject-with tcp-reset
$IPTABLES -A ext_dmz -m state --state NEW -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Nothing else is accepted from the Internet: accept_ext is never jumped to,
# and the services published by DNAT in the NAT section end up in the
# cleanup chain.  Per published service a rule of this shape is needed, e.g.:
#$IPTABLES -A ext_int -m state --state NEW -p tcp -d $webserver --dport 80 -j accept_ext
#$IPTABLES -A ext_dmz -m state --state NEW -d $terminalserver_int -j accept_ext
###

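### Cleanup rule (not specified, not allowed)
# Reject ident (speeds up sending mail)
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Dolby rule: drop NetBIOS datagram noise (udp/138) silently instead of logging it
$IPTABLES -A INPUT -m state --state NEW -p udp --dport 138 -j DROP
# Whatever falls through a chain ends here: rate-limited log, then drop.
$IPTABLES -A cleanup -m limit --limit 5/minute -j LOG --log-prefix "Cleanup-rule:"
$IPTABLES -A cleanup -j DROP
###

### Allow some connections to FW
# Loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
# Allow management from inside
$IPTABLES -A INPUT -m state --state NEW -i $int_if -s $management -p tcp --dport ssh -j accept_fw
# Allow everything from inside - not recommended
# (makes the management rule above redundant; remove this line to enforce it)
$IPTABLES -A INPUT -m state --state NEW -i $int_if -s $localnet -j accept_fw
# Allow dhcp from inside.  A DHCP DISCOVER is sent from 0.0.0.0, which the
# localnet rule above cannot match.  The original accepted ANY new
# connection on $int_if here, whatever its source; only the DHCP server
# port is needed for that, so restrict it to udp/67.
$IPTABLES -A INPUT -m state --state NEW -i $int_if -p udp --dport 67 -j accept_fw
# Allow everything from dmz - not recommended
$IPTABLES -A INPUT -m state --state NEW -i $dmz_if -s $dmznet -j accept_fw

## From internet - not recommended
# These expose sshd and the MTA on the firewall itself to the whole Internet.
# Inside and DMZ are already accepted above, so the rules are bound to
# $ext_if: without that they also matched a spoofed source on $dmz_if.
# Better still, drop the ssh line and manage the box from $management only.
# Allow ssh from outside
$IPTABLES -A INPUT -m state --state NEW -i $ext_if -p tcp --dport ssh -j accept_fw
# Allow mail from outside
$IPTABLES -A INPUT -m state --state NEW -i $ext_if -p tcp --dport 25 -j accept_fw
## Allow www from outside
#$IPTABLES -A INPUT -m state --state NEW -i $ext_if -p tcp --dport 80 -j accept_fw
# Allow ftp from outside
#$IPTABLES -A INPUT -m state --state NEW -i $ext_if -p tcp --dport 21 -j accept_fw
##
# ..the rest goes to cleanup
$IPTABLES -A INPUT -j cleanup
###

###
# Allow all connections from FW
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -j cleanup
###

## Jump to that chain from FORWARD chains.
# Zone-pair dispatch; "not localnet" / "not dmznet" stands in for "Internet".
# Anything no pair claims goes to cleanup.
$IPTABLES -A FORWARD -s $localnet -d $dmznet -j int_dmz
$IPTABLES -A FORWARD -s $localnet -d ! $dmznet -j int_ext
$IPTABLES -A FORWARD -s $dmznet -d $localnet -j dmz_int
$IPTABLES -A FORWARD -s $dmznet -d ! $localnet -j dmz_ext
$IPTABLES -A FORWARD -s ! $dmznet -d $localnet -j ext_int
$IPTABLES -A FORWARD -s ! $localnet -d $dmznet -j ext_dmz
$IPTABLES -A FORWARD -j cleanup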

###
### Rules end here
###########################################################################################

###########################################################################################
## Address translation (NAT)      (remember corresponding rule)
###########################################################################################
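# Order matters in the nat table: SNAT/DNAT are terminating targets and
# only a connection's first packet is looked at, so the specific
# translations must come BEFORE the catch-all.  The original listed the
# catch-all SNAT first, which shadowed the static and pool NAT below for
# everything leaving on $ext_if (all of it left as $ext_ip).

# Static portforwarding :   External to internal
# Internal Webserver.  Needs a matching accept (ext_int, or INPUT while
# $webserver is this box's own int_ip) or the DNATed packet is dropped by
# the cleanup chain.
$IPTABLES -A PREROUTING -t nat -p tcp -d $ext_ip --dport 80 -j DNAT --to $webserver:80
# A range
#$IPTABLES -A PREROUTING -t nat -p tcp -d $ext_ip --dport 2000:3000 -j DNAT --to $webserver:2000-3000

# Static nat (one-to-one-NAT) (NAT before rules)
$IPTABLES -A PREROUTING -t nat -d $terminalserver_ext -j DNAT --to-destination $terminalserver_int
$IPTABLES -A POSTROUTING -t nat -s $terminalserver_int -j SNAT --to-source $terminalserver_ext

# Pool nat (one-to-one-NAT)  -- remember to route the pool / proxy arp.
# The terminal server is in $dmznet too, so its static SNAT must stay above.
$IPTABLES -A POSTROUTING -t nat -s $dmznet -o $ext_if -j SNAT --to-source $IP_POOL

# Hiding of internal net (many-to-one-NAT) -- catch-all, therefore last
$IPTABLES -t nat -A POSTROUTING -o $ext_if -j SNAT --to $ext_ip

# Redirect nat (here: transparent http to squid on local machine)
$IPTABLES -A PREROUTING -t nat -i $int_if -d ! $localnet -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# Load balancing
# Basic load balancing by redirecting www requests to any of several local www servers
# (a hostname in -d is resolved once, when the rule is loaded)
#virtual_www=www.koefoed.to
#www_range=192.168.244.200-192.168.244.205
#$IPTABLES -A PREROUTING -t nat -i $ext_if -d $virtual_www -p tcp --dport 80 -j DNAT --to-dest $www_range

#test
#$IPTABLES -A POSTROUTING -t nat -s 192.168.222.10 -o $ext_if -j SNAT --to-source 192.168.1.205
#$IPTABLES -A PREROUTING -t nat -i $ext_if -d 192.168.1.205 -j DNAT --to-dest 192.168.222.10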

###########################################################################################
## Quality of Service   (A poor man's version)
###########################################################################################

# Server-to-client packets of interactive protocols (matched on source
# port) get Minimize-Delay in the TOS byte, presumably for a TOS-aware
# queueing discipline.  Mangle only -- nothing is filtered here.
for svc in telnet ftp ssh; do
	$IPTABLES -A PREROUTING -t mangle -p tcp --sport $svc -j TOS --set-tos Minimize-Delay
done


############################################################################################
############################################################################################
############################################################################################
# clean exit:
exit 0