RE: [SIKKERHED] Iptables - firewall (inspirations-scripts)
Hej Jesper.
Jeg har her de sidste par dage strikket et lille fw-script sammen som er
baseret på 2.4/iptables og 3 interfaces. Jeg ved ikke om du kan bruge det
direkte, men om ikke andet er der i hvert fald mulighed for at hente inspiration.
Jeg har faktisk selv testet alle regler/NAT, men er gået lidt i stå, da jeg
mangler et krydset kabel (og alle forretninger har lukket).
Der er bl.a. vist NAT for en transparent proxy - det mener jeg du tidligere
har spurgt om.
Mvh Jeppe
-----Original Message-----
From: Jesper Hegaard [mailto:jesper.hegaard@brovandeskolen.dk].sslug.dk
Sent: 5. juni 2001 12:06
To: sslug-sikkerhed@sslug.dk
Subject: [SIKKERHED] Iptables - firewall (inspirations-scripts)
I forbindelse med opsætning af firewall (kernel 2.4 - iptables) efterlyser
jeg "inspirations-scripts" eller links til howto's m.m.
Fw-boxen skal kun køre fw (evt. DHCP) og kun tillade indgående HTTP.
Udgående skal foreløbig tillades alt fra fast/DHCP ip-adresser.
Jeg råder over ca. 100 ip-adresser, jeg fortsat gerne vil bruge. Men i
forbindelse med Iptables, vil NAT/Masquerading måske være at foretrække.
Mvh
Jesper Hegaard
Brovandeskolen i Skagen
################################################################################################
### 05/06-2001 Jeppe Koefoed ###
### jeppe@koefoed.to ###
### ###
### Revision history ###
### Version 0.3: Added DMZ interface, new chain structure ###
### Version 0.2: Added pool nat, redirection, static nat ###
### Version 0.1: Initial script, 2 interfaces, simple masq ###
################################################################################################
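# For debugging:
#set -x

# External programs.  An absolute path is used on purpose so the rules are
# never installed through whatever 'iptables' happens to be first in PATH.
IPTABLES=/sbin/iptables

# Dispatch on the first argument.
#   start  : fall through to the policy below (rules, NAT, routing enabled)
#   stop   : flush every table, open the default policies, disable routing
#   unload : flush the filter table but leave NAT and routing in place (dangerous)
#   status : list the filter table
#   nat    : list the NAT table
case "$1" in
start)
# Just fall through..... (no exit)
;;
stop)
# Clear filter entries
$IPTABLES -F
# Clear chains
$IPTABLES -X
# Clear NAT entries
$IPTABLES -t nat -F
# Clear chains
$IPTABLES -t nat -X
# Clear mangle entries
$IPTABLES -t mangle -F
# Set default chain policies (wide open: the box itself is unprotected after
# 'stop', but routing is switched off right below so nothing is forwarded)
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
# Disable routing
echo "0" > /proc/sys/net/ipv4/ip_forward
exit 0
;;
unload)
# Diagnostics go to stderr so they are not mistaken for command output
echo "Warning: You are routing packets WITHOUT a security policy" >&2
# Clear filter entries
$IPTABLES -F
# Clear chains
$IPTABLES -X
# Clear chains (the NAT entries themselves are kept, see usage text)
$IPTABLES -t nat -X
# Set default chain policies
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
exit 0
;;
status)
$IPTABLES -L -n -v --line-numbers
;;
nat)
$IPTABLES -L -n -v --line-numbers -t nat
;;
*)
# Usage goes to stderr; each command is listed exactly once
# (the NAT listing is the 'nat' command, not a second 'status')
echo "Usage: $0 {start|stop|unload|status|nat}" >&2
echo " start : applies rules/nat and enable routing" >&2
echo " stop : removes rules/nat and disable routing" >&2
echo " unload : removes rules, applies nat and enable routing (dangerous)" >&2
echo " status : Shows rules" >&2
echo " nat : Shows NAT" >&2
exit 1
;;
esac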
# This is done when argument 'start' :
#####################################################################
### Site specific
#####################################################################
# Interfaces: external (untrusted side), internal LAN and the DMZ.
ext_if="eth1"
int_if="eth2"
dmz_if="eth0"

# Networks behind the internal and DMZ interfaces.
localnet="192.168.222.0/24"
dmznet="192.168.244.0/24"

# Hosts
# Gateway: the firewall's own address on each of the three interfaces.
ext_ip="192.168.1.2"
int_ip="192.168.222.1"
dmz_ip="192.168.244.1"
# To pick the addresses up from the running interfaces instead:
#ext_ip=$(ifconfig "$ext_if" | grep inet | awk -F: '{print $2}' | awk '{print $1}')
#int_ip=$(ifconfig "$int_if" | grep inet | awk -F: '{print $2}' | awk '{print $1}')
#dmz_ip=$(ifconfig "$dmz_if" | grep inet | awk -F: '{print $2}' | awk '{print $1}')

# Webserver reached through the port-forward in the NAT section.
webserver="192.168.222.1"
# Management client: the only host granted ssh to the firewall by name.
management="192.168.222.10"
# Pool nat (remember to route pool / proxy arp)
IP_POOL="192.168.1.129-192.168.1.254"

### Port definition ###
# Redirection: local port the transparent proxy listens on.
SQUID_PORT="8080"

# Static nat: one-to-one mapping for the terminal server in the DMZ.
terminalserver_int="192.168.244.2"
terminalserver_ext="192.168.1.100"
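#########################################################################
# Kernel (/proc/sys) settings.  Everything from here on runs only for 'start'.
# Setting up forwarding
# NOTE(review): forwarding is switched on here, before the DROP policies and
# the rules further down are installed; consider moving this line to the end
# of the script so no packet is forwarded under the old (or no) ruleset.
echo 1 > /proc/sys/net/ipv4/ip_forward
#Setting up Dynamic address (ppp)
# echo "1" >/proc/sys/net/ipv4/ip_dynaddr
# Setting up anti-ipspoofing (reverse path filtering).
# Writing conf/all/rp_filter alone is not enough on 2.4 and early 2.6
# kernels, where the per-interface flag has to be set as well, so both
# the 'all' entry and every interface entry are written.
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > "$f"
done
# Enable syn-cookies (syn-flooding attacks)
echo "1" >/proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP echo-request to broadcast addresses (Smurf amplifier)
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable ICMP echo-request altogether (see also below for ICMP filtering)
# echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_all
# Disable ICMP redirects
echo "0" >/proc/sys/net/ipv4/conf/all/accept_redirects
# Disable source route
echo "0" >/proc/sys/net/ipv4/conf/all/accept_source_route
# Starting IP Bogus Error Response Protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Log impossible addresses
echo "1" >/proc/sys/net/ipv4/conf/all/log_martians
# Set local port range
echo "50000 60999" >/proc/sys/net/ipv4/ip_local_port_range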
##################################################################################
#### RULES (remember corresponding NAT)
##################################################################################
## Insert connection-tracking modules (not needed if built into kernel).
# insmod ip_conntrack
# insmod ip_conntrack_ftp
###
### Policy:
###
# Default policies first (fail closed): packets arriving while the tables
# are flushed and rebuilt below are dropped rather than forwarded.
for chain in FORWARD INPUT OUTPUT; do
$IPTABLES -P "$chain" DROP
done
# Flush rules and user-defined chains of the filter and nat tables,
# then the mangle rules (no user chains are created in mangle).
for table in filter nat; do
$IPTABLES -t "$table" -F
$IPTABLES -t "$table" -X
done
$IPTABLES -t mangle -F
### Anti-ip-spoofing
# Chain 'spoof' receives FORWARD traffic whose source address cannot be
# legitimate on the interface it arrived on (or is about to leave on).
# NB: "-s ! net" is the old intrapositioned negation; current iptables
# prefers "! -s net" and warns about this form.
$IPTABLES -N spoof
# Private side: only the local/DMZ net may appear as source on its own interface
$IPTABLES -A FORWARD -i $int_if -s ! $localnet -j spoof
$IPTABLES -A FORWARD -i $dmz_if -s ! $dmznet -j spoof
# External side: our own nets must never come in from the outside
$IPTABLES -A FORWARD -i $ext_if -s $localnet -j spoof
$IPTABLES -A FORWARD -i $ext_if -s $dmznet -j spoof
# Loopback and RFC 1918 space, inbound and then outbound on the external
# interface (192.168.0.0/16 is left out, presumably because ext_ip lies in it)
for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12; do
$IPTABLES -A FORWARD -i $ext_if -s $net -j spoof
done
#$IPTABLES -A FORWARD -i $ext_if -s 192.168.0.0/16 -j spoof
for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12; do
$IPTABLES -A FORWARD -o $ext_if -s $net -j spoof
done
#$IPTABLES -A FORWARD -o $ext_if -s 192.168.0.0/16 -j spoof
# Allow dhcp (broadcast from the inside, source is not yet in $localnet)
$IPTABLES -A spoof -i $int_if -d 255.255.255.255 -j ACCEPT
# Everything else in the chain is logged (rate limited) and dropped
$IPTABLES -A spoof -m limit --limit 5/minute -j LOG --log-prefix "Spoofing:"
$IPTABLES -A spoof -j DROP
###
### General ICMP
# Chain 'icmp_allowed': the few ICMP types accepted as NEW connections;
# all other ICMP is dropped at the end of the chain.
$IPTABLES -N icmp_allowed
for icmp_type in echo-request source-quench time-exceeded destination-unreachable; do
$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type $icmp_type -j ACCEPT
done
# Don't allow other icmp (or comment out and add specific icmp-rule at each chain)
$IPTABLES -A icmp_allowed -j DROP
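###
#################################################################################################
### Rules starts here
###
# Chain layout:
#   FORWARD      -> spoof / icmp_allowed, then one <src>_<dst> chain per direction
#   <src>_<dst>  -> accept_<src> (ACCEPT, logged for ext) or falls through to cleanup
#   INPUT/OUTPUT -> accept_fw for traffic to/from the firewall itself, rest to cleanup
# First, make fw statefull:
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop what conntrack cannot classify.  Uses $IPTABLES like every other rule;
# a bare 'iptables' would run whatever binary is first in PATH.
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state INVALID -j DROP
# General ICMP
$IPTABLES -A FORWARD -p icmp -j icmp_allowed
$IPTABLES -A INPUT -p icmp -j icmp_allowed
$IPTABLES -A OUTPUT -p icmp -j icmp_allowed
# Create chains ...
$IPTABLES -N int_ext
$IPTABLES -N int_dmz
$IPTABLES -N ext_int
$IPTABLES -N ext_dmz
$IPTABLES -N dmz_ext
$IPTABLES -N dmz_int
$IPTABLES -N accept_dmz
$IPTABLES -N accept_int
$IPTABLES -N accept_ext
$IPTABLES -N accept_fw
$IPTABLES -N cleanup
### Rules from inside
# Allow everything from inside to internet (ext)
$IPTABLES -A int_ext -m state --state NEW -j accept_int
# Allow everything from inside to dmz
$IPTABLES -A int_dmz -m state --state NEW -j accept_int
###
### Rules from dmz
# Allow everything from dmz to internet (ext)
$IPTABLES -A dmz_ext -m state --state NEW -j accept_dmz
# Allow everything from dmz to inside
$IPTABLES -A dmz_int -m state --state NEW -j accept_dmz
###
### Rules from internet (ext)
# Reject ident (speeds up sending mail)
$IPTABLES -A ext_int -m state --state NEW -p tcp --dport 113 -j REJECT --reject-with tcp-reset
$IPTABLES -A ext_dmz -m state --state NEW -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Nothing else is accepted from the outside here: the ext_int/ext_dmz chains
# fall through to the cleanup rule.  A port-forward in the NAT section needs
# a matching ACCEPT in one of these chains to actually pass traffic.
###
### Acceptrules:
# No logging from inside:
$IPTABLES -A accept_int -j ACCEPT
# No logging from dmz:
$IPTABLES -A accept_dmz -j ACCEPT
# Log from outside.  No chain jumps to accept_ext at present; if one is
# added, put a '-m limit' on this LOG rule so accepted traffic cannot
# flood the log.
$IPTABLES -A accept_ext -j LOG --log-prefix "Accepted packet on $ext_if:"
$IPTABLES -A accept_ext -j ACCEPT
# Log against FW
#$IPTABLES -A accept_fw -j LOG --log-prefix "Accepted packet on"
$IPTABLES -A accept_fw -j ACCEPT
###
### Cleanup rule (not specified, not allowed)
# Reject ident (speeds up sending mail)
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Dolby rule:
$IPTABLES -A INPUT -m state --state NEW -p udp --dport 138 -j DROP
$IPTABLES -A cleanup -m limit --limit 5/minute -j LOG --log-prefix "Cleanup-rule:"
$IPTABLES -A cleanup -j DROP
###
### Allow some connections to FW
# Loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
# Allow management from inside
$IPTABLES -A INPUT -m state --state NEW -i $int_if -s $management -p tcp --dport ssh -j accept_fw
# Allow everything from inside - not recommended (makes the management rule above redundant)
$IPTABLES -A INPUT -m state --state NEW -i $int_if -s $localnet -j accept_fw
# Allow dhcp from inside.  Only the client->server exchange is let in
# (client port 68 to server port 67); DHCP discovers come from 0.0.0.0 and
# therefore never match the $localnet rule above.  Matching on the interface
# alone would accept any NEW connection from $int_if regardless of source.
$IPTABLES -A INPUT -m state --state NEW -i $int_if -p udp --sport 68 --dport 67 -j accept_fw
# Allow everything from dmz - not recommended
$IPTABLES -A INPUT -m state --state NEW -i $dmz_if -s $dmznet -j accept_fw
## From internet - not recommended
# Allow ssh from outside
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport ssh -j accept_fw
# Allow mail from outside
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j accept_fw
## Allow www from outside
#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j accept_fw
# Allow ftp from outside
#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j accept_fw
##
# ..the rest goes to cleanup
$IPTABLES -A INPUT -j cleanup
###
###
# Allow all connections from FW
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -j cleanup
###
## Jump to that chain from FORWARD chains.
$IPTABLES -A FORWARD -s $localnet -d $dmznet -j int_dmz
$IPTABLES -A FORWARD -s $localnet -d ! $dmznet -j int_ext
$IPTABLES -A FORWARD -s $dmznet -d $localnet -j dmz_int
$IPTABLES -A FORWARD -s $dmznet -d ! $localnet -j dmz_ext
$IPTABLES -A FORWARD -s ! $dmznet -d $localnet -j ext_int
$IPTABLES -A FORWARD -s ! $localnet -d $dmznet -j ext_dmz
$IPTABLES -A FORWARD -j cleanup
###
### Rules end here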
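###########################################################################################
###########################################################################################
## Address translation (NAT) (remember corresponding rule)
###########################################################################################
# POSTROUTING is first-match: the specific one-to-one and pool SNAT rules
# must be appended before the many-to-one catch-all, otherwise the catch-all
# rewrites every packet leaving $ext_if and the rules after it never match.
# Static nat (one-to-one-NAT) (NAT before rules)
$IPTABLES -A PREROUTING -t nat -d $terminalserver_ext -j DNAT --to-destination $terminalserver_int
# Only rewrite the source when the packet actually leaves on the external
# interface; without -o the terminal server's DMZ<->LAN traffic would be
# SNATed to the external address as well.
$IPTABLES -A POSTROUTING -t nat -s $terminalserver_int -o $ext_if -j SNAT --to-source $terminalserver_ext
# Pool nat (one-to-one-NAT)
$IPTABLES -A POSTROUTING -t nat -s $dmznet -o $ext_if -j SNAT --to-source $IP_POOL
# Hiding of internal net (many-to-one-NAT) -- catch-all, keep it last in POSTROUTING
$IPTABLES -t nat -A POSTROUTING -o $ext_if -j SNAT --to $ext_ip
# Static portforwarding : External to internal
# Internal Webserver
# NOTE(review): $webserver is the same address as $int_ip (the firewall
# itself) while the INPUT rule for port 80 is commented out in the rules
# section -- confirm which host is meant to serve www.
$IPTABLES -A PREROUTING -t nat -p tcp -d $ext_ip --dport 80 -j DNAT --to $webserver:80
# A range
#$IPTABLES -A PREROUTING -t nat -p tcp -d $ext_ip --dport 2000:3000 -j DNAT --to $webserver:2000-3000
# Redirect nat (here: transparent http to squid on local machine)
$IPTABLES -A PREROUTING -t nat -i $int_if -d ! $localnet -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# Load balancing
# Basic load balancing by redirecting www requests to any of several local www servers
#virtual_www=www.koefoed.to
#www_range=192.168.244.200-192.168.244.205
#$IPTABLES -A PREROUTING -t nat -i $ext_if -d $virtual_www -p tcp --dport 80 -j DNAT --to-dest $www_range
#test
#$IPTABLES -A POSTROUTING -t nat -s 192.168.222.10 -o $ext_if -j SNAT --to-source 192.168.1.205
#$IPTABLES -A PREROUTING -t nat -i $ext_if -d 192.168.1.205 -j DNAT --to-dest 192.168.222.10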
###########################################################################################
## Quality of Service (A poor man's version)
###########################################################################################
# Mark replies from interactive services so they are queued ahead of bulk traffic
for svc in telnet ftp ssh; do
$IPTABLES -A PREROUTING -t mangle -p tcp --sport $svc -j TOS --set-tos Minimize-Delay
done
############################################################################################
############################################################################################
############################################################################################
# clean exit:
exit 0