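#!/bin/sh
#
# Local Copy
# --------------------------
# http://www.Linux-Sec.net/Firewall/Scripts/rc.iptable.zelow.ppp.txt
#
#
# Original File
# -------------
# http://www.zelow.no/floppyfw/download/contrib/Omar_Herrera/firewall.ini
#
#
# Firewall setup.
#
# This is a conversion of the ipchains/ipmasqadm based firewall.ini
# from the 1.x series of floppyfw, it's pretty simple and the
# corresponding ipchains rules are kept for references.
#
# Setting up iptables
#
# Rules tuning by Omar Herrera (jan 2003)
# ** LAST UPDATE: August 2nd 2003
#
# Reads:   /etc/config, /etc/outside.info, /etc/inside.info (sourced; they
#          provide the INSIDE_* / OUTSIDE_* variables used below)
# Writes:  /proc/sys/net/ipv4/* tunables, the iptables filter/nat/mangle
#          tables, and a rule dump in /etc/firewall.rules
# Policy:  INPUT, OUTPUT and FORWARD default to DROP. Forwarding is switched
#          off while the rule set is rebuilt and only re-enabled at the end,
#          so a failure half-way through leaves the box closed, not open.

. /etc/config

#
# Do you want to do port forwarding to an internal server?
# Set the server IP here and sort out the port stuff later in this file.
#
# SERVER_IP=

# Define the default outgoing device (ppp0 for dialup and PPPoE).
# A value already set by /etc/config (or the caller's environment) wins
# over the built-in default, so the untrusted interface is configurable
# without editing this file.
PPPOE_DEVICE="${PPPOE_DEVICE:-ppp0}"

#
# Stopping forwarding (this script may be run during normal uptime because
# of re-lease of DHCP or demand dialing / PPPoE).
echo "0" > /proc/sys/net/ipv4/ip_forward

# Modifies default TTL for sending packets in some cases (some obfuscation...)
echo "230" > /proc/sys/net/ipv4/ip_default_ttl

# Disables response to broadcasts (also helps against smurf amplification;
# this is the single place it is set).
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Stop source routed packets by default.
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable bad error message protection.
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#
# Overriding the /etc/config and adding additional information.
#
. /etc/outside.info
. /etc/inside.info

#
# Brad suggested this:
# And he suggested to check and maybe change the formatting.
# We'll do that later.
#
echo "Starting firewall with the following config:"
echo
printf '%-12s %-20s %s\n' ""            "Inside"                "Outside"
printf '%-12s %-20s %s\n' "Network:"    "${INSIDE_NETWORK}"     "${OUTSIDE_NETWORK}"
printf '%-12s %-20s %s\n' "Device:"     "${INSIDE_DEVICE}"      "${OUTSIDE_DEVICE}"
printf '%-12s %-20s %s\n' "IP Address:" "${INSIDE_IP}"          "${OUTSIDE_IP}"
printf '%-12s %-20s %s\n' "Netmask:"    "${INSIDE_NETMASK}"     "${OUTSIDE_NETMASK}"
printf '%-12s %-20s %s\n' "Broadcast:"  "${INSIDE_BROADCAST}"   "${OUTSIDE_BROADCAST}"
printf '%-12s %-20s %s\n' "Gateway:"    "[None Set]"            "${OUTSIDE_GATEWAY}"
echo
sleep 5

#
# Flushing the chains.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
# or:
# for i in $(cat /proc/net/ip_tables_names); do iptables -F -t "$i"; done
iptables -X
iptables -Z        # zero all counters

#
# Policy for chains: DROP everything
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# LOG Chains
iptables -N blockLOG
iptables -N ackLOG
iptables -N rejecticmpLOG
iptables -N rejecttcpLOG

# LOG RULES
# Every logging chain is rate limited (1/min, burst 10) so a flood cannot
# fill the log; packets above the limit still hit the final verdict.

#...log dropped packets related to suspicious connections
iptables -A blockLOG -m limit --limit 1/m --limit-burst 10 -j LOG \
  --log-prefix "NETFILTER DROP [-]: " --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A blockLOG -j DROP

# log allowed but suspicious packets
iptables -A ackLOG -m limit --limit 1/m --limit-burst 10 -j LOG \
  --log-prefix "NETFILTER ACCEPT [+]: " --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A ackLOG -j ACCEPT

#...log rejected packets with icmp
iptables -A rejecticmpLOG -m limit --limit 1/m --limit-burst 10 -j LOG \
  --log-prefix "NETFILTER REJECT [-]: " --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A rejecticmpLOG -j REJECT --reject-with icmp-host-unreachable

#...log rejected inetd packets with TCP reject
# (only identd/113 gets the RST; anything else sent here falls back to the
# calling chain, which is fine because the only callers match --dport 113)
iptables -A rejecttcpLOG -m limit --limit 1/m --limit-burst 10 -j LOG \
  --log-prefix "NETFILTER REJECT [-]: " --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A rejecttcpLOG -p TCP --dport 113 -j REJECT --reject-with tcp-reset

#
# --- PREROUTING
#
# Set TOS for certain types of traffic to increase performance
iptables -t mangle -A PREROUTING -p tcp --sport ssh      -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --sport ftp      -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --sport http     -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --sport https    -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput
#
# --- PREROUTING
#

#
# --- POSTROUTING
#
# WORKAROUND fix problem caused by braindead ISP blocking all ICMP messages,
# including frag needed
iptables -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Good old masquerading.
iptables -t nat -A POSTROUTING -o "${PPPOE_DEVICE}" -j MASQUERADE
#
# --- POSTROUTING
#

#
# Forwarding outside ports to an internal server.
# This used to be the ipchains / ipmasqadm portfw command.
#
# SSH:
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 22 -j DNAT --to ${SERVER_IP}:22
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 22 -o ${INSIDE_DEVICE} -j ACCEPT

# Web:
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${SERVER_IP}:80
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 80 -o ${INSIDE_DEVICE} -j ACCEPT
# This rule helps the "I can't reach my web server from the inside" problem.
#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 80 -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -j SNAT --to ${OUTSIDE_IP}

# FTP:
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 21 -j DNAT --to ${SERVER_IP}:21
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 21 -o ${INSIDE_DEVICE} -j ACCEPT

# SMTP (Internal mail server):
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 25 -j DNAT --to ${SERVER_IP}:25
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 25 -o ${INSIDE_DEVICE} -j ACCEPT
# This rule helps the "I can't reach my server from the inside" problem.
#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 25 -s ${INSIDE_NETWORK} -j SNAT --to ${OUTSIDE_IP}

#
# --- FORWARD (traffic from/to trusted/untrusted networks)
#
# EXCEPTION - avoid state bypassing (i.e. new ack packets get treated as
# established; behaviour remains in netfilter/iptables as of ver. 1.2.7)
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j blockLOG

# EXCEPTION - Drop all reserved network addresses that should not come from
# the external interface
# (Comment the range used legitimately by your ISP !!!)
iptables -A FORWARD -s 192.168.0.0/16 -i "${PPPOE_DEVICE}" -j blockLOG
iptables -A FORWARD -s 127.0.0.0/8    -i "${PPPOE_DEVICE}" -j blockLOG
iptables -A FORWARD -s 172.16.0.0/12  -i "${PPPOE_DEVICE}" -j blockLOG
iptables -A FORWARD -s 10.0.0.0/8     -i "${PPPOE_DEVICE}" -j blockLOG

# EXCEPTION - Drop all reserved network addresses that should not be targeted
# from the external interface
# (Comment the range used legitimately by your INTERNAL NETWORK !!!)
# The 192.168.0.0/16 line is left commented out, as in the original, because
# that is the usual internal range; enable it if your LAN lives elsewhere.
#iptables -A FORWARD -d 192.168.0.0/16 -i "${PPPOE_DEVICE}" -j blockLOG
iptables -A FORWARD -d 127.0.0.0/8    -i "${PPPOE_DEVICE}" -j blockLOG
iptables -A FORWARD -d 172.16.0.0/12  -i "${PPPOE_DEVICE}" -j blockLOG
iptables -A FORWARD -d 10.0.0.0/8     -i "${PPPOE_DEVICE}" -j blockLOG

# EXCEPTION - REJECT all connections with TTL enough to reach FW and not
# servers on the trusted network (limit firewalk attacks by making the
# firewall and the protected servers one in terms of TTL)
# Note: might require some tuning, but a value between 3 and 5 is usually fine
iptables -A FORWARD -m ttl --ttl-lt 5 -i "${PPPOE_DEVICE}" -j rejecticmpLOG

# EXCEPTION RST all connections to identd to avoid lags in FTP and SMTP
iptables -A FORWARD -p TCP --dport 113 -i "${PPPOE_DEVICE}" -j rejecttcpLOG

# EXCEPTION just log all connections started from the outside (if we don't
# put this here, these packets will be dropped without logging)
iptables -A FORWARD -m state --state NEW -i "${PPPOE_DEVICE}" -j blockLOG

# forward everything new from trusted network to anywhere
iptables -A FORWARD -m state --state NEW -i "${INSIDE_DEVICE}" -j ACCEPT

# forward all established and related to previous connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# forward invalid packets from trusted network but log them
iptables -A FORWARD -m state --state INVALID -i "${INSIDE_DEVICE}" -j ackLOG
#
# IPTABLES -A FORWARD -j DROP (DEFAULT RULE APPLIED BY TABLE POLICY)
#
# --- FORWARD
#

#
# --- INPUT (input accepted by FW device)
#
# Loopback has to be allowed explicitly: with a DROP policy and no lo rule,
# anything the box sends to itself (resolver, syslog, local daemons bound to
# 127.0.0.1) is silently discarded.
iptables -A INPUT -i lo -j ACCEPT

# EXCEPTION - avoid state bypassing (i.e. new ack packets get treated as
# established; behaviour remains in netfilter/iptables as of ver. 1.2.7)
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j blockLOG

# EXCEPTION - Drop invalid and new connections initiated by the untrusted
# network (only trusted network might initiate connections; exceptions to
# this rule are defined above in server rules section)
iptables -A INPUT -m state --state NEW,INVALID -i "${PPPOE_DEVICE}" -j blockLOG

# EXCEPTION - REJECT all connections with TTL enough to reach FW and not
# servers on the trusted network (limit firewalk attacks by making the
# firewall and the protected servers one in terms of TTL); requires tuning
# according to network
iptables -A INPUT -m ttl --ttl-lt 5 -i "${PPPOE_DEVICE}" -j rejecticmpLOG

# EXCEPTION RST all connections to identd to avoid lags in FTP and SMTP
iptables -A INPUT -p TCP --dport 113 -i "${PPPOE_DEVICE}" -j rejecttcpLOG

# accept all traffic from trusted network (for DHCP and all that)
iptables -A INPUT -i "${INSIDE_DEVICE}" -j ACCEPT

# accept only input that is established or related from untrusted networks -
# DHCP and troubleshooting
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i "${PPPOE_DEVICE}" -j ACCEPT

# accept all ICMP from (un)trusted networks (we will egress filter unwanted
# replies at OUTPUT chain later)
iptables -A INPUT -p icmp -j ACCEPT
#
# IPTABLES -A INPUT -j DROP (DEFAULT RULE APPLIED BY TABLE POLICY)
#
# --- INPUT
#

#
# --- OUTPUT
#
# Loopback, same reason as in INPUT.
iptables -A OUTPUT -o lo -j ACCEPT

# EXCEPTION egress filter all dangerous and unnecessary replies to untrusted
# network (for security reasons)
iptables -A OUTPUT -p icmp --icmp-type time-exceeded      -o "${PPPOE_DEVICE}" -j blockLOG
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply    -o "${PPPOE_DEVICE}" -j blockLOG
iptables -A OUTPUT -p icmp --icmp-type address-mask-reply -o "${PPPOE_DEVICE}" -j blockLOG
iptables -A OUTPUT -p icmp --icmp-type echo-reply         -o "${PPPOE_DEVICE}" -j blockLOG

# accept new, established and related output to untrusted network - DHCP and
# troubleshooting
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -o "${PPPOE_DEVICE}" -j ACCEPT

# full output to trusted network
iptables -A OUTPUT -o "${INSIDE_DEVICE}" -j ACCEPT
#
# IPTABLES -A OUTPUT -j DROP (DEFAULT RULE APPLIED BY TABLE POLICY)
#
# --- OUTPUT
#

# Finally, list what we have
#iptables -L
# If broken DNS: iptables -L -n
iptables -L -n -v > /etc/firewall.rules
echo "Look at /etc/firewall.rules for details on FW configuration."

# This enables dynamic IP address following
echo 7 > /proc/sys/net/ipv4/ip_dynaddr

# (icmp_echo_ignore_broadcasts is already set to 1 near the top of this
# file; the duplicate write that used to live here was dropped.)

# Rules set, we can enable forwarding in the kernel.
echo "Enabling IP forwarding."
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# End of file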