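#!/bin/bash
#####################################################################
# IPTABLES SCRIPT FOR A WORKSTATION WRITTEN BY SL1PM0DE VERSION 1.1 #
#####################################################################
# Copyright (c) 2004 sl1pm0de.
# Permission is granted to copy, distribute and/or modify this document
# under the terms of the GNU Free Documentation License, Version 1.2
# or any later version published by the Free Software Foundation;
# with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
# Texts. A copy of the license can be found at http://www.gnu.org/copyleft/fdl.html.
#
# Usage: firewall {start|stop|status|restart}
#
# Must be run as root: it writes /proc/sys/net/ipv4 tunables, loads kernel
# modules and programs the iptables filter table. Default policy is DROP on
# INPUT/OUTPUT/FORWARD; only the services listed in the configuration
# section below are allowed through.

# Abort on any use of an unset variable. The only optional variable, LOGGING,
# is read through "${LOGGING:-}" so leaving it commented out stays valid.
set -u

# USER CONFIGURATION SECTION

# The iptables command. It is resolved through PATH; give an absolute path
# (e.g. /sbin/iptables) if this script may run with a minimal or untrusted PATH.
IPTABLES=iptables

# Our network address space and device.
OURIP="192.168.1.10"
OURDEV="eth0"

# The outside address.
ANYADDR="0/0"

# The TCP services we wish to pass (service names are resolved via /etc/services;
# iptables multiport accepts at most 15 entries per rule).
#TCPIN=""
TCPOUT="telnet,ftp,ssh,smtp,pop3,http,https,nntp,ircd"

# The UDP services we wish to pass.
UDPIN="domain"
UDPOUT="domain,ntp"

# The ICMP services we wish to allow to pass.
# ICMP settings are not set here. This is a reference that
# should tell what ICMP numbers are used in this firewall.
# ref: /usr/include/netinet/ip_icmp.h for type numbers
#ICMPIN="0,3,11"
#ICMPOUT="3,8,11"

# The hosts that are allowed to access sshd.
#SSHIN=""
#SSHOUT=""

# We will prevent illegal addresses. Warning! If you are using an IP
# address that is on one of these private subnets, make sure that you comment
# out the rule that blocks that subnet, otherwise you will be blocking all
# traffic on your network from coming into your machine.
CLASS_A="10.0.0.0/8"              # Class-A Private (RFC-1918) Networks
CLASS_B="172.16.0.0/12"           # Class-B Private (RFC-1918) Networks
CLASS_C="192.168.0.0/16"          # Class-C Private (RFC-1918) Networks
CLASS_D_MULTICAST="224.0.0.0/4"   # Class-D Multicast Addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # Class-E Reserved Addresses
LOOPBACK_NETWORK="127.0.0.0/8"    # Reserved Loopback Address Range
BROADCAST_SRC="0.0.0.0"           # Broadcast Source Address
BROADCAST_DEST="255.255.255.255"  # Broadcast Destination Address

# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall. LOG rules are rate-limited (see start)
# so a flood of blocked packets cannot fill the system log.
# LOGGING=1

# END USER CONFIGURATION SECTION
#############################################################

# Marker file used by status(); created by start(), removed by stop().
readonly LOCKFILE=/var/lock/subsys/firewall

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $@ - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless running as root; every other function needs it.
#######################################
require_root() {
  (( EUID == 0 )) || die "This script must be run as root"
}

#######################################
# Write one value into one or more /proc/sys files.
# Arguments: $1   - value to write
#            $2.. - file paths (the caller expands any globs)
# Outputs:   a warning on stderr for each path that is missing or not writable;
#            such paths are skipped instead of aborting, because not every
#            kernel exposes every tunable (e.g. ip_dynaddr).
#######################################
write_proc() {
  local value=$1 path
  shift
  for path in "$@"; do
    if [[ -w "$path" ]]; then
      printf '%s\n' "$value" > "$path"
    else
      printf 'warn: cannot write %s, skipped\n' "$path" >&2
    fi
  done
}

#######################################
# Load the netfilter and connection-tracking modules.
# The module names are those used by the original script (ip_conntrack family);
# on kernels where they are built in or named differently a failed modprobe is
# reported but not fatal, since the rules below may still load.
#######################################
load_modules() {
  local mod
  for mod in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc; do
    /sbin/modprobe "$mod" || printf 'warn: modprobe %s failed\n' "$mod" >&2
  done
}

#######################################
# Apply the /proc/sys/net/ipv4 hardening settings. Each tunable is written
# exactly once (the original script repeated accept_source_route and
# accept_redirects).
#######################################
harden_kernel() {
  # Turn off IP Forwarding; this is a workstation, not a router.
  write_proc 0 /proc/sys/net/ipv4/ip_forward
  # Turn off dynamic IP hacking.
  write_proc 0 /proc/sys/net/ipv4/ip_dynaddr
  # Ignore ICMP echo requests sent to broadcast addresses.
  write_proc 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # Disable Source Routed Packets.
  write_proc 0 /proc/sys/net/ipv4/conf/*/accept_source_route
  # Enable TCP SYN Cookie Protection.
  write_proc 1 /proc/sys/net/ipv4/tcp_syncookies
  # Disable ICMP Redirect Acceptance and don't send Redirect Messages.
  write_proc 0 /proc/sys/net/ipv4/conf/*/accept_redirects
  write_proc 0 /proc/sys/net/ipv4/conf/*/send_redirects
  # Drop Spoofed Packets coming in on an interface, which if replied to,
  # would result in the reply going out a different interface.
  write_proc 1 /proc/sys/net/ipv4/conf/*/rp_filter
  # Log packets with impossible addresses.
  write_proc 1 /proc/sys/net/ipv4/conf/*/log_martians
}

#######################################
# Flush every rule in the filter table and delete user-defined chains, so a
# restart never stacks rules on top of a previous run.
#######################################
flush_rules() {
  "$IPTABLES" -F
  "$IPTABLES" -X
}

#######################################
# Bring the firewall up: kernel hardening, DROP policies, spoofing filters,
# the allowed TCP/UDP/ICMP services and optional rate-limited logging.
# Globals:  all configuration variables above (read), LOCKFILE (written)
# Outputs:  progress messages on stdout
# Returns:  status of the last command (touch of the lock file)
#######################################
start() {
  require_root
  echo "Starting Firewall Services"

  load_modules
  harden_kernel
  flush_rules

  # Drop all datagrams destined for this host received from the outside.
  "$IPTABLES" -P INPUT DROP
  # Drop all outgoing datagrams by default.
  "$IPTABLES" -P OUTPUT DROP
  # Drop all routed datagrams by default.
  "$IPTABLES" -P FORWARD DROP

  # Enable loopback input and output.
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

  # SPOOFING
  # We will not accept any datagrams with a source address matching ours
  # from the outside.
  "$IPTABLES" -A INPUT -s "$OURIP" -i "$OURDEV" -d "$OURIP" -j DROP
  # Refuse packets claiming to be from a Class-A private network.
  "$IPTABLES" -A INPUT -i "$OURDEV" -s "$CLASS_A" -j DROP
  # Refuse packets claiming to be from a Class-B private network.
  "$IPTABLES" -A INPUT -i "$OURDEV" -s "$CLASS_B" -j DROP
  # Refuse packets claiming to be from a Class-C private network.
  # (Commented out because OURIP itself is on 192.168.0.0/16; see the warning above.)
  #"$IPTABLES" -A INPUT -i "$OURDEV" -s "$CLASS_C" -j DROP
  # Refuse Class-D Multicast addresses. (Illegal as source address)
  "$IPTABLES" -A INPUT -i "$OURDEV" -s "$CLASS_D_MULTICAST" -j DROP
  # Refuse Class-E reserved IP addresses.
  "$IPTABLES" -A INPUT -i "$OURDEV" -s "$CLASS_E_RESERVED_NET" -j DROP
  # Refuse packets claiming to be from the loopback.
  "$IPTABLES" -A INPUT -i "$OURDEV" -s "$LOOPBACK_NETWORK" -j DROP
  # Refuse malformed broadcast packets.
  "$IPTABLES" -A INPUT -i "$OURDEV" -s "$BROADCAST_SRC" -j DROP
  "$IPTABLES" -A INPUT -i "$OURDEV" -s "$BROADCAST_DEST" -j DROP

  # We need to accept fragments, in iptables we must do this explicitly.
  # NOTE(review): this accepts every non-first fragment unconditionally. With
  # connection tracking loaded the kernel normally reassembles datagrams before
  # the filter table sees them, so the rule matters mainly without conntrack;
  # confirm it is still wanted.
  "$IPTABLES" -A INPUT -f -j ACCEPT

  # TCP - INCOMING CONNECTIONS
  # We will accept TCP SYN requests from the outside world only on the
  # allowed TCP ports.
  #"$IPTABLES" -A INPUT -m multiport -p tcp -i "$OURDEV" -d "$OURIP" --dports "$TCPIN" --syn -j ACCEPT

  # TCP - OUTGOING CONNECTIONS
  # We will accept all outgoing TCP SYN requests on the allowed TCP ports.
  "$IPTABLES" -A OUTPUT -m multiport -p tcp -o "$OURDEV" -s "$OURIP" -d "$ANYADDR" \
    --dports "$TCPOUT" --syn -j ACCEPT

  # TCP
  # We will accept all datagrams belonging to an existing or related connection
  # as seen by connection tracking (state ESTABLISHED,RELATED), in both
  # directions. This should catch more than 95 % of all valid TCP packets.
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # This will help us receive DCC in IRC. This is evil and I strongly recommend not using
  # this since you have to open such a large range. I would stop the firewall shortly to accept
  # a trusted request or use email.
  # "$IPTABLES" -A OUTPUT -p tcp -o "$OURDEV" -s "$OURIP" --syn --dport 1024:65535 -j ACCEPT

  # TCP - SSHD INCOMING CONNECTIONS
  # Allow access to sshd from the allowed hosts.
  #"$IPTABLES" -A INPUT -p tcp -i "$OURDEV" -d "$OURIP" -s "$SSHIN" --dport ssh -j ACCEPT

  # TCP - SSHD OUTGOING CONNECTIONS
  # Allow outgoing connections to sshd on the allowed hosts.
  #"$IPTABLES" -A OUTPUT -p tcp -o "$OURDEV" -s "$OURIP" -d "$SSHOUT" --dport ssh -j ACCEPT

  # UDP - INCOMING
  # We will allow UDP datagrams in on the allowed ports.
  "$IPTABLES" -A INPUT -m multiport -p udp -i "$OURDEV" -d "$OURIP" --dports "$UDPIN" -j ACCEPT

  # UDP - OUTGOING
  # We will allow UDP datagrams out on the allowed ports.
  "$IPTABLES" -A OUTPUT -m multiport -p udp -o "$OURDEV" -s "$OURIP" -d "$ANYADDR" \
    --dports "$UDPOUT" -j ACCEPT

  # UDP for Quake3 (Example for adding gaming support, 27960:27999 specifies
  # a range of ports to open)
  #"$IPTABLES" -A OUTPUT -p udp -o "$OURDEV" -s "$OURIP" -d "$ANYADDR" --dport 27960:27999 -j ACCEPT

  # ICMP - INCOMING
  # We will allow ICMP datagrams in from the allowed types
  # (0 echo-reply, 3 destination-unreachable, 11 time-exceeded).
  local icmp_type
  for icmp_type in 0 3 11; do
    "$IPTABLES" -A INPUT -p icmp -i "$OURDEV" -d "$OURIP" --icmp-type "$icmp_type" -j ACCEPT
  done

  # ICMP - OUTGOING
  # We will allow ICMP datagrams out from the allowed types
  # (3 destination-unreachable, 8 echo-request, 11 time-exceeded).
  for icmp_type in 3 8 11; do
    "$IPTABLES" -A OUTPUT -p icmp -o "$OURDEV" -s "$OURIP" -d "$ANYADDR" --icmp-type "$icmp_type" -j ACCEPT
  done

  # DEFAULT and LOGGING
  # All remaining datagrams fall through to the default policy and will be
  # dropped. They will be logged if you've configured the LOGGING variable
  # above. The limit match keeps a packet flood from filling the log.
  if [[ -n "${LOGGING:-}" ]]; then
    local limit=(-m limit --limit 5/min --limit-burst 10)
    # Log barred TCP
    "$IPTABLES" -A INPUT -p tcp "${limit[@]}" -j LOG --log-prefix "Filtered Incoming TCP: "
    "$IPTABLES" -A OUTPUT -p tcp "${limit[@]}" -j LOG --log-prefix "Filtered Outgoing TCP: "
    # Log barred UDP
    "$IPTABLES" -A INPUT -p udp "${limit[@]}" -j LOG --log-prefix "Filtered Incoming UDP: "
    "$IPTABLES" -A OUTPUT -p udp "${limit[@]}" -j LOG --log-prefix "Filtered Outgoing UDP: "
    # Log barred ICMP
    "$IPTABLES" -A INPUT -p icmp "${limit[@]}" -j LOG --log-prefix "Filtered Incoming ICMP: "
    "$IPTABLES" -A OUTPUT -p icmp "${limit[@]}" -j LOG --log-prefix "Filtered Outgoing ICMP: "
  fi

  echo "Firewall started and configured"
  touch "$LOCKFILE"
}

#######################################
# Report whether the firewall was started, judged only by the lock file
# (the live rule set is not inspected).
# Outputs: one status line on stdout
#######################################
status() {
  if [[ -f "$LOCKFILE" ]]; then
    echo "Firewall started and configured"
  else
    echo "Firewall stopped"
  fi
}

#######################################
# Tear the firewall down: flush all rules and set every policy to ACCEPT.
# Note that this leaves the host fully open until start() is run again.
# Globals: LOCKFILE (removed)
#######################################
stop() {
  require_root
  echo "Shutting down Firewall Services"
  flush_rules
  # Accept all datagrams destined for this host received from the outside.
  "$IPTABLES" -P INPUT ACCEPT
  # Accept all outgoing datagrams by default.
  "$IPTABLES" -P OUTPUT ACCEPT
  # Accept all routed datagrams by default.
  "$IPTABLES" -P FORWARD ACCEPT
  rm -f -- "$LOCKFILE"
}

#######################################
# stop then start.
#######################################
restart() {
  stop
  start
}

#######################################
# Print usage on stderr and exit with status 1.
#######################################
usage() {
  printf '%s\n' $"Usage: $0 {start|stop|status|restart}" >&2
  exit 1
}

# Dispatch on the first argument; "${1:-}" keeps set -u happy when none is given.
case "${1:-}" in
  start) start ;;
  stop) stop ;;
  status) status ;;
  restart) restart ;;
  *) usage ;;
esac
exit $?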