btfans
06-08-2004, 12:44 AM
I just create a firewall to be called from /etc/rc.d/rc.local
it failed complainting no such file or directory.
I manually run it and use "sh -n firewall" it show syntax problem in the first for loop, can anyone show me what error and how to correct?
#! /bin/sh
#
# Original Script Reference
# http://www.sns.ias.edu/~jns/security/iptables/rules.html
# http://www.study-area.org/linux/servers/linux_nat.htm
#
# Modified by - Matthew Chin
# Date - 2004/06/05
# Version - 1.0
#
# Redistribution of this file is permitted under the terms of
# the GNU General Public License (GPL).
#
#
# --------------- Start of Script ---------------
#
# --------------- Some definitions ---------------
echo "Set up definitions..."
IFACE="eth0"
IPADDR="192.168.1.5"
BROADCAST="192.168.1.255"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/4"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
TR_TCP_PORTS="20 21 22 23 25 53 80 110 113 139 143 220 443 445 465 515 631 783 993 995 000 3306 6000 10000 10001"
TR_UDP_PORTS="53 137 138 445"
# --------------- Allow TCP, UDP port deswcription ---------------
# 20 - ftp data
# 21 - ftp control
# 22 - SSH
# 23 - Telnet
# 25 - SMTP
# 53 - DNS
# 80 - WWW
# 110 - POP3
# 113 - auth
# 137 - samba
# 138 - samba
# 139 - samba
# 143 - ?
# 220 - ?
# 443 - https
# 445 - samba
# 465 - ?
# 515 - printer
# 631 - ipp (CUPS)
# 783 - hp-alarm-mgr
# 993 - ?
# 995 - ?
# 3000 - palantir - webcam
# 3306 - mysql
# 6000 - X11
# 10000 - webmin
# 10001 - router remote
#
# --------------- Load appropriate modules ---------------
echo "Loading modules..."
#
for file in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_*.o
do
module=$(basename $file)
/sbin/modprobe ${module%.*} &>/dev/null
done
for file in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_*.o
do
module=$(basename $file)
/sbin/modprobe ${module%.*} &>/dev/null
done
#
# --------------- ip forwarding ---------------
echo "Turning on IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# --------------- anti spoofing etc ---------------
echo "Turning on anti-spoofing..."
for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $file
done
#
# Disable response to ping.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
#
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo "0" > ${interface}
done
#
# Enable bad error message protection.
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#
# Log spoofed packets, source routed packets, redirect packets.
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
#
# ---------- Remove all rules ----------
echo "Cleaning up..."
iptables -F
iptables -X
iptables -Z
#
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
#
# ------------- Policies -------------
echo "Setting up policies to ACCEPT..."
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
#
# --------------- Rules ---------------
echo "Creating rules ..."
# Allow unlimited traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#
# SYN-FLOODING PROTECTION
# This rule maximises the rate of incoming connections. In order to do this we divert tcp
# packets with the SYN bit set off to a user-defined chain. Up to limit-burst connections
# can arrive in 1/limit seconds ..... in this case 4 connections in one second. After this, one
# of the burst is regained every second and connections are allowed again. The default limit
# is 3/hour. The default limit burst is 5.
#
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
#
# Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
#
#
# Refuse spoofed packets pretending to be from your IP address.
iptables -A INPUT -i $IFACE -s $IPADDR -j DROP
# Refuse packets claiming to be from a Class A private network.
iptables -A INPUT -i $IFACE -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network.
iptables -A INPUT -i $IFACE -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network.
# iptables -A INPUT -i $IFACE -s $CLASS_C -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
iptables -A INPUT -i $IFACE -s $CLASS_D_MULTICAST -j DROP
# Refuse Class E reserved IP addresses.
iptables -A INPUT -i $IFACE -s $CLASS_E_RESERVED_NET -j DROP
# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
iptables -A INPUT -i $IFACE -d $LOOPBACK -j DROP
# Refuse broadcast address packets.
iptables -A INPUT -i $IFACE -d $BROADCAST -j DROP
#
# --------------- ICMP ---------------
echo "Creating ICMP chain...."
# We prefilter icmp by pulling it off to user-dfined chains so that we can restrict which
# types are allowed from the beginning rather than leaving it to the connection tracking.
# For instance, we don't want redirects whatever happens.
# In case you hadn't realised, ICMP scares me ...................
#
# 0: echo reply (pong)
# 3: destination-unreachable (port-unreachable, fragmentation-needed etc).
# 4: source quench
# 5: redirect
# 8: echo request (ping)
# 9: router advertisement
# 10: router solicitation
# 11: time-exceeded
# 12: parameter-problem
# 13: timestamp request
# 14: timestamp reply
# 15: information request
# 16: information reply
# 17: address mask request
# 18: address mask reply
#
iptables -N icmp-in
iptables -N icmp-out
#
iptables -A INPUT -i $IFACE -p icmp -j icmp-in
iptables -A OUTPUT -o $IFACE -p icmp -j icmp-out
#
# Accept 0,3,4,11,12,14,16,18 in.
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 0 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 3 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 4 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 11 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 12 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 14 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 16 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 18 -s 0/0 -d $IPADDR -j RETURN
# Allow 4,8,12,13,15,17 out.
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 4 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 8 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 12 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 13 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 15 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 17 -s $IPADDR -d 0/0 -j RETURN
#
# Any ICMP not already allowed is logged and then dropped.
iptables -A icmp-in -i $IFACE -j LOG --log-prefix "IPTABLES ICMP-BAD-TYPE-IN: "
iptables -A icmp-in -i $IFACE -j DROP
iptables -A icmp-out -o $IFACE -j LOG --log-prefix "IPTABLES ICMP-BAD-TYPE-OUT: "
iptables -A icmp-out -o $IFACE -j DROP
#
# Now we have returned from the icmp-in chain allowing only certain types
# of icmp inbound, we can accept it if it is related to other connections
# (e.g a time exceed from a traceroute) or part of an established one
# (e.g. an echo reply)
iptables -A INPUT -i $IFACE -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Now we have returned from the icmp-out chain allowing only certain types
# of icmp outbound, we can just accept it under all circumstances.
iptables -A OUTPUT -o $IFACE -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# --------------- services ---------------
echo "Creating services chain...."
iptables -N services
for PORT in $TR_TCP_PORTS; do
iptables -A services -i $IFACE -p tcp --dport $PORT -j ACCEPT
done
for PORT in $TR_UDP_PORTS; do
iptables -A services -i $IFACE -p udp --dport $PORT -j ACCEPT
done
#
# ------------- block -------------
echo "Creating block chain..."
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! $IFACE -j ACCEPT
iptables -A block -j DROP
#
# ------------- filter -------------
echo "Filtering packets..."
#
iptables -A INPUT -j services
iptables -A INPUT -j block
iptables -A FORWARD -j block
#
# FTP
echo "FTP control..."
# Allow ftp outbound.
iptables -A INPUT -i $IFACE -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Now for the connection tracking part of ftp. This is discussed more completely in my section
# on connection tracking to be found here.
# 1) Active ftp.
# This involves a connection INbound from port 20 on the remote machine, to a local port
# passed over the ftp channel via a PORT command. The ip_conntrack_ftp module recognizes
# the connection as RELATED to the original outgoing connection to port 21 so we don't
# need NEW as a state match.
iptables -A INPUT -i $IFACE -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
#
# 2) Passive ftp.
# This involves a connection outbound from a port >1023 on the local machine, to a port >1023
# on the remote machine previously passed over the ftp channel via a PORT command. The
# ip_conntrack_ftp module recognizes the connection as RELATED to the original outgoing
# connection to port 21 so we don't need NEW as a state match.
iptables -A INPUT -i $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
-m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#
# TRACEROUTE
echo "TRACEROUTE control..."
# Outgoing traceroute anywhere.
# The reply to a traceroute is an icmp time-exceeded which is dealt with by the next rule.
iptables -A OUTPUT -o $IFACE -p udp --sport $TR_SRC_PORTS --dport $TR_DEST_PORTS \
-m state --state NEW -j ACCEPT
#
# FORWARD
echo "Forward control..."
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
iptables -A FORWARD -j ACCEPT
#
iptables -A FORWARD -j LOG --log-prefix "IPTABLES FORWARD: "
#
iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
#
# ------------- Logging -------------
echo "Logging..."
# You don't have to split up your logging like I do below, but I prefer to do it this way
# because I can then grep for things in the logs more easily. One thing you probably want
# to do is rate-limit the logging. I didn't do that here because it is probably best not too
# when you first set things up ................. you actually really want to see everything going to
# the logs to work out what isn't working and why. You can implement logging with
# "-m limit --limit 6/h --limit-burst 5" (or similar) before the -j LOG in each case.
#
# Any udp not already allowed is logged and then dropped.
iptables -A INPUT -i $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i $IFACE -p udp -j DROP
iptables -A OUTPUT -o $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
iptables -A OUTPUT -o $IFACE -p udp -j DROP
# Any icmp not already allowed is logged and then dropped.
iptables -A INPUT -i $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i $IFACE -p icmp -j DROP
iptables -A OUTPUT -o $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
iptables -A OUTPUT -o $IFACE -p icmp -j DROP
# Any tcp not already allowed is logged and then dropped.
iptables -A INPUT -i $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i $IFACE -p tcp -j DROP
iptables -A OUTPUT -o $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
iptables -A OUTPUT -o $IFACE -p tcp -j DROP
# Anything else not already allowed is logged and then dropped.
# It will be dropped by the default policy anyway ........ but let's be paranoid.
iptables -A INPUT -i $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
iptables -A INPUT -i $IFACE -j DROP
iptables -A OUTPUT -o $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
iptables -A OUTPUT -o $IFACE -j DROP
#
echo "Firewall Setup is Completed..."
#
# --------------- End of Script ---------------
#
it failed complainting no such file or directory.
I manually run it and use "sh -n firewall" it show syntax problem in the first for loop, can anyone show me what error and how to correct?
#! /bin/sh
#
# Original Script Reference
# http://www.sns.ias.edu/~jns/security/iptables/rules.html
# http://www.study-area.org/linux/servers/linux_nat.htm
#
# Modified by - Matthew Chin
# Date - 2004/06/05
# Version - 1.0
#
# Redistribution of this file is permitted under the terms of
# the GNU General Public License (GPL).
#
#
# --------------- Start of Script ---------------
#
# --------------- Some definitions ---------------
echo "Set up definitions..."
IFACE="eth0"
IPADDR="192.168.1.5"
BROADCAST="192.168.1.255"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/4"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
TR_TCP_PORTS="20 21 22 23 25 53 80 110 113 139 143 220 443 445 465 515 631 783 993 995 000 3306 6000 10000 10001"
TR_UDP_PORTS="53 137 138 445"
# --------------- Allow TCP, UDP port deswcription ---------------
# 20 - ftp data
# 21 - ftp control
# 22 - SSH
# 23 - Telnet
# 25 - SMTP
# 53 - DNS
# 80 - WWW
# 110 - POP3
# 113 - auth
# 137 - samba
# 138 - samba
# 139 - samba
# 143 - ?
# 220 - ?
# 443 - https
# 445 - samba
# 465 - ?
# 515 - printer
# 631 - ipp (CUPS)
# 783 - hp-alarm-mgr
# 993 - ?
# 995 - ?
# 3000 - palantir - webcam
# 3306 - mysql
# 6000 - X11
# 10000 - webmin
# 10001 - router remote
#
# --------------- Load appropriate modules ---------------
echo "Loading modules..."
#
for file in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_*.o
do
module=$(basename $file)
/sbin/modprobe ${module%.*} &>/dev/null
done
for file in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_*.o
do
module=$(basename $file)
/sbin/modprobe ${module%.*} &>/dev/null
done
#
# --------------- ip forwarding ---------------
echo "Turning on IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# --------------- anti spoofing etc ---------------
echo "Turning on anti-spoofing..."
for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $file
done
#
# Disable response to ping.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
#
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo "0" > ${interface}
done
#
# Enable bad error message protection.
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#
# Log spoofed packets, source routed packets, redirect packets.
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
#
# ---------- Remove all rules ----------
echo "Cleaning up..."
iptables -F
iptables -X
iptables -Z
#
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
#
# ------------- Policies -------------
echo "Setting up policies to ACCEPT..."
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
#
# --------------- Rules ---------------
echo "Creating rules ..."
# Allow unlimited traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#
# SYN-FLOODING PROTECTION
# This rule maximises the rate of incoming connections. In order to do this we divert tcp
# packets with the SYN bit set off to a user-defined chain. Up to limit-burst connections
# can arrive in 1/limit seconds ..... in this case 4 connections in one second. After this, one
# of the burst is regained every second and connections are allowed again. The default limit
# is 3/hour. The default limit burst is 5.
#
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
#
# Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
#
#
# Refuse spoofed packets pretending to be from your IP address.
iptables -A INPUT -i $IFACE -s $IPADDR -j DROP
# Refuse packets claiming to be from a Class A private network.
iptables -A INPUT -i $IFACE -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network.
iptables -A INPUT -i $IFACE -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network.
# iptables -A INPUT -i $IFACE -s $CLASS_C -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
iptables -A INPUT -i $IFACE -s $CLASS_D_MULTICAST -j DROP
# Refuse Class E reserved IP addresses.
iptables -A INPUT -i $IFACE -s $CLASS_E_RESERVED_NET -j DROP
# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
iptables -A INPUT -i $IFACE -d $LOOPBACK -j DROP
# Refuse broadcast address packets.
iptables -A INPUT -i $IFACE -d $BROADCAST -j DROP
#
# --------------- ICMP ---------------
echo "Creating ICMP chain...."
# We prefilter icmp by pulling it off to user-dfined chains so that we can restrict which
# types are allowed from the beginning rather than leaving it to the connection tracking.
# For instance, we don't want redirects whatever happens.
# In case you hadn't realised, ICMP scares me ...................
#
# 0: echo reply (pong)
# 3: destination-unreachable (port-unreachable, fragmentation-needed etc).
# 4: source quench
# 5: redirect
# 8: echo request (ping)
# 9: router advertisement
# 10: router solicitation
# 11: time-exceeded
# 12: parameter-problem
# 13: timestamp request
# 14: timestamp reply
# 15: information request
# 16: information reply
# 17: address mask request
# 18: address mask reply
#
iptables -N icmp-in
iptables -N icmp-out
#
iptables -A INPUT -i $IFACE -p icmp -j icmp-in
iptables -A OUTPUT -o $IFACE -p icmp -j icmp-out
#
# Accept 0,3,4,11,12,14,16,18 in.
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 0 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 3 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 4 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 11 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 12 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 14 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 16 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 18 -s 0/0 -d $IPADDR -j RETURN
# Allow 4,8,12,13,15,17 out.
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 4 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 8 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 12 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 13 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 15 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 17 -s $IPADDR -d 0/0 -j RETURN
#
# Any ICMP not already allowed is logged and then dropped.
iptables -A icmp-in -i $IFACE -j LOG --log-prefix "IPTABLES ICMP-BAD-TYPE-IN: "
iptables -A icmp-in -i $IFACE -j DROP
iptables -A icmp-out -o $IFACE -j LOG --log-prefix "IPTABLES ICMP-BAD-TYPE-OUT: "
iptables -A icmp-out -o $IFACE -j DROP
#
# Now we have returned from the icmp-in chain allowing only certain types
# of icmp inbound, we can accept it if it is related to other connections
# (e.g a time exceed from a traceroute) or part of an established one
# (e.g. an echo reply)
iptables -A INPUT -i $IFACE -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Now we have returned from the icmp-out chain allowing only certain types
# of icmp outbound, we can just accept it under all circumstances.
iptables -A OUTPUT -o $IFACE -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# --------------- services ---------------
echo "Creating services chain...."
iptables -N services
for PORT in $TR_TCP_PORTS; do
iptables -A services -i $IFACE -p tcp --dport $PORT -j ACCEPT
done
for PORT in $TR_UDP_PORTS; do
iptables -A services -i $IFACE -p udp --dport $PORT -j ACCEPT
done
#
# ------------- block -------------
echo "Creating block chain..."
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! $IFACE -j ACCEPT
iptables -A block -j DROP
#
# ------------- filter -------------
echo "Filtering packets..."
#
iptables -A INPUT -j services
iptables -A INPUT -j block
iptables -A FORWARD -j block
#
# FTP
echo "FTP control..."
# Allow ftp outbound.
iptables -A INPUT -i $IFACE -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Now for the connection tracking part of ftp. This is discussed more completely in my section
# on connection tracking to be found here.
# 1) Active ftp.
# This involves a connection INbound from port 20 on the remote machine, to a local port
# passed over the ftp channel via a PORT command. The ip_conntrack_ftp module recognizes
# the connection as RELATED to the original outgoing connection to port 21 so we don't
# need NEW as a state match.
iptables -A INPUT -i $IFACE -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
#
# 2) Passive ftp.
# This involves a connection outbound from a port >1023 on the local machine, to a port >1023
# on the remote machine previously passed over the ftp channel via a PORT command. The
# ip_conntrack_ftp module recognizes the connection as RELATED to the original outgoing
# connection to port 21 so we don't need NEW as a state match.
iptables -A INPUT -i $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
-m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#
# TRACEROUTE
echo "TRACEROUTE control..."
# Outgoing traceroute anywhere.
# The reply to a traceroute is an icmp time-exceeded which is dealt with by the next rule.
iptables -A OUTPUT -o $IFACE -p udp --sport $TR_SRC_PORTS --dport $TR_DEST_PORTS \
-m state --state NEW -j ACCEPT
#
# FORWARD
echo "Forward control..."
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
iptables -A FORWARD -j ACCEPT
#
iptables -A FORWARD -j LOG --log-prefix "IPTABLES FORWARD: "
#
iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
#
# ------------- Logging -------------
echo "Logging..."
# You don't have to split up your logging like I do below, but I prefer to do it this way
# because I can then grep for things in the logs more easily. One thing you probably want
# to do is rate-limit the logging. I didn't do that here because it is probably best not too
# when you first set things up ................. you actually really want to see everything going to
# the logs to work out what isn't working and why. You can implement logging with
# "-m limit --limit 6/h --limit-burst 5" (or similar) before the -j LOG in each case.
#
# Any udp not already allowed is logged and then dropped.
iptables -A INPUT -i $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i $IFACE -p udp -j DROP
iptables -A OUTPUT -o $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
iptables -A OUTPUT -o $IFACE -p udp -j DROP
# Any icmp not already allowed is logged and then dropped.
iptables -A INPUT -i $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i $IFACE -p icmp -j DROP
iptables -A OUTPUT -o $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
iptables -A OUTPUT -o $IFACE -p icmp -j DROP
# Any tcp not already allowed is logged and then dropped.
iptables -A INPUT -i $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i $IFACE -p tcp -j DROP
iptables -A OUTPUT -o $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
iptables -A OUTPUT -o $IFACE -p tcp -j DROP
# Anything else not already allowed is logged and then dropped.
# It will be dropped by the default policy anyway ........ but let's be paranoid.
iptables -A INPUT -i $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
iptables -A INPUT -i $IFACE -j DROP
iptables -A OUTPUT -o $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
iptables -A OUTPUT -o $IFACE -j DROP
#
echo "Firewall Setup is Completed..."
#
# --------------- End of Script ---------------
#