Firewall example script
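#!/bin/sh
#
# Firewall example script: a two-interface iptables NAT gateway.
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save
# the running config with 'iptables-save' for RedHat to reinstate at the next
# boot, IP forwarding must be enabled by something other than this script for
# production use. That's best done by editing /etc/sysctl.conf and setting
# 'net.ipv4.ip_forward = 1'.
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
#     iptables-save >/etc/sysconfig/iptables
#
# When /etc/init.d/iptables executes it will see the file and restore the
# saved rules.
#
# Since /etc/sysctl.conf is only read at boot, you can uncomment the following
# line to enable forwarding on the fly. Just remember that the saved iptables
# data won't include this command.
#
#echo 1 > /proc/sys/net/ipv4/ip_forward

# Treat use of an unset variable as an error. 'set -e' is deliberately NOT
# used: aborting part way through -- after the INPUT policy is DROP but before
# the ACCEPT rules are loaded -- would lock out a remote administrator.
# Instead every failed rule is reported on stderr by the ipt() wrapper below.
set -u

#
# Absolute path to iptables and the interface roles.
# OUTSIDE is the untrusted interface that connects to the Internet and INSIDE
# is, well, that ought to be obvious. INSIDE_NET is the LAN address block;
# 10.1.0.0/24 is inferred from the example addresses used further down
# (10.1.0.1, 10.1.0.254, 10.1.0.255) -- adjust it to your own network.
#
IPTABLES="/sbin/iptables"
OUTSIDE=eth0
INSIDE=eth1
INSIDE_NET=10.1.0.0/24

#
# Nothing below works unless we are root and iptables is actually present,
# so fail early and loudly instead of producing a half-installed rule set.
#
if [ "$(id -u)" -ne 0 ]; then
  printf '%s: must be run as root\n' "$0" >&2
  exit 1
fi
if [ ! -x "$IPTABLES" ]; then
  printf '%s: %s not found or not executable\n' "$0" "$IPTABLES" >&2
  exit 1
fi

#######################################
# Run iptables with the given arguments and report any rule that fails to
# install, without aborting the script (see the note on 'set -e' above).
# Globals:   IPTABLES (read)
# Arguments: iptables arguments, passed through verbatim
# Outputs:   diagnostic on stderr when the rule is rejected
# Returns:   status of the iptables invocation
#######################################
ipt() {
  "$IPTABLES" "$@" || printf '%s: rule failed: iptables %s\n' "$0" "$*" >&2
}

#
# Set restrictive default policies first, then clear out any existing rules
# and user-defined chains in every table. Doing it in this order avoids a
# window in which the box is wide open while the old rules are gone and the
# new ones are not yet loaded. FORWARD defaults to DROP: only traffic that a
# rule below explicitly allows is routed between the interfaces.
#
ipt -P INPUT DROP
ipt -P OUTPUT ACCEPT
ipt -P FORWARD DROP
ipt -F
ipt -F -t mangle
ipt -F -t nat
ipt -X
ipt -X -t mangle
ipt -X -t nat

#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains receive packets that we aren't willing
# to pass. Limiters on logging are used so as not to swamp the firewall (or
# fill its disk) in a DoS scenario.
#
# silent     - Just drop it on the floor, used for noisy internal traffic
# tcpflags   - Log packets with bad TCP flags, most likely a scan or attack
# firewalled - Log packets that we refuse, possibly from an attack
#
ipt -N silent
ipt -A silent -j DROP
ipt -N tcpflags
ipt -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
ipt -A tcpflags -j DROP
ipt -N firewalled
ipt -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
ipt -A firewalled -j DROP

#
# Use masquerading (NPAT) if you have a dynamic IP. Otherwise comment out the
# following line and use the Source NAT below.
#
ipt -t nat -A POSTROUTING -o "$OUTSIDE" -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Replace the placeholder with the address of your OUTSIDE NIC.
#
#ipt -t nat -A POSTROUTING -o "$OUTSIDE" -j SNAT --to <YOUR_OUTSIDE_IP>

#
# Examples of port forwarding (DNAT).
#
# The first forwards HTTP traffic to 10.1.0.1
# The second forwards SSH to 10.1.0.1
# The third forwards a block of tcp and udp ports (2300-2400) to 10.1.0.1
#
# Remember that a DNATed packet is delivered through the FORWARD chain, not
# INPUT, so every forward you enable also needs its matching FORWARD ACCEPT
# rule further down; an INPUT rule would only open the port on the firewall
# host itself.
#
ipt -t nat -A PREROUTING -i "$OUTSIDE" -p tcp --dport 80 -j DNAT --to 10.1.0.1
#ipt -t nat -A PREROUTING -i "$OUTSIDE" -p tcp --dport 22 -j DNAT --to 10.1.0.1
#ipt -t nat -A PREROUTING -i "$OUTSIDE" -p tcp --dport 2300:2400 -j DNAT --to 10.1.0.1
#ipt -t nat -A PREROUTING -i "$OUTSIDE" -p udp --dport 2300:2400 -j DNAT --to 10.1.0.1

#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to probe or attack
# a box in various ways. They are rejected both for the firewall itself
# (INPUT) and for anything it would route (FORWARD).
#
for chain in INPUT FORWARD; do
  ipt -A "$chain" -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
  ipt -A "$chain" -p tcp --tcp-flags ALL ALL -j tcpflags
  ipt -A "$chain" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
  ipt -A "$chain" -p tcp --tcp-flags ALL NONE -j tcpflags
  ipt -A "$chain" -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
  ipt -A "$chain" -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
done

#
# Anti-spoofing: a packet arriving on the OUTSIDE interface must never claim
# a source address from the inside network. Log and drop it.
#
ipt -A INPUT -i "$OUTSIDE" -s "$INSIDE_NET" -j firewalled
ipt -A FORWARD -i "$OUTSIDE" -s "$INSIDE_NET" -j firewalled

#
# The loopback interface is inherently trustworthy. Don't disable it or a
# number of things on the firewall will break. Uncomment the line following
# if the inside machines are trustworthy and there are services on the
# firewall, like DNS, web, DHCP etc., that they need to access.
#
ipt -A INPUT -i lo -j ACCEPT
#ipt -A INPUT -i "$INSIDE" -d 10.1.0.254 -j ACCEPT

#
# Uncomment the following two lines if you are running a DHCP server on the
# firewall.
#
#ipt -A INPUT -i "$INSIDE" -d 10.1.0.255 -j ACCEPT
#ipt -A INPUT -i "$INSIDE" -d 255.255.255.255 -j ACCEPT

#
# Allow packets that are part of an established connection to pass to the
# firewall. This is what lets replies to the firewall's own traffic back in.
#
ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#
# Allow selected ICMP types and drop the rest. Replies that belong to the
# firewall's own flows are already admitted by the state rule above; these
# rules additionally admit unsolicited ones. Echo requests are rate limited
# so the box can't be used as a ping-flood reflector.
#
ipt -A INPUT -p icmp --icmp-type 0 -j ACCEPT
ipt -A INPUT -p icmp --icmp-type 3 -j ACCEPT
ipt -A INPUT -p icmp --icmp-type 11 -j ACCEPT
ipt -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
ipt -A INPUT -p icmp -j firewalled

#
# Silently drop Windows networking chatter (NetBIOS name/datagram service,
# NetBIOS session and SMB). The original rule only covered 137/udp; the rest
# would otherwise end up in the log via 'firewalled' and drown useful entries.
#
ipt -A INPUT -p udp --dport 137:138 -j silent
ipt -A INPUT -p tcp --dport 139 -j silent
ipt -A INPUT -p tcp --dport 445 -j silent

#
# If you want to be able to connect via SSH from the Internet to the firewall
# uncomment the next line.
#
#ipt -A INPUT -i "$OUTSIDE" -p tcp --dport 22 -j ACCEPT

#
# Allow inbound SMTP and IMAP connections to the firewall system.
# Very useful if your firewall is also your mail server.
#
#ipt -A INPUT -i "$OUTSIDE" -p tcp --dport 25 -j ACCEPT
#ipt -A INPUT -i "$OUTSIDE" -p tcp --dport 143 -j ACCEPT

#
# Anything destined for the firewall that hasn't already matched gets logged
# and then dropped.
#
ipt -A INPUT -j firewalled

#
# FORWARD chain: what the firewall will route between the two interfaces.
# Inside clients may initiate anything outbound; the replies come back via the
# state rule; from the outside only the explicitly listed DNAT targets are
# reachable (these are the companions of the PREROUTING examples above).
#
ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ipt -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -j ACCEPT
ipt -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -d 10.1.0.1 -p tcp --dport 80 -j ACCEPT
#ipt -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -d 10.1.0.1 -p tcp --dport 22 -j ACCEPT
#ipt -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -d 10.1.0.1 -p tcp --dport 2300:2400 -j ACCEPT
#ipt -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -d 10.1.0.1 -p udp --dport 2300:2400 -j ACCEPT

#
# Anything else the firewall is asked to route gets logged and then dropped.
#
ipt -A FORWARD -j firewalled

# Originally posted by pablo, 2003-05-29 00:25:42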