lemoncube.com Search: (normal)
Articles
Links
News
Projects

Disclaimer

Firewall example script

#!/bin/sh
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since
# you'll save the running config with 'iptables-save' for RedHat to reinstate
# at the next boot IP fordarding must be enabled by other than this script for
# production use. That's best done by editing /etc/sysctl.comf and setting
# 'net.ipv4.ip_forward = 1'.
#
# Once the rule sets are to your liking you can easily arrainge to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# iptables-save >/etc/sysconfig/iptables
#
# When /etc/init.d/iptables executes it will see the file and restore the
# saved rules.
# 
# Since /etc/sysctl.conf will only be read at boot, you can uncomment the
# following line to enable forwarding on the fly. Just remember that the
# saved iptables data won't include the command.
#
#echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Set an absolute path to IPTABLES and define the interfaces
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
IPTABLES="/sbin/iptables"
OUTSIDE=eth0
INSIDE=eth1
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packetsthat we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent   - Just drop it on the floor, used for internal traffic
# badflags - Log packets with bad flags, most likely an attack
# dropit   - Log packets that that we refuse, possibly from an attack
# 
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP
#
# Use up NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT if to do the NPAT you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 111.222.333.444
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.1.0.1
# The second forwards SSH to 10.1.0.1
# The third forwards a block of tcp and udp ports (2300-2400) to 10.1.0.1
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 10.1.0.1
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 10.1.0.1
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 10.1.0.1
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 10.1.0.1
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
#
# The loopback interface is inheritly trustworthy. Don't disable it or
# a number of things on the firewall will break. Uncomment the line following
# if the inside machines are trustworthy and there are services on the firewall,
# like DNS, web, DHCP etc., that they need to access.
#
$IPTABLES -A INPUT -i lo -j ACCEPT
#$IPTABLES -A INPUT -i $INSIDE -d 10.1.0.254 -j ACCEPT
#
# Uncomment the following two lines if you are running a DHCP server on the
# firewall.
#
#$IPTABLES -A INPUT -i $INSIDE -d 10.1.0.255 -j ACCEPT
#$IPTABLES -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Silently drop and SMB traffic. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux, so block that windows trash.
#
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
#
# If you want to be able to connect via SSH from the Internet
# to the firewall uncomment the next line.
#
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Allow inbound SMTP and IMAP connections to the firewall system.
# very usefull if your firewall is also your mail server.
#
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 25 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 143 -j ACCEPT
#
# Examples of allowing inbound for the port forwarding examples above.
#
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPTABLES -A INPUT -j firewalled

pablo , 2003-05-29 00:25:42