| author | Silvino Silva <silvino@bk.ru> | 2018-05-06 10:51:32 +0100 |
|---|---|---|
| committer | Silvino Silva <silvino@bk.ru> | 2018-05-06 10:51:32 +0100 |
| commit | 2f97ec532422ea22ba1d04ddc683e64863d05234 (patch) | |
| tree | 7a6bee80cf7418a9a005a152878f8da49db0f5f2 /core | |
| parent | 5b331e8145aeeb05ab24cde90e2c554989b16777 (diff) | |
| download | doc-2f97ec532422ea22ba1d04ddc683e64863d05234.tar.gz | |
initial iptables revision
Diffstat (limited to 'core')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | core/network.html | 176 |
| -rw-r--r-- | core/scripts/iptables-conf.sh | 229 |
| -rw-r--r-- | core/scripts/iptables.sh | 435 |
3 files changed, 455 insertions, 385 deletions
diff --git a/core/network.html b/core/network.html index 9aa5921..3f8a870 100644 --- a/core/network.html +++ b/core/network.html @@ -14,7 +14,7 @@ <dl> <dt><a href="conf/rc.d/iptables">/etc/rc.d/iptables</a></dt> <dd>Configure <a href="#iptables">iptables</a>, start option - loads set of rules from file /etc/iptables/name.v4, open option + loads set of rules from file /etc/iptables/net.v4, open option allows everything to outside and blocks everything from outside, stop will block and log everything.</dd> <dt><a href="conf/rc.d/net">/etc/rc.d/net</a></dt> @@ -114,20 +114,16 @@ <h2 id="iptables">2.3.3. Iptables</h2> - <p>For more information about iptables read - <a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>. - Iptables can be setup at boot with - <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> init script, change - <a href="scripts/iptables.sh">iptables.sh</a> with your needs and run - to save rules in <a href="conf/iptables/net.v4">/etc/iptables/net.v4</a> - file.</p> + <p>For more information about firewall systems read arch wiki + <a href="https://wiki.archlinux.org/index.php/Iptables">iptables</a> + an <a href="https://wiki.archlinux.org/index.php/nftables">nftables</a>.</p> - <p>Init script "start" option loads set of rules from file - /etc/iptables/rules.v4, "open" option allows everything to outside + <p>To setup iptables rules a set of scripts is used, init script + <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> + loads set of rules from file /etc/iptables/net.v4 at boot time. + Start option "open" option allows everything to outside and blocks everything from outside, "stop" will block and log - everything.</p> - - <p>Setup init script and rules ;</p> + everything. Setup init script and rules ;</p> <pre> # mkdir /etc/iptables 
@@ -142,6 +138,150 @@ SERVICES=(iptables lo net crond) </pre> + <p>Diagram of a package route throw iptables;</p> + + <pre> + + XXXXXXXXXXXXXXXXX + XXXX Network XXXX + XXXXXXXXXXXXXXXXX + + + | + v + +-------------+ +------------------+ + |table: filter| >---+ | table: nat | + |chain: INPUT | | | chain: PREROUTING| + +-----+-------+ | +--------+---------+ + | | | + v | v + [local process] | **************** +--------------+ + | +---------+ Routing decision +------< |table: filter | + v **************** |chain: FORWARD| + **************** +------+-------+ + Routing decision | + **************** | + | | + v **************** | + +-------------+ +------< Routing decision >---------------+ + |table: nat | | **************** + |chain: OUTPUT| | + + +-----+-------+ | | + | | v + v | +-------------------+ + +--------------+ | | table: nat | + |table: filter | +----+ | chain: POSTROUTING| + |chain: OUTPUT | +--------+----------+ + +--------------+ | + v + XXXXXXXXXXXXXXXXX + XXXX Network XXXX + XXXXXXXXXXXXXXXXX + + </pre> + + <p>Command line usage;</p> + + <pre> + iptables [-t table] {-A|-C|-D} chain rule-specification + iptables [-t table] {-A|-C|-D} chain rule-specification + iptables [-t table] -I chain [rulenum] rule-specification + iptables [-t table] -R chain rulenum rule-specification + iptables [-t table] -D chain rulenum + iptables [-t table] -S [chain [rulenum]] + iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] + iptables [-t table] -N chain + iptables [-t table] -X [chain] + iptables [-t table] -P chain target + iptables [-t table] -E old-chain-name new-chain-name + rule-specification = [matches...] [target] + match = -m matchname [per-match-options] + </pre> + + <p>Targets, can be a user defined chain;</p> + + <pre> + ACCEPT - accepts the packet + DROP - drop the packet on the floor + QUEUE - packet will be stent to queue + RETURN - stop traversing this chain and + resume ate the next rule in the + previeus (calling) chain. 
+ + if packet reach the end of the chain or + a target RETURN, default policy for that + chain is applayed. + </pre> + + <p>Target Extensions</p> + + <pre> + AUDIT + CHECKSUM + CLASSIFY + DNAT + DSCP + LOG + Torn on kernel logging, will print some + some information on all matching packets. + Log data can be read with dmesg or syslogd. + This is a non-terminating target and a rule + should be created with matching criteria. + + --log-level level + Level of logging (numeric or see sys- + log.conf(5) + + --log-prefix prefix + Prefix log messages with specified prefix + up to 29 chars log + + --log-uid + Log the userid of the process with gener- + ated the packet + NFLOG + This target pass the packet to loaded logging + backend to log the packet. One or more userspace + processes may subscribe to the group to receive + the packets. + + ULOG + This target provides userspace logging of maching + packets. One or more userspace processes may then + then subscribe to various multicast groups and + then receive the packets. + </pre> + + <p>Commands</p> + <pre> + -A, --append chain rule-specification + -C, --check chain rule-specification + -D, --delete chain rule-specification + -D, --delete chain rulenum + -I, --insert chain [rulenum] rule-specification + -R, --replace chain rulenum rule-specification + -L, --list [chain] + -P, --policy chain target + </pre> + + <p>Parameters</p> + <pre> + -p, --protocol protocol + tcp, udp, udplite, icmp, esp, ah, sctp, all + -s, --source address[/mask][,...] + -d, --destination address[/mask][,...] + -j, --jump target + -g, --goto chain + -i, --in-interface name + -o, --out-interface name + -f, --fragment + -m, --match options module-name + iptables can use extended packet matching + modules. + -c, --set-counters packets bytes + </pre> + + <h3 id="ipt_server">2.3.3.1. Server iptables</h3> + <p>Adjust <a href="scripts/iptables.sh">iptables.sh</a> with your network configuration then run it;</p> 
@@ -149,6 +289,16 @@ # bash core/scripts/iptables.sh </pre> + <p> + <a href="scripts/iptables.sh">iptables.sh</a> with your needs and run + to save rules in <a href="conf/iptables/net.v4">/etc/iptables/net.v4</a> + file.</p> + + <h3 id="ipt_client">2.3.3.2. Client iptables </h3> + + <p></p> + <h3 id="ipt_client">2.3.3.3. Bridge iptables</h3> + <p>See current rules and packets;</p> <pre> diff --git a/core/scripts/iptables-conf.sh b/core/scripts/iptables-conf.sh new file mode 100644 index 0000000..cd3185b --- /dev/null +++ b/core/scripts/iptables-conf.sh 
@@ -0,0 +1,229 @@ +#!/bin/bash + + + +iptables_clear () { + echo "clear all iptables tables" + + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + iptables -t raw -F + iptables -t raw -X + iptables -t security -F + iptables -t security -X + iptables -N blocker + + iptables -N srv_dhcp + iptables -N srv_rip + iptables -N srv_icmp + iptables -N srv_dns_in + iptables -N srv_dns_out + iptables -N srv_http_in + iptables -N srv_http_out + iptables -N srv_https_in + iptables -N srv_https_out + iptables -N srv_ssh_in + iptables -N srv_ssh_out + iptables -N srv_git_in + iptables -N srv_git_out + iptables -N srv_db_in + iptables -N srv_db_out + + + iptables -N cli_dns_in + iptables -N cli_dns_out + iptables -N cli_http_in + iptables -N cli_http_out + iptables -N cli_https_in + iptables -N cli_https_out + iptables -N cli_ssh_in + iptables -N cli_ssh_out + iptables -N cli_pops_in + iptables -N cli_pops_out + iptables -N cli_smtps_in + iptables -N cli_smtps_out + iptables -N cli_irc_in + iptables -N cli_irc_out + iptables -N cli_ftp_in + iptables -N cli_ftp_out + iptables -N cli_git_in + iptables -N cli_git_out + iptables -N cli_gpg_in + iptables -N cli_gpg_out + + # Set Default Rules + iptables -P INPUT DROP + iptables -P FORWARD DROP + iptables -P OUTPUT DROP + +} + +iptables_log () { + ## log everything else and drop + $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + $IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " + $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " +} + + +iptables_tables () { + echo "start adding tables..." 
+ + ####### blocker Chain ###### + ## Block google dns + $IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " + $IPT -A blocker -s 8.8.0.0/24 -j DROP + ## Block sync + $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " + $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP + ## Block Fragments + $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " + $IPT -A blocker -f -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " + $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets + $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " + $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " + $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS + $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " + $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans + $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + ## Return to caller + $IPT -A blocker -j RETURN + + ######## DNS Server + #echo "server_in chain: Allow input to DNS Server" + $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_in -j RETURN + 
#echo "srv_dns_out chain: Allow output from DNS server" + $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_out -j RETURN + + ####### Database Server + $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_db_in -j RETURN + $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A srv_db_out -j RETURN + + ####### SSH Server + + $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT + + $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \ + --update --seconds 60 --hitcount 4 --rttl \ + --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" + + $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \ + --hitcount 4 --rttl --name SSH -j DROP + + $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + + $IPT -A srv_ssh_in -j RETURN + $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A srv_ssh_out -j RETURN + + ####### HTTP Server + $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_http_in -j RETURN + $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_http_out -j RETURN + + ####### HTTPS Server + $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_https_in -j RETURN + $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_https_out -j RETURN + + ###### GIT server + $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A 
srv_git_in -j RETURN + $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_git_out -j RETURN + + ######## DNS Client + $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_dns_out -j RETURN + $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_dns_in -j RETURN + + ######## HTTP Client + $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_http_in -j RETURN + $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_http_out -j RETURN + + + ######## IRC client + $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_irc_in -j RETURN + $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_irc_out -j RETURN + + ######## FTP client + + $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ftp_in -j RETURN + $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_ftp_out -j RETURN + ######## GIT client + $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_git_in -j RETURN + $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_git_out -j RETURN + + ######## POP3S client + $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_pops_in -j RETURN + $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_pops_out -j RETURN + + ######## SMTPS client + $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state 
--state ESTABLISHED -j ACCEPT + $IPT -A cli_smtps_in -j RETURN + $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_smtps_out -j RETURN + + ######## HTTPS client + $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_https_in -j RETURN + $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_https_out -j RETURN + + ######## SSH client + $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_in -j RETURN + $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_out -j RETURN + + ######## GPG key client + $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_gpg_in -j RETURN + $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_gpg_out -j RETURN + + ######## DHCP Server + $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT + $IPT -A srv_dhcp -j RETURN + + ####### RIP Server + $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT + $IPT -A srv_rip -j RETURN + + ####### ICMP Server + $IPT -A srv_icmp -p icmp -j ACCEPT + $IPT -A srv_icmp -j RETURN +} diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh index b887204..9c6cb87 100644 --- a/core/scripts/iptables.sh +++ b/core/scripts/iptables.sh 
@@ -1,408 +1,99 @@ -#!/bin/sh +#!/bin/bash -# -# XXXXXXXXXXXXXXXXX -# XXXX Network XXXX -# XXXXXXXXXXXXXXXXX -# + -# | -# v -# +-------------+ +------------------+ -# |table: filter| <---+ | table: nat | -# |chain: INPUT | | | chain: PREROUTING| -# +-----+-------+ | +--------+---------+ -# | | | -# v | v -# [local process] | **************** +--------------+ -# | +---------+ Routing decision +------> |table: filter | -# v **************** |chain: FORWARD| -# **************** +------+-------+ -# Routing decision | -# **************** | -# | | -# v **************** | -# +-------------+ +------> Routing decision <---------------+ -# |table: nat | | **************** -# |chain: OUTPUT| | + -# +-----+-------+ | | -# | | v -# v | +-------------------+ -# +--------------+ | | table: nat | -# |table: filter | +----+ | chain: POSTROUTING| -# |chain: OUTPUT | +--------+----------+ -# +--------------+ | -# v -# XXXXXXXXXXXXXXXXX -# XXXX Network XXXX -# XXXXXXXXXXXXXXXXX -# -# iptables [-t table] {-A|-C|-D} chain rule-specification -# -# iptables [-t table] {-A|-C|-D} chain rule-specification -# -# iptables [-t table] -I chain [rulenum] rule-specification -# -# iptables [-t table] -R chain rulenum rule-specification -# -# iptables [-t table] -D chain rulenum -# -# iptables [-t table] -S [chain [rulenum]] -# -# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] -# -# iptables [-t table] -N chain -# -# iptables [-t table] -X [chain] -# -# iptables [-t table] -P chain target -# -# iptables [-t table] -E old-chain-name new-chain-name -# -# rule-specification = [matches...] [target] -# -# match = -m matchname [per-match-options] -# -# -# Targets -# -# can be a user defined chain -# -# ACCEPT - accepts the packet -# DROP - drop the packet on the floor -# QUEUE - packet will be stent to queue -# RETURN - stop traversing this chain and -# resume ate the next rule in the -# previeus (calling) chain. 
-# -# if packet reach the end of the chain or -# a target RETURN, default policy for that -# chain is applayed. -# -# Target Extensions -# -# AUDIT -# CHECKSUM -# CLASSIFY -# DNAT -# DSCP -# LOG -# Torn on kernel logging, will print some -# some information on all matching packets. -# Log data can be read with dmesg or syslogd. -# This is a non-terminating target and a rule -# should be created with matching criteria. -# -# --log-level level -# Level of logging (numeric or see sys- -# log.conf(5) -# -# --log-prefix prefix -# Prefix log messages with specified prefix -# up to 29 chars log -# -# --log-uid -# Log the userid of the process with gener- -# ated the packet -# NFLOG -# This target pass the packet to loaded logging -# backend to log the packet. One or more userspace -# processes may subscribe to the group to receive -# the packets. -# -# ULOG -# This target provides userspace logging of maching -# packets. One or more userspace processes may then -# then subscribe to various multicast groups and -# then receive the packets. -# -# -# Commands -# -# -A, --append chain rule-specification -# -C, --check chain rule-specification -# -D, --delete chain rule-specification -# -D, --delete chain rulenum -# -I, --insert chain [rulenum] rule-specification -# -R, --replace chain rulenum rule-specification -# -L, --list [chain] -# -P, --policy chain target -# -# Parameters -# -# -p, --protocol protocol -# tcp, udp, udplite, icmp, esp, ah, sctp, all -# -s, --source address[/mask][,...] -# -d, --destination address[/mask][,...] -# -j, --jump target -# -g, --goto chain -# -i, --in-interface name -# -o, --out-interface name -# -f, --fragment -# -m, --match options module-name -# iptables can use extended packet matching -# modules. 
-# -c, --set-counters packets bytes +TYPE=bridge IPT="/usr/sbin/iptables" SPAMLIST="blockedip" SPAMDROPMSG="BLOCKED IP DROP" + # public interface to network/internet BR_IF="br0" -BR_IP="10.0.0.254" BR_NET="10.0.0.0/8" GW="10.0.0.1" -# private interface for virtual/internal -WIFI_IF="wlp7s0" -WIFI_NET="192.168.1.0/24" -#PRI_IP="192.168.1.33" - -echo "Stopping ipv4 firewall and deny everyone..." - -iptables -F -iptables -X -iptables -t nat -F -iptables -t nat -X -iptables -t mangle -F -iptables -t mangle -X -iptables -t raw -F -iptables -t raw -X -iptables -t security -F -iptables -t security -X -iptables -N blocker - -iptables -N netconf_in -iptables -N netconf_out -iptables -N server_in -iptables -N server_out -iptables -N client_in -iptables -N client_out +PUB_IP="10.0.0.254" +PUB_IF="enp8s0" -iptables -N srv_dns_in -iptables -N srv_dns_out -iptables -N cli_dns_in -iptables -N cli_dns_out -iptables -N cli_http_in -iptables -N cli_http_out - -# Set Default Rules -iptables -P INPUT DROP -iptables -P FORWARD DROP -iptables -P OUTPUT DROP - -####### blocker Chain ###### -## Block google dns -$IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " -$IPT -A blocker -s 8.8.0.0/24 -j DROP -## Block sync -$IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " -$IPT -A blocker -p tcp ! 
--syn -m state --state NEW -j DROP -## Block Fragments -$IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " -$IPT -A blocker -f -j DROP -$IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP -$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP -$IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " -$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets -$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " -$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP -$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " -$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS -$IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " -$IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans -$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP -## Return to caller -$IPT -A blocker -j RETURN - -######## DNS Server -#echo "server_in chain: Allow input to DNS Server" -$IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A srv_dns_in -j RETURN -#echo "srv_dns_out chain: Allow output from DNS server" -$IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -$IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -$IPT -A srv_dns_out -j RETURN - -######## DNS Client -echo "cli_dns_out chain: Allow output to DNS server" -$IPT -A cli_dns_out -p udp 
--dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A cli_dns_out -j RETURN -echo "cli_dns_in chain: Allow input from DNS Server" -$IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A cli_dns_in -j RETURN +# private interface for virtual/internal +PRIV_IF="wlp7s0" +PRIV_NET="192.168.1.0/24" -######## HTTP Client -$IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A cli_http_in -j RETURN -#echo "Allow to HTTP server" -$IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A cli_http_out -j RETURN +#$IPT -A netconf_in -p icmp -s ${BR_NET} -j ACCEPT -####### server input Chain ###### -#echo "server_in chain: Allow to VNC Server" -#$IPT -A server_in -p tcp --dport 5900:5910 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow to DataBase Server" -$IPT -A server_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow to SSH server" -$IPT -A server_in -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow input to HTTPS Server" -$IPT -A server_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow input to HTTP Server" -$IPT -A server_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow output from GIT server" -$IPT -A server_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT +#$IPT -A netconf_out -p icmp -d ${BR_NET} -j ACCEPT -## Return to caller -$IPT -A server_in -j RETURN +source iptables-conf.sh -####### server output Chain ###### -echo "server_out chain: Allow output from GIT server" -$IPT -A server_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j 
ACCEPT -echo "server_out chain: Allow output from https server" -$IPT -A server_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -echo "server_out chain: Allow output from http server" -$IPT -A server_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -echo "server_out chain: Allow output from SSH server" -$IPT -A server_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "server_out chain: Allow output from Data Base server" -$IPT -A server_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -#echo "server_out chain: Allow output from VNC server" -#$IPT -A server_out -p tcp --sport 5900:5910 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +iptables_clear +# Unlimited on loopback +$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT +$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT -## Return to caller -$IPT -A server_out -j RETURN -####### client input Chain ###### -echo "client_in chain: Allow input from IRC server" -$IPT -A client_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from FTP server" -$IPT -A client_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from GIT server" -$IPT -A client_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from POP3S server" -$IPT -A client_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from SMTPS server" -$IPT -A client_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from HTTPS server" -$IPT -A client_in 
-p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A client_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from SSH Server" -$IPT -A client_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A client_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from GPG key Server" -$IPT -A client_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A client_in -j RETURN +iptables_tables -####### client output Chain ###### -echo "client_out chain: Allow output to IRC server" -$IPT -A client_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to FTP server" -$IPT -A client_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to GIT server" -$IPT -A client_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to POP3S server" -$IPT -A client_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to SMTPS server" -$IPT -A client_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to HTTPS server" -$IPT -A client_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A client_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to SSH server" -$IPT -A client_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A client_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to GPG key Server" 
-$IPT -A client_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A client_out -j RETURN +case $TYPE in + bridge) -####### netconf input Chain ###### -echo "netconf_in chain: Allow DHCP protocol" -$IPT -A netconf_in -p udp --sport 68 --dport 67 -j ACCEPT -echo "netconf_in chain: Allow RIP protocol for ${BR_NET}" -$IPT -A netconf_in -p udp --sport 520 --dport 520 -j ACCEPT -#echo "netconf chain: Allow ICMP from ${BR_NET}" -#$IPT -A netconf_in -p icmp -s ${BR_NET} -j ACCEPT -echo "netconf_in chain: Allow ICMP from all" -$IPT -A netconf_in -p icmp -j ACCEPT + echo "Setting bridge network..." -## Return to caller -$IPT -A netconf_in -j RETURN + echo 1 > /proc/sys/net/ipv4/ip_forward + ####### Forward Chain ###### + $IPT -A FORWARD -j blocker + #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j ACCEPT + #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap0 --physdev-out ${PUB_IF} -j srv_ssh_out + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_in + $IPT -A FORWARD -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out -####### netconf output Chain ###### -echo "netconf_out chain: Allow output from DHCP server" -$IPT -A netconf_out -p udp --sport 67 --dport 68 -j ACCEPT -echo "netconf_out chain: Allow RIP protocol for ${BR_NET}" -$IPT -A netconf_out -p udp --sport 520 --dport 520 -j ACCEPT -#echo "netconf chain: Allow ICMP output to ${BR_NET}" -#$IPT -A netconf_out -p icmp -d ${BR_NET} -j ACCEPT -echo "netconf chain: Allow ICMP output to all" -$IPT -A netconf_out -p icmp -j ACCEPT + ####### Input Chain ###### + $IPT -A INPUT -j blocker + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in -## Return to caller -$IPT -A netconf_out -j RETURN + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_ssh_in -############################################################ 
-# -# Start adding rules tables -# + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP -echo "Starting ipv4 firewall tables..." + ####### Output Chain ###### + $IPT -A OUTPUT -j blocker + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_dns_out + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out -# Unlimited on loopback -$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A INPUT -i lo -s ${BR_IP} -d ${BR_IP} -j ACCEPT -$IPT -A OUTPUT -o lo -s ${BR_IP} -d ${BR_IP} -j ACCEPT + #Less noise + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP -#modprobe ip_conntrack -#modprobe ip_conntrack_ftp -echo 1 > /proc/sys/net/ipv4/ip_forward + ####### PostRouting Chain ###### + $IPT -t nat -A POSTROUTING -o ${PRIV_IF} -j MASQUERADE -####### Forward Chain ###### -$IPT -A FORWARD -j blocker -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT -$IPT -A FORWARD -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j ACCEPT -#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j ACCEPT -#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j ACCEPT + ## log everything else and drop + iptables_log -####### Input Chain ###### -$IPT -A INPUT -j blocker -$IPT -A INPUT -i ${BR_IF} -j netconf_in -$IPT -A INPUT -i ${BR_IF} -d ${BR_IP} -j srv_dns_in -$IPT -A INPUT -i ${BR_IF} -s ${BR_NET} -d ${BR_IP} -j server_in -#$IPT -A INPUT -i ${WIFI_IF} -d ${WIFI_NET} -j client_in -#$IPT -A INPUT -i ${WIFI_IF} -d ${WIFI_NET} -j cli_dns_in -#$IPT -A INPUT -i ${BR_IF} -d ${BR_IP} -j client_in -# -##$IPT -A INPUT -i ${WIFI_IF} -j server_in -#$IPT -A INPUT -i ${WIFI_IF} -j netconf_in + iptables-save > /etc/iptables/net.v4 + exit 0 + ;; + server) -####### Output Chain ###### -$IPT -A OUTPUT -j blocker -$IPT -A OUTPUT -o ${BR_IF} -j netconf_out -$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} 
-j srv_dns_out -$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j server_out -$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j client_out -#$IPT -A OUTPUT -o ${WIFI_IF} -s ${WIFI_NET} -j client_out -#$IPT -A OUTPUT -o ${WIFI_IF} -s ${WIFI_NET} -j cli_dns_out + echo "Setting server network..." + ####### Input Chain ###### + $IPT -A INPUT -j blocker -#$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -j client_out + ####### Output Chain ###### + $IPT -A OUTPUT -j blocker -#$IPT -A OUTPUT -o ${WIFI_IF} -j server_out -#$IPT -A OUTPUT -o ${WIFI_IF} -j netconf_out + ## log everything else and drop + iptables_log -####### PostRouting Chain ###### -$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE -#$IPT -t nat -A POSTROUTING -o ${BR_IF} -j MASQUERADE + iptables-save > /etc/iptables/net.v4 + exit 0 -## log everything else and drop -$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " -$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " -$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " -$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " -$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " + ;; + *) + echo "usage: $0 [start|stop|restart]" + ;; +esac -iptables-save > /etc/iptables/net.rules -exit 0 |
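Review bot: the rewritten paragraphs in the `@@ -114,20 +114,16 @@` hunk of core/network.html carry two wording errors: `an <a href="https://wiki.archlinux.org/index.php/nftables">nftables</a>` should read `and <a ...>nftables</a>`, and `Start option "open" option allows everything to outside` repeats "option"; suggest `The "open" option allows everything to outside`. The opening sentence `To setup iptables rules a set of scripts is used, init script ... loads set of rules from file /etc/iptables/net.v4 at boot time.` is a run-on; one sentence for the scripts and a second for what the init script does at boot would read more clearly.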
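Review bot: in the packet-flow diagram added by the `@@ -142,6 +138,150 @@` hunk of core/network.html the arrow heads point the opposite way from the diagram this commit removes from core/scripts/iptables.sh: the removed comment block has `|table: filter| <---+` (PREROUTING feeds INPUT) and `Routing decision +------> |table: filter |` (routing decision feeds FORWARD), while the HTML copy has `>---+` and `------<`, which reverses the packet flow. The likely cause is avoiding raw `<` inside `<pre>`; the fix is to keep the original direction and write the heads as `&lt;` and `&gt;`, since a bare `<` inside the `<pre>` is also invalid HTML. The text moved from the iptables man page keeps its typos, which should be fixed while it is being moved: `throw` (through), `stent` (sent), `ate` (at), `previeus` (previous), `applayed` (applied), `Torn on` (Turn on), `maching` (matching), `with gener-ated` (which generated); the "Command line usage" block also lists the `{-A|-C|-D}` line twice.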
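Review bot: the two `<h3>` headings added in the `@@ -149,6 +289,16 @@` hunk of core/network.html both carry `id="ipt_client"`; `2.3.3.3. Bridge iptables` needs its own id (for example `ipt_bridge`), because a duplicate id leaves the second anchor unreachable from links. The paragraph beginning `<a href="scripts/iptables.sh">iptables.sh</a> with your needs and run` lost its verb (the removed text read "change iptables.sh with your needs") and restates the "Adjust iptables.sh with your network configuration then run it" sentence that the previous hunk adds directly above it; keep one of the two. The client section consists of an empty `<p></p>`; either fill it or leave the heading out until there is content, and trim the trailing space in `Client iptables </h3>`.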
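Review bot: in the `####### SSH Server` block of the new core/scripts/iptables-conf.sh the rate limit never takes effect because the rules are in the wrong order: the first rule `$IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT` matches and accepts every new connection, so the two `--update --seconds 60 --hitcount 4 --rttl` LOG and DROP rules below it are only reached by packets that are not NEW. Put the two `--update ... --hitcount 4` rules first, restricted to `-m state --state NEW` so that established sessions from a busy source are not cut off, and the `--set ... -j ACCEPT` rule after them. Three smaller points in the same file: the `## Block google dns` rules use `8.8.0.0/24`, which covers 8.8.0.0 to 8.8.0.255 and not 8.8.8.8 or 8.8.4.4, so the comment and the prefix disagree; `iptables_clear` calls the bare `iptables` binary for every flush, `-X`, `-N` and `-P` while the other functions use `$IPT`, so the `IPT` variable set in iptables.sh is only partially honoured (and a function named "clear" that also creates all user chains and sets the DROP policies deserves either a rename or a comment); and `-m state` is the deprecated alias of `-m conntrack --ctstate`, which accepts the same state names.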
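Review bot: `source iptables-conf.sh` in the rewritten core/scripts/iptables.sh resolves relative to the caller's working directory (bash searches PATH and then the current directory for a sourced name without a slash), so the invocation the HTML documents, `bash core/scripts/iptables.sh` from the repository root, fails before any rule is installed; use `source "$(dirname "$0")/iptables-conf.sh"`. The `case $TYPE in` dispatch is driven by the hard-coded `TYPE=bridge` rather than `$1`, yet the default branch prints `usage: $0 [start|stop|restart]`, naming options the script does not implement; either set `TYPE="${1:-bridge}"` and list `bridge|server` in the usage line, or drop the usage branch. The `server)` branch attaches only the `blocker` jumps and `iptables_log` under the `-P INPUT DROP` / `-P OUTPUT DROP` policies set in `iptables_clear`, so it accepts nothing beyond loopback (none of `srv_ssh_in`, `srv_http_in`, `srv_dns_in` are jumped to); if that is a placeholder it needs a comment, otherwise running it on a remote host cuts off the session used to run it. The commented-out FORWARD rules reference `${NET_ADDR}`, which is defined nowhere in either script. On the positive side, `iptables-save > /etc/iptables/net.v4` now matches the path the rc.d description and the HTML use, where the removed version wrote `net.rules`.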