about summary refs log tree commit diff stats
path: root/core/conf/iptables/iptables-lan.sh
diff options
context:
space:
mode:
Diffstat (limited to 'core/conf/iptables/iptables-lan.sh')
-rw-r--r--core/conf/iptables/iptables-lan.sh277
1 files changed, 277 insertions, 0 deletions
diff --git a/core/conf/iptables/iptables-lan.sh b/core/conf/iptables/iptables-lan.sh
new file mode 100644
index 0000000..fae7345
--- /dev/null
+++ b/core/conf/iptables/iptables-lan.sh
@@ -0,0 +1,277 @@
+#!/bin/sh
+
+#------------------------------------------------------------------------------
+#
+# File: iptables_mint17.sh
+#
+# http://www.hardenedlinux.org
+#
+# Reference: Ruslan Abuzant <ruslan@abuzant.com>,  http://www.hackersgarage.com/
+# Changed by: Silvino Silva <silvino@bk.ru>
+#
+# License: GNU GPL (version 2, or any later version).
+#
+# Configuration.
+#------------------------------------------------------------------------------
+
+# For debugging use iptables -v.
+IPTABLES="/usr/sbin/iptables"
+IP6TABLES="/usr/sbin/ip6tables"
+MODPROBE="/sbin/modprobe"
+RMMOD="/sbin/rmmod"
+ARP="/usr/sbin/arp"
+
+# NIC interfaces
+NIC_NAME="enp8s0 wlp7s0"
+
+# Logging options.
+#------------------------------------------------------------------------------
+LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
+LOG="$LOG --log-ip-options"
+
+
+# Defaults for rate limiting
+#------------------------------------------------------------------------------
+RLIMIT="-m limit --limit 3/s --limit-burst 8"
+
+
+# Unprivileged ports.
+#------------------------------------------------------------------------------
+PHIGH="1024:65535"
+PSSH="1000:1023"
+
+
+# Load required kernel modules
+#------------------------------------------------------------------------------
+$MODPROBE ip_conntrack_ftp
+$MODPROBE ip_conntrack_irc
+
+
+# Mitigate ARP spoofing/poisoning and similar attacks.
+#------------------------------------------------------------------------------
+# Hardcode static ARP cache entries here
+# $ARP -s IP-ADDRESS MAC-ADDRESS
+
+
+# Default policies.
+#------------------------------------------------------------------------------
+
+# Drop everything by default.
+$IPTABLES -P INPUT DROP
+$IPTABLES -P FORWARD DROP
+$IPTABLES -P OUTPUT ACCEPT
+
+# Set the nat/mangle/raw tables' chains to ACCEPT
+
+$IPTABLES -t mangle -P PREROUTING ACCEPT
+$IPTABLES -t mangle -P INPUT ACCEPT
+$IPTABLES -t mangle -P FORWARD ACCEPT
+$IPTABLES -t mangle -P OUTPUT ACCEPT
+$IPTABLES -t mangle -P POSTROUTING ACCEPT
+
+# Cleanup.
+#------------------------------------------------------------------------------
+
+# Delete all
+$IPTABLES -F
+$IPTABLES -t mangle -F
+
+# Delete all
+$IPTABLES -X
+$IPTABLES -t mangle -X
+
+# Zero all packets and counters.
+$IPTABLES -Z
+$IPTABLES -t mangle -Z
+
+# Completely disable IPv6.
+#------------------------------------------------------------------------------
+
+# Block all IPv6 traffic
+# If the ip6tables command is available, try to block all IPv6 traffic.
+if test -x $IP6TABLES; then
+# Set the default policies
+# drop everything
+$IP6TABLES -P INPUT DROP 2>/dev/null
+$IP6TABLES -P FORWARD DROP 2>/dev/null
+$IP6TABLES -P OUTPUT DROP 2>/dev/null
+
+# The mangle table can pass everything
+$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
+$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
+$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
+$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
+$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null
+
+# Delete all rules.
+$IP6TABLES -F 2>/dev/null
+$IP6TABLES -t mangle -F 2>/dev/null
+
+# Delete all chains.
+$IP6TABLES -X 2>/dev/null
+$IP6TABLES -t mangle -X 2>/dev/null
+
+# Zero all packets and counters.
+$IP6TABLES -Z 2>/dev/null
+$IP6TABLES -t mangle -Z 2>/dev/null
+fi
+
+# Custom user-defined chains.
+#------------------------------------------------------------------------------
+
+# LOG packets, then ACCEPT.
+$IPTABLES -N ACCEPTLOG
+$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
+$IPTABLES -A ACCEPTLOG -j ACCEPT
+
+# LOG packets, then DROP.
+$IPTABLES -N DROPLOG
+$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
+$IPTABLES -A DROPLOG -j DROP
+
+# LOG packets, then REJECT.
+# TCP packets are rejected with a TCP reset.
+$IPTABLES -N REJECTLOG
+$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
+$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
+$IPTABLES -A REJECTLOG -j REJECT
+
+# Only allows RELATED ICMP types
+# (destination-unreachable, time-exceeded, and parameter-problem).
+# TODO: Rate-limit this traffic?
+# TODO: Allow fragmentation-needed?
+# TODO: Test.
+$IPTABLES -N RELATED_ICMP
+$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
+$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
+$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
+$IPTABLES -A RELATED_ICMP -j DROPLOG
+
+# Make It Even Harder To Multi-PING
+$IPTABLES  -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
+$IPTABLES  -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP:
+$IPTABLES  -A INPUT -p icmp -j DROP
+$IPTABLES  -A OUTPUT -p icmp -j ACCEPT
+
+# Only allow the minimally required/recommended parts of ICMP. Block the rest.
+#------------------------------------------------------------------------------
+
+# TODO: This section needs a lot of testing!
+
+# First, drop all fragmented ICMP packets (almost always malicious).
+$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
+$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
+$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG
+
+# Allow all ESTABLISHED ICMP traffic.
+$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
+$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
+
+# Allow some parts of the RELATED ICMP traffic, block the rest.
+$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
+$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
+
+# Allow incoming ICMP echo requests (ping), but only rate-limited.
+$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
+
+# Allow outgoing ICMP echo requests (ping), but only rate-limited.
+$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
+
+# Drop any other ICMP traffic.
+$IPTABLES -A INPUT -p icmp -j DROPLOG
+$IPTABLES -A OUTPUT -p icmp -j DROPLOG
+$IPTABLES -A FORWARD -p icmp -j DROPLOG
+
+# Selectively allow certain special types of traffic.
+#------------------------------------------------------------------------------
+
+# Allow loopback interface to do anything.
+$IPTABLES -A INPUT -i lo -j ACCEPT
+$IPTABLES -A OUTPUT -o lo -j ACCEPT
+
+# Allow incoming connections related to existing allowed connections.
+$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Allow outgoing connections EXCEPT invalid
+$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# Miscellaneous.
+#------------------------------------------------------------------------------
+
+# We don't care about Milkosoft, Drop SMB/CIFS/etc..
+#                     ^ person before me; my label = psychogreedyevilsoft
+$IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
+$IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
+
+# Explicitly drop invalid incoming traffic
+$IPTABLES -A INPUT -m state --state INVALID -j DROP
+
+# Drop invalid outgoing traffic, too.
+$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+
+# If we would use NAT, INVALID packets would pass - BLOCK them anyways
+$IPTABLES -A FORWARD -m state --state INVALID -j DROP
+
+# PORT Scanners (stealth also)
+$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
+$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
+
+# TODO: Some more anti-spoofing rules? For example:
+$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG
+
+$IPTABLES -N SYN_FLOOD
+$IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
+$IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
+
+$IPTABLES -A SYN_FLOOD -j DROP
+
+$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
+$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+
+$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
+$IPTABLES -A INPUT -f -j DROP
+
+
+# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...
+
+# Selectively allow certain inbound connections, block the rest.
+#------------------------------------------------------------------------------
+
+# Allow incoming SSH requests.
+$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
+
+# Explicitly log and reject everything else.
+#------------------------------------------------------------------------------
+# Use REJECT instead of REJECTLOG if you don't need/want logging.
+$IPTABLES -A INPUT -j REJECTLOG
+$IPTABLES -A OUTPUT -j REJECTLOG
+$IPTABLES -A FORWARD -j REJECTLOG
+
+# Counter hits
+
+for i in $NIC_NAME
+do
+	iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set
+	iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP
+done
+
+#------------------------------------------------------------------------------
+# Testing the firewall.
+#------------------------------------------------------------------------------
+
+# You should check/test that the firewall really works, using
+# iptables -vnL, nmap, ping, telnet, ...
+
+# Exit gracefully.
+#------------------------------------------------------------------------------
+
+    exit 0
generated by cgit-pink 1.4.1-2-gfad0 (git 2.36.2.497.gbbea4dcf42) at 2024-09-07 13:00:30 +0000