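#!/bin/sh
# minifirewall is shellscripts for easy firewalling on a standalone server
# we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
# See https://forge.evolix.org/projects/minifirewall
# Copyright (c) 2007-2015 Evolix
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 3
# of the License.
# Description
# script for standalone server
# Start or stop minifirewall
#
### BEGIN INIT INFO
# Provides:          minfirewall
# Required-Start:
# Required-Stop:
# Should-Start:      $network $syslog $named
# Should-Stop:       $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start and stop the firewall
# Description:       Firewall designed for standalone server
### END INIT INFO
#
# Usage: minifirewall {start|stop|restart|status|reset}
#
# Configuration is read from /etc/default/minifirewall, which is *sourced*
# as shell code (keep it root-owned and writable by root only). It must be
# silent: any stdout/stderr it produces aborts "start". Variables it is
# expected to define (all lists are whitespace separated):
#   INT             external interface name (used by -o rules)
#   INTLAN          local network/host always accepted on INPUT (IPv4)
#   TRUSTEDIPS      hosts/CIDRs accepted by the ONLYTRUSTED chain
#   PRIVILEGIEDIPS  hosts/CIDRs accepted by the ONLYPRIVILEGIED chain
#   SERVICESTCP1p SERVICESUDP1p   ports sent to the NEEDRESTRICT chain
#   SERVICESTCP1  SERVICESUDP1    public ports (ACCEPT)
#   SERVICESTCP2  SERVICESUDP2    ports restricted to ONLYPRIVILEGIED
#   SERVICESTCP3  SERVICESUDP3    ports restricted to ONLYTRUSTED
#   DNSSERVEURS HTTPSITES HTTPSSITES FTPSITES SSHOK SMTPOK SMTPSECUREOK NTPOK
#                   remote peers allowed for the matching outbound service
# Entries named "hosts/CIDRs" may be hostnames; see check_addr() for how
# (and when) they are resolved.

DESC="minifirewall"
NAME="minifirewall"

# Variables configuration
#########################

# iptables paths
IPT=/sbin/iptables
IPT6=/sbin/ip6tables

# TCP/IP variables (kept available for use in the configuration file)
LOOPBACK='127.0.0.0/8'
LOOPBACK6='::1'
CLASSA='10.0.0.0/8'
CLASSB='172.16.0.0/12'
CLASSC='192.168.0.0/16'
CLASSD='224.0.0.0/4'
CLASSE='240.0.0.0/5'
ALL='0.0.0.0'
BROAD='255.255.255.255'
PORTSROOT='0:1023'
PORTSUSER='1024:65535'

# Print the iptables binary matching the address family of $1.
# Anything containing ':' is treated as IPv6, everything else as IPv4.
# The test is wrapped in 'if' so it is safe under 'set -e' without
# toggling shell options from inside the helper.
ipxtables() {
  if echo "$1" | grep -q ':'; then
    echo "$IPT6"
  else
    echo "$IPT"
  fi
}

# Apply the same rule with both iptables and ip6tables.
# Uses the configured binaries ($IPT/$IPT6), not whatever "iptables"
# resolves to on $PATH; arguments are passed through unchanged.
ipalltables() {
  "$IPT" "$@"
  "$IPT6" "$@"
}

# Expand one configuration entry into addresses, one per line, on stdout.
#  - an entry containing '/' (CIDR) is echoed unchanged
#  - otherwise the entry is resolved with host(1); every "has address" /
#    "has IPv6 address" line contributes its last field
#  - if host(1) fails, a WARNING goes to stderr and nothing is printed,
#    so the caller adds no rule for that entry
#  - if host(1) succeeds but reports no address line, the entry is echoed
#    unchanged and left for iptables to interpret
# NOTE: names are resolved once, when "start" runs; the resulting rules are
# only as good as the DNS answer at that moment and are not refreshed.
check_addr() {
  addr=$1
  if echo "$addr" | grep -q '/'; then
    echo "$addr"
    return 0
  fi
  if ! resolved=$(host "$addr"); then
    echo "WARNING: $addr is invalid !" >&2
    return 0
  fi
  if echo "$resolved" | grep -q ' address '; then
    # Select A/AAAA lines positively. Excluding lines that merely contain
    # "mail" would also drop hosts whose own name contains it
    # (e.g. mail.example.com) and silently leave them without a rule.
    echo "$resolved" | grep ' address ' | awk '{ print $NF }'
  else
    echo "$addr"
  fi
}

case "$1" in
  start)
    echo "Start IPTables rules..."

    # Stop and warn if error!
    # If a step fails, the trap prints this message and the script exits
    # before the policies below are set, so a partially built ruleset is
    # left in place under the pre-existing policies.
    set -e
    trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)."' INT TERM EXIT

    # sysctl network security settings
    ##################################

    # Don't answer to broadcast pings
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # Ignore bogus ICMP responses
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    # Disable Source Routing
    for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
      echo 0 > "$i"
    done
    # Enable TCP SYN cookies to avoid TCP-SYN-FLOOD attacks
    # cf http://cr.yp.to/syncookies.html
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    # Disable ICMP redirects
    for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
      echo 0 > "$i"
    done
    for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
      echo 0 > "$i"
    done
    # Enable Reverse Path filtering : verify if responses use same network interface
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > "$i"
    done
    # Log packets with an inconsistent (martian) source address
    for i in /proc/sys/net/ipv4/conf/*/log_martians; do
      echo 1 > "$i"
    done

    # IPTables configuration
    ########################

    # NOTE: '-N' fails when the chain already exists (e.g. "start" run twice
    # without "stop"); under 'set -e' that aborts with the trap message.
    ipalltables -N LOG_DROP
    ipalltables -A LOG_DROP -j LOG #--log-prefix '[IPTABLES DROP] : '
    ipalltables -A LOG_DROP -j DROP
    ipalltables -N LOG_ACCEPT
    ipalltables -A LOG_ACCEPT -j LOG #--log-prefix '[IPTABLES ACCEPT] : '
    ipalltables -A LOG_ACCEPT -j ACCEPT

    # Configuration
    oldconfigfile="/etc/firewall.rc"
    configfile="/etc/default/minifirewall"
    if test -f "$oldconfigfile"; then
      echo "$oldconfigfile is deprecated, rename to $configfile" >&2
      exit 1
    fi
    if ! test -f "$configfile"; then
      echo "$configfile does not exist" >&2
      exit 1
    fi
    # The config file is executed as shell code; both its stdout and
    # stderr are captured and any output at all is treated as an error.
    tmpfile=$(mktemp)
    . "$configfile" 2>"$tmpfile" >&2
    if [ -s "$tmpfile" ]; then
      echo "$configfile returns standard or error output (see below). Stopping." >&2
      cat "$tmpfile" >&2
      rm -f -- "$tmpfile"
      exit 1
    fi
    rm -f -- "$tmpfile"

    # Trusted ip addresses
    ipalltables -N ONLYTRUSTED
    ipalltables -A ONLYTRUSTED -j LOG_DROP
    for addr in $TRUSTEDIPS; do
      check_addr "$addr" | while read -r ip; do
        "$(ipxtables "$ip")" -I ONLYTRUSTED -s "$ip" -j ACCEPT
      done
    done

    # Privilegied ip addresses
    # (trusted ip addresses *are* privilegied)
    ipalltables -N ONLYPRIVILEGIED
    ipalltables -A ONLYPRIVILEGIED -j ONLYTRUSTED
    for addr in $PRIVILEGIEDIPS; do
      check_addr "$addr" | while read -r ip; do
        "$(ipxtables "$ip")" -I ONLYPRIVILEGIED -s "$ip" -j ACCEPT
      done
    done

    # Chain for restrictions (blacklist IPs/ranges)
    # Created empty here; presumably filled by the administrator. An empty
    # chain returns to INPUT, so ports sent to it fall through to the
    # remaining INPUT rules and ultimately to the INPUT policy.
    ipalltables -N NEEDRESTRICT

    # We allow all on loopback interface
    ipalltables -A INPUT -i lo -j ACCEPT
    # if OUTPUTDROP
    ipalltables -A OUTPUT -o lo -j ACCEPT

    # We avoid "martians" packets, typical when W32/Blaster virus
    # attacked windowsupdate.com and DNS was changed to 127.0.0.1
    # ipalltables -t NAT -I PREROUTING -s $LOOPBACK -i ! lo -j DROP
    "$IPT" -A INPUT -s "$LOOPBACK" ! -i lo -j DROP
    "$IPT6" -A INPUT -s "$LOOPBACK6" ! -i lo -j DROP

    # Local services restrictions
    #############################

    # Allow services for $INTLAN (local server or local network)
    "$IPT" -A INPUT -s "$INTLAN" -j ACCEPT

    # Enable protection chain for sensible services
    for x in $SERVICESTCP1p; do
      ipalltables -A INPUT -p tcp --dport "$x" -j NEEDRESTRICT
    done
    for x in $SERVICESUDP1p; do
      ipalltables -A INPUT -p udp --dport "$x" -j NEEDRESTRICT
    done

    # Public service
    for x in $SERVICESTCP1; do
      ipalltables -A INPUT -p tcp --dport "$x" -j ACCEPT
    done
    for x in $SERVICESUDP1; do
      ipalltables -A INPUT -p udp --dport "$x" -j ACCEPT
    done

    # Privilegied services
    for x in $SERVICESTCP2; do
      ipalltables -A INPUT -p tcp --dport "$x" -j ONLYPRIVILEGIED
    done
    for x in $SERVICESUDP2; do
      ipalltables -A INPUT -p udp --dport "$x" -j ONLYPRIVILEGIED
    done

    # Private services
    for x in $SERVICESTCP3; do
      ipalltables -A INPUT -p tcp --dport "$x" -j ONLYTRUSTED
    done
    for x in $SERVICESUDP3; do
      ipalltables -A INPUT -p udp --dport "$x" -j ONLYTRUSTED
    done

    # External services
    ###################

    # DNS authorizations
    for x in $DNSSERVEURS; do
      ipalltables -A INPUT -p tcp ! --syn --sport 53 --dport "$PORTSUSER" -s "$x" -j ACCEPT
      ipalltables -A INPUT -p udp --sport 53 --dport "$PORTSUSER" -s "$x" -m state --state ESTABLISHED,RELATED -j ACCEPT
      ipalltables -A OUTPUT -o "$INT" -p udp -d "$x" --dport 53 --match state --state NEW -j ACCEPT
    done

    # HTTP (TCP/80) authorizations
    for addr in $HTTPSITES; do
      check_addr "$addr" | while read -r ip; do
        "$(ipxtables "$ip")" -A INPUT -p tcp ! --syn --sport 80 --dport "$PORTSUSER" -s "$ip" -j ACCEPT
      done
    done

    # HTTPS (TCP/443) authorizations
    for addr in $HTTPSSITES; do
      check_addr "$addr" | while read -r ip; do
        "$(ipxtables "$ip")" -A INPUT -p tcp ! --syn --sport 443 --dport "$PORTSUSER" -s "$ip" -j ACCEPT
      done
    done

    # FTP (so complex protocol...) authorizations
    for x in $FTPSITES; do
      # requests on Control connection
      ipalltables -A INPUT -p tcp ! --syn --sport 21 --dport "$PORTSUSER" -s "$x" -j ACCEPT
      # FTP port-mode on Data Connection
      ipalltables -A INPUT -p tcp --sport 20 --dport "$PORTSUSER" -s "$x" -j ACCEPT
      # FTP passive-mode on Data Connection
      # WARNING, this allow all connections on TCP ports > 1024
      ipalltables -A INPUT -p tcp ! --syn --sport "$PORTSUSER" --dport "$PORTSUSER" -s "$x" -j ACCEPT
    done

    # SSH authorizations
    for x in $SSHOK; do
      ipalltables -A INPUT -p tcp ! --syn --sport 22 -s "$x" -j ACCEPT
    done

    # SMTP authorizations
    for addr in $SMTPOK; do
      check_addr "$addr" | while read -r ip; do
        "$(ipxtables "$ip")" -A INPUT -p tcp ! --syn --sport 25 --dport "$PORTSUSER" -s "$ip" -j ACCEPT
      done
    done

    # secure SMTP (TCP/465 et TCP/587) authorizations
    for addr in $SMTPSECUREOK; do
      check_addr "$addr" | while read -r ip; do
        "$(ipxtables "$ip")" -A INPUT -p tcp ! --syn --sport 465 --dport "$PORTSUSER" -s "$ip" -j ACCEPT
        "$(ipxtables "$ip")" -A INPUT -p tcp ! --syn --sport 587 --dport "$PORTSUSER" -s "$ip" -j ACCEPT
      done
    done

    # NTP authorizations
    for x in $NTPOK; do
      ipalltables -A INPUT -p udp --sport 123 -s "$x" -j ACCEPT
      ipalltables -A OUTPUT -o "$INT" -p udp -d "$x" --dport 123 --match state --state NEW -j ACCEPT
    done

    # Always allow ICMP
    ipalltables -A INPUT -p icmp -j ACCEPT

    # IPTables policy
    #################

    # by default DROP INPUT packets
    ipalltables -P INPUT DROP
    # by default, no FORWARING (deprecated for Virtual Machines)
    #echo 0 > /proc/sys/net/ipv4/ip_forward
    #ipalltables -P FORWARD DROP
    #ipalltables6 -P FORWARD DROP
    # by default allow OUTPUT packets... but drop UDP packets (see OUTPUTDROP to drop OUTPUT packets)
    ipalltables -P OUTPUT ACCEPT
    # 33434:33523 is the usual UDP port range used by traceroute probes
    ipalltables -A OUTPUT -o "$INT" -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
    ipalltables -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
    ipalltables -A OUTPUT -p udp -j DROP

    trap - INT TERM EXIT
    echo "...starting IPTables rules is now finish : OK"
    ;;

  stop)
    # Flushing and switching the policies to ACCEPT leaves the host
    # fully open until "start" is run again.
    echo "Flush all rules and accept everything..."

    # Delete all rules
    ipalltables -F INPUT
    ipalltables -F OUTPUT
    ipalltables -F LOG_DROP
    ipalltables -F LOG_ACCEPT
    ipalltables -F ONLYTRUSTED
    ipalltables -F ONLYPRIVILEGIED
    ipalltables -F NEEDRESTRICT
    ipalltables -t nat -F
    ipalltables -t mangle -F

    # Accept all
    ipalltables -P INPUT ACCEPT
    ipalltables -P OUTPUT ACCEPT
    #ipalltables -P FORWARD ACCEPT
    #ipalltables -t nat -P PREROUTING ACCEPT
    #ipalltables -t nat -P POSTROUTING ACCEPT

    # Delete non-standard chains
    ipalltables -X LOG_DROP
    ipalltables -X LOG_ACCEPT
    ipalltables -X ONLYPRIVILEGIED
    ipalltables -X ONLYTRUSTED
    ipalltables -X NEEDRESTRICT

    echo "...flushing IPTables rules is now finish : OK"
    ;;

  status)
    # List the filter, nat and mangle tables for both address families
    ipalltables -L -n -v --line-numbers
    ipalltables -t nat -L -n -v --line-numbers
    ipalltables -t mangle -L -n -v --line-numbers
    ;;

  reset)
    echo "Reset all IPTables counters..."
    ipalltables -Z
    ipalltables -t nat -Z
    ipalltables -t mangle -Z
    echo "...reseting IPTables counters is now finish : OK"
    ;;

  restart)
    # Each action runs as a separate process; a failing "stop" does not
    # prevent "start" from running.
    "$0" stop
    "$0" start
    ;;

  *)
    # Only the actions implemented above are advertised
    # (the former usage line also listed "squid", which has no arm).
    echo "Usage: $0 {start|stop|restart|status|reset}"
    exit 1
    ;;
esac

exit 0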