evolix
/
minifirewall
18
0
Fork 0
Code Issues 4 Pull Requests 3 Releases 1 Activity
minifirewall/minifirewall

421 lines
10 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
# minifirewall is shellscripts for easy firewalling on a standalone server
# we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
# See https://forge.evolix.org/projects/minifirewall
# Copyright (c) 2007-2015 Evolix
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 3
# of the License.
# Description
# script for standalone server
# Start or stop minifirewall
#
### BEGIN INIT INFO
# Provides: minfirewall
# Required-Start:
# Required-Stop:
# Should-Start: $network $syslog $named
# Should-Stop: $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop the firewall
# Description: Firewall designed for standalone server
### END INIT INFO
DESC="minifirewall"
NAME="minifirewall"
# Variables configuration
#########################
# iptables paths
IPT=/sbin/iptables
IPT6=/sbin/ip6tables
# TCP/IP variables
LOOPBACK='127.0.0.0/8'
LOOPBACK6='::1'
CLASSA='10.0.0.0/8'
CLASSB='172.16.0.0/12'
CLASSC='192.168.0.0/16'
CLASSD='224.0.0.0/4'
CLASSE='240.0.0.0/5'
ALL='0.0.0.0'
BROAD='255.255.255.255'
PORTSROOT='0:1023'
PORTSUSER='1024:65535'
ipxtables() {
set +e
ip=$1
echo "$ip"|grep -q ":"
if [ $? -ne 0 ]; then
echo $IPT
else
echo $IPT6
fi
set -e
}
ipalltables() {
iptables $@
ip6tables $@
}
check_addr() {
set +e
addr=$1
echo $addr|grep -q "/"
if [ $? -eq 0 ]; then
echo $addr
else
host=$(host $addr)
if [ $? -ne 0 ]; then
echo "WARNING: $addr is invalid !" >&2
else
echo "$host"|grep -q "address"
if [ $? -eq 0 ]; then
echo "$host"|grep -v "mail"|awk '{ print $NF }'|while read ip; do
echo $ip
done
else
echo $addr
fi
fi
fi
set -e
}
case "$1" in
start)
echo "Start IPTables rules..."
# Stop and warn if error!
set -e
trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." ' INT TERM EXIT
# sysctl network security settings
##################################
# Don't answer to broadcast pings
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Ignore bogus ICMP responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Disable Source Routing
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $i
done
# Enable TCP SYN cookies to avoid TCP-SYN-FLOOD attacks
# cf http://cr.yp.to/syncookies.html
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP redirects
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $i
done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $i
done
# Enable Reverse Path filtering : verify if responses use same network interface
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $i
done
# log des paquets avec adresse incoherente
for i in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $i
done
# IPTables configuration
########################
ipalltables -N LOG_DROP
ipalltables -A LOG_DROP -j LOG #--log-prefix '[IPTABLES DROP] : '
ipalltables -A LOG_DROP -j DROP
ipalltables -N LOG_ACCEPT
ipalltables -A LOG_ACCEPT -j LOG #--log-prefix '[IPTABLES ACCEPT] : '
ipalltables -A LOG_ACCEPT -j ACCEPT
# Configuration
oldconfigfile="/etc/firewall.rc"
configfile="/etc/default/minifirewall"
if test -f $oldconfigfile; then
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
exit 1
fi
if ! test -f $configfile; then
echo "$configfile does not exist" >&2
exit 1
fi
tmpfile=`mktemp`
. $configfile 2>$tmpfile >&2
if [ -s $tmpfile ]; then
echo "$configfile returns standard or error output (see below). Stopping." >&2
cat $tmpfile
exit 1
fi
rm $tmpfile
# Trusted ip addresses
ipalltables -N ONLYTRUSTED
ipalltables -A ONLYTRUSTED -j LOG_DROP
for addr in $TRUSTEDIPS; do
check_addr $addr|while read ip; do
$(ipxtables $ip) -I ONLYTRUSTED -s $ip -j ACCEPT
done
done
# Privilegied ip addresses
# (trusted ip addresses *are* privilegied)
ipalltables -N ONLYPRIVILEGIED
ipalltables -A ONLYPRIVILEGIED -j ONLYTRUSTED
for addr in $PRIVILEGIEDIPS; do
check_addr $addr|while read ip; do
$(ipxtables $ip) -I ONLYPRIVILEGIED -s $ip -j ACCEPT
done
done
# Chain for restrictions (blacklist IPs/ranges)
ipalltables -N NEEDRESTRICT
# We allow all on loopback interface
ipalltables -A INPUT -i lo -j ACCEPT
# if OUTPUTDROP
ipalltables -A OUTPUT -o lo -j ACCEPT
# We avoid "martians" packets, typical when W32/Blaster virus
# attacked windowsupdate.com and DNS was changed to 127.0.0.1
# ipalltables -t NAT -I PREROUTING -s $LOOPBACK -i ! lo -j DROP
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
$IPT6 -A INPUT -s $LOOPBACK6 ! -i lo -j DROP
# Local services restrictions
#############################
# Allow services for $INTLAN (local server or local network)
$IPT -A INPUT -s $INTLAN -j ACCEPT
# Enable protection chain for sensible services
for x in $SERVICESTCP1p
do
ipalltables -A INPUT -p tcp --dport $x -j NEEDRESTRICT
done
for x in $SERVICESUDP1p
do
ipalltables -A INPUT -p udp --dport $x -j NEEDRESTRICT
done
# Public service
for x in $SERVICESTCP1
do
ipalltables -A INPUT -p tcp --dport $x -j ACCEPT
done
for x in $SERVICESUDP1
do
ipalltables -A INPUT -p udp --dport $x -j ACCEPT
done
# Privilegied services
for x in $SERVICESTCP2
do
ipalltables -A INPUT -p tcp --dport $x -j ONLYPRIVILEGIED
done
for x in $SERVICESUDP2
do
ipalltables -A INPUT -p udp --dport $x -j ONLYPRIVILEGIED
done
# Private services
for x in $SERVICESTCP3
do
ipalltables -A INPUT -p tcp --dport $x -j ONLYTRUSTED
done
for x in $SERVICESUDP3
do
ipalltables -A INPUT -p udp --dport $x -j ONLYTRUSTED
done
# External services
###################
# DNS authorizations
for x in $DNSSERVEURS
do
ipalltables -A INPUT -p tcp ! --syn --sport 53 --dport $PORTSUSER -s $x -j ACCEPT
ipalltables -A INPUT -p udp --sport 53 --dport $PORTSUSER -s $x -m state --state ESTABLISHED,RELATED -j ACCEPT
ipalltables -A OUTPUT -o $INT -p udp -d $x --dport 53 --match state --state NEW -j ACCEPT
done
# HTTP (TCP/80) authorizations
for addr in $HTTPSITES
do
check_addr $addr|while read ip; do
$(ipxtables $ip) -A INPUT -p tcp ! --syn --sport 80 --dport $PORTSUSER -s $ip -j ACCEPT
done
done
# HTTPS (TCP/443) authorizations
for addr in $HTTPSSITES
do
check_addr $addr|while read ip; do
$(ipxtables $ip) -A INPUT -p tcp ! --syn --sport 443 --dport $PORTSUSER -s $ip -j ACCEPT
done
done
# FTP (so complex protocol...) authorizations
for x in $FTPSITES
do
# requests on Control connection
ipalltables -A INPUT -p tcp ! --syn --sport 21 --dport $PORTSUSER -s $x -j ACCEPT
# FTP port-mode on Data Connection
ipalltables -A INPUT -p tcp --sport 20 --dport $PORTSUSER -s $x -j ACCEPT
# FTP passive-mode on Data Connection
# WARNING, this allow all connections on TCP ports > 1024
ipalltables -A INPUT -p tcp ! --syn --sport $PORTSUSER --dport $PORTSUSER -s $x -j ACCEPT
done
# SSH authorizations
for x in $SSHOK
do
ipalltables -A INPUT -p tcp ! --syn --sport 22 -s $x -j ACCEPT
done
# SMTP authorizations
for addr in $SMTPOK
do
check_addr $addr|while read ip; do
$(ipxtables $ip) -A INPUT -p tcp ! --syn --sport 25 --dport $PORTSUSER -s $ip -j ACCEPT
done
done
# secure SMTP (TCP/465 et TCP/587) authorizations
for addr in $SMTPSECUREOK
do
check_addr $addr|while read ip; do
$(ipxtables $ip) -A INPUT -p tcp ! --syn --sport 465 --dport $PORTSUSER -s $ip -j ACCEPT
$(ipxtables $ip) -A INPUT -p tcp ! --syn --sport 587 --dport $PORTSUSER -s $ip -j ACCEPT
done
done
# NTP authorizations
for x in $NTPOK
do
ipalltables -A INPUT -p udp --sport 123 -s $x -j ACCEPT
ipalltables -A OUTPUT -o $INT -p udp -d $x --dport 123 --match state --state NEW -j ACCEPT
done
# Always allow ICMP
ipalltables -A INPUT -p icmp -j ACCEPT
# IPTables policy
#################
# by default DROP INPUT packets
ipalltables -P INPUT DROP
# by default, no FORWARING (deprecated for Virtual Machines)
#echo 0 > /proc/sys/net/ipv4/ip_forward
#ipalltables -P FORWARD DROP
#ipalltables6 -P FORWARD DROP
# by default allow OUTPUT packets... but drop UDP packets (see OUTPUTDROP to drop OUTPUT packets)
ipalltables -P OUTPUT ACCEPT
ipalltables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
ipalltables -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
ipalltables -A OUTPUT -p udp -j DROP
trap - INT TERM EXIT
echo "...starting IPTables rules is now finish : OK"
;;
stop)
echo "Flush all rules and accept everything..."
# Delete all rules
ipalltables -F INPUT
ipalltables -F OUTPUT
ipalltables -F LOG_DROP
ipalltables -F LOG_ACCEPT
ipalltables -F ONLYTRUSTED
ipalltables -F ONLYPRIVILEGIED
ipalltables -F NEEDRESTRICT
ipalltables -t nat -F
ipalltables -t mangle -F
# Accept all
ipalltables -P INPUT ACCEPT
ipalltables -P OUTPUT ACCEPT
#ipalltables -P FORWARD ACCEPT
#ipalltables -t nat -P PREROUTING ACCEPT
#ipalltables -t nat -P POSTROUTING ACCEPT
# Delete non-standard chains
ipalltables -X LOG_DROP
ipalltables -X LOG_ACCEPT
ipalltables -X ONLYPRIVILEGIED
ipalltables -X ONLYTRUSTED
ipalltables -X NEEDRESTRICT
echo "...flushing IPTables rules is now finish : OK"
;;
status)
ipalltables -L -n -v --line-numbers
ipalltables -t nat -L -n -v --line-numbers
ipalltables -t mangle -L -n -v --line-numbers
;;
reset)
echo "Reset all IPTables counters..."
ipalltables -Z
ipalltables -t nat -Z
ipalltables -t mangle -Z
echo "...reseting IPTables counters is now finish : OK"
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|restart|status|reset|squid}"
exit 1
esac
exit 0
Reference in New Issue View Git Blame Copy Permalink