
 Template of a netfilter (iptables) daemon script

#!/bin/bash
#
# Basic iptable configuration
#
# Julien Blitte - julien.blitte@gmail.com
#
# This configuration only enables the following services:
# incoming: dhcp (client), ssh (server) reached through port 22022 (redirected to 22)
# outgoing: dns (client), dhcp (client), http (client), tls (client),
#           ftp (client), jabber (client), ssh (client), ntp (client),
#           tse/rdp (client), cifs over ip (client),
#           ping (requester), proxy (client), ipsec (client)
#
# Warning:
# All other ports are filtered (dropped packets are logged), the host does
# not answer ping, and no mail service is allowed in either direction.
#


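# tcp
ftp=21
ssh=22
ssh_translated=22022   # public ssh port; redirected to $ssh by iptables_translate_tcp_in
http=80
proxies="3128 8080"    # space-separated list: the accept helpers word-split it on purpose
tls=443
whois=43
rdesktop=3389
jabber=5222
cifs=445

# udp
dns=53
# IANA: 67/udp is bootps (the server side), 68/udp is bootpc (the client
# side).  The original had the two values swapped, so a DHCP *client*
# host accepted the server's port inbound and sent requests to the
# client port outbound.  With the corrected values the start branch
# accepts server replies on 68 and lets requests out to 67.  (Many DHCP
# clients send their initial broadcast on a packet socket that bypasses
# netfilter, but unicast renewals typically do not, so this matters.)
dhcp_server=67
dhcp_client=68
ntp=123
isakmp=500
ipsec=4500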

######## /proc/ configuration file API ########
proc_enable()
{
	# Write "1" into every sysctl/procfs knob given as an argument.
	# Callers pass globs such as /proc/sys/net/ipv4/conf/*/rp_filter;
	# the shell expands them before this function runs.
	local knob
	for knob in "$@"
	do
		printf '1\n' > "$knob"
	done
}

proc_disable()
{
	# Write "0" into every sysctl/procfs knob given as an argument
	# (counterpart of proc_enable; same glob-expansion convention).
	local knob
	for knob in "$@"
	do
		printf '0\n' > "$knob"
	done
}

######## ip4 configuration ########
ip4_enable_forwarding()
{
	# Turn on IPv4 routing between interfaces.  The start branch keeps
	# this call commented out; even when enabled, the FORWARD chain built
	# by iptables_log_drop ends in a catch-all drop, so forwarding needs
	# explicit accept rules as well.
	local knob=/proc/sys/net/ipv4/ip_forward
	proc_enable "$knob"
}

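ip4_securize()
{
	# Kernel-side IPv4 hardening, applied before any iptables rule.
	# The globs under /proc/sys/net/ipv4/conf/ cover "all", "default" and
	# every interface that exists when the script runs; interfaces that
	# appear later inherit only the "default" values.

	# Do not answer echo requests sent to a broadcast address
	# (smurf-style amplification).
	proc_enable /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

	# Ignore ICMP errors that violate RFC 1122 instead of logging each one.
	proc_enable /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

	# Reverse-path filtering: drop packets whose source address would not
	# be routed back out of the receiving interface (anti-spoofing).
	# Value 1 is strict mode; on multi-homed hosts with asymmetric routing
	# it can discard legitimate traffic - consider the loose mode (2) there.
	proc_enable /proc/sys/net/ipv4/conf/*/rp_filter

	# ICMP redirects let a neighbour rewrite this host's routes;
	# neither accept nor emit them.
	proc_disable /proc/sys/net/ipv4/conf/*/accept_redirects
	proc_disable /proc/sys/net/ipv4/conf/*/send_redirects

	# Source-routed packets let the sender dictate the path - refuse them.
	proc_disable /proc/sys/net/ipv4/conf/*/accept_source_route

	# Log martians (spoofed, source-routed and redirected packets).
	# ip4_unsecurize switches this off, so the hardening path has to
	# switch it on; the original only ever disabled it and never enabled it.
	proc_enable /proc/sys/net/ipv4/conf/*/log_martians
}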

ip4_unsecurize()
{
	# Undo ip4_securize: every knob it turns on is turned off and vice
	# versa, and martian logging is switched off as well.
	# NOTE(review): this re-enables ICMP redirects and source routing,
	# which is weaker than most distributions ship by default, so "stop"
	# leaves the host less hardened than before the script was first run.
	local ipv4=/proc/sys/net/ipv4

	# knobs that are 1 when hardened
	proc_disable \
		"$ipv4"/icmp_echo_ignore_broadcasts \
		"$ipv4"/icmp_ignore_bogus_error_responses \
		"$ipv4"/conf/*/rp_filter \
		"$ipv4"/conf/*/log_martians

	# knobs that are 0 when hardened
	proc_enable \
		"$ipv4"/conf/*/accept_redirects \
		"$ipv4"/conf/*/send_redirects \
		"$ipv4"/conf/*/accept_source_route
}

######## iptable main functions ########
kernel_load()
{
	# Preload the netfilter modules the rule set relies on.  These are
	# the legacy (2.4/2.6-era) module names; recent kernels ship most of
	# them as xt_* / nf_conntrack_* and iptables usually autoloads what a
	# rule needs, so a "module not found" from modprobe here is normally
	# harmless - the loop continues regardless of modprobe's exit status.
	local -a modules=(
		iptable_filter ip_tables
		ipt_state ipt_tcp ipt_udp ipt_LOG
		ip_conntrack_ftp
		ipt_connmark ipt_mark
	)
	local module
	for module in "${modules[@]}"
	do
		modprobe "$module"
	done
}

iptables_flush()
{
	# Empty the three tables this script writes to, then remove the
	# custom chains it created.  "-X" without "-t" only affects the
	# filter table, which is the only table where this script adds
	# chains (the raw table is never touched by this script).
	local table
	for table in filter nat mangle
	do
		iptables -t "$table" -F
	done
	iptables -X
}

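iptables_policy_drop()
{
	# Default-deny on every built-in chain of the filter table.
	# The original left FORWARD at ACCEPT.  The start branch masks that
	# with the catch-all drop rule iptables_log_drop appends to FORWARD,
	# but a DROP policy keeps the host fail-closed if rule construction
	# is interrupted between this call and that final rule (and the
	# resulting rule set behaves the same either way).
	iptables -P INPUT DROP
	iptables -P OUTPUT DROP
	iptables -P FORWARD DROP
}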

iptables_policy_accept()
{
	# Default-allow on every built-in chain of the filter table
	# (used by the stop branch after the tables have been flushed).
	local chain
	for chain in INPUT OUTPUT FORWARD
	do
		iptables -P "$chain" ACCEPT
	done
}

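iptables_log_drop_invalid()
{
	# Packets conntrack cannot associate with any known flow (bad TCP
	# flags, out-of-window segments, stray ICMP errors) are logged and
	# dropped on INPUT and rejected on OUTPUT.  Both the start and the
	# stop branch install this before any accept rule.
	iptables -N LOG_DROP_INVALID
	# Rate-limit the LOG target: without "-m limit" a flood of crafted
	# invalid segments writes one kernel-log line per packet, which is a
	# cheap way to fill /var/log and starve syslog.
	iptables -A LOG_DROP_INVALID -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "netfilter [invalid]"
	iptables -A LOG_DROP_INVALID -j DROP

	iptables -A INPUT -m state --state INVALID -j LOG_DROP_INVALID
	iptables -A OUTPUT -m state --state INVALID -j REJECT
}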

iptables_accept_related()
{
	# Conntrack fast path: anything belonging to, or related to, a flow
	# that was already allowed is accepted in both directions.  Every
	# per-service rule after this only has to allow the first packet.
	local chain
	for chain in INPUT OUTPUT
	do
		iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
	done
}

iptables_accept_interface()
{
	# Fully trust every interface named on the command line, in both
	# directions.  The start branch passes only "lo".  The match is on
	# the interface, not on 127.0.0.0/8; spoofed loopback sources arriving
	# on another interface are left to rp_filter (see ip4_securize).
	local ifname
	for ifname in "$@"
	do
		iptables -A INPUT -i "$ifname" -j ACCEPT
		iptables -A OUTPUT -o "$ifname" -j ACCEPT
	done
}

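iptables_reject_multicast()
{
	# Silently discard inbound multicast so it never reaches the logging
	# catch-all rule (mDNS, SSDP and routing protocols chatter constantly
	# on most LANs).  The INPUT policy is DROP anyway; this rule only
	# suppresses log noise.
	# IPv4 multicast is 224.0.0.0/4 (224.0.0.0 - 239.255.255.255).  The
	# original /8 covered only 224.x.x.x, so e.g. SSDP on 239.255.255.250
	# still went to the logger.  Despite the name the rule DROPs rather
	# than REJECTs; that is kept, since answering multicast with ICMP
	# errors makes no sense.
	iptables -A INPUT -d 224.0.0.0/4 -j DROP
}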

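# add me at last position: everything not accepted above is logged and
# discarded here, so this must be the final function called by "start".
iptables_log_drop()
{
	# Terminal catch-all for each built-in chain: log, then DROP (INPUT,
	# FORWARD) or REJECT (OUTPUT, so local applications fail fast instead
	# of timing out).  Every LOG rule is rate-limited: without "-m limit"
	# a port scan or packet flood writes one kernel-log line per packet,
	# which is a cheap way to fill /var/log and starve syslog.
	iptables -N LOG_DROP_IN
	iptables -A LOG_DROP_IN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "netfilter [in]"
	iptables -A LOG_DROP_IN -j DROP

	iptables -N LOG_DROP_OUT
	iptables -A LOG_DROP_OUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "netfilter [out]"
	iptables -A LOG_DROP_OUT -j REJECT

	iptables -N LOG_DROP_FWD
	iptables -A LOG_DROP_FWD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "netfilter [fwd]"
	iptables -A LOG_DROP_FWD -j DROP

	# the jumps go in last so the chains exist before they are referenced
	iptables -A INPUT -j LOG_DROP_IN
	iptables -A OUTPUT -j LOG_DROP_OUT
	iptables -A FORWARD -j LOG_DROP_FWD
}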

######## iptable setting functions ########
iptables_accept_tcp_in()
{
	# Allow new inbound TCP connections to each listed port; the rest of
	# the flow is handled by the ESTABLISHED,RELATED rule.
	local port
	for port in "$@"
	do
		iptables -A INPUT -m state --state NEW -p tcp --dport "$port" -j ACCEPT
	done
}

iptables_accept_tcp_out()
{
	# Allow new outbound TCP connections to each listed destination port.
	# Callers pass plain numbers or space-separated lists (e.g. $proxies).
	local port
	for port in "$@"
	do
		iptables -A OUTPUT -m state --state NEW -p tcp --dport "$port" -j ACCEPT
	done
}

iptables_accept_udp_in()
{
	# Accept inbound UDP to each listed port, stateless (no --state NEW),
	# since e.g. broadcast DHCP replies do not match the reverse tuple of
	# the request conntrack built.
	local port
	for port in "$@"
	do
		iptables -A INPUT -p udp --dport "$port" -j ACCEPT
	done
}

iptables_accept_udp_in_symetric()
{
	# Accept inbound UDP whose source and destination port are both the
	# listed port (protocols that talk port-to-same-port, e.g. ntp peers).
	# Not used by the start branch; the misspelled name is kept because
	# external callers of this template may reference it.
	local port
	for port in "$@"
	do
		iptables -A INPUT -p udp --sport "$port" --dport "$port" -j ACCEPT
	done
}

iptables_accept_udp_out()
{
	# Accept outbound UDP to each listed destination port (stateless).
	local port
	for port in "$@"
	do
		iptables -A OUTPUT -p udp --dport "$port" -j ACCEPT
	done
}

iptables_accept_icmp_out()
{
	# Let this host ping others: the answers - echo-reply (0),
	# destination-unreachable (3) and time-exceeded (11) - may come in,
	# and echo-request (8) may go out.  With conntrack active the replies
	# are normally covered by the ESTABLISHED,RELATED rule already; these
	# rules make the intent explicit.
	local reply_type
	for reply_type in 0 3 11
	do
		iptables -A INPUT -p icmp --icmp-type "$reply_type" -j ACCEPT
	done

	iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
}

iptables_accept_icmp_in()
{
	# Let others ping this host: echo-request (8) may come in, and the
	# answers - echo-reply (0), destination-unreachable (3) and
	# time-exceeded (11) - may go out.  Commented out in the start
	# branch, which is why the header says the host does not answer ping.
	local reply_type
	iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

	for reply_type in 0 3 11
	do
		iptables -A OUTPUT -p icmp --icmp-type "$reply_type" -j ACCEPT
	done
}

iptables_translate_tcp_in()
{
	# Expose the service listening on local port $1 through public port
	# $2: packets for $2 get mark bit 1 in mangle/PREROUTING, are
	# redirected to $1 in nat/PREROUTING, and only *marked* packets are
	# then accepted for $1 in filter/INPUT.  A client that connects to
	# port $1 directly is therefore not accepted and falls through to
	# the logging catch-all.
	# Argument order is (real_port, public_port), e.g. "$ssh $ssh_translated".
	local real=$1 public=$2
	iptables -t mangle -A PREROUTING -p tcp --dport "$public" -j MARK --or-mark 1
	iptables -t nat -A PREROUTING -p tcp --dport "$public" -j REDIRECT --to-port "$real"

	iptables -A INPUT -p tcp --dport "$real" -m mark --mark 1/1 -j ACCEPT
}

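iptables_translate_tcp_out()
{
	# Mirror of iptables_translate_tcp_in for locally generated traffic:
	# connections to port $2 are redirected to local port $1, and only the
	# redirected (marked) packets are accepted on OUTPUT.
	# The original filter rule used "-j NAT", which is not an iptables
	# target, so the command failed outright.  The mark/redirect/accept
	# sequence below follows the _in twin; the intended behaviour is
	# inferred from that twin (not used by the start branch).
	# Argument order is (real_port, public_port).
	local real=$1 public=$2
	iptables -t mangle -A OUTPUT -p tcp --dport "$public" -j MARK --or-mark 1
	iptables -t nat -A OUTPUT -p tcp --dport "$public" -j REDIRECT --to-port "$real"
	# OUTPUT traversal is mangle -> nat -> filter, so the filter rule
	# already sees the rewritten destination port.  The redirected packet
	# is then delivered via lo, which iptables_accept_interface 'lo' allows.
	iptables -A OUTPUT -p tcp --dport "$real" -m mark --mark 1/1 -j ACCEPT
}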


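if [ "$UID" -ne 0 ]
then
	echo 'You must be root!' >&2
	exit 1
fi

######## parameters handling ########
# Usage: firewall {start|restart|stop|show|install}
# "start" and "restart" are the same thing: the rule set is rebuilt from
# scratch after a flush.  Note the ordering inside start: the default
# policy becomes DROP before the ESTABLISHED,RELATED rule is added, so an
# SSH session used to run this script stalls for a moment and is cut off
# for good if the script dies in between.  When working remotely, arm a
# fallback first in another session, e.g. "sleep 120 && $0 stop".
case "$1" in
	start|restart)
		ip4_securize
		#ip4_enable_forwarding

		kernel_load

		iptables_flush
		iptables_policy_drop

		# order matters: INVALID first, then multicast noise, then the
		# conntrack fast path, then per-service rules, logging last
		iptables_log_drop_invalid
		iptables_reject_multicast
		iptables_accept_related

		iptables_accept_interface 'lo'

		# ssh is reachable only through the translated public port
		iptables_translate_tcp_in $ssh $ssh_translated

		# $proxies is a space-separated list and must stay unquoted
		iptables_accept_tcp_out $ftp $ssh $http $tls $jabber $proxies $rdesktop $whois $cifs

		iptables_accept_udp_in $dhcp_client
		iptables_accept_udp_out $dhcp_server $dns $ntp $isakmp $ipsec

		iptables_accept_icmp_out
		#iptables_accept_icmp_in

		iptables_log_drop
	;;
	stop)
		# Opens everything except INVALID and multicast, and relaxes the
		# sysctl hardening as well (see ip4_unsecurize).
		ip4_unsecurize
		#ip4_enable_forwarding

		iptables_flush
		iptables_policy_accept

		iptables_log_drop_invalid
		iptables_reject_multicast
	;;
	show)
		for table in filter mangle nat
		do
			echo "------------[ $table ]-------------"

			iptables -t "$table" -L -v -n
		done

	;;
	install)
		# Only meaningful on update-rc.d/invoke-rc.d (Debian-style sysvinit)
		# systems; the script carries no LSB header, so insserv-based
		# dependency ordering may complain.  Abort if the copy fails rather
		# than registering a service whose script is missing.
		cp "$0" '/etc/init.d/firewall' || exit 1
		update-rc.d firewall defaults
		invoke-rc.d firewall start
	;;
	*)
		# usage goes to stderr and an unknown action is an error, not a
		# success, so init tooling and scripts notice the typo
		echo "$(basename "$0") [(re)start|stop|show|install]" >&2
		echo >&2
		exit 2
	;;
esac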
