Sur: Script que configura iptables antes de que se active la red
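#!/bin/bash
##
## /root/firewall/sur_firewall_1_pre_network.sh
##
## Configures iptables on a Raspbian OS server.
##
## This file is related to this note:
## https://www.luispa.com/linux/2014/10/19/bridge-ethernet.html
##
## Applies the iptables rule set BEFORE the network is brought up, so the
## default-DROP policies are already in place when the interfaces come up.
##
## Globals (read; all expected from sur_firewall_inames.sh):
##   ifWan, ifBridgeIPTV, ifLanInternetViaNorte, ifLanInternetViaSur,
##   ipBridgeIPTV, ipLanInternetViaNorte, ipLanInternetViaSur, INTRANET
## Runs as root (it sources /root/firewall/* and calls iptables directly).
##

# Interface names and address ranges of my network come from this file.
. /root/firewall/sur_firewall_inames.sh

# Per-chain logging switches ("yes" adds a LOG rule to that chain).
export LOGALL="no"
export LOGDROP="no"
export LOGSERVICIOS="no"
export LOGMCAST="no"
export LOGINVALID="no"
# Logging target (journald). Kept as a plain string because it is exported
# for the sibling firewall scripts; it is deliberately used UNQUOTED so the
# target name and its options become separate iptables arguments.
export LOGGING="LOG --log-level info --log-prefix"

# Wipe the previous rule set.
/root/firewall/sur_firewall_clean.sh

# Default policy: drop EVERYTHING. This goes first so that any failure later
# in this script leaves the host closed rather than open.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F

# Stop here (already fail-closed) if the sourced file did not define the
# names interpolated below: an empty expansion would otherwise yield a
# malformed rule or one much broader than intended.
: "${ifWan:?not set by sur_firewall_inames.sh}"
: "${ifBridgeIPTV:?not set by sur_firewall_inames.sh}"
: "${ifLanInternetViaNorte:?not set by sur_firewall_inames.sh}"
: "${ifLanInternetViaSur:?not set by sur_firewall_inames.sh}"
: "${ipBridgeIPTV:?not set by sur_firewall_inames.sh}"
: "${ipLanInternetViaNorte:?not set by sur_firewall_inames.sh}"
: "${ipLanInternetViaSur:?not set by sur_firewall_inames.sh}"
: "${INTRANET:?not set by sur_firewall_inames.sh}"

# TCP MSS clamping / pending: still to be checked whether it is needed.
#iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Accept any established session.
# Everything that reaches the ESTABLISHED/RELATED conntrack state is allowed.
iptables -N CH_ESTABLISHED
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CH_ESTABLISHED
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CH_ESTABLISHED
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j CH_ESTABLISHED
if [ "${LOGALL}" = "yes" ]; then
  # shellcheck disable=SC2086 -- LOGGING must word-split into several arguments
  iptables -A CH_ESTABLISHED -j ${LOGGING} "CH_ESTABLISHED -- OK "
fi
iptables -A CH_ESTABLISHED -j ACCEPT

# Allow multicast traffic, needed for Movistar TV.
# Allowed everywhere, even from the WAN (which is never going to happen).
# NOTE: these rules are INSERTED (-I), so they sit above the anti-spoofing
# rules appended further down.
iptables -N CH_MULTICAST
iptables -I INPUT -d 224.0.0.0/4 -j CH_MULTICAST
iptables -I OUTPUT -d 224.0.0.0/4 -j CH_MULTICAST
iptables -I FORWARD -d 224.0.0.0/4 -j CH_MULTICAST
if [ "${LOGMCAST}" = "yes" ]; then
  # shellcheck disable=SC2086
  iptables -A CH_MULTICAST -j ${LOGGING} "CH_MULTICAST -- OK "
fi
iptables -A CH_MULTICAST -j ACCEPT

# SNAT: traffic towards the Internet leaves with my public IP.
iptables -t nat -A POSTROUTING -o "${ifWan}" -j MASQUERADE

# Anti-spoofing on the public interface.
# Drop any traffic carrying one of my Intranet ranges that enters via the WAN.
# INTRANET is a whitespace-separated list of ranges, hence the unquoted loop.
iptables -N CH_ANTISPOOF
# shellcheck disable=SC2086
for antispoof_net in ${INTRANET}; do
  iptables -A INPUT -i "${ifWan}" -s "${antispoof_net}" -m conntrack --ctstate NEW -j CH_ANTISPOOF
  iptables -A FORWARD -i "${ifWan}" -s "${antispoof_net}" -m conntrack --ctstate NEW -j CH_ANTISPOOF
done
if [ "${LOGDROP}" = "yes" ] || [ "${LOGALL}" = "yes" ]; then
  # shellcheck disable=SC2086
  iptables -A CH_ANTISPOOF -j ${LOGGING} "CH_ANTISPOOF -- DROP "
fi
iptables -A CH_ANTISPOOF -j DROP

# Allow all of "my" traffic originated or received on the loopback.
iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o lo -m conntrack --ctstate NEW -j ACCEPT

# Allow this host to go anywhere,
# including UDP from its own addresses to anywhere.
iptables -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -s "${ipBridgeIPTV}/32" -p udp -j ACCEPT
iptables -A OUTPUT -s "${ipLanInternetViaNorte}/32" -p udp -j ACCEPT
iptables -A OUTPUT -s "${ipLanInternetViaSur}/32" -p udp -j ACCEPT

# Accept any kind of traffic on the IPTV vlan.
# (no 'sudo' here: the script already runs as root, like every other rule)
iptables -A INPUT -i "${ifBridgeIPTV}" -j ACCEPT

# ALLOW ANY INTRANET TRAFFIC
iptables -N CH_Intranet
# shellcheck disable=SC2086
for intranet in ${INTRANET}; do
  iptables -A INPUT -s "${intranet}" -m conntrack --ctstate NEW -j CH_Intranet
  iptables -A OUTPUT -s "${intranet}" -m conntrack --ctstate NEW -j CH_Intranet
  iptables -A FORWARD -s "${intranet}" -m conntrack --ctstate NEW -j CH_Intranet
  iptables -A INPUT -s "${intranet}" -p udp -j CH_Intranet
  iptables -A OUTPUT -s "${intranet}" -p udp -j CH_Intranet
  iptables -A FORWARD -s "${intranet}" -p udp -j CH_Intranet
done
if [ "${LOGALL}" = "yes" ]; then
  # shellcheck disable=SC2086
  iptables -A CH_Intranet -j ${LOGGING} "CH_Intranet -- OK "
fi
iptables -A CH_Intranet -j ACCEPT

# Allow bootp/s on the LAN
# 67 UDP Bootstrap protocol server (BootP, bootps)
# 68 UDP Bootstrap protocol client (bootpc)
# 69 UDP Trivial file transfer protocol (TFTP) -- not opened below
for interface in "${ifLanInternetViaNorte}" "${ifLanInternetViaSur}"; do
  printf '%s\n' "aplicando dhcp en ${interface}"
  iptables -A INPUT -i "${interface}" -p udp -m udp -m multiport --dports 68,67 -j ACCEPT
  iptables -A FORWARD -o "${interface}" -p udp -m udp -m multiport --dports 68,67 -j ACCEPT
done

# Drop any packet that is not in a valid conntrack state.
# NOTE(review): appended AFTER the CH_Intranet accepts above, so packets
# from Intranet ranges are accepted before ever reaching this check.
iptables -N CH_Invalido
iptables -A INPUT -m conntrack --ctstate INVALID -j CH_Invalido
iptables -A OUTPUT -m conntrack --ctstate INVALID -j CH_Invalido
iptables -A FORWARD -m conntrack --ctstate INVALID -j CH_Invalido
if [ "${LOGINVALID}" = "yes" ]; then
  # shellcheck disable=SC2086
  iptables -A CH_Invalido -j ${LOGGING} "CH_Invalido -- DROP "
fi
iptables -A CH_Invalido -j DROP

# Everything else is dropped.
iptables -N CH_DROP
iptables -A INPUT -j CH_DROP
iptables -A FORWARD -j CH_DROP
iptables -A OUTPUT -j CH_DROP
if [ "${LOGDROP}" = "yes" ] || [ "${LOGALL}" = "yes" ]; then
  # shellcheck disable=SC2086
  iptables -A CH_DROP -j ${LOGGING} "CH_DROP -- "
fi
iptables -A CH_DROP -j DROP
## END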