Last active
November 20, 2019 13:21
-
-
Save crashdump/6006894 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### BEGIN INIT INFO | |
| # Provides: firewall | |
| # Required-Start: $network | |
| # Required-Stop: $network | |
| # Default-Start: S 2 3 4 5 | |
| # Default-Stop: 0 1 6 | |
| # Short-Description: Firewall (ipv6) rules | |
| # Description: Simple script to initialise an ip6tables firewall | |
| ### END INIT INFO | |
| #-----------------------------------------------------------------------# | |
| # # | |
| # Description : Firewall (ipv6) Config # | |
| # OS : Debian # | |
| # Requires : ip6tables # | |
| # Licence : GPL # | |
| # Version : 0.1.1-3 # | |
| # Author : Adrien Pujol <adrien.pujol@crashdump.fr> # | |
| # Web site : http://www.crashdump.fr/ # | |
| # # | |
| #-----------------------------------------------------------------------# | |
| # install rsyslog and create /etc/rsyslog.d/ip6tables.conf with: | |
| # :msg, contains, "[ip6tables]" -/var/log/ip6tables.log | |
| # & ~ | |
| # | |
| # logrotate that with the following config in /etc/logrotate.d/ip6tables.conf | |
| # /var/log/ip6tables.log { | |
| # weekly | |
| # missingok | |
| # rotate 7 | |
| # compress | |
| # delaycompress | |
| # notifempty | |
| # } | |
| # | |
| # Put this in /etc/init.d/ip6tables, then activate it: | |
| # # /etc/init.d/ip6tables start | |
| # # update-rc.d ip6tables defaults | |
| test -f /sbin/ip6tables || exit 0 | |
| . /lib/lsb/init-functions | |
| # Un peu de couleurs | |
| #31=rouge, 32=vert, 33=jaune,34=bleu, 35=rose, 36=cyan, 37= blanc | |
| color() | |
| { | |
| #echo [$1`shift`m$*[m | |
| printf '\033[%sm%s\033[m\n' "$@" | |
| } | |
| #-----> VARIABLES A CONFIGURER <----------------------------------------# | |
| IPTABLES=/sbin/ip6tables | |
| IF_EXT=eth0 | |
| LOGFLAGS="LOG --log-tcp-options --log-tcp-sequence --log-ip-options --log-level warning --log-prefix" | |
| #-----> START/STOP <----------------------------------------------------# | |
| case "$1" in | |
| start) | |
| log_begin_msg "Starting ip6tables firewall rules..." | |
| ###################################################################### | |
| #----- Initialisation --------------------------------------------------# | |
| echo ">Shutting down Fail2Ban" | |
| /etc/init.d/fail2ban stop | |
| echo ">Setting firewall rules..." | |
| ## Vider les tables actuelles | |
| ${IPTABLES} -t filter -F | |
| ${IPTABLES} -t filter -X | |
| ${IPTABLES} -t mangle -F | |
| ${IPTABLES} -t mangle -X | |
| ${IPTABLES} -F | |
| ${IPTABLES} -X | |
| ${IPTABLES} -Z | |
| echo "- Vidage : [`color 32 "OK"`]" | |
| #----- Default rules --------------------------------------------------# | |
| ## Police par defaut | |
| ${IPTABLES} -P INPUT DROP | |
| ${IPTABLES} -P OUTPUT ACCEPT | |
| ${IPTABLES} -P FORWARD DROP | |
| echo "- Police par defaut, DROP : [`color 32 "OK"`]" | |
| ## Loopback accepted | |
| ${IPTABLES} -A FORWARD -i lo -o lo -j ACCEPT | |
| ${IPTABLES} -A INPUT -i lo -j ACCEPT | |
| echo "- Accepter les loopbacks : [`color 32 "OK"`]" | |
| #----- Chains creation -------------------------------------------------# | |
| ## Creation des chaines | |
| ${IPTABLES} -N SERVICES | |
| ${IPTABLES} -N THISISPORN | |
| ${IPTABLES} -N SECURITY | |
| echo "- Creation des chaines : [`color 32 "OK"`]" | |
| #----- Security ---------------------------------------------------------# | |
| # Anyone who tried to portscan us is locked out for an entire day. | |
| ${IPTABLES} -A SECURITY -m recent --name portscan --rcheck --seconds 86400 -j DROP -m comment --comment "Portscan" | |
| # Once the day has passed, remove them from the portscan list | |
| ${IPTABLES} -A SECURITY -m recent --name portscan --remove -m comment --comment "Portscan" | |
| # These rules add scanners to the portscan list, and log the attempt. | |
| ${IPTABLES} -A SECURITY -p tcp -m tcp --dport 139 -m recent --name portscan --set -j ${LOGFLAGS} "[ip6tables] [:portscan:]" -m comment --comment "Portscan" | |
| ${IPTABLES} -A SECURITY -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP -m comment --comment "Portscan" | |
| ${IPTABLES} -A SECURITY -p tcp -m tcp --dport 5353 -m recent --name portscan --set -j ${LOGFLAGS} "[ip6tables] [:portscan:]" -m comment --comment "Portscan" | |
| ${IPTABLES} -A SECURITY -p tcp -m tcp --dport 5353 -m recent --name portscan --set -j DROP -m comment --comment "Portscan" | |
| echo "- Portscan (Connect. on port 139 banned for a day) : [`color 32 "OK"`]" | |
| ## No NULL Packet | |
| ${IPTABLES} -A SECURITY -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j ${LOGFLAGS} "[ip6tables] [:nullpackets:]" -m comment --comment "Null packets" | |
| ${IPTABLES} -A SECURITY -p tcp --tcp-flags ALL NONE -j DROP -m comment --comment "Null packets" | |
| echo "- Protection NULL Packets : [`color 32 "OK"`]" | |
| ## No XMAS | |
| ${IPTABLES} -A SECURITY -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j ${LOGFLAGS} "[ip6tables] [:xmaspackets:]" -m comment --comment "Xmas packet" | |
| ${IPTABLES} -A SECURITY -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP -m comment --comment "Xmas packet" | |
| echo "- Protection XMAS : [`color 32 "OK"`]" | |
| ## No FIN packet scans | |
| ${IPTABLES} -A SECURITY -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j ${LOGFLAGS} "[ip6tables] [:finpacketsscan:]" -m comment --comment "Fin packet" | |
| ${IPTABLES} -A SECURITY -p tcp --tcp-flags FIN,ACK FIN -j DROP -m comment --comment "Fin packet" | |
| ${IPTABLES} -A SECURITY -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP -m comment --comment "Fin packet" | |
| echo "- Protection FIN packet scans : [`color 32 "OK"`]" | |
| ## No Broadcast / Multicast / Invalid and Bogus | |
| ${IPTABLES} -A SECURITY -m pkttype --pkt-type broadcast -j ${LOGFLAGS} "[ip6tables] [:broadcast:]" -m comment --comment "No broadcast" | |
| ${IPTABLES} -A SECURITY -m pkttype --pkt-type broadcast -j DROP -m comment --comment "No Broadcast" | |
| ${IPTABLES} -A SECURITY -m pkttype --pkt-type multicast -j ${LOGFLAGS} "[ip6tables] [:multicast:]" -m comment --comment "No multicast" | |
| ${IPTABLES} -A SECURITY -m pkttype --pkt-type multicast -j DROP -m comment --comment "No multicast" | |
| ${IPTABLES} -A SECURITY -m state --state INVALID -j ${LOGFLAGS} "[ip6tables] [:invalid:]" -m comment --comment "Invalid" | |
| ${IPTABLES} -A SECURITY -m state --state INVALID -j DROP -m comment --comment "Invalid" | |
| ${IPTABLES} -A SECURITY -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j ${LOGFLAGS} "[ip6tables] [:bogus:]" -m comment --comment "Invalid" | |
| ${IPTABLES} -A SECURITY -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP -m comment --comment "Invalid" | |
| ${IPTABLES} -A SECURITY -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j ${LOGFLAGS} "[ip6tables] [:bogus:]" -m comment --comment "Invalid" | |
| ${IPTABLES} -A SECURITY -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP -m comment --comment "Invalid" | |
| echo "- No Broadcast / Multicast / Invalid and Bogus : [`color 32 "OK"`]" | |
| ## REJECT les fausses connex pretendues s'initialiser et sans syn | |
| ${IPTABLES} -A SECURITY -p tcp ! --syn -m state --state NEW,INVALID -j ${LOGFLAGS} "[ip6tables] [:falsenosyn:]" -m comment --comment "NoSyn" | |
| ${IPTABLES} -A SECURITY -p tcp ! --syn -m state --state NEW,INVALID -j DROP -m comment --comment "NoSyn" | |
| echo "- Rejeter les fakes de connection, pas de syn : [`color 32 "OK"`]" | |
| ## icmp neighbor-* | |
| ${IPTABLES} -A INPUT -i ${IF_EXT} -p ipv6-icmp --icmpv6-type neighbor-advertisement -j ACCEPT | |
| ${IPTABLES} -A INPUT -i ${IF_EXT} -p ipv6-icmp --icmpv6-type neighbor-solicitation -j ACCEPT | |
| ## Ne pas casser les connexions etablies | |
| ${IPTABLES} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| echo "- Ne pas casser les connexions etablies : [`color 32 "OK"`]" | |
| #----- Debut des regles ------------------------------------------------# | |
| ${IPTABLES} -A THISISPORN -s 2001:1041:444:3::/64 -j DROP -m comment --comment "Scanned me" | |
| ${IPTABLES} -A THISISPORN -s 2001:4a48:217:1::/64 -j DROP -m comment --comment "Bruteforced me" | |
| # Autoriser SSH | |
| ${IPTABLES} -A SERVICES -p tcp --dport 22 -j ACCEPT -m comment --comment "sshd" | |
| echo "- Autoriser SSH (ipv6) : [`color 32 "OK"`]" | |
| # Autoriser les requetes HTTP | |
| ${IPTABLES} -A SERVICES -p tcp --dport 80 -j ACCEPT -m comment --comment "http" | |
| ${IPTABLES} -A SERVICES -p tcp --dport 443 -j ACCEPT -m comment --comment "https" | |
| echo "- Autoriser les requetes HTTP/S (ipv6) : [`color 32 "OK"`]" | |
| # Autoriser NTP | |
| ${IPTABLES} -A SERVICES -p udp --dport 123 -j ACCEPT -m comment --comment "ntpd" | |
| echo "- Autoriser NTP (ipv6) : [`color 32 "OK"`]" | |
| ${IPTABLES} -A SERVICES -p tcp --dport 25 -j ACCEPT -m comment --comment "smtp" | |
| #${IPTABLES} -A SERVICES -p tcp --dport 110 -j ACCEPT -m comment --comment "pop3" | |
| ${IPTABLES} -A SERVICES -p tcp --dport 143 -j ACCEPT -m comment --comment "imap" | |
| ${IPTABLES} -A SERVICES -p tcp --dport 993 -j ACCEPT -m comment --comment "imaps" | |
| echo "- Autoriser serveur Mail (ipv6) : [`color 32 "OK"`]" | |
| #----- Fin des regles --------------------------------------------------# | |
| # Ecriture de la politique de log | |
| # Ici on affiche [IPTABLES DROP] dans /var/log/messages a chaque paquet rejette par iptables | |
| ${IPTABLES} -N LOG_DROP | |
| ${IPTABLES} -A LOG_DROP -j ${LOGFLAGS} '[ip6tables] [:finaldrop:]' | |
| ${IPTABLES} -A LOG_DROP -j DROP | |
| # On met en place les logs en entree, sortie et routage selon la politique LOG_DROP ecrit avant | |
| ${IPTABLES} -A FORWARD -j LOG_DROP | |
| ${IPTABLES} -A INPUT -j LOG_DROP | |
| # | |
| ${IPTABLES} -I INPUT -i ${IF_EXT} -j SERVICES | |
| ${IPTABLES} -I INPUT -i ${IF_EXT} -j SECURITY | |
| ${IPTABLES} -I INPUT -j THISISPORN | |
| echo "- Mise en place des politiques prededement definies : [`color 32 "OK"`]" | |
| ## | |
| echo ">Starting Fail2Ban" | |
| sleep 5 | |
| /etc/init.d/fail2ban start | |
| sleep 1 | |
| echo "- Fail2Ban actives modules: " | |
| echo `ip6tables -L -nv --line-numbers | grep -e "Chain fail2ban-"` | |
| echo "`color 32 ">Firewall mis a jour avec succes !"`" | |
| ###################################################################### | |
| log_end_msg $? | |
| ;; | |
| stop) | |
| log_begin_msg "Flushing rules..." | |
| ## Vider les tables actuelles | |
| ${IPTABLES} -t filter -F | |
| ${IPTABLES} -t filter -X | |
| ${IPTABLES} -t mangle -F | |
| ${IPTABLES} -t mangle -X | |
| ${IPTABLES} -F | |
| ${IPTABLES} -X | |
| ${IPTABLES} -Z | |
| ${IPTABLES} -P INPUT ACCEPT | |
| ${IPTABLES} -A INPUT -j ACCEPT | |
| ${IPTABLES} -P OUTPUT ACCEPT | |
| ${IPTABLES} -A OUTPUT -j ACCEPT | |
| ${IPTABLES} -P FORWARD ACCEPT | |
| ${IPTABLES} -A FORWARD -j ACCEPT | |
| log_end_msg $? | |
| ;; | |
| restart) | |
| $0 stop | |
| $0 start | |
| ;; | |
| status) | |
| ${IPTABLES} -nvL | |
| ;; | |
| *) | |
| log_success_msg "Usage: /etc/init.d/ip6tables {start|stop|restart|status}" | |
| exit 1 | |
| ;; | |
| esac | |
| exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi Adrien. Is interesting your script for my ip6tables implementation on my debian. Thing is that i'm using a raspberry+jessie, so it works with systemctl. Cannot start this init.d script. Maybe you have the needed file to work with systemd? File should be something like ip6tables.service. Anyway, thanks for share your work. Greetz from Argentina =)