Last active
July 7, 2018 16:05
-
-
Save englercj/11163178 to your computer and use it in GitHub Desktop.
iptables setup
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
IPT="/sbin/iptables" | |
### Interfaces ### | |
PUB_IF="eth0" # public interface | |
PRV_IF="eth1" # private interface | |
LO_IF="lo" # loopback | |
SERVER_IP=$(ifconfig eth0 | grep 'inet addr:' | awk -F'inet addr:' '{ print $2}' | awk '{ print $1}') | |
########## Allow/block services ################################################# | |
ALLOW_SSH="true" | |
ALLOW_HTTP="true" | |
ALLOW_FTP="false" | |
ALLOW_STEAM="false" | |
ALLOW_OUTGOING_DNS="true" | |
ALLOW_OUTGOING_NTP="true" | |
ALLOW_OUTGOING_SMTP="true" | |
ALLOW_OUTGOING_ICMP="true" | |
ALLOW_INCOMING_ICMP="true" | |
USE_HARDENING_RULESET="true" | |
########## SSH ################################################# | |
SSH_PORT=22 | |
# This notes every NEW connection to port ${SSH_PORT} and adds it to the recent "list" | |
# If your IP is on the recent list, and you have ${SSH_LOGIN_ATTEMPT} or more entries on the list in the | |
# last ${SSH_LOGIN_ATTEMPT_TIMEFRAME} seconds, we drop your request. | |
SSH_LOGIN_ATTEMPT_PROTECTION="true" | |
SSH_LOGIN_ATTEMPT=4 | |
SSH_LOGIN_ATTEMPT_TIMEFRAME_SECONDS=90 | |
SSH_ALLOW_ONLY_IP="false" | |
SSH_ALLOW_ONLY_IP_LIST="122.xx.yy.zz/29" | |
#### FILES ##### | |
CUSTOM_RULES=/root/.fw/customRules.sh | |
BLOCKED_IP_TDB=/root/.fw/blocked.ip.txt | |
SPOOFIP="" | |
#SPOOFIP="127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32 168.254.0.0/16 224.0.0.0/4 240.0.0.0/5 248.0.0.0/5 192.0.2.0/24" | |
#BADIPS=$( [[ -f ${BLOCKED_IP_TDB} ]] && egrep -v "^#|^$" ${BLOCKED_IP_TDB}) | |
########################################################### | |
### You shouldn't need to change below this line ### | |
########################################################### | |
function allowPort() { | |
if [[ "$1" == "in" ]]; then | |
$IPT -A INPUT -i ${PUB_IF} -p $2 --dport $3 -m state --state NEW,ESTABLISHED -j ACCEPT | |
$IPT -A OUTPUT -o ${PUB_IF} -p $2 --sport $3 -m state --state ESTABLISHED -j ACCEPT | |
else | |
$IPT -A OUTPUT -o ${PUB_IF} -p $2 --dport $3 -m state --state NEW,ESTABLISHED -j ACCEPT | |
$IPT -A INPUT -i ${PUB_IF} -p $2 --sport $3 -m state --state ESTABLISHED -j ACCEPT | |
fi | |
} | |
function customRules() { | |
if [ -f ${CUSTOM_RULES} ]; then | |
source ${CUSTOM_RULES} | |
fi | |
} | |
function clearAllIpTablesRules() { | |
echo "Clear all firewall rules"; | |
#Default policy is DROP so first change the INPUT FORWARD and OUTPUT policy before the -F or you will be locked. | |
iptables -P INPUT ACCEPT | |
iptables -P FORWARD ACCEPT | |
iptables -P OUTPUT ACCEPT | |
iptables -F | |
iptables -X | |
iptables -t nat -F | |
iptables -t nat -X | |
iptables -t mangle -F | |
iptables -t mangle -X | |
} | |
function hardeningRules() { | |
if [ "${USE_HARDENING_RULESET}" == "true" ]; then | |
echo "Hardening: Drop sync" | |
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP | |
echo "Hardening: Drop Fragments" | |
$IPT -A INPUT -i ${PUB_IF} -f -j DROP | |
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP | |
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP | |
echo "Hardening: Drop NULL packets" | |
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " NULL Packets " | |
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP | |
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP | |
echo "Hardening: Drop XMAS" | |
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " XMAS Packets " | |
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP | |
echo "Hardening: Drop FIN packet scans" | |
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " Fin Packets Scan " | |
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP | |
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP | |
echo "Hardening: Log and get rid of broadcast / multicast and invalid" | |
$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j LOG --log-prefix " Broadcast " | |
$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j DROP | |
$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j LOG --log-prefix " Multicast " | |
$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j DROP | |
$IPT -A INPUT -i ${PUB_IF} -m state --state INVALID -j LOG --log-prefix " Invalid " | |
$IPT -A INPUT -i ${PUB_IF} -m state --state INVALID -j DROP | |
fi | |
} | |
function logAndBlockSpoofedIPRules() { | |
$IPT -N spooflist | |
for ipblock in $SPOOFIP | |
do | |
$IPT -A spooflist -i ${PUB_IF} -s $ipblock -j LOG --log-prefix " SPOOF List Block " | |
$IPT -A spooflist -i ${PUB_IF} -s $ipblock -j DROP | |
done | |
$IPT -I INPUT -j spooflist | |
$IPT -I OUTPUT -j spooflist | |
$IPT -I FORWARD -j spooflist | |
} | |
function sshRules() { | |
if [ "${ALLOW_SSH}" == "true" ]; then | |
echo "Allow SSH"; | |
if [ "${SSH_ALLOW_ONLY_IP}" == "true" ]; then | |
# Allow ssh only from selected public ips | |
for ip in ${SSH_ALLOW_ONLY_IP_LIST} | |
do | |
$IPT -A INPUT -i ${PUB_IF} -s ${ip} -p tcp -d ${SERVER_IP} --dport ${SSH_PORT} -j ACCEPT | |
$IPT -A OUTPUT -o ${PUB_IF} -d ${ip} -p tcp -s ${SERVER_IP} --sport ${SSH_PORT} -j ACCEPT | |
done | |
else | |
# allow for all | |
$IPT -A INPUT -i ${PUB_IF} -p tcp -d ${SERVER_IP} --dport ${SSH_PORT} -j ACCEPT | |
$IPT -A OUTPUT -o ${PUB_IF} -p tcp -s ${SERVER_IP} --sport ${SSH_PORT} -j ACCEPT | |
# allow for all (outbound) | |
$IPT -A OUTPUT -o ${PUB_IF} -p tcp -s ${SERVER_IP} --dport ${SSH_PORT} -j ACCEPT | |
$IPT -A INPUT -i ${PUB_IF} -p tcp -d ${SERVER_IP} --sport ${SSH_PORT} -j ACCEPT | |
fi | |
if [ "${SSH_LOGIN_ATTEMPT_PROTECTION}" == "true" ]; then | |
$IPT -I INPUT -p tcp --dport ${SSH_PORT} -i eth0 -m state --state NEW -m recent --set | |
$IPT -I INPUT -p tcp --dport ${SSH_PORT} -i eth0 -m state --state NEW -m recent --update --seconds ${SSH_LOGIN_ATTEMPT_TIMEFRAME_SECONDS} --hitcount ${SSH_LOGIN_ATTEMPT} -j DROP | |
fi | |
fi | |
} | |
function icmpRules() { | |
if [ "${ALLOW_INCOMING_ICMP}" == "true" ]; then | |
echo "Allow incoming ICMP"; | |
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 30/sec -j ACCEPT | |
$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
fi | |
if [ "${ALLOW_OUTGOING_ICMP}" == "true" ]; then | |
echo "Allow outgoing ICMP"; | |
$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type echo-request -j ACCEPT | |
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type echo-reply -j ACCEPT | |
fi | |
} | |
function httpRules() { | |
if [ "${ALLOW_HTTP}" == "true" ]; then | |
echo "Allow HTTP"; | |
#allow http(s) inbound connection/response | |
$IPT -A INPUT -i ${PUB_IF} -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT | |
$IPT -A OUTPUT -o ${PUB_IF} -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT | |
#allow http(s) outbound connection/response | |
$IPT -A OUTPUT -o ${PUB_IF} -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT | |
$IPT -A INPUT -i ${PUB_IF} -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT | |
fi | |
} | |
function dnsRules() { | |
if [ "${ALLOW_OUTGOING_DNS}" == "true" ]; then | |
echo "Allow outgoing DNS"; | |
allowPort out udp 53 | |
fi | |
} | |
function ntpRules() { | |
if [ "${ALLOW_OUTGOING_NTP}" == "true" ]; then | |
echo "Allow outgoing NTP"; | |
allowPort out udp 123 | |
fi | |
} | |
function smtpRules() { | |
if [ "${ALLOW_OUTGOING_SMTP}" == "true" ]; then | |
echo "Allow outgoing SMTP"; | |
allowPort out tcp 25 | |
fi | |
} | |
function ftpRules() { | |
if [ "${ALLOW_FTP}" == "true" ]; then | |
echo "Allow FTP"; | |
$IPT -A INPUT -p tcp --dport ftp -i ${PUB_IF} -j ACCEPT | |
$IPT -A INPUT -p udp --dport ftp -i ${PUB_IF} -j ACCEPT | |
$IPT -A INPUT -p tcp --dport ftp-data -i ${PUB_IF} -j ACCEPT | |
$IPT -A INPUT -p udp --dport ftp-data -i ${PUB_IF} -j ACCEPT | |
fi | |
} | |
function steamRules() { | |
if [ "${ALLOW_STEAM}" == "true" ]; then | |
echo "Allow Steam"; | |
allowPort in udp "27000:27030" | |
allowPort out udp "27000:27030" | |
allowPort in tcp "27014:27050" | |
allowPort out tcp "27014:27050" | |
allowPort in udp "4379:4380" | |
allowPort out udp "4379:4380" | |
fi | |
} | |
function dropAndCloseEverythingRules() { | |
echo "Drop And Close Everything"; | |
$IPT -P INPUT DROP | |
$IPT -P OUTPUT DROP | |
$IPT -P FORWARD DROP | |
} | |
function dropAndLogEverythingElseRules() { | |
$IPT -A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " DEFAULT DROP " | |
$IPT -A INPUT -j DROP | |
} | |
function unlimitedLoopbackRules() { | |
$IPT -A INPUT -i ${LO_IF} -j ACCEPT | |
$IPT -A OUTPUT -o ${LO_IF} -j ACCEPT | |
} | |
function unlimitedPrivateRules() { | |
$IPT -A INPUT -i ${PRV_IF} -j ACCEPT | |
$IPT -A OUTPUT -o ${PRV_IF} -j ACCEPT | |
} | |
function createIptablesRules() { | |
echo "Setting $(hostname) Firewall..."; | |
dropAndCloseEverythingRules | |
unlimitedLoopbackRules | |
unlimitedPrivateRules | |
hardeningRules | |
logAndBlockSpoofedIPRules | |
sshRules | |
httpRules | |
icmpRules | |
dnsRules | |
ntpRules | |
smtpRules | |
ftpRules | |
steamRules | |
customRules | |
dropAndLogEverythingElseRules | |
} | |
echo " Choose one of the following options:" | |
echo | |
echo "[N]ew firewall rules" | |
echo "[C]lear all firewall rules" | |
echo "[T]est firewall rules" | |
echo "[S]ave firewall rules to /etc/network/iptables" | |
echo "[E]xit" | |
echo | |
read choice | |
case "$choice" in | |
"N" | "n" ) | |
clearAllIpTablesRules | |
createIptablesRules | |
;; | |
"C" | "c" ) | |
clearAllIpTablesRules | |
;; | |
"T" | "t" ) | |
clearAllIpTablesRules | |
createIptablesRules | |
iptables-apply | |
;; | |
"S" | "s" ) | |
clearAllIpTablesRules | |
createIptablesRules | |
iptables-save > /etc/network/iptables | |
;; | |
* ) | |
exit 0 | |
;; | |
esac |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment