Created
February 10, 2011 18:03
-
-
Save gabetax/820992 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # MIS Firewall Script v1.0 | |
| # | |
| # Author: gabe@mudbuginfo.com | |
| # Based on O'reilly Linux Server Hacks, #45 | |
| # | |
| # Documentation forthcoming | |
| # This script must be run after a boot, as iptables does not save its state | |
| # | |
| #< I. Configuration Options >################################################### | |
| WHITELIST=/etc/firewall.whitelist | |
| BLACKLIST=/etc/firewall.blacklist | |
| # List of PUBLICALLY allowed ports, delimited by spaces | |
| PUBLIC_TCP_PORTS="20 21 22 53 80 443 2575 30000:30050" | |
| PUBLIC_UDP_PORTS="53" | |
| SYN_LIMIT="600/s" | |
| SYN_LIMIT_BURST="800" | |
| LOG_LIMIT="2/s" | |
| LOG_LIMIT_BURST="10" | |
| #< II. Program Locations >###################################################### | |
| AWK=/usr/bin/awk | |
| ECHO=echo | |
| GREP=/bin/grep | |
| ID=/usr/bin/id | |
| IPTABLES=/sbin/iptables | |
| SORT=/usr/bin/sort | |
| UNIQ=/usr/bin/uniq | |
| if [ ! -z $DEBUG ]; then | |
| IPTABLES="debug $IPTABLES" | |
| fi | |
| #< III. Functions >############################################################# | |
| function error() { | |
| $ECHO "$0: $@" 1>&2 | |
| $EXIT 1 | |
| } | |
| function debug() { | |
| if [ ! -z $DEBUG ]; then | |
| $ECHO "$0 DEBUG: $@" 1>&2 | |
| fi | |
| } | |
| #< IV. Sanitize >############################################################### | |
| if [ `$ID -u` != 0 ]; then error "must be root user to execute, exiting..."; fi; | |
| if [ ! -e "$WHITELIST" ]; then error "WHITELIST $WHITELIST does not exist"; fi; | |
| if [ ! -e "$BLACKLIST" ]; then error "BLACKLIST $BLACKLIST does not exist"; fi; | |
| #< V. Firewall Script Body >#################################################### | |
| $ECHO "--- Setting up sysctl options" | |
| $ECHO "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts | |
| $ECHO "0" > /proc/sys/net/ipv4/tcp_timestamps | |
| # Doesn't exist in 2.6. Re-examine at my leisure | |
| #$ECHO "1" > /proc/sys/net/ipv4/tcp_syncookies | |
| $ECHO "1" > /proc/sys/net/ipv4/conf/all/log_martians | |
| for i in /proc/sys/net/ipv4/conf/*/rp_filter; do | |
| $ECHO "1" > $i | |
| done | |
| # Clear all current rules, its only proper | |
| $IPTABLES -F | |
| $IPTABLES -X | |
| echo "--- Adding Whitelist" | |
| # Process the white list | |
| $IPTABLES -N WHITELIST | |
| for i in `$GREP -v \^# $WHITELIST | $AWK '{print $1}' | $SORT | $UNIQ`; do | |
| debug "Allowing $i" | |
| $IPTABLES -A WHITELIST -t filter --source $i -j ACCEPT | |
| done | |
| echo "--- Adding Blacklist (LOGGED)" | |
| # Process the black list | |
| $IPTABLES -N BLACKLIST_LOG | |
| $IPTABLES -A BLACKLIST_LOG -j LOG --log-prefix "fp=BLACKLIST a=DROP " | |
| $IPTABLES -A BLACKLIST_LOG -j DROP | |
| $IPTABLES -N BLACKLIST | |
| for i in `$GREP -v \^# $BLACKLIST | $AWK '{print $1}' | $SORT | $UNIQ`; do | |
| debug "Blocking $i" | |
| #$IPTABLES -A BLACKLIST -t filter --source $i -j BLACKLIST_LOG | |
| $IPTABLES -A BLACKLIST -t filter --source $i -j DROP | |
| done | |
| echo "--- Checking for Bad TCP Flags (LOGGED)" | |
| $IPTABLES -N MALICIOUS_FLAGS_LOG | |
| $IPTABLES -A MALICIOUS_FLAGS_LOG -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-prefix "chain=MALICIOUS_FLAGS a=DROP " | |
| $IPTABLES -A MALICIOUS_FLAGS_LOG -j DROP | |
| $IPTABLES -N MALICIOUS_FLAGS | |
| $IPTABLES -A MALICIOUS_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j MALICIOUS_FLAGS_LOG | |
| $IPTABLES -A MALICIOUS_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j MALICIOUS_FLAGS_LOG | |
| $IPTABLES -A MALICIOUS_FLAGS -p tcp --tcp-flags ALL ALL -j MALICIOUS_FLAGS_LOG | |
| $IPTABLES -A MALICIOUS_FLAGS -p tcp --tcp-flags ALL NONE -j MALICIOUS_FLAGS_LOG | |
| $IPTABLES -A MALICIOUS_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j MALICIOUS_FLAGS_LOG | |
| $IPTABLES -A MALICIOUS_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j MALICIOUS_FLAGS_LOG | |
| echo "--- Blocking 'Backdoor' ports (LOGGED)" | |
| $IPTABLES -N MALICIOUS_PORTS_LOG | |
| $IPTABLES -A MALICIOUS_PORTS_LOG -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-prefix "chain=MALICIOUS_PORTS a=DROP " | |
| $IPTABLES -A MALICIOUS_PORTS_LOG -j DROP | |
| $IPTABLES -N MALICIOUS_PORTS | |
| # Deepthroat | |
| $IPTABLES -A MALICIOUS_PORTS -p tcp --dport 6670 -j MALICIOUS_PORTS_LOG | |
| # Subseven | |
| $IPTABLES -A MALICIOUS_PORTS -p tcp --dport 1243 -j MALICIOUS_PORTS_LOG | |
| $IPTABLES -A MALICIOUS_PORTS -p udp --dport 1243 -j MALICIOUS_PORTS_LOG | |
| $IPTABLES -A MALICIOUS_PORTS -p tcp --dport 27374 -j MALICIOUS_PORTS_LOG | |
| $IPTABLES -A MALICIOUS_PORTS -p udp --dport 27374 -j MALICIOUS_PORTS_LOG | |
| $IPTABLES -A MALICIOUS_PORTS -p tcp --dport 6711:6713 -j MALICIOUS_PORTS_LOG | |
| # Netbus | |
| $IPTABLES -A MALICIOUS_PORTS -p tcp --dport 12345:12346 -j MALICIOUS_PORTS_LOG | |
| $IPTABLES -A MALICIOUS_PORTS -p tcp --dport 20034 -j MALICIOUS_PORTS_LOG | |
| # Back Orifice | |
| $IPTABLES -A MALICIOUS_PORTS -p tcp --dport 31337:31338 -j MALICIOUS_PORTS_LOG | |
| # Hack'a'Tack 2000 | |
| $IPTABLES -A MALICIOUS_PORTS -p tcp --dport 28431 -j MALICIOUS_PORTS_LOG | |
| #echo "--- Blocking SYN floods (LOGGED)" | |
| #$IPTABLES -N SYNFLOOD_LOG | |
| #$IPTABLES -A SYNFLOOD_LOG -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-prefix "chain=SYN_FLOOD a=DROP " | |
| #$IPTABLES -A SYNFLOOD_LOG -j DROP | |
| $IPTABLES -N TCP_ACCEPT | |
| $IPTABLES -A TCP_ACCEPT -p tcp -j ACCEPT # The syn flood blocking is being *too* proactive. blocking them for now. | |
| #$IPTABLES -A TCP_ACCEPT -p tcp --syn -m limit --limit $SYN_LIMIT --limit-burst $SYN_LIMIT_BURST -j ACCEPT | |
| #$IPTABLES -A TCP_ACCEPT -p tcp --syn -j SYNFLOOD_LOG | |
| #$IPTABLES -A TCP_ACCEPT -p tcp ! --syn -j ACCEPT | |
| echo "--- Allowing TCP Services: $PUBLIC_TCP_PORTS" | |
| $IPTABLES -N TCP_SERVICES | |
| for i in $PUBLIC_TCP_PORTS; do | |
| debug "Allowing public access of tcp port $i" | |
| $IPTABLES -A TCP_SERVICES -t filter -p tcp --destination-port $i -j TCP_ACCEPT | |
| done | |
| echo "--- Allowing UDP Services: $PUBLIC_UDP_PORTS" | |
| $IPTABLES -N UDP_SERVICES | |
| for i in $PUBLIC_UDP_PORTS; do | |
| debug "Allowing public access of udp port $i" | |
| $IPTABLES -A UDP_SERVICES -t filter -p udp --destination-port $i -j ACCEPT | |
| done | |
| # | |
| # This is the INPUT chain "money shot" | |
| # | |
| $IPTABLES -A INPUT -j WHITELIST | |
| $IPTABLES -A INPUT -j BLACKLIST | |
| $IPTABLES -A INPUT -p tcp -j MALICIOUS_FLAGS | |
| $IPTABLES -A INPUT -j MALICIOUS_PORTS | |
| $IPTABLES -A INPUT -p tcp -j TCP_SERVICES | |
| $IPTABLES -A INPUT -p udp -j UDP_SERVICES | |
| # Special blocking for IDENT | |
| echo "--- REJECTing Ident tcp/113 requests" | |
| $IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset | |
| echo "--- DROPing all other new incoming connections" | |
| # And block anything else that tries to connect | |
| $IPTABLES -A INPUT -t filter -p tcp --syn -j DROP | |
| ################################################################################ | |
| #< Finished >################################################################### | |
| ################################################################< have a beer ># |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment