Created
November 4, 2010 14:58
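#!/bin/bash
# @(#) iptables.sh - Script for configuring firewall with iptables
# Based on: http://centossrv.com/
#
# Configuration part
#
##############################
## External Interface
EXTERNAL_IF="eth0"
## Define full path of functions
IPTBLS_FUNC="/root/scripts/lib/iptables_functions"
## Define full path of blacklist
DENY_HOSTS_LIST="/root/scripts/misc/blacklist"
## Define full path of whitelist
ALLOW_HOSTS_LIST="/root/scripts/misc/whitelist"
## set PATH
## (*) a fixed, system-only PATH so that iptables/sysctl/sed cannot be
##     shadowed by a binary in a caller-controlled directory
export PATH=/sbin:/bin:/usr/sbin:/usr/bin
#
# Main routines
#
##############################
## Obtain netmask from target interface
## (*) taken from the "Mask:" field of the (legacy) ifconfig output
LOCALNET_MASK=$(ifconfig "${EXTERNAL_IF}" | sed -n 's/^.*Mask:\([^ ]*\)$/\1/p')
## Obtain network address from target interface
## (*) the routing-table line that names both the interface and that netmask
LOCALNET_ADDR=$(netstat -rn | grep "${EXTERNAL_IF}" | grep "${LOCALNET_MASK}" | cut -f1 -d' ')
## Abort before any rule is touched if the local network could not be
## determined: an empty or multi-line value would make the "trust the local
## network" rules below fail, and the host could end up locked out.
case "${LOCALNET_ADDR}/${LOCALNET_MASK}" in
  /*|*/|*[!0-9./]*)  # empty component, or not a single dotted quad
    echo "$0: could not determine network/netmask of ${EXTERNAL_IF}" >&2
    exit 1
    ;;
esac
LOCALNET=${LOCALNET_ADDR}/${LOCALNET_MASK}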
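## Reset all rules
iptables -F
iptables -Z
iptables -X
## Stop running iptables
## NOTE(review): the init script's stop action presumably resets the chains
##     to ACCEPT, so the DROP policies are set right after it to keep the
##     open window as short as possible — confirm against the init script
/etc/init.d/iptables stop
## Default policy
## (These policies will be applied to packets which do not match any rule.)
## (*) INPUT/FORWARD fail closed; set before any ACCEPT rule is appended
iptables -P INPUT DROP     # Discard all incoming packets
iptables -P OUTPUT ACCEPT  # Permit all outgoing packets
iptables -P FORWARD DROP   # Discard all forwarding packets
## Permit all packets from loopback interface
iptables -A INPUT -i lo -j ACCEPT
## Permit all packets from private network
## (*) LOCALNET was derived from EXTERNAL_IF above; every host on that
##     subnet is trusted unconditionally by this rule
iptables -A INPUT -s "${LOCALNET}" -j ACCEPT
## Permit all packets via private network interface card
## (*) i.e. anything that did not arrive on the external interface
iptables -A INPUT ! -i "${EXTERNAL_IF}" -j ACCEPT
## Permit all return packets of already established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT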
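## Each kernel setting is applied live with "sysctl -w" and then made
## persistent by replacing any existing line for that key in
## /etc/sysctl.conf, so the script can be re-run without duplicating entries.
## Enable SYN Cookies
## (*) for TCP SYN Flood attack
sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null
sed -i '/net.ipv4.tcp_syncookies/d' /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies=1" >>/etc/sysctl.conf
## Do not reply to broadcast ping packets
## (*) for Smurf attack
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 >/dev/null
sed -i '/net.ipv4.icmp_echo_ignore_broadcasts/d' /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >>/etc/sysctl.conf
## Apply one per-interface IPv4 setting to every entry under
## /proc/sys/net/ipv4/conf/ (this includes "all" and "default") and persist it
## Arguments: $1 - key name below net.ipv4.conf.<dev>.   $2 - value
## (*) the glob replaces parsing "ls" output; a missing directory is skipped
## NOTE(review): an interface name containing a dot (e.g. a VLAN
##     sub-interface) is ambiguous in the dotted key form; sysctl's
##     "/"-separated form would avoid that — not changed here
SET_IPV4_CONF_ALL(){
  local key=$1 value=$2 dev_path dev
  sed -i "/net.ipv4.conf.*.${key}/d" /etc/sysctl.conf
  for dev_path in /proc/sys/net/ipv4/conf/*; do
    [ -d "${dev_path}" ] || continue
    dev=${dev_path##*/}
    sysctl -w "net.ipv4.conf.${dev}.${key}=${value}" >/dev/null
    echo "net.ipv4.conf.${dev}.${key}=${value}" >>/etc/sysctl.conf
  done
}
## Deny all ICMP Redirect packets
SET_IPV4_CONF_ALL accept_redirects 0
## Deny all Source-Routed packets
SET_IPV4_CONF_ALL accept_source_route 0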
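## Discard all packets of new sessions which do not start with the SYN flag
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
## Deny all packets of new sessions which start with SYN/ACK flags
iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
## Discard all fragmented packets after logging
## (*) "-f" matches the second and further fragments only; the first
##     fragment is still evaluated by the normal rules below
iptables -A INPUT -f -j LOG --log-level debug --log-prefix '[FRAGMENT] : '
iptables -A INPUT -f -j DROP
## Discard all packets related to NetBIOS from the external network without logging
## (*) for not logging unnecessary packets
iptables -A INPUT ! -s "${LOCALNET}" -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A INPUT ! -s "${LOCALNET}" -p udp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A OUTPUT ! -d "${LOCALNET}" -p tcp -m multiport --sports 135,137,138,139,445 -j DROP
iptables -A OUTPUT ! -d "${LOCALNET}" -p udp -m multiport --sports 135,137,138,139,445 -j DROP
## Discard all packets with a private source address arriving on the external
## interface, after logging
## (*) for IP Spoofing
## (*) only loopback and the RFC 1918 ranges are covered; other sources that
##     should never arrive from outside (e.g. 169.254.0.0/16 link-local,
##     0.0.0.0/8) and the multicast range are not — extend the list if the
##     external interface is directly internet-facing
iptables -N IP_SPOOFING
iptables -A IP_SPOOFING -j LOG --log-level debug --log-prefix '[IP SPOOFING]: '
iptables -A IP_SPOOFING -j DROP
iptables -A INPUT -i "${EXTERNAL_IF}" -s 127.0.0.0/8 -j IP_SPOOFING
iptables -A INPUT -i "${EXTERNAL_IF}" -s 10.0.0.0/8 -j IP_SPOOFING
iptables -A INPUT -i "${EXTERNAL_IF}" -s 172.16.0.0/12 -j IP_SPOOFING
iptables -A INPUT -i "${EXTERNAL_IF}" -s 192.168.0.0/16 -j IP_SPOOFING
## Rate-limit ICMP echo requests: accept at most 1/s with a burst of 4,
## log and discard the rest
## (*) for ping flooding (named "Ping of Death" in the original)
iptables -N PING_OF_DEATH
iptables -A PING_OF_DEATH -m limit --limit 1/s --limit-burst 4 -j ACCEPT
iptables -A PING_OF_DEATH -j LOG --log-level debug --log-prefix '[PING OF DEATH]: '
iptables -A PING_OF_DEATH -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j PING_OF_DEATH
## Discard all packets for all hosts (broadcast, multicast) without logging
## (*) for not logging unnecessary packets
iptables -A INPUT -d 255.255.255.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP
## Deny all packets to port 113 (IDENT)
## (*) for not delaying responses from mail servers
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset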
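## Definition of "ACCEPT_COUNTRY_MAKE" function
## Append to the user-defined chain "ACCEPT_COUNTRY" one ACCEPT rule per
## network block listed for a country.
## Arguments: $1 - country code (first column of the list)
##            $2 - (optional) path of the "<country> <cidr>" list;
##                 defaults to /tmp/cidr.txt, the file the original read
## (*) the country code is compared as a literal first field rather than used
##     as an unquoted regular expression, so "J" no longer matches "JP"
## NOTE(review): /tmp/cidr.txt is a predictable path in a shared directory and
##     everything listed in it becomes an ACCEPT rule; make sure only root can
##     create/write it — TODO confirm where IPLISTGET produces it
ACCEPT_COUNTRY_MAKE(){
  local country=$1 list=${2:-/tmp/cidr.txt} ADDR
  while IFS= read -r ADDR; do
    [ -n "${ADDR}" ] || continue
    iptables -A ACCEPT_COUNTRY -s "${ADDR}" -j ACCEPT
  done < <(awk -v cc="${country}" '$1 == cc {print $2}' "${list}")
}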
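## Definition of "DROP_COUNTRY_MAKE" function
## Append to the user-defined chain "DROP_COUNTRY" a rate-limited LOG rule
## followed by a DROP rule per network block listed for a country.
## Arguments: $1 - country code (first column of the list)
##            $2 - (optional) path of the "<country> <cidr>" list;
##                 defaults to /tmp/cidr.txt, the file the original read
## (*) the country code is compared as a literal first field rather than used
##     as an unquoted regular expression, so "K" no longer matches "KR"/"KP"
DROP_COUNTRY_MAKE(){
  local country=$1 list=${2:-/tmp/cidr.txt} ADDR
  while IFS= read -r ADDR; do
    [ -n "${ADDR}" ] || continue
    iptables -A DROP_COUNTRY -s "${ADDR}" -m limit --limit 1/s -j LOG --log-tcp-options --log-ip-options --log-level debug --log-prefix '[DENIED COUNTRY]: '
    iptables -A DROP_COUNTRY -s "${ADDR}" -j DROP
  done < <(awk -v cc="${country}" '$1 == cc {print $2}' "${list}")
}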
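## Obtain the list of IP addresses
## (*) IPTBLS_FUNC must define IPLISTGET, which builds the country/CIDR list
##     consumed by ACCEPT_COUNTRY_MAKE / DROP_COUNTRY_MAKE
## (*) fail closed if the library cannot be read: INPUT already has a DROP
##     policy and only loopback / local-network / established traffic is
##     accepted, which is safer than continuing with empty country chains
##     (an empty ACCEPT_COUNTRY would silently block SSH and mail below)
if [ ! -r "${IPTBLS_FUNC}" ]; then
  echo "$0: cannot read ${IPTBLS_FUNC}" >&2
  exit 1
fi
. "${IPTBLS_FUNC}"
## NOTE(review): the return status of IPLISTGET is not checked; if it can
##     fail (e.g. a download), ACCEPT_COUNTRY ends up empty — confirm its contract
IPLISTGET
## Create user-defined chain ("ACCEPT_COUNTRY") to permit all packets from Japan
iptables -N ACCEPT_COUNTRY
ACCEPT_COUNTRY_MAKE JP
## From below, if a service should only be reachable from Japan,
## specify "ACCEPT_COUNTRY" instead of "ACCEPT" as the target.
## Discard all packets from China, Korea, Taiwan (*) after logging
## (*) Top 3 countries (except Japan, USA) of attacks on Japanese police facilities
## Reference: http://www.cyberpolice.go.jp/detect/observation.html
iptables -N DROP_COUNTRY
DROP_COUNTRY_MAKE CN
DROP_COUNTRY_MAKE KR
DROP_COUNTRY_MAKE TW
DROP_COUNTRY_MAKE KP
iptables -A INPUT -j DROP_COUNTRY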
#
# Configuration for public services [beginning]
#
## One "NEW connection" rule per service, evaluated in table order (iptables
## walks the INPUT chain top-down, so the order below is the rule order).
## Target ACCEPT_COUNTRY: reachable only from the accepted country (Japan);
## target ACCEPT: reachable from anywhere. The last column is a label only.
while read -r PROTO PORT TARGET DESC; do
  iptables -A INPUT -p "${PROTO}" --dport "${PORT}" -m state --state NEW -j "${TARGET}"
done <<'EOF'
tcp 22  ACCEPT_COUNTRY  SSH
tcp 53  ACCEPT          DNS
udp 53  ACCEPT          DNS
tcp 80  ACCEPT          HTTP
tcp 443 ACCEPT          HTTPS
tcp 25  ACCEPT          SMTP
tcp 587 ACCEPT          SMTP Submission
tcp 465 ACCEPT_COUNTRY  SMTPS
tcp 110 ACCEPT_COUNTRY  POP3
tcp 995 ACCEPT_COUNTRY  POP3S
tcp 143 ACCEPT_COUNTRY  IMAP
tcp 993 ACCEPT_COUNTRY  IMAPS
EOF
#
# Configuration for public services [end]
#
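## Insert (at the top of INPUT) one rule per address in a host-list file
## Arguments: $1 - jump target (a chain name or ACCEPT)
##            $2 - path of the list file
## (*) addresses may be separated by spaces or newlines; blank lines and
##     anything after "#" are ignored; a missing final newline is tolerated
## (*) "-I" inserts at position 1, so every rule added here is evaluated before
##     all rules appended above, and later entries end up above earlier ones
INSERT_HOST_RULES(){
  local target=$1 list=$2 line ADDR
  local -a addrs
  while IFS= read -r line || [ -n "${line}" ]; do
    line=${line%%#*}
    read -r -a addrs <<<"${line}"
    for ADDR in "${addrs[@]}"; do
      iptables -I INPUT -s "${ADDR}" -j "${target}"
    done
  done < "${list}"
}
## Discard all packets from denied IP addresses after logging
if [ -s "${DENY_HOSTS_LIST}" ]; then
  iptables -N BLACKLIST
  iptables -A BLACKLIST -j LOG --log-level debug --log-prefix '[BLACKLIST]: '
  iptables -A BLACKLIST -j DROP
  INSERT_HOST_RULES BLACKLIST "${DENY_HOSTS_LIST}"
fi
## Permit all packets from allowed IP addresses
## (*) inserted after the blacklist, so whitelist rules sit above blacklist
##     rules and win for a host that appears in both lists
if [ -s "${ALLOW_HOSTS_LIST}" ]; then
  INSERT_HOST_RULES ACCEPT "${ALLOW_HOSTS_LIST}"
fi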
## Discard all packets which did not match any rule above, after rate-limited logging
## (*) LOG is a non-terminating target, so the DROP that follows each LOG rule
##     is what actually discards the packet
iptables --append INPUT --match limit --limit 1/s --jump LOG --log-tcp-options --log-ip-options --log-level debug --log-prefix '[DROPPED INPUT]: '
iptables --append INPUT --jump DROP
iptables --append FORWARD --match limit --limit 1/s --jump LOG --log-tcp-options --log-ip-options --log-level debug --log-prefix '[DROPPED FORWARD]: '
iptables --append FORWARD --jump DROP
## Save the rules through the init script, then start iptables from the saved set
/etc/init.d/iptables save
/etc/init.d/iptables start
# [EOF]