Last active
August 29, 2015 14:11
-
-
Save sata/36e92ddb4278748b690a to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/sh | |
| ### BEGIN INIT INFO | |
| # Provides: firewall | |
| # Required-Start: $remote_fs $syslog | |
| # Required-Stop: $remote_fs $syslog | |
| # Default-Start: 2 3 4 5 | |
| # Default-Stop: 0 1 6 | |
| # Short-Description: firewall for armitage vpn container | |
| ### END INIT INFO | |
| # firewall Start iptables firewall | |
| # chkconfig: 2345 08 92 | |
| # description: Starts, stops and saves iptables firewall | |
| vpn_if="tun0" | |
| vpn_net="10.10.5.0/24" | |
| lan_if="eth0" | |
| lan_net="10.10.0.0/24" | |
| lan_gw="10.10.0.1" | |
| ava_lan="10.10.0.51" # ava container resource to be accessible by ssh from vpn | |
| this_host="10.10.0.53" # armitage container ip | |
| success() { | |
| printf "...success" | |
| } | |
| ipv4_settings() { | |
| printf "Firewall: Setting valid settings for ipv4 in kernel" | |
| # Drop ICMP echo-request messages sent to broadcast or multicast addresses | |
| echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts | |
| # Drop source routed packets | |
| echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route | |
| # Enable TCP SYN cookie protection from SYN floods | |
| echo 1 > /proc/sys/net/ipv4/tcp_syncookies | |
| # Don't accept ICMP redirect messages | |
| echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects | |
| # Don't send ICMP redirect messages | |
| echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects | |
| # Enable source address spoofing protection | |
| echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter | |
| # Log packets with impossible source addresses | |
| echo 1 > /proc/sys/net/ipv4/conf/all/log_martians | |
| # Disable logging of bogus responses to broadcast frames | |
| echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses | |
| success ; printf "\n" | |
| } | |
| drop_policy() { | |
| printf "Firewall: Setting default policies to DROP, ACCEPT on ESTABLISHED, RELATED" | |
| iptables -P INPUT DROP | |
| iptables -P FORWARD DROP | |
| iptables -I INPUT -j ACCEPT -i lo | |
| success ; printf "\n" | |
| } | |
| rules() { | |
| printf "Firewall: vpn, container rules" | |
| # incoming vpn | |
| iptables -A INPUT -p udp --destination-port 11942 -d "$this_host" -j ACCEPT | |
| # incoming ssh only from LAN | |
| iptables -A INPUT -p tcp --destination-port 22 -s "$lan_net" -d "$this_host" -j ACCEPT | |
| # incoming established from Internet/LAN to VPN | |
| iptables -A FORWARD -i "$lan_if" -o "$vpn_if" -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # forward from VPN to Internet/LAN | |
| iptables -A FORWARD -s "$vpn_net" -o "$lan_if" -j ACCEPT | |
| # NAT outgoing VPN to LAN/Internet | |
| iptables -t nat -A POSTROUTING -s "$vpn_net" -o "$lan_if" -j MASQUERADE | |
| # reject new requests FORWARD from lan/Internet to VPN | |
| iptables -I FORWARD -i "$lan_if" -o "$vpn_if" -m state --state NEW -j REJECT | |
| # reject VPN to LAN except for DNS | |
| iptables -I FORWARD -i "$vpn_if" -o "$lan_if" -d "$lan_net" -m state --state NEW -j REJECT | |
| iptables -I OUTPUT -o "$vpn_if" -d "$lan_net" -m state --state NEW -j REJECT | |
| # allow DNS from VPN to GW | |
| iptables -I FORWARD -p udp --destination-port 53 -i "$vpn_if" -o "$lan_if" -d "$lan_gw" -m state --state NEW -j ACCEPT | |
| # allow SSH from VPN to Ava | |
| iptables -I FORWARD -p tcp --destination-port 22 -i "$vpn_if" -o "$lan_if" -d "$ava_lan" -m state --state NEW -j ACCEPT | |
| success ; printf "\n" | |
| } | |
| handle_bad_packets() { | |
| printf "Firewall: Inserting (in the top) check on SYN, XMAS, NULL, DROP invalid packets" | |
| # Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them: | |
| iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP | |
| iptables -I FORWARD -p tcp ! --syn -m state --state NEW -j DROP | |
| # Incoming malformed XMAS packets drop them: | |
| iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP | |
| iptables -I FORWARD -p tcp --tcp-flags ALL ALL -j DROP | |
| # Incoming malformed NULL packets: | |
| iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP | |
| iptables -I FORWARD -p tcp --tcp-flags ALL NONE -j DROP | |
| # DROP INVALID | |
| iptables -I INPUT -m state --state INVALID -j DROP | |
| iptables -I FORWARD -m state --state INVALID -j DROP | |
| success ; printf "\n" | |
| } | |
| purge() { | |
| printf "Firewall: Purging and allowing all traffic" | |
| iptables -P OUTPUT ACCEPT | |
| iptables -P FORWARD ACCEPT | |
| iptables -P INPUT ACCEPT | |
| iptables -F | |
| iptables -t nat -F | |
| success ; printf "\n" | |
| } | |
| main_setup() { | |
| ipv4_settings | |
| drop_policy | |
| rules | |
| handle_bad_packets | |
| } | |
| case "$1" in | |
| start) | |
| echo "Starting firewall..." | |
| purge | |
| main_setup | |
| ;; | |
| stop) | |
| echo "Stopping firewall..." | |
| purge | |
| ;; | |
| restart) | |
| "$0" stop | |
| "$0" start | |
| ;; | |
| status) | |
| iptables -n -L | |
| ;; | |
| *) | |
| echo "Usage: $0 <start|stop|restart|status>" | |
| ;; | |
| esac |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment