» »

iptables skripta

HriBB ::

tole skriptio sm najdu na gentoo forumu in jo mal spremenu za moje potrebe. upam da komu pride prav, hkrati pa prosim vse guruje da mal preverijo ce je vse v redu.

ps: ce imate tezave z iptables ali pa se jih samo zelite nauciti uporabljati obvezno obiscite zgornji link
#!/bin/bash


################################################
################## INTERFACES ##################
################################################
# External interface
EXTIF=dsl0
# Internal interface
INTIF=eth0
# Loop device/localhost
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"


###############################################
################## VARIABLES ##################
###############################################
# Text tools variables
IPT='/usr/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'

# Setting up external interface environment variables
EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTBC="255.255.255.255"
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTNET="$EXTIP/$EXTMSK"
#echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
echo ""
echo "INTERFACES"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"

# Setting up environment variables for internal interface one
INTIP="`$IFC $INTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC="`$IFC $INTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK="`$IFC $INTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET="$INTIP/$INTMSK"
echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"
echo ""


####################################################
################## INITIALIZATION ##################
####################################################
# Deny than accept: this keeps holes from opening up
# while we close ports and such
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
$IPT -t $i -F
done

for i in $CHAINS;
do
$IPT -t $i -X
done

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done

echo 1 > /proc/sys/net/ipv4/ip_forward


#############################################
################## LOGGING ##################
#############################################
# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log.

# Do not complain if chain already exists (so restart is clean)
$IPT -N drop_input 2> /dev/null
$IPT -A drop_input -j LOG --log-prefix 'FW DROP INPUT:'
$IPT -A drop_input -j DROP

$IPT -N drop_output 2> /dev/null
$IPT -A drop_output -j LOG --log-prefix 'FW DROP OUTPUT:'
$IPT -A drop_output -j DROP

$IPT -N drop_forward 2> /dev/null
$IPT -A drop_forward -j LOG --log-prefix 'FW DROP FORWARD:'
$IPT -A drop_forward -j DROP


##################################################
################## COMMON RULES ##################
##################################################
# Now we are going to accpet all traffic from our loopback device
# if the IP matches any of our interfaces.
$IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $INTIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -s $LPDIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -s $EXTIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -s $INTIP -j ACCEPT

# Blocking Broadcasts
$IPT -A INPUT -i $EXTIF -d $EXTBC -j drop_input
$IPT -A INPUT -i $INTIF -d $INTBC -j drop_input
$IPT -A OUTPUT -o $EXTIF -d $EXTBC -j drop_output
$IPT -A OUTPUT -o $INTIF -d $INTBC -j drop_output

# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into our external interface does not originate from our isp assigned
# ip address, drop it like a hot potato
$IPT -A INPUT -i $EXTIF -d ! $EXTIP -j drop_input

# Now we will block internal addresses originating from anything butour predefined interface.....
# just remember that if you jack your your laptop or another pc into one of these NIC's directly,
# you'll need # to ensure that they either have the same ip or that you add a line explicitly
# that IP as well
$IPT -A INPUT -i $INTIF -s ! $INTNET -j drop_input
$IPT -A OUTPUT -o $INTIF -d ! $INTNET -j drop_output

# An additional Egress check
$IPT -A OUTPUT -o $EXTIF -s ! $EXTNET -j drop_output

# Block outbound ICMP (except for PING)
$IPT -A OUTPUT -o $EXTIF -p icmp --icmp-type ! 8 -j drop_output


#####################################################
################## BLOCK BAD PORTS ##################
#####################################################
# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"

# TCP ports:
# 98 is Linuxconf
# 512-5!5 is rexec, rlogin, rsh, printer(lpd)
# [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"

# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"

echo "BLOCK PORTS"
echo -n "TCP: "
tput sgr0
for i in $TCPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p tcp --dport $i -j drop_input
$IPT -A OUTPUT -p tcp --dport $i -j drop_output
done
echo ""

echo -n "UDP: "
for i in $UDPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p udp --dport $i -j drop_input
$IPT -A OUTPUT -p udp --dport $i -j drop_output
done
echo ""
echo ""


#############################################################
################## FTP CONNECTION TRACKING ##################
#############################################################
# Opening up ftp connection tracking
#MODULES="ip_nat_ftp ip_conntrack_ftp"
#for i in $MODULES;
#do
# echo "Inserting module $i"
# modprobe $i
#done


##########################################################
################## EXTERNAL > LOCALHOST ##################
##########################################################
EXTTCPHOST="ssh 6999 7000 7001"
EXTUDPHOST=""

echo "ALLOW PORTS"
echo -n "EXTERNAL > LOCALHOST TCP: "
for i in $EXTTCPHOST;
do
echo -n "$i "
$IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo -n "EXTERNAL > LOCALHOST UDP: "
for i in $EXTUDPHOST;
do
echo -n "$i "
$IPT -A INPUT -i $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT
done
echo ""

##########################################################
################## INTERNAL > LOCALHOST ##################
##########################################################
INTTCPHOST="ssh"
INTUDPHOST=""

echo -n "INTERNAL > LOCALHOST TCP: "
for i in $INTTCPHOST;
do
echo -n "$i "
$IPT -A INPUT -i $INTIF -p tcp -d $INTIP --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo -n "INTERNAL > LOCALHOST UDP: "
for i in $INTUDPHOST;
do
echo -n "$i "
$IPT -A INPUT -i $INTIF -p udp -s $INTIP --dport $i -m state --state NEW -j ACCEPT
done
echo ""


##########################################################
################## LOCALHOST > EXTERNAL ##################
##########################################################
IRC='ircd'
MSN=1863
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371

EXTTCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $MSN $OpenPGP_HTTP_Keyserver 6969"
EXTUDPSERV="domain time"

echo -n "LOCALHOST > EXTERNAL TCP: "
for i in $EXTTCPSERV;
do
echo -n "$i "
$IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo -n "LOCALHOST > EXTERNAL UDP: "
for i in $EXTUDPSERV;
do
echo -n "$i "
$IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT
done
echo ""


###########################################################
################## LOCALHOST > INTERNAL ###################
###########################################################
INTTCPSERV="ssh"
INTUDPSERV=""

echo -n "LOCALHOST > INTERNAL TCP: "
for i in $INTTCPSERV;
do
echo -n "$i "
$IPT -A OUTPUT -o $INTIF -p tcp -s $INTIP --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo -n "LOCALHOST > INTERNAL UDP: "
for i in $INTUDPSERV;
do
echo -n "$i "
$IPT -A OUTPUT -o $INTIF -p udp -s $INTIP --dport $i -m state --state NEW -j ACCEPT
done
echo ""


################################################
################## ALLOW PING ##################
################################################
# Allow to ping out
$IPT -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INTIF -p icmp -s $INTIP --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow firewall to ping internal systems
$IPT -A OUTPUT -o $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT


##############################################
################## FINALIZE ##################
##############################################
# Allow existing connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# block and log what me may have forgot
$IPT -A INPUT -j drop_input
$IPT -A OUTPUT -j drop_output
$IPT -A FORWARD -j drop_forward
jaja

Gandalfar ::

OpenPGP_HTTP_Keyserver=11371


Zakaj je pa to kul laufat? :)

HriBB ::

ehm... pojma nimam. toj tip naredu in glede na to da mal bl zna od mene sm mislu da je pomembno:D eh jest bom kr izkljucu in kar bo, bo...

ps: port range se da tud tkole 6999:7001 (doh...)

pss: en nasvet glede NFS. lahko ga izkljucite in uporabljate konqueror -> fish://uporabnik@streznik/pot obstajajo tudi posebni programi za to
jaja

karafeka ::

Hvala ti za to skripto.... sicer sem tisto na gentoojevem forumu že prej našel, vendar mi nikak ni ratalo, da bi vse poštimo tk ko je treba (še posebej mi ni ratalo uštimat sambe, pa sem sprobal vse mogoče). Tvoja je pa lepo razdeljena in mi je bila v veliko pomoć. Še več takih :).

Daedalus ::

Mogoče sem len, samo sam precej raje uporabljam shorewall. Je tekstovni frontend za iptables in precej lažji za naučit in upravljat, kot pa direktno delo z iptables.
Man is condemned to be free; because once thrown into the world,
he is responsible for everything he does.
[J.P.Sartre]

roscha ::

Ma ja.. Fwbuilder rox.

karafeka ::

Kako imate to zrihtano za mulo?
Če mam OUTPUT na drop, potem mi najde zelo malo oz. nič virov za prenos dol. Če dam OUTPUT na ACCEPT je vse vredu, ampak a je to prava rešitev?

Pri external > localhost mam odprta ista tcp in udp porta kot pa sta naštimana v amule. Imam HighID, vendar lahko od mene samo vlečejo, medtem ko mi ne najde nobenga vira. Če flushnem :) nastavitve za iptables, mi deluje vse normalno.

Zgodovina sprememb…

  • spremenil: karafeka ()

karafeka ::

Zadnji del (finalize) skripte sem spremenil tako:

$IPT -A INPUT -j drop_input
$IPT -A OUTPUT -m owner --cmd-owner amule -j ACCEPT
$IPT -A OUTPUT -j drop_input
$IPT -A FORWARD -j drop_forward

uporabil sem modul owner in celo deluje. Naj nekdo, ki to malo bolj obvlada pove ali je tako prav.


Vredno ogleda ...

TemaSporočilaOglediZadnje sporočilo
TemaSporočilaOglediZadnje sporočilo
»

ProtFtp Passive mode in iptables

Oddelek: Programska oprema
25895 (717) SasoS
»

iptables "whitelist" težavica

Oddelek: Omrežja in internet
12804 (550) McMallar
»

iptables problem z SSH

Oddelek: Omrežja in internet
12830 (684) sverde21
»

IPTables

Oddelek: Operacijski sistemi
211060 (689) Brane2
»

pomoč pri iptables

Oddelek: Omrežja in internet
101001 (830) HellRaiseR

Več podobnih tem