Ukazkovy iptables script...
david.kopecek na hacktrack.com
david.kopecek na hacktrack.com
Čtvrtek Říjen 20 10:34:38 CEST 2005
Zdravi konferenci
dostal se mi pod ruku fw s iptables kde se pouziva nasledujici
ukazkovy script pro vytvoreni fw s routerem.. Script vetsina lidi zna
:).. POtreboval bych poradit jak zakazat odchazeni nekterym paketum na
urcite porty. jako je 139,138. Nejake pravidla jsem tam umistil ale
asi ne na spravne misto prtoze pakety chodej vesele dal..
=======================================================================
#!/bin/bash
#
# Firewall Script
# chkconfig: 2345 11 89
# description: firewall script for 2.4.x kernel
################################################
# Fill in the values below to match your
# local network.
LAN_IP_RANGE="192.168.0.0/16"
LAN_IP="192.168.0.1/32"
LAN_IP1="192.168.1.1/32"
INET_IP="194.108.122.122"
LAN_BCAST_ADRESS="192.168.0.255/32"
LAN_BCAST_ADRESS1="192.168.1.255/32"
LOCALHOST_IP="127.0.0.1/32"
INET_IFACE="eth0"
LAN_IFACE="eth1"
LAN_IFACE1="eth2"
LO_IFACE="lo"
IPTABLES="/sbin/iptables"
################################################
# some handy generic values to use
ANY=0.0.0.0/0
ALLONES=255.255.255.255
# Source function library.
#. /etc/rc.d/init.d/functions
# Source networking configuration.
#. /etc/sysconfig/network
# Check that networking is up.
#[ ${NETWORKING} = "no" ] && exit 0
# Check kernel version
if [ ! -x $IPTABLES ]; then
echo "$IPTABLES not found - cannot run firewall !!!"
exit 0
fi
if [ ! -f /proc/net/ip_tables_names ]; then
modprobe ip_tables > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo "CANNOT RUN FIREWALL !!!"
exit 1
fi
fi
# See how we are called
case "$1" in
start)
# Start providing access
echo "Starting firewall: "
# Flush all lists
$IPTABLES -F
# Turn on packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Plug up everything
$IPTABLES -I INPUT -i ! lo -j DROP
$IPTABLES -I FORWARD -j DROP
$IPTABLES -I OUTPUT -o ! lo -j DROP
##
## Install Modules
##
# Insert the active ftp module. This will allow non-passive ftp to machines
# on the local network (but not to the router since it is not masq'd)
needed_mods="ipt_LOG ip_nat_ftp ipt_REJECT ipt_MASQUERADE ip_conntrack_ftp"
for mod in $needed_mods; do
if ! ( /sbin/lsmod | /bin/grep $mod > /dev/null ); then
/sbin/modprobe $mod || echo "Cannot load module : $mod"
fi
done
##
## Some Security Stuff
##
# turn on Source Address Verification and get spoof protection
# on all current and future interfaces.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
else
echo
echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED."
echo
fi
########
## Firewall rules
##
#
# POSTROUTING chain in the nat table
#
$IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
#
# Bad TCP packets we don't want
#
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE1 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udp_in_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j LOG --log-prefix "TCP not established: "
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed # SSH
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed # SMTP
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed # WWW
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed # auth
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed # FTP
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed # POP3
#
# UDP ports
#
$IPTABLES -A udp_in_packets -p UDP -s 0/0 --sport 53 -j ACCEPT # DNS
$IPTABLES -A udp_in_packets -p UDP -s 0/0 --sport 123 -j ACCEPT # NTP
$IPTABLES -A udp_in_packets -p UDP -s 0/0 --sport 21 -j ACCEPT # FTP
#
# PREROUTING chain.
#
# Do some checks for obviously spoofed IP's
#
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
#
# INPUT chain
#
# Take care of bad TCP packets that we don't want
#
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#
# Rules for incoming packets from the internet
#
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_in_packets
$IPTABLES -t nat -A PREROUTING -p tcp -d 194.108.122.122 --dport 5555 -j DNAT --to 192.168.0.222:5555
$IPTABLES -t nat -A POSTROUTING -p tcp -s 192.168.0.222 --source-port 5555 -j SNAT --to 194.108.122.122:5555
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -d 192.168.0.222 --dport 5555 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $LAN_IFACE -s 192.168.0.222 --dport 5555 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -d 194.108.122.122 --dport 5555 -j DNAT --to 192.168.0.222:5555
$IPTABLES -t nat -A POSTROUTING -p udp -s 192.168.0.222 --source-port 5555 -j SNAT --to 194.108.122.122:555
$IPTABLES -A FORWARD -p udp -i $INET_IFACE -d 192.168.0.222 --dport 5555 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $LAN_IFACE -s 192.168.0.222 --dport 5555 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d 194.108.122.122 --dport 65530 -j DNAT --to 192.168.0.233:65530
$IPTABLES -t nat -A POSTROUTING -p tcp -s 192.168.0.233 --source-port 65530 -j SNAT --to 194.108.122.122:65530
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -d 192.168.0.233 --dport 65530 -j allowed
$IPTABLES -A FORWARD -p tcp -i $LAN_IFACE -s 192.168.0.233 --dport 65530 -j allowed
$IPTABLES -t nat -A PREROUTING -p udp -d 194.108.122.122 --dport 65530 -j DNAT --to 192.168.0.233:65530
$IPTABLES -t nat -A POSTROUTING -p udp -s 192.168.0.233 --source-port 65530 -j SNAT --to 194.108.122.122:65530
$IPTABLES -A FORWARD -p udp -i $INET_IFACE -d 192.168.0.233 --dport 65530 -j allowed
$IPTABLES -A FORWARD -p tcp -i $LAN_IFACE -s 192.168.0.233 --dport 65530 -j allowed
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE1 -d $LAN_BCAST_ADRESS1 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LAN_IP1 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE1 -d $LAN_IP1 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP1 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE1 -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# OUTPUT chain
#
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 0/0 --dport 137 -j DROP
$IPTABLES -A OUTPUT -p tcp -s 0/0 --dport 138 -j DROP
$IPTABLES -A OUTPUT -p tcp -s 0/0 --dport 139 -j DROP
$IPTABLES -A OUTPUT -p tcp -s 0/0 --dport 135 -j DROP
$IPTABLES -A OUTPUT -p tcp -s 0/0 --dport 445 -j DROP
$IPTABLES -A OUTPUT -p udp -s 0/0 --dport 137 -j DROP
$IPTABLES -A OUTPUT -p udp -s 0/0 --dport 138 -j DROP
$IPTABLES -A OUTPUT -p udp -s 0/0 --dport 139 -j DROP
$IPTABLES -A OUTPUT -p udp -s 0/0 --dport 135 -j DROP
$IPTABLES -A OUTPUT -p udp -s 0/0 --dport 445 -j DROP
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
#######
# Let's open the plug
$IPTABLES -D INPUT 1
$IPTABLES -D FORWARD 1
$IPTABLES -D OUTPUT 1
$IPTABLES -A OUTPUT -p tcp -s $LAN_IP -j DROP
;;
stop)
echo "Stoping firewall: "
echo 0 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -F allowed
$IPTABLES -F tcp_packets
$IPTABLES -F icmp_packets
$IPTABLES -F udp_in_packets
$IPTABLES -X allowed
$IPTABLES -X tcp_packets
$IPTABLES -X icmp_packets
$IPTABLES -X udp_in_packets
echo
;;
restart)
echo "Restarting firewall: "
$0 stop
$0 start
echo
;;
status)
# List out settings
$IPTABLES -L
;;
*)
echo "Usage: $0 {start|stop|restart|status}"
exit 1
esac
===============================================
Další informace o konferenci Linux