Ukazkovy iptables script...

david.kopecek na hacktrack.com david.kopecek na hacktrack.com
Čtvrtek Říjen 20 10:34:38 CEST 2005


Zdravi konferenci

dostal se mi pod ruku fw s iptables kde se pouziva nasledujici
ukazkovy script pro vytvoreni fw s routerem.. Script vetsina lidi zna
:).. POtreboval bych poradit jak zakazat odchazeni nekterym paketum na
urcite porty. jako je 139,138. Nejake pravidla jsem tam umistil ale
asi ne na spravne misto prtoze pakety chodej vesele dal..

=======================================================================
#!/bin/bash
#
# Firewall Script

# chkconfig: 2345 11 89
# description: firewall script for 2.4.x kernel


################################################
#  Fill in the values below to match your
#  local network.

LAN_IP_RANGE="192.168.0.0/16"
LAN_IP="192.168.0.1/32"
LAN_IP1="192.168.1.1/32"
INET_IP="194.108.122.122"
LAN_BCAST_ADRESS="192.168.0.255/32"
LAN_BCAST_ADRESS1="192.168.1.255/32"
LOCALHOST_IP="127.0.0.1/32"
INET_IFACE="eth0"
LAN_IFACE="eth1"
LAN_IFACE1="eth2"
LO_IFACE="lo"

IPTABLES="/sbin/iptables"

################################################

# some handy generic values to use
ANY=0.0.0.0/0
ALLONES=255.255.255.255

# Source function library.
#. /etc/rc.d/init.d/functions

# Source networking configuration.
#. /etc/sysconfig/network

# Check that networking is up.
#[ ${NETWORKING} = "no" ] && exit 0

# Check kernel version
if [ ! -x $IPTABLES ]; then
        echo "$IPTABLES not found - cannot run firewall !!!"
        exit 0
fi

if [ ! -f /proc/net/ip_tables_names ]; then
        modprobe ip_tables > /dev/null 2>&1
        if [ $? -ne 0 ]; then
                echo "CANNOT RUN FIREWALL !!!"
                exit 1
        fi
fi

# See how we are called
case "$1" in
  start)
        # Start providing access
        echo "Starting firewall: "

        # Flush all lists
        $IPTABLES -F

        # Turn on packet forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward

        # Plug up everything
        $IPTABLES -I INPUT -i ! lo -j DROP
        $IPTABLES -I FORWARD -j DROP
        $IPTABLES -I OUTPUT -o ! lo -j DROP

        ##
        ## Install Modules
        ##
        # Insert the active ftp module.  This will allow non-passive ftp to machines
        # on the local network (but not to the router since it is not masq'd)
                needed_mods="ipt_LOG ip_nat_ftp ipt_REJECT ipt_MASQUERADE ip_conntrack_ftp"
                for mod in $needed_mods; do
                if ! ( /sbin/lsmod | /bin/grep $mod > /dev/null ); then
                    /sbin/modprobe $mod || echo "Cannot load module : $mod"
                fi
                done

        ##
        ## Some Security Stuff
        ##
        # turn on Source Address Verification and get spoof protection
        # on all current and future interfaces.
        if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
            for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
                echo 1 > $f
            done
        else
            echo
            echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED."
            echo
        fi

        ########
        ## Firewall rules
        ##

        #
        # POSTROUTING chain in the nat table
        #
        $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
        $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

        #
        # Bad TCP packets we don't want
        #

        $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
        $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

        #
        # Accept the packets we actually want to forward
        #

        $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
        $IPTABLES -A FORWARD -i $LAN_IFACE1 -j ACCEPT
        $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

        #
        # Set default policies for the INPUT, FORWARD and OUTPUT chains
        #

        $IPTABLES -P INPUT DROP
        $IPTABLES -P OUTPUT DROP
        $IPTABLES -P FORWARD DROP

        #
        # Create separate chains for ICMP, TCP and UDP to traverse
        #

        $IPTABLES -N icmp_packets
        $IPTABLES -N tcp_packets
        $IPTABLES -N udp_in_packets

        #
        # The allowed chain for TCP connections
        #

        $IPTABLES -N allowed
        $IPTABLES -A allowed -p TCP --syn -j ACCEPT
        $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A allowed -p TCP -j LOG --log-prefix "TCP not established: "
        $IPTABLES -A allowed -p TCP -j DROP

        #
        # ICMP rules
        #

        $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
        $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
        $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
        $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

        #
        # TCP rules
        #

        $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed    # SSH
        $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed    # SMTP
        $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed    # WWW
        $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed   # auth
        $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed    # FTP
        $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed   # POP3

        #
        # UDP ports
        #

        $IPTABLES -A udp_in_packets -p UDP -s 0/0 --sport 53 -j ACCEPT  # DNS
        $IPTABLES -A udp_in_packets -p UDP -s 0/0 --sport 123 -j ACCEPT # NTP
        $IPTABLES -A udp_in_packets -p UDP -s 0/0 --sport 21 -j ACCEPT  # FTP
        
        #
        # PREROUTING chain.
        #
        # Do some checks for obviously spoofed IP's
        #

        $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
        #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP


        #
        # INPUT chain
        #
        # Take care of bad TCP  packets that we don't want
        #

        $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
        $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

        #
        # Rules for incoming packets from the internet
        #

        $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
        $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
        $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_in_packets

        $IPTABLES -t nat -A PREROUTING  -p tcp -d 194.108.122.122 --dport 5555 -j DNAT --to 192.168.0.222:5555
        $IPTABLES -t nat -A POSTROUTING -p tcp -s 192.168.0.222 --source-port 5555 -j SNAT --to 194.108.122.122:5555
        $IPTABLES -A FORWARD -p tcp -i $INET_IFACE -d 192.168.0.222 --dport 5555 -j ACCEPT
        $IPTABLES -A FORWARD -p tcp -i $LAN_IFACE -s 192.168.0.222 --dport 5555 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING  -p udp -d 194.108.122.122 --dport 5555 -j DNAT --to 192.168.0.222:5555
        $IPTABLES -t nat -A POSTROUTING -p udp -s 192.168.0.222 --source-port 5555 -j SNAT --to 194.108.122.122:555
        $IPTABLES -A FORWARD -p udp -i $INET_IFACE -d 192.168.0.222 --dport 5555 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -i $LAN_IFACE -s 192.168.0.222 --dport 5555 -j ACCEPT       

        $IPTABLES -t nat -A PREROUTING  -p tcp -d 194.108.122.122 --dport 65530 -j DNAT --to 192.168.0.233:65530
        $IPTABLES -t nat -A POSTROUTING -p tcp -s 192.168.0.233 --source-port 65530 -j SNAT --to 194.108.122.122:65530
        $IPTABLES -A FORWARD -p tcp -i $INET_IFACE -d 192.168.0.233 --dport 65530 -j allowed
        $IPTABLES -A FORWARD -p tcp -i $LAN_IFACE -s 192.168.0.233 --dport 65530 -j allowed
        $IPTABLES -t nat -A PREROUTING  -p udp -d 194.108.122.122 --dport 65530 -j DNAT --to 192.168.0.233:65530
        $IPTABLES -t nat -A POSTROUTING -p udp -s 192.168.0.233 --source-port 65530 -j SNAT --to 194.108.122.122:65530
        $IPTABLES -A FORWARD -p udp -i $INET_IFACE -d 192.168.0.233 --dport 65530 -j allowed
        $IPTABLES -A FORWARD -p tcp -i $LAN_IFACE -s 192.168.0.233 --dport 65530 -j allowed

        #
        # Rules for special networks not part of the Internet
        #

        $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
        $IPTABLES -A INPUT -p ALL -i $LAN_IFACE1 -d $LAN_BCAST_ADRESS1 -j ACCEPT
        $IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LOCALHOST_IP -j ACCEPT
        $IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LAN_IP -j ACCEPT
        $IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LAN_IP1 -j ACCEPT
        $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
        $IPTABLES -A INPUT -p ALL -i $LAN_IFACE1 -d $LAN_IP1 -j ACCEPT
        $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP1 -j ACCEPT
        $IPTABLES -A INPUT -p ALL -i $LAN_IFACE1 -d $LAN_IP -j ACCEPT
        $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

        #
        # OUTPUT chain
        #

        $IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
        $IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

        $IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
        $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
        $IPTABLES -A OUTPUT -p ALL -s $LAN_IP1 -j ACCEPT
        $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
        
        $IPTABLES -A OUTPUT -p tcp -s 0/0 --dport 137 -j DROP
        $IPTABLES -A OUTPUT -p tcp -s 0/0 --dport 138 -j DROP
        $IPTABLES -A OUTPUT -p tcp -s 0/0 --dport 139 -j DROP
        $IPTABLES -A OUTPUT -p tcp -s 0/0 --dport 135 -j DROP
        $IPTABLES -A OUTPUT -p tcp -s 0/0 --dport 445 -j DROP
        
        $IPTABLES -A OUTPUT -p udp -s 0/0 --dport 137 -j DROP
        $IPTABLES -A OUTPUT -p udp -s 0/0 --dport 138 -j DROP
        $IPTABLES -A OUTPUT -p udp -s 0/0 --dport 139 -j DROP
        $IPTABLES -A OUTPUT -p udp -s 0/0 --dport 135 -j DROP
        $IPTABLES -A OUTPUT -p udp -s 0/0 --dport 445 -j DROP

                
        $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

        #######
        # Let's open the plug
        $IPTABLES -D INPUT 1
        $IPTABLES -D FORWARD 1
        $IPTABLES -D OUTPUT 1

        $IPTABLES -A OUTPUT -p tcp -s $LAN_IP -j DROP
        ;;

  stop)
        echo "Stoping firewall: "
        echo 0 > /proc/sys/net/ipv4/ip_forward
        $IPTABLES -F INPUT
        $IPTABLES -F OUTPUT
        $IPTABLES -F FORWARD
        $IPTABLES -t nat -F PREROUTING
        $IPTABLES -t nat -F POSTROUTING
        $IPTABLES -F allowed
        $IPTABLES -F tcp_packets
        $IPTABLES -F icmp_packets
        $IPTABLES -F udp_in_packets
        $IPTABLES -X allowed
        $IPTABLES -X tcp_packets
        $IPTABLES -X icmp_packets
        $IPTABLES -X udp_in_packets

        echo
        ;;

  restart)
        echo "Restarting firewall: "
        $0 stop
        $0 start

        echo
        ;;

  status)
        # List out settings
        $IPTABLES -L
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1

esac
===============================================



Další informace o konferenci Linux