version 2.20, 2005/03/04 23:53:14 |
version 2.25, 2005/06/29 15:24:04 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.19 2005/03/01 23:17:11 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.24 2005/04/18 22:49:30 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
|
|
DESC="firewall" |
DESC="firewall" |
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin |
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin |
|
|
DEFAULT_CONFIG="${DEFAULT_CONFIG:=/etc/default/firewall}" |
DEFAULT_FIREWALL_CONFIG="${DEFAULT_FIREWALL_CONFIG:=/etc/default/firewall}" |
|
|
if [ -f "$DEFAULT_CONFIG" ]; then |
if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then |
echo "Reading config file $DEFAULT_CONFIG" |
echo "Reading config file $DEFAULT_FIREWALL_CONFIG" |
. $DEFAULT_CONFIG |
. $DEFAULT_FIREWALL_CONFIG |
fi |
fi |
|
|
# |
# |
Line 38 LOG_LIMIT="${LOG_LIMIT:=-m limit --limit |
|
Line 38 LOG_LIMIT="${LOG_LIMIT:=-m limit --limit |
|
# Paths: |
# Paths: |
#IPTABLES=":" # for testing only - does nothing |
#IPTABLES=":" # for testing only - does nothing |
IPTABLES="${IPTABLES:=$DEBUG/sbin/iptables}" |
IPTABLES="${IPTABLES:=$DEBUG/sbin/iptables}" |
|
if [ "x$LOGGING" = "xoff" ]; then |
|
IPTABLES_LOG=": log turned off" |
|
else |
|
IPTABLES_LOG="${IPTABLES_LOG:=$DEBUG/sbin/iptables}" |
|
fi |
IFCONFIG="${IFCONFIG:=/sbin/ifconfig}" |
IFCONFIG="${IFCONFIG:=/sbin/ifconfig}" |
DEPMOD="${DEPMOD:=/sbin/depmod}" |
DEPMOD="${DEPMOD:=/sbin/depmod}" |
MODPROBE="${MODPROBE:=/sbin/modprobe}" |
MODPROBE="${MODPROBE:=/sbin/modprobe}" |
|
|
done |
done |
} # }}} |
} # }}} |
|
|
|
forward_on() |
|
{ # {{{ |
|
echo -en "NAT: Enabling packet forwarding..." |
|
echo 1 > /proc/sys/net/ipv4/ip_forward |
|
echo " done." |
|
} # }}} |
|
|
|
forward_off() |
|
{ # {{{ |
|
echo -en "NAT: Disabling packet forwarding..." |
|
echo 0 > /proc/sys/net/ipv4/ip_forward |
|
echo " done." |
|
} # }}} |
|
|
# clear status of iptable chains |
# clear status of iptable chains |
remove_chains() |
remove_chains() |
{ # {{{ |
{ # {{{ |
Line 138 nmap_scan_filter() |
|
Line 157 nmap_scan_filter() |
|
|
|
for chain in INPUT FORWARD; do |
for chain in INPUT FORWARD; do |
# Nie je nastaveny ziaden bit |
# Nie je nastaveny ziaden bit |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
echo -en "." |
echo -en "." |
|
|
# dva odporujuuce si flagy su nastavene: |
# dva odporujuuce si flagy su nastavene: |
for flags in SYN,FIN SYN,RST FIN,RST ; do |
for flags in SYN,FIN SYN,RST FIN,RST ; do |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
echo -en "." |
echo -en "." |
done |
done |
|
|
# je nastavene len $flags bez predpokladaneho ACK |
# je nastavene len $flags bez predpokladaneho ACK |
for flags in FIN PSH URG ; do |
for flags in FIN PSH URG ; do |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
echo -en "." |
echo -en "." |
done |
done |
done |
done |
Line 170 invalid_packet_filter() |
|
Line 189 invalid_packet_filter() |
|
|
|
echo -en "Turning on INVALID packet filter " |
echo -en "Turning on INVALID packet filter " |
for chain in INPUT OUTPUT FORWARD; do |
for chain in INPUT OUTPUT FORWARD; do |
$IPTABLES -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: " |
$IPTABLES_LOG -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
echo -en "." |
echo -en "." |
done |
done |
|
|
Line 207 anti_spoof_filter() |
|
Line 226 anti_spoof_filter() |
|
$IPTABLES -N spoof |
$IPTABLES -N spoof |
|
|
# Ochrana proti Spoogingu zo spatnej slucky |
# Ochrana proti Spoogingu zo spatnej slucky |
$IPTABLES -A spoof -s 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 src" |
$IPTABLES_LOG -A spoof -s 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 src" |
$IPTABLES -A spoof -s 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -s 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -d 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 dest" |
$IPTABLES_LOG -A spoof -d 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 dest" |
$IPTABLES -A spoof -d 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -d 127.0.0.0/8 -j DROP |
# Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete |
# Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete |
$IPTABLES -A spoof -s 192.168.0.0/16 $LOG_LIMIT "RESERVED:192.168.0.0/16 src" |
$IPTABLES_LOG -A spoof -s 192.168.0.0/16 $LOG_LIMIT "RESERVED:192.168.0.0/16 src" |
$IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 172.16.0.0/12 $LOG_LIMIT "RESERVED:172.16.0.0/12 src" |
$IPTABLES_LOG -A spoof -s 172.16.0.0/12 $LOG_LIMIT "RESERVED:172.16.0.0/12 src" |
$IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 10.0.0.0/8 $LOG_LIMIT "RESERVED:10.0.0.0/8 src" |
$IPTABLES_LOG -A spoof -s 10.0.0.0/8 $LOG_LIMIT "RESERVED:10.0.0.0/8 src" |
$IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES -A spoof -s 96.0.0.0/4 $LOG_LIMIT "RESERVED:96.0.0.0/4 src" |
$IPTABLES_LOG -A spoof -s 96.0.0.0/4 $LOG_LIMIT "RESERVED:96.0.0.0/4 src" |
$IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA |
$IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA |
|
|
for iface in $ANTISPOOF_IFACE; do |
for iface in $ANTISPOOF_IFACE; do |
echo -en " $iface" |
echo -en " $iface" |
|
|
masquerade() |
masquerade() |
{ # {{{ |
{ # {{{ |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
|
echo -en "NAT: Enabling packet forwarding..." |
|
echo 1 > /proc/sys/net/ipv4/ip_forward |
|
echo " done." |
echo -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" |
echo -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" |
|
|
ip="IP_$NAT_SUBNET_IFACE"; |
ip="IP_$NAT_SUBNET_IFACE"; |
|
|
echo -en " $type" |
echo -en " $type" |
$IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT |
$IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT |
done |
done |
#$IPTABLES -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: " |
#$IPTABLES_LOG -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: " |
echo " done." |
echo " done." |
|
|
# Port forwarding to local machines |
# Port forwarding to local machines |
Line 367 log_new_connections() |
|
Line 389 log_new_connections() |
|
if [ ! -z "$NAT_LOG_NEW_CONNECTIONS" ]; then |
if [ ! -z "$NAT_LOG_NEW_CONNECTIONS" ]; then |
if [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ]; then |
if [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ]; then |
echo -en "Logging new connections:" |
echo -en "Logging new connections:" |
$IPTABLES -A INPUT -m state --state NEW -j LOG --log-prefix "IN connection: " |
$IPTABLES_LOG -A INPUT -m state --state NEW -j LOG --log-prefix "IN connection: " |
$IPTABLES -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT connection: " |
$IPTABLES_LOG -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT connection: " |
$IPTABLES -A FORWARD -m state --state NEW -j LOG --log-prefix "FWD connection: " |
$IPTABLES_LOG -A FORWARD -m state --state NEW -j LOG --log-prefix "FWD connection: " |
echo " done." |
echo " done." |
fi |
fi |
fi |
fi |
|
|
|
|
} # }}} |
} # }}} |
|
|
|
bann_ip_adresses() |
|
{ # {{{ |
|
# |
|
# This feature has been developed for following reason: |
|
# UbiCrawler spam our website with many requests (they are duplicit requests of the same page!) |
|
# And this web robot doesn't accept HTTP META tags (http://www.robotstxt.org/wc/faq.html#extension) |
|
# |
|
# Bann them too! |
|
# |
|
#IP address is: 146.48.97.11 146.48.97.13 |
|
# User Agent: "UbiCrawler/v0.4beta (http://ubi.iit.cnr.it/projects/ubicrawler/)" |
|
# |
|
if [ ! -z "$BANNED_IP" ]; then |
|
echo -en "Dropping ALL packets from IP:" |
|
for banned_ip in $BANNED_IP; do |
|
echo -en " $banned_ip" |
|
$IPTABLES -A INPUT -s $banned_ip -j DROP |
|
$IPTABLES -A FORWARD -s $banned_ip -j DROP |
|
done |
|
echo " done." |
|
fi |
|
} # }}} |
|
|
allow_accept_all() |
allow_accept_all() |
{ # {{{ |
{ # {{{ |
if [ ! -z "$IFACE_ACCEPT_ALL" ]; then |
if [ ! -z "$IFACE_ACCEPT_ALL" ]; then |
|
|
$IPTABLES -A INPUT -i $iface -d ${!ip} -p ICMP --icmp-type $type -j ACCEPT |
$IPTABLES -A INPUT -i $iface -d ${!ip} -p ICMP --icmp-type $type -j ACCEPT |
done |
done |
done |
done |
#$IPTABLES -A INPUT -p ICMP -j LOG --log-prefix "IN ICMP: " |
#$IPTABLES_LOG -A INPUT -p ICMP -j LOG --log-prefix "IN ICMP: " |
#$IPTABLES -A OUTPUT -p ICMP -j LOG --log-prefix "OUT ICMP: " |
#$IPTABLES_LOG -A OUTPUT -p ICMP -j LOG --log-prefix "OUT ICMP: " |
echo " done." |
echo " done." |
|
|
} # }}} |
} # }}} |
|
|
log_input_drop() |
log_input_drop() |
{ # {{{ |
{ # {{{ |
|
|
prefix="input drop: " |
if [ ! "x$LOGGING" = "xoff" ]; then |
echo "Input drop is logged with prefix '$prefix'" |
prefix="input drop: " |
$IPTABLES -A INPUT $LOG_LIMIT "$prefix" |
echo "Input drop is logged with prefix '$prefix'" |
|
$IPTABLES_LOG -A INPUT $LOG_LIMIT "$prefix" |
|
fi |
|
|
} # }}} |
} # }}} |
|
|
log_output_drop() |
log_output_drop() |
{ # {{{ |
{ # {{{ |
|
|
prefix="output drop: " |
if [ ! "x$LOGGING" = "xoff" ]; then |
echo "Output drop is logged with prefix '$prefix'" |
prefix="output drop: " |
$IPTABLES -A OUTPUT $LOG_LIMIT "$prefix" |
echo "Output drop is logged with prefix '$prefix'" |
|
$IPTABLES_LOG -A OUTPUT $LOG_LIMIT "$prefix" |
|
fi |
|
|
} # }}} |
} # }}} |
|
|
log_forward_drop() |
log_forward_drop() |
{ # {{{ |
{ # {{{ |
|
|
prefix="forward drop: " |
if [ ! "x$LOGGING" = "xoff" ]; then |
echo "Forward drop is logged with prefix '$prefix'" |
prefix="forward drop: " |
$IPTABLES -A FORWARD $LOG_LIMIT "$prefix" |
echo "Forward drop is logged with prefix '$prefix'" |
|
$IPTABLES_LOG -A FORWARD $LOG_LIMIT "$prefix" |
|
fi |
|
|
} # }}} |
} # }}} |
|
|
Line 577 accept_loopback() |
|
Line 628 accept_loopback() |
|
|
|
# Loopback není radno omezovat |
# Loopback není radno omezovat |
echo -en "Accepting loopback:" |
echo -en "Accepting loopback:" |
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT |
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT |
|
$IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT |
echo " done." |
echo " done." |
|
|
} # }}} |
} # }}} |
Line 698 for iface in $interfaces; do |
|
Line 750 for iface in $interfaces; do |
|
INTERFACES="$INTERFACES $iface"; |
INTERFACES="$INTERFACES $iface"; |
fi |
fi |
done |
done |
|
INTERFACES_ACCEPT_ALL="$IFACE_ACCEPT_ALL" |
|
|
|
|
case "$1" in |
case "$1" in |
|
|
# |
# |
# (un)commnet next lines as needed |
# (un)commnet next lines as needed |
# |
# |
|
bann_ip_adresses |
allow_accept_all |
allow_accept_all |
nmap_scan_filter |
nmap_scan_filter |
invalid_packet_filter |
invalid_packet_filter |
|
|
set_default_policy |
set_default_policy |
remove_chains |
remove_chains |
unload_modules |
unload_modules |
|
forward_off |
;; |
;; |
|
|
status) |
status) |
|
|
;; |
;; |
|
|
*) |
*) |
echo "Usage: $0 {start|stop|stop}" >&2 |
echo "Usage: $0 {start|stop|status}" >&2 |
exit 1 |
exit 1 |
;; |
;; |
esac |
esac |