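#!/bin/bash
#
# rc.iptables: rebuild the host firewall from /etc/sysconfig/rc.iptables.config.
#
# Variables read from the config file: IPTABLES, MODS, TABLES, FILTERCH,
# INTERFACES, IF_FILTER, IF_TRUSTED, IF_UNTRUSTED, the FIL_* accept lists,
# FIL_HITEND, MASQIF, TCPNOMASQ, UDPNOMASQ, TCPMASQ, UDPMASQ, NOMASQ and MASQ.
# Most of them are whitespace-separated word lists and are therefore expanded
# unquoted on purpose. FIL_CUST is comma-separated and each item is a raw
# iptables match expression that may itself contain several words.
#
# Order matters: every table is flushed and the filter policies are set to
# DROP *before* any rule is added, so the host is fail-closed while the
# ruleset is being built. Rule commands that fail are reported on stderr and
# counted instead of being ignored, so an incomplete ruleset is visible.
#
# Exit status: 1 if the config is missing, IPTABLES is unusable or a kernel
# module does not load; 2 if one or more iptables commands failed; else 0.

##### source config ###########################
CONFIG=/etc/sysconfig/rc.iptables.config
if [[ -f "$CONFIG" ]]; then
  . "$CONFIG"
else
  echo "$0: could not find config file" >&2
  exit 1
fi
###############################################

# The config must name the iptables binary (it may carry extra options, so
# only the first word is checked). An empty value would turn every rule below
# into "command not found" and leave no firewall loaded.
if [[ -z "${IPTABLES}" ]] || ! command -v "${IPTABLES%% *}" >/dev/null 2>&1; then
  echo "$0: IPTABLES is not set to a usable iptables binary" >&2
  exit 1
fi

FAILED=0
#######################################
# Run one iptables command and report a failure instead of silently going on.
# Globals:   IPTABLES (read), FAILED (incremented on failure)
# Arguments: the iptables arguments (table, chain, matches, target)
# Outputs:   diagnostic on stderr when the command fails
# Returns:   the iptables exit status
#######################################
ipt() {
  local rv=0
  # IPTABLES is deliberately unquoted so a value like "iptables -w" works.
  ${IPTABLES} "$@" || rv=$?
  if (( rv != 0 )); then
    printf '%s: iptables %s failed (status %d)\n' "$0" "$*" "$rv" >&2
    FAILED=$((FAILED + 1))
  fi
  return "$rv"
}

# make sure modules are loaded
if [[ -n "${MODS}" ]]; then
  for H in ${MODS}; do
    modprobe "${H}" || { echo "failed to load module" >&2; exit 1; }
  done
fi

# flush everything out (rules first, then user-defined chains)
for H in ${TABLES}; do
  ipt -F -t "${H}"
  ipt -X -t "${H}"
done

# set default policies to DROP: anything not explicitly accepted below is lost
for H in ${FILTERCH}; do
  ipt -P "${H}" DROP
done

# create interface specific chains
for H in ${INTERFACES}; do
  for G in in out fwd; do
    ipt -N "${H}-${G}" -t filter
  done
done

# create common filter table chains
for H in trusted infilter outfilter accepts attacks; do
  ipt -N "${H}" -t filter
done

# point main rules to appropriate per-iface rules
for H in ${INTERFACES}; do
  ipt -A INPUT -i "${H}" -j "${H}-in"
  ipt -A OUTPUT -o "${H}" -j "${H}-out"
  ipt -A FORWARD -i "${H}" -j "${H}-fwd"
done

# tos: set tos mangling
ipt -A OUTPUT -t mangle -p tcp --dport telnet -j TOS --set-tos Minimize-Delay
ipt -A OUTPUT -t mangle -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
ipt -A OUTPUT -t mangle -p tcp --dport www -j TOS --set-tos Minimize-Delay
ipt -A OUTPUT -t mangle -p tcp --dport pop-3 -j TOS --set-tos Maximize-Reliability
ipt -A OUTPUT -t mangle -p tcp --dport smtp -j TOS --set-tos Maximize-Throughput

# trusted: trusted networks chain
ipt -A trusted -p icmp -j ACCEPT
ipt -A trusted -m state --state RELATED,ESTABLISHED -j ACCEPT
ipt -A trusted -m state --state INVALID -j DROP
# check trusted ip/mask tuples
#for H in ${TRUSTED} ; do
#  ipt -A trusted -s ${H} -j ACCEPT
#  ipt -A trusted -d ${H} -j ACCEPT
#done
# NOTE: with the per-network checks above commented out, everything that
# reaches this chain (i.e. all traffic on IF_TRUSTED interfaces and all
# outbound traffic on IF_UNTRUSTED interfaces) is accepted unconditionally.
ipt -A trusted -j ACCEPT
#ipt -A trusted -j LOG --log-level 7 --log-prefix "end trust: "

####################### filtering rules #####################################
if [[ -n "${IF_FILTER}" ]]; then
  ## attacks: chain to protect against ATTACKS
  ## rules here should either DROP, LOG or RETURN. Not ACCEPT!
  #
  ## various scan/attack fingerprints (taken from firewall-iptables)
  ## All DROP rules in this chain are commented out, so the chain only logs
  ## (rate-limited) and the packet continues into 'accepts'; anything not
  ## accepted there is dropped by the INPUT policy in any case.
  ## Xmas Tree
  ipt -A attacks -p tcp --tcp-flags ALL ALL -m limit \
    --limit 5/minute -j LOG --log-level 7 \
    --log-prefix "attack Merry XMAS:"
  #ipt -A attacks -p tcp --tcp-flags ALL ALL -j DROP
  ## NMAP FIN/URG/PSH
  ipt -A attacks -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
    --limit 5/minute -j LOG --log-level 7 \
    --log-prefix "attack NMAP-XMAS:"
  #ipt -A attacks -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  ## Another Xmas Tree
  ipt -A attacks -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
    -m limit --limit 5/minute -j LOG --log-level 7 \
    --log-prefix "attack XMAS-PSH:"
  #ipt -A attacks -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
  #  -j DROP
  ## SYN/RST
  ipt -A attacks -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
    --limit 5/minute -j LOG --log-level 7 \
    --log-prefix "attack SYN/RST:"
  #ipt -A attacks -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  ## SYN/FIN -- Scan(possibly)
  ipt -A attacks -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
    --limit 5/minute -j LOG --log-level 7 \
    --log-prefix "attack SYN/FIN:"
  #ipt -A attacks -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  #
  ## TCP Option Check
  ipt -A attacks -p tcp --tcp-option 64 -m limit \
    --limit 5/minute -j LOG --log-level 7 --log-prefix \
    "Bogus TCP FLAG 64"
  #ipt -A attacks -p tcp --tcp-option 64 -j DROP
  ipt -A attacks -p tcp --tcp-option 128 -m limit \
    --limit 5/minute -j LOG --log-level 7 --log-prefix \
    "Bogus TCP FLAG 128"
  #ipt -A attacks -p tcp --tcp-option 128 -j DROP
  ####################### end attacks #####################

  ##############################################################
  ## accepts: accepted services for untrusted incoming interfaces
  # connections which we will ACCEPT
  # protocols
  if [[ -n "${FIL_PROTO}" ]]; then
    for H in ${FIL_PROTO}; do
      ipt -A accepts -p "${H}" -j ACCEPT
    done
  fi
  # connection tracking
  if [[ -n "${FIL_STATE}" ]]; then
    ipt -A accepts -m state \
      --state "${FIL_STATE}" -j ACCEPT
  fi
  # by tcp dest port
  if [[ -n "${FIL_TCPDEST}" ]]; then
    for H in ${FIL_TCPDEST}; do
      ipt -A accepts -p tcp --dport "${H}" -j ACCEPT
    done
  fi
  # by udp dest port
  if [[ -n "${FIL_UDPDEST}" ]]; then
    for H in ${FIL_UDPDEST}; do
      ipt -A accepts -p udp --dport "${H}" -j ACCEPT
    done
  fi
  # by tcp source port
  # NOTE: a source-port match is trivially chosen by the remote peer; these
  # accept anything whose *source* port is listed, regardless of destination.
  if [[ -n "${FIL_TCPSRC}" ]]; then
    for H in ${FIL_TCPSRC}; do
      ipt -A accepts -p tcp --sport "${H}" -j ACCEPT
    done
  fi
  # by udp source port (same caveat as above)
  if [[ -n "${FIL_UDPSRC}" ]]; then
    for H in ${FIL_UDPSRC}; do
      ipt -A accepts -p udp --sport "${H}" -j ACCEPT
    done
  fi
  # by source ip/prefix
  if [[ -n "${FIL_IPSRC}" ]]; then
    for H in ${FIL_IPSRC}; do
      ipt -A accepts -s "${H}" -j ACCEPT
    done
  fi
  # by dest ip/prefix
  if [[ -n "${FIL_IPDEST}" ]]; then
    for H in ${FIL_IPDEST}; do
      ipt -A accepts -d "${H}" -j ACCEPT
    done
  fi
  # custom
  if [[ -n "${FIL_CUST}" ]]; then
    oldifs=$IFS
    # Split the list on commas only; each item is a complete match expression
    # and is deliberately left unquoted so its own words reach iptables
    # separately (IFS is restored before that expansion happens).
    IFS=","
    for H in $FIL_CUST; do
      IFS=$oldifs
      ipt -A accepts $H -j ACCEPT
    done
    # restore IFS even when the loop body never ran (e.g. a list of only commas)
    IFS=$oldifs
  fi
  ################# end accepts ###################################

  ## infilter: top level untrusted i/f filter chain
  # attach attacks chain
  ipt -A infilter -j attacks
  # attach accepts chain
  ipt -A infilter -j accepts
  # any packets that get here are going to get dropped, let's log 'em
  # first if admin so desires
  case "${FIL_HITEND}" in
    true|yes)
      ipt -A infilter -j LOG -m limit --limit 10/minute \
        --log-prefix "infilter end: "
      ;;
  esac
  # send an icmp-prohibited to prevent long timeouts when debugging net
  # problems. eg traceroute. has the nifty side effect of confusing
  # the hell out of most scan/kiddy programmes.
  #ipt -A infilter -j REJECT --reject-with icmp-net-prohibited
  ##
  # append 'infilter' chain to IF_FILTER interfaces.
  for H in ${IF_FILTER}; do
    ipt -A "${H}-in" -j infilter
  done
fi
################## end filtering setup ####################################

# attach relevant generic chains to if specific chains
for H in ${IF_TRUSTED}; do
  ipt -A "${H}-in" -j trusted
  ipt -A "${H}-out" -j trusted
  ipt -A "${H}-fwd" -j trusted
done

for H in ${IF_UNTRUSTED}; do
  ipt -A "${H}-out" -j trusted
  # when masquerading, let replies to masqueraded connections be forwarded back
  if [[ -n "${MASQIF}" ]]; then
    ipt -A "${H}-fwd" -m state \
      --state RELATED,ESTABLISHED \
      -j ACCEPT
  fi
  ipt -A "${H}-fwd" -j REJECT --reject-with icmp-net-prohibited
done

########################## set up nat #######################################
if [[ -n "${MASQIF}" ]]; then
  for iface in ${MASQIF}; do
    # Port-specific rules are inserted at position 1 so they are evaluated
    # before the prefix-based rules appended further down.
    ## tcp ports not to masq
    if [[ -n "${TCPNOMASQ}" ]]; then
      for tcpnomasq in ${TCPNOMASQ}; do
        ipt -t nat -I POSTROUTING 1 \
          -s 0/0 -d 0/0 -o "${iface}" \
          -p tcp --dport "${tcpnomasq}" \
          -j RETURN
      done
    fi
    ## udp ports never to masq
    if [[ -n "${UDPNOMASQ}" ]]; then
      for udpnomasq in ${UDPNOMASQ}; do
        ipt -t nat -I POSTROUTING 1 \
          -s 0/0 -d 0/0 -o "${iface}" \
          -p udp --dport "${udpnomasq}" \
          -j RETURN
      done
    fi
    ## tcp ports to always masq
    if [[ -n "${TCPMASQ}" ]]; then
      for tcpmasq in ${TCPMASQ}; do
        ipt -t nat -I POSTROUTING 1 \
          -s 0/0 -d 0/0 -o "${iface}" \
          -p tcp --dport "${tcpmasq}" \
          -j MASQUERADE
      done
    fi
    ## udp ports to always masq
    if [[ -n "${UDPMASQ}" ]]; then
      for udpmasq in ${UDPMASQ}; do
        ipt -t nat -I POSTROUTING 1 \
          -s 0/0 -d 0/0 -o "${iface}" \
          -p udp --dport "${udpmasq}" \
          -j MASQUERADE
      done
    fi
    ## prefix's to never masq
    if [[ -n "${NOMASQ}" ]]; then
      for nomasq in ${NOMASQ}; do
        ipt -t nat -A POSTROUTING -s "${nomasq}" \
          -o "${iface}" -j RETURN
      done
    fi
    ## prefix's to masq
    if [[ -n "${MASQ}" ]]; then
      for mhost in ${MASQ}; do
        ipt -t nat -A POSTROUTING -s "${mhost}" \
          -o "${iface}" -j MASQUERADE
      done
    fi
  done
fi
###################### end nat setup ########################################

# save the iptable rules the RH way, just so people dont get caught out
if [[ -x /etc/rc.d/init.d/iptables ]]; then
  /etc/rc.d/init.d/iptables save
fi

# Make an incomplete ruleset visible to the caller (init/systemd logs) rather
# than pretending everything loaded.
if (( FAILED > 0 )); then
  printf '%s: %d iptables command(s) failed; ruleset is incomplete\n' "$0" "$FAILED" >&2
  exit 2
fi
## that's all folks ##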