My firewall script

My firewall script

[Gáspár Lajos]

Any comments welcome!!! :)
The remarks are in hungarian... :)
Some "features" disabled...

Swifty

#!/bin/bash
echo "Setting up FIREWALL rules:"
echo "Creating \"active\" rule... "

# ALAP beállítások
fw_if_in=eth1
fw_if_ex=ppp+
fw_ip_in=192.168.0.254
fw_ip_ex=www.xxx.yyy.zzz
fw_nw_in=192.168.0.0/24
fw_nw_ex=www.xxx.yyy.0/24
fw_tc_if=ppp0
fw_tc_ul=192
# 2048*1.1=2252
fw_tc_dl=2252

hosts_deny=`cat /etc/firewall/hosts_deny`

# Rendszer beállítások
core_set="/proc/sys/net/core"
ip_set="/proc/sys/net/ipv4"
echo 1 > $ip_set/tcp_syncookies
echo 0 > $ip_set/conf/all/rp_filter
echo 1 > $ip_set/conf/all/proxy_arp
echo 1 > $ip_set/ip_forward
echo 1 > $ip_set/icmp_echo_ignore_broadcasts
echo 1 > $ip_set/tcp_rfc1337
echo 1 > $ip_set/tcp_sack
echo 1 > $ip_set/tcp_abort_on_overflow
echo 10 > $ip_set/tcp_fin_timeout
echo 32768 > $ip_set/ip_conntrack_max
echo 65535 > $core_set/rmem_default
echo 65535 > $core_set/wmem_default
echo 65535 > $core_set/wmem_max
sysctl -w net.ipv4.tcp_ecn=0 >/dev/null 2>/dev/null

# Modulok
modprobe ip_conntrack >/dev/null 2>/dev/null
modprobe ip_conntrack_ftp >/dev/null 2>/dev/null
modprobe ip_conntrack_irc >/dev/null 2>/dev/null
modprobe ip_conntrack_tftp >/dev/null 2>/dev/null
modprobe ip_conntrack_amanda >/dev/null 2>/dev/null
modprobe ip_nat >/dev/null 2>/dev/null
modprobe ip_nat_ftp >/dev/null 2>/dev/null
modprobe ip_nat_irc >/dev/null 2>/dev/null
modprobe iptable_nat >/dev/null 2>/dev/null

# Szubrutinok
clean_subchain() {
 $table -F $subchain >/dev/null 2>/dev/null
 $table -X $subchain >/dev/null 2>/dev/null
 $table -Z $subchain >/dev/null 2>/dev/null
 }
 
create_subchain() {
 clean_subchain
 $table -N $subchain
 }

do_ports() {
for port in $tcp_ports
 do
 $table -A $subchain -j $target -p tcp --dport $port 
 done
for port in $udp_ports
 do
 $table -A $subchain -j $target -p udp --dport $port 
 done
 tcp_ports=""
 udp_ports=""
 }

disable_ports() {
 target="sendrej"
 do_ports
 }
 
enable_ports() {
 target="ACCEPT"
 do_ports
 }

# Az eddigi szabályok törlése
subchain=""
table="iptables -t nat"
clean_subchain
table="iptables -t filter"
clean_subchain
table="iptables -t mangle"
clean_subchain

###**************###
### Saját láncok ###
###**************###

chains="inp fwd out"
table="iptables -t filter"

##############
# Megtagadás #
##############

subchain="sendrej"
create_subchain
$table -A $subchain -j REJECT -p tcp --reject-with tcp-reset
$table -A $subchain -j REJECT --reject-with icmp-admin-prohibited
$table -A $subchain -j DROP

##################
# Hoszt tiltások #
##################

subchain="den-in"
create_subchain
subchain="den-ex"
create_subchain
subchain="den"
for denied in $hosts_deny
 do
 $table -A $subchain-in -j sendrej -s $denied
 $table -A $subchain-ex -j sendrej -d $denied
 done

#------#
# ICMP #
#------#
 # Death ping
# $table -A $subchain -j sendrej -p icmp --icmp-type echo-request -m limit ! --limit 1/s


#-----#
# TCP #
#-----#

 #++++++++++++++++++#
 # Már kapcsolódott #
 #++++++++++++++++++#
# $table -A $subchain -j ACCEPT -p tcp --tcp-flags URG URG
# $table -A $subchain -j ACCEPT -p tcp --tcp-flags ACK ACK
# $table -A $subchain -j ACCEPT -p tcp --tcp-flags PSH PSH
# $table -A $subchain -j ACCEPT -p tcp --tcp-flags RST RST
# $table -A $subchain -j ACCEPT -p tcp --tcp-flags SYN SYN
# $table -A $subchain -j ACCEPT -p tcp --tcp-flags FIN FIN
 
 #+++++++++++++++++++#
 # Kapcsolat alapján #
 #+++++++++++++++++++#

 # SYN-ACK védelem
# $table -A $subchain -j sendrej -p tcp --tcp-flags SYN,ACK SYN,ACK  -m limit ! --limit 1/s --limit-burst 30

 # Port scan védelem
# $table -A $subchain -j sendrej -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit ! --limit 1/s --limit-burst 6

 # SYN flood védelem --syn = --tcp-flags SYN,ACK,RST SYN
# $table -A $subchain -j sendrej -p tcp --tcp-flags SYN,ACK,RST SYN -m limit ! --limit 1/s --limit-burst 90

  # Korrekt kapcsolódás
# $table -A $subchain -j RETURN 

###########################
# Közös kapcsolódott lánc #
###########################

subchain="connected"
create_subchain

$table -A $subchain -j ACCEPT -m state --state ESTABLISHED,RELATED
$table -A $subchain -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
$table -A $subchain -j RETURN -p icmp
$table -A $subchain -j RETURN -p udp
$table -A $subchain -j RETURN -m state --state NEW
#?????????????????????????????????????????????????????????

$table -A $subchain -j ACCEPT -p tcp --tcp-flags ACK,FIN ACK,FIN
$table -A $subchain -j ACCEPT -p tcp --tcp-flags ACK,RST ACK,RST
$table -A $subchain -j ACCEPT -p tcp --tcp-flags ALL RST

$table -A $subchain -j RETURN -p tcp --dport 1411

#$table -A $subchain -j ACCEPT -m state --state INVALID
$table -A $subchain -j LOG  --log-prefix "INVALID: " --log-level debug
$table -A $subchain -j DROP


###################
# Naplózás láncok #
###################

for chain in $chains
 do
 subchain=$chain-lr
 create_subchain
 $table -A $subchain -j LOG --log-prefix "$chain: " --log-level debug
 $table -A $subchain -j sendrej
 done




###****************************###
### * NAT szabályok *          ###
###                            ###
### PREROUTING                 ###
###  csomag érkezése           ###
### POSTROUTING                ###
###  csomag távozása           ###
### OUTPUT                     ###
###  helyben generált csomagok ###
###****************************###
table="iptables -t nat"



#######################
### PREROUTING lánc ###
#######################
chain="PREROUTING"

# Irányelv felállítása
$table -P $chain ACCEPT



# !!! LAN !!!
subchain=pre-in
create_subchain
$table -A $chain -j $subchain -i $fw_if_in

 # SMTP
 $table -A $subchain -j DNAT -p tcp --dport smtp ! -s 192.168.0.253 --to-destination 192.168.0.253

 # SQUID
 $table -A $subchain -j REDIRECT -p tcp --dport www ! -d $fw_ip_in --to-port 3128

 # DNS
 $table -A $subchain -j DNAT -p tcp --dport domain ! -d $fw_ip_in --to-destination $fw_ip_in
 $table -A $subchain -j DNAT -p udp --dport domain ! -d $fw_ip_in --to-destination $fw_ip_in

 # POP3
 $table -A $subchain -j DNAT -p tcp --dport pop-3 -d $fw_ip_in --to-destination 192.168.0.253
 $table -A $subchain -j DNAT -p tcp --dport pop-3 -d $fw_ip_ex --to-destination 192.168.0.253

 # NTP
 $table -A $subchain -j DNAT -p tcp --dport ntp ! -d $fw_ip_in --to-destination $fw_ip_in
 $table -A $subchain -j DNAT -p udp --dport ntp ! -d $fw_ip_in --to-destination $fw_ip_in

 # Belsõ háló <-> külsõ IP csomagjainak átirányítása
 $table -A $subchain -j DNAT -d $fw_ip_ex --to-destination $fw_ip_in




# !!! WAN !!!
subchain=pre-ex
create_subchain
$table -A $chain -j $subchain -i $fw_if_ex

 # HTTP
 $table -A $subchain -j DNAT -p tcp --dport http --to-destination 192.168.0.253
 
 # POP3
 $table -A $subchain -j DNAT -p tcp --dport pop-3 --to-destination 192.168.0.253

 $table -A $subchain -j DNAT -p tcp --dport 1411 --to-destination 192.168.0.192
 $table -A $subchain -j DNAT -p udp --dport 1411 --to-destination 192.168.0.192



########################
### POSTROUTING lánc ###
########################
chain="POSTROUTING"

# Irányelv felállítása
$table -P $chain ACCEPT



# !!! LAN !!!
subchain=pst-in
create_subchain
$table -A $chain -j $subchain -o $fw_if_in

 # Átirányítások másik szerverre
 $table -A $subchain -j SNAT -p tcp --dport smtp -d 192.168.0.253 --to-source $fw_ip_in
 $table -A $subchain -j SNAT -p tcp --dport pop-3 -d 192.168.0.253 --to-source $fw_ip_in

 # Belsõ háló <-> külsõ IP csomagjainak átirányítása
 $table -A $subchain -j SNAT -s $fw_ip_ex --to-source $fw_ip_in



# !!! WAN !!!
subchain=pst-ex
create_subchain
$table -A $chain -j $subchain -o $fw_if_ex

 # Maszkolás
 #$table -A $subchain -j MASQUERADE

 # NAT
 $table -A $subchain -j SNAT -s $fw_nw_in ! -d $fw_ip_ex --to-source $fw_ip_ex




###################
### OUTPUT lánc ###
###################
chain="OUTPUT"

# Irányelv felállítása
$table -P $chain ACCEPT




###****************************###
### * FILTER szabályok *       ###
###                            ###
### INPUT                      ###
###  csomag fogadása           ###
### FORWARD                    ###
###  csomag továbbítása        ###
### OUTPUT                     ###
###  helyben generált csomagok ###
###****************************###
table="iptables -t filter"



##################
### INPUT lánc ###
##################
chain="INPUT"

# Irányelv felállítása
$table -P $chain DROP

# Ismert?
$table -A $chain -j connected

# ADSL modem
$table -A $chain -j DROP -i eth0

# LO
$table -A $chain -j ACCEPT -i lo

# LAN
$table -A $chain -j ACCEPT -i $fw_if_in -s $fw_nw_in

# Denied
$table -A $chain -j den-in

# !!! inp-ex !!!
subchain=inp-ex
create_subchain
$table -A $chain -j $subchain -i $fw_if_ex -d $fw_ip_ex

 # DNS
# $table -A $subchain -j ACCEPT -p udp --sport domain
 
 # Publikus portok
 tcp_ports="ssh smtp" #auth
 udp_ports=""
 enable_ports
 
 # LOG SZÛRÉS
 tcp_ports="loc-srv netbios-ns netbios-dgm netbios-ssn microsoft-ds"
 udp_ports=$tcp_ports
 disable_ports
 
# Megsértések naplózása
$table -A $chain -j inp-lr



####################
### FORWARD lánc ###
####################
chain="FORWARD"

# Irányelv felállítása
$table -P $chain DROP

# Ismert?
$table -A $chain -j connected


# Tiltott IP-k
$table -A $chain -j den-in
$table -A $chain -j den-ex

# !!! fwd-in !!!
subchain=fwd-in
create_subchain
$table -A $chain -j $subchain -i $fw_if_in -s $fw_nw_in

 # ICMP
 $table -A $subchain -j ACCEPT -p icmp

 # Saját háló ??????????????????????????????????????????????????????????????????????????????????
 $table -A $subchain -j ACCEPT -d $fw_nw_in

 tcp_ports="ftp-data ftp ssh smtp pop3 https 1024:65535 411"
 udp_ports="1024:65535 411"
 enable_ports

# !!! fwd-ex !!!
subchain=fwd-ex
create_subchain
$table -A $chain -j $subchain -i $fw_if_ex

 # ICMP
 $table -A $subchain -j ACCEPT -p icmp

 # POP3 engedélyezése
 $table -A $subchain -j ACCEPT -p tcp -d 192.168.0.253 --dport pop3
 
 # HTTP engedélyezése
 $table -A $subchain -j ACCEPT -p tcp -d 192.168.0.253 --dport http
 # User progs
# $table -A $subchain -j ACCEPT -p udp --sport 1024:65535 --dport 1024:65535
 
 $table -A $subchain -j ACCEPT -p tcp -d 192.168.0.192 --dport 1411
 $table -A $subchain -j ACCEPT -p udp -d 192.168.0.192 --dport 1411

# Megsértések naplózása
$table -A $chain -j fwd-lr



###################
### OUTPUT lánc ###
###################
chain="OUTPUT"

# Irányelv felállítása
$table -P $chain DROP

# Ismert?
$table -A $chain -j connected

# Helyi
$table -A $chain -j ACCEPT -o lo

# Belsõ háló felé
$table -A $chain -j ACCEPT -o $fw_if_in -d $fw_nw_in

# Tiltott IP címek
$table -A $chain -j den-ex

# Internet felé
$table -A $chain -j ACCEPT -o $fw_if_ex -s $fw_ip_ex

# Megsértések naplózása (értelmetlen :) )
$table -A $chain -j out-lr





###****************************###
### * MANGLE szabályok *       ###
###                            ###
### INPUT                      ###
###  csomag fogadása           ###
### FORWARD                    ###
###  csomag továbbítása        ###
### OUTPUT                     ###
###  helyben generált csomagok ###
### POSTROUTING                ###
###  csomag távozása           ###
###****************************###
table="iptables -t mangle"



###############
### FORWARD ###
###############
chain="FORWARD"

$table -A $chain -j RETURN ! -o $fw_if_ex

$table -A $chain -j MARK -p tcp --sport 1411 --set-mark 110

$table -A $chain -j MARK -p tcp --dport smtp --set-mark 111
$table -A $chain -j MARK -p tcp --dport 1024:65535 --set-mark 110

$table -A $chain -j MARK -p tcp --dport https --set-mark 112

$table -A $chain -j MARK ! -p tcp --set-mark 113
$table -A $chain -j MARK -p tcp -m length --length :64 --set-mark 113


###################
### OUTPUT lánc ###
###################
chain="OUTPUT"

# Traffic Control
$table -A $chain -j RETURN ! -o $fw_if_ex

$table -A $chain -j MARK -p tcp --sport 1411 --set-mark 110

$table -A $chain -j MARK -p tcp --dport smtp --set-mark 111
$table -A $chain -j MARK -p tcp --dport 1024:65535 --set-mark 111

$table -A $chain -j MARK -p tcp --dport http --set-mark 112

$table -A $chain -j MARK ! -p tcp --set-mark 113
$table -A $chain -j MARK -p tcp -m length --length :64 --set-mark 113

#########################
### POSTROUTING lánc  ###
#########################
chain="POSTROUTING"

$table -A $chain -j RETURN ! -o $fw_if_ex

# MSS blackhole
$table -A $chain -j TCPMSS -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu

# ECN blackhole
$table -A $chain -j ECN -p tcp --ecn-tcp-remove


# Adatok mentése, befejezés
/etc/init.d/iptables save active
echo done.
echo "Creating \"inactive\" rule... "
/etc/init.d/iptables halt
/etc/init.d/iptables save inactive
echo "Loading \"active\" rule... "
/etc/init.d/iptables load active
echo "done."

#######################
### TRAFFIC CONTROL ###
#######################

echo "Setting up TRAFFIC CONTROL rules:"

tc_dev="dev $fw_tc_if"
tc_ul=`echo "scale=0; ($fw_tc_ul*0.95+0.5)/1" | bc`

# Alap beállítások
tc_com="tc qdisc del $tc_dev"
$tc_com root >/dev/null 2>/dev/null
$tc_com ingress >/dev/null 2>/dev/null

##############
### UpLink ###
##############

#$tc_qdisc parent 1:10 handle 10:0 esfq perturb 10 quantum 4k hash src
#$tc_qdisc parent 10:0 handle 10:1 pfifo limit 10
tc_addfilter() {
 $tc_fl protocol ip  parent 1:0 ${tc_filter} flowid 1:${tc_flow}
 }
#prio ${tc_bw_prio}

tc_child() {
 $tc_cl parent 1:1 classid 1:${tc_flow} htb rate ${tc_bw_min}kbit ceil ${tc_bw_max}kbit burst ${tc_bw_burst}k prio ${tc_bw_prio}
 $tc_qd parent 1:${tc_flow} handle ${tc_flow}:0 sfq perturb ${tc_bw_pert} quantum ${tc_bw_burst}k
# $tc_qd parent 1:${tc_flow} handle ${tc_flow}:0 tbf rate ${tc_bw_min}kbit burst 1492 latency 50ms
 }


tc_qd="tc qdisc add $tc_dev"
tc_cl="tc class add $tc_dev"
tc_fl="tc filter add $tc_dev"

$tc_qd root handle 1:0 htb default 12
$tc_cl parent 1:0 classid 1:1 htb rate ${tc_ul}kbit ceil ${tc_ul}kbit

# !!!  8kbit(/s) = 1kbyte/s !!!
# !!! 16kbit(/s) = 2kbyte/s !!!

#INTERACTIVE
tc_flow="13"
tc_bw_min="128"
tc_bw_max="128"
tc_bw_burst="8"
tc_bw_prio="4"
tc_bw_pert="4"
tc_child
#TOS
tc_filter="u32 match ip tos 0x10 0xff"
tc_addfilter
#ICMP
tc_filter="u32 match ip protocol 1 0xff"
tc_addfilter
#TCP ACK<64byte
tc_filter="u32	match ip protocol 6 0xff \
		match u8 0x05 0x0f at 0 \
	        match u16 0x0000 0xffc0 at 2 \
	        match u8 0x10 0xff at 33"
tc_addfilter

#DEFAULT
tc_flow="12"
tc_bw_min="160"
tc_bw_max=${tc_ul}
tc_bw_burst="16"
tc_bw_prio="3"
tc_bw_pert="8"
tc_child
tc_filter="u32 match ip dport 80 0xfff"
tc_addfilter
tc_filter="u32 match ip dport 443 0xfff"
tc_addfilter

#SMTP
tc_flow="11"
tc_bw_min="96"
tc_bw_max="160"
tc_bw_burst="64"
tc_bw_prio="2"
tc_bw_pert="16"
tc_child
tc_filter="u32 match ip dport 25 0xffff"
tc_addfilter

#DC++
tc_flow="10"
tc_bw_min="48"
tc_bw_max="56"
tc_bw_burst="1"
tc_bw_prio="1"
tc_bw_pert="20"
tc_child
tc_filter="u32 match ip sport 1411 0xffff"
tc_addfilter
tc_filter="u32 match ip dport 1411 0xffff"
tc_addfilter

flows="13 12 11 10"
for tc_flow in $flows 
 do 
 tc_filter="handle 1${tc_flow} fw"
 tc_addfilter
 done

################
### DownLink ###
################

$tc_qd handle ffff:0 ingress
$tc_fl parent ffff:0 protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${fw_tc_dl}kbit burst 64k drop flowid 0:1

echo "done."

Re: My firewall script

[Jan Engelhardt]

>
> Any comments welcome!!! :)

No one ever reads through that mess, really. There are so many scripts floating
around, the number is just too outstanding, and it makes tired after a while.



Jan Engelhardt
-- 

Re: My firewall script

[Gáspár Lajos]

Thanx !

Yes it is really long... a bit messy...  but also there are rules that 
make my firewall script easier to understand and edit. (At least for me :D )
For example: In almost every table I separate the traffic depending upon 
the interface...
I have seen many scripts that do not follow the concept of iptables... 
In my first attempts I wrote such scripts also...

After all: Thanx for your comment !!! :)

Jan Engelhardt wrote:
>> Any comments welcome!!! :)
>>     
>
> No one ever reads through that mess, really. There are so many scripts floating
> around, the number is just too outstanding, and it makes tired after a while.
>
>
>
> Jan Engelhardt
>