Differences

This shows you the differences between two versions of the page.

--- iptables:firewall_script [2016/11/22 16:48] – peter
+++ iptables:firewall_script [2019/11/29 17:33] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== IPTables - Firewall Script ======
-===== Turning on native Kernel IPv4 protection =====
-The Linux kernel provides some basic protections against manipulated IP packets. A configuration could be:
-<code bash>
-echo 1 > /proc/sys/net/ipv4/tcp_syncookies                          # enable syn cookies (prevent against the common 'syn flood attack')
-echo 0 > /proc/sys/net/ipv4/ip_forward                              # disable Packet forwarning between interfaces
-echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts             # ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
-echo 1 > /proc/sys/net/ipv4/conf/all/log_martians                   # log packets with impossible addresses to kernel log
-echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses       # disable logging of bogus responses to broadcast frames
-echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter                      # do source validation by reversed path (Recommended option for single homed hosts)
-echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects                 # don't send redirects
-echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route            # don't accept packets with SRR option
-</code>
-Further reading:
-  * The file Documentation/networking/ip-sysctl.txt in your kernel source directory
-  * [[http://linuxgazette.net/issue77/lechnyr.html|Network Security with /proc/sys/net/ipv4]]
-===== Firewall =====
-<file bash firewall.sh>
-#!/bin/sh
-# set -e
-### BEGIN INIT INFO
-# Provides:          firewall
-# Required-Start:    $network $syslog
-# Required-Stop:     $network $syslog
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: Start iptables based firewall
-# Description:       Start IPv4 and IPv6 firewall
-### END INIT INFO
-# Version:      @(#)firewall  1.0.1  2006-01-22  tehpeh-web@tty1.net  First version IPv4 only
-#                             1.2.0  2011-05-28  tehpeh-web@tty1.net  Added IPv6 support
-#
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-NAME=firewall
-iptables4=/sbin/iptables
-iptables6=/sbin/ip6tables
-pub_if=eth0                                 # public interface, e.g. eth0
-pub_ipv4=70.85.16.194                       # public IPv4 address
-pub_ipv6=2600:3c00::f03c:91ff:fe96:d898     # public IPv6 address
-test -x $iptables4 || exit 0
-test -x $iptables6 || exit 0
-firewall_flush()
-{
-    # flush rules
-    $iptables4 -F
-    $iptables6 -F
-    $iptables4 -F -t mangle
-    $iptables6 -F -t mangle
-    $iptables4 -X -t mangle
-    $iptables6 -X -t mangle
-    $iptables4 -F -t nat
-    $iptables4 -X -t nat
-    $iptables4 -X
-    $iptables6 -X
-}
-firewall_default()
-{
-    default=$1
-    # apply default rules
-    $iptables4 -P INPUT   $default
-    $iptables6 -P INPUT   $default
-    $iptables4 -P FORWARD $default
-    $iptables6 -P FORWARD $default
-    $iptables4 -P OUTPUT  $default
-    $iptables6 -P OUTPUT  $default
-}
-firewall_start()
-{
-    # default policy
-    firewall_default DROP
-    # accept everything from loopback
-    $iptables4 -A INPUT  -i lo -j ACCEPT
-    $iptables6 -A INPUT  -i lo -j ACCEPT
-    $iptables4 -A OUTPUT -o lo -j ACCEPT
-    $iptables6 -A OUTPUT -o lo -j ACCEPT
-    # Allow Link-Local addresses
-    $iptables6 -A INPUT -s fe80::/10 -j ACCEPT
-    $iptables6 -A OUTPUT -s fe80::/10 -j ACCEPT
-    # drop Bad Guys
-    $iptables4 -A INPUT -m recent --update --seconds 60 -j DROP
-    $iptables6 -A INPUT -m recent --update --seconds 60 -j DROP
-    # Filter all packets that have RH0 headers:
-    $iptables6 -A INPUT -m rt --rt-type 0 -j DROP
-    $iptables6 -A FORWARD -m rt --rt-type 0 -j DROP
-    $iptables6 -A OUTPUT -m rt --rt-type 0 -j DROP
-    # drop spoofed packets (i.e. packets with local source addresses coming from outside etc.), mark as Bad Guy
-    $iptables4 -A INPUT  -i $pub_if -s $pub_ipv4 -m recent --set -j DROP
-    $iptables6 -A INPUT  -i $pub_if -s $pub_ipv6 -m recent --set -j DROP
-    # accept ICMP packets (ping et.al.)
-    $iptables4 -A INPUT  -p icmp   -j ACCEPT
-    $iptables6 -A INPUT  -p icmpv6 -j ACCEPT
-    $iptables6 -A OUTPUT -p icmpv6 -j ACCEPT
-    $iptables6 -A FORWARD -p icmpv6 -j ACCEPT
-    # internet (established and out)
-    $iptables4 -A OUTPUT -o $pub_if -j ACCEPT
-    $iptables6 -A OUTPUT -o $pub_if -j ACCEPT
-    $iptables4 -A INPUT  -i $pub_if -m state --state ESTABLISHED,RELATED -j ACCEPT
-    $iptables6 -A INPUT  -i $pub_if -m state --state ESTABLISHED,RELATED -j ACCEPT
-    # allow public services
-    $iptables4 -A INPUT -i $pub_if -p tcp -d $pub_ipv4 -m multiport --dports 25,80,143,443,465,993,8000 -j ACCEPT
-    $iptables6 -A INPUT -i $pub_if -p tcp -d $pub_ipv6 -m multiport --dports 25,80,143,443,465,993,8000 -j ACCEPT
-    # accept ssh connections (max 2/minute from the same IP address)
-    $iptables4 -A INPUT -p tcp --dport 22 -m recent --update --seconds 300 --hitcount 10 --name SSH -j DROP
-    $iptables6 -A INPUT -p tcp --dport 22 -m recent --update --seconds 300 --hitcount 10 --name SSH -j DROP
-    $iptables4 -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
-    $iptables6 -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
-    # reject everything else in INPUT
-    $iptables4 -A INPUT -j REJECT
-    $iptables6 -A INPUT -j REJECT
-}
-firewall_stop()
-{
-    # flush rules
-    firewall_flush
-    # default policy
-    firewall_default ACCEPT
-}
-case "$1" in
-    start)
-        echo -n "Starting $NAME: "
-        firewall_start
-        echo "OK."
-        ;;
-    stop)
-        echo -n "Stopping $NAME: "
-        firewall_stop
-        echo "OK."
-        ;;
-    restart|reload)
-        echo -n "Restarting $NAME: "
-        firewall_stop
-        sleep 1
-        firewall_start
-        echo "OK."
-        ;;
-    *)
-        echo "Usage: /etc/init.d/$NAME {start|stop|restart|reload}" >&2
-        exit 1
-        ;;
-esac
-exit 0
-</file>
-===== References =====
-https://tty1.net/blog/2007/iptables-firewall_en.html