#!/bin/tcsh
#
# Firewall script for iro
# ==========================================================
# PART I: Variablen 
# ==========================================================

# modprobe ip_tables
# modprobe ip_conntrack
 
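set IPTABLES = /usr/sbin/iptables

# ----------------------------------------------------------
# special ports

set p_high   = 1024:65535   # unprivileged (ephemeral) client ports

# Source ports an ssh client may use.  Clients in practice (OpenSSH
# included) connect from an unprivileged port; the privileged range
# 512-1023 belonged to the long-obsolete rhosts-style authentication.
# The previous value 500:1023 therefore matched no contemporary client,
# and because INPUT/FORWARD drop any NEW packet without a matching rule,
# every ssh login to or through this box was silently refused.
set p_ssh    = $p_high

set p_socks  = 1080         # SOCKS server port

# ----------------------------------------------------------
# interfaces

set INT = eth0   # internal LAN
set DMZ = eth1   # DMZ; PART VIII also sends non-DMZ (external) traffic out here

set IF  = ( $INT $DMZ )

# ----------------------------------------------------------
# ip hosts

set ns_int   = 192.168.2.2   # caching-only nameserver
set intmail  = 192.168.2.2   # internal mail server
set sockssrv = 192.168.2.2   # SOCKS server
set loghost  = 192.168.1.9   # central syslog host on the internal net


set INT_NET  = 192.168.1.0/255.255.255.0 # example
set DMZ_NET  = 192.168.2.0/255.255.255.0 # example
set FRIENDs  = 192.0.84.0/255.255.255.0  # external hosts that may be reached via ssh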

# ==========================================================
# PART II: Basic configuration: hardening
# ==========================================================
# set dynamic kernel parameters (sysctl via /proc)

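echo "0" > /proc/sys/net/ipv4/ip_forward  # off while the rule set is rebuilt; PART IV turns it back on
echo "1" > /proc/sys/net/ipv4/tcp_syncookies                # SYN-flood protection
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts   # no smurf amplification
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# The per-type icmp_*_rate knobs exist only on older (2.2-era) kernels;
# later kernels replaced them with icmp_ratelimit/icmp_ratemask.  Only
# write them where present, otherwise every run spews "No such file or
# directory" errors for these lines.
foreach knob ( icmp_destunreach_rate icmp_echoreply_rate icmp_paramprob_rate )
   if ( -e /proc/sys/net/ipv4/$knob ) then
      echo "5" > /proc/sys/net/ipv4/$knob
   endif
end
if ( -e /proc/sys/net/ipv4/icmp_timeexceed_rate ) then
   echo "10" > /proc/sys/net/ipv4/icmp_timeexceed_rate
endif

# Per-interface hardening.  "all" is included on purpose: the kernel
# combines conf/all/* with conf/<if>/*, and for rp_filter in particular
# the (older) kernel documentation states that conf/all/rp_filter must
# also be set before per-interface source validation takes effect --
# without it the anti-spoofing intended here was not necessarily active.
foreach dev ( all $IF )
   echo "1" > /proc/sys/net/ipv4/conf/$dev/rp_filter            # reverse-path (anti-spoof) check
   echo "0" > /proc/sys/net/ipv4/conf/$dev/accept_redirects     # ICMP redirects must not alter our routes
   echo "0" > /proc/sys/net/ipv4/conf/$dev/send_redirects       # and a firewall should not hand out routing hints
   echo "0" > /proc/sys/net/ipv4/conf/$dev/accept_source_route  # no source-routed packets
   echo "0" > /proc/sys/net/ipv4/conf/$dev/bootp_relay
   echo "1" > /proc/sys/net/ipv4/conf/$dev/log_martians         # log packets with impossible source addresses
end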

# ----------------------------------------------------------
# Default policy and flush

# Policies first, flush second: while the rule set is being rebuilt nothing
# is accepted.  Note that this also stalls an ssh session used to run the
# script until the ESTABLISHED rules further down have been loaded.
foreach chain ( INPUT FORWARD OUTPUT )
   $IPTABLES -P $chain DROP
end

# Only the filter table is cleared here; nat/mangle rules left over from
# an earlier configuration would survive this script.
$IPTABLES -F         # flush all chains (filter table)
$IPTABLES -X         # delete all user-defined chains (filter table)

# ----------------------------------------------------------
# local processes (loopback)

# Loopback traffic is unrestricted in both directions.
$IPTABLES -A INPUT  -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# ----------------------------------------------------------
# ssh for remote administration, accepted from the internal net only.
# The OUTPUT rule admits replies alone (ESTABLISHED,RELATED); the
# firewall cannot initiate ssh connections through this pair of rules.
# The client source port must fall inside $p_ssh for the INPUT rule to
# match at all -- keep that range in step with what real clients use.

$IPTABLES -A INPUT -i $INT -s $INT_NET -p TCP \
          -m state --state NEW,ESTABLISHED,RELATED \
          --sport $p_ssh --dport ssh -j ACCEPT

$IPTABLES -A OUTPUT -o $INT -d $INT_NET -p TCP \
          -m state --state ESTABLISHED,RELATED \
          --sport ssh --dport $p_ssh -j ACCEPT

# ==========================================================
# PART III: User-defined chains
# ==========================================================

# ----------------------------------------------------------
# DROP & LOG Chain 

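$IPTABLES -N my_drop

# Throttle the LOG rules.  An unlimited LOG on the catch-all chain lets a
# port scan or a flood fill the local syslog -- and the loghost it is
# relayed to -- at line rate.  The limit counter is per rule, i.e. per
# protocol; the DROP itself stays unconditional.
set log_limit = ( -m limit --limit 5/min --limit-burst 10 )

$IPTABLES -A my_drop -p ICMP $log_limit -j LOG --log-prefix "DROP-ICMP "
$IPTABLES -A my_drop -p UDP  $log_limit -j LOG --log-prefix "DROP-UDP "
$IPTABLES -A my_drop -p TCP  $log_limit -j LOG --log-prefix "DROP-TCP "
# Other protocols are dropped without a log entry (unchanged behaviour).
$IPTABLES -A my_drop -j DROP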

# ==========================================================
# PART IV: Forwarding
# ==========================================================

# Re-enable forwarding.  FORWARD already has policy DROP and is empty at
# this point, so nothing is relayed before the rules below are loaded.
echo "1" > /proc/sys/net/ipv4/ip_forward  # switch back on

# ==========================================================
# PART V: Filter rules for local services (the firewall host itself)
# ==========================================================

# ----------------------------------------------------------
# Return channel: inbound packets belonging to an existing connection

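$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else that is new (or not tracked at all) is dropped here, so
# no INPUT rule appended after this point can ever admit a fresh connection.
$IPTABLES -A INPUT -m state --state NEW,INVALID -j my_drop

# ----------------------------------------------------------
# ICMP

# Pings issued by the firewall itself; the replies are let in by the
# ESTABLISHED rule above.
$IPTABLES -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT

# ICMP errors the kernel raises for connections it is tracking -- most
# importantly "fragmentation needed" for forwarded flows whose packets
# exceed the outgoing MTU.  OUTPUT defaults to DROP and no other rule
# matched them, so they were discarded silently, which blackholes
# path-MTU discovery for traffic relayed through this box.  RELATED only:
# unsolicited probes never get an answer, INPUT drops them first.
$IPTABLES -A OUTPUT -p ICMP -m state --state RELATED -j ACCEPT

# ----------------------------------------------------------
# SYSLOG

# Remote logging to $loghost.  Plain UDP syslog carries no authentication
# or encryption, so entries can be forged or sniffed on the internal net.
$IPTABLES -A OUTPUT -o $INT -d $loghost \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p UDP --sport syslog --dport syslog -j ACCEPT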

# ==========================================================
# PART VI: Forwarding: internal --> DMZ, including "exa"
# ==========================================================

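# ----------------------------------------------------------
# Anti-spoofing: an internal source address must never arrive on the DMZ
# interface, and a DMZ address never on the internal one.  rp_filter
# catches this when the routing table is right; these explicit rules do
# not depend on it and produce a log entry via my_drop.

$IPTABLES -A FORWARD -i $DMZ -s $INT_NET -j my_drop
$IPTABLES -A FORWARD -i $INT -s $DMZ_NET -j my_drop

# ----------------------------------------------------------
# SYSLOG

# The only DMZ-initiated flow into the internal net in this rule set: UDP
# syslog to the loghost.  UDP syslog has no authentication, so a
# compromised DMZ host can flood or forge log entries; the --sport syslog
# restriction is trivially satisfied by an attacker and is not a control.

$IPTABLES -A FORWARD -i $DMZ -o $INT -s $DMZ_NET -d $loghost \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p UDP --sport syslog --dport syslog -j ACCEPT

# Replies (if any) from the loghost back to the DMZ.
$IPTABLES -A FORWARD -i $INT -o $DMZ -s $loghost -d $DMZ_NET \
          -m state --state ESTABLISHED,RELATED \
          -p UDP --sport syslog --dport syslog -j ACCEPT

# ----------------------------------------------------------
# Return channel: packets from the DMZ that belong to a connection the
# internal net opened.  Anything new or untracked from the DMZ is
# dropped right here.

$IPTABLES -A FORWARD -i $DMZ -o $INT -s $DMZ_NET \
          -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $DMZ -o $INT -s $DMZ_NET \
          -m state --state NEW,INVALID -j my_drop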

# ----------------------------------------------------------
# ICMP

# Ping from the internal net into the DMZ; replies return through the
# ESTABLISHED rule of the return channel above.
$IPTABLES -A FORWARD -i $INT -o $DMZ -d $DMZ_NET \
          -p ICMP --icmp-type echo-request -j ACCEPT

# ----------------------------------------------------------
# DNS to the internal nameserver (UDP and TCP, client from an
# unprivileged port)

foreach ns ( $ns_int )
  $IPTABLES -A FORWARD -i $INT -o $DMZ -d $ns \
            -m state --state NEW,ESTABLISHED,RELATED \
            -p UDP --sport $p_high --dport domain \
            -j ACCEPT

  $IPTABLES -A FORWARD -i $INT -o $DMZ -d $ns \
            -m state --state NEW,ESTABLISHED,RELATED \
            -p TCP --sport $p_high --dport domain \
            -j ACCEPT
end

# ----------------------------------------------------------
# SOCKS

$IPTABLES -A FORWARD -i $INT -o $DMZ -d $sockssrv \
            -m state --state NEW,ESTABLISHED,RELATED \
            -p TCP --sport $p_high --dport $p_socks -j ACCEPT

# NOTE(review): high port to high port is effectively "any UDP" from the
# internal net to $sockssrv, not just SOCKS -- far broader than the TCP
# rule above.  Narrow it if the SOCKS server's UDP relay range is known.
$IPTABLES -A FORWARD -i $INT -o $DMZ -d $sockssrv \
            -m state --state NEW,ESTABLISHED,RELATED \
            -p UDP --sport $p_high --dport $p_high -j ACCEPT

# ----------------------------------------------------------
# SMTP, POP3 (plain ports; credentials travel in the clear unless the
# mail server enforces STARTTLS)

$IPTABLES -A FORWARD -i $INT -o $DMZ -d $intmail \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high --dport smtp \
          -j ACCEPT

$IPTABLES -A FORWARD -i $INT -o $DMZ  -d $intmail \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high --dport pop3 \
          -j ACCEPT

# ----------------------------------------------------------
# SSH to any DMZ host.  Matches only if the client's source port is in
# $p_ssh; contemporary ssh clients connect from unprivileged ports, so
# that range must include 1024:65535 for this rule to be of any use.

$IPTABLES -A FORWARD -i $INT -o $DMZ -d $DMZ_NET \
            -m state --state NEW,ESTABLISHED,RELATED \
            -p TCP --sport $p_ssh --dport ssh -j ACCEPT

# ==========================================================
# PART VIII: Forwarding: internal --> external, direct (via the DMZ interface)
# ==========================================================

# ----------------------------------------------------------
# Return channel: inbound packets belonging to an existing connection

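# External replies: non-DMZ sources arriving on the DMZ interface are only
# accepted for connections the internal net opened; anything new or
# untracked is dropped.
# Negation is written in front of the option ("! -s").  The older
# intrapositioned form "-s ! addr" is deprecated since iptables 1.4.3 and
# only still works with a warning; "! -s" is the supported spelling.

$IPTABLES -A FORWARD -i $DMZ -o $INT ! -s $DMZ_NET \
          -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $DMZ -o $INT ! -s $DMZ_NET \
          -m state --state NEW,INVALID -j my_drop

# ----------------------------------------------------------
# ICMP: ping from the internal net to anywhere outside the DMZ

$IPTABLES -A FORWARD -i $INT -o $DMZ ! -d $DMZ_NET \
          -p ICMP --icmp-type echo-request -j ACCEPT

# ----------------------------------------------------------
# SSH to the external "friend" hosts only.  The client source port must
# lie inside $p_ssh for the rule to match (modern clients use
# unprivileged ports).

$IPTABLES -A FORWARD -i $INT -o $DMZ -d $FRIENDs \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_ssh --dport ssh -j ACCEPT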

# ==========================================================
# FINAL
# ==========================================================

# ----------------------------------------------------------
# Catch-all: log and drop everything else

# Whatever reaches the end of a chain without a match goes through
# my_drop.  The chain policies are DROP as well, so this mainly buys the
# log entry.
foreach chain ( INPUT FORWARD OUTPUT )
   $IPTABLES -A $chain -j my_drop
end

