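#!/bin/tcsh
# Firewall script for host "surfer" (stateless iptables packet filter,
# single external ISDN interface).
#
# Usage: run as root at interface bring-up.  Requires /usr/sbin/iptables
# and a 2.4+ kernel.  The script is idempotent: every run resets the
# filter table (policies, flush, delete user chains) before rebuilding it.
# ----------------------------------------------------------
# PART I: variables

set IPTABLES = /usr/sbin/iptables

# ----------------------------------------------------------
# special ports

set p_high   = 1024:65535   # unprivileged ports (local client side)
set p_ssh    = 1000:1023    # common ssh source ports (currently unused)

# ----------------------------------------------------------
# interfaces

set IF       = ippp0        # external (dial-up) interface

# ----------------------------------------------------------
# ip hosts

set surfer   = 192.0.81.17    # example: our own external address
set ns       = 192.0.84.1     # example: resolver
set mail     = 192.0.84.3     # example: SMTP/POP3 server

set FRIEND   = 192.0.84.0/255.255.255.0 # example (currently unused)

# ----------------------------------------------------------
# PART II: baseline hardening
# ----------------------------------------------------------
# kernel parameters

echo "0" > /proc/sys/net/ipv4/ip_forward                     # we do not route
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts     # no smurf amplification
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# ICMP rate limits.  On kernels where these four files are absent the
# equivalent knobs are icmp_ratelimit / icmp_ratemask.
echo "5" > /proc/sys/net/ipv4/icmp_destunreach_rate
echo "5" > /proc/sys/net/ipv4/icmp_echoreply_rate
echo "5" > /proc/sys/net/ipv4/icmp_paramprob_rate
echo "10" > /proc/sys/net/ipv4/icmp_timeexceed_rate

# Per-interface settings only exist once $IF is up; warn instead of
# failing silently line by line.
test -d /proc/sys/net/ipv4/conf/$IF || echo "WARNING: /proc/sys/net/ipv4/conf/$IF missing - is $IF up? per-interface settings below will fail" > /dev/stderr

echo "1" > /proc/sys/net/ipv4/conf/$IF/rp_filter            # reverse-path check
echo "0" > /proc/sys/net/ipv4/conf/$IF/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/$IF/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/$IF/bootp_relay
echo "1" > /proc/sys/net/ipv4/conf/$IF/log_martians

# ----------------------------------------------------------
# default policy, flush, delete user chains

# Policies first so that the flush below never leaves an open window.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

$IPTABLES -F  # flush all chains of the filter table
$IPTABLES -X  # delete user chains, so -N my_drop below works on re-runs

# ----------------------------------------------------------
# spoof protection: packets arriving on the external interface
# that claim our own address

$IPTABLES -A INPUT -s $surfer -i $IF -j DROP

# ----------------------------------------------------------
# local processes

$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT  -i lo -j ACCEPT

# ----------------------------------------------------------
# PART III: filter rules
# ----------------------------------------------------------

# ----------------------------------------------------------
# LOG & DROP chain (prefix tells the protocol in the syslog line)

$IPTABLES -N my_drop
$IPTABLES -A my_drop -p ICMP -j LOG --log-prefix "DROP-ICMP "
$IPTABLES -A my_drop -p UDP  -j LOG --log-prefix "DROP-UDP "
$IPTABLES -A my_drop -p TCP  -j LOG --log-prefix "DROP-TCP "
$IPTABLES -A my_drop -j DROP

# ----------------------------------------------------------
# ICMP

# ping: type 8 out, type 0 in; incoming echo-request is logged and dropped

$IPTABLES -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT  -p ICMP --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT  -p ICMP --icmp-type echo-request -j my_drop

# source quench (4): never honour incoming ones

$IPTABLES -A OUTPUT -p ICMP --icmp-type source-quench -j ACCEPT
$IPTABLES -A INPUT  -p ICMP --icmp-type source-quench -j my_drop

# time exceeded (11): needed for traceroute and TTL diagnostics

$IPTABLES -A OUTPUT -p ICMP --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A INPUT  -p ICMP --icmp-type time-exceeded -j ACCEPT

# parameter problem (12)

$IPTABLES -A OUTPUT -p ICMP --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A INPUT  -p ICMP --icmp-type parameter-problem -j ACCEPT

# destination unreachable (3): fragmentation-needed is required for
# path-MTU discovery; port-unreachable is what we send for closed UDP ports

$IPTABLES -A OUTPUT -p ICMP --icmp-type fragmentation-needed -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP --icmp-type port-unreachable -j ACCEPT

$IPTABLES -A INPUT -p ICMP --icmp-type fragmentation-needed -j ACCEPT
$IPTABLES -A INPUT -p ICMP --icmp-type destination-unreachable -j ACCEPT

# ----------------------------------------------------------
# DNS: only to/from our resolver.  For TCP the reply direction is
# restricted to non-SYN packets so no connection can be opened towards us.

$IPTABLES -A OUTPUT -p UDP --sport $p_high -d $ns \
                           --dport domain -j ACCEPT
$IPTABLES -A INPUT  -p UDP --dport $p_high -s $ns \
                           --sport domain -j ACCEPT

$IPTABLES -A OUTPUT -p TCP --sport $p_high -d $ns \
                           --dport domain -j ACCEPT
$IPTABLES -A INPUT  -p TCP --dport $p_high -s $ns \
                           --sport domain ! --syn -j ACCEPT

# anything else pretending to come from port 53 is logged and dropped
$IPTABLES -A INPUT  -p TCP --sport domain --syn -j my_drop
$IPTABLES -A INPUT  -p UDP --sport domain       -j my_drop

# ----------------------------------------------------------
# SMTP, POP3: outgoing client connections to our mail host only

$IPTABLES -A OUTPUT -p TCP   --sport $p_high \
                    -d $mail --dport smtp -j ACCEPT
$IPTABLES -A INPUT  -p TCP   --dport $p_high -s $mail \
                             --sport smtp  ! --syn -j ACCEPT

$IPTABLES -A OUTPUT -p TCP   --sport $p_high \
                    -d $mail --dport pop3 -j ACCEPT
# Reply direction: server answers FROM port pop3 TO our high port
# (the ports were previously swapped here, which blocked POP3 replies).
$IPTABLES -A INPUT  -p TCP   --dport $p_high -s $mail \
                             --sport pop3  ! --syn -j ACCEPT

# ----------------------------------------------------------
# HTTP

$IPTABLES -A OUTPUT -p TCP --sport $p_high \
                           --dport http -j ACCEPT
$IPTABLES -A INPUT  -p TCP --dport $p_high \
                           --sport http ! --syn -j ACCEPT

$IPTABLES -A INPUT  -p TCP --dport http --syn -j my_drop

# ----------------------------------------------------------
# HTTP via SSL

$IPTABLES -A OUTPUT -p TCP --sport $p_high \
                           --dport https -j ACCEPT
$IPTABLES -A INPUT  -p TCP --dport $p_high \
                           --sport https ! --syn -j ACCEPT

$IPTABLES -A INPUT  -p TCP --dport https --syn -j my_drop

# ----------------------------------------------------------
# ident: REJECT rather than DROP so that remote mail/irc servers doing an
# ident lookup get an immediate answer instead of waiting for a timeout

$IPTABLES -A INPUT -p TCP --dport auth --syn -j REJECT

# ----------------------------------------------------------
# ftp, outgoing, control connection

$IPTABLES -A OUTPUT -p TCP --sport $p_high \
                           --dport ftp -j ACCEPT
$IPTABLES -A INPUT  -p TCP --dport $p_high \
                           --sport ftp ! --syn -j ACCEPT

# ftp, outgoing, passive data connection (active mode is not supported)
#
# NOTE(review): this is the weakest rule of the set.  Because the filter
# is stateless it accepts ANY non-SYN TCP packet from any host between
# two unprivileged ports, not only FTP data.  A stateful replacement
# (-m state --state ESTABLISHED,RELATED plus the FTP conntrack helper)
# would close that gap; left unchanged here to keep the script stateless.

$IPTABLES -A OUTPUT -p TCP --sport $p_high \
                           --dport $p_high -j ACCEPT
$IPTABLES -A INPUT  -p TCP --dport $p_high \
                           --sport $p_high ! --syn -j ACCEPT

$IPTABLES -A INPUT  -p TCP --dport ftp --syn -j my_drop

# ----------------------------------------------------------
# catch-all: log and drop the rest; local processes get a REJECT
# so they fail fast instead of hanging on a silent drop

$IPTABLES -A INPUT   -j my_drop
$IPTABLES -A FORWARD -j my_drop
$IPTABLES -A OUTPUT  -j REJECT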
