[olug] firewall
Vincent
vraffensberger at home.com
Wed Jun 13 15:34:31 UTC 2001
Here's my newest iptables script. It works well, even if it's too long.
It should be flawless on a redhat 7.1 system.
Just edit the addresses for your system and then do the following:
Let me know if you have any trouble.
cp firestarter /etc/rc.d/init.d/
chmod 755 /etc/rc.d/init.d/firestarter
chkconfig --level 345 firestarter on
service firestarter start
#!/bin/bash
# /etc/rc.d/init.d/firestarter
# firestarter: Starts iptables firewalling/ NAT
#
# chkconfig: 345 80 85
# description: Starts firewalling and NAT via iptables
#
# processname: /sbin/iptables
# Script exit status, reported by the final `exit $RETVAL` at the bottom.
declare RETVAL=0
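start() {
  #######################################
  # Unloads any old netfilter/ipchains modules, loads the ones this rule
  # set needs, hardens the IPv4 sysctls and installs the filter/NAT rules.
  # Globals:   none read; RETVAL is not modified
  # Arguments: none
  # Outputs:   progress messages and the final rule listing on stdout
  # Returns:   status of the closing `iptables -L -n`; exits 1 when the
  #            kernel offers no rp_filter (spoof protection)
  #######################################
  # Interface and address layout; edit these for your system.
  # ext_if faces the Internet, lan_if the trusted LAN, ext_addr is the
  # public address that LAN traffic is source-NATed to.
  local ext_if=eth0
  local lan_if=eth1
  local lan_net=192.168.1.0/24
  local ext_addr=24.3.227.221
  local pass mod i f

  # Remove all ipchains and ip_tables kernel modules.  The modules depend
  # on each other, so a module that is busy in one pass may be free in the
  # next; three passes, as before.  `iptables -F` only touches the filter
  # table, so the nat table is flushed explicitly as well.
  echo
  echo "Flushing current tables and removing kernel modules! "
  echo
  iptables -F
  iptables -t nat -F
  for pass in 1 2 3; do
    # unquoted $(...) is intended: module names contain no whitespace
    for mod in $(lsmod | awk '/ip/ { print $1 }'); do
      echo "Attempt #$pass - Removing kernel module:" "$mod"
      rmmod "$mod"
    done
  done

  # Add ip_tables Kernel Modules.  Match/target modules (ipt_state,
  # ipt_limit, ipt_LOG, ipt_MIRROR, ...) are normally pulled in by
  # iptables itself when a rule first uses them, so only the modules that
  # no rule triggers are loaded here: the FTP connection-tracking helpers.
  echo
  echo "Inserting kernel modules and setting kernel parameters! "
  echo
  modprobe ip_tables
  modprobe ip_nat_ftp
  modprobe ip_conntrack_ftp

  # no source routing
  if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
    for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
      echo 0 > "$i"
    done
  fi
  # ignore broadcast icmp echo requests (keeps the host out of smurf-style
  # amplification)
  [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ] && \
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # ignore icmp echo requests on all interfaces (the host will not answer
  # ping at all, including from the LAN)
  [ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ] && \
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  # enable spoof protection (reverse-path filtering); refuse to run without
  # it, since the address-based trust rules below rely on it
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > "$f"
    done
  else
    echo "ieee: no kernel spoof protection enabled." >&2
    exit 1
  fi
  # local port range for TCP/UDP connections (disabled).  Kept on one
  # commented line so that the bare path is never run as a command.
  # [ -e /proc/sys/net/ipv4/ip_local_port_range ] && echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range
  # log packets with impossible addresses to kernel log.
  [ -e /proc/sys/net/ipv4/conf/all/log_martians ] && \
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
  # don't accept ICMP redirects on the Internet interface.  This used to
  # reference an unset $interIF, so the path never existed and the setting
  # was silently skipped.
  [ -e /proc/sys/net/ipv4/conf/"$ext_if"/accept_redirects ] && \
    echo 0 > /proc/sys/net/ipv4/conf/"$ext_if"/accept_redirects
  # no acceptance of ICMP redirects at all
  [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ] && \
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  # enable TCP Syncookies
  [ -e /proc/sys/net/ipv4/tcp_syncookies ] && \
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  # ip_forward is switched on below, only after the FORWARD policy is DROP,
  # so the box never forwards with the freshly loaded table's ACCEPT policy.

  # Flush everything (filter and nat).  Without the nat flush a restart
  # appended a second copy of the POSTROUTING SNAT rule every time.
  echo "Flushing all IP Tables! "
  iptables -F
  iptables -t nat -F
  # Default Policies are DROP.  Set before any rule is added so there is
  # no window in which the host is open while the rule set is built.
  echo "Default Policies are set to DROP! "
  echo
  iptables -t filter -P INPUT DROP
  iptables -t filter -P OUTPUT ACCEPT
  iptables -t filter -P FORWARD DROP
  # enable IP forward (now that FORWARD drops by default)
  [ -e /proc/sys/net/ipv4/ip_forward ] && \
    echo 1 > /proc/sys/net/ipv4/ip_forward
  # accept trusted interfaces and lan.  Loopback and LAN source addresses
  # are only trusted on the interface they belong to; an address-only
  # ACCEPT also matched packets arriving on $ext_if with a forged source.
  echo "Trusting local interfaces and LAN! "
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -i "$lan_if" -j ACCEPT
  iptables -A INPUT -i lo -s 127.0.0.0/24 -j ACCEPT
  iptables -A INPUT -i "$lan_if" -s "$lan_net" -j ACCEPT
  # accept related packets to connections made locally
  iptables -A INPUT -i "$ext_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # accept connections for ssh (any interface, any source)
  echo "Accepting inbound SSH connections! "
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  # setup the NAT rules first
  echo "Establishing NAT! "
  iptables -t nat -A POSTROUTING -o "$ext_if" -s "$lan_net" -j SNAT --to-source "$ext_addr"
  # accept related packets to connections made locally for NAT
  iptables -A FORWARD -i "$ext_if" -o "$lan_if" -s 0.0.0.0/0 -d "$lan_net" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Allow ftp to send data back and forth (active-mode data connections
  # from a server's port 20).  NOTE(review): this accepts any non-SYN TCP
  # segment with source port 20, whoever sends it; with ip_conntrack_ftp
  # loaded the RELATED match above already covers legitimate FTP data, so
  # this rule mainly widens exposure to ACK/FIN probes using port 20.
  iptables -A INPUT -p tcp ! --syn --source-port 20 --destination-port 1024:65535 -j ACCEPT
  # accept trusted interface
  iptables -A FORWARD -i "$lan_if" -d 0.0.0.0/0 -j ACCEPT
  # log unwanted traffic, don't flood the logfile
  echo "Logging malicious traffic! "
  iptables -A FORWARD -m limit --limit 5/minute --limit-burst 5 \
    -j LOG --log-level warning --log-prefix "NetFilter: "
  # Have some fun with the portscanners.
  # LOG is placed before MIRROR: LOG is non-terminating, MIRROR is not, so
  # in the other order packets within the MIRROR limit were reflected and
  # never logged, and only the overflow got a "MIRROR:" line.
  # Caveat: MIRROR sends every unsolicited $ext_if packet back to its
  # claimed source, so a forged source address turns this host into a
  # reflector for traffic aimed at a third party; the rate limit bounds
  # that but does not remove it.  Comment the MIRROR line out to let such
  # packets fall through to the DROP policy instead.
  echo "Now mirroring malicious traffic! ..hehe. "
  iptables -A INPUT -i "$ext_if" -p all -m limit --limit 1000/hour --limit-burst 1000 \
    -j LOG --log-prefix "MIRROR:"
  iptables -A INPUT -i "$ext_if" -p all -m limit --limit 1000/hour --limit-burst 1000 \
    -j MIRROR
  echo
  echo "Current IP kernel modules and IP tables: "
  lsmod | awk '/ip/ { print $1 }'
  # -n: do not reverse-resolve addresses, which can stall the listing
  iptables -L -n
}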
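stop() {
  #######################################
  # Opens the firewall, flushes the filter and nat tables and unloads the
  # netfilter modules.
  # Globals:   none read; RETVAL is not modified
  # Arguments: none
  # Outputs:   progress messages and the remaining modules/rules on stdout
  # Returns:   status of the closing `iptables -L -n`
  #######################################
  local pass mod

  # Reset the filter policies to ACCEPT before flushing.  A flush on its
  # own keeps the DROP policies set by start(), so if a module cannot be
  # unloaded (the table is still referenced, say) the host is left dropping
  # every inbound and forwarded packet with no rule allowing anything -- on
  # a remote box that means the SSH session is gone.
  iptables -t filter -P INPUT ACCEPT
  iptables -t filter -P OUTPUT ACCEPT
  iptables -t filter -P FORWARD ACCEPT
  # `iptables -F` only flushes the filter table; clear nat as well
  iptables -F
  iptables -t nat -F
  echo
  echo "Removing IP kernel modules and flushing IP tables! "
  echo
  # Remove all ipchains and ip_tables kernel modules; modules depend on
  # each other, so repeat the pass three times, as before.
  for pass in 1 2 3; do
    # unquoted $(...) is intended: module names contain no whitespace
    for mod in $(lsmod | awk '/ip/ { print $1 }'); do
      echo "Attempt #$pass - Removing kernel module:" "$mod"
      rmmod "$mod"
    done
  done
  echo
  echo "Remaining IP kernel modules and IP tables: "
  echo
  lsmod | awk '/ip/ { print $1 }'
  echo
  # NOTE(review): listing the tables may load ip_tables again on demand
  # right after it was removed -- confirm on the target kernel if a fully
  # module-free state matters.
  iptables -L -n
}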
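# See how we were called.  RETVAL now carries the status of the action
# that ran, so the final exit code reflects a failed start/stop instead of
# being 0 unconditionally.
case "$1" in
  start)
    start
    RETVAL=$?
    ;;
  stop)
    stop
    RETVAL=$?
    ;;
  restart)
    stop
    start
    RETVAL=$?
    ;;
  *)
    # usage used to omit restart, which the script already accepted
    echo $"Usage: $0 {start|stop|restart}" >&2
    exit 1
esac
exit $RETVAL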
----- Original Message -----
From: "Jon" <thechunk at thechunk.dhs.org>
To: "Olug Mailing List" <olug at bstc.net>
Sent: Wednesday, June 13, 2001 8:29 AM
Subject: [olug] firewall
> does anyone use ipchains or iptables as a firewall? If you do I have some
quick questions.
> How do you log addresses of people who attempt connections.
> Is iptables easy to migrate to from ipchains? Is iptables superior to
ipchains?
>
> Thanks
> -Jon
>