Stateful firewall

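#!/bin/sh
#
# Stateful host firewall (iptables, IPv4 only). Must run as root.
# Rebuilds the filter table from scratch: flushes and deletes the old rules
# and custom chains, sets DROP default policies, allows loopback, then
# creates the two custom chains ("interfaces", "open") that INPUT jumps to
# later in the script.
# NOTE(review): ip6tables is never touched, so IPv6 is not filtered here.

#################
# Configuration #
#################

IPT="/usr/sbin/iptables"

# Interface names. Only $if1 is referenced later; if0/if2 are currently unused.
if0="eth0"
if1="wlan0"
if2="eth1"

# Setting modules and kernel configuration
# NOTE(review): these look like the old ip_* module names; on current kernels
# the equivalents are nf_conntrack / nf_conntrack_ftp / nf_nat_ftp and are
# normally autoloaded, so a "module not found" here is not necessarily fatal.
# Check with lsmod after the script has run.
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

# Flush old rules, old custom tables
# --flush only empties the chains; the user chains created below ("open",
# "interfaces") survive it, so a second run of this script used to fail at
# "-N" with "Chain already exists". Flush, then delete the (now empty) user
# chains, then zero the counters.
echo "Flushing old rules"
"$IPT" --flush
"$IPT" --delete-chain
"$IPT" --zero

# Set default policies for all three default chains
# OUTPUT is switched back to ACCEPT further down in the script; it is DROP
# only while the rule set is being rebuilt.
echo "We DROP everything"
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT DROP

# Enable free use of loopback interface
echo "Free access to loopback interface"
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# Custom chains that INPUT jumps to: "interfaces" (trusted interfaces) and
# "open" (per-service accept rules).
echo "Necessary chains created: Open, Interfaces"
"$IPT" -N open
"$IPT" -N interfaces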

################
# INPUT chain # - only packets we explicitly accept should get through here
################
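echo "INPUT chain created"
# Rule order matters: iptables stops at the first match, and the two REJECT
# rules at the end of this section match every TCP and UDP packet. Anything
# appended (-A) to INPUT after this section is therefore unreachable for
# TCP/UDP; rules that must win have to be inserted (-I) at the head.
# Every ICMP type is accepted here (no --icmp-type filter).
"$IPT" -A INPUT -p icmp -j ACCEPT
echo "Stateful firewall - we do not DROP already ESTABLISHED and RELATED connections"
"$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# VNC
# This rule used to accept new VNC connections from ANY source address while
# the Samba rules below only trust the local subnet. It is now limited to the
# same subnet; exposing a remote-desktop service to every host that can reach
# this machine is rarely what is wanted. Widen -s deliberately if remote VNC
# is really required.
"$IPT" -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 5900:5906 -j ACCEPT

# Samba
# Only the source address is checked, not the ingress interface, so a forged
# 192.168.0.x source arriving on an untrusted interface would match as well;
# rp_filter and the anti-spoofing rules later in the script are what is
# expected to stop that.
"$IPT" -A INPUT -p udp -m udp -s 192.168.0.0/24 --dport 137 -j ACCEPT # NetBIOS Name Service
"$IPT" -A INPUT -p udp -m udp -s 192.168.0.0/24 --dport 138 -j ACCEPT # NetBIOS Datagram Service
"$IPT" -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT # NetBIOS Session Service
"$IPT" -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT # Microsoft Directory Service

echo "In majority we do not want to DROP all of the incoming connections"
# Hand off to the custom chains: "interfaces" (trusted interfaces) first,
# then "open" (per-service rules). A packet matching nothing in either chain
# falls back into INPUT and reaches the REJECT rules below.
"$IPT" -A INPUT -j interfaces
"$IPT" -A INPUT -j open
echo "We DROP everything that was not clearly accepted above"
echo "We DROP TCP packets with tcp-reset flag"
echo "We answer to UDP packets with ICMP message"
# Closed ports answer at once (TCP RST / ICMP port-unreachable) instead of
# letting the client time out. These two rules are the effective end of the
# chain for TCP and UDP.
"$IPT" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
"$IPT" -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
echo "Other protocols than TCP, UDP and ICMP are DROPPED"
# The policy is already DROP from the top of the script; repeated so the
# chain's final behaviour is visible in this section.
"$IPT" -P INPUT DROP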

#################
# FORWARD chain #
#################
# no NAT, so no FORWARD
# This host does no NAT or routing, so nothing is ever forwarded: the FORWARD
# chain keeps the DROP policy set at the top and gets no rules.
printf '%s\n' "FORWARD chain created, but while there is no NAT so DROP"
"$IPT" -P FORWARD DROP

################
# OUTPUT chain #
################
# Outbound traffic is deliberately left unfiltered. This reverses the DROP
# policy set at the top of the script; until this line runs, only loopback
# traffic can leave the host.
printf '%s\n' "OUTPUT chain created"
"$IPT" -P OUTPUT ACCEPT

####################
# Interfaces chain #
####################
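echo "Interfaces chain created"
# This chain is meant to accept traffic from trusted interfaces.
# Loopback is already accepted directly in INPUT near the top of the script;
# this rule is only reached by packets that got past the service rules, so it
# is redundant but harmless.
"$IPT" -A interfaces -i lo -j ACCEPT

# Trusted-interface accept.
# The original rule here read "-i if1" -- the literal string, not "$if1" --
# and no interface by that name exists (the configured names are eth0, wlan0,
# eth1), so the rule loaded fine but never matched: this host has effectively
# never trusted $if1 wholesale. The corrected form is kept below but left
# disabled on purpose: enabling it accepts EVERY inbound packet on $if1
# (wlan0), which bypasses the per-service source restrictions in INPUT.
# Uncomment only if that is really the intent.
#"$IPT" -A interfaces -i "$if1" -j ACCEPT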

##############
# Open chain #
##############
printf '%s\n' "Open chain created"
# The "open" chain holds per-service accept rules (port/protocol, optionally
# limited to one interface). INPUT jumps here after the "interfaces" chain and
# before its final REJECT rules, so rules added to "open" are reachable.
# Everything below is disabled; uncomment what is needed, and note two things
# while doing so:
#   * "-i if1" in the original was the literal string, not the variable; the
#     lines here use -i "$if1".
#   * the last three eDonkey rules append to INPUT directly (-A INPUT). By the
#     time this section runs INPUT already ends with catch-all REJECT rules,
#     so such appended rules would never be reached -- add them to "open"
#     (or insert them with -I) instead.

# NTP
#"$IPT" -A open -i "$if1" -p udp --dport 123 -j ACCEPT
# FTP (control port 21 and active-mode data port 20)
#"$IPT" -A open -p tcp --dport 20 -j ACCEPT
#"$IPT" -A open -p tcp --dport 21 -j ACCEPT
# SSH
#"$IPT" -A open -p tcp --dport 22 -j ACCEPT
# SSH & MUD on port 23 (the telnet port)
#"$IPT" -A open -p tcp --dport 23 -j ACCEPT
# HTTP
#"$IPT" -A open -i wlan0 -p tcp --dport 80 -j ACCEPT
#"$IPT" -A open -i "$if1" -p tcp --dport 80 -j ACCEPT
# Usenet - Newsgroups (NNTP 119, NNTPS 563)
#"$IPT" -A open -i "$if1" -p tcp --dport 119 -j ACCEPT
#"$IPT" -A open -i "$if1" -p tcp --dport 563 -j ACCEPT
# A specific TCP port range
#"$IPT" -A open -i "$if1" -p tcp --dport 65000:65005 -j ACCEPT
# The same range over UDP
#"$IPT" -A open -i "$if1" -p udp --dport 65000:65005 -j ACCEPT

# LDAP
#"$IPT" -A open -i "$if1" -p tcp --dport 389 -j ACCEPT

# Squid - WWW proxy
#"$IPT" -A open -i "$if1" -p tcp --dport 8080 -j ACCEPT

# pdnsd - DNS proxy (TCP only as written; DNS also uses UDP 53)
#"$IPT" -A open -i "$if1" -p tcp --dport 53 -j ACCEPT

# VNC - Virtual Network Computing
#"$IPT" -A open -i "$if1" -p tcp --dport 5900:5906 -j ACCEPT

# eDonkey Network
#"$IPT" -A open -i "$if1" -p tcp --dport 7777 -j ACCEPT
#"$IPT" -A open -i "$if1" -p udp --dport 7780 -j ACCEPT
# These three append to INPUT, not "open" -- see the note at the top.
#"$IPT" -t filter -A INPUT -m state --state NEW -m tcp -p tcp --dport 4662 -j ACCEPT
#"$IPT" -t filter -A INPUT -m state --state NEW -m udp -p udp --dport 4665 -j ACCEPT
#"$IPT" -t filter -A INPUT -m state --state NEW -m udp -p udp --dport 4672 -j ACCEPT

##########################
# Protection from attacks #
##########################
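echo "Protection from attacks"
# Kernel hardening knobs. Writes to /proc need root; a failed write prints an
# error but does not stop the script, so read the output when running it.
# Only conf/all/* is written here. Interfaces also carry conf/<name>/* values
# and newly created interfaces inherit conf/default/*, so set those too if
# interfaces come and go (e.g. wlan0).

echo "Ignoring ICMP echo requests sent to broadcast address"
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo "Protection from SYN flood"
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

echo "Refuse source routed packets"
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# secure_redirects=1 is the usual kernel default and still honours ICMP
# redirects that come from a configured gateway. This host is not a router,
# so refuse redirects altogether as well; this is the sysctl form of the
# commented-out "--icmp-type redirect -j DROP" rule near the end of the script.
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "Refuse ICMP redirects"
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

echo "Source validation using reversed path (RFC1812)"
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

echo "Logging packets coming from wrong addresses (Martians)"
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# The four sanity rules below were appended (-A) to INPUT, i.e. AFTER the
# catch-all "-p tcp -j REJECT" / "-p udp -j REJECT" rules added earlier in the
# script, so they could never match a TCP packet. They are now inserted (-I)
# at the head of INPUT, like the anti-spoofing rules that follow, so they run
# before any ACCEPT rule.
echo "Force SYN packet check - be sure that newcoming TCP packets are SYN, otherwise DROP them"
"$IPT" -I INPUT -p tcp ! --syn -m state --state NEW -j DROP
echo "Force Fragment packets check - packets coming with fragments DOPPED"
# -f matches second and later fragments only. With connection tracking loaded
# the kernel normally reassembles packets before the filter table sees them,
# so this rule is expected to match rarely, if ever; kept as defence in depth.
"$IPT" -I INPUT -f -j DROP
echo "XMAS packets - newcoming modified XMAS packets DROPPED"
"$IPT" -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
echo "Drop all NULL packets - newcoming modified NULL packets DROPPED"
"$IPT" -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
echo "Spoofing attack protection"
# /etc/sysctl.conf net.ipv4.conf.all.rp_filter = 1
# Drop packets with private or loopback source addresses arriving on $if1.
# The original rules used the literal interface name "if1" (no "$"), which
# matches no real interface, so they were silently ineffective; they now use
# the variable. 192.168.0.0/16 stays disabled, presumably because the
# Samba/VNC rules accept 192.168.0.0/24 and that range is expected on this
# interface -- if $if1 faces an untrusted network, enable it.
"$IPT" -I INPUT -i "$if1" -s 10.0.0.0/8 -j DROP
"$IPT" -I INPUT -i "$if1" -s 172.16.0.0/12 -j DROP
#"$IPT" -I INPUT -i "$if1" -s 192.168.0.0/16 -j DROP
"$IPT" -I INPUT -i "$if1" -s 127.0.0.0/8 -j DROP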

##########
# Hiding #
##########
# ICMP
# /etc/sysctl.conf net.ipv4.icmp_echo_ignore_all = 1
#$IPT -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
# ICMP type match blocking (if this machine is not a router)
#$IPT -I INPUT -p icmp --icmp-type redirect -j DROP
#$IPT -I INPUT -p icmp --icmp-type router-advertisement -j DROP
#$IPT -I INPUT -p icmp --icmp-type router-solicitation -j DROP
#$IPT -I INPUT -p icmp --icmp-type address-mask-request -j DROP
#$IPT -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
# Block nmap's uptime detection
# /etc/sysctl.conf net.ipv4.tcp_timestamps = 0
# Other attacks - /etc/sysctl.conf equivalents of the settings applied above
# net.ipv4.conf.all.accept_source_route=0
# net.ipv4.icmp_echo_ignore_broadcasts=1
# net.ipv4.icmp_ignore_bogus_error_responses=1   (matches the /proc path written above; "_messages" is not the sysctl's name)


Whatever you do or fix, please test it afterwards. Better still, do not fix things that work — wait until they break; otherwise you will feel the wrath of dummy users.