[packages/iptables.git] / rc.firewall

#!/bin/sh
#
# rc.firewall	iptables
#
# chkconfig:	2345 9 91
# description:	Example netfilter setup version 0.1 by Anthony C. Zboralski \
#		Warning this is experimental, I don't garantee this is 100% \
#		secure, it just does the work fine for me and i thought \
#		it could be a good jumpstart for people new to netfilter. \
#		Now I am waiting for your corrections, suggestions and \
#		critics :) Also I am gonna write a small addon \
#		for setting up dynamic rules cause i am tired of all \
#		these programs with dynamics port like bind, xdm and rpc. \
#		All mail go to acz@hert.org

. /etc/rc.d/init.d/functions
. /etc/sysconfig/network

iptables=/usr/sbin/iptables
ip6tables=/usr/sbin/ip6tables

_modprobe single die -k -a ip_tables "`is_yes "$IPV6_NETWORKING" && echo ip6_tables`"

show "Flush standard tables and deny everything"
busy
$iptables --flush INPUT
$iptables --flush OUTPUT
$iptables --flush FORWARD
$iptables --table nat --flush OUTPUT
$iptables --table nat --flush PREROUTING
$iptables --table nat --flush POSTROUTING
$iptables --policy INPUT   DROP
$iptables --policy OUTPUT  DROP
$iptables --policy FORWARD DROP
if is_yes "$IPV6_NETWORKING" ; then
	$ip6tables --flush INPUT
	$ip6tables --flush OUTPUT
	$ip6tables --flush FORWARD
#	$ip6tables --table nat --flush OUTPUT
#	$ip6tables --table nat --flush PREROUTING
#	$ip6tables --table nat --flush POSTROUTING
	$ip6tables --policy INPUT   DROP
	$ip6tables --policy OUTPUT  DROP
	$ip6tables --policy FORWARD DROP
fi
deltext ; ok


CHAINS=`$iptables -n -L | awk '($1 ~ /^Chain/) && !($2 ~ /^(INPUT|OUTPUT|FORWARD)$/) {print $2}'`
show "Remove remaining chains %s:" $CHAINS
busy
for chain in $CHAINS; do
  $iptables --flush $chain
done
# 2nd step cause of dependencies
for chain in $CHAINS; do
  $iptables --delete-chain $chain
done
CHAINS=`$iptables -t nat -n -L | awk '($1 ~ /^Chain/) && !($2 ~ /^(OUTPUT|PREROUTING|POSTROUTING)$/) {print $2}'`
for chain in $CHAINS; do
  $iptables -t nat --flush $chain
done
# 2nd step cause of dependencies
for chain in $CHAINS; do
  $iptables -t nat --delete-chain $chain
done
if is_yes "$IPV6_NETWORKING" ; then
	CHAINS=`$ip6tables -n -L | awk '($1 ~ /^Chain/) && !($2 ~ /^(INPUT|OUTPUT|FORWARD)$/) {print $2}'`
	for chain in $CHAINS; do
	  $ip6tables --flush $chain
	done
	# 2nd step cause of dependencies
	for chain in $CHAINS; do
	  $ip6tables --delete-chain $chain
	done
#	CHAINS=`$ip6tables -t nat -n -L | awk '($1 ~ /^Chain/) && !($2 ~ /^(OUTPUT|PREROUTING|POSTROUTING)$/) {print $2}'`
#	for chain in $CHAINS; do
#	  $ip6tables -t nat --flush $chain
#	done
#	# 2nd step cause of dependencies
#	for chain in $CHAINS; do
#	  $ip6tables -t nat --delete-chain $chain
#	done
fi
deltext ; ok

# now this is tricky with ipchains you just had to deny forward and set
# forwarding to MASQ target but now you have to do it in two steps:

show "Turn off rp_filter for all interfaces"
busy
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
if is_yes "$IPV6_NETWORKING" ; then
	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
fi
deltext ; ok

show "Load modules needed by NAT"
busy
_modprobe die -k -a ip_conntrack ip_conntrack_ftp ip_nat_ftp # ip_nat_snmp_basic
deltext ; ok

show "Create a target for logging and dropping packets"
busy
$iptables --new LDROP 2>/dev/null
$iptables -A LDROP --proto tcp -j LOG --log-level info --log-prefix "TCP Drop "
$iptables -A LDROP --proto udp -j LOG --log-level info --log-prefix "UDP Drop "
$iptables -A LDROP --proto icmp -j LOG --log-level info --log-prefix "ICMP Drop "
$iptables -A LDROP --proto gre -j LOG --log-level info --log-prefix "GRE Drop "
$iptables -A LDROP -f -j LOG --log-level emerg --log-prefix "FRAG. Drop "
$iptables -A LDROP -j DROP
if is_yes "$IPV6_NETWORKING" ; then
	$ip6tables --new LDROP 2>/dev/null
#	$ip6tables -A LDROP --proto tcp -j LOG --log-level info --log-prefix "TCP Drop "
#	$ip6tables -A LDROP --proto udp -j LOG --log-level info --log-prefix "UDP Drop "
#	$ip6tables -A LDROP --proto icmp -j LOG --log-level info --log-prefix "ICMP Drop "
#	$ip6tables -A LDROP --proto gre -j LOG --log-level info --log-prefix "GRE Drop "
#	$ip6tables -A LDROP -f -j LOG --log-level emerg --log-prefix "FRAG. Drop "
	$ip6tables -A LDROP -j DROP
fi
deltext ; ok

show "Create a target for watching some accepting rules"
busy
$iptables --new WATCH 2>/dev/null
$iptables -A WATCH -m limit -j LOG --log-level warn --log-prefix "ACCEPT "
$iptables -A WATCH -j ACCEPT
if is_yes "$IPV6_NETWORKING" ; then
	$ip6tables --new WATCH 2>/dev/null
#	$ip6tables -A WATCH -m limit -j LOG --log-level warn --log-prefix "ACCEPT "
	$ip6tables -A WATCH -j ACCEPT
fi
deltext ; ok

show "Enforcing up ICMP policies, use iptables -L ICMP to check"
busy
# If you deny all ICMP messages you head for trouble since it would
# break lots of tcp/ip algorithm (acz)
$iptables --new ICMP 2>/dev/null
$iptables -A INPUT --proto icmp -j ICMP
$iptables -A ICMP -p icmp --icmp-type echo-reply                   -j ACCEPT
$iptables -A ICMP -p icmp --icmp-type destination-unreachable      -j WATCH
$iptables -A ICMP -p icmp --icmp-type   network-unreachable        -j WATCH
$iptables -A ICMP -p icmp --icmp-type   host-unreachable           -j WATCH
$iptables -A ICMP -p icmp --icmp-type   protocol-unreachable       -j WATCH
$iptables -A ICMP -p icmp --icmp-type   port-unreachable           -j ACCEPT
$iptables -A ICMP -p icmp --icmp-type   fragmentation-needed       -j LDROP
$iptables -A ICMP -p icmp --icmp-type   source-route-failed        -j WATCH
$iptables -A ICMP -p icmp --icmp-type   network-unknown            -j WATCH
$iptables -A ICMP -p icmp --icmp-type   host-unknown               -j WATCH
$iptables -A ICMP -p icmp --icmp-type   network-prohibited         -j WATCH
$iptables -A ICMP -p icmp --icmp-type   host-prohibited            -j WATCH
$iptables -A ICMP -p icmp --icmp-type   TOS-network-unreachable    -j WATCH
$iptables -A ICMP -p icmp --icmp-type   TOS-host-unreachable       -j WATCH
$iptables -A ICMP -p icmp --icmp-type   communication-prohibited   -j WATCH
$iptables -A ICMP -p icmp --icmp-type   host-precedence-violation  -j LDROP
$iptables -A ICMP -p icmp --icmp-type   precedence-cutoff          -j LDROP
$iptables -A ICMP -p icmp --icmp-type source-quench                -j LDROP
$iptables -A ICMP -p icmp --icmp-type redirect                     -j LDROP
$iptables -A ICMP -p icmp --icmp-type   network-redirect           -j LDROP
$iptables -A ICMP -p icmp --icmp-type   host-redirect              -j LDROP
$iptables -A ICMP -p icmp --icmp-type   TOS-network-redirect       -j LDROP
$iptables -A ICMP -p icmp --icmp-type   TOS-host-redirect          -j LDROP
$iptables -A ICMP -p icmp --icmp-type echo-request                 -j WATCH
$iptables -A ICMP -p icmp --icmp-type router-advertisement         -j WATCH
$iptables -A ICMP -p icmp --icmp-type router-solicitation          -j WATCH
$iptables -A ICMP -p icmp --icmp-type time-exceeded                -j WATCH
$iptables -A ICMP -p icmp --icmp-type   ttl-zero-during-transit    -j WATCH
$iptables -A ICMP -p icmp --icmp-type   ttl-zero-during-reassembly -j WATCH
$iptables -A ICMP -p icmp --icmp-type parameter-problem            -j WATCH
$iptables -A ICMP -p icmp --icmp-type   ip-header-bad              -j WATCH
$iptables -A ICMP -p icmp --icmp-type   required-option-missing    -j WATCH
$iptables -A ICMP -p icmp --icmp-type timestamp-request            -j LDROP
$iptables -A ICMP -p icmp --icmp-type timestamp-reply              -j LDROP
$iptables -A ICMP -p icmp --icmp-type address-mask-request         -j LDROP
$iptables -A ICMP -p icmp --icmp-type address-mask-reply           -j LDROP
$iptables -A ICMP -p icmp -j LDROP   
deltext ; ok

show "Authorize packet input and output"
busy
# Insert your rules here

$iptables --policy INPUT ACCEPT
$iptables --policy OUTPUT ACCEPT
$iptables --table nat --policy PREROUTING ACCEPT
$iptables --table nat --policy POSTROUTING ACCEPT
$iptables --table nat --policy OUTPUT ACCEPT
if is_yes "$IPV6_NETWORKING" ; then
	$ip6tables --policy INPUT ACCEPT
	$ip6tables --policy OUTPUT ACCEPT
#	$ip6tables --table nat --policy PREROUTING ACCEPT
#	$ip6tables --table nat --policy POSTROUTING ACCEPT
#	$ip6tables --table nat --policy OUTPUT ACCEPT
fi
deltext ; ok
Commit	Line	Data
3e016dfc JR	1	#!/bin/sh
	2	#
	3	# rc.firewall iptables
	4	#
	5	# chkconfig: 2345 9 91
	6	# description: Example netfilter setup version 0.1 by Anthony C. Zboralski \
	7	# Warning this is experimental, I don't garantee this is 100% \
	8	# secure, it just does the work fine for me and i thought \
	9	# it could be a good jumpstart for people new to netfilter. \
	10	# Now I am waiting for your corrections, suggestions and \
	11	# critics :) Also I am gonna write a small addon \
	12	# for setting up dynamic rules cause i am tired of all \
	13	# these programs with dynamics port like bind, xdm and rpc. \
	14	# All mail go to acz@hert.org
	15
	16	. /etc/rc.d/init.d/functions
c95810d6	17	. /etc/sysconfig/network
3e016dfc JR	18
3e016dfc JR	19	iptables=/usr/sbin/iptables
701cd158 JR	20	ip6tables=/usr/sbin/ip6tables
701cd158 JR	21
0a37e3cb	22	_modprobe single die -k -a ip_tables "`is_yes "$IPV6_NETWORKING" && echo ip6_tables`"
3e016dfc	23
701cd158	24	show "Flush standard tables and deny everything"
3e016dfc JR	25	busy
	26	$iptables --flush INPUT
	27	$iptables --flush OUTPUT
	28	$iptables --flush FORWARD
c95810d6 JR	29	$iptables --table nat --flush OUTPUT
	30	$iptables --table nat --flush PREROUTING
	31	$iptables --table nat --flush POSTROUTING
3e016dfc JR	32	$iptables --policy INPUT DROP
	33	$iptables --policy OUTPUT DROP
	34	$iptables --policy FORWARD DROP
0a37e3cb	35	if is_yes "$IPV6_NETWORKING" ; then
701cd158 JR	36	$ip6tables --flush INPUT
	37	$ip6tables --flush OUTPUT
	38	$ip6tables --flush FORWARD
	39	# $ip6tables --table nat --flush OUTPUT
	40	# $ip6tables --table nat --flush PREROUTING
	41	# $ip6tables --table nat --flush POSTROUTING
	42	$ip6tables --policy INPUT DROP
	43	$ip6tables --policy OUTPUT DROP
	44	$ip6tables --policy FORWARD DROP
	45	fi
3e016dfc JR	46	deltext ; ok
	47
	48
3e016dfc	49	CHAINS=`$iptables -n -L \| awk '($1 ~ /^Chain/) && !($2 ~ /^(INPUT\|OUTPUT\|FORWARD)$/) {print $2}'`
9161301f	50	show "Remove remaining chains %s:" $CHAINS
3e016dfc JR	51	busy
	52	for chain in $CHAINS; do
	53	$iptables --flush $chain
	54	done
	55	# 2nd step cause of dependencies
	56	for chain in $CHAINS; do
	57	$iptables --delete-chain $chain
	58	done
c95810d6 JR	59	CHAINS=`$iptables -t nat -n -L \| awk '($1 ~ /^Chain/) && !($2 ~ /^(OUTPUT\|PREROUTING\|POSTROUTING)$/) {print $2}'`
	60	for chain in $CHAINS; do
	61	$iptables -t nat --flush $chain
	62	done
	63	# 2nd step cause of dependencies
	64	for chain in $CHAINS; do
	65	$iptables -t nat --delete-chain $chain
	66	done
0a37e3cb	67	if is_yes "$IPV6_NETWORKING" ; then
701cd158 JR	68	CHAINS=`$ip6tables -n -L \| awk '($1 ~ /^Chain/) && !($2 ~ /^(INPUT\|OUTPUT\|FORWARD)$/) {print $2}'`
	69	for chain in $CHAINS; do
	70	$ip6tables --flush $chain
	71	done
	72	# 2nd step cause of dependencies
	73	for chain in $CHAINS; do
	74	$ip6tables --delete-chain $chain
	75	done
	76	# CHAINS=`$ip6tables -t nat -n -L \| awk '($1 ~ /^Chain/) && !($2 ~ /^(OUTPUT\|PREROUTING\|POSTROUTING)$/) {print $2}'`
	77	# for chain in $CHAINS; do
	78	# $ip6tables -t nat --flush $chain
	79	# done
	80	# # 2nd step cause of dependencies
	81	# for chain in $CHAINS; do
	82	# $ip6tables -t nat --delete-chain $chain
	83	# done
	84	fi
3e016dfc JR	85	deltext ; ok
3e016dfc JR	86
3e016dfc JR	87	# now this is tricky with ipchains you just had to deny forward and set
	88	# forwarding to MASQ target but now you have to do it in two steps:
	89
	90	show "Turn off rp_filter for all interfaces"
	91	busy
	92	echo 1 > /proc/sys/net/ipv4/ip_forward
	93	echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
0a37e3cb	94	if is_yes "$IPV6_NETWORKING" ; then
701cd158 JR	95	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
701cd158 JR	96	fi
3e016dfc JR	97	deltext ; ok
3e016dfc JR	98
0a37e3cb	99	show "Load modules needed by NAT"
3e016dfc	100	busy
0a37e3cb	101	_modprobe die -k -a ip_conntrack ip_conntrack_ftp ip_nat_ftp # ip_nat_snmp_basic
3e016dfc JR	102	deltext ; ok
	103
	104	show "Create a target for logging and dropping packets"
	105	busy
	106	$iptables --new LDROP 2>/dev/null
	107	$iptables -A LDROP --proto tcp -j LOG --log-level info --log-prefix "TCP Drop "
	108	$iptables -A LDROP --proto udp -j LOG --log-level info --log-prefix "UDP Drop "
	109	$iptables -A LDROP --proto icmp -j LOG --log-level info --log-prefix "ICMP Drop "
	110	$iptables -A LDROP --proto gre -j LOG --log-level info --log-prefix "GRE Drop "
	111	$iptables -A LDROP -f -j LOG --log-level emerg --log-prefix "FRAG. Drop "
	112	$iptables -A LDROP -j DROP
0a37e3cb	113	if is_yes "$IPV6_NETWORKING" ; then
701cd158 JR	114	$ip6tables --new LDROP 2>/dev/null
	115	# $ip6tables -A LDROP --proto tcp -j LOG --log-level info --log-prefix "TCP Drop "
	116	# $ip6tables -A LDROP --proto udp -j LOG --log-level info --log-prefix "UDP Drop "
	117	# $ip6tables -A LDROP --proto icmp -j LOG --log-level info --log-prefix "ICMP Drop "
	118	# $ip6tables -A LDROP --proto gre -j LOG --log-level info --log-prefix "GRE Drop "
	119	# $ip6tables -A LDROP -f -j LOG --log-level emerg --log-prefix "FRAG. Drop "
	120	$ip6tables -A LDROP -j DROP
	121	fi
3e016dfc JR	122	deltext ; ok
	123
	124	show "Create a target for watching some accepting rules"
	125	busy
	126	$iptables --new WATCH 2>/dev/null
	127	$iptables -A WATCH -m limit -j LOG --log-level warn --log-prefix "ACCEPT "
	128	$iptables -A WATCH -j ACCEPT
0a37e3cb	129	if is_yes "$IPV6_NETWORKING" ; then
701cd158 JR	130	$ip6tables --new WATCH 2>/dev/null
	131	# $ip6tables -A WATCH -m limit -j LOG --log-level warn --log-prefix "ACCEPT "
	132	$ip6tables -A WATCH -j ACCEPT
	133	fi
3e016dfc JR	134	deltext ; ok
	135
	136	show "Enforcing up ICMP policies, use iptables -L ICMP to check"
	137	busy
	138	# If you deny all ICMP messages you head for trouble since it would
	139	# break lots of tcp/ip algorithm (acz)
	140	$iptables --new ICMP 2>/dev/null
	141	$iptables -A INPUT --proto icmp -j ICMP
	142	$iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
	143	$iptables -A ICMP -p icmp --icmp-type destination-unreachable -j WATCH
	144	$iptables -A ICMP -p icmp --icmp-type network-unreachable -j WATCH
	145	$iptables -A ICMP -p icmp --icmp-type host-unreachable -j WATCH
	146	$iptables -A ICMP -p icmp --icmp-type protocol-unreachable -j WATCH
	147	$iptables -A ICMP -p icmp --icmp-type port-unreachable -j ACCEPT
	148	$iptables -A ICMP -p icmp --icmp-type fragmentation-needed -j LDROP
	149	$iptables -A ICMP -p icmp --icmp-type source-route-failed -j WATCH
	150	$iptables -A ICMP -p icmp --icmp-type network-unknown -j WATCH
	151	$iptables -A ICMP -p icmp --icmp-type host-unknown -j WATCH
	152	$iptables -A ICMP -p icmp --icmp-type network-prohibited -j WATCH
	153	$iptables -A ICMP -p icmp --icmp-type host-prohibited -j WATCH
	154	$iptables -A ICMP -p icmp --icmp-type TOS-network-unreachable -j WATCH
	155	$iptables -A ICMP -p icmp --icmp-type TOS-host-unreachable -j WATCH
	156	$iptables -A ICMP -p icmp --icmp-type communication-prohibited -j WATCH
	157	$iptables -A ICMP -p icmp --icmp-type host-precedence-violation -j LDROP
	158	$iptables -A ICMP -p icmp --icmp-type precedence-cutoff -j LDROP
	159	$iptables -A ICMP -p icmp --icmp-type source-quench -j LDROP
	160	$iptables -A ICMP -p icmp --icmp-type redirect -j LDROP
	161	$iptables -A ICMP -p icmp --icmp-type network-redirect -j LDROP
	162	$iptables -A ICMP -p icmp --icmp-type host-redirect -j LDROP
	163	$iptables -A ICMP -p icmp --icmp-type TOS-network-redirect -j LDROP
	164	$iptables -A ICMP -p icmp --icmp-type TOS-host-redirect -j LDROP
	165	$iptables -A ICMP -p icmp --icmp-type echo-request -j WATCH
	166	$iptables -A ICMP -p icmp --icmp-type router-advertisement -j WATCH
	167	$iptables -A ICMP -p icmp --icmp-type router-solicitation -j WATCH
	168	$iptables -A ICMP -p icmp --icmp-type time-exceeded -j WATCH
	169	$iptables -A ICMP -p icmp --icmp-type ttl-zero-during-transit -j WATCH
	170	$iptables -A ICMP -p icmp --icmp-type ttl-zero-during-reassembly -j WATCH
	171	$iptables -A ICMP -p icmp --icmp-type parameter-problem -j WATCH
	172	$iptables -A ICMP -p icmp --icmp-type ip-header-bad -j WATCH
	173	$iptables -A ICMP -p icmp --icmp-type required-option-missing -j WATCH
	174	$iptables -A ICMP -p icmp --icmp-type timestamp-request -j LDROP
	175	$iptables -A ICMP -p icmp --icmp-type timestamp-reply -j LDROP
	176	$iptables -A ICMP -p icmp --icmp-type address-mask-request -j LDROP
	177	$iptables -A ICMP -p icmp --icmp-type address-mask-reply -j LDROP
	178	$iptables -A ICMP -p icmp -j LDROP
	179	deltext ; ok
	180
	181	show "Authorize packet input and output"
	182	busy
	183	# Insert your rules here
	184
	185	$iptables --policy INPUT ACCEPT
	186	$iptables --policy OUTPUT ACCEPT
c95810d6 JR	187	$iptables --table nat --policy PREROUTING ACCEPT
	188	$iptables --table nat --policy POSTROUTING ACCEPT
	189	$iptables --table nat --policy OUTPUT ACCEPT
0a37e3cb	190	if is_yes "$IPV6_NETWORKING" ; then
701cd158 JR	191	$ip6tables --policy INPUT ACCEPT
	192	$ip6tables --policy OUTPUT ACCEPT
	193	# $ip6tables --table nat --policy PREROUTING ACCEPT
	194	# $ip6tables --table nat --policy POSTROUTING ACCEPT
	195	# $ip6tables --table nat --policy OUTPUT ACCEPT
	196	fi
3e016dfc	197	deltext ; ok