#!/bin/sh
#
# rc.firewall iptables
#
# chkconfig: 2345 9 91
# description: Example netfilter setup version 0.1 by Anthony C. Zboralski \
# Warning this is experimental, I don't garantee this is 100% \
# secure, it just does the work fine for me and i thought \
# it could be a good jumpstart for people new to netfilter. \
# Now I am waiting for your corrections, suggestions and \
# critics :) Also I am gonna write a small addon \
# for setting up dynamic rules cause i am tired of all \
# these programs with dynamics port like bind, xdm and rpc. \
# All mail go to acz@hert.org
#
# Runs top to bottom: sets the filter and nat built-in chains to DROP and
# flushes them, removes every user-defined chain, enables forwarding and
# disables rp_filter, builds the LDROP / WATCH / ICMP chains, and then
# switches INPUT and OUTPUT back to ACCEPT.  Re-running it re-applies the
# whole rule set from scratch.

# Distribution helpers used below (show, busy, deltext, ok, is_yes,
# _modprobe) are expected to be defined in this file.
. /etc/rc.d/init.d/functions
# Host-wide network settings; IPV6_NETWORKING, tested throughout, is
# presumably set here -- verify on the target system.
. /etc/sysconfig/network

# Absolute paths, so the rule set does not depend on the caller's PATH.
iptables=/usr/sbin/iptables
ip6tables=/usr/sbin/ip6tables

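# Load the netfilter core modules.  ip6_tables is only wanted when IPv6 is
# enabled, so build the list up front instead of handing _modprobe an empty
# extra argument on IPv4-only hosts.
modules="ip_tables"
if is_yes "$IPV6_NETWORKING" ; then
	modules="$modules ip6_tables"
fi
# $modules is intentionally unquoted: it is a whitespace-separated list.
_modprobe single die -k -a $modules

show "Flush standard tables and deny everything"
busy
# Set the built-in policies to DROP *before* flushing.  Flushing first
# leaves the chains empty under whatever policy was active (ACCEPT on a
# fresh boot), i.e. the host is wide open until the policy lines run.
$iptables --policy INPUT DROP
$iptables --policy OUTPUT DROP
$iptables --policy FORWARD DROP
$iptables --flush INPUT
$iptables --flush OUTPUT
$iptables --flush FORWARD
# nat has no DROP policy worth setting here; just empty its chains.
$iptables --table nat --flush OUTPUT
$iptables --table nat --flush PREROUTING
$iptables --table nat --flush POSTROUTING
if is_yes "$IPV6_NETWORKING" ; then
	# Same order for IPv6: deny first, then flush.
	$ip6tables --policy INPUT DROP
	$ip6tables --policy OUTPUT DROP
	$ip6tables --policy FORWARD DROP
	$ip6tables --flush INPUT
	$ip6tables --flush OUTPUT
	$ip6tables --flush FORWARD
	# The ip6tables nat table is not managed by this script.
#	$ip6tables --table nat --flush OUTPUT
#	$ip6tables --table nat --flush PREROUTING
#	$ip6tables --table nat --flush POSTROUTING
fi
deltext ; ok

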
# Remove every non-builtin chain of one table.  Chains are flushed in a
# first pass and deleted in a second one, because a chain cannot be deleted
# while a rule in another chain still jumps to it.
#   $1 = iptables/ip6tables binary, $2 = table name, $3.. = chain names
purge_chains() {
	tool=$1
	table=$2
	shift 2
	for chain in "$@"; do
		$tool -t "$table" --flush "$chain"
	done
	for chain in "$@"; do
		$tool -t "$table" --delete-chain "$chain"
	done
}

# User chains of the filter table: every "Chain NAME ..." header of the
# listing except the three built-in chains.
CHAINS=$($iptables -n -L | awk '($1 ~ /^Chain/) && !($2 ~ /^(INPUT|OUTPUT|FORWARD)$/) {print $2}')
# $CHAINS stays unquoted on purpose: one word per chain name.
show "Remove remaining chains %s:" $CHAINS
busy
purge_chains "$iptables" filter $CHAINS
# Same for the nat table, whose built-in chains are named differently.
CHAINS=$($iptables -t nat -n -L | awk '($1 ~ /^Chain/) && !($2 ~ /^(OUTPUT|PREROUTING|POSTROUTING)$/) {print $2}')
purge_chains "$iptables" nat $CHAINS
if is_yes "$IPV6_NETWORKING" ; then
	CHAINS=$($ip6tables -n -L | awk '($1 ~ /^Chain/) && !($2 ~ /^(INPUT|OUTPUT|FORWARD)$/) {print $2}')
	purge_chains "$ip6tables" filter $CHAINS
	# The ip6tables nat table is not managed by this script.
#	CHAINS=$($ip6tables -t nat -n -L | awk '($1 ~ /^Chain/) && !($2 ~ /^(OUTPUT|PREROUTING|POSTROUTING)$/) {print $2}')
#	purge_chains "$ip6tables" nat $CHAINS
fi
deltext ; ok

# now this is tricky with ipchains you just had to deny forward and set
# forwarding to MASQ target but now you have to do it in two steps:

# NOTE: despite the message, this step also switches IPv4 (and, when
# enabled, IPv6) forwarding on; the FORWARD chain policy set earlier stays
# DROP, so nothing is actually routed until FORWARD rules are added.
show "Turn off rp_filter for all interfaces"
busy
echo 1 > /proc/sys/net/ipv4/ip_forward
# rp_filter=0 disables the kernel's reverse-path (source address) check on
# incoming packets, i.e. its built-in anti-spoofing filter.  Keep it on
# unless asymmetric routing genuinely requires this.  NOTE(review): the
# per-interface value is the higher of conf/all and conf/<iface>/rp_filter,
# so writing "all" alone may not switch it off everywhere -- confirm.
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
if is_yes "$IPV6_NETWORKING" ; then
	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
fi
deltext ; ok

show "Load modules needed by NAT"
busy
# Connection tracking plus the FTP helpers that follow the data connection
# of FTP sessions through NAT.  Protocol helpers parse traffic from the
# network, so load only the ones the site really uses; the SNMP helper is
# left disabled.
_modprobe die -k -a ip_conntrack ip_conntrack_ftp ip_nat_ftp # ip_nat_snmp_basic
deltext ; ok

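show "Create a target for logging and dropping packets"
busy
# LDROP logs a packet and then drops it.  The LOG rules are rate limited,
# as the WATCH chain already is: an unlimited LOG target lets anyone who
# can flood the host fill syslog and the disk, and the emerg-level fragment
# log is typically broadcast by syslog to every terminal.  The rate below
# is a starting point; tune it to the site's logging budget.
llimit="-m limit --limit 10/minute --limit-burst 20"
$iptables --new LDROP 2>/dev/null
# $llimit is intentionally unquoted: it expands to several iptables options.
$iptables -A LDROP --proto tcp $llimit -j LOG --log-level info --log-prefix "TCP Drop "
$iptables -A LDROP --proto udp $llimit -j LOG --log-level info --log-prefix "UDP Drop "
$iptables -A LDROP --proto icmp $llimit -j LOG --log-level info --log-prefix "ICMP Drop "
$iptables -A LDROP --proto gre $llimit -j LOG --log-level info --log-prefix "GRE Drop "
$iptables -A LDROP -f $llimit -j LOG --log-level emerg --log-prefix "FRAG. Drop "
$iptables -A LDROP -j DROP
if is_yes "$IPV6_NETWORKING" ; then
	# IPv6 LDROP only drops; the LOG rules are left disabled.
	$ip6tables --new LDROP 2>/dev/null
#	$ip6tables -A LDROP --proto tcp $llimit -j LOG --log-level info --log-prefix "TCP Drop "
#	$ip6tables -A LDROP --proto udp $llimit -j LOG --log-level info --log-prefix "UDP Drop "
#	$ip6tables -A LDROP --proto icmp $llimit -j LOG --log-level info --log-prefix "ICMP Drop "
#	$ip6tables -A LDROP --proto gre $llimit -j LOG --log-level info --log-prefix "GRE Drop "
#	$ip6tables -A LDROP -f $llimit -j LOG --log-level emerg --log-prefix "FRAG. Drop "
	$ip6tables -A LDROP -j DROP
fi
deltext ; ok
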
show "Create a target for watching some accepting rules"
busy
# WATCH accepts a packet but logs it first.  "-m limit" without explicit
# parameters uses the limit module's defaults (3 matches per hour, burst
# of 5), so a flood of watched packets cannot swamp the log.
$iptables --new WATCH 2>/dev/null
$iptables -A WATCH -m limit -j LOG --log-level warn --log-prefix "ACCEPT "
$iptables -A WATCH -j ACCEPT
if is_yes "$IPV6_NETWORKING" ; then
	# IPv6 WATCH only accepts; the LOG rule is left disabled.
	$ip6tables --new WATCH 2>/dev/null
#	$ip6tables -A WATCH -m limit -j LOG --log-level warn --log-prefix "ACCEPT "
	$ip6tables -A WATCH -j ACCEPT
fi
deltext ; ok

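show "Enforcing up ICMP policies, use iptables -L ICMP to check"
busy
# If you deny all ICMP messages you head for trouble since it would
# break lots of tcp/ip algorithm (acz)
#
# All incoming ICMP is diverted to the ICMP chain; anything not matched
# there is logged and dropped by the final rule.  A whole-type match such
# as "destination-unreachable" covers every code of that type, so the
# per-code rules (port-unreachable, fragmentation-needed, ...) must come
# *before* the whole-type rule or they never fire.
$iptables --new ICMP 2>/dev/null
$iptables -A INPUT --proto icmp -j ICMP
$iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
# Type 3, destination unreachable: per-code rules first, generic last.
$iptables -A ICMP -p icmp --icmp-type network-unreachable -j WATCH
$iptables -A ICMP -p icmp --icmp-type host-unreachable -j WATCH
$iptables -A ICMP -p icmp --icmp-type protocol-unreachable -j WATCH
# port-unreachable is routine (closed UDP ports, traceroute); accept silently.
$iptables -A ICMP -p icmp --icmp-type port-unreachable -j ACCEPT
# fragmentation-needed carries the path MTU; dropping it blackholes
# connections to hosts behind a smaller MTU, so it must be let through.
$iptables -A ICMP -p icmp --icmp-type fragmentation-needed -j ACCEPT
$iptables -A ICMP -p icmp --icmp-type source-route-failed -j WATCH
$iptables -A ICMP -p icmp --icmp-type network-unknown -j WATCH
$iptables -A ICMP -p icmp --icmp-type host-unknown -j WATCH
$iptables -A ICMP -p icmp --icmp-type network-prohibited -j WATCH
$iptables -A ICMP -p icmp --icmp-type host-prohibited -j WATCH
$iptables -A ICMP -p icmp --icmp-type TOS-network-unreachable -j WATCH
$iptables -A ICMP -p icmp --icmp-type TOS-host-unreachable -j WATCH
$iptables -A ICMP -p icmp --icmp-type communication-prohibited -j WATCH
$iptables -A ICMP -p icmp --icmp-type host-precedence-violation -j LDROP
$iptables -A ICMP -p icmp --icmp-type precedence-cutoff -j LDROP
$iptables -A ICMP -p icmp --icmp-type destination-unreachable -j WATCH
$iptables -A ICMP -p icmp --icmp-type source-quench -j LDROP
# Type 5, redirect: every code is dropped (a redirect from the network can
# rewrite this host's routing); same per-code-then-generic order.
$iptables -A ICMP -p icmp --icmp-type network-redirect -j LDROP
$iptables -A ICMP -p icmp --icmp-type host-redirect -j LDROP
$iptables -A ICMP -p icmp --icmp-type TOS-network-redirect -j LDROP
$iptables -A ICMP -p icmp --icmp-type TOS-host-redirect -j LDROP
$iptables -A ICMP -p icmp --icmp-type redirect -j LDROP
$iptables -A ICMP -p icmp --icmp-type echo-request -j WATCH
$iptables -A ICMP -p icmp --icmp-type router-advertisement -j WATCH
$iptables -A ICMP -p icmp --icmp-type router-solicitation -j WATCH
# Type 11, time exceeded.
$iptables -A ICMP -p icmp --icmp-type ttl-zero-during-transit -j WATCH
$iptables -A ICMP -p icmp --icmp-type ttl-zero-during-reassembly -j WATCH
$iptables -A ICMP -p icmp --icmp-type time-exceeded -j WATCH
# Type 12, parameter problem.
$iptables -A ICMP -p icmp --icmp-type ip-header-bad -j WATCH
$iptables -A ICMP -p icmp --icmp-type required-option-missing -j WATCH
$iptables -A ICMP -p icmp --icmp-type parameter-problem -j WATCH
# Timestamp and address-mask queries leak host information; drop them.
$iptables -A ICMP -p icmp --icmp-type timestamp-request -j LDROP
$iptables -A ICMP -p icmp --icmp-type timestamp-reply -j LDROP
$iptables -A ICMP -p icmp --icmp-type address-mask-request -j LDROP
$iptables -A ICMP -p icmp --icmp-type address-mask-reply -j LDROP
# Anything else: log and drop.
$iptables -A ICMP -p icmp -j LDROP
deltext ; ok
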
show "Authorize packet input and output"
busy
# Insert your rules here

# With no site rules inserted above, switching INPUT and OUTPUT to ACCEPT
# means the host accepts every packet except what the ICMP chain drops;
# only FORWARD keeps its DROP policy.  For a default-deny host, leave
# INPUT at DROP and add explicit ACCEPT rules above instead.
$iptables --policy INPUT ACCEPT
$iptables --policy OUTPUT ACCEPT
$iptables --table nat --policy PREROUTING ACCEPT
$iptables --table nat --policy POSTROUTING ACCEPT
$iptables --table nat --policy OUTPUT ACCEPT
if is_yes "$IPV6_NETWORKING" ; then
	# Same open policy for IPv6; the ip6tables nat table is not managed here.
	$ip6tables --policy INPUT ACCEPT
	$ip6tables --policy OUTPUT ACCEPT
#	$ip6tables --table nat --policy PREROUTING ACCEPT
#	$ip6tables --table nat --policy POSTROUTING ACCEPT
#	$ip6tables --table nat --policy OUTPUT ACCEPT
fi
deltext ; ok