# description: Example netfilter setup version 0.1 by Anthony C. Zboralski \
# Warning: this is experimental, I don't guarantee this is 100% \
# secure, it just does the work fine for me and I thought \
# it could be a good jumpstart for people new to netfilter. \
# Now I am waiting for your corrections, suggestions and \
# criticism :) Also I am going to write a small addon \
# for setting up dynamic rules because I am tired of all \
# these programs with dynamic ports like bind, xdm and rpc. \
# All mail goes to acz@hert.org
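. /etc/rc.d/init.d/functions
. /etc/sysconfig/network

iptables=/usr/sbin/iptables
ip6tables=/usr/sbin/ip6tables

# Load the table modules; ip6_tables only when IPv6 networking is enabled.
# NOTE(review): when IPV6_NETWORKING is not "yes" the substitution yields an
# empty string that is still passed as an argument to _modprobe (defined in
# the sourced functions file, not here) -- confirm it tolerates an empty
# module name.
_modprobe single die -k -a ip_tables "$(is_yes "$IPV6_NETWORKING" && echo ip6_tables)"

show "Flush standard tables and deny everything"

# Rebuild from a clean, closed state.  The DROP policy is set *before* each
# chain is flushed: the original flushed first and set the policy afterwards,
# so between the two steps every packet was accepted whenever the previous
# policy was ACCEPT (which is what the end of this file leaves behind, i.e.
# on every restart).  The window is short, but closing it is free.
# nat chains get no DROP policy: they only rewrite addresses and their policy
# is set to ACCEPT at the end of the file.
# NOTE(review): only the filter and nat tables are touched here; if this
# kernel also has a mangle table, its rules survive the rebuild.
for chain in INPUT OUTPUT FORWARD; do
$iptables -P "$chain" DROP
$iptables -F "$chain"
done
for chain in OUTPUT PREROUTING POSTROUTING; do
$iptables -t nat -F "$chain"
done

if is_yes "$IPV6_NETWORKING" ; then
# Same for IPv6.  The original kept the ip6tables nat lines commented out
# (no nat table for IPv6 on this generation of netfilter), so only the
# filter chains are rebuilt.
for chain in INPUT OUTPUT FORWARD; do
$ip6tables -P "$chain" DROP
$ip6tables -F "$chain"
done
fi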
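# Remove every user-defined chain that survived the flush, in filter and nat.
# Chain names are scraped from the "Chain NAME (...)" lines of
# "iptables -n -L", skipping the built-in chains, which cannot be deleted.
# Two passes per table: a user chain cannot be deleted while another chain
# still jumps to it, so every chain is flushed first and only then deleted.
# NOTE(review): "iptables -F" and "iptables -X" with no chain argument do the
# same job without parsing -L output; the loops are kept so the chain names
# can still be shown to the operator.
CHAINS=$($iptables -n -L | awk '($1 ~ /^Chain/) && !($2 ~ /^(INPUT|OUTPUT|FORWARD)$/) {print $2}')
show "Remove remaining chains %s:" $CHAINS   # $CHAINS word-split on purpose: one argument per chain

for chain in $CHAINS; do
$iptables -F "$chain"
done
# second pass: now that nothing references them, delete
for chain in $CHAINS; do
$iptables -X "$chain"
done

CHAINS=$($iptables -t nat -n -L | awk '($1 ~ /^Chain/) && !($2 ~ /^(OUTPUT|PREROUTING|POSTROUTING)$/) {print $2}')
for chain in $CHAINS; do
$iptables -t nat -F "$chain"
done
for chain in $CHAINS; do
$iptables -t nat -X "$chain"
done

if is_yes "$IPV6_NETWORKING" ; then
CHAINS=$($ip6tables -n -L | awk '($1 ~ /^Chain/) && !($2 ~ /^(INPUT|OUTPUT|FORWARD)$/) {print $2}')
for chain in $CHAINS; do
$ip6tables -F "$chain"
done
for chain in $CHAINS; do
$ip6tables -X "$chain"
done
# No nat table for ip6tables here; the original kept the equivalent
# flush/delete block commented out.
fi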
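# now this is tricky with ipchains you just had to deny forward and set
# forwarding to MASQ target but now you have to do it in two steps:
# 1. enable forwarding in /proc (below), 2. add the SNAT/MASQUERADE rule
#    in the nat table (left to the local rules, not done in this file).
show "Turn off rp_filter for all interfaces"

echo 1 > /proc/sys/net/ipv4/ip_forward
# SECURITY: rp_filter=0 switches off reverse-path source validation, i.e.
# the kernel stops discarding packets whose source address is not routable
# back out of the interface they came in on -- the cheap anti-spoofing
# check.  Nothing visible in this file requires that; it is only needed for
# asymmetric routing.  Consider leaving it enabled.
# NOTE(review): the effective rp_filter is the maximum of conf/all and the
# per-interface value, so this line alone disables it only where
# conf/<iface>/rp_filter is also 0 -- confirm on the target kernel.
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
if is_yes "$IPV6_NETWORKING" ; then
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
fi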
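show "Load modules needed by NAT"

# Connection tracking plus the FTP helper (needed for active-mode FTP
# through NAT).
# NOTE(review): on this generation of netfilter a loaded helper attaches
# itself automatically to every flow on its port and opens "related" ports
# on the fly; only load ip_conntrack_ftp/ip_nat_ftp if FTP really has to
# pass through this box.
_modprobe die -k -a ip_conntrack ip_conntrack_ftp ip_nat_ftp # ip_nat_snmp_basic

show "Create a target for logging and dropping packets"

# LDROP: log the packet, then drop it.
# Every LOG rule is now rate-limited with -m limit, as the WATCH chain
# below already does for accepts.  Unlimited logging of dropped packets is a
# denial-of-service handle: a port scan or a fragment flood fills syslog --
# and, for the "emerg" fragment rule, every console -- at line rate.  The
# rate below is a starting point; tune it to the host.
# NOTE(review): "emerg" for the fragment rule is kept from the original but
# is unusually loud; "warn" would be the more common choice.
$iptables -N LDROP 2>/dev/null
$iptables -A LDROP -p tcp -m limit --limit 10/minute --limit-burst 20 -j LOG --log-level info --log-prefix "TCP Drop "
$iptables -A LDROP -p udp -m limit --limit 10/minute --limit-burst 20 -j LOG --log-level info --log-prefix "UDP Drop "
$iptables -A LDROP -p icmp -m limit --limit 10/minute --limit-burst 20 -j LOG --log-level info --log-prefix "ICMP Drop "
$iptables -A LDROP -p gre -m limit --limit 10/minute --limit-burst 20 -j LOG --log-level info --log-prefix "GRE Drop "
# -f matches second and further fragments
$iptables -A LDROP -f -m limit --limit 10/minute --limit-burst 20 -j LOG --log-level emerg --log-prefix "FRAG. Drop "
$iptables -A LDROP -j DROP
if is_yes "$IPV6_NETWORKING" ; then
# The IPv6 LDROP only drops: the original had its LOG rules commented out,
# so IPv6 drops leave no trace in the log.
$ip6tables -N LDROP 2>/dev/null
$ip6tables -A LDROP -j DROP
fi

show "Create a target for watching some accepting rules"

# WATCH: accept the packet, leaving a rate-limited trace in the log; used
# for traffic we allow but want to keep an eye on.
$iptables -N WATCH 2>/dev/null
$iptables -A WATCH -m limit -j LOG --log-level warn --log-prefix "ACCEPT "
$iptables -A WATCH -j ACCEPT
if is_yes "$IPV6_NETWORKING" ; then
# IPv6 WATCH accepts without logging (LOG rule commented out in the original).
$ip6tables -N WATCH 2>/dev/null
$ip6tables -A WATCH -j ACCEPT
fi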
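show "Enforcing up ICMP policies, use iptables -L ICMP to check"

# If you deny all ICMP messages you head for trouble since it would
# break lots of tcp/ip algorithm (acz)
#
# The ICMP chain is hooked into INPUT only; FORWARD keeps its DROP policy
# and gets no ICMP rules from this file.
#
# Rule ORDER matters.  "--icmp-type destination-unreachable" matches ICMP
# type 3 with *any* code, and the same holds for redirect, time-exceeded and
# parameter-problem.  The original listed each type-wide rule first, so the
# per-code rules placed after it (port-unreachable -> ACCEPT,
# fragmentation-needed -> LDROP, precedence-* -> LDROP) could never match.
# Per-code rules now precede the type-wide rule; per-code rules whose target
# equalled the type-wide one were redundant and have been folded into it.
$iptables -N ICMP 2>/dev/null
$iptables -A INPUT -p icmp -j ICMP

$iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT

# type 3, destination unreachable.
# port-unreachable is the normal "nothing listening" reply for UDP: accept
# it quietly.  fragmentation-needed (3/4) carries the next-hop MTU for Path
# MTU discovery; dropping it (the original's intent) black-holes large TCP
# segments whenever a smaller-MTU link sits in the path, so it is accepted
# and only watched.  The two precedence codes are dropped as intended.
$iptables -A ICMP -p icmp --icmp-type port-unreachable -j ACCEPT
$iptables -A ICMP -p icmp --icmp-type fragmentation-needed -j WATCH
$iptables -A ICMP -p icmp --icmp-type host-precedence-violation -j LDROP
$iptables -A ICMP -p icmp --icmp-type precedence-cutoff -j LDROP
$iptables -A ICMP -p icmp --icmp-type destination-unreachable -j WATCH

# type 4 source quench: obsolete, and usable by a third party to throttle
# our connections; drop.
$iptables -A ICMP -p icmp --icmp-type source-quench -j LDROP

# type 5 redirect (all codes): lets an on-link host rewrite our routes; drop.
# NOTE(review): pair this with net.ipv4.conf.all.accept_redirects=0, which
# this file does not set.
$iptables -A ICMP -p icmp --icmp-type redirect -j LDROP

$iptables -A ICMP -p icmp --icmp-type echo-request -j WATCH
$iptables -A ICMP -p icmp --icmp-type router-advertisement -j WATCH
$iptables -A ICMP -p icmp --icmp-type router-solicitation -j WATCH
# types 11 and 12 (all codes): traceroute / bad-header feedback, keep.
$iptables -A ICMP -p icmp --icmp-type time-exceeded -j WATCH
$iptables -A ICMP -p icmp --icmp-type parameter-problem -j WATCH
# timestamp and address-mask queries only leak information about the host.
$iptables -A ICMP -p icmp --icmp-type timestamp-request -j LDROP
$iptables -A ICMP -p icmp --icmp-type timestamp-reply -j LDROP
$iptables -A ICMP -p icmp --icmp-type address-mask-request -j LDROP
$iptables -A ICMP -p icmp --icmp-type address-mask-reply -j LDROP
# everything not listed above
$iptables -A ICMP -p icmp -j LDROP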
show "Authorize packet input and output"

# Insert your rules here

# WARNING: the DROP policies set at the top of this file only covered the
# rebuild.  With nothing inserted above, the policies below leave INPUT and
# OUTPUT open: every packet that is not ICMP (the only chain with rules) is
# accepted; only FORWARD keeps DROP.  The ip6tables block that follows does
# the same for IPv6, where no ICMP chain exists, so nothing at all is
# filtered there.  Whatever this host must block has to be an explicit rule
# above this point -- or keep INPUT/OUTPUT at DROP and accept explicitly.
$iptables -P INPUT ACCEPT
$iptables -P OUTPUT ACCEPT
$iptables -t nat -P PREROUTING ACCEPT
$iptables -t nat -P POSTROUTING ACCEPT
$iptables -t nat -P OUTPUT ACCEPT
190 if is_yes "$IPV6_NETWORKING" ; then
191 $ip6tables --policy INPUT ACCEPT
192 $ip6tables --policy OUTPUT ACCEPT
193 # $ip6tables --table nat --policy PREROUTING ACCEPT
194 # $ip6tables --table nat --policy POSTROUTING ACCEPT
195 # $ip6tables --table nat --policy OUTPUT ACCEPT