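#!/bin/sh
#
# Nom         : firewall.sh
# Description : Script Iptables
# OS          : Debian
# Requires    : iptables + fail2ban + module ip_conntrack_ftp
#               (called nf_conntrack_ftp on newer kernels; both names are tried)
# Licence     : GPL
# Version     : 0.1.3
# Author      : Adrien Pujol
# Web site    : http://www.crashdump.fr/
#
# Usage: run as root. The whole IPv4 ruleset is flushed and rebuilt with a
# DROP default policy on INPUT/FORWARD/OUTPUT, then fail2ban is restarted so
# that its own chains are re-inserted on top of the fresh tables.
#
# Ruleset fixes against the previous revision (console messages unchanged):
#   - SPOOFED matched every interface and was inserted ahead of the
#     "-i lo ACCEPT" rule, so packets from 127.0.0.0/8 on loopback were
#     dropped. The loopback ACCEPT is now the first INPUT rule and SPOOFED
#     only applies to ${IF_EXT}.
#   - The link-local block was 169.254.0.0/12; RFC 3927 reserves
#     169.254.0.0/16, and a /12 also blackholes public 169.240.0.0-169.255.255.255.
#   - INPUT is built top to bottom with -A only instead of a mix of -I/-A
#     whose resulting order was hard to read.
#   - Every /proc write goes through sysctl_w, which checks the entry exists.

set -u

#-----> VARIABLES A CONFIGURER <----------------------------------------#
IPTABLES=/sbin/iptables
IF_EXT=eth0
LOGLEVEL="info"
# Rate limit shared by the scan-detection LOG rules in VALID_CHK.
SCAN_LOG_LIMIT="3/m"
SCAN_LOG_BURST=5

#----- Helpers -----------------------------------------------------------#

# Un peu de couleurs ? 31=rouge, 32=vert, 33=jaune, 34=bleu, 35=rose, 36=cyan, 37=blanc
# color CODE TEXT : print TEXT wrapped in ANSI SGR sequence CODE, then reset.
color() {
  printf '\033[%sm%s\033[m\n' "$@"
}

# die MSG... : print the message on stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# ok TEXT : progress line "- TEXT [OK]" with a green OK.
ok() {
  printf '%s %s [%s]\n' - "$1" "$(color 32 "OK")"
}

# sysctl_w PATH VALUE : write VALUE to a /proc/sys entry.
# Returns 0 on success; when the entry does not exist (kernel-dependent) it
# warns on stderr and returns 1 so the caller can skip its "OK" message.
sysctl_w() {
  if [ -e "$1" ]; then
    printf '%s\n' "$2" > "$1"
  else
    printf '\033[40m\033[1;31m WARNING: %s does not exist!\033[0m\n' "$1" >&2
    return 1
  fi
}

# sysctl_w_conf NAME VALUE : write VALUE to /proc/sys/net/ipv4/conf/*/NAME,
# i.e. every interface plus "all" and "default"; skips when nothing matches.
sysctl_w_conf() {
  for _entry in /proc/sys/net/ipv4/conf/*/"$1"; do
    [ -e "$_entry" ] || continue   # an unmatched glob is left as the literal pattern
    printf '%s\n' "$2" > "$_entry"
  done
}

# log_scan MASK COMP PREFIX : rate-limited LOG rule in VALID_CHK for TCP
# packets whose flags selected by MASK equal COMP (an nmap scan signature).
log_scan() {
  ${IPTABLES} -A VALID_CHK -p tcp --tcp-flags "$1" "$2" \
    -m limit --limit "${SCAN_LOG_LIMIT}" --limit-burst "${SCAN_LOG_BURST}" \
    -j LOG --log-level "${LOGLEVEL}" --log-prefix "$3"
}

# drop_flags MASK COMP : DROP rule in VALID_CHK for the same flag signature.
drop_flags() {
  ${IPTABLES} -A VALID_CHK -p tcp --tcp-flags "$1" "$2" -j DROP
}

#----- Initialisation --------------------------------------------------#
[ "$(id -u)" -eq 0 ] || die "firewall.sh: must be run as root"
[ -x "${IPTABLES}" ] || die "firewall.sh: ${IPTABLES} not found or not executable"

echo ">Shutting down Fail2Ban"
/etc/init.d/fail2ban stop

echo ">Setting firewall rules..."

## Flush every table and delete user chains, then zero the counters
for _table in filter mangle nat; do
  ${IPTABLES} -t "${_table}" -F
  ${IPTABLES} -t "${_table}" -X
done
${IPTABLES} -F
${IPTABLES} -X
${IPTABLES} -Z
ok "Vidage :"

#----- configuration /proc -----------------------------------------------#
## ignore_echo_broadcasts, TCP Syncookies, ip_forward
# Only the broadcast setting is written here: syncookies are set below and
# ip_forward is left untouched (the FORWARD policy DROP already blocks routing).
sysctl_w /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
ok "Ignorer les echo braodcast, TCP Syncookies et IP Forward :"

## Reverse-path filtering: drop packets whose source is not routable back
## through the interface they arrived on
sysctl_w_conf rp_filter 1
ok "Drop connections from non-routable IPs"

## Block ALL ICMP echo requests
# NOTE: this kernel setting wins over the "Autoriser ping" ACCEPT rule in
# SERVICES below; set it to 0 if the host should answer pings.
sysctl_w /proc/sys/net/ipv4/icmp_echo_ignore_all 1
ok "Blocking all ICMP echo-requests"

## SYN-flood protection via SYN cookies
sysctl_w /proc/sys/net/ipv4/tcp_syncookies 1
ok "Enabling SYN-flood protection via SYN-cookies"

## Log martians (packets with impossible source addresses)
sysctl_w /proc/sys/net/ipv4/conf/all/log_martians 1
ok "Enabling the logging of martians"

## Do not accept ICMP redirects: they could rewrite this host's routes
sysctl_w /proc/sys/net/ipv4/conf/all/accept_redirects 0
ok "Blocking ICMP redirect messages"

## Do not send ICMP redirects: this host is not a router
sysctl_w_conf send_redirects 0
ok "Disable ICMP send_redirect"

## Protection against source routed packets
# Source routing lets a sender craft packets that claim an inside origin while
# being routed back out along the path they came from; it has almost no
# legitimate use, so refuse it on every interface.
sysctl_w_conf accept_source_route 0
ok "Enabling protection against source routed packets"

## ICMP broadcast protection (smurf amplifier protection)
sysctl_w /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
ok "ICMP Broadcasting protection (smurf amplifier protection)"

## Ignore ICMP error responses that violate the RFCs
sysctl_w /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
ok "ICMP Dead Error Messages protection"

## General TCP settings
sysctl_w /proc/sys/net/ipv4/tcp_window_scaling 1
ok "Enabling TCP window scaling"

## Shorter FIN timeout and keepalive so stale connections free state sooner
sysctl_w /proc/sys/net/ipv4/tcp_fin_timeout 30
sysctl_w /proc/sys/net/ipv4/tcp_keepalive_time 3600
ok "Enabling reduction of the DoS'ing ability"

## ECN (Explicit Congestion Notification); sysctl_w warns when the entry is absent
if sysctl_w /proc/sys/net/ipv4/tcp_ecn 1; then
  ok "Enable ECN (Explicit Congestion Notification)"
fi

## Flush the route cache so the settings above take effect immediately
sysctl_w /proc/sys/net/ipv4/route/flush 1
ok "Flushing route table"

#----- Regles par defaut -----------------------------------------------#
## Default policy: anything not explicitly accepted is dropped
${IPTABLES} -P INPUT DROP
${IPTABLES} -P OUTPUT DROP
${IPTABLES} -P FORWARD DROP
ok "Police par defaut, DROP :"

## User chains (the tables were flushed above, so creation cannot collide)
${IPTABLES} -N SPOOFED
${IPTABLES} -N SERVICES
${IPTABLES} -N VALID_CHK
${IPTABLES} -N LOG_DROP
ok "Création des chaines :"

#----- Security zone ----------------------------------------------------#
#### Log scanning of nmap etc. (rate limited so a scan cannot fill the log)
log_scan ALL     FIN,URG,PSH         "Stealth XMAS scan: "
log_scan ALL     SYN,RST,ACK,FIN,URG "Stealth XMAS-PSH scan: "
log_scan ALL     ALL                 "Stealth XMAS-ALL scan: "
log_scan ALL     FIN                 "Stealth FIN scan: "
log_scan SYN,RST SYN,RST             "Stealth SYN/RST scan: "
log_scan SYN,FIN SYN,FIN             "Stealth SYN/FIN scan(?): "
log_scan ALL     NONE                "Stealth Null scan: "

#### Drop the same signatures. Kept as a second pass (not interleaved with the
#### LOG rules) so that a packet matching several signatures is logged by each
#### of them before being dropped, as in the original ruleset.
drop_flags ALL     FIN,URG,PSH
drop_flags ALL     SYN,RST,ACK,FIN,URG
drop_flags ALL     ALL
drop_flags ALL     FIN
drop_flags SYN,RST SYN,RST
drop_flags SYN,FIN SYN,FIN
drop_flags ALL     NONE

## Drop packets carrying TCP option kinds 64 and 128 (kept from the original
## ruleset; not used by ordinary stacks)
${IPTABLES} -A VALID_CHK -p tcp --tcp-option 64 -j DROP
${IPTABLES} -A VALID_CHK -p tcp --tcp-option 128 -j DROP
## Drop packets conntrack cannot classify
${IPTABLES} -A VALID_CHK -m state --state INVALID -j DROP
## Drop non-initial fragments
${IPTABLES} -A VALID_CHK -f -j DROP
ok "Logging of stealth scans (nmap probes etc.)"

#----- Debut des règles ------------------------------------------------#
## Spoofed sources: loopback, link-local (RFC 3927) and RFC 1918 private
## ranges can never legitimately arrive on the external interface.
for _net in 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 10.0.0.0/8; do
  ${IPTABLES} -A SPOOFED -s "${_net}" -j DROP
done
ok "Interdire les paquets soopfés :"

# Allow ping (icmp_echo_ignore_all=1 above still makes the kernel ignore it)
${IPTABLES} -A SERVICES -p icmp --icmp-type echo-request -j ACCEPT
ok "Autoriser ping :"

# SSH
${IPTABLES} -A SERVICES -p tcp --dport 22 -j ACCEPT
ok "Autoriser SSH :"

# DNS
${IPTABLES} -A SERVICES -p tcp --dport 53 -j ACCEPT
${IPTABLES} -A SERVICES -p udp --dport 53 -j ACCEPT
ok "Autoriser les requetes DNS :"

# HTTP / HTTPS
${IPTABLES} -A SERVICES -p tcp --dport 80 -j ACCEPT
${IPTABLES} -A SERVICES -p tcp --dport 443 -j ACCEPT
ok "Autoriser les requetes HTTP :"

# NTP
${IPTABLES} -A SERVICES -p udp --dport 123 -j ACCEPT
ok "Autoriser les requetes NTP :"

# FTP: the conntrack helper is required so that data connections are seen as
# RELATED. The module was renamed from ip_conntrack_ftp to nf_conntrack_ftp,
# so the old name is tried first (its failure is expected and silenced).
modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
#DISABLED ${IPTABLES} -A SERVICES -p tcp --dport 20 -j ACCEPT
${IPTABLES} -A SERVICES -p tcp --dport 21 -j ACCEPT
echo "- Autoriser serveur FTP : [$(color 32 "OK") / $(color 33 "SFTP: DISABLED")]"

# Mail
${IPTABLES} -A SERVICES -p tcp --dport 25 -j ACCEPT
#DISABLED ${IPTABLES} -A SERVICES -p tcp --dport 110 -j ACCEPT
#DISABLED ${IPTABLES} -A SERVICES -p tcp --dport 143 -j ACCEPT
echo "- Autoriser serveur Mail : [$(color 32 "OK") / $(color 33 "IMAP, POP3: DISABLED")]"

# TeamSpeak server
${IPTABLES} -A SERVICES -p udp --dport 8767 -j ACCEPT
${IPTABLES} -A SERVICES -p tcp --dport 14534 -j ACCEPT
${IPTABLES} -A SERVICES -p tcp --dport 51234 -j ACCEPT
ok "Autoriser serveur TS :"

#----- Fin des règles --------------------------------------------------#
# Logging policy: a packet reaching the end of a chain is logged with prefix
# [IPTABLES DROP] (log-level 1 = alert, in /var/log/messages) and then dropped.
${IPTABLES} -A LOG_DROP -j LOG --log-level 1 --log-prefix '[IPTABLES DROP]:'
${IPTABLES} -A LOG_DROP -j DROP

## Loopback first, so no later chain (SPOOFED in particular) can drop it
${IPTABLES} -A INPUT -i lo -j ACCEPT
${IPTABLES} -A OUTPUT -o lo -j ACCEPT
${IPTABLES} -A FORWARD -i lo -o lo -j ACCEPT
ok "Accepter les loopbacks :"

## INPUT, evaluated top to bottom:
## sanity checks and spoof filter on the external interface, then the
## published services, then established traffic, then log and drop.
${IPTABLES} -A INPUT -i "${IF_EXT}" -j VALID_CHK
${IPTABLES} -A INPUT -i "${IF_EXT}" -j SPOOFED
${IPTABLES} -A INPUT -i "${IF_EXT}" -j SERVICES
${IPTABLES} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ok "Ne pas casser les connexions établies :"
# A new TCP connection must start with SYN; anything else claiming NEW is bogus
${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW,INVALID -j REJECT
ok "Rejeter les fakes de connection, pas de syn :"
${IPTABLES} -A INPUT -j LOG_DROP

## OUTPUT: egress is deliberately left open. The LOG_DROP rule is therefore
## unreachable; to filter egress, replace the unconditional ACCEPT with
## explicit per-service rules.
${IPTABLES} -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
${IPTABLES} -A OUTPUT -j ACCEPT
${IPTABLES} -A OUTPUT -j LOG_DROP

## FORWARD: nothing is routed through this host
${IPTABLES} -A FORWARD -j LOG_DROP
ok "Mise en place des politiques prédedement définies :"

echo ">Starting Fail2Ban"
sleep 5
/etc/init.d/fail2ban start
sleep 2
echo "- Fail2Ban actives modules: "
${IPTABLES} -L -nv --line-numbers | grep -e "Chain fail2ban-"
color 32 ">Firewall mis a jour avec succes !"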