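### BEGIN INIT INFO
# Provides:          firewall6
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     S 2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: The Firewall rules
# Description:       Firewall my ass
### END INIT INFO
#-----------------------------------------------------------------------#
#                                                                       #
# Description : Firewall Config                                         #
# OS          : Debian                                                  #
# Requires    : iptables + module ip_conntrack                          #
# Licence     : GPL                                                     #
# Version     : 0.1.7-3                                                 #
# Author      : Adrien Pujol                                            #
# Web site    : http://www.crashdump.fr/                                #
#                                                                       #
#-----------------------------------------------------------------------#
#
# IPv6 counterpart of the IPv4 firewall init script.
#   start   - load a DROP-by-default ip6tables policy
#   stop    - flush every chain and accept all traffic
#   restart - stop then start
#   status  - list the active rules with counters
# Progress lines go to stdout; each ip6tables error goes to stderr only and
# does not stop the script (there is no set -e, to match the IPv4 script).

#-----> VARIABLES A CONFIGURER <----------------------------------------#
# Binary used for every rule.  The presence check below tests this path,
# not /sbin/iptables as the IPv4 script does: a host that has iptables but
# no ip6tables must exit cleanly instead of failing on every single rule.
IPTABLES=/sbin/ip6tables
IF_EXT=eth0
# Target and options shared by every LOG rule; the caller appends the prefix.
# Deliberately left unquoted at the call sites so it word-splits into
# separate arguments.
LOGFLAGS="LOG --log-tcp-options --log-tcp-sequence --log-ip-options --log-level warning --log-prefix"

test -x "${IPTABLES}" || exit 0
. /lib/lsb/init-functions

# Print "$2..." wrapped in an ANSI SGR escape and a trailing newline.
# $1 is the SGR code: 31=red, 32=green, 33=yellow, 34=blue, 35=magenta,
# 36=cyan, 37=white.
color() {
  printf '\033[%sm%s\033[m\n' "$@"
}

# NOTE(review): ip_conntrack is the legacy IPv4 module name carried over from
# the IPv4 script.  The "-m state" rules below rely on IPv6 connection
# tracking; whether this modprobe provides it depends on the kernel (older
# kernels ship it as nf_conntrack_ipv6), and a modprobe failure here is
# silently ignored.  Confirm on the target kernel.
modprobe ip_conntrack

#-----> START/STOP <----------------------------------------------------#
case "$1" in
  start)
    log_begin_msg "Starting iptables firewall rules..."
    ######################################################################
    #----- Initialisation ----------------------------------------------#
    echo ">Setting firewall rules..."

    ## Flush the current tables (rules, user chains, counters)
    ${IPTABLES} -t filter -F
    ${IPTABLES} -t filter -X
    ${IPTABLES} -t mangle -F
    ${IPTABLES} -t mangle -X
    ${IPTABLES} -F
    ${IPTABLES} -X
    ${IPTABLES} -Z
    echo "- Vidage : [$(color 32 "OK")]"

    #----- Default rules -----------------------------------------------#
    # Reduce DoS'ing ability by reducing the ICMPv6 ratelimit
    echo "750" > /proc/sys/net/ipv6/icmp/ratelimit

    ## Default policy: anything not explicitly accepted is dropped
    ${IPTABLES} -P INPUT DROP
    ${IPTABLES} -P OUTPUT DROP
    ${IPTABLES} -P FORWARD DROP
    echo "- Police par defaut, DROP : [$(color 32 "OK")]"

    ## Loopback is always accepted
    ${IPTABLES} -A FORWARD -i lo -o lo -j ACCEPT
    ${IPTABLES} -A INPUT -i lo -j ACCEPT
    ${IPTABLES} -A OUTPUT -o lo -j ACCEPT
    echo "- Accepter les loopbacks : [$(color 32 "OK")]"

    #----- Chain creation ----------------------------------------------#
    # NOTE(review): SERVICES and SECURITY are populated below, but the jumps
    # from INPUT into them are commented out at the end of this branch.  As
    # shipped they are therefore never evaluated: the inbound service ports
    # listed in SERVICES stay closed under the DROP policy, and the SECURITY
    # rate limits are inert.  Only THISISPORN (empty) is reached, from OUTPUT.
    ${IPTABLES} -N SERVICES
    ${IPTABLES} -N THISISPORN
    ${IPTABLES} -N SECURITY
    echo "- Creation des chaines : [$(color 32 "OK")]"

    #----- Security ----------------------------------------------------#
    # Anyone who tried to portscan us is locked out for an entire day.
    ${IPTABLES} -A SECURITY -m recent --name portscan --rcheck --seconds 86400 -j DROP -m comment --comment "Portscan"
    # Once the day has passed, remove them from the portscan list
    ${IPTABLES} -A SECURITY -m recent --name portscan --remove -m comment --comment "Portscan"
    # These rules add scanners to the portscan list, and log the attempt.
    ${IPTABLES} -A SECURITY -p tcp -m tcp --dport 139 -m recent --name portscan --set -j ${LOGFLAGS} "[ip6tables] [:portscan:]" -m comment --comment "Portscan"
    ${IPTABLES} -A SECURITY -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP -m comment --comment "Portscan"
    ${IPTABLES} -A SECURITY -p tcp -m tcp --dport 5353 -m recent --name portscan --set -j ${LOGFLAGS} "[ip6tables] [:portscan:]" -m comment --comment "Portscan"
    ${IPTABLES} -A SECURITY -p tcp -m tcp --dport 5353 -m recent --name portscan --set -j DROP -m comment --comment "Portscan"
    echo "- Portscan (Connect. on port 139 banned for a day) : [$(color 32 "OK")]"

    ## No NULL packets (no TCP flag set): rate-limited log, then drop
    ${IPTABLES} -A SECURITY -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j ${LOGFLAGS} "[ip6tables] [:nullpackets:]" -m comment --comment "Null packets"
    ${IPTABLES} -A SECURITY -p tcp --tcp-flags ALL NONE -j DROP -m comment --comment "Null packets"
    echo "- Protection NULL Packets : [$(color 32 "OK")]"

    ## No SYN flood: SYNs within the rate budget are accepted here, the
    ## overflow is logged (rate-limited) and dropped
    ${IPTABLES} -A SECURITY -p tcp --syn -m limit --limit 2/second --limit-burst 5 --dport 80 -j ACCEPT -m comment --comment "Syn flood"
    ${IPTABLES} -A SECURITY -p tcp --syn -m limit --limit 5/second --limit-burst 10 -j ACCEPT -m comment --comment "Syn flood"
    ${IPTABLES} -A SECURITY -p tcp --syn -m limit --limit 20/m --limit-burst 10 -j ${LOGFLAGS} "[ip6tables] [:synflood:]" -m comment --comment "Syn flood"
    ${IPTABLES} -A SECURITY -p tcp --syn -j DROP -m comment --comment "Syn flood"
    echo "- Protection SYN Flood : [$(color 32 "OK")]"

    ## No FIN packet scans (FIN without ACK), plus the all-flags "xmas" case
    ${IPTABLES} -A SECURITY -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j ${LOGFLAGS} "[ip6tables] [:finpacketsscan:]" -m comment --comment "Fin packet"
    ${IPTABLES} -A SECURITY -p tcp --tcp-flags FIN,ACK FIN -j DROP -m comment --comment "Fin packet"
    ${IPTABLES} -A SECURITY -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP -m comment --comment "Fin packet"
    echo "- Protection FIN packet scans : [$(color 32 "OK")]"

    ## No slowloris: cap concurrent HTTP connections per source prefix
    # NOTE(review): --connlimit-mask 32 was carried over from the IPv4 script.
    # On ip6tables the mask is a prefix length out of 128, so /32 counts
    # connections per provider-sized block rather than per host: one busy
    # /32 can trip the limit for every address inside it.  Per-address is
    # 128 and per-customer prefix is typically 64 — confirm the intent
    # before changing.
    ${IPTABLES} -A SECURITY -p tcp --dport 80 -m connlimit --connlimit-above 25 --connlimit-mask 32 -j ${LOGFLAGS} "[ip6tables] [:slowloris:]" -m comment --comment "Slowloris"
    ${IPTABLES} -A SECURITY -p tcp --dport 80 -m connlimit --connlimit-above 25 --connlimit-mask 32 -j DROP -m comment --comment "Slowloris"
    echo "- Protection HTTP Slowloris : [$(color 32 "OK")]"

    ## Furtive port scanner: bare RST packets are logged and accepted at
    ## 1/s; anything above that rate falls through to the rest of the chain
    ${IPTABLES} -A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ${LOGFLAGS} "[ip6tables] [:furtiveportscan:]" -m comment --comment "Furt. port scan"
    ${IPTABLES} -A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT -m comment --comment "Furt. port scan"
    echo "- Block furtive port scanner : [$(color 32 "OK")]"

    ## Do not break established connections
    ${IPTABLES} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ${IPTABLES} -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo "- Ne pas casser les connexions etablies : [$(color 32 "OK")]"

    #----- Start of the service rules ----------------------------------#
    # SSH: explicitly dropped on IPv6 (no fail2ban coverage for v6 here)
    ${IPTABLES} -A SERVICES -p tcp --dport 22 -j DROP -m comment --comment "sshd"
    echo "- Bloquer explicitement SSH (Pas de fail2ban6) : [$(color 32 "OK")]"

    # DNS queries (disabled)
    #DISABLED ${IPTABLES} -A SERVICES -p tcp --dport 53 -j ACCEPT -m comment --comment "bind"
    #DISABLED ${IPTABLES} -A SERVICES -p udp --dport 53 -j ACCEPT -m comment --comment "bind"
    echo "- Autoriser les requetes DNS : [$(color 33 "DISABLED")]"

    # HTTP / HTTPS
    ${IPTABLES} -A SERVICES -p tcp --dport 80 -j ACCEPT -m comment --comment "http"
    ${IPTABLES} -A SERVICES -p tcp --dport 443 -j ACCEPT -m comment --comment "https"
    echo "- Autoriser les requetes HTTP/S : [$(color 32 "OK")]"

    # NTP
    ${IPTABLES} -A SERVICES -p udp --dport 123 -j ACCEPT -m comment --comment "ntpd"
    echo "- Autoriser NTP : [$(color 32 "OK")]"

    # ZNC-BNC
    ${IPTABLES} -A SERVICES -p tcp --dport 5001 -j ACCEPT -m comment --comment "bouncer/irc"
    echo "- Autoriser ZNC-BNC : [$(color 32 "OK")]"

    # Mail: SMTP and IMAPS open, POP3 and plain IMAP disabled
    ${IPTABLES} -A SERVICES -p tcp --dport 25 -j ACCEPT -m comment --comment "smtp"
    #DISABLED ${IPTABLES} -A SERVICES -p tcp --dport 110 -j ACCEPT -m comment --comment "pop3"
    #DISABLED ${IPTABLES} -A SERVICES -p tcp --dport 143 -j ACCEPT -m comment --comment "imap"
    ${IPTABLES} -A SERVICES -p tcp --dport 993 -j ACCEPT -m comment --comment "imaps"
    echo "- Autoriser serveur Mail : [$(color 33 "POP: DISABLED"), $(color 32 "SMTP/IMAPs: OK")]"

    # TS Server (disabled)
    #${IPTABLES} -A SERVICES -p udp --dport 8765 -j ACCEPT -m comment --comment "teamspeak"
    #${IPTABLES} -A SERVICES -p udp --dport 8766 -j ACCEPT -m comment --comment "teamspeak"
    #${IPTABLES} -A SERVICES -p udp --dport 8767 -j ACCEPT -m comment --comment "teamspeak"
    #${IPTABLES} -A SERVICES -p udp --dport 8768 -j ACCEPT -m comment --comment "teamspeak"
    #${IPTABLES} -A SERVICES -p udp --dport 8769 -j ACCEPT -m comment --comment "teamspeak"
    #${IPTABLES} -A SERVICES -p tcp --dport 14534 -j ACCEPT -m comment --comment "teamspeak"
    #${IPTABLES} -A SERVICES -p tcp --dport 51234 -j ACCEPT -m comment --comment "teamspeak"
    #echo "- Autoriser serveur TS : [$(color 32 "OK")]"

    #----- End of the service rules ------------------------------------#
    # Logging policy: every packet that reaches LOG_DROP is logged with the
    # [:finaldrop:] prefix and then dropped.  LOG_DROP is terminal.
    ${IPTABLES} -N LOG_DROP
    ${IPTABLES} -A LOG_DROP -j ${LOGFLAGS} '[ip6tables] [:finaldrop:]'
    ${IPTABLES} -A LOG_DROP -j DROP

    ## PSAD fifo: unprefixed info-level LOG of whatever reaches the end of
    ## INPUT, for psad to read from syslog.
    # Appended here, BEFORE the LOG_DROP jump.  The original appended it
    # after "-A INPUT -j LOG_DROP"; since LOG_DROP ends in DROP, no packet
    # could ever reach it and psad saw nothing.
    ${IPTABLES} -A INPUT -j LOG --log-tcp-options --log-tcp-sequence --log-ip-options --log-level info

    # Terminal LOG_DROP jumps on every chain.  OUTPUT is accepted wholesale
    # first, so its LOG_DROP jump is unreachable; kept as in the original
    # (the intent reads as "allow all outbound").
    ${IPTABLES} -A FORWARD -j LOG_DROP
    ${IPTABLES} -A OUTPUT -j ACCEPT
    ${IPTABLES} -A OUTPUT -j LOG_DROP
    ${IPTABLES} -A INPUT -j LOG_DROP
    # The INPUT jumps into SERVICES / SECURITY / THISISPORN are disabled;
    # see the note at chain creation.
    # ${IPTABLES} -I INPUT -i ${IF_EXT} -j SERVICES
    # ${IPTABLES} -I INPUT -i ${IF_EXT} -j SECURITY
    # ${IPTABLES} -I INPUT -j THISISPORN
    ${IPTABLES} -I OUTPUT -j THISISPORN
    echo "- Mise en place des politiques pr?dedement d?finies : [$(color 32 "OK")]"
    echo "- PSAD FIFO : [$(color 32 "OK")]"

    ## ICMPv6 (ping, but also neighbour discovery, which IPv6 needs to
    ## function at all): inserted at position 1 so it precedes every
    ## other INPUT/OUTPUT rule
    ${IPTABLES} -I OUTPUT 1 -p ipv6-icmp -j ACCEPT -m comment --comment "Ping to inet OK"
    ${IPTABLES} -I INPUT 1 -p ipv6-icmp -j ACCEPT -m comment --comment "Ping to inet OK"
    echo "- Autoriser icmp6 : [$(color 32 "OK")]"

    color 32 ">Firewall mis a jour avec succes !"
    ######################################################################
    # NOTE: $? here is the status of the preceding output line, not of the
    # rule loading; an ip6tables failure above is only visible on stderr.
    log_end_msg $?
    ;;
  stop)
    log_begin_msg "Flushing rules..."
    ## Flush the current tables.  The chain policies set by "start" are not
    ## reset, but the explicit ACCEPT rules appended afterwards open all
    ## traffic regardless of policy.
    ${IPTABLES} -t filter -F
    ${IPTABLES} -t filter -X
    ${IPTABLES} -t mangle -F
    ${IPTABLES} -t mangle -X
    ${IPTABLES} -F
    ${IPTABLES} -X
    ${IPTABLES} -Z
    ${IPTABLES} -A INPUT -j ACCEPT
    ${IPTABLES} -A OUTPUT -j ACCEPT
    ${IPTABLES} -A FORWARD -j ACCEPT
    log_end_msg $?
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  status)
    ${IPTABLES} -nvL
    ;;
  *)
    log_success_msg "Usage: /etc/init.d/firewall {start|stop|restart|status}"
    exit 1
    ;;
esac

exit 0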