#!/bin/bash
# iptables.sh - Initial SIMPLE IP Firewall script for Linux 2.6.x and iptables
#
# Copyright (C) 07/08/09
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 3 of the License.
#
# [========== GNU Lesser General Public License ==========]
#
# "Free software" is a matter of liberty,not price.To understand the
# concept,you should think of "free speech",not "free beer".
# "Free software" refers to the user's freedom to run,copy,distribute,
# study,change,and improve the software.
#
###############################################################################
#
#1.Configuration options.
#
#
#1.1 Internet Configuration.
#
#INET_IFACE="eth0"
#INET_IP="72.14.203.103"
#
#1.2 DHCP
#
#Information pertaining to DHCP over the Internet,if needed.
#
#Set DHCP variable to no if you don't get IP from DHCP.if you get
#DHCP over the Internet set this variable to yes,and setup the
#proper IP address for the DHCP server in the DHCP_SERVER variable.
#
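#Abort on any reference to an unset variable.Several commented-out rules
#further down refer to INET_IFACE,INET_IP and INET_BROADCAST,which section
#1.1 does not define;without this,uncommenting one of them would silently
#expand to an empty argument and install a rule other than the one intended.
set -u
#
#1.2 DHCP(see the notes above):"yes" only when this host gets its address
#from a DHCP server reached over the Internet.All settings are read-only so
#a later typo cannot silently change the address space the rules trust.
#
readonly DHCP="no"
readonly DHCP_SERVER="192.168.1.4"
#
#1.3 PPPoE
#
#Configuration options pertaining to PPPoE
#
#If you have problem with your PPPoE connection,such as large mails
#not getting through while small mail get through properly etc,you may
#set PPPOE_PMTU to "yes" to install a rule(section 3.2.5)which will
#clamp(resize)the MSS of all routed connections to the PMTU(Path Maximum
#Transmission Unit).
#
readonly PPPOE_PMTU="no"
#
#1.4 Local Area Network configuration.
#
#your LAN's IP range and localhost IP.A /24 prefix means to only use the
#first 24 bits of the 32 bit IP address,the same as netmask 255.255.255.0
#(LAN_IP_RANGE below is written in the netmask form).
#Every rule that trusts "the LAN" is keyed on LAN_IP_RANGE and LAN_IFACE,
#so these two values decide what is filtered at all.
#
readonly LAN_IP="192.168.1.4"
readonly LAN_IP_RANGE="192.168.1.0/255.255.255.0"
readonly LAN_IFACE="eth0"
#
#1.5 DMZ configuration.
#
#(none)
#
#1.6 Localhost configuration.
#
readonly LO_IFACE="lo"
readonly LO_IP="127.0.0.1"
#
#1.7 IPTables configuration.
#
#Absolute path,so the binary used does not depend on the caller's PATH.
#
readonly IPTABLES="/sbin/iptables"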
#
#1.8 Other configuration.
#
################################################################################
#
#2.Module loading.
#
#
#Needed to initially load modules
#
#Refresh the module dependency list before loading anything.
/sbin/depmod -a
#
#2.1 Required modules
#
#Each modprobe runs on its own:a failure is reported by modprobe itself and
#does not stop the script(there is no set -e here).
#NOTE(review):these are the 2.6-era module names;on newer kernels connection
#tracking is provided by nf_conntrack — confirm against lsmod on the target
#host.
#
for mod in ip_tables ip_conntrack iptable_filter iptable_mangle \
  iptable_nat ipt_LOG ipt_limit ipt_state; do
  /sbin/modprobe "$mod"
done
#
#2.2 Non-Required modules
#
#The OUTPUT chain(section 3.1.6)uses -m owner although ipt_owner is not
#loaded here;presumably the kernel autoloads the match when the rule is
#inserted — verify if that rule fails to load.
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_conntrack_ftp
#/sbin/modprobe ipt_conntrack_irc
#/sbin/modprobe ipt_nat_ftp
#/sbin/modprobe ipt_nat_irc
################################################################################
#
#3.rules set up.
#
#
#3.1 Filter table
#
#
#3.1.1 Set policies
#
printf '%s\n' "[+] Flushing existing iptable's rules ..."
#
#Start from a clean slate in all three tables:flush every rule first,then
#delete the(now unreferenced)user chains.Doing -X before -F would fail for
#any chain still referenced by a rule.
#
for table in filter nat mangle; do
  "$IPTABLES" -t "$table" -F
done
for table in filter nat mangle; do
  "$IPTABLES" -t "$table" -X
done
#
#Default-deny in every built-in filter chain:whatever the rules below do not
#accept is logged(rate-limited,at the end of each chain)and then dropped.
#NOTE:from here until the INPUT rules in 3.1.4 are installed,an existing
#remote session to this host gets no packets through.
#
for chain in INPUT OUTPUT FORWARD; do
  "$IPTABLES" -P "$chain" DROP
done
#
#3.1.2 Create user specified chains
#
printf '%s\n' "[+] Creating user specified chains and rules ..."
#
#bad_tcp_packets:TCP sanity checks shared by INPUT,FORWARD and OUTPUT.
#allowed,tcp_packets,udp_packets,icmp_packets:per-protocol filters for
#traffic arriving on LAN_IFACE.
#
for chain in bad_tcp_packets allowed tcp_packets udp_packets icmp_packets; do
  "$IPTABLES" -N "$chain"
done
#
#3.1.3 Create content in user specified chains
#
#
#bad_tcp_packets chain
#
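#bad_tcp_packets chain
#
#Every rule here matches TCP only.The chain is jumped to from INPUT,FORWARD
#and OUTPUT(sections 3.1.4-3.1.6),so it sees packets in all three directions.
#
bad_tcp=("$IPTABLES" -A bad_tcp_packets -p tcp)
#
#A NEW connection whose first packet carries SYN+ACK is a reply to a
#connection we never opened;answer with a RST so the peer drops its state.
#
"${bad_tcp[@]}" --tcp-flags SYN,ACK SYN,ACK -m state --state NEW \
  -j REJECT --reject-with tcp-reset
#
#NEW but not a SYN(a mid-stream packet with no conntrack entry,which is
#legitimate after conntrack state has been lost).Log,then drop.
#The LOG rule is rate-limited with the same limits as the chain-end LOG
#rules in sections 3.1.4-3.1.6;the original had no limit here,so a steady
#stream of such packets could fill the log.
#
"${bad_tcp[@]}" ! --syn -m state --state NEW \
  -m limit --limit 3/minute --limit-burst 3 \
  -j LOG --log-prefix "New not syn:"
"${bad_tcp[@]}" ! --syn -m state --state NEW -j DROP
#
#Packets conntrack cannot classify at all.
#
"${bad_tcp[@]}" -m state --state INVALID -j DROP
#
#Connection attempts from a privileged port to a privileged port.
#
"${bad_tcp[@]}" --sport 1:1023 --dport 1:1023 --syn -j DROP
#
#allowed chain
#
#'--syn' this command would in other words be exactly the same as the
#'--tcp-flags SYN,RST,ACK SYN'match.Such packets are mainly used to request
#new TCP connections from a server.If you block these packets,you should
#have effectively blocked all incoming connection attempt,but not have
#blocked the outgoing connections.
#
#'! --syn'this would match all packets with the RST or the ACK bits set,
#in other words packets in an already established connection.
#
#Reached only from tcp_packets(section 3.1.3):accept the opening SYN and
#anything conntrack already knows;everything else TCP is dropped.
#
allowed_chain=("$IPTABLES" -A allowed -p tcp)
"${allowed_chain[@]}" --syn -j ACCEPT
"${allowed_chain[@]}" -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A allowed -p tcp --syn -j DROP
"${allowed_chain[@]}" -j DROP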
#
#TCP rules
#21port(FTP)22port(SSH)25port(SMTP)993(IMAP)110port(POP3)
#53port(DNS)80port(HTTP)443port(HTTPS)113port(IRC)873port(rsync)
#23port(Telnet)111port(Portmap/NFS)139port(smbd/SAMBA)TCP445port
#65400:65410 port(passive FTP)==>/etc/vsftpd/vsftpd.conf
#
#man 5 vsftpd.conf
#pasv_max_port=65400
#pasv_min_port=65410
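#$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 21 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 65400:65410 -j allowed
#
#Only SSH,and only from the LAN.Negation and tests in this section use the
#forms current iptables and bash document:`! -s` instead of the deprecated
#intrapositioned `-s !`,and `[[ ]]` instead of `[`(which turns an empty
#variable into a test syntax error).
#NOTE:section 3.1.4 accepts all LAN_IFACE traffic from LAN_IP_RANGE before
#jumping here,so this rule only ever sees non-LAN sources and does not match
#them;it becomes meaningful only if that blanket ACCEPT is removed.
#
"$IPTABLES" -A tcp_packets -p tcp -s "$LAN_IP_RANGE" --dport 22 -j allowed
#$IPTABLES -A tcp_packets -p tcp -m mac --mac-source AA:BB:CC:DD:EE:FF \
#--dport 22 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s 0/0 -m multiport --dport 80,443 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s $LAN_IP_RANGE --dport 23 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s $LAN_IP_RANGE --dport 111 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s $LAN_IP_RANGE --dport 139 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s $LAN_IP_RANGE --dport 25 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s $LAN_IP_RANGE --dport 993 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 53 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 110 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 443 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 113 -j allowed
#
#UDP rules
#53port(DNS)123port(NTP)111port(Portmap/NFS)137:138port(nmbd/SAMBA)
#333/8000(QQ)3000(ICQ)2073(SpeakFreely)
#
#DHCP replies from the configured server(section 1.2),only when enabled.
#
if [[ "$DHCP" == "yes" ]]; then
  "$IPTABLES" -A udp_packets -p udp -s "$DHCP_SERVER" --sport 67 \
    --dport 68 -j ACCEPT
fi
#$IPTABLES -A udp_packets -p udp -s 0/0 --dport 53 -j ACCEPT
#$IPTABLES -A udp_packets -p udp -s $LAN_IP_RANGE --dport 111 -j ACCEPT
#
#NTP from the LAN(same caveat as the SSH rule above).
#
"$IPTABLES" -A udp_packets -p udp -s "$LAN_IP_RANGE" --dport 123 -j ACCEPT
#$IPTABLES -A udp_packets -p udp -s $LAN_IP_RANGE --dport 137:138 -j ACCEPT
#$IPTABLES -A udp_packets -p udp -s 0/0 --dport 2073 -j ACCEPT
#$IPTABLES -A udp_packets -p udp -s 0/0 --dport 3000 -j ACCEPT
#
#In Microsoft Networks you will be swamped by broadcasts. These lines
#will prevent them from showing up in the logs.
#
#$IPTABLES -A udp_packets -p udp -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP
#
#If we get DHCP requests from the outside of our network,our logs will
#be swamped as well.This rule will block them from getting logged.
#
#$IPTABLES -A udp_packets -p udp -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP
#
#ICMP rules
#
#
#Echo Requests(type 8)are used to request an echo reply(type 0),which in turn is
#used to mainly ping other hosts to see if they are available on any of
#the networks.Without this rule,other hosts will not be able to ping us
#to see if we are available on any network connection.
#
#Do note that some people would tend to erase this rule,since they
#simply do not want to be seen on the Internet.Deleting this rule will
#effectively render any pings to our firewall totally useless from the
#Internet since the firewall will simply not respond to them.
#
#
#Time Exceeded(type 11)
#(TTL equals 0 during transit and TTL equals 0 during reassembly)
#is allowed in the case we want to trace-route some host or if a packet
#gets its Time To Live set to 0,we will get a reply about this.
#
#$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
#$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
#TYPES="0 3 3/4 4 11 12 14 16 18"
#for type in $TYPES
#do
# $IPTABLES -A icmp_packets -p icmp --icmp-type $type -j ACCEPT
#done
#
#Nothing is accepted in this chain as shipped:ICMP from outside
#LAN_IP_RANGE is dropped here,and LAN ICMP returns to INPUT(where,as noted
#above,it was already accepted before reaching this chain).The echo-request
#and time-exceeded ACCEPTs stay commented out.
#
"$IPTABLES" -A icmp_packets -p icmp ! -s "$LAN_IP_RANGE" -j DROP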
################################################################################
#
#3.1.4 INPUT chain
#
printf '%s\n' "[+] Setting up INPUT chain's rules ..."
input=("$IPTABLES" -A INPUT)
#
#Bad TCP packets we don't want.
#
"${input[@]}" -p tcp -j bad_tcp_packets
#
#Rules for special networks not part of the Internet.
#NOTE:the first rule accepts everything that arrives on LAN_IFACE with a
#source inside LAN_IP_RANGE,so the per-port rules in tcp_packets and
#udp_packets(section 3.1.3)are never consulted for LAN hosts — the LAN is
#fully trusted.No Internet interface is configured(section 1.1),so
#LAN_IFACE is also the interface facing everything else.
#
"${input[@]}" -p ALL -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
"${input[@]}" -p ALL -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
"${input[@]}" -p ALL -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
#$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
#
#Mac match options..
#
#Note that since MAC address are only used on Ethernet type networks,
#this match will only be possible to use for Ethernet interfaces.
#The MAC match is only valid in the PREROUTING,FORWARD and INPUT chains
#and nowhere else.
#
#$IPTABLES -A INPUT -m mac --mac-source AA:BB:CC:DD:EE:FF -j ACCEPT
#$IPTABLES -A INPUT -m mac --mac-source ! AA:BB:CC:DD:EE:FF -j ACCEPT
#
#Special rule for DHCP requests from LAN,which are not caught
#properly otherwise(their source is 0.0.0.0,outside LAN_IP_RANGE).
#68port(DHCP Client)/67port(DHCP Server)
#
"${input[@]}" -p udp -i "$LAN_IFACE" --dport 67:68 --sport 67:68 -j ACCEPT
#
#Rules for incoming packets from the internet(i.e. anything on LAN_IFACE
#not already accepted above):replies to our own traffic,then the
#per-protocol chains.Whatever returns from those chains falls through to
#the LOG rule and the DROP policy.
#
"${input[@]}" -p ALL -i "$LAN_IFACE" -m state --state \
  ESTABLISHED,RELATED -j ACCEPT
"${input[@]}" -p tcp -i "$LAN_IFACE" -j tcp_packets
"${input[@]}" -p udp -i "$LAN_IFACE" -j udp_packets
"${input[@]}" -p icmp -i "$LAN_IFACE" -j icmp_packets
#
#If you have a Microsoft Network on the outside of your firewall,you
#may also get flooded by Multicasts.We drop them so we do not get
#flooded by logs
#$IPTABLES -A INPUT -i $INET_IFACE -d 223.0.0.0/8 -j DROP
#
#Log weird packets that don't match the above(rate-limited so a flood
#cannot fill the log).
#
"${input[@]}" -m limit --limit 3/minute --limit-burst 3 -j \
  LOG --log-level DEBUG --log-prefix "IPT INPUT packet died:"
#
#3.1.5 FORWARD chain
#
printf '%s\n' "[+] Setting up FORWARD chain's rules ..."
fwd=("$IPTABLES" -A FORWARD)
#
#Bad TCP packets we don't want
#
"${fwd[@]}" -p tcp -j bad_tcp_packets
#
#Accept the packets we actually want to forward:anything arriving on the
#LAN interface,plus replies belonging to those flows.With ip_forward
#enabled in section 4.1 this host routes for any LAN host that sends
#traffic through it;the only check here is the interface,not the source
#address.
#
"${fwd[@]}" -i "$LAN_IFACE" -j ACCEPT
"${fwd[@]}" -m state --state ESTABLISHED,RELATED -j ACCEPT
#
#Log weird packets that don't match the above.
#
"${fwd[@]}" -m limit --limit 3/minute --limit-burst 3 -j \
  LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died:"
#
#3.1.6 OUTPUT chain
#
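printf '%s\n' "[+] Setting up OUTPUT chain's rules ..."
out=("$IPTABLES" -A OUTPUT)
#
#Bad TCP packets we don't want.
#
"${out[@]}" -p tcp -j bad_tcp_packets
#
#Special OUTPUT rules to decide which IP's to allow:anything this host
#sends from its loopback or LAN address is accepted.
#
"${out[@]}" -p ALL -s "$LO_IP" -j ACCEPT
"${out[@]}" -p ALL -s "$LAN_IP" -j ACCEPT
#$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
#
#Drop root-owned packets to destinations outside the LAN.Negation is
#written extrapositioned(`! -d`),the form current iptables documents;
#`-d !` is the deprecated intrapositioned spelling.
#NOTE(review):packets sourced from LAN_IP or LO_IP are already accepted by
#the two rules above,so this rule is only reached by packets carrying some
#other source address.If the intent is to keep root's traffic on the LAN it
#has to precede those ACCEPTs — confirm the intent before reordering.
#
"${out[@]}" ! -d "$LAN_IP_RANGE" -m owner --uid-owner 0 -j DROP
#
#Log weird packets that don't match the above.
#
"${out[@]}" -m limit --limit 3/minute --limit-burst 3 -j \
  LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died:"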
################################################################################
#
#3.2 nat table
#
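printf '%s\n' "[+] Setting up NAT table's rules ..."
#
#3.2.1-3.2.3:no policies,user chains or chain content are needed in nat.
#
#3.2.4 PREROUTING chain(examples,disabled)
#
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
#$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP -i $INET_IFACE --dport 80 \
#-j DNAT --to-destination 192.168.1.2:80
#
#3.2.5 POSTROUTING chain
#
#MSS clamping for PPPoE links(section 1.3).`[[ ]]` does not word-split,so
#an empty PPPOE_PMTU no longer produces a test syntax error.
#NOTE(review):current iptables documents the TCPMSS target for the mangle
#table;the rule keeps its original nat/POSTROUTING placement — confirm it
#loads on the target kernel before relying on it.
#
if [[ "$PPPOE_PMTU" == "yes" ]]; then
  "$IPTABLES" -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
    -j TCPMSS --clamp-mss-to-pmtu
fi
#
#No masquerading/SNAT is active:there is no INET_IFACE(section 1.1).
#
#$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $INET_IFACE -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $INET_IFACE \
#-j SNAT --to-source $INET_IP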
################################################################################
#
#3.3 mangle table
#
printf '%s\n' "[+] Setting up mangle table's rules ..."
#
#3.3.1-3.3.3:no policies,user chains or chain content are needed in mangle.
#
#3.3.4 PREROUTING chain
#
#Rewrite the TTL of everything arriving on LAN_IFACE.NOTE(review):both
#rules match the same packets,and TTL does not end rule traversal,so a
#packet is set to 64 and then incremented to 65 — confirm that is the
#intent(a single --ttl-set would state the target value directly).
#
mangle_pre=("$IPTABLES" -t mangle -A PREROUTING -i "$LAN_IFACE")
"${mangle_pre[@]}" -j TTL --ttl-set 64
"${mangle_pre[@]}" -j TTL --ttl-inc 1
#
#3.3.5 OUTPUT chain:nothing.
#
#3.3.5 OUTPUT chain
#
################################################################################
#
#4.proc set up.
#
#
#4.1 Required proc configuration
#
#
#It may be a very bad idea to turn on ip_forward before
#we have all firewall rules and routes up and running.
#
#Routing between interfaces is switched on only now,after every chain above
#has its rules(see the note above).
printf '%s\n' "[+] Enabling IP forwarding(default:0)..."
printf '1\n' > /proc/sys/net/ipv4/ip_forward
printf '%s\n' "[+] Prevent SYN Flood attack(default:1) ..."
printf '1\n' > /proc/sys/net/ipv4/tcp_syncookies
printf '%s\n' "[+] Ignore Ping Broadcast(default:1)..."
printf '1\n' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo "[+] The ExecShield feature that protect app from being compromised by most buffer exploits(default:1)..."
#echo "1" > /proc/sys/kernel/exec-shield
#
#Disable source routing and ICMP redirects(both accepting and sending)on
#every entry under conf/(all,default and each interface).
#These /proc writes last until reboot and are not captured by the
#`service iptables save` below;put the same keys in /etc/sysctl.conf if
#they must persist.
#
printf '%s\n' "[+] Disable another useful function..."
for knob in accept_source_route accept_redirects send_redirects; do
  for path in /proc/sys/net/ipv4/conf/*/"$knob"; do
    printf '0\n' > "$path"
  done
done
#
#4.2 Non-Required proc configuration
#
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# save the current configuration and reload the service
#
#Persist the rule set through the init script and re-apply it from the
#saved file,so what runs now is exactly what comes back after a reboot.
#NOTE(review):restart stops the service before starting it;on init scripts
#that flush the rules and open the policies on stop,the host is briefly
#unfiltered — confirm the behaviour of the installed script.
printf '%s\n' "[+] Saving the current configuration above..."
service iptables save
printf '%s\n' "[+] Reload the configuration from /etc/sysconfig/iptables..."
service iptables restart