Search This Blog

Thursday, October 25, 2007

Re: Default Policy = DROP. Help-me

Ansgar Wiechers,

I made all the changes that achieve by following their advice!

Thanks for the tips. I delete the Local Conections rule, as mentioned
because it was really useless.

As for the rule Ping Limit, really does not protect against
Ping-of-Death, but it does not protect against some sort of Buffer
OverFlow?

Can I pass a rule that actually protects against Ping-of-Death?

I can not leave the firewall functional only for putting NEW
connections. Can you help me? I tried to leave with [-m state -- state
NEW] and the firewall fails. Could not do this work. Please help me!

Thank's

Yuri Rodrigues


#!/bin/sh

clear

# Firewall System
# Author - Yuri Rodrigues
# Mail - yurirbraz@gmail.com
#
# It is recognized that:
# Eth0 = Intranet
# Eth1 = Internet

intranet="eth0"
iptables="/sbin/iptables"
internet="eth1"
rede="192.168.121.0/24"

echo "0" > /proc/sys/net/ipv4/ip_forward

echo -e "\033[01;33m-----------------=======\033[01;32m
Firewall\033[01;33m =======------------------"
echo " By: Yuri Rodrigues "
echo -e "\033[01;37mLOGS: [ /var/log/kern.log ] "
echo ""
echo "Starting the script "
echo ""

#### Policing ####
# Filter Table
$iptables -t filter -P INPUT DROP &&\
$iptables -t filter -P OUTPUT DROP &&\
$iptables -t filter -P FORWARD DROP &&\
# Nat Table
$iptables -t nat -P PREROUTING ACCEPT &&\
$iptables -t nat -P OUTPUT ACCEPT &&\
$iptables -t nat -P POSTROUTING ACCEPT &&\
# Mangle Table
$iptables -t mangle -P PREROUTING ACCEPT &&\
$iptables -t mangle -P OUTPUT ACCEPT &&\
$iptables -t mangle -P INPUT ACCEPT &&\
$iptables -t mangle -P POSTROUTING ACCEPT &&\
echo -e "\033[01;36mPolicing\033[01;37m
..........................................\033[01;32m [ OK ]" || {
echo "Something broke in [Policing]!";
exit 1
}

#### Loading Modules ####
modprobe ip_conntrack &&\
modprobe ip_conntrack_ftp &&\
modprobe ip_nat_ftp &&\
modprobe ip_queue &&\
modprobe ip_tables &&\
modprobe ipt_LOG &&\
modprobe ipt_MARK &&\
modprobe ipt_MASQUERADE &&\
modprobe ipt_REDIRECT &&\
modprobe ipt_REJECT &&\
modprobe ipt_TCPMSS &&\
modprobe ipt_TOS &&\
modprobe ipt_limit &&\
modprobe ipt_mac &&\
modprobe ipt_mark &&\
modprobe ipt_multiport &&\
modprobe ipt_owner &&\
modprobe ipt_state &&\
modprobe ipt_tcpmss &&\
modprobe ipt_tos &&\
modprobe iptable_filter &&\
modprobe iptable_mangle &&\
modprobe iptable_nat &&\
echo -e "\033[01;36mLoading Modules\033[01;37m
...................................\033[01;32m [ OK ]" || {
echo "Something broke in [Loading Modules]!";
exit 1
}

#### Flush Rules ####
$iptables -F &&\
$iptables -t nat -F &&\
$iptables -t mangle -F &&\
echo -e "\033[01;36mFlush Rules\033[01;37m
.......................................\033[01;32m [ OK ]" || {
echo "Something broke in [Flush Rules]!";
exit 1
}

echo "1" > /proc/sys/net/ipv4/ip_forward

#### Allowing already established connections ####
$iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &&\
echo -e "\033[01;36mAllowing already established connections\033[01;37m
..........\033[01;32m [ OK ]" || {
echo "Something broke in [Allowing already established connections]!";
exit 1
}

#### LoopBack Traffic Accepted ####
$iptables -A INPUT -i lo -j ACCEPT

echo ""
echo -e "\033[01;33m>>>>>>>>>>>>>>>>>>\033[01;32m Regras para
usuarios\033[01;33m <<<<<<<<<<<<<<<<<<"
echo ""

#### Debugging ####
#$iptables -A INPUT -m limit --limit 3/minute -j LOG --log-prefix
"[IPTABLES] INPUT : "
#$iptables -A OUTPUT -m limit --limit 3/minute -j LOG --log-prefix
"[IPTABLES] OUTPUT : "
#$iptables -A FORWARD -j LOG --log-prefix "[IPTABLES] FORWARD : "

#### Remote Administrator ####
$iptables -A INPUT -p tcp --dport 4899 -j LOG --log-prefix "[IPTABLES]
RA : " --log-level 6 --log-tcp-options --log-ip-options &&\
$iptables -A INPUT -i $internet -p tcp --dport 4899 -j ACCEPT &&\
$iptables -t nat -A PREROUTING -i $internet -p tcp --dport 4899 -j DNAT
--to 192.168.121.4:4899 &&\
$iptables -A FORWARD -i $internet -o $intranet -p tcp --dport 4899 -j
ACCEPT &&\
$iptables -A FORWARD -i $intranet -o $internet -p tcp --sport 4899 -j
ACCEPT &&\
echo -e "\033[01;36mRemote Administrator\033[01;37m
..............................\033[01;32m [ OK ]" || {
echo "Something broke in [Remote Administrator]!";
exit 1
}

#### Transparent Proxy ####
#$iptables -A INPUT -i $internet -p tcp --dport 80 -m state --state new
-j ACCEPT &&\
#$iptables -A INPUT -i $internet -p tcp --dport 443 -m state --state new
-j ACCEPT &&\
#$iptables -t nat -A PREROUTING -i $intranet -p tcp --dport 80 -j
REDIRECT --to-port 3128 &&\
#$iptables -t nat -A PREROUTING -i $intranet -p tcp --dport 443 -j
REDIRECT --to-port 3128 &&\
#echo -e "\033[01;36mTransparent Proxy\033[01;37m
................................\033[01;32m [ OK ]" || {
# echo "Something broke in [Transparent Proxy]!";
# exit 1
#}

#### SSH Access ####
## LAN 2 FIREWALL
$iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j LOG
--log-prefix "[IPTABLES] SSH : " --log-level 6 --log-tcp-options
--log-ip-options &&\
$iptables -A INPUT -p tcp -m tcp --sport 22 -m state --state NEW -j LOG
--log-prefix "[IPTABLES] SSH : " --log-level 6 --log-tcp-options
--log-ip-options &&\
$iptables -A INPUT -p tcp --dport 22 -i $intranet -j ACCEPT &&\
$iptables -A OUTPUT -p tcp --sport 22 -o $intranet -j ACCEPT &&\
$iptables -A FORWARD -p tcp --dport 22 -j ACCEPT &&\
$iptables -A FORWARD -p tcp --sport 22 -j ACCEPT &&\
## FIREWALL 2 INTERNET
$iptables -A INPUT -p tcp --sport 22 -i $internet -j ACCEPT &&\
$iptables -A OUTPUT -p tcp --dport 22 -o $internet -j ACCEPT &&\
## INTERNET 2 FIREWALL
$iptables -A INPUT -p tcp --dport 22 -i $internet -j ACCEPT &&\
$iptables -A OUTPUT -p tcp --sport 22 -o $internet -j ACCEPT &&\
echo -e "\033[01;36mSSH Access\033[01;37m
........................................\033[01;32m [ OK ]" || {
echo "Something broke in [SSH Access]!";
exit 1
}

#### Internet Sharing ####
$iptables -A FORWARD -i $intranet -p tcp --dport 80 -j ACCEPT &&\
$iptables -A FORWARD -i $internet -p tcp --sport 80 -j ACCEPT &&\
$iptables -A INPUT -i $internet -p tcp --dport 80 -m state --state NEW
-j ACCEPT &&\
$iptables -t nat -A POSTROUTING -j MASQUERADE &&\
echo -e "\033[01;36mInternet Sharing\033[01;37m
..................................\033[01;32m [ OK ]" || {
echo "Something broke in [Internet Sharing]!";
exit 1
}

echo ""
echo -e
"\033[01;33m<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
echo ""

#### SynFloods Protection ####
$iptables -A FORWARD -p tcp --syn -m limit --limit 3/s -j ACCEPT &&\
echo -e "\033[01;36mSynFloods Protection\033[01;37m
..............................\033[01;32m [ OK ]" || {
echo "Something broke in [SynFloods Protection]!";
exit 1
}

#### Ping Limit ####
$iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit
1/s -j ACCEPT &&\
echo -e "\033[01;36mPing Limit\033[01;37m
........................................\033[01;32m [ OK ]" || {
echo "Something broke in [Ping Limit]!";
exit 1
}

#### Locking fragmented packets ####
$iptables -A INPUT -f -i $internet -j LOG --log-prefix "[IPTABLES]
Fragmentos: " &&\
$iptables -A INPUT -f -i $internet -j REJECT &&\
echo -e "\033[01;36mLocking fragmented packets\033[01;37m
........................\033[01;32m [ OK ]" || {
echo "Something broke in [Locking fragmented packets]!";
exit 1
}

#### ICMP Limit ####
$iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT &&\
echo -e "\033[01;36mICMP Limit\033[01;37m
........................................\033[01;32m [ OK ]" || {
echo "Something broke in [ICMP Limit]!";
exit 1
}

#### QOS Remote Admin ####
$iptables -t mangle -A OUTPUT -o $internet -p tcp --sport 4899 -j TOS
--set-tos 0x10 &&\
$iptables -t mangle -A INPUT -i $internet -p tcp --dport 4899 -j TOS
--set-tos 0x10 &&\
$iptables -t mangle -A FORWARD -o $internet -p tcp --sport 4899 -j TOS
--set-tos 0x10 &&\
echo -e "\033[01;36mQoS Remote Admin\033[01;37m
..................................\033[01;32m [ OK ]" || {
echo "Something broke in [QOS Remote Admin]!";
exit 1
}

echo ""
echo -e "\033[01;33m-------------======\033[01;32m Firewall
Enabled\033[01;33m ======--------------"
echo -e "\033[01;37m"

--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments: