Added iptables-def
This commit is contained in:
parent
6ddbc86f76
commit
4f74be9369
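--- a/iptables-def/README.md
+++ b/iptables-def/README.md
@@ -0,0 +1,14 @@
+# IPTABLES base config
+
+<br/>
+This repo has Ansible, Packer by HashiCorp and etc auto tools for maintenance and service IT infrastructure.<br/>
+<br/>
+Look at these envs:<br/>
+
+`outside="11.11.11.11"`<br/>
+`inside="192.168.77.0/24"`<br/>
+`outside_interface="ppp0"`<br/>
+`inside_interface="eth1"`<br/>
+<br/>
+
+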
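--- a/iptables-def/firewall.sh
+++ b/iptables-def/firewall.sh
@@ -0,0 +1,213 @@
+#!/bin/bash
+#
+# For debug
+#set -e # Abort script when command exits with error
+#set -x # Print each command before it is executed (only for debugging)
+
+echo "[FIREWALL] = > Enable IP Forwarding."
+echo "1" > /proc/sys/net/ipv4/ip_forward
+#
+# **** Clean all firewall rules. ****
+#
+echo "[FIREWALL] = > Cleaning all iptables rules."
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
+iptables -t nat -P PREROUTING ACCEPT
+iptables -t nat -P POSTROUTING ACCEPT
+iptables -t nat -P OUTPUT ACCEPT
+iptables -t mangle -P PREROUTING ACCEPT
+iptables -t mangle -P OUTPUT ACCEPT
+
+iptables -F
+iptables -t nat -F
+iptables -t mangle -F
+
+iptables -X
+iptables -t nat -X
+iptables -t mangle -X
+
+# ****
+outside="11.11.11.11"
+inside="192.168.77.0/24"
+outside_interface="ppp0"
+inside_interface="eth1"
+echo "[FIREWALL] = > Outside IP = $outside on inteface = $outside_interface"
+echo "[FIREWALL] = > Inside IP = $inside on inteface = $inside_interface"
+
+#
+# **** Set default policy ****
+#
+echo "[FIREWALL] = > Set for INPUT FORWARD set default policy = DROP"
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+echo "[FIREWALL] = > Set for INPUT FORWARD OUTPUT IPv6 set default policy = DROP"
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+ip6tables -P OUTPUT DROP
+
+# allow (ESTABLISHED RELATED)
+echo "[FIREWALL] = > Set for traffic ESTABLISHED,RELATED = ACCEPT"
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+echo "[FIREWALL] = > For invalid INPUT OUTPUT FORWARD = DROP"
+iptables -A INPUT -m state --state INVALID -j DROP
+iptables -A FORWARD -m state --state INVALID -j DROP
+iptables -A OUTPUT -m state --state INVALID -j DROP
+
+echo "[FIREWALL] = > Set for INPUT OUTPUT localhost = ACCEPT"
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+#
+# **** Adding rules routes to tables ****
+#
+#example#echo "[FIREWALL] = > Cleaning all route rules and tables."
+#example#ip route flush table 221 > /dev/null 2>&1
+#example#ip rule delete table 221 > /dev/null 2>&1
+
+#example#echo "[FIREWALL] = > Adding route rules and tables."
+#example#ip route add default via 10.48.5.2 table 221 # see OpenVPN conf 'up /etc/openvpn/ip_route.sh
+#example#ip rule add fwmark 0x05 table 221
+
+#example#echo "[FIREWALL] = > Printing route rules and tables."
+#example#ip route list table 221 | sed 's/^/[FIREWALL] = > /'
+#example#ip rule list | sed 's/^/[FIREWALL] = > /'
+
+#
+# **** Adding blackhole routes to tables ****
+#
+echo "[FIREWALL] = > Deleting blackhole route for BOGON networks."
+black_hole_ip=$(ip route list | grep 'blackhole' | awk '{print $2}')
+for i in $black_hole_ip; do ip route del blackhole $i; done
+
+echo "[FIREWALL] = > Adding blackhole route for BOGON networks."
+ip route add blackhole 10.0.0.0/8
+ip route add blackhole 192.168.0.0/16
+ip route add blackhole 172.16.0.0/12
+ip route add blackhole 169.254.0.0/16
+
+# ******************************************************************
+# ******************************************************************
+
+echo "[FIREWALL] = > Starting iptables."
+
+# Add new chain (LOGDROP) for debug
+#iptables -N LOGDROP
+#iptables -A LOGDROP -j LOG --log-prefix "iptables log: "
+#iptables -A LOGDROP -j DROP
+
+# mangle FORWARD MSS TCP fix
+iptables -t mangle -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
+
+# deny INPUT FIRST packet has to be TCP SYN
+iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP -m comment --comment "deny INPUT FIRST packet has to be TCP SYN"
+# deny INPUT drop incoming fragments
+iptables -A INPUT -f -j DROP -m comment --comment "deny INPUT drop incoming fragments"
+# deny INPUT XMAS/NULL packets
+iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP -m comment --comment "deny INPUT XMAS packets"
+iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP -m comment --comment "deny INPUT NULL packets"
+# accept INPUT excessive RST packets to avoid smurf attacks
+iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT -m comment --comment "accept INPUT excessive RST packets to avoid smurf attacks"
+# deny INPUT smurf attacks
+iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP -m comment --comment "INPUT smurf attacks"
+iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP -m comment --comment "INPUT smurf attacks"
+
+# DROP BOGON
+/etc/network/firewall_bogon.sh
+
+#
+# **** Adding INPUT rules ****
+#
+echo "[FIREWALL] = > Adding rules for INPUT"
+# allow INPUT outside ---> ME (ICMP ping)
+iptables -A INPUT -i $outside_interface -p icmp -m state --state NEW -j ACCEPT
+
+# allow INPUT inside ---> ME
+iptables -A INPUT -i $inside_interface -m state --state NEW -j ACCEPT
+
+# allow INPUT outside ---> ME (TCP SSH)
+iptables -A INPUT -i $outside_interface -m multiport -p tcp -d $outside --dports 22,422 -m state --state NEW -j ACCEPT
+
+# allow INPUT outside ---> ME (UDP 500,1701,4500) L2TP/IPsec
+#example#iptables -A INPUT -i $outside_interface -m multiport -p udp -d $outside --dports 500,1701,4500 -m state --state NEW -j ACCEPT
+
+# allow INPUT for Stunnel + OpenVPN XXX <---> XXX
+#example#iptables -A INPUT -i $outside_interface -m multiport -p tcp -s 33.33.33.33 -d $outside -m state --state NEW --dports 443 -j ACCEPT
+
+# allow INPUT via OVPN NLSRV ---> ME (ICMP)
+#example#iptables -A INPUT -i tun0 -p icmp -s 10.37.4.1 -d 10.37.4.2 -m state --state NEW -j ACCEPT
+
+
+#
+# **** Adding FORWARD rules ****
+#
+
+echo "[FIREWALL] = > Adding rules for FORWARD"
+# deny FORWARD inside -->> ouside (DNS traffic)
+iptables -A FORWARD -o $outside_interface -m multiport -p tcp -m state --state NEW --dport 53,953 -j DROP
+iptables -A FORWARD -o $outside_interface -m multiport -p udp -m state --state NEW --dport 53,953 -j DROP
+
+# deny FORWARD for some host -> outside
+#example#iptables -A FORWARD -o $outside_interface -s 192.168.77.3 -m state --state NEW -j DROP
+
+# allow FORWARD from inside|VPN ---> inside|VPN
+#example#iptables -A FORWARD -i $inside_interface -o tunTR -s $inside -m state --state NEW -j ACCEPT
+#example#iptables -A FORWARD -i tunTR -o $inside_interface -s 192.168.98.0/24 -m state --state NEW -j ACCEPT
+
+# allow FORWARD outside -->> inside (DNAT) TCP 3389 -->> 192.168.77.25 TCP 3389
+#example##iptables -A FORWARD -i $outside_interface -o $inside_interface -m multiport -p tcp -s 99.99.99.99 -d 192.168.77.25 --dports 3389 -m state --state NEW -j ACCEPT
+#example##iptables -A FORWARD -i $outside_interface -o $inside_interface -m multiport -p udp -s 99.99.99.99 -d 192.168.77.25 --dports 3389 -m state --state NEW -j ACCEPT
+
+# allow FORWARD from insdie ---> outside (SNAT)
+#iptables -A FORWARD -i $inside_interface -o $outside_interface -s $inside -m state --state NEW -j ACCEPT
+
+# deny INPUT outside -->> ME (Block scan port)
+iptables -A INPUT -m multiport -p tcp --dports 1:65535 -m state --state NEW -j REJECT --reject-with tcp-reset
+iptables -A INPUT -m multiport -p udp --dports 1:65535 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
+
+# deny FORWARD (Block scan port)
+iptables -A FORWARD -m multiport -p tcp --dports 1:65535 -m state --state NEW -j REJECT --reject-with tcp-reset
+iptables -A FORWARD -m multiport -p udp --dports 1:65535 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
+
+#
+# **** Adding rules for MANGLE ****
+#
+echo "[FIREWALL] = > Adding rules for MANGLE table"
+# For routing to OVPN tunnel NLVPN tun1
+#example## for mark route#iptables -A PREROUTING -i $inside_interface -t mangle -p tcp -s 192.168.77.25 --sport 3389 -d 94.198.195.220 -j MARK --set-mark 0x05
+#example## for mark route#iptables -A PREROUTING -i $inside_interface -t mangle -p udp -s 192.168.77.25 --sport 3389 -d 94.198.195.220 -j MARK --set-mark 0x05
+#example#iptables -A PREROUTING -i $inside_interface -t mangle -s 192.168.77.3 ! -d 192.168.98.0/24 -j MARK --set-mark 0x05
+
+#
+# **** NAT ****
+#
+#
+echo "[FIREWALL] = > Adding rules for SNAT"
+#iptables -t nat -A POSTROUTING -o $outside_interface -s $inside -j SNAT --to-source $outside
+#
+echo "[FIREWALL] = > Adding rules for DNAT"
+#iptables -t nat -A PREROUTING -i $outside_interface -p tcp -m tcp -s 99.99.99.99 -d $outside --dport 3389 -j DNAT --to-destination 192.168.77.25:3389
+#iptables -t nat -A PREROUTING -i $outside_interface -p udp -m udp -s 99.99.99.99 -d $outside --dport 3389 -j DNAT --to-destination 192.168.77.25:3389
+#
+# **** NAT ****
+#
+
+#
+# **** Final list iptables rules ****
+#
+echo "[FIREWALL] = > List all iptables rules."
+echo "=====================================================================================" | sed 's/^/[FIREWALL] = > /'
+echo "= List FILTER table rules =" | sed 's/^/[FIREWALL] = > /'
+echo "=====================================================================================" | sed 's/^/[FIREWALL] = > /'
+iptables -L -n -v --line-numbers | sed 's/^/[FIREWALL] = > /'
+echo "=====================================================================================" | sed 's/^/[FIREWALL] = > /'
+echo "= List NAT table rules =" | sed 's/^/[FIREWALL] = > /'
+echo "=====================================================================================" | sed 's/^/[FIREWALL] = > /'
+iptables -t nat -L -n -v --line-numbers | sed 's/^/[FIREWALL] = > /'
+echo "=====================================================================================" | sed 's/^/[FIREWALL] = > /'
+echo "[FIREWALL] = > Done."
+#
+# **** Final list iptables rules ****
+#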
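Review bot: The reset block (`iptables -P INPUT ACCEPT`, `iptables -P FORWARD ACCEPT`, then `iptables -F`) runs after `echo "1" > /proc/sys/net/ipv4/ip_forward` and well before `iptables -P INPUT DROP` / `iptables -P FORWARD DROP` are applied, so on every run the host briefly accepts and forwards all traffic with no rules loaded. Setting the two DROP policies before the flush and moving the ip_forward write to after the FORWARD section closes that window (accepting that a mid-script failure then leaves the host closed rather than open); loading the ruleset atomically via iptables-restore would remove it entirely. Because `set -e` is commented out, a failing command midway (for instance `ip6tables` being unavailable) is not reported and the script continues, so the final `iptables -L` listing is the only indication that the intended state was reached. The interface and address expansions (`-i $outside_interface`, `-d $outside`) are unquoted throughout; harmless with these literal values, but `"$outside_interface"` is the safer form.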
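--- a/iptables-def/firewall_bogon.sh
+++ b/iptables-def/firewall_bogon.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+#
+# For debug
+#set -e # Abort script when command exits with error
+#set -x # Print each command before it is executed (only for debugging)
+
+outside_interface="ppp0"
+
+echo "[FIREWALL] = > Adding rules for BOGON networks = DROP"
+# deny INPUT from BOGON networks -->> ME
+iptables -A INPUT -i $outside_interface -s 0.0.0.0/8 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 127.0.0.0/16 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 10.0.0.0/8 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 172.16.0.0/12 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 192.168.0.0/16 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 169.254.0.0/16 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 192.0.2.0/24 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 198.51.100.0/24 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 203.0.113.0/24 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 198.18.0.0/15 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 192.88.99.0/24 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 100.64.0.0/10 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 240.0.0.0/4 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 224.0.0.0/4 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 255.255.255.255 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+
+# deny FORWARD from BOGON networks -->> inside (+ route blackhole)
+iptables -A FORWARD -i $outside_interface -s 0.0.0.0/8 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 127.0.0.0/16 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 10.0.0.0/8 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 172.16.0.0/12 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 192.168.0.0/16 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 169.254.0.0/16 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 192.0.2.0/24 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 198.51.100.0/24 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 203.0.113.0/24 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 198.18.0.0/15 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 192.88.99.0/24 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 100.64.0.0/10 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 240.0.0.0/4 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 224.0.0.0/4 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 255.255.255.255 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+
+# deny OUTPUT from BOGON networks -->> outside (+ route blackhole)
+iptables -A OUTPUT -o $outside_interface -d 0.0.0.0/8 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 127.0.0.0/16 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 10.0.0.0/8 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 172.16.0.0/12 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 192.168.0.0/16 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 169.254.0.0/16 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 192.0.2.0/24 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 198.51.100.0/24 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 203.0.113.0/24 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 198.18.0.0/15 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 192.88.99.0/24 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 100.64.0.0/10 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 240.0.0.0/4 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 224.0.0.0/4 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 255.255.255.255 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"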
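Review bot: The loopback bogon is written as `127.0.0.0/16` in the INPUT, FORWARD and OUTPUT rules, but the reserved loopback block is `127.0.0.0/8`, so the rest of 127.0.0.0/8 (for example a 127.1.x.x source) is not matched by these rules; the same prefix appears in all three chains, and `-s 127.0.0.0/8` / `-d 127.0.0.0/8` is the fix in each. `outside_interface="ppp0"` is redefined here independently of the value set in firewall.sh, which runs this file as a separate process without exporting the variable, so the two can silently drift apart; `outside_interface="${outside_interface:-ppp0}"` together with an `export outside_interface` in the caller (or sourcing this file instead of executing it) keeps them in sync. The `$outside_interface` expansions are unquoted; `"$outside_interface"` is the safer form.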