From 4f74be93690544b9d020e92565d6adcc3e64af9d Mon Sep 17 00:00:00 2001
From: Sergei Bobkov
Date: Thu, 19 Sep 2024 14:11:05 +0300
Subject: [PATCH] Added iptables-def
---
 iptables-def/README.md | 14 +++
 iptables-def/firewall.sh | 213 +++++++++++++++++++++++++++++++++
 iptables-def/firewall_bogon.sh | 59 +++++++++
 3 files changed, 286 insertions(+)
 create mode 100644 iptables-def/README.md
 create mode 100644 iptables-def/firewall.sh
 create mode 100644 iptables-def/firewall_bogon.sh
diff --git a/iptables-def/README.md b/iptables-def/README.md
new file mode 100644
index 0000000..8f96843
--- /dev/null
+++ b/iptables-def/README.md
@@ -0,0 +1,14 @@
+# IPTABLES base config
+
+
+This repo has Ansible, Packer by HashiCorp and etc auto tools for maintenance and service IT infrastructure.
+
+Look at these envs:
+
+`outside="11.11.11.11"`
+`inside="192.168.77.0/24"`
+`outside_interface="ppp0"`
+`inside_interface="eth1"`
+
+
+
diff --git a/iptables-def/firewall.sh b/iptables-def/firewall.sh
new file mode 100644
index 0000000..a916724
--- /dev/null
+++ b/iptables-def/firewall.sh
@@ -0,0 +1,213 @@
+#!/bin/bash
+#
+# For debug
+#set -e # Abort script when command exits with error
+#set -x # Print each command before it is executed (only for debugging)
+
+echo "[FIREWALL] = > Enable IP Forwarding."
+echo "1" > /proc/sys/net/ipv4/ip_forward
+#
+# **** Clean all firewall rules. ****
+#
+echo "[FIREWALL] = > Cleaning all iptables rules."
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
+iptables -t nat -P PREROUTING ACCEPT
+iptables -t nat -P POSTROUTING ACCEPT
+iptables -t nat -P OUTPUT ACCEPT
+iptables -t mangle -P PREROUTING ACCEPT
+iptables -t mangle -P OUTPUT ACCEPT
+
+iptables -F
+iptables -t nat -F
+iptables -t mangle -F
+
+iptables -X
+iptables -t nat -X
+iptables -t mangle -X
+
+# ****
+outside="11.11.11.11"
+inside="192.168.77.0/24"
+outside_interface="ppp0"
+inside_interface="eth1"
+echo "[FIREWALL] = > Outside IP = $outside on inteface = $outside_interface"
+echo "[FIREWALL] = > Inside IP = $inside on inteface = $inside_interface"
+
+#
+# **** Set default policy ****
+#
+echo "[FIREWALL] = > Set for INPUT FORWARD set default policy = DROP"
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+echo "[FIREWALL] = > Set for INPUT FORWARD OUTPUT IPv6 set default policy = DROP"
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+ip6tables -P OUTPUT DROP
+
+# allow (ESTABLISHED RELATED)
+echo "[FIREWALL] = > Set for traffic ESTABLISHED,RELATED = ACCEPT"
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+echo "[FIREWALL] = > For invalid INPUT OUTPUT FORWARD = DROP"
+iptables -A INPUT -m state --state INVALID -j DROP
+iptables -A FORWARD -m state --state INVALID -j DROP
+iptables -A OUTPUT -m state --state INVALID -j DROP
+
+echo "[FIREWALL] = > Set for INPUT OUTPUT localhost = ACCEPT"
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+#
+# **** Adding rules routes to tables ****
+#
+#example#echo "[FIREWALL] = > Cleaning all route rules and tables."
+#example#ip route flush table 221 > /dev/null 2>&1
+#example#ip rule delete table 221 > /dev/null 2>&1
+
+#example#echo "[FIREWALL] = > Adding route rules and tables."
+#example#ip route add default via 10.48.5.2 table 221 # see OpenVPN conf 'up /etc/openvpn/ip_route.sh
+#example#ip rule add fwmark 0x05 table 221
+
+#example#echo "[FIREWALL] = > Printing route rules and tables."
+#example#ip route list table 221 | sed 's/^/[FIREWALL] = > /'
+#example#ip rule list | sed 's/^/[FIREWALL] = > /'
+
+#
+# **** Adding blackhole routes to tables ****
+#
+echo "[FIREWALL] = > Deleting blackhole route for BOGON networks."
+black_hole_ip=$(ip route list | grep 'blackhole' | awk '{print $2}')
+for i in $black_hole_ip; do ip route del blackhole $i; done
+
+echo "[FIREWALL] = > Adding blackhole route for BOGON networks."
+ip route add blackhole 10.0.0.0/8
+ip route add blackhole 192.168.0.0/16
+ip route add blackhole 172.16.0.0/12
+ip route add blackhole 169.254.0.0/16
+
+# ******************************************************************
+# ******************************************************************
+
+echo "[FIREWALL] = > Starting iptables."
+
+# Add new chain (LOGDROP) for debug
+#iptables -N LOGDROP
+#iptables -A LOGDROP -j LOG --log-prefix "iptables log: "
+#iptables -A LOGDROP -j DROP
+
+# mangle FORWARD MSS TCP fix
+iptables -t mangle -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
+
+# deny INPUT FIRST packet has to be TCP SYN
+iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP -m comment --comment "deny INPUT FIRST packet has to be TCP SYN"
+# deny INPUT drop incoming fragments
+iptables -A INPUT -f -j DROP -m comment --comment "deny INPUT drop incoming fragments"
+# deny INPUT XMAS/NULL packets
+iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP -m comment --comment "deny INPUT XMAS packets"
+iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP -m comment --comment "deny INPUT NULL packets"
+# accept INPUT excessive RST packets to avoid smurf attacks
+iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT -m comment --comment "accept INPUT excessive RST packets to avoid smurf attacks"
+# deny INPUT smurf attacks
+iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP -m comment --comment "INPUT smurf attacks"
+iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP -m comment --comment "INPUT smurf attacks"
+
+# DROP BOGON
+/etc/network/firewall_bogon.sh
+
+#
+# **** Adding INPUT rules ****
+#
+echo "[FIREWALL] = > Adding rules for INPUT"
+# allow INPUT outside ---> ME (ICMP ping)
+iptables -A INPUT -i $outside_interface -p icmp -m state --state NEW -j ACCEPT
+
+# allow INPUT inside ---> ME
+iptables -A INPUT -i $inside_interface -m state --state NEW -j ACCEPT
+
+# allow INPUT outside ---> ME (TCP SSH)
+iptables -A INPUT -i $outside_interface -m multiport -p tcp -d $outside --dports 22,422 -m state --state NEW -j ACCEPT
+
+# allow INPUT outside ---> ME (UDP 500,1701,4500) L2TP/IPsec
+#example#iptables -A INPUT -i $outside_interface -m multiport -p udp -d $outside --dports 500,1701,4500 -m state --state NEW -j ACCEPT
+
+# allow INPUT for Stunnel + OpenVPN XXX <---> XXX
+#example#iptables -A INPUT -i $outside_interface -m multiport -p tcp -s 33.33.33.33 -d $outside -m state --state NEW --dports 443 -j ACCEPT
+
+# allow INPUT via OVPN NLSRV ---> ME (ICMP)
+#example#iptables -A INPUT -i tun0 -p icmp -s 10.37.4.1 -d 10.37.4.2 -m state --state NEW -j ACCEPT
+
+
+#
+# **** Adding FORWARD rules ****
+#
+
+echo "[FIREWALL] = > Adding rules for FORWARD"
+# deny FORWARD inside -->> ouside (DNS traffic)
+iptables -A FORWARD -o $outside_interface -m multiport -p tcp -m state --state NEW --dport 53,953 -j DROP
+iptables -A FORWARD -o $outside_interface -m multiport -p udp -m state --state NEW --dport 53,953 -j DROP
+
+# deny FORWARD for some host -> outside
+#example#iptables -A FORWARD -o $outside_interface -s 192.168.77.3 -m state --state NEW -j DROP
+
+# allow FORWARD from inside|VPN ---> inside|VPN
+#example#iptables -A FORWARD -i $inside_interface -o tunTR -s $inside -m state --state NEW -j ACCEPT
+#example#iptables -A FORWARD -i tunTR -o $inside_interface -s 192.168.98.0/24 -m state --state NEW -j ACCEPT
+
+# allow FORWARD outside -->> inside (DNAT) TCP 3389 -->> 192.168.77.25 TCP 3389
+#example##iptables -A FORWARD -i $outside_interface -o $inside_interface -m multiport -p tcp -s 99.99.99.99 -d 192.168.77.25 --dports 3389 -m state --state NEW -j ACCEPT
+#example##iptables -A FORWARD -i $outside_interface -o $inside_interface -m multiport -p udp -s 99.99.99.99 -d 192.168.77.25 --dports 3389 -m state --state NEW -j ACCEPT
+
+# allow FORWARD from insdie ---> outside (SNAT)
+#iptables -A FORWARD -i $inside_interface -o $outside_interface -s $inside -m state --state NEW -j ACCEPT
+
+# deny INPUT outside -->> ME (Block scan port)
+iptables -A INPUT -m multiport -p tcp --dports 1:65535 -m state --state NEW -j REJECT --reject-with tcp-reset
+iptables -A INPUT -m multiport -p udp --dports 1:65535 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
+
+# deny FORWARD (Block scan port)
+iptables -A FORWARD -m multiport -p tcp --dports 1:65535 -m state --state NEW -j REJECT --reject-with tcp-reset
+iptables -A FORWARD -m multiport -p udp --dports 1:65535 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
+
+#
+# **** Adding rules for MANGLE ****
+#
+echo "[FIREWALL] = > Adding rules for MANGLE table"
+# For routing to OVPN tunnel NLVPN tun1
+#example## for mark route#iptables -A PREROUTING -i $inside_interface -t mangle -p tcp -s 192.168.77.25 --sport 3389 -d 94.198.195.220 -j MARK --set-mark 0x05
+#example## for mark route#iptables -A PREROUTING -i $inside_interface -t mangle -p udp -s 192.168.77.25 --sport 3389 -d 94.198.195.220 -j MARK --set-mark 0x05
+#example#iptables -A PREROUTING -i $inside_interface -t mangle -s 192.168.77.3 ! -d 192.168.98.0/24 -j MARK --set-mark 0x05
+
+#
+# **** NAT ****
+#
+#
+echo "[FIREWALL] = > Adding rules for SNAT"
+#iptables -t nat -A POSTROUTING -o $outside_interface -s $inside -j SNAT --to-source $outside
+#
+echo "[FIREWALL] = > Adding rules for DNAT"
+#iptables -t nat -A PREROUTING -i $outside_interface -p tcp -m tcp -s 99.99.99.99 -d $outside --dport 3389 -j DNAT --to-destination 192.168.77.25:3389
+#iptables -t nat -A PREROUTING -i $outside_interface -p udp -m udp -s 99.99.99.99 -d $outside --dport 3389 -j DNAT --to-destination 192.168.77.25:3389
+#
+# **** NAT ****
+#
+
+#
+# **** Final list iptables rules ****
+#
+echo "[FIREWALL] = > List all iptables rules."
+echo "=====================================================================================" | sed 's/^/[FIREWALL] = > /'
+echo "= List FILTER table rules =" | sed 's/^/[FIREWALL] = > /'
+echo "=====================================================================================" | sed 's/^/[FIREWALL] = > /'
+iptables -L -n -v --line-numbers | sed 's/^/[FIREWALL] = > /'
+echo "=====================================================================================" | sed 's/^/[FIREWALL] = > /'
+echo "= List NAT table rules =" | sed 's/^/[FIREWALL] = > /'
+echo "=====================================================================================" | sed 's/^/[FIREWALL] = > /'
+iptables -t nat -L -n -v --line-numbers | sed 's/^/[FIREWALL] = > /'
+echo "=====================================================================================" | sed 's/^/[FIREWALL] = > /'
+echo "[FIREWALL] = > Done."
+#
+# **** Final list iptables rules ****
+#
diff --git a/iptables-def/firewall_bogon.sh b/iptables-def/firewall_bogon.sh
new file mode 100644
index 0000000..07b961d
--- /dev/null
+++ b/iptables-def/firewall_bogon.sh
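Review bot: IP forwarding is switched on at `echo "1" > /proc/sys/net/ipv4/ip_forward` before the policies are reset to ACCEPT and the tables flushed, so until the later `iptables -P FORWARD DROP` the host forwards between ppp0 and eth1 with no filter at all; moving the ip_forward write to after the default-DROP policies, or running `iptables -P INPUT DROP` and `iptables -P FORWARD DROP` before the `-F`/`-X` flush instead of setting them to ACCEPT, closes that window. The call `/etc/network/firewall_bogon.sh` is an absolute path that does not match where this commit adds the file (`iptables-def/firewall_bogon.sh`), and with `set -e` commented out a missing or failing script is skipped silently, leaving the bogon rules absent; `"$(dirname "$0")/firewall_bogon.sh" || exit 1` ties it to this checkout and makes the failure visible. The three `ip6tables -P ... DROP` lines are applied without flushing ip6tables and with no ip6tables rules at all, not even a loopback or ESTABLISHED,RELATED accept, so any pre-existing v6 rules survive and all new IPv6 traffic including loopback is dropped — if IPv6 is meant to be disabled, a comment stating that would help; if not, the lo and ESTABLISHED,RELATED accepts need ip6tables counterparts. The interface and address variables are used unquoted in every rule (`-i $outside_interface`, `-d $outside`), and `for i in $black_hole_ip` relies on word-splitting; quoting them is the usual ShellCheck fix.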
@@ -0,0 +1,59 @@
+#!/bin/bash
+#
+# For debug
+#set -e # Abort script when command exits with error
+#set -x # Print each command before it is executed (only for debugging)
+
+outside_interface="ppp0"
+
+echo "[FIREWALL] = > Adding rules for BOGON networks = DROP"
+# deny INPUT from BOGON networks -->> ME
+iptables -A INPUT -i $outside_interface -s 0.0.0.0/8 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 127.0.0.0/16 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 10.0.0.0/8 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 172.16.0.0/12 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 192.168.0.0/16 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 169.254.0.0/16 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 192.0.2.0/24 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 198.51.100.0/24 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 203.0.113.0/24 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 198.18.0.0/15 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 192.88.99.0/24 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 100.64.0.0/10 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 240.0.0.0/4 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 224.0.0.0/4 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+iptables -A INPUT -i $outside_interface -s 255.255.255.255 -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
+
+# deny FORWARD from BOGON networks -->> inside (+ route blackhole)
+iptables -A FORWARD -i $outside_interface -s 0.0.0.0/8 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 127.0.0.0/16 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 10.0.0.0/8 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 172.16.0.0/12 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 192.168.0.0/16 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 169.254.0.0/16 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 192.0.2.0/24 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 198.51.100.0/24 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 203.0.113.0/24 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 198.18.0.0/15 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 192.88.99.0/24 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 100.64.0.0/10 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 240.0.0.0/4 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 224.0.0.0/4 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+iptables -A FORWARD -i $outside_interface -s 255.255.255.255 -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
+
+# deny OUTPUT from BOGON networks -->> outside (+ route blackhole)
+iptables -A OUTPUT -o $outside_interface -d 0.0.0.0/8 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 127.0.0.0/16 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 10.0.0.0/8 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 172.16.0.0/12 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 192.168.0.0/16 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 169.254.0.0/16 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 192.0.2.0/24 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 198.51.100.0/24 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 203.0.113.0/24 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 198.18.0.0/15 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 192.88.99.0/24 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 100.64.0.0/10 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 240.0.0.0/4 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 224.0.0.0/4 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
+iptables -A OUTPUT -o $outside_interface -d 255.255.255.255 -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
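Review bot: The loopback bogon is written as `127.0.0.0/16` in all three sections (INPUT, FORWARD and OUTPUT), but the reserved loopback block is 127.0.0.0/8, so packets carrying a source in 127.1.0.0–127.255.255.255 are not matched by these rules; the three lines should read `-s 127.0.0.0/8` (and `-d 127.0.0.0/8` in the OUTPUT set). `outside_interface="ppp0"` is a second copy of the value set in firewall.sh, so changing the uplink interface in one file but not the other attaches the bogon rules to the wrong interface without any error; taking it from the caller, `outside_interface="${1:-ppp0}"` with firewall.sh invoking the script as `firewall_bogon.sh "$outside_interface"`, keeps a single source of truth. The variable is also used unquoted in every rule; `-i "$outside_interface"` avoids word-splitting if the name ever contains whitespace or glob characters. As a matter of style, the 45 near-identical rules are easier to audit as one list of prefixes driven by a loop, which also makes a mistaken mask like the /16 above show up once rather than three times; the chains end up with the same rules in the same relative order.
```shell
outside_interface="${1:-ppp0}"
bogons=(
  0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  169.254.0.0/16 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24
  198.18.0.0/15 192.88.99.0/24 100.64.0.0/10 240.0.0.0/4
  224.0.0.0/4 255.255.255.255
)
echo "[FIREWALL] = > Adding rules for BOGON networks = DROP"
for net in "${bogons[@]}"; do
  iptables -A INPUT -i "$outside_interface" -s "$net" -j DROP -m comment --comment "deny INPUT from BOGON networks -->> ME"
  iptables -A FORWARD -i "$outside_interface" -s "$net" -j DROP -m comment --comment "deny FORWARD from BOGON networks -->> inside"
  iptables -A OUTPUT -o "$outside_interface" -d "$net" -j DROP -m comment --comment "deny OUTPUT from BOGON networks -->> outside"
done
```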