From 8432e37c9387ee5af1b49bc066bf24400642c554 Mon Sep 17 00:00:00 2001
From: Gardouille <gardouille@gmail.com>
Date: Fri, 11 Sep 2015 19:08:30 +0200
Subject: [PATCH] Iptables script.

---
 firewall | 381 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 381 insertions(+)
 create mode 100755 firewall

diff --git a/firewall b/firewall
new file mode 100755
index 0000000..c7c1f94
--- /dev/null
+++ b/firewall
@@ -0,0 +1,381 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          firewall
+# Required-Start:    $remote_fs $rsyslog
+# Required-Stop:     $remote_fs $rsyslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Firewall initscript
+# Description:       Script de parefeu avec iptables
+#   Pour tester ce script avant de l'appliquer, on peut utiliser la commande:
+# service firewall test
+# Doc: * http://openvz.org/Using_NAT_for_container_with_private_IPs
+#      * ...
+### END INIT INFO
+
+# Author: Gardouille
+
+# **********************************************************************************************
+#
+# Variables globales
+#
+# -----------------------------------------------------------
+# Emplacement de iptables
+IPT="/sbin/iptables"
+# Durée en secondes pour le cas de test des règles du pare-feu
+TIME=42
+
+#### Colors definition
+export REDB='\033[1;31m'
+export GREEN='\033[1;32m'
+export WHITEB='\033[1;37m'
+export RESET='\033[0m'
+
+
+fw_init() {
+
+  #############
+  ## KERNEL  ##
+  #############
+  # active la protection Cookie TCP SYN
+  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+  # Active la protection IP Spoofing
+  # Effectue une verification de l'adresse source
+  for SYS in /proc/sys/net/ipv4/conf/*/rp_filter
+  do
+  echo 1 > ${SYS}
+  done
+  # Desactive l'ICMP Redirect
+  for SYS in /proc/sys/net/ipv4/conf/*/accept_redirects
+  do
+  echo 0 > ${SYS}
+  done
+  # Desactive les paquets Source-Routed
+  for SYS in /proc/sys/net/ipv4/conf/*/accept_source_route
+  do
+  echo 0 > ${SYS}
+  done
+  # Active l'ip forwarding
+  echo 1 > /proc/sys/net/ipv4/ip_forward
+
+
+  #############
+  ## POLICY  ##
+  #############
+  ## drop tout le traffic entrant, sortant et forwardé
+  $IPT -P INPUT DROP
+  $IPT -P FORWARD DROP
+  #$IPT -P OUTPUT DROP
+#  $IPT -P INPUT ACCEPT
+#  $IPT -P FORWARD ACCEPT
+  $IPT -P OUTPUT ACCEPT
+
+  ############
+  ##  BASE  ##
+  ############
+  #### Dropper les nouvelles connections qui n'ont pas le flag syn
+  $IPT -t filter -A INPUT -j DROP -p tcp ! --syn -m state --state NEW
+
+  # Interdire les connections locales qui ne viennent pas de locale
+  $IPT -A INPUT -j REJECT ! -i lo -d 127.0.0.1/8 -m comment --comment "Reject lo not from lo"
+  # Autoriser loopback
+  $IPT -A INPUT -j ACCEPT -i lo -m comment --comment "Loopback in"
+  $IPT -A OUTPUT -j ACCEPT -o lo -m comment --comment "Loopback out"
+
+  ##############
+  ##  OUTPUT  ##
+  ##############
+
+  #### ICMP request (Ping)
+  $IPT -A OUTPUT -j ACCEPT -p icmp -m state --state NEW -m comment --comment "ICMP out"
+}
+
+
+fw_start() {
+
+  #############
+  ##  INPUT  ##
+  #############
+  #### Pour tenter de s'y retrouver avec l'affichage des règles iptables, pour l'écriture des règles,
+  #   respecter cet ordre:
+  # -t TABLE -A CHAINE -j TARGET -p PROTOCOLE -i ETH_IN -o ETH_OUT -s SOURCE -d DESTINATION --sport PORT_SRC --dport PORT_DST -m state --state �TAT -m comment --comment "COMMENTAIRE"
+  ####
+
+  #### Ne pas casser les connexions etablies
+  $IPT -A INPUT -j ACCEPT -p all -i "${ILAN}" -d "${IPLAN}" -m state --state RELATED,ESTABLISHED
+#  $IPT -A FORWARD -j ACCEPT -p all -o "${IVM}" -d "${LANVM}" -m state --state RELATED,ESTABLISHED
+
+  #####
+#  $IPT -A INPUT -j ACCEPT -s 192.168.42.166 -d 192.168.42.1 -m comment --comment "TEST Rules"
+#  $IPT -A OUTPUT -j ACCEPT -s 192.168.42.1 -d 192.168.42.166 -m comment --comment "TEST Rules"
+#
+#  $IPT -A INPUT -j ACCEPT -p icmp -s ${LANVM} -d "${IPLAN}" -m comment --comment "ICMP req LANVM"
+
+
+  #### ICMP (Ping)
+  # Accept all ping
+  #$IPT -A INPUT -p icmp -j ACCEPT
+  # Accept icmp ping from LAN
+  #$IPT -A INPUT -j ACCEPT -p icmp -i "${ILAN}" -s ${LAN} -d "${IPLAN}" -m comment --comment "ICMP req LAN"
+
+
+
+  #### SSHD
+  #$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 22 -m state --state NEW -m comment --comment "New SSH in"
+
+  ## BackupPC
+  $IPT -A INPUT -j ACCEPT -p icmp -i "${ILAN}" -s 192.168.0.3 -d "${IPLAN}" -m comment --comment "ICMP FURY req"
+  $IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -s 192.168.0.3 -d "${IPLAN}" --dport 22 -m state --state NEW -m comment --comment "New SSH fury in"
+
+  #### Apache2 - Web server
+  #$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 80 -m state --state NEW -m comment --comment "New HTTP in"
+  #$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 443 -m state --state NEW -m comment --comment "New HTTPS in"
+
+  #### slapd
+  #$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 389 -m state --state NEW -m comment --comment "New LDAP in"
+  #$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 636 -m state --state NEW -m comment --comment "New LDAPS in"
+
+  #### dhcpd
+  #$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --sport 67:68 --dport 67:68 -m state --state NEW -m comment --comment "New DHCPD in"
+
+  #### PuppetMaster
+  #$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -s "${LAN}" -d "${IPLAN}" --dport 8140 -m state --state NEW -m comment --comment "New Puppet in"
+
+  #### NFS Server
+  #$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
+  #$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
+  #$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS in"
+  #$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS in"
+  ## 32769: rpc.quotad
+  #$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 32769 -m state --state NEW -m comment --comment "NFS quotad in"
+  #$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 32769 -m state --state NEW -m comment --comment "NFS quotad in"
+
+  #### tftp allowed
+  #$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 69 -m state --state NEW -m comment --comment "TFTPD in"
+
+  #### Printers
+  $IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --sport 161 -m state --state NEW -m comment --comment "SNMP IN"
+
+  #########################
+  ##  {Multi,Broad}cast  ##
+  #########################
+  #### DROP Multicast & broadcast
+  $IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 255.255.255.255 -m comment --comment "DROP Broadcast1"
+  $IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 129.20.27.255 -m comment --comment "DROP Broadcast2"
+  $IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 129.20.255.255 -m comment --comment "DROP Broadcast3"
+  $IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 224.0.0.1 -m comment --comment "DROP Multicast1"
+  $IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 224.0.0.251 -m comment --comment "DROP Multicast2"
+
+
+
+  ##############
+  ##  OUTPUT  ##
+  ##############
+  #### Ne pas casser les connexions etablies
+#  $IPT -A OUTPUT -j ACCEPT -p all -o "${ILAN}" -s "${IPLAN}" -m state --state RELATED,ESTABLISHED,UNTRACKED
+#
+#  #### ICMP reply (Ping)
+#  #$IPT -A OUTPUT -j ACCEPT -p icmp -o "${ILAN}" --icmp-type 0 -s "${IPLAN}" -d 0/0 -m state --state ESTABLISHED,RELATED -m comment --comment "ICMP reply"
+#
+#  #### SSH
+#  $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 22 -m state --state NEW -m comment --comment "New SSH out"
+#
+#  #### Mail (rapport d'erreur, ...)
+#  $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 25 -m state --state NEW -m comment --comment "SMTP out"
+#  $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 143 -m state --state NEW -m comment --comment "Imap"
+#  $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 993 -m state --state NEW -m comment --comment "Imaps"
+#
+#  #### DNS (résolution de noms de domaines, ... ...)
+#  $IPT -A OUTPUT -j ACCEPT -p udp -o ${ILAN} --dport 53 -m state --state NEW -m comment --comment "DNS out udp"
+#  $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 53 -m state --state NEW -m comment --comment "DNS out tcp"
+#
+#  #### DHCP
+#  $IPT -A OUTPUT -j ACCEPT -p udp -o ${ILAN} -s "${IPLAN}" --sport 68 -m comment --comment "DHCPREQUEST"
+#
+#  #### HTTP (maj, ...)
+#  $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 80 -m state --state NEW -m comment --comment "HTTP out"
+#  $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 443 -m state --state NEW -m comment --comment "HTTPS out"
+#
+#  #### NTP
+#  $IPT -A OUTPUT -j ACCEPT -p udp -o ${ILAN} --dport 123 -m state --state NEW -m comment --comment "NTP"
+#
+#  #### Puppet (connection, ... )
+#  $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 8140 -m state --state NEW -m comment --comment "Puppet out"
+#
+#  #### OpenPGP HTTP key server (add key, maj, ...)
+#  $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 11371 -m state --state NEW -m comment --comment "OpenPGP req"
+#
+#  #### Apache2 - Web server
+#  #$IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --sport 80 -m state --state NEW -m comment --comment "New HTTP out"
+#  #$IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --sport 443 -m state --state NEW -m comment --comment "New HTTPS out"
+#
+#  #### dhcpd
+#  #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --sport 67:68 --dport 67:68 -m state --state NEW -m comment --comment "DHCPD out"
+#
+#  #### ldap connection//synchronisation (only the server is allowed to connect without SSL)
+##  $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 389 -m state --state NEW -m comment --comment "LDAP out"
+#  #### ldap connection (should be an LDAPS connection when it will be available!)
+#  #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 389 -m state --state NEW -m comment --comment "LDAP out"
+#
+#  #### NFS Client
+#  #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
+#  #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
+#  #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS out"
+#  #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS out"
+#  ## Port spécifié par le serveur NFS contacté
+#  #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 32767 -m state --state NEW -m comment --comment "NFS mountd out"
+#  #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 32767 -m state --state NEW -m comment --comment "NFS mountd out"
+#
+#  #### Printers
+#  $IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 161 -m state --state NEW -m comment --comment "SNMP OUT"
+#
+
+}
+
+
+# Règles pour de log
+fw_log() {
+
+  #############
+  ##   LOG   ##
+  #############
+
+  # LOG INPUT DROP PAQUET
+  $IPT -N INPLOG
+  $IPT -A INPUT -j INPLOG
+  $IPT -A INPLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [tcp]: "
+  $IPT -A INPLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [udp]: "
+  $IPT -A INPLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [icmp]: "
+
+  # LOG OUTPUT DROP PAQUET
+  #$IPT -N OUTLOG
+  #$IPT -A OUTPUT -j OUTLOG
+  #$IPT -A OUTLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [tcp]: "
+  #$IPT -A OUTLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [udp]: "
+  #$IPT -A OUTLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [icmp]: "
+
+  # LOG FORWARD DROP PAQUET
+  $IPT -N FORLOG
+  $IPT -A FORWARD -j FORLOG
+  $IPT -A FORLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-FOR [tcp]: "
+  $IPT -A FORLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-FOR [udp]: "
+  $IPT -A FORLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-FOR [icmp]: "
+
+}
+
+
+# Arrêt du firewall
+fw_stop() {
+  # Supprimer une route ajouter automatiquement
+  ip route del 169.254.0.0/16
+  # Vider les tables actuelles
+  $IPT -t filter -F
+  # Vider les règles personnelles
+  $IPT -t filter -X
+  $IPT -t nat -F
+  $IPT -t nat -X
+  $IPT -t mangle -F
+  $IPT -t mangle -X
+  $IPT -P INPUT ACCEPT
+  $IPT -P FORWARD ACCEPT
+  $IPT -P OUTPUT ACCEPT
+  $IPT -t nat -P PREROUTING ACCEPT
+  $IPT -t nat -P OUTPUT ACCEPT
+  $IPT -t nat -P POSTROUTING ACCEPT
+  $IPT -t mangle -P PREROUTING ACCEPT
+  $IPT -t mangle -P INPUT ACCEPT
+  $IPT -t mangle -P FORWARD ACCEPT
+  $IPT -t mangle -P OUTPUT ACCEPT
+  $IPT -t mangle -P POSTROUTING ACCEPT
+
+}
+
+# VPN
+fw_vpn() {
+  # Allow all traffic throught VPN
+  $IPT -A INPUT -j ACCEPT -p all -i "${ILAN}" -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "VPN in"
+  $IPT -A OUTPUT -j ACCEPT -p all -o "${ILAN}" -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -m comment --comment "VPN out"
+}
+
+# **********************************************************************************************
+#
+# Programme principale
+#
+# -----------------------------------------------------------
+
+case "${1}" in
+  start|restart)
+    printf '%s\n' "Start firewall …"
+    fw_stop
+    fw_init
+    # List all available interface except localhost
+    for PATH_ILAN in $(find /sys/class/net/ ! -name lo -type l); do
+      # Interface name
+      ILAN=$(basename ${PATH_ILAN})
+      IS_UP=$(grep 1 ${PATH_ILAN}/carrier)
+
+      # Test if interface is connected
+      if [ ${IS_UP} ]; then
+        # Interface IP
+        IPLAN=$(ip route|grep -v "default"|grep ${ILAN}|grep src|awk '{print $NF}')
+        # IP/MASK
+        #IPLAN=$(ip a s "${ILAN}"|grep "inet "|awk '{print $2}')
+        # Interface LAN
+        LAN=$(ip route|grep -v "default"|grep "${IPLAN}"|awk '{print $1}')
+
+        printf '%b' "${WHITEB}${ILAN} ${GREEN}connected${RESET}: \t${IPLAN} \ton ${LAN}\n"
+
+        # Load rules for this interface
+        fw_start
+      else
+        printf '%b' "${WHITEB}${ILAN} ${REDB}disconnected${RESET}\n"
+      fi
+    done
+
+    fw_log
+    ;;
+  stop)
+    printf '%s\n' "Clean all firewall rules"
+    fw_stop
+    ;;
+  test)
+    printf '%b' "Load firewall rules for ${TIME} secondes …\n"
+
+    $0 start
+    sleep ${TIME}
+    fw_stop
+    ;;
+  vpn)
+    printf '%s\n' "Special rules for VPN interfaces (TUN or TAP)"
+    for PATH_ILAN in $(find /sys/class/net/ \( -iname "*tun*" -o -iname "*tap*" \) -type l ); do
+      ILAN=$(basename ${PATH_ILAN})
+      IS_UP=$(grep 1 ${PATH_ILAN}/carrier)
+
+      if [ ${IS_UP} ]; then
+        # IP
+        IPLAN=$(ip route|grep -v "default"|grep ${ILAN}|grep src|awk '{print $NF}')
+        # IP/MASK
+        #IPLAN=$(ip a s "${ILAN}"|grep "inet "|awk '{print $2}')
+        LAN=$(ip route|grep -v "default"|grep "${IPLAN}"|awk '{print $1}')
+
+        printf '%b' "${WHITEB}${ILAN} ${GREEN}connected${RESET}: \t${IPLAN} \ton ${LAN}\n"
+
+        # Load special rules for this interface
+        fw_vpn
+      else
+        printf '%b' "${WHITEB}${ILAN} ${REDB}disconnected${RESET}\n"
+      fi
+    done
+    ;;
+  *)
+    echo "Usage: firewall ({start|stop|restart|test})"
+    exit 1
+    ;;
+esac
+
+# Fin du script
+exit 0
+
+# Fin de la boucle principale
+# -----------------------------------------------------------
+