#!/bin/sh ### BEGIN INIT INFO # Provides: firewall # Required-Start: $remote_fs $rsyslog # Required-Stop: $remote_fs $rsyslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Firewall initscript # Description: Script de parefeu avec iptables # Pour tester ce script avant de l'appliquer, on peut utiliser la commande: # service firewall test # Doc: * http://openvz.org/Using_NAT_for_container_with_private_IPs # * ... ### END INIT INFO # Author: Gardouille # ********************************************************************************************** # # Variables globales # # ----------------------------------------------------------- # Emplacement de iptables IPT="/sbin/iptables" # Durée en secondes pour le cas de test des règles du pare-feu TIME=42 #### Colors definition export REDB='\033[1;31m' export GREEN='\033[1;32m' export WHITEB='\033[1;37m' export RESET='\033[0m' fw_init() { ############# ## KERNEL ## ############# # active la protection Cookie TCP SYN echo 1 > /proc/sys/net/ipv4/tcp_syncookies # Active la protection IP Spoofing # Effectue une verification de l'adresse source for SYS in /proc/sys/net/ipv4/conf/*/rp_filter do echo 1 > ${SYS} done # Desactive l'ICMP Redirect for SYS in /proc/sys/net/ipv4/conf/*/accept_redirects do echo 0 > ${SYS} done # Desactive les paquets Source-Routed for SYS in /proc/sys/net/ipv4/conf/*/accept_source_route do echo 0 > ${SYS} done # Active l'ip forwarding echo 1 > /proc/sys/net/ipv4/ip_forward ############# ## POLICY ## ############# ## drop tout le traffic entrant, sortant et forwardé $IPT -P INPUT DROP $IPT -P FORWARD DROP #$IPT -P OUTPUT DROP # $IPT -P INPUT ACCEPT # $IPT -P FORWARD ACCEPT $IPT -P OUTPUT ACCEPT ############ ## BASE ## ############ #### Dropper les nouvelles connections qui n'ont pas le flag syn $IPT -t filter -A INPUT -j DROP -p tcp ! --syn -m state --state NEW # Interdire les connections locales qui ne viennent pas de locale $IPT -A INPUT -j REJECT ! -i lo -d 127.0.0.1/8 -m comment --comment "Reject lo not from lo" # Autoriser loopback $IPT -A INPUT -j ACCEPT -i lo -m comment --comment "Loopback in" $IPT -A OUTPUT -j ACCEPT -o lo -m comment --comment "Loopback out" ############## ## OUTPUT ## ############## #### ICMP request (Ping) $IPT -A OUTPUT -j ACCEPT -p icmp -m state --state NEW -m comment --comment "ICMP out" } fw_start() { ############# ## INPUT ## ############# #### Pour tenter de s'y retrouver avec l'affichage des règles iptables, pour l'écriture des règles, # respecter cet ordre: # -t TABLE -A CHAINE -j TARGET -p PROTOCOLE -i ETH_IN -o ETH_OUT -s SOURCE -d DESTINATION --sport PORT_SRC --dport PORT_DST -m state --state LIST_OF_STATE -m comment --comment "tiny DESCRIPTION" #### #### Ne pas casser les connexions etablies $IPT -A INPUT -j ACCEPT -p all -i "${ILAN}" -d "${IPLAN}" -m state --state RELATED,ESTABLISHED # $IPT -A FORWARD -j ACCEPT -p all -o "${IVM}" -d "${LANVM}" -m state --state RELATED,ESTABLISHED ##### # $IPT -A INPUT -j ACCEPT -s 192.168.42.166 -d 192.168.42.1 -m comment --comment "TEST Rules" # $IPT -A OUTPUT -j ACCEPT -s 192.168.42.1 -d 192.168.42.166 -m comment --comment "TEST Rules" # # $IPT -A INPUT -j ACCEPT -p icmp -s ${LANVM} -d "${IPLAN}" -m comment --comment "ICMP req LANVM" #### ICMP (Ping) # Accept all ping #$IPT -A INPUT -p icmp -j ACCEPT # Accept icmp ping from LAN #$IPT -A INPUT -j ACCEPT -p icmp -i "${ILAN}" -s ${LAN} -d "${IPLAN}" -m comment --comment "ICMP req LAN" if [ $(command -v sshd) ]; then #### SSHD $IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 22 -m state --state NEW -m comment --comment "New SSH in" fi ## BackupPC $IPT -A INPUT -j ACCEPT -p icmp -i "${ILAN}" -s 192.168.0.3 -d "${IPLAN}" -m comment --comment "ICMP FURY req" $IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -s 192.168.0.3 -d "${IPLAN}" --dport 22 -m state --state NEW -m comment --comment "New SSH fury in" if [ $(command -v apache2) ] || [ $(command -v nginx) ]; then #### Web server $IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 80 -m state --state NEW -m comment --comment "New HTTP in" $IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 443 -m state --state NEW -m comment --comment "New HTTPS in" fi if [ $(command -v slapd) ]; then #### slapd #### if 389 is use, ldap connections should be in TLS $IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 389 -m state --state NEW -m comment --comment "New LDAP in" $IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 636 -m state --state NEW -m comment --comment "New LDAPS in" fi if [ $(command -v dhcpd) ]; then #### dhcpd $IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --sport 67:68 --dport 67:68 -m state --state NEW -m comment --comment "New DHCPD in" fi #### PuppetMaster #$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -s "${LAN}" -d "${IPLAN}" --dport 8140 -m state --state NEW -m comment --comment "New Puppet in" #### NFS Server #$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out" #$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out" #$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS in" #$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS in" ## 32769: rpc.quotad #$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 32769 -m state --state NEW -m comment --comment "NFS quotad in" #$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 32769 -m state --state NEW -m comment --comment "NFS quotad in" #### tftp allowed #$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 69 -m state --state NEW -m comment --comment "TFTPD in" #### Printers $IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --sport 161 -m state --state NEW -m comment --comment "SNMP IN" ######################### ## {Multi,Broad}cast ## ######################### #### DROP Multicast & broadcast $IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 255.255.255.255 -m comment --comment "DROP Broadcast1" $IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 129.20.27.255 -m comment --comment "DROP Broadcast2" $IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 129.20.255.255 -m comment --comment "DROP Broadcast3" $IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 224.0.0.1 -m comment --comment "DROP Multicast1" $IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 224.0.0.251 -m comment --comment "DROP Multicast2" ############## ## OUTPUT ## ############## #### Ne pas casser les connexions etablies # $IPT -A OUTPUT -j ACCEPT -p all -o "${ILAN}" -s "${IPLAN}" -m state --state RELATED,ESTABLISHED,UNTRACKED # # #### ICMP reply (Ping) # #$IPT -A OUTPUT -j ACCEPT -p icmp -o "${ILAN}" --icmp-type 0 -s "${IPLAN}" -d 0/0 -m state --state ESTABLISHED,RELATED -m comment --comment "ICMP reply" # # #### SSH # $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 22 -m state --state NEW -m comment --comment "New SSH out" # # #### Mail (rapport d'erreur, ...) # $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 25 -m state --state NEW -m comment --comment "SMTP out" # $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 143 -m state --state NEW -m comment --comment "Imap" # $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 993 -m state --state NEW -m comment --comment "Imaps" # # #### DNS (résolution de noms de domaines, ... ...) # $IPT -A OUTPUT -j ACCEPT -p udp -o ${ILAN} --dport 53 -m state --state NEW -m comment --comment "DNS out udp" # $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 53 -m state --state NEW -m comment --comment "DNS out tcp" if [ $(command -v dhclient) ]; then #### DHCP $IPT -A OUTPUT -j ACCEPT -p udp -o ${ILAN} -s "${IPLAN}" --sport 68 -m comment --comment "DHCPREQUEST" fi #### HTTP (maj, ...) $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 80 -m state --state NEW -m comment --comment "HTTP out" $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 443 -m state --state NEW -m comment --comment "HTTPS out" if [ $(command -v ntpd) ]; then #### NTP $IPT -A OUTPUT -j ACCEPT -p udp -o ${ILAN} --dport 123 -m state --state NEW -m comment --comment "NTP out" fi # #### Puppet (connection, ... ) # $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 8140 -m state --state NEW -m comment --comment "Puppet out" #### OpenPGP HTTP key server (add key, maj, ...) $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 11371 -m state --state NEW -m comment --comment "OpenPGP req" if [ $(command -v apache2) ] || [ $(command -v nginx) ]; then #### Web server $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --sport 80 -m state --state NEW -m comment --comment "New HTTPD out" $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --sport 443 -m state --state NEW -m comment --comment "New HTTPDs out" fi if [ -d /etc/ldap ]; then #### ldap connection should be in TLS or at least in LDAPS/SSL $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 389 -m state --state NEW -m comment --comment "LDAP out" $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 636 -m state --state NEW -m comment --comment "LDAPS out" fi if [ $(command -v dhcpd) ]; then #### dhcpd $IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --sport 67:68 --dport 67:68 -m state --state NEW -m comment --comment "DHCPD out" fi # #### NFS Client # #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out" # #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out" # #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS out" # #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS out" # ## Port spécifié par le serveur NFS contacté # #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 32767 -m state --state NEW -m comment --comment "NFS mountd out" # #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 32767 -m state --state NEW -m comment --comment "NFS mountd out" # # #### Printers # $IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 161 -m state --state NEW -m comment --comment "SNMP OUT" # } # Règles pour de log fw_log() { ############# ## LOG ## ############# # LOG INPUT DROP PAQUET $IPT -N INPLOG $IPT -A INPUT -j INPLOG $IPT -A INPLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [tcp]: " $IPT -A INPLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [udp]: " $IPT -A INPLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [icmp]: " # LOG OUTPUT DROP PAQUET #$IPT -N OUTLOG #$IPT -A OUTPUT -j OUTLOG #$IPT -A OUTLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [tcp]: " #$IPT -A OUTLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [udp]: " #$IPT -A OUTLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [icmp]: " # LOG FORWARD DROP PAQUET $IPT -N FORLOG $IPT -A FORWARD -j FORLOG $IPT -A FORLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-FOR [tcp]: " $IPT -A FORLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-FOR [udp]: " $IPT -A FORLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-FOR [icmp]: " } # Arrêt du firewall fw_stop() { # Supprimer une route ajouter automatiquement ip route del 169.254.0.0/16 # Vider les tables actuelles $IPT -t filter -F # Vider les règles personnelles $IPT -t filter -X $IPT -t nat -F $IPT -t nat -X $IPT -t mangle -F $IPT -t mangle -X $IPT -P INPUT ACCEPT $IPT -P FORWARD ACCEPT $IPT -P OUTPUT ACCEPT $IPT -t nat -P PREROUTING ACCEPT $IPT -t nat -P OUTPUT ACCEPT $IPT -t nat -P POSTROUTING ACCEPT $IPT -t mangle -P PREROUTING ACCEPT $IPT -t mangle -P INPUT ACCEPT $IPT -t mangle -P FORWARD ACCEPT $IPT -t mangle -P OUTPUT ACCEPT $IPT -t mangle -P POSTROUTING ACCEPT } # VPN fw_vpn() { # Allow all traffic throught VPN $IPT -I INPUT -j ACCEPT -p all -i "${ILAN}" -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "VPN in" $IPT -I OUTPUT -j ACCEPT -p all -o "${ILAN}" -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -m comment --comment "VPN out" } # ********************************************************************************************** # # Programme principale # # ----------------------------------------------------------- case "${1}" in start|restart) printf '%s\n' "Start firewall …" fw_stop fw_init # List all available interface except localhost for PATH_ILAN in $(find /sys/class/net/ ! -name lo -type l); do # Interface name ILAN=$(basename ${PATH_ILAN}) IS_UP=$(grep 1 ${PATH_ILAN}/carrier) # Test if interface is connected if [ ${IS_UP} ]; then # Interface IP IPLAN=$(ip route|grep -v "default"|grep ${ILAN}|grep src|awk '{print $NF}') # IP/MASK #IPLAN=$(ip a s "${ILAN}"|grep "inet "|awk '{print $2}') # Interface LAN LAN=$(ip route|grep -v "default"|grep "${IPLAN}"|awk '{print $1}') printf '%b' "${WHITEB}${ILAN} ${GREEN}connected${RESET}: \t${IPLAN} \ton ${LAN}\n" # Load rules for this interface fw_start else printf '%b' "${WHITEB}${ILAN} ${REDB}disconnected${RESET}\n" fi done fw_log ;; stop) printf '%s\n' "Clean all firewall rules" fw_stop ;; test) printf '%b' "Load firewall rules for ${TIME} secondes …\n" $0 start sleep ${TIME} fw_stop ;; vpn) printf '%s\n' "Special rules for VPN interfaces (TUN or TAP)" for PATH_ILAN in $(find /sys/class/net/ \( -iname "*tun*" -o -iname "*tap*" \) -type l ); do ILAN=$(basename ${PATH_ILAN}) IS_UP=$(grep 1 ${PATH_ILAN}/carrier) if [ ${IS_UP} ]; then # IP IPLAN=$(ip route|grep -v "default"|grep ${ILAN}|grep src|awk '{print $NF}') # IP/MASK #IPLAN=$(ip a s "${ILAN}"|grep "inet "|awk '{print $2}') LAN=$(ip route|grep -v "default"|grep "${IPLAN}"|awk '{print $1}') printf '%b' "${WHITEB}${ILAN} ${GREEN}connected${RESET}: \t${IPLAN} \ton ${LAN}\n" # Load special rules for this interface fw_vpn else printf '%b' "${WHITEB}${ILAN} ${REDB}disconnected${RESET}\n" fi done ;; *) echo "Usage: firewall ({start|stop|restart|test})" exit 1 ;; esac # Fin du script exit 0 # Fin de la boucle principale # -----------------------------------------------------------