scripts/firewall

388 lines
15 KiB
Bash
Executable File

#!/bin/sh
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $remote_fs $rsyslog
# Required-Stop: $remote_fs $rsyslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Firewall initscript
# Description: Script de parefeu avec iptables
# Pour tester ce script avant de l'appliquer, on peut utiliser la commande:
# service firewall test
# Doc: * http://openvz.org/Using_NAT_for_container_with_private_IPs
# * ...
### END INIT INFO
# Author: Gardouille
# **********************************************************************************************
#
# Variables globales
#
# -----------------------------------------------------------
# Emplacement de iptables
IPT="/sbin/iptables"
# Durée en secondes pour le cas de test des règles du pare-feu
TIME=42
#### Colors definition
export REDB='\033[1;31m'
export GREEN='\033[1;32m'
export WHITEB='\033[1;37m'
export RESET='\033[0m'
fw_init() {
#############
## KERNEL ##
#############
# active la protection Cookie TCP SYN
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Active la protection IP Spoofing
# Effectue une verification de l'adresse source
for SYS in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > ${SYS}
done
# Desactive l'ICMP Redirect
for SYS in /proc/sys/net/ipv4/conf/*/accept_redirects
do
echo 0 > ${SYS}
done
# Desactive les paquets Source-Routed
for SYS in /proc/sys/net/ipv4/conf/*/accept_source_route
do
echo 0 > ${SYS}
done
# Active l'ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#############
## POLICY ##
#############
## drop tout le traffic entrant, sortant et forwardé
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
#$IPT -P OUTPUT DROP
# $IPT -P INPUT ACCEPT
# $IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
############
## BASE ##
############
#### Dropper les nouvelles connections qui n'ont pas le flag syn
$IPT -t filter -A INPUT -j DROP -p tcp ! --syn -m state --state NEW
# Interdire les connections locales qui ne viennent pas de locale
$IPT -A INPUT -j REJECT ! -i lo -d 127.0.0.1/8 -m comment --comment "Reject lo not from lo"
# Autoriser loopback
$IPT -A INPUT -j ACCEPT -i lo -m comment --comment "Loopback in"
$IPT -A OUTPUT -j ACCEPT -o lo -m comment --comment "Loopback out"
##############
## OUTPUT ##
##############
#### ICMP request (Ping)
$IPT -A OUTPUT -j ACCEPT -p icmp -m state --state NEW -m comment --comment "ICMP out"
}
fw_start() {
#############
## INPUT ##
#############
#### Pour tenter de s'y retrouver avec l'affichage des règles iptables, pour l'écriture des règles,
# respecter cet ordre:
# -t TABLE -A CHAINE -j TARGET -p PROTOCOLE -i ETH_IN -o ETH_OUT -s SOURCE -d DESTINATION --sport PORT_SRC --dport PORT_DST -m state --state LIST_OF_STATE -m comment --comment "tiny DESCRIPTION"
####
#### Ne pas casser les connexions etablies
$IPT -A INPUT -j ACCEPT -p all -i "${ILAN}" -d "${IPLAN}" -m state --state RELATED,ESTABLISHED
# $IPT -A FORWARD -j ACCEPT -p all -o "${IVM}" -d "${LANVM}" -m state --state RELATED,ESTABLISHED
#####
# $IPT -A INPUT -j ACCEPT -s 192.168.42.166 -d 192.168.42.1 -m comment --comment "TEST Rules"
# $IPT -A OUTPUT -j ACCEPT -s 192.168.42.1 -d 192.168.42.166 -m comment --comment "TEST Rules"
#
# $IPT -A INPUT -j ACCEPT -p icmp -s ${LANVM} -d "${IPLAN}" -m comment --comment "ICMP req LANVM"
#### ICMP (Ping)
# Accept all ping
#$IPT -A INPUT -p icmp -j ACCEPT
# Accept icmp ping from LAN
#$IPT -A INPUT -j ACCEPT -p icmp -i "${ILAN}" -s ${LAN} -d "${IPLAN}" -m comment --comment "ICMP req LAN"
#### SSHD
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 22 -m state --state NEW -m comment --comment "New SSH in"
## BackupPC
$IPT -A INPUT -j ACCEPT -p icmp -i "${ILAN}" -s 192.168.0.3 -d "${IPLAN}" -m comment --comment "ICMP FURY req"
$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -s 192.168.0.3 -d "${IPLAN}" --dport 22 -m state --state NEW -m comment --comment "New SSH fury in"
#### Apache2 - Web server
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 80 -m state --state NEW -m comment --comment "New HTTP in"
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 443 -m state --state NEW -m comment --comment "New HTTPS in"
if [ $(command -v slapd) ]; then
#### slapd
#### if 389 is use, ldap connections should be in TLS
$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 389 -m state --state NEW -m comment --comment "New LDAP in"
$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 636 -m state --state NEW -m comment --comment "New LDAPS in"
fi
#### dhcpd
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --sport 67:68 --dport 67:68 -m state --state NEW -m comment --comment "New DHCPD in"
#### PuppetMaster
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -s "${LAN}" -d "${IPLAN}" --dport 8140 -m state --state NEW -m comment --comment "New Puppet in"
#### NFS Server
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS in"
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS in"
## 32769: rpc.quotad
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 32769 -m state --state NEW -m comment --comment "NFS quotad in"
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 32769 -m state --state NEW -m comment --comment "NFS quotad in"
#### tftp allowed
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 69 -m state --state NEW -m comment --comment "TFTPD in"
#### Printers
$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --sport 161 -m state --state NEW -m comment --comment "SNMP IN"
#########################
## {Multi,Broad}cast ##
#########################
#### DROP Multicast & broadcast
$IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 255.255.255.255 -m comment --comment "DROP Broadcast1"
$IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 129.20.27.255 -m comment --comment "DROP Broadcast2"
$IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 129.20.255.255 -m comment --comment "DROP Broadcast3"
$IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 224.0.0.1 -m comment --comment "DROP Multicast1"
$IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 224.0.0.251 -m comment --comment "DROP Multicast2"
##############
## OUTPUT ##
##############
#### Ne pas casser les connexions etablies
# $IPT -A OUTPUT -j ACCEPT -p all -o "${ILAN}" -s "${IPLAN}" -m state --state RELATED,ESTABLISHED,UNTRACKED
#
# #### ICMP reply (Ping)
# #$IPT -A OUTPUT -j ACCEPT -p icmp -o "${ILAN}" --icmp-type 0 -s "${IPLAN}" -d 0/0 -m state --state ESTABLISHED,RELATED -m comment --comment "ICMP reply"
#
# #### SSH
# $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 22 -m state --state NEW -m comment --comment "New SSH out"
#
# #### Mail (rapport d'erreur, ...)
# $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 25 -m state --state NEW -m comment --comment "SMTP out"
# $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 143 -m state --state NEW -m comment --comment "Imap"
# $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 993 -m state --state NEW -m comment --comment "Imaps"
#
# #### DNS (résolution de noms de domaines, ... ...)
# $IPT -A OUTPUT -j ACCEPT -p udp -o ${ILAN} --dport 53 -m state --state NEW -m comment --comment "DNS out udp"
# $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 53 -m state --state NEW -m comment --comment "DNS out tcp"
if [ $(command -v dhclient) ]; then
#### DHCP
$IPT -A OUTPUT -j ACCEPT -p udp -o ${ILAN} -s "${IPLAN}" --sport 68 -m comment --comment "DHCPREQUEST"
fi
# #### HTTP (maj, ...)
# $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 80 -m state --state NEW -m comment --comment "HTTP out"
# $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 443 -m state --state NEW -m comment --comment "HTTPS out"
#
# #### NTP
# $IPT -A OUTPUT -j ACCEPT -p udp -o ${ILAN} --dport 123 -m state --state NEW -m comment --comment "NTP"
#
# #### Puppet (connection, ... )
# $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 8140 -m state --state NEW -m comment --comment "Puppet out"
#
# #### OpenPGP HTTP key server (add key, maj, ...)
# $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 11371 -m state --state NEW -m comment --comment "OpenPGP req"
#
# #### Apache2 - Web server
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --sport 80 -m state --state NEW -m comment --comment "New HTTP out"
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --sport 443 -m state --state NEW -m comment --comment "New HTTPS out"
#
# #### dhcpd
# #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --sport 67:68 --dport 67:68 -m state --state NEW -m comment --comment "DHCPD out"
if [ -d /etc/ldap ]; then
#### ldap connection should be in TLS or at least in LDAPS/SSL
$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 389 -m state --state NEW -m comment --comment "LDAP out"
$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 636 -m state --state NEW -m comment --comment "LDAPS out"
fi
# #### NFS Client
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
# #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS out"
# #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS out"
# ## Port spécifié par le serveur NFS contacté
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 32767 -m state --state NEW -m comment --comment "NFS mountd out"
# #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 32767 -m state --state NEW -m comment --comment "NFS mountd out"
#
# #### Printers
# $IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 161 -m state --state NEW -m comment --comment "SNMP OUT"
#
}
# Règles pour de log
fw_log() {
#############
## LOG ##
#############
# LOG INPUT DROP PAQUET
$IPT -N INPLOG
$IPT -A INPUT -j INPLOG
$IPT -A INPLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [tcp]: "
$IPT -A INPLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [udp]: "
$IPT -A INPLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [icmp]: "
# LOG OUTPUT DROP PAQUET
#$IPT -N OUTLOG
#$IPT -A OUTPUT -j OUTLOG
#$IPT -A OUTLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [tcp]: "
#$IPT -A OUTLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [udp]: "
#$IPT -A OUTLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [icmp]: "
# LOG FORWARD DROP PAQUET
$IPT -N FORLOG
$IPT -A FORWARD -j FORLOG
$IPT -A FORLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-FOR [tcp]: "
$IPT -A FORLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-FOR [udp]: "
$IPT -A FORLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-FOR [icmp]: "
}
# Arrêt du firewall
fw_stop() {
# Supprimer une route ajouter automatiquement
ip route del 169.254.0.0/16
# Vider les tables actuelles
$IPT -t filter -F
# Vider les règles personnelles
$IPT -t filter -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
}
# VPN
fw_vpn() {
# Allow all traffic throught VPN
$IPT -A INPUT -j ACCEPT -p all -i "${ILAN}" -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "VPN in"
$IPT -A OUTPUT -j ACCEPT -p all -o "${ILAN}" -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -m comment --comment "VPN out"
}
# **********************************************************************************************
#
# Programme principale
#
# -----------------------------------------------------------
case "${1}" in
start|restart)
printf '%s\n' "Start firewall …"
fw_stop
fw_init
# List all available interface except localhost
for PATH_ILAN in $(find /sys/class/net/ ! -name lo -type l); do
# Interface name
ILAN=$(basename ${PATH_ILAN})
IS_UP=$(grep 1 ${PATH_ILAN}/carrier)
# Test if interface is connected
if [ ${IS_UP} ]; then
# Interface IP
IPLAN=$(ip route|grep -v "default"|grep ${ILAN}|grep src|awk '{print $NF}')
# IP/MASK
#IPLAN=$(ip a s "${ILAN}"|grep "inet "|awk '{print $2}')
# Interface LAN
LAN=$(ip route|grep -v "default"|grep "${IPLAN}"|awk '{print $1}')
printf '%b' "${WHITEB}${ILAN} ${GREEN}connected${RESET}: \t${IPLAN} \ton ${LAN}\n"
# Load rules for this interface
fw_start
else
printf '%b' "${WHITEB}${ILAN} ${REDB}disconnected${RESET}\n"
fi
done
fw_log
;;
stop)
printf '%s\n' "Clean all firewall rules"
fw_stop
;;
test)
printf '%b' "Load firewall rules for ${TIME} secondes …\n"
$0 start
sleep ${TIME}
fw_stop
;;
vpn)
printf '%s\n' "Special rules for VPN interfaces (TUN or TAP)"
for PATH_ILAN in $(find /sys/class/net/ \( -iname "*tun*" -o -iname "*tap*" \) -type l ); do
ILAN=$(basename ${PATH_ILAN})
IS_UP=$(grep 1 ${PATH_ILAN}/carrier)
if [ ${IS_UP} ]; then
# IP
IPLAN=$(ip route|grep -v "default"|grep ${ILAN}|grep src|awk '{print $NF}')
# IP/MASK
#IPLAN=$(ip a s "${ILAN}"|grep "inet "|awk '{print $2}')
LAN=$(ip route|grep -v "default"|grep "${IPLAN}"|awk '{print $1}')
printf '%b' "${WHITEB}${ILAN} ${GREEN}connected${RESET}: \t${IPLAN} \ton ${LAN}\n"
# Load special rules for this interface
fw_vpn
else
printf '%b' "${WHITEB}${ILAN} ${REDB}disconnected${RESET}\n"
fi
done
;;
*)
echo "Usage: firewall ({start|stop|restart|test})"
exit 1
;;
esac
# Fin du script
exit 0
# Fin de la boucle principale
# -----------------------------------------------------------