#-----------------------
# FONCTIONS Firewall
# guibo@guibo.com
# version 1.2
# tested on slk
#-----------------------
load_module() {
IP_MODULES=`/sbin/lsmod | awk '{print $1}' | /bin/grep '^ip' | grep $1`
if [ -z "$IP_MODULES" ]; then
if [ -e $PATH_modules/$1.$EXTENSION_module ]; then
/sbin/insmod $PATH_modules/$1.$EXTENSION_module
else
echo " - MUST HAVE Compiled kernel $1 support"
fi
fi
}
load_module_q() {
IP_MODULES=`/sbin/lsmod | awk '{print $1}'`
if [ -z "$IP_MODULES" ]; then
if [ -e $PATH_modules_q/$1.$EXTENSION_module ]; then
/sbin/insmod $PATH_modules_q/$1.$EXTENSION_module
else
echo " - MUST HAVE Compiled kernel $1 support"
fi
fi
}
flush_regle() {
echo " - Flushing Table"
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X
$IPTABLES -t filter -F INPUT
$IPTABLES -t filter -F OUTPUT
$IPTABLES -t filter -F FORWARD
$IPTABLES -t nat --flush PREROUTING
$IPTABLES -t nat --flush POSTROUTING
$IPTABLES -t nat --flush OUTPUT
$IPTABLES -X
}
zero_compteur() {
echo " - Reseting compteur"
$IPTABLES -t filter -Z INPUT
$IPTABLES -t filter -Z OUTPUT
$IPTABLES -t filter -Z FORWARD
$IPTABLES -t nat -Z PREROUTING
$IPTABLES -t nat -Z POSTROUTING
$IPTABLES -t nat -Z OUTPUT
$IPTABLES -t mangle -F
}
config_kernel() {
echo " - Rejecting non routable ip"
for i in $KERNEL_conf/conf/*/rp_filter ; do echo 1 > $i ; done
echo " - Logging Martians"
if [ -e $KERNEL_conf/conf/all/log_martians ]; then
for i in $KERNEL_conf/conf/*/log_martians ; do
echo 1 > $i ; done
fi
echo " - Ignore broadcast PING"
if [ -e $KERNEL_conf/icmp_echo_ignore_broadcasts ]; then
echo 1 > $KERNEL_conf/icmp_echo_ignore_broadcasts
fi
echo " - Icmp Bogus reponse"
if [ -e $KERNEL_conf/icmp_ignore_bogus_error_responses ]; then
echo 1 > $KERNEL_conf/icmp_ignore_bogus_error_responses
fi
echo " - DROP icmp_redirect"
if [ -e $KERNEL_conf/conf/all/accept_redirects ]; then
echo 0 > $KERNEL_conf/conf/all/accept_redirects
fi
echo " - Active ip_forward"
echo 1 > $KERNEL_conf/ip_forward
if [ -e $KERNEL_conf/conf/all/accept_source_route ];then
echo 1 > $KERNEL_conf/conf/all/accept_source_route
fi
}
net_redirect() {
IF_EXT=$1 # external interface
PORT_ex=$2 # external port to redirect
IP_REDIR_in=$3 # internal IP
PORT_REDIR_in=$4 # internal port
echo " - Redirecting $IF_EXT:$PORT_ex to $IP_REDIR_in:$PORT_REDIR_in"
$IPTABLES -A FORWARD -p tcp -i $IF_EXT --dport $PORT_ex -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $IF_EXT --dport $PORT_ex -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $IF_EXT --dport $PORT_ex \
-j DNAT --to $IP_REDIR_in:$PORT_REDIR_in
}
default_rule() {
echo " - Default rule set"
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# $IPTABLES -A FORWARD -f -j ACCEPT # accept fragment
}
block_nmap() {
echo " - Creating VALID_CHECK rule"
$IPTABLES -N VALID_CHECK
$IPTABLES -F VALID_CHECK
LOGLEVEL=7
# (NMAP) FIN/URG/PSH
$IPTABLES -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS scan: "
# SYN/RST/ACK/FIN/URG
$IPTABLES -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS-PSH scan: "
# ALL/ALL
$IPTABLES -A VALID_CHECK -p tcp --tcp-flags ALL ALL -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS-ALL scan: "
# NMAP FIN Stealth
$IPTABLES -A VALID_CHECK -p tcp --tcp-flags ALL FIN -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth FIN scan: "
# SYN/RST
$IPTABLES -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth SYN/RST scan: "
# SYN/FIN (probably)
$IPTABLES -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth SYN/FIN scan(?): "
# Null scan
$IPTABLES -A VALID_CHECK -p tcp --tcp-flags ALL NONE -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth Null scan: "
# NMAP FIN/URG/PSH
$IPTABLES -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# SYN/RST/ACK/FIN/URG
$IPTABLES -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# ALL/ALL Scan
$IPTABLES -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
# NMAP FIN Stealth
$IPTABLES -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
# SYN/RST
$IPTABLES -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN -- Scan(probably)
$IPTABLES -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# NMAP Null Scan
$IPTABLES -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
# Port 0 fingerprint attempt
echo " - Detecting Fingerprint attempt"
$IPTABLES -N CHECK
$IPTABLES -F CHECK
$IPTABLES -A CHECK -p tcp --dport 0 -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "TCP port 0 OS fingerprint: "
$IPTABLES -A CHECK -p udp --dport 0 -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "UDP port 0 OS fingerprint: "
# Drop port 0 port scan packets
$IPTABLES -A CHECK -p tcp --dport 0 -j DROP
$IPTABLES -A CHECK -p udp --dport 0 -j DROP
}
set_tos() {
# TOS table
# Options:
# Normal-Service = 0 (0x00)
# Minimize-Cost = 2 (0x02)
# Maximize-Reliability = 4 (0x04)
# Maximize-Throughput = 8 (0x08)
# Minimize-Delay = 16 (0x10)
IF_EXT=$1
echo " - Setting Tos"
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport ftp-data -j TOS --set-tos Minimize-Cost
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport ftp -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport ssh -j TOS --set-tos Minimize-Delay
#$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport telnet -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport smtp -j TOS --set-tos Minimize-Cost
$IPTABLES -t mangle -A OUTPUT -p udp -o $IF_EXT --dport domain -j TOS --set-tos Maximize-Throughput
#$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport bootps -j TOS --set-tos Minimize-Delay
# to add http in priority list of QoS, is set in Minimize-Delay not in Maximize-Throughput
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport http -j TOS --set-tos Minimize-Delay
# http internal
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport 81 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport pop3 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport auth -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport ntp -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport imap -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport https -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport imaps -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport pop3s -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport socks -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport 6000:6063 -j TOS --set-tos Maximize-Throughput
# rules for mldonkey
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport 4080 -j MARK --set-mark 1
$IPTABLES -t mangle -A OUTPUT -p tcp -o $IF_EXT --dport 4662 -j MARK --set-mark 1
$IPTABLES -t mangle -A PREROUTING -p tcp --dport ftp-data -j TOS --set-tos Minimize-Cost
$IPTABLES -t mangle -A PREROUTING -p tcp --dport ftp -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
#$IPTABLES -t mangle -A PREROUTING -p tcp --dport telnet -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport smtp -j TOS --set-tos Minimize-Cost
$IPTABLES -t mangle -A PREROUTING -p udp --dport domain -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport bootps -j TOS --set-t Minimize-Delay
# http internal
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 81 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport http -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport pop3 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport auth -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport ntp -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport imap -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport https -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport imaps -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport pop3s -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport socks -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput
}
masquerade_net() {
HOME_NET=$1 # ex: 10.0.1.0/24
echo " - Masquerading $HOME_NET"
$IPTABLES -t nat -A POSTROUTING -s $HOME_NET -j MASQUERADE
}
accept_tcp() {
IN_ETH=$1 # input interface
PORT=$2 # port for network service
echo " - Accept TCP port $PORT on $IN_ETH"
$IPTABLES -A INPUT -p tcp -i $IN_ETH --dport $PORT -j ACCEPT
}
accept_udp() {
IN_ETH=$1 # input interface
PORT=$2 # port for network service
echo " - Accept UDP port $PORT from $IN_ETH"
$IPTABLES -A INPUT -p udp -i $IN_ETH --dport $PORT -j ACCEPT
}
create_block() {
echo " - Creating Block "
$IPTABLES -N block
$IPTABLES -F block
}
accept_interne() {
# accept all traffic from internal network
echo " - Accept traffic coming from internal"
$IPTABLES -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A block -m state --state NEW -i ! $IF_EXT -j ACCEPT
}
reject_host() {
IF_ETH=$1
IP_DENIED=$2
echo " - Deny $IP_DENIED on $IF_ETH"
$IPTABLES -I INPUT -p tcp -s $IP_DENIED -j DROP
$IPTABLES -I INPUT -p udp -s $IP_DENIED -j DROP
}
reject_tcp_udp() {
IF_ETH=$1
IP_DENIED=$2
PORT=$3
echo " - Deny $IP_DENIED on $IF_ETH port $PORT"
$IPTABLES -I INPUT -p tcp -i $IF_ETH --dport $PORT -s $IP_DENIED -j DROP
$IPTABLES -I INPUT -p udp -i $IF_ETH --dport $PORT -s $IP_DENIED -j DROP
}
drop_trojan() {
PORT_DENY=$1
NAME_trojan=$2
PROTOCOL=$3
echo " - Deny $NAME_trojan $PORT_DENY $PROTOCOL"
$IPTABLES -A DENY_PORTS -p $PROTOCOL --dport $PORT_DENY -m limit --limit 5/minute \
-j LOG --log-level 7 --log-prefix "$NAME_trojan:"
$IPTABLES -A DENY_PORTS -p $PROTOCOL --sport $PORT_DENY -m limit --limit 5/minute \
-j LOG --log-level 7 --log-prefix "$NAME_trojan:"
$IPTABLES -A DENY_PORTS -p $PROTOCOL --sport $PORT_DENY -j DROP
$IPTABLES -A DENY_PORTS -p $PROTOCOL --dport $PORT_DENY -j DROP
}
reject_all() {
echo " - Reject all with Block"
$IPTABLES -A block -j LOG
$IPTABLES -A INPUT -j block
$IPTABLES -A FORWARD -j block
$IPTABLES -A block -j REJECT
}
reject_classic() {
echo " - Drop Status invalid, flood and PoD"
# invalid state
$IPTABLES -A INPUT -m state --state INVALID -i $IF_EXT -j DROP
$IPTABLES -A FORWARD -m state --state NEW,INVALID -i $IF_EXT -j DROP
# flood
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# ping of death
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j DROP
echo " - Creating and Applying DENY_PORTS"
$IPTABLES -N DENY_PORTS
$IPTABLES -F DENY_PORTS
# samba
$IPTABLES -A DENY_PORTS -p tcp -i $IF_EXT --dport 137:139 -j DROP
$IPTABLES -A DENY_PORTS -p tcp -i $IF_EXT --sport 137:139 -j DROP
# Drop X
$IPTABLES -A DENY_PORTS -p tcp --dport 5999:6063 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 5999:6063 -j DROP
#Drop VNC
$IPTABLES -A DENY_PORTS -p tcp --dport 5900:5910 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 5900:5910 -j DROP
# Drop NFS
$IPTABLES -A DENY_PORTS -p tcp --dport 2049 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 2049 -j DROP
}
mangle_tc() {
# from http://downloads.thedonkeynetwork.com/dserver_patch/shaped
# This script use QOS (Quality OF Service) to control the bandwidth of the Internet line
# Note : QOS controls only the upload
# CBQ uses timers to control the bandwitdh, and a finer resolution of timer means a finer control of
# the bandwidth
echo " - Setting QoS"
UPLINK=$UPLINK
LOWUP=$LOWUP
DEV=$IF_EXT
LOCALNET=$HOME_NET
AVPKT=200
# clean existing qdiscs, hide errors
tc qdisc del dev $DEV root >/dev/null 2>&1
# qdisc
tc qdisc add dev $DEV root handle 1: cbq avpkt $AVPKT bandwidth 10mbit allot 1514 cell 8 mpu 96
# classe locale pour notre reseau local, on utilise 9mbit seulement.
# tc class add dev $DEV parent 1: classid 1:1 cbq bandwidth 10mbit rate 9mbit allot 1514 maxburst 40 avpkt $AVPKT prio 5 bounded
# shape everything at $UPLINK speed - this prevents huge queues in your
# DSL modem which destroy latency:
# main class
# tc class add dev $DEV parent 1: classid 1:2 cbq bandwidth 10mbit rate ${UPLINK} allot 1514 cell 8 maxburst 10 avpkt $AVPKT bounded prio 1
# high prio class 1:10:
tc class add dev $DEV parent 1: classid 1:10 cbq rate ${UPLINK} weight 118kbit allot 1514 cell 8 prio 1 avpkt $AVPKT isolated
# low prio class 1:20:
tc class add dev $DEV parent 1: classid 1:20 cbq rate ${LOWUP} weight 10kbit allot 1514 prio 8 mpu 96 avpkt $AVPKT bounded
tc qdisc add dev $DEV parent 1:10 handle 10: sfq quantum 1514b perturb 10
tc qdisc add dev $DEV parent 1:20 handle 20: sfq quantum 1514b perturb 10
# comunications on our LAN are at full speed of the link
# Les communications vers le réseau local sont a 10mbit
# tc filter add dev $DEV parent 1:0 protocol ip prio 5 u32 match ip dst $LOCALNET flowid 1:1
# TOS Minimum Delay (ssh) prioritaire
# This is for us, admins, who want to log to our machine remotely with SSH
tc filter add dev $DEV parent 1:0 protocol ip prio 5 u32 match ip tos 0x10 0xff flowid 1:10
# We want SYN packets to be in High priority flow
tc filter add dev $DEV parent 1: protocol ip prio 5 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u8 0x02 0xff at 33 flowid 1:10
# everything else in Low priority flow
tc filter add dev $DEV parent 1: protocol ip prio 5 u32 match ip dst 0.0.0.0/0 flowid 1:20
# mldonkey rules
tc class add dev $DEV parent 1:0 classid 1:3 cbq bandwidth 10Mbit \
rate 10Kbit allot 1514 prio 8 maxburst 2 avpkt 200 bounded
tc filter add dev $DEV parent 1:0 protocol ip handle 1 fw flowid 1:3
}