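#!/bin/sh
# /etc/network/firewall
# Generic Drogon Systems Server Firewall script
#
# Version 1.1.
# Copyright (c) 2011-2013 Gordon Henderson
#
# Rebuilds the default (filter) table from scratch on every run: flushes and
# deletes every chain, creates the log-and-drop / log-and-reject helpers, an
# ICMP accept chain and the inetIn4/inetIn6 input chains, then hooks those two
# chains into INPUT for traffic arriving on $device.
#
# Site allow/block lists live in /etc/network/allowSites4, allowSites6,
# blockSites4 and blockSites6: one address or prefix per line, blank lines and
# lines starting with '#' are ignored.
#
# Maintenance notes:
#  - There is deliberately no 'set -e'.  The script keeps going past a failed
#    rule so that the final log-and-drop catch-all is still installed; watch
#    stderr when running it and re-run after fixing whatever failed.
#  - INPUT's policy stays ACCEPT and only packets arriving on $device are sent
#    to inetIn4/inetIn6.  Traffic on any other interface is not filtered here.
#  - Between the --flush at the top and the final -A INPUT lines the host
#    accepts everything; keep that window in mind when re-running on a live box.

# Hardware device to firewall against
device=eth0

# iptables location
ip4t=/sbin/iptables
ip6t=/sbin/ip6tables

####################################################################################################
# Helpers
####################################################################################################

# in4 / in6 / in46: append one rule to the IPv4 input chain, the IPv6 input
# chain, or both.  Arguments are the rule specification exactly as
# iptables expects it, e.g.  in46 -p tcp --dport www -j ACCEPT
in4()  { "$ip4t" -A inetIn4 "$@"; }
in6()  { "$ip6t" -A inetIn6 "$@"; }
in46() { in4 "$@"; in6 "$@"; }

# make_log_chains: create the logDropN and logRejectN chains for one family.
#   $1 - iptables or ip6tables binary
#   $2 - family suffix appended to the chain names (4 or 6)
# LOG here is neither rate limited nor prefixed, so a burst of unsolicited
# traffic is logged packet for packet (consider -m limit / --log-prefix if
# that ever becomes a problem).
make_log_chains() {
  "$1" -N "logDrop$2"
  "$1" -A "logDrop$2" -j LOG
  "$1" -A "logDrop$2" -j DROP

  "$1" -N "logReject$2"
  "$1" -A "logReject$2" -j LOG
  "$1" -A "logReject$2" -j REJECT
}

# apply_site_list: append one -s <address> rule per entry in a list file.
#   $1 - iptables or ip6tables binary
#   $2 - chain to append to
#   $3 - target (ACCEPT or DROP)
#   $4 - list file, one address/prefix per line
#   $5 - label used in the progress message (e.g. "IPv4 allow")
# Blank lines and lines whose first non-blank character is '#' are skipped.
# The address is passed to iptables as a single argument, so a line with
# trailing text is handed over verbatim rather than word-split into extra
# options.  A missing list file is reported on stderr and skipped.
apply_site_list() {
  # No IFS= on purpose: read trims leading/trailing whitespace, so "  # x" is
  # still recognised as a comment.  -r keeps backslashes literal, and the
  # '|| [ -n "$site" ]' clause keeps a last line that has no trailing newline.
  while read -r site || [ -n "$site" ]; do
    case "$site" in
      ""|\#*) continue ;;
    esac
    printf 'Applying %s to %s\n' "$5" "$site"
    "$1" -A "$2" -s "$site" -j "$3"
  done < "$4"
}

####################################################################################################
# System settings
####################################################################################################

# echo "1" > /proc/sys/net/ipv4/ip_always_defrag
# echo "1" > /proc/sys/net/ipv4/ip_dynaddr   # ?
# echo "1" > /proc/sys/net/ipv4/ip_forward

####################################################################################################
# Flush and remove all chains, set default rules
####################################################################################################

"$ip4t" --flush
"$ip6t" --flush
"$ip4t" --delete-chain
"$ip6t" --delete-chain

"$ip4t" -P OUTPUT ACCEPT
"$ip6t" -P OUTPUT ACCEPT
"$ip4t" -P INPUT  ACCEPT
"$ip6t" -P INPUT  ACCEPT

####################################################################################################
# Create Log & Drop, and Log & Reject tables
####################################################################################################

make_log_chains "$ip4t" 4
make_log_chains "$ip6t" 6

####################################################################################################
# Setup an icmp table
# We're allowing most ICMPs
####################################################################################################
# icmpAcc has no terminal rule: any ICMP type not listed falls back into
# inetIn4 and ends up at the log-and-drop catch-all.  Whether the kernel acts
# on the accepted redirects is governed by the accept_redirects sysctls, not
# by this script.

"$ip4t" -N icmpAcc
for icmp_type in echo-reply echo-request destination-unreachable source-quench \
                 time-exceeded parameter-problem redirect; do
  "$ip4t" -A icmpAcc -p icmp --icmp-type "$icmp_type" -j ACCEPT
done

####################################################################################################
# Define input Firewall and call it inetIn
####################################################################################################

"$ip4t" -N inetIn4
"$ip6t" -N inetIn6

# Look for ICMP types
in4 -p icmp   -j icmpAcc
in6 -p icmpv6 -j ACCEPT

# Let open connections continue
# NOTE(review): this match is stateless -- every TCP segment without SYN is
# accepted whether or not it belongs to a connection this host knows about,
# so unsolicited non-SYN segments are neither filtered nor logged.  The
# stateful form would be  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
in46 -p tcp ! --syn -j ACCEPT

# Sites to allow everything from:
apply_site_list "$ip4t" inetIn4 ACCEPT /etc/network/allowSites4 "IPv4 allow"
apply_site_list "$ip6t" inetIn6 ACCEPT /etc/network/allowSites6 "IPv6 allow"

# Sites to reject (drop) totally
apply_site_list "$ip4t" inetIn4 DROP   /etc/network/blockSites4 "IPv4 block"
apply_site_list "$ip6t" inetIn6 DROP   /etc/network/blockSites6 "IPv6 block"

# Individual cases

# Reject port 113 - Auth and don't log it
# (Reject rather than Deny stops some web servers from timing out)
in46 -p tcp --dport auth -j REJECT

# Drop basic Microsoft services. We have no need for them here and they just
# generate noise in the logs.  These are all DROPs on disjoint matches, so
# the order they land in the chain does not matter.
for port in loc-srv netbios-ns netbios-dgm netbios-ssn microsoft-ds; do
  in46 -p tcp --dport "$port" -j DROP
  in46 -p udp --dport "$port" -j DROP
done

# Some stupid VPS/LAN host is broadcasting this
in4 -p udp --dport 51515 -j DROP
in4 -p tcp --dport 51515 -j DROP

# Allow DNS
# NOTE(review): the --sport rules match on the peer's source port only; any
# host that sends from port 53 (or 123 below) reaches every unprivileged port
# on this machine.  Stateful reply matching would be tighter.
for proto in udp tcp; do
  in46 -p "$proto" --sport 53 --dport 1024: -j ACCEPT
  in46 -p "$proto" --dport 53 -j ACCEPT
done

# Allow FTP
# Note: FTP-Data port range ought to be setup in ProFtpd config file too.
# in46 -p tcp --dport 21 -j ACCEPT                   # FTP
# in46 -p tcp --dport 20 -j ACCEPT                   # FTP-Data
# in46 -p tcp --dport 49152:49999 -j ACCEPT          # FTP-Data
# in46 -p tcp --sport 20 --dport 1024: -j ACCEPT     # FTP-Data

# Allow NTP
in46 -p udp --dport 123 -j ACCEPT
in46 -p udp --sport 123 --dport 1024: -j ACCEPT

# Allow SSH
in46 -p tcp --dport 2212 -j ACCEPT

# Allow WWW & HTTPS traffic
in46 -p tcp --dport www   -j ACCEPT
in46 -p tcp --dport https -j ACCEPT

# Allow SMTP, IMAP and POP-3 traffic
in46 -p tcp --dport smtp -j ACCEPT
# in46 -p tcp --dport submission -j ACCEPT
# in46 -p tcp --dport pop-3 -j ACCEPT
# in46 -p tcp --dport imap2 -j ACCEPT
# in46 -p tcp --dport imap3 -j ACCEPT
# in46 -p tcp --dport imaps -j ACCEPT
# in46 -p udp --dport imap2 -j ACCEPT
# in46 -p udp --dport imap3 -j ACCEPT
# in46 -p udp --dport imaps -j ACCEPT

# Drop and log everything else
in4 -j logDrop4
in6 -j logDrop6

# Finally, connect the inetIn4/inetIn6 tables to the input device
"$ip4t" -A INPUT -i "$device" -j inetIn4
"$ip6t" -A INPUT -i "$device" -j inetIn6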