1
#!/bin/sh
2
#
3
# Generated iptables firewall script for the Linux 2.4 kernel and later.
4
# Script generated by Easy Firewall Generator for IPTables 1.15
5
# copyright 2002 Timothy Scott Morizot
6
# Modified for Slackware Linux by Eric Hameleers <[email protected]>
7
#
8
# This generator is adapted from the original to work on Slackware Linux.
9
# Basically, I corrected the path name to the iptables* commands
10
# and re-wrote this comment.
11
#
12
# It can be executed with the typical start and stop arguments.
13
# If used with stop, it will stop after flushing the firewall.
14
# The save and restore arguments will save or restore the rules
15
# from the /etc/sysconfig/iptables file.  The save and restore
16
# arguments are included to preserve compatibility with
17
# Redhat's or Fedora's init.d script if you prefer to use it.
18
19
# You may want to save this script as /etc/rc.d/rc.firewall
20
# and make it executable, like this:
21
#   chmod +x /etc/rc.d/rc.firewall
22
# Slackware Linux will then automatically run this script
23
# with the "start" parameter.
24
25
###############################################################################
26
#
27
# Local Settings
28
#
29
30
# sysctl location.  If set, it will use sysctl to adjust the kernel parameters.
31
# If this is set to the empty string (or is unset), the use of sysctl
32
# is disabled.
33
34
SYSCTL="/sbin/sysctl -w"
35
36
# To echo the value directly to the /proc file instead
37
# SYSCTL=""
38
39
# IPTables Location - adjust if needed
40
41
IPT="/usr/sbin/iptables"
42
IP6T="/usr/sbin/ip6tables"
43
IPTS="/usr/sbin/iptables-save"
44
IP6TS="/usr/sbin/ip6tables-save"
45
IPTR="/usr/sbin/iptables-restore"
46
IP6TR="/usr/sbin/ip6tables-restore"
47
48
# Internet Interface
49
INET_IFACE="+"
50
51
# Localhost Interface
52
53
LO_IFACE="lo"
54
LO_IP="127.0.0.1"
55
LO_IP6="::1"
56
57
# Save and Restore arguments handled here
58
if [ "$1" = "save" ]
59
then
60
	echo -n "Saving firewall to /etc/sysconfig/iptables ... "
61
	$IPTS > /etc/sysconfig/iptables
62
	$IP6TS > /etc/sysconfig/ip6tables
63
	echo "done"
64
	exit 0
65
elif [ "$1" = "restore" ]
66
then
67
	echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
68
	$IPTR < /etc/sysconfig/iptables
69
	$IP6TR < /etc/sysconfig/ip6tables
70
	echo "done"
71
	exit 0
72
fi
73
74
###############################################################################
75
#
76
# Load Modules
77
#
78
79
echo "Loading kernel modules ..."
80
81
# You should uncomment the line below and run it the first time just to
82
# ensure all kernel module dependencies are OK.  There is no need to run
83
# every time, however.
84
85
# /sbin/depmod -a
86
87
# Unless you have kernel module auto-loading disabled, you should not
88
# need to manually load each of these modules.  Other than ip_tables,
89
# ip_conntrack, and some of the optional modules, I've left these
90
# commented by default.  Uncomment if you have any problems or if
91
# you have disabled module autoload.  Note that some modules must
92
# be loaded by another kernel module.
93
94
# core netfilter module
95
# /sbin/modprobe ip_tables
96
97
# the stateful connection tracking module
98
# /sbin/modprobe ip_conntrack
99
100
# filter table module
101
# /sbin/modprobe iptable_filter
102
103
# mangle table module
104
# /sbin/modprobe iptable_mangle
105
106
# nat table module
107
# /sbin/modprobe iptable_nat
108
109
# LOG target module
110
# /sbin/modprobe ipt_LOG
111
112
# This is used to limit the number of packets per sec/min/hr
113
# /sbin/modprobe ipt_limit
114
115
# masquerade target module
116
# /sbin/modprobe ipt_MASQUERADE
117
118
# filter using owner as part of the match
119
# /sbin/modprobe ipt_owner
120
121
# REJECT target drops the packet and returns an ICMP response.
122
# The response is configurable.  By default, connection refused.
123
# /sbin/modprobe ipt_REJECT
124
125
# This target allows packets to be marked in the mangle table
126
# /sbin/modprobe ipt_mark
127
128
# This target affects the TCP MSS
129
# /sbin/modprobe ipt_tcpmss
130
131
# This match allows multiple ports instead of a single port or range
132
# /sbin/modprobe multiport
133
134
# This match checks against the TCP flags
135
# /sbin/modprobe ipt_state
136
137
# This match catches packets with invalid flags
138
# /sbin/modprobe ipt_unclean
139
140
# The ftp nat module is required for non-PASV ftp support
141
/sbin/modprobe ip_nat_ftp
142
143
# the module for full ftp connection tracking
144
/sbin/modprobe ip_conntrack_ftp
145
146
# the module for full irc connection tracking
147
/sbin/modprobe ip_conntrack_irc
148
149
150
###############################################################################
151
#
152
# Kernel Parameter Configuration
153
#
154
# See http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
155
# for a detailed tutorial on sysctl and the various settings
156
# available.
157
158
# Required to enable IPv4 forwarding.
159
# Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true
160
# Alternatively, it can be set in /etc/sysctl.conf
161
#if [ "$SYSCTL" = "" ]
162
#then
163
#    echo "1" > /proc/sys/net/ipv4/ip_forward
164
#else
165
#    $SYSCTL net.ipv4.ip_forward="1"
166
#fi
167
168
# This enables dynamic address hacking.
169
# This may help if you have a dynamic IP address \(e.g. slip, ppp, dhcp\).
170
#if [ "$SYSCTL" = "" ]
171
#then
172
#    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
173
#else
174
#    $SYSCTL net.ipv4.ip_dynaddr="1"
175
#fi
176
177
# This enables SYN flood protection.
178
# The SYN cookies activation allows your system to accept an unlimited
179
# number of TCP connections while still trying to give reasonable
180
# service during a denial of service attack.
181
if [ "$SYSCTL" = "" ]
182
then
183
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
184
else
185
    $SYSCTL net.ipv4.tcp_syncookies="1"
186
fi
187
188
# This enables source validation by reversed path according to RFC1812.
189
# In other words, did the response packet originate from the same interface
190
# through which the source packet was sent?  It's recommended for single-homed
191
# systems and routers on stub networks.  Since those are the configurations
192
# this firewall is designed to support, I turn it on by default.
193
# Turn it off if you use multiple NICs connected to the same network.
194
if [ "$SYSCTL" = "" ]
195
then
196
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
197
else
198
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
199
fi
200
201
# This option allows a subnet to be firewalled with a single IP address.
202
# It's used to build a DMZ.  Since that's not a focus of this firewall
203
# script, it's not enabled by default, but is included for reference.
204
# See: http://www.sjdjweis.com/linux/proxyarp/
205
#if [ "$SYSCTL" = "" ]
206
#then
207
#    echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
208
#else
209
#    $SYSCTL net.ipv4.conf.all.proxy_arp="1"
210
#fi
211
212
# The following kernel settings were suggested by Alex Weeks. Thanks!
213
214
# This kernel parameter instructs the kernel to ignore all ICMP
215
# echo requests sent to the broadcast address.  This prevents
216
# a number of smurfs and similar DoS nasty attacks.
217
if [ "$SYSCTL" = "" ]
218
then
219
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
220
else
221
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
222
fi
223
224
# This option can be used to accept or refuse source routed
225
# packets.  It is usually on by default, but is generally
226
# considered a security risk.  This option turns it off.
227
if [ "$SYSCTL" = "" ]
228
then
229
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
230
    echo "0" > /proc/sys/net/ipv6/conf/all/accept_source_route
231
else
232
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
233
    $SYSCTL net.ipv6.conf.all.accept_source_route="0"
234
fi
235
236
# This option can disable ICMP redirects.  ICMP redirects
237
# are generally considered a security risk and shouldn't be
238
# needed by most systems using this generator.
239
#if [ "$SYSCTL" = "" ]
240
#then
241
#    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
242
#else
243
#    $SYSCTL net.ipv4.conf.all.accept_redirects="0"
244
#fi
245
246
# However, we'll ensure the secure_redirects option is on instead.
247
# This option accepts only from gateways in the default gateways list.
248
if [ "$SYSCTL" = "" ]
249
then
250
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
251
else
252
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
253
fi
254
255
# This option logs packets from impossible addresses.
256
if [ "$SYSCTL" = "" ]
257
then
258
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
259
else
260
    $SYSCTL net.ipv4.conf.all.log_martians="1"
261
fi
262
263
264
###############################################################################
265
#
266
# Flush Any Existing Rules or Chains
267
#
268
269
echo "Flushing Tables ..."
270
271
# Reset Default Policies
272
$IPT -P INPUT ACCEPT
273
$IP6T -P INPUT ACCEPT
274
$IPT -P FORWARD ACCEPT
275
$IP6T -P FORWARD ACCEPT
276
$IPT -P OUTPUT ACCEPT
277
$IP6T -P OUTPUT ACCEPT
278
$IPT -t nat -P PREROUTING ACCEPT
279
$IP6T -t nat -P PREROUTING ACCEPT
280
$IPT -t nat -P POSTROUTING ACCEPT
281
$IP6T -t nat -P POSTROUTING ACCEPT
282
$IPT -t nat -P OUTPUT ACCEPT
283
$IP6T -t nat -P OUTPUT ACCEPT
284
$IPT -t mangle -P PREROUTING ACCEPT
285
$IP6T -t mangle -P PREROUTING ACCEPT
286
$IPT -t mangle -P OUTPUT ACCEPT
287
$IP6T -t mangle -P OUTPUT ACCEPT
288
289
# Flush all rules
290
$IPT -F
291
$IP6T -F
292
$IPT -t nat -F
293
$IP6T -t nat -F
294
$IPT -t mangle -F
295
$IP6T -t mangle -F
296
297
# Erase all non-default chains
298
$IPT -X
299
$IP6T -X
300
$IPT -t nat -X
301
$IP6T -t nat -X
302
$IPT -t mangle -X
303
$IP6T -t mangle -X
304
305
if [ "$1" = "stop" ]
306
then
307
	echo "Firewall completely flushed!  Now running with no firewall."
308
	exit 0
309
fi
310
311
###############################################################################
312
#
313
# Rules Configuration
314
#
315
316
###############################################################################
317
#
318
# Filter Table
319
#
320
###############################################################################
321
322
# Set Policies
323
324
$IPT -P INPUT DROP
325
$IP6T -P INPUT DROP
326
$IPT -P OUTPUT DROP
327
$IP6T -P OUTPUT DROP
328
$IPT -P FORWARD DROP
329
$IP6T -P FORWARD DROP
330
331
###############################################################################
332
#
333
# User-Specified Chains
334
#
335
# Create user chains to reduce the number of rules each packet
336
# must traverse.
337
338
echo "Create and populate custom rule chains ..."
339
340
# Create a chain to filter INVALID packets
341
342
$IPT -N bad_packets
343
$IP6T -N bad_packets
344
345
# Create another chain to filter bad tcp packets
346
347
$IPT -N bad_tcp_packets
348
$IP6T -N bad_tcp_packets
349
350
# Create separate chains for icmp, tcp (incoming and outgoing),
351
# and incoming udp packets.
352
353
$IPT -N icmp_packets
354
$IP6T -N icmp_packets
355
356
# Used for UDP packets inbound from the Internet
357
$IPT -N udp_inbound
358
$IP6T -N udp_inbound
359
360
# Used to block outbound UDP services from internal network
361
# Default to allow all
362
$IPT -N udp_outbound
363
$IP6T -N udp_outbound
364
365
# Used to allow inbound services if desired
366
# Default fail except for established sessions
367
$IPT -N tcp_inbound
368
$IP6T -N tcp_inbound
369
370
# Used to block outbound services from internal network
371
# Default to allow all
372
$IPT -N tcp_outbound
373
$IP6T -N tcp_outbound
374
375
# GRE tunneling for PPTP VPN - inbound
376
$IPT -N gre_inbound
377
378
# GRE tunneling - outbound
379
$IPT -N gre_outbound
380
381
# OSPF - inbound
382
$IPT -N ospf_inbound
383
$IP6T -N ospf_inbound
384
385
# OSPF - outbound
386
$IPT -N ospf_outbound
387
$IP6T -N ospf_outbound
388
389
###############################################################################
390
#
391
# Populate User Chains
392
#
393
394
# bad_packets chain
395
#
396
397
# Drop INVALID packets immediately
398
$IPT -A bad_packets -p ALL -m conntrack --ctstate INVALID -j LOG \
399
    --log-prefix "Invalid packet: "
400
$IP6T -A bad_packets -p ALL -m conntrack --ctstate INVALID -j LOG \
401
    --log-prefix "Invalid packet: "
402
403
$IPT -A bad_packets -p ALL -m conntrack --ctstate INVALID -j DROP
404
$IP6T -A bad_packets -p ALL -m conntrack --ctstate INVALID -j DROP
405
406
# Then check the tcp packets for additional problems
407
$IPT -A bad_packets -p tcp -j bad_tcp_packets
408
$IP6T -A bad_packets -p tcp -j bad_tcp_packets
409
410
# All good, so return
411
$IPT -A bad_packets -p ALL -j RETURN
412
$IP6T -A bad_packets -p ALL -j RETURN
413
414
# bad_tcp_packets chain
415
#
416
# All tcp packets will traverse this chain.
417
# Every new connection attempt should begin with
418
# a syn packet.  If it doesn't, it is likely a
419
# port scan.  This drops packets in state
420
# NEW that are not flagged as syn packets.
421
422
423
$IPT -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW -j LOG \
424
    --log-prefix "New not syn: "
425
$IP6T -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW -j LOG \
426
    --log-prefix "New not syn: "
427
$IPT -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
428
$IP6T -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
429
430
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
431
    --log-prefix "Stealth scan: "
432
$IP6T -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
433
    --log-prefix "Stealth scan: "
434
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
435
$IP6T -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
436
437
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
438
    --log-prefix "Stealth scan: "
439
$IP6T -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
440
    --log-prefix "Stealth scan: "
441
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
442
$IP6T -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
443
444
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
445
    --log-prefix "Stealth scan: "
446
$IP6T -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
447
    --log-prefix "Stealth scan: "
448
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
449
$IP6T -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
450
451
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
452
    --log-prefix "Stealth scan: "
453
$IP6T -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
454
    --log-prefix "Stealth scan: "
455
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
456
$IP6T -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
457
458
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
459
    --log-prefix "Stealth scan: "
460
$IP6T -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
461
    --log-prefix "Stealth scan: "
462
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
463
$IP6T -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
464
465
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
466
    --log-prefix "Stealth scan: "
467
$IP6T -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
468
    --log-prefix "Stealth scan: "
469
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
470
$IP6T -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
471
472
# All good, so return
473
$IPT -A bad_tcp_packets -p tcp -j RETURN
474
$IP6T -A bad_tcp_packets -p tcp -j RETURN
475
476
# icmp_packets chain
477
#
478
# This chain is for inbound (from the Internet) icmp packets only.
479
# Type 8 (Echo Request) is not accepted by default
480
# Enable it if you want remote hosts to be able to reach you.
481
# 11 (Time Exceeded) is the only one accepted
482
# that would not already be covered by the established
483
# connection rule.  Applied to INPUT on the external interface.
484
#
485
# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
486
# for more info on ICMP types.
487
#
488
# Note that the stateful settings allow replies to ICMP packets.
489
# These rules allow new packets of the specified types.
490
491
# ICMP packets should fit in a Layer 2 frame, thus they should
492
# never be fragmented.  Fragmented ICMP packets are a typical sign
493
# of a denial of service attack.
494
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
495
    --log-prefix "ICMP Fragment: "
496
$IPT -A icmp_packets --fragment -p ICMP -j DROP
497
498
# Echo - uncomment to allow your system to be pinged.
499
# Uncomment the LOG command if you also want to log PING attempts
500
#
501
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
502
#    --log-prefix "Ping detected: "
503
# $IP6T -A icmp_packets -p icmpv6 -s 0/0 --icmpv6-type 128 -j LOG \
504
#    --log-prefix "Ping detected: "
505
 $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
506
 $IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 128 -j ACCEPT
507
508
# By default, however, drop pings without logging. Blaster
509
# and other worms have infected systems blasting pings.
510
# Comment the line below if you want pings logged, but it
511
# will likely fill your logs.
512
#$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
513
#$IP6T -A icmp_packets -p icmpv6 -s 0/0 --icmpv6-type 128 -j DROP
514
515
# Time Exceeded
516
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
517
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 3 -j ACCEPT
518
519
# additional ICMPv6
520
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 1 -j ACCEPT
521
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 2 -j ACCEPT
522
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 4 -j ACCEPT
523
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 130 -j ACCEPT
524
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 131 -j ACCEPT
525
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 132 -j ACCEPT
526
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 134 -j ACCEPT
527
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 135 -j ACCEPT
528
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 136 -j ACCEPT
529
530
# Not matched, so return so it will be logged
531
$IPT -A icmp_packets -p ICMP -j RETURN
532
$IP6T -A icmp_packets -p icmpv6 -j RETURN
533
534
# TCP & UDP
535
# Identify ports at:
536
#    http://www.chebucto.ns.ca/~rakerman/port-table.html
537
#    http://www.iana.org/assignments/port-numbers
538
539
# udp_inbound chain
540
#
541
# This chain describes the inbound UDP packets it will accept.
542
# It's applied to INPUT on the external or Internet interface.
543
# Note that the stateful settings allow replies.
544
# These rules are for new requests.
545
# It drops netbios packets (windows) immediately without logging.
546
547
# Drop netbios calls
548
# Please note that these rules do not really change the way the firewall
549
# treats netbios connections.  Connections from the localhost and
550
# internal interface (if one exists) are accepted by default.
551
# Responses from the Internet to requests initiated by or through
552
# the firewall are also accepted by default.  To get here, the
553
# packets would have to be part of a new request received by the
554
# Internet interface.  You would have to manually add rules to
555
# accept these.  I added these rules because some network connections,
556
# such as those via cable modems, tend to be filled with noise from
557
# unprotected Windows machines.  These rules drop those packets
558
# quickly and without logging them.  This prevents them from traversing
559
# the whole chain and keeps the log from getting cluttered with
560
# chatter from Windows systems.
561
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
562
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
563
564
# Ident requests (Port 113) must have a REJECT rule rather than the
565
# default DROP rule.  This is the minimum requirement to avoid
566
# long delays while connecting.  Also see the tcp_inbound rule.
567
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j REJECT
568
$IP6T -A udp_inbound -p UDP -s ::/0 --destination-port 113 -j REJECT
569
570
# A more sophisticated configuration could accept the ident requests.
571
# $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j ACCEPT
572
# $IP6T -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j ACCEPT
573
574
# Dynamic Address
575
# If DHCP, the initial request is a broadcast. The response
576
# doesn't exactly match the outbound packet.  This explicitly
577
# allow the DHCP ports to alleviate this problem.
578
# If you receive your dynamic address by a different means, you
579
# can probably comment this line.
580
$IPT -A udp_inbound -p UDP --source-port 67 -s 0/0 --destination-port 68 \
581
     -j ACCEPT
582
$IP6T -A udp_inbound -p UDP --source-port 547 -s fe80::/10 --destination-port 546 -d fe80::/10 \
583
     -j ACCEPT
584
#$IP6T -A udp_inbound -p UDP -s ::/0 --destination-port 547 \
585
#     -j ACCEPT
586
587
# mDNS
588
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 5353 \
589
     -j ACCEPT
590
$IP6T -A udp_inbound -p UDP -s ::/0 --destination-port 5353 \
591
     -j ACCEPT
592
593
# SNMP
594
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 161 -j ACCEPT
595
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 162 -j ACCEPT
596
$IP6T -A udp_inbound -p UDP -s ::/0 --destination-port 161 -j ACCEPT
597
$IP6T -A udp_inbound -p UDP -s ::/0 --destination-port 162 -j ACCEPT
598
599
# TFTP
600
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 69 -j ACCEPT
601
$IP6T -A udp_inbound -p UDP -s ::/0 --destination-port 69 -j ACCEPT
602
603
# cups
604
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 631 -j ACCEPT
605
$IP6T -A udp_inbound -p UDP -s 0/0 --destination-port 631 -j ACCEPT
606
607
# Not matched, so return for logging
608
$IPT -A udp_inbound -p UDP -j RETURN
609
$IP6T -A udp_inbound -p UDP -j RETURN
610
611
# udp_outbound chain
612
#
613
# This chain is used with a private network to prevent forwarding for
614
# UDP requests on specific protocols.  Applied to the FORWARD rule from
615
# the internal network.  Ends with an ACCEPT
616
617
618
# No match, so ACCEPT
619
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
620
$IP6T -A udp_outbound -p UDP -s ::/0 -j ACCEPT
621
622
# tcp_inbound chain
623
#
624
# This chain is used to allow inbound connections to the
625
# system/gateway.  Use with care.  It defaults to none.
626
# It's applied on INPUT from the external or Internet interface.
627
628
# Ident requests (Port 113) must have a REJECT rule rather than the
629
# default DROP rule.  This is the minimum requirement to avoid
630
# long delays while connecting.  Also see the tcp_inbound rule.
631
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT
632
$IP6T -A tcp_inbound -p TCP -s ::/0 --destination-port 113 -j REJECT
633
634
# A more sophisticated configuration could accept the ident requests.
635
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j ACCEPT
636
# $IP6T -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j ACCEPT
637
638
# sshd rate-limiting
639
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -m state \
640
	        --state NEW -m recent --update --seconds 600 --hitcount 5 -j LOG \
641
		    --log-prefix "sshd rate-limit: "
642
$IP6T -A tcp_inbound -p TCP -s ::/0 --destination-port 22 -m state \
643
	        --state NEW -m recent --update --seconds 600 --hitcount 5 -j LOG \
644
		    --log-prefix "sshd rate-limit: "
645
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -m state \
646
	        --state NEW -m recent --update --seconds 600 --hitcount 5 -j DROP
647
$IP6T -A tcp_inbound -p TCP -s ::/0 --destination-port 22 -m state \
648
	        --state NEW -m recent --update --seconds 600 --hitcount 5 -j DROP
649
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -m state \
650
	        --state NEW -m recent --set
651
$IP6T -A tcp_inbound -p TCP -s ::/0 --destination-port 22 -m state \
652
	        --state NEW -m recent --set
653
654
# sshd
655
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
656
$IP6T -A tcp_inbound -p TCP -s ::/0 --destination-port 22 -j ACCEPT
657
658
# vnc-zero
659
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 5900 -j ACCEPT
660
$IP6T -A tcp_inbound -p TCP -s ::/0 --destination-port 5900 -j ACCEPT
661
662
# vnc-daniel
663
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 5901 -j ACCEPT
664
$IP6T -A tcp_inbound -p TCP -s ::/0 --destination-port 5901 -j ACCEPT
665
666
# cups
667
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 631 -j ACCEPT
668
$IP6T -A tcp_inbound -p TCP -s 0/0 --destination-port 631 -j ACCEPT
669
670
# httpd
671
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
672
$IP6T -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
673
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT
674
$IP6T -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT
675
676
# rsyncd
677
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 873 -j ACCEPT
678
$IP6T -A tcp_inbound -p TCP -s 0/0 --destination-port 873 -j ACCEPT
679
680
# pleroma
681
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 4000 -j ACCEPT
682
$IP6T -A tcp_inbound -p TCP -s 0/0 --destination-port 4000 -j ACCEPT
683
684
# Not matched, so return so it will be logged
685
$IPT -A tcp_inbound -p TCP -j RETURN
686
$IP6T -A tcp_inbound -p TCP -j RETURN
687
688
# tcp_outbound chain
689
#
690
# This chain is used with a private network to prevent forwarding for
691
# requests on specific protocols.  Applied to the FORWARD rule from
692
# the internal network.  Ends with an ACCEPT
693
694
695
# No match, so ACCEPT
696
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
697
$IP6T -A tcp_outbound -p TCP -s ::/0 -j ACCEPT
698
699
# gre_inbound
700
701
$IPT -A gre_inbound -p gre -s 0/0 -d 0/0 -j ACCEPT
702
703
# gre_outbound
704
705
$IPT -A gre_outbound -p gre -s 0/0 -d 0/0 -j ACCEPT
706
707
# ospf_inbound
708
$IPT -A ospf_inbound -p ospf -s 0/0 -d 0/0 -j ACCEPT
709
$IP6T -A ospf_inbound -p ospf -s ::/0 -d ::/0 -j ACCEPT
710
711
# ospf_outbound
712
$IPT -A ospf_outbound -p ospf -s 0/0 -d 0/0 -j ACCEPT
713
$IP6T -A ospf_outbound -p ospf -s ::/0 -d ::/0 -j ACCEPT
714
715
###############################################################################
716
#
717
# INPUT Chain
718
#
719
720
echo "Process INPUT chain ..."
721
722
# Allow all on localhost interface
723
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
724
$IP6T -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
725
726
# Drop bad packets
727
$IPT -A INPUT -p ALL -j bad_packets
728
$IP6T -A INPUT -p ALL -j bad_packets
729
730
# DOCSIS compliant cable modems
731
# Some DOCSIS compliant cable modems send IGMP multicasts to find
732
# connected PCs.  The multicast packets have the destination address
733
# 224.0.0.1.  You can accept them.  If you choose to do so,
734
# Uncomment the rule to ACCEPT them and comment the rule to DROP
735
# them  The firewall will drop them here by default to avoid
736
# cluttering the log.  The firewall will drop all multicasts
737
# to the entire subnet (224.0.0.1) by default.  To only affect
738
# IGMP multicasts, change '-p ALL' to '-p 2'.  Of course,
739
# if they aren't accepted elsewhere, it will only ensure that
740
# multicasts on other protocols are logged.
741
# Drop them without logging.
742
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
743
# The rule to accept the packets.
744
$IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
745
$IP6T -A INPUT -p ALL -d ff02::1 -j ACCEPT
746
747
748
# Inbound Internet Packet Rules
749
750
# Accept Established Connections
751
$IPT -A INPUT -p ALL -i $INET_IFACE -m conntrack --ctstate ESTABLISHED,RELATED \
752
     -j ACCEPT
753
$IP6T -A INPUT -p ALL -i $INET_IFACE -m conntrack --ctstate ESTABLISHED,RELATED \
754
     -j ACCEPT
755
756
# Route the rest to the appropriate user chain
757
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
758
$IP6T -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
759
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
760
$IP6T -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
761
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
762
$IP6T -A INPUT -p icmpv6 -i $INET_IFACE -j icmp_packets
763
$IPT -A INPUT -p gre -i $INET_IFACE -j gre_inbound
764
$IPT -A INPUT -p ospf -i $INET_IFACE -j ospf_inbound
765
$IP6T -A INPUT -p ospf -i $INET_IFACE -j ospf_inbound
766
767
# Drop without logging broadcasts that get this far.
768
# Cuts down on log clutter.
769
# Comment this line if testing new rules that impact
770
# broadcast protocols.
771
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
772
$IP6T -A INPUT -m pkttype --pkt-type broadcast -j DROP
773
774
# Log packets that still don't match
775
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
776
    --log-prefix "INPUT packet died: "
777
$IP6T -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
778
    --log-prefix "INPUT packet died: "
779
780
###############################################################################
781
#
782
# FORWARD Chain
783
#
784
785
echo "Process FORWARD chain ..."
786
787
# Used if forwarding for a private network
788
789
790
###############################################################################
791
#
792
# OUTPUT Chain
793
#
794
795
echo "Process OUTPUT chain ..."
796
797
# Generally trust the firewall on output
798
799
# However, invalid icmp packets need to be dropped
800
# to prevent a possible exploit.
801
$IPT -A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP
802
$IP6T -A OUTPUT -p icmpv6 -m conntrack --ctstate INVALID -j DROP
803
804
# Localhost
805
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
806
$IP6T -A OUTPUT -p ALL -s $LO_IP6 -j ACCEPT
807
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
808
$IP6T -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
809
810
# To internet
811
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
812
$IP6T -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
813
814
# Log packets that still don't match
815
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
816
    --log-prefix "OUTPUT packet died: "
817
$IP6T -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
818
    --log-prefix "OUTPUT packet died: "
819
820
###############################################################################
821
#
822
# nat table
823
#
824
###############################################################################
825
826
# The nat table is where network address translation occurs if there
827
# is a private network.  If the gateway is connected to the Internet
828
# with a static IP, snat is used.  If the gateway has a dynamic address,
829
# masquerade must be used instead.  There is more overhead associated
830
# with masquerade, so snat is better when it can be used.
831
# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
832
# Another, POSTROUTING, handles snat and masquerade.
833
834
echo "Load rules for nat table ..."
835
836
###############################################################################
837
#
838
# PREROUTING chain
839
#
840
841
842
###############################################################################
843
#
844
# POSTROUTING chain
845
#
846
847
848
###############################################################################
849
#
850
# mangle table
851
#
852
###############################################################################
853
854
# The mangle table is used to alter packets.  It can alter or mangle them in
855
# several ways.  For the purposes of this generator, we only use its ability
856
# to alter the TTL in packets.  However, it can be used to set netfilter
857
# mark values on specific packets.  Those marks could then be used in another
858
# table like filter, to limit activities associated with a specific host, for
859
# instance.  The TOS target can be used to set the Type of Service field in
860
# the IP header.  Note that the TTL target might not be included in the
861
# distribution on your system.  If it is not and you require it, you will
862
# have to add it.  That may require that you build from source.
863
864
echo "Load rules for mangle table ..."