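#!/bin/sh
#####################################################################
#
# Firewall and masquerading setup script
#
# Written by Piergiorgio Ghezzo
#
# HISTORY:
#
# 1.0 - 14/05/2002 - Initial version
#
# 1.1 - 18/09/2002 - Handling of the NETLINK target to block the
#                    IPs of attackers for a given period
#
# Usage: run as root, normally from the boot scripts.  The script
# rebuilds the whole ruleset (filter, nat and mangle tables) from
# scratch, so it can be re-run after editing without leaving
# duplicated rules behind.
#
# Requires: iptables with the ULOG, NETLINK, psd, length and ttl
# extensions, plus the ulogd and BlockBadIP programs.
#
#####################################################################

# Abort on unset variables (a typo in an interface name must not
# silently turn into a rule that matches everything).  -e is NOT used
# on purpose: an aborted run would leave the kernel's default ACCEPT
# policies in place, which is worse than a partially built ruleset.
set -u

### External interface
INET_IP="212.41.210.168"
INET_IFACE="ppp0"
# With a dynamic IP the address could be read from the interface instead:
# INET_IP=$(ifconfig "$INET_IFACE" | grep P-t-P | awk '{print $2}' | cut -b 6-)

### Internal (LAN) interface
LAN_IP="192.168.4.1"
LAN_IP_RANGE="192.168.4.0/24"
LAN_BCAST_ADRESS="192.168.4.255"
LAN_IFACE="eth0"

# Modem interface
MODEM_IP="10.0.0.1"
MODEM_IFACE="eth1"

## Loopback interface
LO_IFACE="lo"
LO_IP="127.0.0.1"

# LAN host that receives the VNC connections forwarded from the Internet
# (used by the FORWARD rules and by the DNAT rules below).
VNC_HOST="192.168.4.7"

IPTABLES="/sbin/iptables"

# Print a message on stderr and abort.  Only for conditions under which
# no ruleset can be built at all.
die() {
  printf 'firewall: %s\n' "$*" >&2
  exit 1
}

# Print a warning on stderr and keep going.
warn() {
  printf 'firewall: warning: %s\n' "$*" >&2
}

# Load one kernel module.  A failure is reported instead of being
# ignored, but is not fatal: the module may be built into the kernel,
# and the remaining rules are still worth installing.
load_module() {
  /sbin/modprobe "$1" || warn "module $1 not loaded"
}

[ -x "$IPTABLES" ] || die "$IPTABLES not found or not executable"
[ "$(id -u)" -eq 0 ] || die "must be run as root"

### Load the needed modules
load_module ip_tables
load_module iptable_filter
load_module iptable_nat
load_module iptable_mangle
load_module ipt_REJECT
load_module ipt_LOG
load_module ipt_ttl
load_module ipt_ULOG     # needed to save the log into MySQL
load_module ipt_TTL      # needed to hide the router from traceroutes
load_module ipt_NETLINK  # needed to block the attackers' IPs
load_module ipt_state
load_module ipt_psd      # needed to block port scans
load_module ipt_limit    # needed to rate-limit the logs
load_module ipt_length   # needed for the ping checks
load_module ip_nat_ftp   # FTP connection tracking
load_module ip_nat_irc   # DCC connections on IRC

# Close everything BEFORE packet forwarding is switched on, so the box
# never forwards with the kernel's default ACCEPT policy, and flush what
# an earlier run may have left so the rules below are not duplicated
# (re-running the original script failed on "-N" and appended every
# rule a second time).
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -F
"$IPTABLES" -t mangle -X

### Enable packet forwarding
printf 'Setting up IP forwarding: '
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "done"

# Source Address Verification: anti-spoofing on every configured
# interface.  The per-interface flags are set as well as "all", since
# on older kernels writing "all" alone does not enable the check on
# interfaces that already exist.
printf 'Setting up IP spoofing protection: '
for rp in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [ -e "$rp" ] && echo "1" > "$rp"
done
echo "done"
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr   # not needed: the IP is static

# Firewall rules
printf 'Starting firewalling: '

# Separate chains for ICMP, TCP and UDP packets
"$IPTABLES" -N bad_tcp_packets
"$IPTABLES" -N allowed
"$IPTABLES" -N icmp_packets
"$IPTABLES" -N tcp_packets
"$IPTABLES" -N udp_packets

# bad_tcp_packets chain: log and drop NEW TCP packets that carry no SYN.
# The modem interface is excluded because it encapsulates the data, so
# its packets have no SYN.
"$IPTABLES" -A bad_tcp_packets -i ! "$MODEM_IFACE" -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
"$IPTABLES" -A bad_tcp_packets -i ! "$MODEM_IFACE" -p tcp ! --syn -m state --state NEW -j DROP

# allowed chain: new connections only via SYN, then the tracked states
"$IPTABLES" -A allowed -p TCP --syn -j ACCEPT
"$IPTABLES" -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A allowed -p TCP -j DROP

# TCP rules: services reachable from any Internet address.
# NOTE(review): every port here (in particular Webmin on 666 and VNC on
# 5800/5900) is open to the whole Internet; restricting "-s 0/0" to the
# addresses that really need it would shrink the exposed surface.
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport ftp -j allowed     ## FTP
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport ssh -j allowed     ## SSH
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport http -j allowed    ## Web
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport https -j allowed   ## Web
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport auth -j allowed    ## Ident
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 666 -j allowed     ## Webmin
#"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport pop3 -j allowed   ## POP3
#"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport pop3s -j allowed  ## POP3 over SSL
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport imap -j allowed    ## IMAP
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport imaps -j allowed   ## IMAP over SSL
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 5800 -j allowed    ## VNC
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 5900 -j allowed    ## VNC

# UDP rules
# "$IPTABLES" -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT ## ICQ (uses Socks)
# Accept traceroute probes (high UDP ports, fixed length, low TTL)
"$IPTABLES" -A udp_packets -p UDP -s 0/0 --destination-port 33000: -m length --length 38 -m ttl --ttl 2 -j ACCEPT

# ICMP rules: large echo requests are logged (rate-limited), handed to
# NETLINK so the sender gets blocked, and dropped; normal echo requests
# and TTL-exceeded messages are accepted.
"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -m length --length 93: -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "Ping flood: "
"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -m length --length 93: -m limit --limit 1/minute --limit-burst 1 -j ULOG --ulog-nlgroup 1 --ulog-prefix "Ping flood: "
"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -m length --length 93: -j NETLINK --nldrop
"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Accept traffic from the local interfaces and addresses
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -d "$LAN_BCAST_ADRESS" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$MODEM_IFACE" -d "$MODEM_IP" -j ACCEPT

# Detect port scans, log them and block the scanner
"$IPTABLES" -A INPUT -m psd -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "Scanport: "
"$IPTABLES" -A INPUT -m psd -m limit --limit 1/minute -j ULOG --ulog-nlgroup 1 --ulog-prefix "Scanport: "
"$IPTABLES" -A INPUT -m psd -j NETLINK --nldrop

# Rules for traffic coming in from the Internet
"$IPTABLES" -A INPUT -p ALL -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -p TCP -i "$INET_IFACE" -j tcp_packets
"$IPTABLES" -A INPUT -p UDP -i "$INET_IFACE" -j udp_packets
"$IPTABLES" -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets

# Log whatever is left (it is then dropped by the chain policy)
"$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "Pacchetto INPUT rifiutato: "
"$IPTABLES" -A INPUT -m limit --limit 1/minute -j ULOG --ulog-nlgroup 1 --ulog-prefix "Pacchetto INPUT rifiutato: "

# FORWARD chain
"$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets

# Forwarded traffic that is wanted: VNC to the LAN host, anything from
# the LAN, and the tracked replies
"$IPTABLES" -A FORWARD -p TCP -i "$INET_IFACE" -o "$LAN_IFACE" -d "$VNC_HOST" --dport 5800 -j ACCEPT
"$IPTABLES" -A FORWARD -p TCP -i "$INET_IFACE" -o "$LAN_IFACE" -d "$VNC_HOST" --dport 5900 -j ACCEPT
"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log whatever is left
"$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "Pacchetto FORWARD rifiutato: "
"$IPTABLES" -A FORWARD -m limit --limit 1/minute -j ULOG --ulog-nlgroup 1 --ulog-prefix "Traffico FORWARD rifiutato: "

# OUTPUT chain
"$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets

# What is allowed to leave: only packets sourced from our own addresses
"$IPTABLES" -A OUTPUT -o "$LO_IFACE" -p ALL -s "$LO_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -s "$LAN_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -s "$INET_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -s "$MODEM_IP" -j ACCEPT

# Log whatever is left
"$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "Pacchetto OUTPUT rifiutato: "
"$IPTABLES" -A OUTPUT -m limit --limit 1/minute -j ULOG --ulog-nlgroup 1 --ulog-prefix "Pacchetto OUTPUT rifiutato: "

# Hide the server from traceroutes run from the inside (the TTL of
# packets passing through is bumped so this hop never expires them)
"$IPTABLES" -t mangle -A PREROUTING -j TTL --ttl-inc 1

echo "done"

printf 'Starting NAT: '

### Redirect the VNC connections to the LAN host
"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport 5800 -j DNAT --to "$VNC_HOST:5800"
"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport 5900 -j DNAT --to "$VNC_HOST:5900"

# Enable Network Address Translation for the LAN
"$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"

echo "done"

# The helper daemons: their exit status is checked so that a failed
# start is reported instead of always printing "done".
printf 'Starting ulogd: '
if /usr/sbin/ulogd >/dev/null 2>&1; then
  echo "done"
else
  echo "failed"
  warn "ulogd did not start; packets are not being logged to the ULOG target"
fi

printf 'Starting BlockBadIP: '
if /usr/sbin/BlockBadIP -b -s >/dev/null 2>&1; then
  echo "done"
else
  echo "failed"
  warn "BlockBadIP did not start; NETLINK --nldrop packets are not being acted on"
fi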