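#!/bin/sh
#
# basic iptables setting script for inet global ipaddr servers with local
# interface machine.
#
# written by yoshito sasaki(sasaki@livewell.jp)
#
# Usage: run as root after editing the parameters below. The first run must
# keep DEBUG=true: a background watchdog resets every policy to ACCEPT and
# flushes all rules after DEBUG_TIMEOUT seconds, so a mistake in the rule set
# cannot lock you out of a remote session. Once the rules are confirmed to
# work, set DEBUG=false and run the script again.
#
# NOTE: only IPv4 (iptables) is configured here; ip6tables is never touched,
# so any IPv6 address on INET_IF is not filtered by this script.
#
# parameters ==============================================
#LAN_IF=eth1
#LAN_NET=192.168.1.0/24
INET_IF=eth0
#VPN_NET=10.8.0.0/24
#VPN_IF=tun0
#SNAT_WAN=192.168.1.11
#SNAT_LAN=192.168.10.0/24
# !important! if you use this script first time and want to stay a happy day,
# you !must! set it true.
DEBUG=true
# seconds the debug watchdog waits before it clears every rule again.
DEBUG_TIMEOUT=24
# validation ==============================================
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

# print a diagnostic on stderr and stop with status 1. printf is used instead
# of echo because echo's treatment of "\n" differs between /bin/sh
# implementations.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# reset both tables: policies back to ACCEPT, all chains flushed, user-defined
# chains deleted, counters zeroed. shared by the initial reset below and by
# the debug watchdog. returns the status of the first failing command.
clear_all() {
  "$IPTABLES" -P INPUT ACCEPT &&
  "$IPTABLES" -P OUTPUT ACCEPT &&
  "$IPTABLES" -P FORWARD ACCEPT &&
  "$IPTABLES" -t filter -F &&
  "$IPTABLES" -t filter -X &&
  "$IPTABLES" -t filter -Z &&
  "$IPTABLES" -t nat -F &&
  "$IPTABLES" -t nat -X &&
  "$IPTABLES" -t nat -Z
}

# load a kernel module by its historical name ($1), falling back to the
# name newer kernels use for the same helper ($2). if both fail, modprobe
# reports it on stderr; the script does not abort, matching the original
# best-effort behaviour.
load_module() {
  "$MODPROBE" "$1" 2>/dev/null || "$MODPROBE" "$2"
}

# check command exist?
[ -x "$IPTABLES" ] || die "can't find iptables."
[ -x "$MODPROBE" ] || die "can't find modprobe."
# for safety remote control.
# the watchdog is a background job that outlives this script; when it fires
# the host is left with no filtering at all, so use DEBUG=true only for the
# first, attended run.
# ("==" inside [ ] is not POSIX and fails under dash; "!=" is used instead.)
if [ "$DEBUG" != false ]; then
  echo "debug mode. after some seconds, all rules clear."
  (
    sleep "$DEBUG_TIMEOUT" &&
    clear_all &&
    echo "all chain cleared. finish debug mode."
  ) &
fi
# delete all before settings ==============================
# stop here rather than build new rules on top of a half-cleared table.
clear_all || die "failed to reset the existing rule set."
# log & drop for input chain ==============================
"$IPTABLES" -N log_drop_in
#"$IPTABLES" -A log_drop_in -j LOG --log-prefix '[packet in: DROP]'
"$IPTABLES" -A log_drop_in -j DROP
echo 'set drop packet logging chain(for input) done...'
# log & drop for output chain =============================
"$IPTABLES" -N log_drop_out
#"$IPTABLES" -A log_drop_out -j LOG --log-prefix '[packet out: DROP]'
"$IPTABLES" -A log_drop_out -j DROP
echo 'set drop packet logging chain(for output) done...'
# for ip spoof =============================================
# this chain is only consulted if the "-j chk_spoof" jump in inet_in below
# is uncommented; as shipped it is defined but never reached.
"$IPTABLES" -N chk_spoof
# loopback
"$IPTABLES" -A chk_spoof -s 127.0.0.0/8 -j log_drop_in
"$IPTABLES" -A chk_spoof -d 127.0.0.0/8 -j log_drop_in
# historical broadcast
"$IPTABLES" -A chk_spoof -s 0.0.0.0/8 -j log_drop_in
"$IPTABLES" -A chk_spoof -d 0.0.0.0/8 -j log_drop_in
# RFC1918
"$IPTABLES" -A chk_spoof -s 10.0.0.0/8 -j log_drop_in
"$IPTABLES" -A chk_spoof -d 10.0.0.0/8 -j log_drop_in
"$IPTABLES" -A chk_spoof -s 172.16.0.0/12 -j log_drop_in
"$IPTABLES" -A chk_spoof -d 172.16.0.0/12 -j log_drop_in
"$IPTABLES" -A chk_spoof -s 192.168.0.0/16 -j log_drop_in
"$IPTABLES" -A chk_spoof -d 192.168.0.0/16 -j log_drop_in
# link local networks
"$IPTABLES" -A chk_spoof -s 169.254.0.0/16 -j log_drop_in
"$IPTABLES" -A chk_spoof -d 169.254.0.0/16 -j log_drop_in
# test-net
"$IPTABLES" -A chk_spoof -s 192.0.2.0/24 -j log_drop_in
"$IPTABLES" -A chk_spoof -d 192.0.2.0/24 -j log_drop_in
# class d multicast
"$IPTABLES" -A chk_spoof -s 224.0.0.0/4 -j log_drop_in
"$IPTABLES" -A chk_spoof -d 224.0.0.0/4 -j log_drop_in
# class e reserved
"$IPTABLES" -A chk_spoof -s 240.0.0.0/5 -j log_drop_in
"$IPTABLES" -A chk_spoof -d 240.0.0.0/5 -j log_drop_in
# unallocated
"$IPTABLES" -A chk_spoof -s 248.0.0.0/5 -j log_drop_in
"$IPTABLES" -A chk_spoof -d 248.0.0.0/5 -j log_drop_in
# broadcast
"$IPTABLES" -A chk_spoof -s 255.255.255.255/32 -j log_drop_in
"$IPTABLES" -A chk_spoof -d 255.255.255.255/32 -j log_drop_in
# internet input chain ====================================
"$IPTABLES" -N inet_in
# already connected. done
"$IPTABLES" -A inet_in -m state --modprobe="$MODPROBE" \
  --state ESTABLISHED,RELATED -j ACCEPT
# check ip spoofing. if you need drop ipaddr spoofing packets, uncomment here.
#"$IPTABLES" -A inet_in -j chk_spoof
# TCP services
"$IPTABLES" -A inet_in -p tcp --syn -m state --state NEW --dport ftp-data:ftp -j ACCEPT
"$IPTABLES" -A inet_in -p tcp --syn -m state --state NEW \
  -m multiport --dports ssh,smtp,www,pop3,imap,https,submission -j ACCEPT
# auth/ident gets an explicit REJECT instead of falling through to DROP,
# presumably so peers probing it receive an immediate answer rather than
# waiting for a timeout.
"$IPTABLES" -A inet_in -p tcp --syn -m state --state NEW \
  -m multiport --dports auth -j REJECT
# UDP services
#"$IPTABLES" -A inet_in -p udp -m state --state NEW \
# -m multiport --dports domain,ntp,openvpn -j ACCEPT
#"$IPTABLES" -A inet_in -p udp -m state --state NEW -s [manage host] --dport snmp -j ACCEPT
#"$IPTABLES" -A inet_in -p udp -m state --state NEW -s [logger host] --dport syslog -j ACCEPT
# traceroute
"$IPTABLES" -A inet_in -p udp -m state --state NEW \
  --sport 32769:65535 --dport 33434:33523 -j ACCEPT
# other resp
# note: every icmp type is accepted here, not only echo/error replies.
"$IPTABLES" -A inet_in -p icmp -j ACCEPT
"$IPTABLES" -A inet_in -j log_drop_in
echo 'set internet input chain done...'
# internet output chain ===================================
"$IPTABLES" -N inet_out
# already connected or tcp not syn. accept
"$IPTABLES" -A inet_out -m state --modprobe="$MODPROBE" \
  --state ESTABLISHED,RELATED -j ACCEPT
# TCP services
#"$IPTABLES" -A inet_out -p tcp --syn -m state --state NEW \
# --dport ftp-data:ftp -j ACCEPT
"$IPTABLES" -A inet_out -p tcp --syn -m state --state NEW \
  -m multiport --dports smtp,domain,auth,www,https -j ACCEPT
# UDP services
"$IPTABLES" -A inet_out -p udp -m state --state NEW \
  -m multiport --dports domain,ntp -j ACCEPT
# traceroute
"$IPTABLES" -A inet_out -p udp -m state --state NEW \
  --sport 32769:65535 --dport 33434:33523 -j ACCEPT
# other resp
"$IPTABLES" -A inet_out -p icmp -j ACCEPT
"$IPTABLES" -A inet_out -j log_drop_out
echo 'set internet output chain done...'
# base line settings ======================================
# input -------------------------------------
"$IPTABLES" -A INPUT -i lo -j ACCEPT
# if use VPN
##"$IPTABLES" -A INPUT -i $VPN_IF -j ACCEPT
#"$IPTABLES" -A INPUT -i tun+ -j ACCEPT
# illegal state packet drop
"$IPTABLES" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# available service check and drop
"$IPTABLES" -A INPUT -i "$INET_IF" -j inet_in
# anything that did not arrive on lo or INET_IF (a LAN or VPN interface
# without its own rule above) ends here and is dropped.
"$IPTABLES" -A INPUT -j log_drop_in
# output ------------------------------------
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT
# if use VPN
##"$IPTABLES" -A OUTPUT -o $VPN_IF -j ACCEPT
#"$IPTABLES" -A OUTPUT -o tun+ -j ACCEPT
# usable outside service check and drop
"$IPTABLES" -A OUTPUT -o "$INET_IF" -j inet_out
"$IPTABLES" -A OUTPUT -j log_drop_out
# MASQUERADING
# with /proc/sys/net/ipv4/ip_forward = 1
#"$IPTABLES" -A FORWARD -i $LAN_IF -s $SNAT_LAN -j ACCEPT
#"$IPTABLES" -A FORWARD -i $INET_IF -d $SNAT_LAN -j ACCEPT
#"$IPTABLES" -t nat -A POSTROUTING -o $INET_IF -j SNAT --to-source $SNAT_WAN
## VPN forwarding
##"$IPTABLES" -A FORWARD -i $VPN_IF -d $LAN_NET -j ACCEPT
#"$IPTABLES" -A FORWARD -i tun+ -j ACCEPT
##"$IPTABLES" -A FORWARD -o $VPN_IF -j ACCEPT
#"$IPTABLES" -A FORWARD -o tun+ -j ACCEPT
##"$IPTABLES" -t nat -A POSTROUTING -s $VPN_NET -d $LAN_NET -j MASQUERADE
# policy drop =============================================
# default policies are switched to DROP only after every accept rule is in
# place, so a remote session is not cut mid-way through the script.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP
# loading modules =========================================
# conntrack/nat helpers for ftp and tftp, so their secondary connections can
# be tracked and matched by the ESTABLISHED,RELATED rules above. the ip_*
# names are the historical ones this script used; nf_* is what newer
# kernels ship.
load_module ip_nat_ftp nf_nat_ftp
load_module ip_conntrack_ftp nf_conntrack_ftp
load_module ip_nat_tftp nf_nat_tftp
load_module ip_conntrack_tftp nf_conntrack_tftp
echo 'firewall settings complete!'
# "exit $?" after an echo always returned 0; make the success status explicit.
exit 0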