commit | author | age
|
7c99ef
|
1 |
#!/bin/sh |
T |
2 |
# |
|
3 |
# /sbin/bastille-netfilter Load/unload netfilter rulesets |
|
4 |
# |
|
5 |
# $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-netfilter,v $ |
|
6 |
# Modified by: $Author: peterw $ |
|
7 |
# $Date: 2002/01/11 02:23:14 $ |
|
8 |
# $Revision: 1.27 $ |
|
9 |
# |
|
10 |
# Copyright (C) 1999-2001 Peter Watkins |
|
11 |
# |
|
12 |
# This program is distributed in the hope that it will be useful, |
|
13 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
14 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
15 |
# GNU General Public License for more details. |
|
16 |
# |
|
17 |
# You should have received a copy of the GNU General Public License |
|
18 |
# along with this program; if not, write to the Free Software |
|
19 |
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
|
20 |
# |
|
21 |
# Thanks to David Ranch, Brad A, Don G, Jay Beale and others |
|
22 |
# (especially the netfilter mailing list!) for their suggestions |
|
23 |
# |
|
24 |
# This script is designed to be called BY a SysV-style init script. |
|
25 |
# |
|
26 |
# It should be run with a "start" argument |
|
27 |
# 1) BY an rc?.d "S" script, _before_ the "network" script |
|
28 |
# (normally via the "bastille-firewall" init script; |
|
29 |
# as of 2001/02/14, the only purpose of bastille-firewall |
|
30 |
# is to start this script) |
|
31 |
# 2) any time an interface is brought up or changed, e.g. |
|
32 |
# establishing a PPP conection or renewing a DHCP lease |
|
33 |
# [also copy 'bastille-firewall-reset', 'bastille-firewall-schedule' and |
|
34 |
# 'ifup-local' to /sbin/ (in addition to the bastille-firewall init script] |
|
35 |
# |
|
36 |
# Normally you Do Not _Ever_ Want to run this with a "stop" argument! |
|
37 |
# |
|
38 |
# Note that running this with "stop" will disable the firewall and open |
|
39 |
# your system to all network traffic; if you make changes to these rules, |
|
40 |
# apply them by running the script again with a "start" argument. |
|
41 |
|
|
42 |
PATH=/bin:/sbin:/usr/bin:/usr/sbin |
|
43 |
IPTABLES=/sbin/iptables |
|
44 |
CONFIG=/etc/Bastille/bastille-firewall.cfg |
|
45 |
|
|
46 |
if [ ! -x ${IPTABLES} ]; then |
|
47 |
echo "ERROR: \"${IPTABLES}\" does not exist!" |
|
48 |
if [ -x /sbin/bastille-ipchains ]; then |
|
49 |
# better to fall back to 'ipchains' than do nothing |
|
50 |
unset IPTABLES |
|
51 |
echo "Executing /sbin/bastille-ipchains $1" |
|
52 |
/sbin/bastille-ipchains $1 |
|
53 |
exit $? |
|
54 |
fi |
|
55 |
exit 1 |
|
56 |
fi |
|
57 |
|
|
58 |
if [ ! -f ${CONFIG} ]; then |
|
59 |
echo "ERROR: unable to read configuration file \"${CONFIG}\"" |
|
60 |
exit 1 |
|
61 |
fi |
|
62 |
|
|
63 |
# source the configuration file, which will set environment variables |
|
64 |
. ${CONFIG} |
|
65 |
|
|
66 |
if [ -z "${REJECT_METHOD}" ]; then |
|
67 |
echo "ERROR: no reject method specified (corrupt config file?) Exiting!" |
|
68 |
exit 1 |
|
69 |
fi |
|
70 |
|
|
71 |
|
|
72 |
# |
|
73 |
# Computed values |
|
74 |
# |
|
75 |
# These things should be queried/computed at run time |
|
76 |
# |
|
77 |
# LOCAL_ADDRESSES |
|
78 |
# |
|
79 |
# LOCAL_ADDRESSES lists all IP addresses for this server |
|
80 |
# (for the INTERNAL_SERVICES rules); if you have virtual |
|
81 |
# network devices, you may want to hand-code this, e.g. |
|
82 |
# LOCAL_ADDRESSES="127.0.0.0/8" |
|
83 |
# |
|
84 |
# The following makes a list of all current IP addresses |
|
85 |
LOCAL_ADDRESSES=`ifconfig | grep "inet addr" | awk '{print $2}' | awk -F: '{print $2"/32"}' | sed s:127\.0\.0\.1/32:127.0.0.1/8: ` |
|
86 |
# |
|
87 |
# |
|
88 |
# DEFAULT_GW_IFACE |
|
89 |
# |
|
90 |
# The name of the address that is the default gateway (for SNAT) |
|
91 |
DEFAULT_GW_IFACE=`netstat -nr | awk '$1 == "0.0.0.0" {print $8}'` |
|
92 |
# |
|
93 |
# |
|
94 |
# INTERNAL_NETWORKS |
|
95 |
# |
|
96 |
# INTERNAL_NETWORKS lists the masked networks for the INT_INTERFACES |
|
97 |
# e.g. INTERNAL_NETWORKS="10.0.0.0/255.0.0.0" |
|
98 |
# The following makes a list of all current internal IP addresses _with netmasks_ |
|
99 |
for i in ${INTERNAL_IFACES} ; do |
|
100 |
INTERNAL_NETWORKS="${INTERNAL_NETWORKS} `ifconfig ${i} | grep "inet addr" | awk '{print $2":"$4}' | awk -F: '{print $2"/"$4}' | sed 's:127\.0\.0\.1/$:127.0.0.1/8:'`" |
|
101 |
if [ $i = "${DEFAULT_GW_IFACE}" ]; then |
|
102 |
DEFAULT_GW_IP=`ifconfig ${i} | grep "inet addr" | awk '{print $2}'` |
|
103 |
fi |
|
104 |
done |
|
105 |
# |
|
106 |
# |
|
107 |
# CALLED_METHOD |
|
108 |
# |
|
109 |
# Variable to hold $1, for use in functions (which have their own $1 vars) |
|
110 |
CALLED_METHOD="$1" |
|
111 |
# |
|
112 |
# |
|
113 |
# REJECT_METHOD |
|
114 |
# |
|
115 |
# Convert ipchains/DENY to netfilter/DROP |
|
116 |
if [ "${REJECT_METHOD}" = "DENY" ]; then |
|
117 |
REJECT_METHOD="DROP" |
|
118 |
fi |
|
119 |
|
|
120 |
# counter number to help toubleshoot |
|
121 |
RULENUM=0 |
|
122 |
|
|
123 |
# |
|
124 |
# Shell functions |
|
125 |
# |
|
126 |
# include_supplemental |
|
127 |
# source supplemental (plug-in) firewall scripts |
|
128 |
include_supplemental() |
|
129 |
{ |
|
130 |
# args: $1 = nickname for the supplemental phase |
|
131 |
nickname="$1" |
|
132 |
if [ -e /etc/Bastille/firewall.d/${nickname}.sh ]; then |
|
133 |
cd /etc/Bastille/firewall.d && . ./${nickname}.sh |
|
134 |
fi |
|
135 |
if [ -d /etc/Bastille/firewall.d/${nickname}.d ]; then |
|
136 |
for s in `ls /etc/Bastille/firewall.d/${nickname}.d/*.sh`; do |
|
137 |
cd /etc/Bastille/firewall.d/${nickname}.d && \ |
|
138 |
. ${s} |
|
139 |
done |
|
140 |
fi |
|
141 |
} |
|
142 |
# |
|
143 |
# incr_rule_num |
|
144 |
# Increment counter number to help toubleshoot |
|
145 |
incr_rule_num() |
|
146 |
{ |
|
147 |
RULENUM=`expr $RULENUM + 1` |
|
148 |
return 0 |
|
149 |
} |
|
150 |
# |
|
151 |
# do_masq_mods |
|
152 |
# Function to load/unload NAT kernel modules |
|
153 |
do_masq_mods() |
|
154 |
{ |
|
155 |
# args: $1 = "load" or "unload" |
|
156 |
# |
|
157 |
# find the currently loaded modules |
|
158 |
masq_mods=`lsmod | awk '{print $1}' | grep '^ip_nat_'` |
|
159 |
# |
|
160 |
# Step 1: unload unwanted modules |
|
161 |
for m in ${masq_mods} ; do |
|
162 |
UNLOAD_THIS_MOD=Y |
|
163 |
for normal_mod in ${IP_MASQ_MODULES} ; do |
|
164 |
if [ "ip_nat_${normal_mod}" = $m -o "ip_nat_${normal_mod}_conntrack" = $m ]; then |
|
165 |
# this module is _supposed_ to be loaded |
|
166 |
UNLOAD_THIS_MOD=N |
|
167 |
fi |
|
168 |
done |
|
169 |
if [ "${CALLED_METHOD}" = "stop" -o -z "${IP_MASQ_NETWORK}" ]; then |
|
170 |
# we're either disabling the firewall or we've disabled masquerading, |
|
171 |
# so we should unload _all_ masq modules |
|
172 |
UNLOAD_THIS_MOD=Y |
|
173 |
fi |
|
174 |
if [ $UNLOAD_THIS_MOD = "Y" -a $1 = "unload" ]; then |
|
175 |
rmmod ${m} || echo "Error unloading ${m} module" |
|
176 |
fi |
|
177 |
done |
|
178 |
# Step 2: load wanted modules that are not already loaded |
|
179 |
if [ $1 = "load" ]; then |
|
180 |
for normal_mod in ${IP_MASQ_MODULES} ; do |
|
181 |
MOD_LOADED=N |
|
182 |
for m in ${masq_mods} ; do |
|
183 |
if [ "ip_nat_${normal_mod}" = $m ]; then |
|
184 |
MOD_LOADED=Y |
|
185 |
fi |
|
186 |
done |
|
187 |
if [ $MOD_LOADED = "N" ]; then |
|
188 |
insmod "ip_nat_${normal_mod}" || echo "Error loading ip_nat_${normal_mod} module" |
|
189 |
fi |
|
190 |
# try to load any _conntrack variants |
|
191 |
modprobe "ip_nat_${normal_mod}_conntrack" 2>/dev/null |
|
192 |
done |
|
193 |
fi |
|
194 |
} |
|
195 |
|
|
196 |
# See how we were called. |
|
197 |
case "$1" in |
|
198 |
start|restart|reload) |
|
199 |
# |
|
200 |
# anything to do before resetting? |
|
201 |
include_supplemental pre-reset |
|
202 |
# |
|
203 |
# Make sure we don't have any ipchains rules! |
|
204 |
for c in INPUT OUTPUT FORWARD; do |
|
205 |
ipchains -P ${c} DENY 2>/dev/null |
|
206 |
ipchains -F ${c} 2>/dev/null |
|
207 |
done |
|
208 |
ipchains -X 2>/dev/null |
|
209 |
rmmod ipchains 2>/dev/null |
|
210 |
# |
|
211 |
# For Red Hat users, let's ensure that its firewalls are disabled |
|
212 |
rhtest_ipchains=`chkconfig --list ipchains 2>/dev/null | grep :on` |
|
213 |
rhtest_iptables=`chkconfig --list iptables 2>/dev/null | grep :on` |
|
214 |
bftest=`chkconfig --list bastille-firewall 2>/dev/null | grep :on` |
|
215 |
if [ \( -n "${rhtest_ipchains}" -o -n "${rhtest_iptables}" \) -a -n "${bftest}" ]; then |
|
216 |
echo |
|
217 |
echo "bastille-firewall conflicts with Red Hat 7.1's 'ipchains'" |
|
218 |
echo "and 'iptables' firewalls. We are disabling Red Hat's firewalls." |
|
219 |
[ -n "${rhtest_ipchains}" ] && chkconfig --level 0123456 ipchains off |
|
220 |
[ -n "${rhtest_iptables}" ] && chkconfig --level 0123456 iptables off |
|
221 |
echo |
|
222 |
fi |
|
223 |
# |
|
224 |
# Make sure the iptables/netfilter kernel module is loaded |
|
225 |
modprobe ip_tables |
|
226 |
# |
|
227 |
# Clean up the default chains |
|
228 |
# |
|
229 |
# we set defaults to DROP to minimize possible interruptions |
|
230 |
# if this script is re-run to reset rules |
|
231 |
# |
|
232 |
for chain in INPUT OUTPUT FORWARD ; do |
|
233 |
${IPTABLES} -P ${chain} DROP |
|
234 |
# flush rules |
|
235 |
${IPTABLES} -F ${chain} |
|
236 |
done |
|
237 |
# |
|
238 |
for chain in PREROUTING POSTROUTING ; do |
|
239 |
${IPTABLES} -t nat -F ${chain} |
|
240 |
done |
|
241 |
${IPTABLES} -t mangle -F PREROUTING |
|
242 |
# Our custom chains |
|
243 |
for chain in PUB_IN PUB_OUT INT_IN INT_OUT ; do |
|
244 |
${IPTABLES} -N ${chain} 2> /dev/null |
|
245 |
${IPTABLES} -F ${chain} |
|
246 |
${IPTABLES} -A ${chain} -j DROP |
|
247 |
done |
|
248 |
|
|
249 |
# PAROLE chain is used for TCP services |
|
250 |
${IPTABLES} -N PAROLE 2> /dev/null |
|
251 |
${IPTABLES} -F PAROLE |
|
252 |
if [ "${IP_ALWAYS_USE_STATE}" = "Y" ]; then |
|
253 |
# nmap NULL scans pass the --syn test, but this doesn't seem |
|
254 |
# to catch them, either |
|
255 |
[ "${LOG_FAILURES}" = "Y" ] && \ |
|
256 |
${IPTABLES} -A PAROLE -p tcp --tcp-flags ALL NONE -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PAROLE ${REJECT_METHOD} $RULENUM" ; incr_rule_num |
|
257 |
${IPTABLES} -A PAROLE -p tcp --tcp-flags ALL NONE -j ${REJECT_METHOD} |
|
258 |
${IPTABLES} -A PAROLE -p tcp -m state --state NEW --syn -j ACCEPT |
|
259 |
[ "${LOG_FAILURES}" = "Y" ] && \ |
|
260 |
${IPTABLES} -A PAROLE -p tcp -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PAROLE ${REJECT_METHOD} $RULENUM" ; incr_rule_num |
|
261 |
${IPTABLES} -A PAROLE -p tcp -j ${REJECT_METHOD} |
|
262 |
fi |
|
263 |
${IPTABLES} -A PAROLE -j ACCEPT |
|
264 |
|
|
265 |
# Run our "early" custom script if it exists |
|
266 |
[ -f /etc/Bastille/bastille-firewall-early.sh ] && . /etc/Bastille/bastille-firewall-early.sh |
|
267 |
|
|
268 |
# any new-style "early" plugins? |
|
269 |
include_supplemental early |
|
270 |
|
|
271 |
# enable stateful rules |
|
272 |
modprobe ip_conntrack |
|
273 |
modprobe ip_conntrack_ftp |
|
274 |
modprobe ipt_LOG |
|
275 |
|
|
276 |
# from the ipchains HOWTO |
|
277 |
if [ "${ENABLE_SRC_ADDR_VERIFY}" = "Y" ]; then |
|
278 |
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then |
|
279 |
echo -n "Setting up IP spoofing protection..." |
|
280 |
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do |
|
281 |
echo 1 > $f |
|
282 |
done |
|
283 |
echo " done." |
|
284 |
else |
|
285 |
echo "WARNING: errors encountered while trying to enable IP spoofing protection!" |
|
286 |
fi |
|
287 |
fi |
|
288 |
|
|
289 |
include_supplemental pre-local-block |
|
290 |
|
|
291 |
# Block any non-local attempts to get localhost addresses |
|
292 |
# per woody@thebunker.net's bugtraq post |
|
293 |
[ "${LOG_FAILURES}" = "Y" ] && \ |
|
294 |
${IPTABLES} -A INPUT -p tcp -d 127.0.0.0/8 ! -i lo -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM" ; incr_rule_num |
|
295 |
${IPTABLES} -A INPUT -p tcp -d 127.0.0.0/8 ! -i lo -j ${REJECT_METHOD} |
|
296 |
|
|
297 |
# Uncomment this to really, truly block active FTP |
|
298 |
# (shouldn't be necessary if ip_conntrack_ftp does its job) |
|
299 |
#if [ ${FORCE_PASV_FTP} = "Y" ]; then |
|
300 |
# [ "${LOG_FAILURES}" = "Y" ] && \ |
|
301 |
# ${IPTABLES} -A INPUT -p tcp --sport ftp-data -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
|
302 |
# ${IPTABLES} -A INPUT -p tcp --sport ftp-data -j ${REJECT_METHOD} |
|
303 |
# [ "${LOG_FAILURES}" = "Y" ] && \ |
|
304 |
# ${IPTABLES} -A FORWARD -p tcp --sport ftp-data -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
|
305 |
# ${IPTABLES} -A FORWARD -p tcp --sport ftp-data -j ${REJECT_METHOD} |
|
306 |
#fi |
|
307 |
|
|
308 |
include_supplemental pre-established |
|
309 |
|
|
310 |
# Stateful data returns (this should include ICMP messages) |
|
311 |
# ...for data to this box |
|
312 |
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
313 |
${IPTABLES} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
314 |
|
|
315 |
# Fragments |
|
316 |
if [ "${ALLOW_FRAGMENTS}" = "N" ]; then |
|
317 |
[ "${LOG_FAILURES}" = "Y" ] && \ |
|
318 |
${IPTABLES} -A INPUT -f -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
|
319 |
${IPTABLES} -A INPUT -f -j ${REJECT_METHOD} |
|
320 |
fi |
|
321 |
|
|
322 |
include_supplemental pre-trusted |
|
323 |
|
|
324 |
# Allow all traffic from trusted interfaces |
|
325 |
echo -n "Allowing traffic from trusted interfaces..." |
|
326 |
for t_iface in ${TRUSTED_IFACES} ; do |
|
327 |
# we could be pickier here, e.g. only allow traffic |
|
328 |
# that looks valid |
|
329 |
${IPTABLES} -A INPUT -i ${t_iface} -j ACCEPT |
|
330 |
done |
|
331 |
echo " done. " |
|
332 |
|
|
333 |
# If you have networks that route traffic to each other through this |
|
334 |
# server, you may want to add some forwarding rules, here, e.g. |
|
335 |
# one way, 192.168.*.* -> 10.*.*.* with 192.168.*.* on "eth0" |
|
336 |
# |
|
337 |
# Note: I _think_ this is right; if not, please let me know! |
|
338 |
# |
|
339 |
#${IPTABLES} -A FORWARD -i eth0 -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT |
|
340 |
# the other direction, 10.*.*.* -> 192.168.*.* with 10.*.*.* on "eth1" |
|
341 |
#${IPTABLES} -A FORWARD -i eth1 -d 192.168.0.0/16 -s 10.0.0.0/8 -j ACCEPT |
|
342 |
|
|
343 |
include_supplemental pre-mcast-block |
|
344 |
|
|
345 |
# No packets with multicast source addresses (Joshua K, RFC 1122) |
|
346 |
# (If you want to enable multicast, comment this out!) |
|
347 |
[ "${LOG_FAILURES}" = "Y" ] && \ |
|
348 |
${IPTABLES} -A INPUT -s 224.0.0.0/4 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
|
349 |
${IPTABLES} -A INPUT -s 224.0.0.0/4 -j ${REJECT_METHOD} |
|
350 |
|
|
351 |
# Forwarding |
|
352 |
|
|
353 |
include_supplemental pre-nat |
|
354 |
|
|
355 |
# IP Masquerading/forwarding |
|
356 |
# |
|
357 |
# Unload masq modules (maybe we're disabling masquerading, maybe we changed the module list) |
|
358 |
#do_masq_mods unload |
|
359 |
# |
|
360 |
if [ -n "${IP_MASQ_NETWORK}" ]; then |
|
361 |
echo -n "Loading NAT modules..." |
|
362 |
modprobe iptable_nat |
|
363 |
echo " done." |
|
364 |
echo -n "Setting up masquerading rules..." |
|
365 |
# since we've set the default forwarding policy to |
|
366 |
# reject, we can enable forwarding now |
|
367 |
echo 1 > /proc/sys/net/ipv4/ip_forward |
|
368 |
# set up rules for masqueraded networks |
|
369 |
for net in ${IP_MASQ_NETWORK} ; do |
|
370 |
for pub in ${PUBLIC_IFACES} ; do |
|
371 |
# NAT should be one-way, deny traffic from public |
|
372 |
# interfaces that is addresses to masq'ed networks |
|
373 |
[ "${LOG_FAILURES}" = "Y" ] && \ |
|
374 |
${IPTABLES} -A INPUT -d ${net} -i ${pub} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
|
375 |
${IPTABLES} -A INPUT -d ${net} -i ${pub} -j ${REJECT_METHOD} |
|
376 |
# spoofed addreses from outside |
|
377 |
[ "${LOG_FAILURES}" = "Y" ] && \ |
|
378 |
${IPTABLES} -A INPUT -s ${net} -i ${pub} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
|
379 |
${IPTABLES} -A INPUT -s ${net} -i ${pub} -j ${REJECT_METHOD} |
|
380 |
if [ "${DROP_SMB_NAT_BCAST}" = "Y" ]; then |
|
381 |
# NetBIOS |
|
382 |
[ "${LOG_FAILURES}" = "Y" ] && \ |
|
383 |
${IPTABLES} -A FORWARD -p tcp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
|
384 |
${IPTABLES} -A FORWARD -p tcp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j ${REJECT_METHOD} |
|
385 |
[ "${LOG_FAILURES}" = "Y" ] && \ |
|
386 |
${IPTABLES} -A FORWARD -p udp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
|
387 |
${IPTABLES} -A FORWARD -p udp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j ${REJECT_METHOD} |
|
388 |
fi |
|
389 |
# set up a NAT rule with MASQ -- se below for SNAT |
|
390 |
${IPTABLES} -t nat -A POSTROUTING -s ${net} -o ${pub} -j MASQUERADE |
|
391 |
${IPTABLES} -A FORWARD -s ${net} -o ${pub} -j ACCEPT |
|
392 |
done |
|
393 |
done |
|
394 |
# If you have a statuc address for the public interface, |
|
395 |
# you might prefer setting upp static NAT instead of the |
|
396 |
# -j MASQUERADE code above: |
|
397 |
#${IPTABLES} -t nat -A POSTROUTING -o ${DEFAULT_GW_IFACE} -j SNAT --to ${DEFAULT_GW_IP} |
|
398 |
echo " done." |
|
399 |
echo -n "Loading masquerading modules..." |
|
400 |
do_masq_mods load |
|
401 |
echo " done." |
|
402 |
fi |
|
403 |
|
|
404 |
include_supplemental pre-chain-split |
|
405 |
|
|
406 |
echo -n "Setting up chains for public/internal interface traffic..." |
|
407 |
|
|
408 |
# Direct PUBLIC interface traffic to the proper chain |
|
409 |
for iface in ${PUBLIC_IFACES} ; do |
|
410 |
${IPTABLES} -A INPUT -i ${iface} -j PUB_IN |
|
411 |
${IPTABLES} -A OUTPUT -o ${iface} -j PUB_OUT |
|
412 |
done |
|
413 |
|
|
414 |
|
|
415 |
# disallow any attempts to get to internal interfaces from outside |
|
416 |
# not good if this is supposed to route between normal networks |
|
417 |
for int in ${INTERNAL_NETWORKS} ; do |
|
418 |
# deny traffic from public |
|
419 |
# interfaces that is addressed to internal networks |
|
420 |
[ "${LOG_FAILURES}" = "Y" ] && \ |
|
421 |
${IPTABLES} -A PUB_IN -d ${int} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PUB_IN ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
|
422 |
${IPTABLES} -A PUB_IN -d ${int} -j ${REJECT_METHOD} |
|
423 |
# spoofed addreses from outside |
|
424 |
[ "${LOG_FAILURES}" = "Y" ] && \ |
|
425 |
${IPTABLES} -A PUB_IN -s ${int} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PUB_IN ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
|
426 |
${IPTABLES} -A PUB_IN -s ${int} -j ${REJECT_METHOD} |
|
427 |
done |
|
428 |
|
|
429 |
# direct packets to the INTERNAL_* chains |
|
430 |
for iface in ${INTERNAL_IFACES} ; do |
|
431 |
${IPTABLES} -A INPUT -i ${iface} -j INT_IN |
|
432 |
${IPTABLES} -A OUTPUT -o ${iface} -j INT_OUT |
|
433 |
done |
|
434 |
echo " done. " |
|
435 |
|
|
436 |
echo -n "Setting up general rules..." |
|
437 |
|
|
438 |
include_supplemental pre-dhcp |
|
439 |
|
|
440 |
# Allow response from DHCP servers |
|
441 |
for iface in ${DHCP_IFACES} ; do |
|
442 |
# make link so dhcpcd runs firewall when IP changes (if no such file already) |
|
443 |
[ ! -d /etc/dhcpc ] && mkdir /etc/dhcpc -m 0750 |
|
444 |
if [ -x /sbin/bastille-firewall-reset -a ! -L /etc/dhcpc/dhcpcd-${iface}.exe ]; then |
|
445 |
ln -s /sbin/bastille-firewall-reset /etc/dhcpc/dhcpcd-${iface}.exe |
|
446 |
fi |
|
447 |
done |
|
448 |
|
|
449 |
include_supplemental pre-internal |
|
450 |
|
|
451 |
# internal interface rules |
|
452 |
# Allow accessses to TCP services on this system |
|
453 |
for serv in ${TCP_INTERNAL_SERVICES} ; do |
|
454 |
${IPTABLES} -A INT_IN -p tcp --dport ${serv} -j PAROLE |
|
455 |
done |
|
456 |
# UDP services |
|
457 |
for serv in ${UDP_INTERNAL_SERVICES} ; do |
|
458 |
${IPTABLES} -A INT_IN -p udp --dport ${serv} -j ACCEPT |
|
459 |
done |
|
460 |
# ICMP |
|
461 |
# hopefully you don't care about hiding from internal hosts! |
|
462 |
${IPTABLES} -A INT_IN -p icmp -j ACCEPT |
|
463 |
${IPTABLES} -A INT_OUT -p icmp -j ACCEPT |
|
464 |
# ...but if you do... try this... (and see the PUB_IN rules below) |
|
465 |
#for type in ${ICMP_ALLOWED_TYPES} ; do |
|
466 |
# ${IPTABLES} -A INT_IN -p icmp --icmp-type ${type} -j ACCEPT |
|
467 |
#done |
|
468 |
|
|
469 |
include_supplemental pre-input |
|
470 |
|
|
471 |
# input rules |
|
472 |
# |
|
473 |
# public interfaces |
|
474 |
|
|
475 |
# --------------------- ICMP -------------------------- |
|
476 |
for type in ${ICMP_ALLOWED_TYPES} ; do |
|
477 |
${IPTABLES} -A PUB_IN -p icmp --icmp-type ${type} -j ACCEPT |
|
478 |
done |
|
479 |
|
|
480 |
# --------------------- TCP -------------------------- |
|
481 |
for serv in ${TCP_PUBLIC_SERVICES} ; do |
|
482 |
${IPTABLES} -A PUB_IN -p tcp --dport ${serv} -j PAROLE |
|
483 |
done |
|
484 |
|
|
485 |
# --------------------- UDP -------------------------- |
|
486 |
for serv in ${UDP_PUBLIC_SERVICES} ; do |
|
487 |
${IPTABLES} -A PUB_IN -p udp --dport ${serv} -j ACCEPT |
|
488 |
done |
|
489 |
|
|
490 |
include_supplemental pre-audit |
|
491 |
|
|
492 |
# -------------- Public interface input auditing --------------- |
|
493 |
# Note that this will only audit services that are not actually available |
|
494 |
# |
|
495 |
for service in ${TCP_AUDIT_SERVICES} ; do |
|
496 |
${IPTABLES} -A PUB_IN -p tcp --dport ${service} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "audit" |
|
497 |
done |
|
498 |
for service in ${UDP_AUDIT_SERVICES} ; do |
|
499 |
${IPTABLES} -A PUB_IN -p udp --dport ${service} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "audit" |
|
500 |
done |
|
501 |
for type in ${ICMP_AUDIT_TYPES} ; do |
|
502 |
${IPTABLES} -A PUB_IN -p icmp --icmp-type ${type} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "audit" |
|
503 |
done |
|
504 |
|
|
505 |
# if you're disallowing ICMP, you may be trying to look |
|
506 |
# invisible/disable ping, so let's just drop these attempts |
|
507 |
[ "${LOG_FAILURES}" = "Y" ] && \ |
|
508 |
${IPTABLES} -A PUB_IN -p icmp -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PUB_IN DROP $RULENUM" ; incr_rule_num |
|
509 |
${IPTABLES} -A PUB_IN -p icmp -j DROP |
|
510 |
|
|
511 |
# --------------------- catch-all -------------------------- |
|
512 |
# Reject all other traffic (redundant if not logging) |
|
513 |
if [ ${LOG_FAILURES} = "Y" ]; then |
|
514 |
for chain in INPUT PUB_IN INT_IN ; do |
|
515 |
[ "${LOG_FAILURES}" = "Y" ] && \ |
|
516 |
${IPTABLES} -A ${chain} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "${chain} ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
|
517 |
${IPTABLES} -A ${chain} -j ${REJECT_METHOD} |
|
518 |
done |
|
519 |
fi |
|
520 |
|
|
521 |
# |
|
522 |
echo " done." |
|
523 |
|
|
524 |
include_supplemental pre-output |
|
525 |
|
|
526 |
echo -n "Setting up outbound rules..." |
|
527 |
# |
|
528 |
# Here you might really lock things down if this is a server, |
|
529 |
# e.g., to keep it from doing anything but connecting to |
|
530 |
# SMTP servers and responding to Web requests, or whatever |
|
531 |
# the specific requirements are. |
|
532 |
# |
|
533 |
# Such lockdowns are recommended if the situation affords you |
|
534 |
# that flexibility. |
|
535 |
# |
|
536 |
# If you want to only allow the server to respond to requests |
|
537 |
# (and not even make DNS/dhcp/ntp queries!), then uncomment these lines: |
|
538 |
# # Note: if the connection table fills, you won't be able to |
|
539 |
# # respond to requests if you rely on "-m state" with these rules |
|
540 |
# ${IPTABLES} -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
541 |
# [ ${LOG_FAILURES} = "Y" ] && \ |
|
542 |
# ${IPTABLES} -A OUTPUT -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "OUTPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
|
543 |
# ${IPTABLES} -A OUTPUT -j REJECT |
|
544 |
# |
|
545 |
# default is to enable outbound traffic |
|
546 |
${IPTABLES} -P OUTPUT ACCEPT |
|
547 |
|
|
548 |
include_supplemental pre-policy-reset |
|
549 |
|
|
550 |
# Now that all rules are set, we can change the policies |
|
551 |
# to the user preference safely |
|
552 |
[ ${REJECT_METHOD} != "DROP" ] && ${IPTABLES} -A FORWARD -j ${REJECT_METHOD} |
|
553 |
[ ${REJECT_METHOD} != "DROP" ] && ${IPTABLES} -A INPUT -j ${REJECT_METHOD} |
|
554 |
# to set default "policies" for PUB_* and INT_* chains, add a final rule |
|
555 |
if [ ${LOG_FAILURES} != "Y" ]; then |
|
556 |
# if LOG_FAILURES were set, we would have already done this |
|
557 |
for chain in PUB_IN INT_IN INPUT FORWARD; do |
|
558 |
[ "${LOG_FAILURES}" = "Y" ] && \ |
|
559 |
${IPTABLES} -A ${chain} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "${chain} ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
|
560 |
${IPTABLES} -A ${chain} -j ${REJECT_METHOD} |
|
561 |
done |
|
562 |
fi |
|
563 |
for chain in PUB_OUT INT_OUT ; do |
|
564 |
${IPTABLES} -A ${chain} -j ACCEPT |
|
565 |
done |
|
566 |
# rule 1 in all of these chains is a deny rule; remove it so other rules work |
|
567 |
for chain in PUB_IN INT_IN PUB_OUT INT_OUT ; do |
|
568 |
${IPTABLES} -D ${chain} -j DROP |
|
569 |
done |
|
570 |
|
|
571 |
include_supplemental post-rule-setup |
|
572 |
|
|
573 |
echo " done." |
|
574 |
|
|
575 |
;; |
|
576 |
stop) |
|
577 |
include_supplemental pre-drop-rules |
|
578 |
echo |
|
579 |
echo "WARNING: reverting to default settings (dropping firewall)" |
|
580 |
# We should disable NAT/forwarding even if not set to restore defaults |
|
581 |
echo -n "disabling IP forwarding..." |
|
582 |
echo 0 > /proc/sys/net/ipv4/ip_forward |
|
583 |
echo " done." |
|
584 |
echo -n "unloading masquerading modules..." |
|
585 |
do_masq_mods unload |
|
586 |
echo " done." |
|
587 |
# flushing leaves the default input at ${REJECT_METHOD} |
|
588 |
echo -n "resetting default input rules to accept..." |
|
589 |
${IPTABLES} -P INPUT ACCEPT |
|
590 |
echo " done." |
|
591 |
echo -n "resetting default output rule to accept..." |
|
592 |
${IPTABLES} -P OUTPUT ACCEPT |
|
593 |
echo " done." |
|
594 |
# We disabled forwarding with the /proc interface, but we |
|
595 |
# reset FORWARD to ACCEPT because that;s the normal default |
|
596 |
echo -n "resetting default forward rule to accept..." |
|
597 |
${IPTABLES} -P FORWARD ACCEPT |
|
598 |
echo " done." |
|
599 |
for chain in INPUT OUTPUT FORWARD ; do |
|
600 |
echo -n "flushing ${chain} rules..." |
|
601 |
${IPTABLES} -F ${chain} |
|
602 |
echo " done." |
|
603 |
done |
|
604 |
for chain in PREROUTING POSTROUTING ; do |
|
605 |
${IPTABLES} -t nat -F ${chain} |
|
606 |
done |
|
607 |
${IPTABLES} -t mangle -F PREROUTING |
|
608 |
# flush and delete the user-defined chains |
|
609 |
echo -n "removing user-defined chains..." |
|
610 |
for chain in PUB_IN PUB_OUT INT_IN INT_OUT PAROLE ; do |
|
611 |
${IPTABLES} -F ${chain} |
|
612 |
${IPTABLES} -X ${chain} |
|
613 |
done |
|
614 |
include_supplemental post-drop-rules |
|
615 |
echo " done." |
|
616 |
;; |
|
617 |
status) |
|
618 |
${IPTABLES} -L -v -n |
|
619 |
;; |
|
620 |
*) |
|
621 |
echo "Usage: $0 {start|restart|reload|stop|status}" |
|
622 |
exit 1 |
|
623 |
esac |
|
624 |
|
|
625 |
exit 0 |
|
626 |
|