Installing the firewall
There are many ways of establishing iptables rules in Linux, but my favorite is to write my own bash script, in which I can use things like conditional filtering. So we will avoid iptables-save and iptables-restore and create the following script:
#!/bin/bash
# A Linux Shell Script with common rules for IPTABLES Firewall.
# VladGh.com.
# -------------------------------------------------------------------------

IPT="/sbin/iptables"
PUB_IF="eth0"
[ -f /srv/scripts/firewall/badips.list ] && BADIPS=$(grep -v -E "^#|^$" /srv/scripts/firewall/badips.list)

echo "Starting IPv4 Wall..."
# Flush and delete every existing rule and user chain in all tables
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

# Counter (rules without a target only count the packets they match)
$IPT -I INPUT -d 127.0.0.1
$IPT -I OUTPUT -s 127.0.0.1
$IPT -I INPUT -d YOUR.EXTERNAL.IP.ADDRESS
$IPT -I OUTPUT -s YOUR.EXTERNAL.IP.ADDRESS

# unlimited loopback traffic
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# DROP all incoming traffic by default
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# block all bad ips
echo "Blocking bad ips..."
for ip in $BADIPS
do
    $IPT -A INPUT -s $ip -j DROP
done

# syn: new TCP connections must start with a SYN packet
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "IPT -- Drop Syn - "
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

# Fragments
$IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "IPT -- Fragments Packets - "
$IPT -A INPUT -i ${PUB_IF} -f -j DROP

# block bad stuff (malformed TCP flag combinations)
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "IPT -- NULL Packets - "
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "IPT -- XMAS Packets - "
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # XMAS
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "IPT -- Fin Packets Scan - "
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Allow full outgoing connections but no incoming stuff
$IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow Ports:
$IPT -A INPUT -p tcp --destination-port 22222 -j ACCEPT
$IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT
#$IPT -A INPUT -p tcp --destination-port 443 -j ACCEPT

# allow incoming ICMP ping pong stuff
$IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# No smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT

# Log everything else
# *** Required for psad ****
$IPT -A INPUT -j LOG --log-level 4 --log-prefix "IPT -- Input Traffic - "
$IPT -A FORWARD -j LOG --log-level 4 --log-prefix "IPT -- Forward Traffic - "
$IPT -A INPUT -j DROP

echo "Firewall started"
exit 0
You can save it anywhere you want, but do not forget to adjust the path to badips.list at line 8. You should name this file firewall.sh.
After this, you should also create a script that flushes all rules in case things go wrong. Create the file firewall.stop.sh:
#!/bin/bash
# Linux Firewall: Simple Shell Script To Stop and Flush All Iptables Rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
echo "Firewall stopped."
As you saw, I mentioned a file called badips.list. This is where you add the IPs (or networks, in CIDR notation) of known attackers, one per line:
# Blocked IPs List:
217.195.122.0/24
222.45.112.59
124.232.152.116
Now let's create an init script that starts this firewall every time you restart your machine or change its rules. You should call this file "firewall":
#!/bin/sh -e
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Firewall Vlad Ghinea.
### END INIT INFO

case "$1" in
  start)
    sudo /srv/scripts/firewall/firewall.sh
    exit 0
    ;;
  stop)
    sudo /srv/scripts/firewall/firewall.stop.sh
    exit 0
    ;;
  restart)
    echo "Stopping Firewall"
    sudo /srv/scripts/firewall/firewall.stop.sh
    sudo /srv/scripts/firewall/firewall.sh
    exit 0
    ;;
  *)
    echo "Usage: /etc/init.d/firewall {start|stop|restart}"
    exit 1
    ;;
esac
exit 0
Save this file in the /etc/init.d folder and make it executable:
chmod +x /etc/init.d/firewall
And now add it to the Ubuntu startup routine:
update-rc.d -f firewall defaults
So from now on you should have a basic firewall protecting you, which you can restart and stop whenever you feel like it.
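One weak spot in the procedure above is that firewall.sh feeds every non-comment line of badips.list straight to iptables; a typo in the list makes that one iptables call fail while the script carries on and reports "Firewall started". The following is an added example, not part of the original post, that validates each entry as an IPv4 address or CIDR and prints the DROP rules the script would add, so the list can be checked before the firewall is (re)started. The function names and the two broken sample entries are mine; the two good entries are taken from the list shown above.

```shell
# Added example, not from the original post: validate badips.list before the
# firewall script's "for ip in $BADIPS" loop hands its entries to iptables.
# Assumes the format shown above: one IPv4 address or CIDR per line.
# Return 0 when $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32        # no '/': a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1                   # exactly four octets
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the usable entries of a list (same filter as the script's
# grep -v -E "^#|^$"); report malformed lines on stderr and return 1 so
# the caller can refuse a broken list instead of applying half of it.
load_badips() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if valid_ipv4_cidr "$line"; then
            printf '%s\n' "$line"
        else
            printf 'badips.list: rejecting malformed entry "%s"\n' "$line" >&2
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Dry run: print the DROP rules the firewall script would add, for review.
badips_rules() {
    load_badips "$1" | while IFS= read -r ip; do
        printf '%s -A INPUT -s %s -j DROP\n' "${2:-/sbin/iptables}" "$ip"
    done
}

# Constructed sample list: two entries from the post plus two broken ones
# (an octet above 255 and a /33 prefix on a documentation-range network).
SAMPLE_LIST=$(mktemp)
trap 'rm -f "$SAMPLE_LIST"' EXIT
printf '%s\n' '# Blocked IPs List:' 217.195.122.0/24 222.45.112.59 \
    10.0.0.999 198.51.100.0/33 > "$SAMPLE_LIST"
badips_rules "$SAMPLE_LIST"
```

Running it prints the two valid DROP rules on stdout and a rejection message for each broken line on stderr; calling load_badips from firewall.sh and aborting when it returns 1 keeps a mistyped list from being half-applied.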