Firewall Installation Script for Ubuntu


#!/bin/bash

# Default Policy
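SetDefaultPolicy() {
  # Set the default policy of the three built-in filter chains to DROP, so
  # anything not explicitly accepted by a later rule is discarded.
  # The start/stop sequences call this before FlushTables, so a flush never
  # leaves the host without a DROP policy.
  # NOTE(review): with INPUT/OUTPUT already at DROP, an administrator on a
  # remote session loses connectivity until ACCEPT rules are appended later
  # in the run.
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP
}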

# Flush Tables
FlushTables() {
  # Remove every rule from the nat, mangle and filter tables, then delete
  # all user-defined chains.  Chain policies are not touched, and the raw
  # table is not flushed.
  local table
  for table in nat mangle filter; do
    iptables -F -t "$table"
  done
  iptables -X
}

# Routing
EnableRouting() {
  # Turn on IPv4 forwarding in the running kernel by writing the sysctl
  # through /proc (takes effect immediately, not persisted across reboot).
  local forward_knob=/proc/sys/net/ipv4/ip_forward
  printf '1\n' > "$forward_knob"
}
DisableRouting() {
  # Turn off IPv4 forwarding in the running kernel (counterpart of
  # EnableRouting; likewise not persisted across reboot).
  local forward_knob=/proc/sys/net/ipv4/ip_forward
  printf '0\n' > "$forward_knob"
}

# Forwarding
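SetForwardingRules() {
  # FORWARD chain: reply traffic arriving on the public interface may go
  # back to the private network; anything entering on the private interface
  # is forwarded out unconditionally (no egress filtering of LAN hosts).
  # Reads IF_PUB / IF_PRV set by the entry point.
  iptables -A FORWARD -i "$IF_PUB" -o "$IF_PRV" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$IF_PRV" -o "$IF_PUB" -j ACCEPT
}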

# Stan's Custom Rules
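SetCustomRules() {
  # Stan's custom INPUT rules.  Creates a user chain `inbound` and jumps to
  # it for eth0 traffic; nothing is ever appended to that chain here, so
  # the jump is currently a no-op.
  # NOTE(review): the interface is hard-coded as eth0, which the entry point
  # assigns to IF_PRV (the private side) — confirm this is intended rather
  # than a leftover from a host where eth0 was the public interface.
  iptables -N inbound
  iptables -A INPUT -i eth0 -j inbound
  # Drop TCP connection attempts and reserved ports 0/1 on eth0.
  iptables -A INPUT -i eth0 -p tcp --syn -j DROP
  iptables -A INPUT -i eth0 -p tcp --dport 0 -j DROP
  iptables -A INPUT -i eth0 -p tcp --dport 1 -j DROP
  # UDP has no SYN flag: the former "-p udp --syn" rule was refused by
  # iptables and never installed, so it is omitted.
  iptables -A INPUT -i eth0 -p udp --dport 0 -j DROP
  iptables -A INPUT -i eth0 -p udp --dport 1 -j DROP
  # Replies to connections this host opened must be accepted *before* the
  # unconditional DROP below; appended after it, the rule could never match.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Log, then drop, all traffic that's not allowed.
  if [[ -n "${YOURBOX:-}" ]]; then
    iptables -A INPUT -i eth0 -d "$YOURBOX" -j LOG --log-level 7 --log-prefix "Default Deny"
  else
    # YOURBOX (this host's own address) is not set anywhere in this script;
    # an empty -d argument makes iptables refuse the rule, so skip it.
    printf 'SetCustomRules: YOURBOX is unset, default-deny LOG rule skipped\n' >&2
  fi
  # NOTE(review): this unconditional DROP ends INPUT processing for every
  # packet that reaches it.  Any ACCEPT appended to INPUT after this
  # function runs (loopback, private/public interface, ICMP, SSH in the
  # start sequence) is unreachable — call this last, or scope the DROP.
  iptables -A INPUT -j DROP
}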

# Loopback
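SetLoopbackRules() {
  # Allow everything on the loopback interface, in both directions.
  # (The line "Allow everything" in the published listing lost its leading
  # "#" and was being executed as a command.)
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
}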

# Private Interfaces
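SetPrivateInterfaceRules() {
  # Allow everything to and from the private network on the private
  # interface.  Both interface and address must match, so a packet arriving
  # on IF_PRV with a source outside NET_PRV is not accepted here and falls
  # through to later rules / the DROP policy.
  # Reads IF_PRV / NET_PRV set by the entry point.
  iptables -A INPUT -i "$IF_PRV" -s "$NET_PRV" -j ACCEPT
  iptables -A OUTPUT -o "$IF_PRV" -d "$NET_PRV" -j ACCEPT
}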

# Public Interfaces
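SetPublicInterfaceRules() {
  # Public interface: only replies to established/related connections are
  # accepted inbound; anything may leave (no egress filtering of this host).
  # Reads IF_PUB set by the entry point.
  iptables -A INPUT -i "$IF_PUB" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -o "$IF_PUB" -j ACCEPT
}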

# Source NAT
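EnableSourceNAT() {
  # Source-NAT everything else: traffic from the private network leaving on
  # the public interface gets the public address as its source.
  # NOTE(review): the DNAT targets used by the POP3/webmail/HTTP functions
  # (192.168.10.x) lie outside NET_PRV (192.168.1.0/24), so connections
  # those hosts originate themselves are not covered by this rule — confirm
  # that is intended.
  # Reads NET_PRV / IF_PUB / IP_PUB set by the entry point.
  iptables -t nat -A POSTROUTING -s "$NET_PRV" -o "$IF_PUB" -j SNAT --to "$IP_PUB"
}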
# Various ICMP
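SetICMP_Open() {
  # ICMP accepted on INPUT from any interface: echo-reply (0),
  # destination-unreachable (3) and time-exceeded (11) unconditionally;
  # echo-request (8) rate-limited to one per second, so a ping flood beyond
  # that rate falls through to the later rules / DROP policy.
  local icmp_type
  for icmp_type in 0 3 11; do
    iptables -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
  done
  iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
}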

# SSH (on a non-standard port)
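SetSSH_Open() {
  # Accept SSH from the public side to this host's public address on the
  # non-standard port 2202 (only useful if sshd actually listens there).
  # The port can be overridden with $1; no source restriction or rate limit
  # is applied.
  # Reads IF_PUB / IP_PUB set by the entry point.
  local ssh_port=${1:-2202}
  iptables -A INPUT -i "$IF_PUB" -p tcp -d "$IP_PUB" --dport "$ssh_port" -j ACCEPT
}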

# Destination NAT
# smtp
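SetSMTP_DNAT() {
  # Forward inbound SMTP on the public address to the internal mail host
  # ($1, default 192.168.1.254) and allow the forwarded connection through
  # FORWARD.  The FORWARD rule matches on port only, not on the target.
  # Reads IF_PUB / IP_PUB set by the entry point.
  local target=${1:-192.168.1.254}
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport smtp -j DNAT --to "$target"
  iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i "$IF_PUB" -p tcp --dport smtp -j ACCEPT
}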

# POP3
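SetPOP3_DNAT() {
  # Forward inbound POP3 on the public address to the internal mail host
  # ($1, default 192.168.10.254) and allow it through FORWARD.
  # NOTE(review): plain pop3 carries credentials in cleartext across the
  # public side; no TLS variant is exposed by this script.
  # Reads IF_PUB / IP_PUB set by the entry point.
  local target=${1:-192.168.10.254}
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport pop3 -j DNAT --to "$target"
  iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i "$IF_PUB" -p tcp --dport pop3 -j ACCEPT
}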

# Webmail (public 444 -> internal 443)
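SetWebmail_DNAT() {
  # Forward public port 444 to port 443 on the internal webmail host
  # ($1, default 192.168.10.254).  Unlike the other DNAT helpers the FORWARD
  # rule here matches on the private *output* interface and port 443, so it
  # also admits any other forwarded HTTPS towards the private side.
  # Reads IF_PUB / IP_PUB / IF_PRV set by the entry point.
  local target=${1:-192.168.10.254}
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport 444 -j DNAT --to "$target:443"
  iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o "$IF_PRV" -p tcp --dport 443 -j ACCEPT
}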

# HTTP
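SetHTTP_DNAT() {
  # Forward inbound HTTP on the public address to the internal web host
  # ($1, default 192.168.10.253) and allow it through FORWARD.
  # Reads IF_PUB / IP_PUB set by the entry point.
  local target=${1:-192.168.10.253}
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport http -j DNAT --to "$target"
  iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i "$IF_PUB" -p tcp --dport http -j ACCEPT
}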

# Blocked Protocols
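SetBlockedProtocols() {
  # Block all normal IRC (used by botnets) destined for this host, on both
  # TCP and UDP.  Service names are resolved through /etc/services.
  # NOTE(review): these rules are on INPUT only.  IRC from hosts on the
  # private network is still forwarded out by SetForwardingRules, so this
  # does not stop a compromised LAN host from reaching IRC.
  local service
  for service in irc irc-serv ircs; do
    iptables -A INPUT -p tcp --dport "$service" -j DROP
    iptables -A INPUT -p udp --dport "$service" -j DROP
  done
}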

# Blocked Hosts
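SetBlockedHosts() {
  # Silently drop traffic from specific public-side hosts, both to this host
  # (INPUT) and through it (FORWARD).  Hosts may be given as arguments;
  # with none, the original hard-coded address is used.
  # `--reject-with` is an option of the REJECT target only: combined with
  # DROP iptables refused the whole rule, so the block was never installed.
  # Reads IF_PUB set by the entry point.
  local -a hosts=("$@")
  (( $# > 0 )) || hosts=(10.220.231.236)
  local host
  for host in "${hosts[@]}"; do
    iptables -A INPUT -i "$IF_PUB" -s "$host" -j DROP
    iptables -A FORWARD -i "$IF_PUB" -s "$host" -j DROP
  done
}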

# Blocked Networks
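SetBlockedNetworks() {
  # Silently drop traffic from blocked public-side networks, both to this
  # host (INPUT) and through it (FORWARD).  Networks may be given as
  # arguments; with none, the original hard-coded prefix is used.
  # Two fixes versus the published rules: `--reject-with` belongs to the
  # REJECT target only, so with DROP iptables refused the rule; and the
  # FORWARD rule was restricted with -d $IP_PUB, yet packets addressed to
  # this host itself are delivered via INPUT and never traverse FORWARD, so
  # that restriction made the rule match nothing.  It now mirrors
  # SetBlockedHosts.
  # Reads IF_PUB set by the entry point.
  local -a networks=("$@")
  (( $# > 0 )) || networks=(10.220.232.0/24)
  local net
  for net in "${networks[@]}"; do
    iptables -A INPUT -i "$IF_PUB" -s "$net" -j DROP
    iptables -A FORWARD -i "$IF_PUB" -s "$net" -j DROP
  done
}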

# Things to drop before logging
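SetPrelogDropRules() {
  # Noise to drop before the LOG rules so it does not fill the log:
  # DHCP server replies (source port bootps) arriving on the public side.
  # Reads IF_PUB set by the entry point.
  iptables -A INPUT -i "$IF_PUB" -p udp --sport bootps -j DROP
}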

# Log what reaches the end of the chains on the public interface
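SetLoggingRules() {
  # Log packets not handled by an earlier rule: INPUT/OUTPUT on the public
  # interface, FORWARD on any interface, and the public-side nat chains.
  # NOTE(review): none of these LOG rules is rate-limited, so on a busy or
  # attacked link every unmatched packet produces a kernel log line;
  # consider adding `-m limit --limit 5/min --limit-burst 10` to each.
  # Reads IF_PUB set by the entry point.
  iptables -A INPUT -i "$IF_PUB" -j LOG --log-prefix "INPUT "
  iptables -A OUTPUT -o "$IF_PUB" -j LOG --log-prefix "OUTPUT "
  iptables -A FORWARD -j LOG --log-prefix "FORWARD "
  iptables -t nat -A PREROUTING -i "$IF_PUB" -j LOG --log-prefix "nPre "
  iptables -t nat -A POSTROUTING -o "$IF_PUB" -j LOG --log-prefix "nPost "
  iptables -t nat -A OUTPUT -o "$IF_PUB" -j LOG --log-prefix "NAT OUT "
}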

# Drop them all
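SetDropRules() {
  # Final catch-all for TCP on INPUT.
  # Original intent: reset TCP connection attempts on all other ports — the
  # standard behaviour for a closed port; reading suggests there is no value
  # in stealthing ports, and since some are open on this host it doesn't
  # seem to matter, so be a good TCP citizen.
  # Stan: changed the rule from REJECT to DROP for stealthing.
  # `--reject-with tcp-reset` is an option of the REJECT target only; with
  # DROP iptables refused the whole rule, so it is removed here.  Anything
  # not matched earlier (TCP or otherwise) ends at the INPUT DROP policy.
  iptables -A INPUT -p tcp -j DROP
}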

# Script Entry Point
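printf '%s' "Firewall Configuration…"
printf '%s\n' "$1"

# Private interface
IF_PRV=eth0
IP_PRV=192.168.1.1          # not referenced by the rule functions
NET_PRV=192.168.1.0/24
# Public interface
IF_PUB=eth1
IP_PUB=10.0.0.1
NET_PUB=10.0.0.0/24         # not referenced by the rule functions
# Others
ANYWHERE=0.0.0.0/0          # not referenced by the rule functions

# iptables needs root; without it every rule below fails and the host is
# left with whatever ruleset was already in place.
if [[ $EUID -ne 0 ]]; then
  printf '%s: must be run as root\n' "$0" >&2
  exit 1
fi

# /etc/rc.status (rc_reset / rc_exit) is a SUSE init helper; it does not
# exist on Ubuntu, so only source it when present.
have_rc_status=0
if [[ -r /etc/rc.status ]]; then
  . /etc/rc.status
  rc_reset
  have_rc_status=1
fi

# COMMAND LINE
case "$1" in
  start)
    SetDefaultPolicy
    FlushTables
    EnableRouting
    SetBlockedProtocols
    SetBlockedNetworks
    SetBlockedHosts
    SetForwardingRules
    # NOTE(review): SetCustomRules appends an unconditional `-A INPUT -j DROP`;
    # every INPUT ACCEPT appended by the functions after it (loopback,
    # private/public interface, ICMP, SSH) and the INPUT LOG rule are
    # therefore unreachable.  Moving it to just before SetPrelogDropRules
    # would make the order match the intent of the comments.
    SetCustomRules
    SetLoopbackRules
    SetPrivateInterfaceRules
    SetPublicInterfaceRules
    EnableSourceNAT
    SetICMP_Open
    SetSSH_Open
    SetSMTP_DNAT
    SetPOP3_DNAT
    SetWebmail_DNAT
    SetHTTP_DNAT
    SetPrelogDropRules
    SetLoggingRules
    SetDropRules
    ;;
  stop)
    # NOTE(review): "stop" keeps the DROP policies and only re-opens the
    # private/public interface rules; DisableRouting is never called, so
    # forwarding stays enabled.
    SetDefaultPolicy
    FlushTables
    SetPrivateInterfaceRules
    SetPublicInterfaceRules
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  *)
    printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
    exit 1
    ;;
esac
if (( have_rc_status )); then
  rc_exit
fi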
