[gull] one good netfilter firewall

Philippe STRAUSS philippe at strauss.pas.nu
Fri Jan 3 23:31:59 CET 2014


J'ai passé du temps à "cookbooker" ce script netfilter — oh shame, sur de l'OpenVZ cela torche.

Quelqu'un est-il déjà passé par l'expérience douloureuse de mettre au point un bon script netfilter pour des containers OpenVZ ?

thanks!


--8<--

#!/bin/sh

#
# One good netfilter firewall
# Philippe STRAUSS, 1.2014
#

# Path of the iptables binary used by every rule below.
IPT='/sbin/iptables'

# Public-facing interface the source-address sanity rules are bound to.
# Alternative for a venet-based container: NET_IFACE='venet0:0'
NET_IFACE='eth1'


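#
# sysctl_write FILE VALUE
#   Write VALUE into a /proc/sys knob.  Absent or read-only entries are
#   skipped with a warning on stderr instead of spraying redirection errors
#   and leaving the rule set half-applied: inside a container (OpenVZ, the
#   environment this script is aimed at) many of these knobs are exposed
#   read-only or not at all.
#
sysctl_write() {
    if [ -w "$1" ]; then
        echo "$2" > "$1"
    else
        printf 'warning: %s not writable, skipped\n' "$1" >&2
    fi
}

#
# start: apply the sysctl hardening, then load the filter rule set.
# Globals:  IPT, NET_IFACE (read)
# Outputs:  progress on stdout, skipped sysctls on stderr
# Returns:  status of the last iptables call
#
start() {
    # printf instead of 'echo -n': the latter is not portable under #!/bin/sh.
    printf '%s' "Starting the firewall: "

    #
    # Global protections to common attacks
    #

    # Prevent IP spoofing: reverse-path filter on every interface.
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        sysctl_write "$f" 1
    done

    # Log spoofed, source-routed and redirected packets (martians).
    sysctl_write /proc/sys/net/ipv4/conf/all/log_martians 1
    # Don't accept source routed packets.
    sysctl_write /proc/sys/net/ipv4/conf/all/accept_source_route 0

    # Disable ICMP redirect acceptance and emission.
    sysctl_write /proc/sys/net/ipv4/conf/all/accept_redirects 0
    sysctl_write /proc/sys/net/ipv4/conf/all/send_redirects 0

    # Disable response to broadcast pings (smurf amplification).
    sysctl_write /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

    # Enable bad error message protection.
    sysctl_write /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1

    # Disable IP forwarding: this host is not a router.
    sysctl_write /proc/sys/net/ipv4/ip_forward 0

    # Load kernel modules (normally autoloaded by iptables itself).
    # depmod -a
    # modprobe ip_tables
    # modprobe ip_conntrack

    # Clear any previous rules in the filter table.
    $IPT -F

    # Default policies: drop what no rule accepts on INPUT and FORWARD,
    # allow outbound by default.  Setting FORWARD's policy (and not only its
    # final catch-all rule) keeps the chain closed during the window between
    # the flush above and the rules appended below.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Allow anything over loopback (and vpn, if the lines below are enabled).
    $IPT -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    $IPT -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

    # $IPT -A INPUT -i tun0 -j ACCEPT
    # $IPT -A OUTPUT -o tun0 -j ACCEPT
    # $IPT -A INPUT -p esp -j ACCEPT
    # $IPT -A OUTPUT -p esp -j ACCEPT

    # Drop any new tcp connection that does not start with a SYN.
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Drop packets conntrack could not classify.
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Drop illegal TCP flag combinations (null / Xmas style packets).
    $IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    $IPT -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN              -j DROP
    $IPT -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST              -j DROP
    $IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST              -j DROP
    $IPT -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN                  -j DROP
    $IPT -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG                  -j DROP

    # Drop multicast and reserved ranges as source or destination.
    $IPT -A INPUT -s 224.0.0.0/4 -j DROP
    $IPT -A INPUT -d 224.0.0.0/4 -j DROP
    $IPT -A INPUT -s 240.0.0.0/5 -j DROP

    # Drop packets claiming a loopback or private (RFC 1918) source on the
    # public interface.  172.16.0.0/12 is the whole RFC 1918 block
    # (172.16.0.0 - 172.31.255.255); a /16 would only have covered 172.16.x.x.
    $IPT -A INPUT -i "$NET_IFACE" -s 127.0.0.0/8 -j DROP
    #$IPT -A INPUT -i "$NET_IFACE" -s 192.168.0.0/24 -j DROP
    $IPT -A INPUT -i "$NET_IFACE" -s 172.16.0.0/12 -j DROP
    #$IPT -A INPUT -i "$NET_IFACE" -s 10.0.0.0/8 -j DROP

    # Close IDENT requests quickly (tcp-reset) so mail peers don't hang on them.
    $IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Blocked ports example
    $IPT -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 8010 -j DROP

    # Allow TCP/UDP connections out. Keep state so conns out are allowed back in.
    $IPT -A INPUT  -p tcp -m state --state ESTABLISHED     -j ACCEPT
    $IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -p udp -m state --state ESTABLISHED     -j ACCEPT
    $IPT -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT

    # ICMP error messages needed for working TCP (PMTU discovery, traceroute).
    $IPT -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED --icmp-type time-exceeded -j ACCEPT

    # ICMP echo requests (ping) rate-limiting; excess requests fall through
    # to the final DROP.
    $IPT -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    $IPT -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED --icmp-type echo-reply -j ACCEPT

    # or block inbound ICMP allow only ping out
    # $IPT -A INPUT  -p icmp -m state --state NEW -j DROP
    # $IPT -A INPUT  -p icmp -m state --state ESTABLISHED -j ACCEPT
    # $IPT -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT

    # Allow services connections in.
    $IPT -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 25 -m state --state NEW  -j ACCEPT
    # SSH: new connections rate-limited; anything above the limit is dropped below.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/minute -j ACCEPT
    # HTTP: per-/22 connection cap, then a global new-connection rate, then a
    # global concurrent-connection cap.
    $IPT -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 22 -j DROP
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 4/second  -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -m connlimit --connlimit-above 700 -j REJECT
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # NTP
    $IPT -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -m state --state NEW  -j ACCEPT
    # submission
    $IPT -A INPUT -p tcp --dport 587 -m state --state NEW  -j ACCEPT
    # imaps
    $IPT -A INPUT -p tcp --dport 993 -m state --state NEW  -j ACCEPT
    # pop3s
    $IPT -A INPUT -p tcp --dport 995 -m state --state NEW  -j ACCEPT

    # Log and drop everything that did not match above.  The LOG rules are
    # rate-limited so a packet flood cannot fill the disk or drown syslog;
    # the DROP/ACCEPT that follows each one is unconditional.  OUTPUT is
    # logged but still accepted, in keeping with its ACCEPT policy.
    $IPT -A INPUT   -m limit --limit 10/minute --limit-burst 20 -j LOG --log-level 4 --log-prefix "IPTABLES_INPUT: "
    $IPT -A INPUT   -j DROP
    $IPT -A FORWARD -m limit --limit 10/minute --limit-burst 20 -j LOG --log-level 4 --log-prefix "IPTABLES_FORWARD: "
    $IPT -A FORWARD -j DROP
    $IPT -A OUTPUT  -m limit --limit 10/minute --limit-burst 20 -j LOG --log-level 4 --log-prefix "IPTABLES_OUTPUT: "
    $IPT -A OUTPUT  -j ACCEPT

    echo "done"
}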


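#
# stop: open the firewall -- set every chain policy to ACCEPT, then flush
# the filter table.
# Globals:  IPT (read)
# Outputs:  progress on stdout, "failed" on stderr
# Returns:  0 on success, 1 if iptables refused a step
#
stop() {
    printf '%s' "Changing target policies to ACCEPT: "
    if $IPT -P INPUT ACCEPT && $IPT -P FORWARD ACCEPT && $IPT -P OUTPUT ACCEPT; then
        echo "done"
    else
        # Do not flush if the policies could not be opened: flushing a chain
        # whose policy is still DROP would cut off every connection.
        echo "failed" >&2
        return 1
    fi

    printf '%s' "Flushing all chains: "
    if $IPT -F; then
        echo "done"
    else
        echo "failed" >&2
        return 1
    fi
}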


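# Pick the action from the script name (a firewall-start / firewall-stop
# symlink) or, failing that, from the first argument.
case "$0" in
    *-start) command=start ;;
    *-stop)  command=stop ;;
    *)       command=${1:-} ;;
esac

case "$command" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    status)
        # -n: numeric output, no reverse-DNS lookup for every address.
        $IPT -L -v -n
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|status}" >&2
        exit 1
        ;;
esac

# Propagate the action's status so init tooling can see a failed start/stop.
rc=$?
exit "$rc"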

--8<--

--
Philippe STRAUSS
http://strauss.pas.nu/




