Interesting stuff.
I'm being somewhat timid and don't have much running or exposed right now.
I'm still deciding some of my topology considerations. And I sort of transitioned to
nft and firewalld because I thought it was prudent or I had to. But, it turns out,
iptables is still there. I guess I'm mostly using nft, but I don't see any big
advantages. I guess there are some tools for translating the rulesets between the
different options.
For the few things I expose, I'm using non-standard ports, so I get to play with
selinux too. Temporarily, I figure a little security by obscurity couldn't hurt.
-Gary
On Mon, Oct 24, 2022 at 03:23:51PM -0600, Linus Sphinx wrote:
Lot to be said for consistency.
#=======
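#!/usr/bin/env bash
#
# iptables firewall script generator v0.1 by sphinx
# January 1st, 2001
#
# Everything below (the `function` keyword, `declare -i`, backticks, `[ ]`)
# is shell, not Tcl, so the tclsh shebang the post carried could not run
# it.  The two settings used Tcl's `set NAME value`, which in bash only
# replaces the positional parameters and leaves $EXTERNALIF/$INTERNALIF
# empty; plain assignments are what the rest of the script reads.
# Set these to your interface names ("none" = no internal interface, i.e.
# standalone mode).
EXTERNALIF="none"
INTERNALIF="none"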
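grok_address() {
  # Parameters: $1 - interface name
  # Outputs:    ADDRESS/MASK on stdout, parsed from the classic net-tools
  #             ifconfig line "inet addr:A.B.C.D  Bcast:...  Mask:M.M.M.M".
  #             When the interface is absent (or the output has another
  #             format) both halves are empty and "/" is printed.
  # The posted version also ran `route -n | grep eth0 ...` into a NET
  # variable that nothing read; the hard-coded eth0 is gone with it.
  local ip mask
  # -w keeps "inet6 addr:" lines out of the IPv4 field being cut.
  ip=$(ifconfig "$1" 2>/dev/null | grep -w inet | cut -d : -f 2 | cut -d ' ' -f 1)
  mask=$(ifconfig "$1" 2>/dev/null | grep Mask | cut -d : -f 4)
  echo "$ip/$mask"
}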
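grok_net() {
  # Parameters: $1 - interface name
  # Outputs:    NET/MASK on stdout: the netmask from the classic net-tools
  #             ifconfig output and the destination of the `route -n` line
  #             that names the interface, carries that mask and has flags
  #             exactly "U".  "/" when the interface is absent.
  local mask net=""
  mask=$(ifconfig "$1" 2>/dev/null | grep Mask | cut -d : -f 4)
  # Only look the route up when a mask was found; an empty pattern would
  # otherwise match every route.  -F: the mask's dots are literal, not
  # regex wildcards.
  if [ -n "$mask" ]; then
    net=$(route -n 2>/dev/null | grep "$1" | grep -F "$mask" | grep -w "U" | cut -d ' ' -f 1)
  fi
  echo "$net/$mask"
}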
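# The posted script calls grok_interface here and for the internal
# interface below but never defines it, so every run aborted with
# "unavailable".  Reconstructed from its call sites, which compare the
# output with "1": print 1 when ifconfig can report on the interface,
# 0 otherwise.
# NOTE(review): whether "ifconfig <if> succeeds" is exactly the check the
# author used cannot be confirmed from this post.
grok_interface() {
  if ifconfig "$1" >/dev/null 2>&1; then
    echo "1"
  else
    echo "0"
  fi
}

printf '%s' "Checking External Interface..."
if [ "$(grok_interface "$EXTERNALIF")" != "1" ]; then
  echo "$EXTERNALIF unavailable. Aborting."
  # ORIGPATH is never assigned in this script; keep the current PATH rather
  # than exporting an empty one on the way out.
  export PATH="${ORIGPATH:-$PATH}"
  # Non-zero so a caller can tell this abort from a completed run.
  exit 1
fi
echo "found $EXTERNALIF"
echo "External Interface Data:"
echo "Address: $(grok_address "$EXTERNALIF")"
echo "Network: $(grok_net "$EXTERNALIF")"

printf '%s' "Checking Internal Interface..."
# Standalone unless an internal interface is both configured and present.
STANDALONE="1"
if [ "$INTERNALIF" = "none" ]; then
  echo "None specified"
  echo "Going to Standalone Mode"
elif [ "$(grok_interface "$INTERNALIF")" != "1" ]; then
  echo "$INTERNALIF unavailable."
  echo "Going to Standalone Mode"
else
  echo "found $INTERNALIF"
  echo "Internal Interface Data:"
  echo "Address: $(grok_address "$INTERNALIF")"
  echo "Network: $(grok_net "$INTERNALIF")"
  STANDALONE="0"
fi

# MASQUERADE is only decided when there is an internal interface; the main
# block does not read it in standalone mode.
if [ "$STANDALONE" = "0" ]; then
  printf '%s' "Checking internal interface for RFC1918"
  # grok_net prints NET/MASK; the first two octets of NET pick the mode.
  internal_netspec=$(grok_net "$INTERNALIF")
  declare -i DOTQUAD1 DOTQUAD2
  DOTQUAD1=$(printf '%s' "$internal_netspec" | cut -f1 -d.)
  DOTQUAD2=$(printf '%s' "$internal_netspec" | cut -f2 -d.)
  # The mail wrapping split the 192.168 and 172.16/12 tests across lines,
  # which left `[` with a dangling "=" and ran `"168" ]` as a command; the
  # tests are rejoined here, with `&&` instead of the obsolescent -a.
  if [ "$DOTQUAD1" = "10" ]; then
    MASQUERADE="1"
    echo "...Class A found"
    echo "Going to Masq Mode"
  elif [ "$DOTQUAD1" = "192" ] && [ "$DOTQUAD2" = "168" ]; then
    MASQUERADE="1"
    echo "...Class C found"
    echo "Going to Masq Mode"
  elif [ "$DOTQUAD1" = "172" ] && [ "$DOTQUAD2" -gt 15 ] && [ "$DOTQUAD2" -lt 32 ]; then
    MASQUERADE="1"
    echo "...Class B found"
    echo "Going to Masq Mode"
  else
    echo "...None found"
    echo "Going to Routable Mode"
    MASQUERADE="0"
  fi
fi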
flush_rulesets() {
  # No parameters.  Empties the filter, nat and mangle tables in that
  # order, printing one dot per table on the progress line.  Only the
  # built-in chains are flushed; no user chains are created elsewhere
  # in this script.
  local table
  printf '%s' "Flushing rulesets.."
  for table in filter nat mangle; do
    iptables -t "$table" -F
    printf '%s' "."
  done
  echo "Done!"
}
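masq_setup() {
  # Parameters: $1 - internal net (NET/MASK)
  #             $2 - external address/mask (the main block passes the
  #                  output of grok_address here, although the posted
  #                  comment called it "externalnet")
  #             $3 - internal interface
  #             $4 - external interface
  # Sets up NAT for the internal net and the FORWARD/INPUT/OUTPUT rules
  # that go with it, then makes FORWARD default-deny.
  # Two comment lines in the post had wrapped onto lines of their own
  # ("interface"), which bash then tried to run as commands.
  local internal_net=$1 external_addr=$2 internal_if=$3 external_if=$4
  printf '%s' "Masquerading.."
  # The internal net may open anything towards the outside.
  iptables -A FORWARD -d 0/0 -s "$internal_net" -o "$external_if" -j ACCEPT
  printf '%s' "."
  # Only packets belonging to those connections come back in.  The posted
  # rule forwarded every packet that arrived on the external interface for
  # the internal net, so anything routable to an RFC1918 address from
  # outside would have been passed through.  Needs the state match
  # (connection tracking) available to iptables.
  iptables -A FORWARD -d "$internal_net" -s 0/0 -i "$external_if" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  printf '%s' "."
  # Masquerade internal traffic leaving on the external interface.
  iptables -t nat -A POSTROUTING -d 0/0 -s "$internal_net" -o "$external_if" -j MASQUERADE
  printf '%s' "."
  # INPUT: the internal net may talk to the firewall itself freely ...
  iptables -A INPUT -d "$internal_net" -s "$internal_net" -i "$internal_if" -j ACCEPT
  printf '%s' "."
  # ... but from outside only replies to the firewall's own connections are
  # accepted here.  The posted rule accepted everything arriving on the
  # external interface, and because it is appended before any DROP in
  # standard_rules, those port blocks could never match.  New inbound
  # connections (e.g. ssh) now fall through to standard_rules instead.
  iptables -A INPUT -d "$external_addr" -s 0/0 -i "$external_if" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  printf '%s' "."
  # OUTPUT: internal-to-internal, internal-to-anywhere, external-to-anywhere.
  iptables -A OUTPUT -d "$internal_net" -s "$internal_net" -j ACCEPT
  printf '%s' "."
  iptables -A OUTPUT -d 0/0 -s "$internal_net" -j ACCEPT
  printf '%s' "."
  iptables -A OUTPUT -d 0/0 -s "$external_addr" -j ACCEPT
  printf '%s' "."
  # Nothing else is forwarded.
  iptables -P FORWARD DROP
  printf '%s' "."
  echo "Done!"
}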
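routable_setup() {
  # Parameters: $1 - internal net (NET/MASK)
  #             $2 - external net (NET/MASK)
  # Forwarding rules for a routed (non-NAT) internal net.  On this path the
  # FORWARD policy is still ACCEPT - reset_policy sets it and set_policy
  # does not touch it - so these rules only take effect if that policy is
  # tightened later.
  local internal_net=$1 external_net=$2
  printf '%s' "Forwarding.."
  # internal <-> internal
  iptables -A FORWARD -s "$internal_net" -d "$internal_net" -j ACCEPT
  printf '%s' "."
  # external net to anywhere.  The posted rule read "-d $0/0": $0 is the
  # script's own name, which iptables would try to resolve as a host.
  iptables -A FORWARD -s "$external_net" -d 0/0 -j ACCEPT
  printf '%s' "."
  # internal net to anywhere.  The posted rule repeated the internal <->
  # internal rule above although its comment said "going outside".
  iptables -A FORWARD -s "$internal_net" -d 0/0 -j ACCEPT
  printf '%s' "."
  # external net to internal net
  iptables -A FORWARD -s "$external_net" -d "$internal_net" -j ACCEPT
  printf '%s' "."
  echo "Done!"
}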
loopback() {
  # No parameters.  Accepts all traffic on the loopback interface in both
  # directions.
  printf '%s' "Loopback..."
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  echo "Done!"
}
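tos_setup() {
  # No parameters.  Marks interactive services for low delay and the ftp
  # data channel for throughput in the mangle table.
  # The posted rules were "-m tos --tos N -A PREROUTING ..." with no -j:
  # that only *matches* packets already carrying TOS N and counts them.
  # The comments ("TOS flags", "Set ftp-data for maximum throughput") ask
  # for the value to be set, which is what the TOS target does.
  local svc
  printf '%s' "TOS flags.."
  # 16 (0x10) = Minimize-Delay
  for svc in www telnet ftp; do
    iptables -t mangle -A PREROUTING -p tcp --dport "$svc" -j TOS --set-tos 16
  done
  printf '%s' "..."
  # 8 (0x08) = Maximize-Throughput for ftp-data
  iptables -t mangle -A PREROUTING -p tcp --dport ftp-data -j TOS --set-tos 8
  printf '%s' "."
  echo "Done!"
}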
outbound_setup() {
  # Parameters: $1 - internal net (NET/MASK)
  # Lets the internal net reach the firewall itself and lets the firewall
  # send to anywhere from the internal net's addresses.
  local net=$1
  printf '%s' "Outbound connections.."
  iptables -A INPUT -s "$net" -d 0/0 -j ACCEPT
  iptables -A OUTPUT -s "$net" -d 0/0 -j ACCEPT
  printf '%s' ".."
  echo "Done!"
}
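standard_rules() {
  # Parameters: $1 - target: the address/mask or net/mask these rules
  #                  protect (the main block passes whatever it put in
  #                  TARGET for the current mode)
  #             $2 - standalone flag ("1" = no internal interface)
  #             $3 - internal interface name
  # Everything here is appended (-A) to INPUT/OUTPUT, so a rule only
  # matters if nothing earlier in the chain matched first.
  # The mail wrapping had pushed the tails of many comment lines onto lines
  # of their own ("Networks -", "-d $1 -j ACCEPT", "ACCEPT", host names ...)
  # which bash then ran as commands; they are folded back into comments.
  local target=$1 standalone=$2 internal_if=$3
  local ports

  # ------------------------------------------------------- Trusted Networks -
  # Add in any rules to specifically allow connections from hosts/nets that
  # would otherwise be blocked, e.g.
  #   printf '%s' "Trusted Networks.."
  #   iptables -A INPUT -p <protocol> --<d/s>port <ports> -s [trusted host/net] -d "$target" -j ACCEPT
  #   echo "Done!"

  # -------------------------------------------------------- Banned Networks -
  # Add in any rules to specifically block connections from hosts/nets that
  # have been known to cause you problems.  These examples still carry
  # ipchains flags (-l, -b) and were never adjusted to iptables:
  #   iptables -A INPUT -l -s [banned host/net] -d $1 <ports> -j DROP
  #   iptables -A INPUT -l -b -i $LOCALIF -p icmp -s [host/net] -d $1 -j DROP

  # --------------------------------------------------- @home-specific rules -
  # This @home stuff is pretty specific to the author (terminus): massive
  # port scans from neighbours and from admins at @home, so all their
  # address space got blocked, with a few exceptions listed below.
  # If someone out there finds out the ip ranges of JUST tci@home, let the
  # author know, so it does not end up blocking ALL cablemodems as it does.
  printf '%s' "Cable Modem Nets.."
  # Mail, proxy and web hosts of the provider, so they stay reachable.
  # Set these to your local servers and uncomment them:
  #   iptables -A INPUT -p tcp --dport 1023:65535 -s ha1.rdc1.wa.home.com -d "$target" -j ACCEPT
  #   iptables -A INPUT -p tcp --dport 1023:65535 -s mail.tcma1.wa.home.com -d "$target" -j ACCEPT
  #   iptables -A INPUT -p tcp --dport 1023:65535 -s www.tcma1.wa.home.com -d "$target" -j ACCEPT
  #   iptables -A INPUT -p tcp --dport 1023:65535 -s proxy.tcma1.wa.home.com -d "$target" -j ACCEPT
  # So the hostnames above can be resolved, allow DNS replies back to us:
  #   iptables -A INPUT -p tcp --dport 1023:65535 -s ns1.home.net -d "$target" -j ACCEPT
  #   iptables -A INPUT -p tcp --dport 1023:65535 -s ns2.home.net -d "$target" -j ACCEPT
  #   iptables -A INPUT -p udp --dport 1023:65535 -s ns1.home.net -d "$target" -j ACCEPT
  #   iptables -A INPUT -p udp --dport 1023:65535 -s ns2.home.net -d "$target" -j ACCEPT
  # linux iptables building script page (I think):
  #   iptables -A INPUT -p tcp --dport 1023:65535 -s 24.128.61.117 -d "$target" -j ACCEPT
  # Non-@home users may want to leave this uncommented, just to block all
  # the wannabe crackers.  Add any @home hosts you want to allow BEFORE
  # these two lines.  Blast all other @home connections into infinity and
  # log them:
  #   iptables -A INPUT -s 24.0.0.0/8 -d "$target" -j LOG
  #   iptables -A INPUT -s 24.0.0.0/8 -d "$target" -j DROP
  # Nuke any connections from @home's portscanners (ops-scan.home.com).
  # Note: these are a moving target - apply locally as required.
  iptables -A INPUT -s 24.0.84.130 -d "$target" -j LOG
  iptables -A INPUT -s 24.0.84.130 -d "$target" -j DROP
  printf '%s' "."
  echo "Done!"

  # ------------------------ Specific port blocks on the external interface -
  # Services that should not be reachable from outside.  Dropping them here
  # does not affect their use within your network.  Only the two backdoor
  # ports at the end are logged to syslog.
  printf '%s' "Port Blocks.."
  #   137:139    NetBEUI/Samba
  #   515        Line Printer Daemon (courtesy of Blair Steenerson <blair(a)steenerson.com>)
  #   1433       Microsoft SQL
  #   5432       Postgres SQL
  #   2049       Network File System
  #   3306       MySQL
  #   5999:6010  X Displays
  #   7100:7101  X Font Server
  for ports in 137:139 515 1433 5432 2049 3306 5999:6010 7100:7101; do
    iptables -A INPUT -p tcp --dport "$ports" -s 0/0 -d "$target" -j DROP
    iptables -A INPUT -p udp --dport "$ports" -s 0/0 -d "$target" -j DROP
    printf '%s' "."
  done
  #   31337        Back Orifice (logged)
  #   12345:12346  NetBus (logged)
  for ports in 31337 12345:12346; do
    iptables -A INPUT -p tcp --dport "$ports" -s 0/0 -d "$target" -j LOG
    iptables -A INPUT -p tcp --dport "$ports" -s 0/0 -d "$target" -j DROP
    iptables -A INPUT -p udp --dport "$ports" -s 0/0 -d "$target" -j LOG
    iptables -A INPUT -p udp --dport "$ports" -s 0/0 -d "$target" -j DROP
    printf '%s' "."
  done
  echo "Done!"

  # --------------------------------------------------- High Unprivileged ports -
  # The posted script accepted every packet to 1023:65535 from anywhere so
  # that replies to the firewall's own connections could get in; that also
  # exposed every listening service above 1023, with the port blocks above
  # as the only exceptions.  Let connection tracking admit replies instead
  # and leave unsolicited high-port traffic to the INPUT policy.  RELATED
  # covers the ftp data channel only when the ftp conntrack helper is
  # loaded.
  printf '%s' "High Ports.."
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -s 0/0 -d "$target" -j ACCEPT
  printf '%s' "."
  echo "Done!"

  # ---------------------------------------------------------- Basic Services -
  printf '%s' "Services.."
  # ftp-data (20) and ftp (21)
  #   iptables -A INPUT -p tcp --dport 20 -s 0/0 -d "$target" -j ACCEPT
  #   iptables -A INPUT -p tcp --dport 21 -s 0/0 -d "$target" -j ACCEPT
  # ssh (22)
  iptables -A INPUT -p tcp --dport 22 -s 0/0 -d "$target" -j ACCEPT
  printf '%s' "."
  # telnet (23)
  #   iptables -A INPUT -p tcp --dport 23 -s 0/0 -d "$target" -j ACCEPT
  # smtp (25)
  #   iptables -A INPUT -p tcp --dport 25 -s 0/0 -d "$target" -j ACCEPT
  # DNS (53)
  #   iptables -A INPUT -p tcp --dport 53 -s 0/0 -d "$target" -j ACCEPT
  #   iptables -A INPUT -p udp --dport 53 -s 0/0 -d "$target" -j ACCEPT
  if [ "$standalone" != "1" ]; then
    # DHCP on the LAN side (to make @Home DHCP work) (67/68).  Uncomment to
    # use; the OUTPUT rule is given with -o, as OUTPUT cannot match -i.
    #   iptables -A INPUT -i "$internal_if" -p udp --dport 67 -s 0/0 -d 255.255.255.255/24 -j ACCEPT
    #   iptables -A OUTPUT -o "$internal_if" -p udp --dport 68 -s 0/0 -d 255.255.255.255/24 -j ACCEPT
    printf '%s' ".."
  fi
  # http (80)
  #   iptables -A INPUT -p tcp --dport 80 -s 0/0 -d "$target" -j ACCEPT
  # POP-3 (110)
  #   iptables -A INPUT -p tcp --dport 110 -s 0/0 -d "$target" -j ACCEPT
  # identd (113)
  #   iptables -A INPUT -p tcp --dport 113 -s 0/0 -d "$target" -j ACCEPT
  # nntp (119)
  #   iptables -A INPUT -p tcp --dport 119 -s 0/0 -d "$target" -j ACCEPT
  # https (443)
  #   iptables -A INPUT -p tcp --dport 443 -s 0/0 -d "$target" -j ACCEPT
  # ICQ Services (it's a server service) (4000)
  #   iptables -A INPUT -p tcp --dport 4000 -s 0/0 -d "$target" -j ACCEPT
  echo "Done!"

  # -------------------------------------------------------------------- ICMP -
  printf '%s' "ICMP Rules.."
  # Use this to DROP ICMP attacks from specific addresses:
  #   iptables -A INPUT -i $EXTERNALIF -p icmp -s <address> -d 0/0 -j DROP
  # Allow incoming ICMP
  iptables -A INPUT -p icmp -s 0/0 -d "$target" -j ACCEPT
  printf '%s' ".."
  # Allow outgoing ICMP
  iptables -A OUTPUT -p icmp -s "$target" -d 0/0 -j ACCEPT
  printf '%s' "...."
  echo "Done!"
}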
reset_policy() {
  # No parameters.  Opens the three built-in filter chains again so the
  # flush that follows cannot leave the box unreachable part-way through.
  local chain
  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" ACCEPT
  done
}
set_policy() {
  # No parameters.  Default-deny for traffic to and from the firewall host.
  # FORWARD is deliberately left alone: masq_setup sets it to DROP itself,
  # and in the other modes it keeps the ACCEPT that reset_policy gave it.
  # NOTE(review): with OUTPUT defaulting to DROP, standalone mode appears
  # to add only the loopback and ICMP OUTPUT rules (outbound_setup runs on
  # the routable path only), so the host would have no TCP/UDP egress there.
  local chain
  for chain in INPUT OUTPUT; do
    iptables -P "$chain" DROP
  done
}
set_timeouts() {
  # No parameters.  Placeholder: the masquerade timeout call below is still
  # the ipchains form and has not been adjusted for iptables, so only the
  # progress message is printed.
  printf '%s' "Setting iptables timeout for tcp tcpfin udp.. "
  #iptables -M -S 3600 150 1000
  echo "Done!"
}
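# Main: open everything, flush, then build the rule set for the mode that
# the interface checks above selected.  TARGET is what standard_rules
# protects; note it is an address/mask only in masq mode and a net/mask in
# the other two (the posted script did the same).
reset_policy
flush_rulesets
if [ "$STANDALONE" = "1" ]; then
  TARGET=$(grok_net "$EXTERNALIF")
elif [ "$MASQUERADE" = "1" ]; then
  TARGET=$(grok_address "$EXTERNALIF")
  INTERNALNET=$(grok_net "$INTERNALIF")
  EXTERNALNET=$(grok_net "$EXTERNALIF")
  set_timeouts
  masq_setup "$INTERNALNET" "$TARGET" "$INTERNALIF" "$EXTERNALIF"
else
  TARGET=$(grok_net "$INTERNALIF")
  INTERNALNET=$(grok_net "$INTERNALIF")
  EXTERNALNET=$(grok_net "$EXTERNALIF")
  outbound_setup "$INTERNALNET"
  routable_setup "$INTERNALNET" "$EXTERNALNET"
fi
tos_setup
loopback
standard_rules "$TARGET" "$STANDALONE" "$INTERNALIF"
#configure_vpn $INTERNALNET $EXTERNALNET
# Default-deny last, once every ACCEPT rule is in place.
set_policy
# ORIGPATH is never assigned in this script; keep the current PATH rather
# than exporting an empty one.
export PATH="${ORIGPATH:-$PATH}"
exit 0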