MRKAVANA (mrkavana@gmail.com) - www.facebook.com/kavanathai

Sep 23, 2011

Script IPTABLES for WEB server firewall

#!/bin/sh
#
# ----------------------------------------------------------------------------
# Last modified by Gerhard Mourani:  10-10-2000
# ----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999  Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development.  This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis.  He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/firewall.
# chkconfig: - 60 95
# description: Starts and stops the IPCHAINS Firewall \
#              used to provide Firewall network services.

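# Source the init-script function library (provides helpers such as `status`).
. /etc/rc.d/init.d/functions

# Source the networking configuration; it is expected to set NETWORKING.
. /etc/sysconfig/network

# Do nothing when networking is disabled.
# The expansion is quoted and defaulted so that an unset or empty NETWORKING
# no longer makes `[` fail with a syntax error; as before, anything other
# than the literal "no" lets the script continue.
if [ "${NETWORKING:-}" = "no" ]; then
    exit 0
fi

# Nothing to do when the ipchains binary is missing or not executable.
# NOTE(review): this exits 0 silently, so a host without ipchains reports
# success while running with no packet filter at all -- confirm that is the
# intended behaviour for this init script.
if [ ! -x /sbin/ipchains ]; then
    exit 0
fi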

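# Dispatch on the init-script action given in $1.
#
#   start           flush the filter and install the rule set below
#   stop            flush the filter and reset every policy to ACCEPT
#   status          delegate to the `status` helper sourced from functions
#   restart|reload  run stop followed by start
#
# NOTE(review): ipchains is the Linux 2.2-era packet filter and is stateless.
# Every service below is therefore expressed as an explicit request/response
# rule pair, and "! -y" (SYN not set) is the only way the rules distinguish
# replies from new connections.
case "$1" in
  start)
    echo -n "Starting Firewalling Services: "

    # Some definitions for easy maintenance.

    # ------------------------------------------------------------------------
    #  EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
    #  The my.* values are placeholders; rules that use them fail to load
    #  until real addresses are filled in.

    EXTERNAL_INTERFACE="eth0"               # Internet connected interface
    LOOPBACK_INTERFACE="lo"                 # Your local naming convention
    IPADDR="my.ip.address"                  # Your IP address
    ANYWHERE="any/0"                        # Match any IP address
    NAMESERVER_1="my.name.server.1"         # Everyone must have at least one
    NAMESERVER_2="my.name.server.2"         # Your secondary name server

    # MY_ISP is used by the incoming-traceroute rule further down but was
    # never defined, so that ACCEPT rule expanded to a malformed command.
    MY_ISP="my.isp.address.range/24"        # Your ISP's address range

    SMTP_SERVER="my.smtp.server"            # Your Mail Hub Server.
    SYSLOG_SERVER="syslog.internal.server"  # Your syslog internal server
    SYSLOG_CLIENT="sys.int.client.range/24" # Your syslog internal client range

    LOOPBACK="127.0.0.0/8"                  # Reserved loopback address range
    CLASS_A="10.0.0.0/8"                    # Class A private networks
    CLASS_B="172.16.0.0/12"                 # Class B private networks
    CLASS_C="192.168.0.0/16"                # Class C private networks
    CLASS_D_MULTICAST="224.0.0.0/4"         # Class D multicast addresses
    # Class E is 240.0.0.0/4; the former /5 only covered 240-247.
    CLASS_E_RESERVED_NET="240.0.0.0/4"      # Class E reserved addresses
    BROADCAST_SRC="0.0.0.0"                 # Broadcast source address
    BROADCAST_DEST="255.255.255.255"        # Broadcast destination address
    PRIVPORTS="0:1023"                      # Well known, privileged port range
    UNPRIVPORTS="1024:65535"                # Unprivileged port range

    # ------------------------------------------------------------------------

    # SSH starts at 1023 and works down to 513 for
    # each additional simultaneous incoming connection.
    SSH_PORTS="1022:1023"                   # range for SSH privileged ports

    # traceroute usually uses -S 32769:65535 -D 33434:33523
    TRACEROUTE_SRC_PORTS="32769:65535"
    TRACEROUTE_DEST_PORTS="33434:33523"

    # ------------------------------------------------------------------------
    # Default policy is DENY
    # Explicitly accept desired INCOMING & OUTGOING connections

    # Remove all existing rules belonging to this filter
    ipchains -F

    # Delete all user-defined chains
    ipchains -X

    # Set the default policy of the filter to deny.
    # Don't even bother sending an error message back.
    ipchains -P input   DENY
    ipchains -P output  DENY
    ipchains -P forward DENY

    # ------------------------------------------------------------------------
    # LOOPBACK

    # Unlimited traffic on the loopback interface.
    ipchains -A input  -i "$LOOPBACK_INTERFACE" -j ACCEPT
    ipchains -A output -i "$LOOPBACK_INTERFACE" -j ACCEPT

    # ------------------------------------------------------------------------
    # Blocked sites

    # /etc/rc.d/rc.firewall.blocked contains a list of
    # ipchains -A input  -i $EXTERNAL_INTERFACE -s address -j DENY
    # rules to block from any access.
    # The file is sourced, i.e. executed as root: if this is enabled, keep
    # the file owned by root and not writable by anyone else.

    # Refuse any connection from problem sites
    #if [ -f /etc/rc.d/rc.firewall.blocked ]; then
    #    . /etc/rc.d/rc.firewall.blocked
    #fi

    # ------------------------------------------------------------------------
    # SPOOFING & BAD ADDRESSES
    # Refuse spoofed packets.
    # Ignore blatantly illegal source addresses.
    # Protect yourself from sending to bad addresses.
    # These rules carry no -i, so they apply to every interface; they sit
    # after the loopback ACCEPT rules above.

    # Refuse incoming packets pretending to be from the external address.
    ipchains -A input   -s "$IPADDR" -j DENY -l

    # Refuse incoming packets claiming to be from a Class A or B private
    # network.  The Class C (192.168.0.0/16) rule is deliberately left
    # disabled here; enable it unless the host really receives traffic
    # from that range.
    ipchains -A input   -s "$CLASS_A" -j DENY
    ipchains -A input   -s "$CLASS_B" -j DENY
#    ipchains -A input   -s $CLASS_C -j DENY

    # Refuse packets whose source is the broadcast destination address or
    # whose destination is the broadcast source address.
    ipchains -A input   -s "$BROADCAST_DEST" -j DENY -l
    ipchains -A input   -d "$BROADCAST_SRC" -j DENY -l

    # Refuse Class D multicast addresses
    # Multicast is illegal as a source address.
    # Multicast uses UDP.
    ipchains -A input   -s "$CLASS_D_MULTICAST" -j DENY

    # Refuse Class E reserved IP addresses
    ipchains -A input   -s "$CLASS_E_RESERVED_NET" -j DENY -l

    # Refuse addresses defined as reserved by the IANA.
    # Note:  this list includes the loopback, multicast, & reserved addresses.
    # The following are based on reservations as listed by IANA as of 10/10/2000.
    # Please regularly check at http://www.iana.org/ for the latest status.
    #
    # NOTE(review): this list is a snapshot from 2000.  Most of the /8 blocks
    # below have since been allocated and carry ordinary traffic, so loading
    # it unchanged drops (and logs) legitimate clients of a public web
    # server.  Rebuild it from the current IANA IPv4 registry before use.

    # 0.*.*.*           - Can't be blocked for DHCP users.
    # 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
    # 31.*.*.*, 36.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*
    # 49-50.*.*.*, 58-60.*.*.*
    # 67-127.*.*.*
    # 169.254.*.*       - Link Local Networks
    # 192.0.2.*         - TEST-NET
    # 197.*.*.*, 217-255.*.*.*

    ipchains -A input   -s 0.0.0.0/8 -j DENY -l
    ipchains -A input   -s 1.0.0.0/8 -j DENY -l
    ipchains -A input   -s 2.0.0.0/8 -j DENY -l
    ipchains -A input   -s 5.0.0.0/8 -j DENY -l
    ipchains -A input   -s 7.0.0.0/8 -j DENY -l
    ipchains -A input   -s 23.0.0.0/8 -j DENY -l
    ipchains -A input   -s 27.0.0.0/8 -j DENY -l
    ipchains -A input   -s 31.0.0.0/8 -j DENY -l
    ipchains -A input   -s 36.0.0.0/8 -j DENY -l
    ipchains -A input   -s 37.0.0.0/8 -j DENY -l
    ipchains -A input   -s 39.0.0.0/8 -j DENY -l
    ipchains -A input   -s 41.0.0.0/8 -j DENY -l
    ipchains -A input   -s 42.0.0.0/8 -j DENY -l
    ipchains -A input   -s 49.0.0.0/8 -j DENY -l
    ipchains -A input   -s 50.0.0.0/8 -j DENY -l
    ipchains -A input   -s 58.0.0.0/7 -j DENY -l
    ipchains -A input   -s 60.0.0.0/8 -j DENY -l
    ipchains -A input   -s 67.0.0.0/8 -j DENY -l
    ipchains -A input   -s 68.0.0.0/6 -j DENY -l
    ipchains -A input   -s 72.0.0.0/5 -j DENY -l
    ipchains -A input   -s 80.0.0.0/4 -j DENY -l
    ipchains -A input   -s 96.0.0.0/3 -j DENY -l
    ipchains -A input   -s 169.254.0.0/16 -j DENY -l
    ipchains -A input   -s 192.0.2.0/24 -j DENY -l
    ipchains -A input   -s 197.0.0.0/8 -j DENY -l
    ipchains -A input   -s 218.0.0.0/7 -j DENY -l
    ipchains -A input   -s 220.0.0.0/6 -j DENY -l
    ipchains -A input   -s 224.0.0.0/3 -j DENY -l

    # ------------------------------------------------------------------------
    # ICMP

    #    To prevent denial of service attacks based on ICMP bombs, filter
    #    incoming Redirect (5) and outgoing Destination Unreachable (3).
    #    Note, however, disabling Destination Unreachable (3) is not
    #    advisable, as it is used to negotiate packet fragment size.

    # For bi-directional ping.
    #     Message Types:  Echo_Reply (0),  Echo_Request (8)
    #     To prevent attacks, limit the src addresses to your ISP range.
    #
    # For outgoing traceroute.
    #     Message Types:  INCOMING Dest_Unreachable (3), Time_Exceeded (11)
    #     default UDP base: 33434 to base+nhops-1
    #
    # For incoming traceroute.
    #     Message Types:  OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
    #     To block this, deny OUTGOING 3 and 11

    #  0: echo-reply (pong)
    #  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
    #  4: source-quench
    #  5: redirect
    #  8: echo-request (ping)
    # 11: time-exceeded
    # 12: parameter-problem

    # Incoming ICMP: replies and error messages only.  No incoming
    # echo-request rule exists, so this host does not answer pings.
    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p icmp  \
             --icmp-type echo-reply \
             -d "$IPADDR" -j ACCEPT

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p icmp  \
             --icmp-type destination-unreachable \
             -d "$IPADDR" -j ACCEPT

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p icmp  \
             --icmp-type source-quench \
             -d "$IPADDR" -j ACCEPT

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p icmp  \
             --icmp-type time-exceeded \
             -d "$IPADDR" -j ACCEPT

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p icmp  \
             --icmp-type parameter-problem \
             -d "$IPADDR" -j ACCEPT

    # Outgoing ICMP.  The ICMP type name is given in the source-port
    # position after the source address.
    ipchains -A output -i "$EXTERNAL_INTERFACE" -p icmp  \
             -s "$IPADDR" fragmentation-needed -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p icmp  \
             -s "$IPADDR" source-quench -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p icmp  \
             -s "$IPADDR" echo-request -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p icmp  \
             -s "$IPADDR" parameter-problem -j ACCEPT

    # ------------------------------------------------------------------------
    # UDP INCOMING TRACEROUTE
    # traceroute usually uses -S 32769:65535 -D 33434:33523
    # Accepted (and logged) from the ISP range only; the same probe from
    # anywhere else is denied and logged.

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p udp \
             -s "$MY_ISP" "$TRACEROUTE_SRC_PORTS" \
             -d "$IPADDR" "$TRACEROUTE_DEST_PORTS" -j ACCEPT -l

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p udp \
             -s "$ANYWHERE" "$TRACEROUTE_SRC_PORTS" \
             -d "$IPADDR" "$TRACEROUTE_DEST_PORTS" -j DENY -l

    # ------------------------------------------------------------------------
    # DNS forwarding, caching only nameserver (53)
    # --------------------------------------------

    # server to server query or response
    # Caching only name server only requires UDP, not TCP

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p udp \
             -s "$NAMESERVER_1" 53 \
             -d "$IPADDR" 53 -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
             -s "$IPADDR" 53 \
             -d "$NAMESERVER_1" 53 -j ACCEPT

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p udp \
             -s "$NAMESERVER_2" 53 \
             -d "$IPADDR" 53 -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
             -s "$IPADDR" 53 \
             -d "$NAMESERVER_2" 53 -j ACCEPT

    # DNS client (53)
    # ---------------
    # UDP has no SYN flag to test, so these input rules trust the source
    # address and port alone.
    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p udp \
             -s "$NAMESERVER_1" 53 \
             -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
             -s "$IPADDR" "$UNPRIVPORTS" \
             -d "$NAMESERVER_1" 53 -j ACCEPT

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p udp \
             -s "$NAMESERVER_2" 53 \
             -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
             -s "$IPADDR" "$UNPRIVPORTS" \
             -d "$NAMESERVER_2" 53 -j ACCEPT

    # TCP client to server requests are allowed by the protocol
    # if UDP requests fail. This is rarely seen. Usually TCP is used by
    # secondary nameservers for zone transfers from their primary
    # nameservers, and by attackers.
    # Only replies (! -y) are accepted inbound; this host opens the
    # connection.

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
             -s "$NAMESERVER_1" 53 \
             -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
             -s "$IPADDR" "$UNPRIVPORTS" \
             -d "$NAMESERVER_1" 53 -j ACCEPT

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
             -s "$NAMESERVER_2" 53 \
             -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
             -s "$IPADDR" "$UNPRIVPORTS" \
             -d "$NAMESERVER_2" 53 -j ACCEPT

    # ------------------------------------------------------------------------
    # TCP accept only on selected ports
    # ---------------------------------
    # ------------------------------------------------------------------

    # SSH server (22)
    # ---------------
    # Reachable from any address.  Where the administrative source
    # addresses are known, replace $ANYWHERE with them in these rules.

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p tcp \
             -s "$ANYWHERE" "$UNPRIVPORTS" \
             -d "$IPADDR" 22 -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
             -s "$IPADDR" 22 \
             -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p tcp \
             -s "$ANYWHERE" "$SSH_PORTS" \
             -d "$IPADDR" 22 -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
             -s "$IPADDR" 22 \
             -d "$ANYWHERE" "$SSH_PORTS" -j ACCEPT


    # ------------------------------------------------------------------

    # HTTP server (80)
    # ----------------

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p tcp \
             -s "$ANYWHERE" "$UNPRIVPORTS" \
             -d "$IPADDR" 80 -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
             -s "$IPADDR" 80 \
             -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT

    # ------------------------------------------------------------------

    # HTTPS server (443)
    # ------------------

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p tcp \
             -s "$ANYWHERE" "$UNPRIVPORTS" \
             -d "$IPADDR" 443 -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
             -s "$IPADDR" 443 \
             -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT

    # ------------------------------------------------------------------

    # SYSLOG server (514)
    # -----------------

    # Provides full remote logging. Using this feature you're able to
    # control all syslog messages on one host.

#    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
#             -s $SYSLOG_CLIENT \
#             -d $IPADDR 514 -j ACCEPT

    # SYSLOG client (514)
    # -----------------

#    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
#             -s $IPADDR 514 \
#             -d $SYSLOG_SERVER 514 -j ACCEPT

    # ------------------------------------------------------------------

    # AUTH server (113)
    # -----------------

    # Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
    # REJECT answers the sender immediately instead of leaving it to time
    # out on its ident lookup.

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p tcp \
             -s "$ANYWHERE" \
             -d "$IPADDR" 113 -j REJECT

    # ------------------------------------------------------------------

    # SMTP client (25)
    # ----------------
    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
             -s "$SMTP_SERVER" 25 \
             -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
             -s "$IPADDR" "$UNPRIVPORTS" \
             -d "$SMTP_SERVER" 25 -j ACCEPT

    # ------------------------------------------------------------------

    # FTP server (20, 21)
    # -------------------

    # incoming request

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p tcp \
             -s "$ANYWHERE" "$UNPRIVPORTS" \
             -d "$IPADDR" 21 -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
             -s "$IPADDR" 21 \
             -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT

    # PORT MODE data channel responses
    #
    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
             -s "$ANYWHERE" "$UNPRIVPORTS" \
             -d "$IPADDR" 20 -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
             -s "$IPADDR" 20 \
             -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT

    # PASSIVE MODE data channel responses
    #
    # NOTE(review): the input rule below has no "! -y", so it accepts NEW
    # inbound TCP connections to every unprivileged port on this host.
    # Anything listening on 1024:65535 (databases, application servers,
    # admin consoles) is therefore reachable from anywhere, whether or not
    # an FTP session exists.  ipchains cannot tie the data channel to a
    # control connection; if passive FTP is required, pin the FTP daemon
    # to a small passive port range and narrow the destination range here,
    # otherwise disable this rule pair.

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p tcp \
             -s "$ANYWHERE" "$UNPRIVPORTS" \
             -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

    ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
             -s "$IPADDR" "$UNPRIVPORTS" \
             -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT

    # ------------------------------------------------------------------
    # OUTGOING TRACEROUTE
    # -------------------
    ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
             -s "$IPADDR" "$TRACEROUTE_SRC_PORTS" \
             -d "$ANYWHERE" "$TRACEROUTE_DEST_PORTS" -j ACCEPT

    # ------------------------------------------------------------------------
    # Enable logging for selected denied packets
    # These catch-all rules come last: whatever was not accepted above is
    # dropped and written to the kernel log (-l).

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p tcp  -j DENY -l

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p udp  \
             --destination-port "$PRIVPORTS" -j DENY -l

    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p udp  \
             --destination-port "$UNPRIVPORTS" -j DENY -l


    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p icmp  \
             --icmp-type 5 -j DENY -l
    ipchains -A input  -i "$EXTERNAL_INTERFACE" -p icmp  \
             --icmp-type 13:255 -j DENY -l

    ipchains -A output -i "$EXTERNAL_INTERFACE"  -j REJECT -l

    # ------------------------------------------------------------------------

    ;;
  stop)
    echo -n "Shutting Firewalling Services: "

    # NOTE(review): stopping fails open.  After this arm runs, every chain
    # accepts everything, and restart|reload passes through this state
    # between its stop and start steps.

    # Remove all existing rules belonging to this filter
    ipchains -F

    # Delete all user-defined chains
    ipchains -X

    # Reset the default policy of the filter to accept.
    ipchains -P input   ACCEPT
    ipchains -P output  ACCEPT
    ipchains -P forward ACCEPT

    ;;
  status)
    # `status` comes from the sourced function library.
    # NOTE(review): it is asked about a program called "firewall"; this
    # script starts no such process, so the answer presumably says nothing
    # about the loaded rules -- confirm, or list them with `ipchains -L -n`.
    status firewall
    ;;
  restart|reload)
    # Quoted so a script path containing spaces is still re-invoked.
    "$0" stop
    "$0" start
    ;;
  *)
    echo "Usage: firewall {start|stop|status|restart|reload}"
    exit 1
    ;;
esac

exit 0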

