1#!/bin/sh
2#
3# Generated iptables firewall script for the Linux 2.4 kernel and later.
4# Script generated by Easy Firewall Generator for IPTables 1.15
5# copyright 2002 Timothy Scott Morizot
6# Modified for Slackware Linux by Eric Hameleers <alien@slackware.com>
7#
8# This generator is adapted from the original to work on Slackware Linux.
9# Basically, I corrected the path name to the iptables* commands
10# and re-wrote this comment.
11#
12# It can be executed with the typical start and stop arguments.
13# If used with stop, it will stop after flushing the firewall.
14# The save and restore arguments will save or restore the rules
15# from the /etc/sysconfig/iptables file. The save and restore
16# arguments are included to preserve compatibility with
17# Redhat's or Fedora's init.d script if you prefer to use it.
18
19# You may want to save this script as /etc/rc.d/rc.firewall
20# and make it executable, like this:
21# chmod +x /etc/rc.d/rc.firewall
22# Slackware Linux will then automatically run this script
23# with the "start" parameter.
24
25###############################################################################
26#
27# Local Settings
28#
29
30# sysctl location. If set, it will use sysctl to adjust the kernel parameters.
31# If this is set to the empty string (or is unset), the use of sysctl
32# is disabled.
33
# SYSCTL is expanded *unquoted* by the kernel-parameter blocks further down,
# on purpose: it holds the command plus its "-w" option.
SYSCTL="/sbin/sysctl -w"

# To echo the value directly to the /proc file instead
# SYSCTL=""

# IPTables Location - adjust if needed
# (absolute paths on purpose: an rc script must not depend on PATH)

IPT="/usr/sbin/iptables"
IP6T="/usr/sbin/ip6tables"
IPTS="/usr/sbin/iptables-save"
IP6TS="/usr/sbin/ip6tables-save"
IPTR="/usr/sbin/iptables-restore"
IP6TR="/usr/sbin/ip6tables-restore"

# Internet Interface
# "+" is the iptables interface wildcard, so *every* interface is treated
# as the untrusted side.  Consequently each port opened in tcp_inbound /
# udp_inbound below is reachable from every network this host is attached
# to.  Set this to the real uplink (e.g. "eth0") if other interfaces are
# trusted and should get rules of their own.
INET_IFACE="+"

# Localhost Interface
# LO_IFACE is used for -i/-o matches, LO_IP/LO_IP6 for the -s match in OUTPUT.

LO_IFACE="lo"
LO_IP="127.0.0.1"
LO_IP6="::1"
56
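# Save and Restore arguments handled here.
#
# "save" dumps the current IPv4 and IPv6 rulesets with iptables-save /
# ip6tables-save into SAVE_DIR; "restore" loads them back with the *-restore
# tools.  Only netfilter rules are covered: the kernel parameters set further
# down are not part of the saved state, so after "restore" on a fresh boot
# they stay at the kernel defaults until "start" has run.
SAVE_DIR="/etc/sysconfig"

# save_ruleset SAVE_CMD FILE
#   Run SAVE_CMD (an iptables-save style command) and store its output in
#   FILE.  The output goes to a temporary file next to FILE and is moved into
#   place only if SAVE_CMD succeeded, so a failing save (not root, tables not
#   loaded) cannot truncate a previously good file.  Returns non-zero on
#   failure.
save_ruleset() {
  tmp=$(mktemp "$2.XXXXXX") || return 1
  if $1 > "$tmp"
  then
    mv -f "$tmp" "$2"
  else
    rm -f "$tmp"
    return 1
  fi
}

# restore_ruleset RESTORE_CMD FILE
#   Feed FILE to RESTORE_CMD (iptables-restore style).  A missing or
#   unreadable FILE is an error: skipping it silently would leave that
#   address family with whatever rules happen to be loaded.
restore_ruleset() {
  if [ ! -r "$2" ]
  then
    echo "$2: cannot read saved ruleset" >&2
    return 1
  fi
  $1 < "$2"
}

if [ "$1" = "save" ]
then
  printf 'Saving firewall to %s/iptables ... ' "$SAVE_DIR"
  # The saved rules describe the exposed services in detail: keep them
  # readable by root only.  Slackware does not ship /etc/sysconfig, hence
  # the mkdir.
  umask 077
  mkdir -p "$SAVE_DIR" || exit 1
  status=0
  save_ruleset "$IPTS" "$SAVE_DIR/iptables" || status=1
  save_ruleset "$IP6TS" "$SAVE_DIR/ip6tables" || status=1
  if [ "$status" -eq 0 ]; then echo "done"; else echo "FAILED"; fi
  exit "$status"
elif [ "$1" = "restore" ]
then
  printf 'Restoring firewall from %s/iptables ... ' "$SAVE_DIR"
  status=0
  restore_ruleset "$IPTR" "$SAVE_DIR/iptables" || status=1
  restore_ruleset "$IP6TR" "$SAVE_DIR/ip6tables" || status=1
  if [ "$status" -eq 0 ]; then echo "done"; else echo "FAILED"; fi
  exit "$status"
fi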
73
74###############################################################################
75#
76# Load Modules
77#
78
# Progress message for the module-loading section below.
printf '%s\n' "Loading kernel modules ..."
80
81# You should uncomment the line below and run it the first time just to
82# ensure all kernel module dependencies are OK. There is no need to run
83# every time, however.
84
85# /sbin/depmod -a
86
87# Unless you have kernel module auto-loading disabled, you should not
88# need to manually load each of these modules. Other than ip_tables,
89# ip_conntrack, and some of the optional modules, I've left these
90# commented by default. Uncomment if you have any problems or if
91# you have disabled module autoload. Note that some modules must
92# be loaded by another kernel module.
93
94# core netfilter module
95# /sbin/modprobe ip_tables
96
97# the stateful connection tracking module
98# /sbin/modprobe ip_conntrack
99
100# filter table module
101# /sbin/modprobe iptable_filter
102
103# mangle table module
104# /sbin/modprobe iptable_mangle
105
106# nat table module
107# /sbin/modprobe iptable_nat
108
109# LOG target module
110# /sbin/modprobe ipt_LOG
111
112# This is used to limit the number of packets per sec/min/hr
113# /sbin/modprobe ipt_limit
114
115# masquerade target module
116# /sbin/modprobe ipt_MASQUERADE
117
118# filter using owner as part of the match
119# /sbin/modprobe ipt_owner
120
121# REJECT target drops the packet and returns an ICMP response.
122# The response is configurable. By default, connection refused.
123# /sbin/modprobe ipt_REJECT
124
125# This target allows packets to be marked in the mangle table
126# /sbin/modprobe ipt_mark
127
128# This target affects the TCP MSS
129# /sbin/modprobe ipt_tcpmss
130
131# This match allows multiple ports instead of a single port or range
132# /sbin/modprobe multiport
133
# This match checks the connection tracking state (NEW/ESTABLISHED/...), not the TCP flags
135# /sbin/modprobe ipt_state
136
137# This match catches packets with invalid flags
138# /sbin/modprobe ipt_unclean
139
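# Connection-tracking helpers.  The ftp helper (plus its NAT counterpart) is
# required for non-PASV ftp through this host; the irc helper tracks DCC.
# Older kernels name these ip_nat_ftp / ip_conntrack_ftp / ip_conntrack_irc,
# kernels since roughly the 2.6.2x series use the nf_* names; the current
# name is tried first, then the old one.
#
# NOTE(review): a loaded helper creates RELATED "expectations" for ports it
# parses out of the control connection, and the INPUT chain below accepts
# ESTABLISHED,RELATED on every interface.  Load only the helpers that are
# really needed, and on kernels that still auto-assign helpers to ports
# (net.netfilter.nf_conntrack_helper=1) consider pinning them explicitly
# with "-t raw ... -j CT --helper" instead of relying on automatic
# assignment.
MODPROBE="/sbin/modprobe"

# load_module NEW_NAME OLD_NAME
#   modprobe NEW_NAME; if that fails (module unknown on this kernel), fall
#   back to OLD_NAME.  Errors from the fallback are shown, as before.
load_module() {
  $MODPROBE "$1" 2>/dev/null || $MODPROBE "$2"
}

load_module nf_nat_ftp ip_nat_ftp
load_module nf_conntrack_ftp ip_conntrack_ftp
load_module nf_conntrack_irc ip_conntrack_irc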
148
149
150###############################################################################
151#
152# Kernel Parameter Configuration
153#
154# See http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
155# for a detailed tutorial on sysctl and the various settings
156# available.
157
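# Kernel parameters are set through one helper so that the SYSCTL choice
# made at the top of the file is honoured in a single place.
#
# sysctl_proc_path NAME
#   Print the /proc/sys file that corresponds to the dotted sysctl NAME
#   (net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward).  Dots become
#   directory separators; none of the names used here embed an interface
#   name that itself contains a dot (e.g. "eth0.100"), which would need
#   special handling.
sysctl_proc_path() {
  printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# set_kernel_param NAME VALUE
#   Set kernel parameter NAME to VALUE.  With SYSCTL set this runs
#   "$SYSCTL NAME=VALUE"; with SYSCTL empty it writes VALUE straight into
#   the /proc/sys file.  Failures (e.g. an IPv6 parameter on a kernel
#   without IPv6) are reported by sysctl / the shell but are not fatal,
#   which is how the original if/else blocks behaved as well.
set_kernel_param() {
  if [ "$SYSCTL" = "" ]
  then
    echo "$2" > "$(sysctl_proc_path "$1")"
  else
    # SYSCTL is intentionally unquoted: it is a command plus its options.
    $SYSCTL "$1=$2"
  fi
}

# Required to enable IPv4 forwarding.
# Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true
# Alternatively, it can be set in /etc/sysctl.conf
# set_kernel_param net.ipv4.ip_forward 1

# This enables dynamic address hacking.
# This may help if you have a dynamic IP address (e.g. slip, ppp, dhcp).
# set_kernel_param net.ipv4.ip_dynaddr 1

# This enables SYN flood protection.
# The SYN cookies activation allows your system to accept an unlimited
# number of TCP connections while still trying to give reasonable
# service during a denial of service attack.
set_kernel_param net.ipv4.tcp_syncookies 1

# This enables source validation by reversed path according to RFC1812.
# In other words, did the response packet originate from the same interface
# through which the source packet was sent? It's recommended for single-homed
# systems and routers on stub networks. Since those are the configurations
# this firewall is designed to support, it is on by default.
# Turn it off if you use multiple NICs connected to the same network.
# (IPv4 only; IPv6 has no rp_filter sysctl, the "rpfilter" iptables match
# is the equivalent there.)
set_kernel_param net.ipv4.conf.all.rp_filter 1

# This option allows a subnet to be firewalled with a single IP address.
# It's used to build a DMZ. Since that's not a focus of this firewall
# script, it's not enabled by default, but is included for reference.
# See: http://www.sjdjweis.com/linux/proxyarp/
# set_kernel_param net.ipv4.conf.all.proxy_arp 1

# The following kernel settings were suggested by Alex Weeks. Thanks!

# This kernel parameter instructs the kernel to ignore all ICMP
# echo requests sent to the broadcast address. This prevents
# a number of smurfs and similar DoS nasty attacks.
set_kernel_param net.ipv4.icmp_echo_ignore_broadcasts 1

# This option can be used to accept or refuse source routed
# packets. It is usually on by default, but is generally
# considered a security risk. This option turns it off.
set_kernel_param net.ipv4.conf.all.accept_source_route 0
set_kernel_param net.ipv6.conf.all.accept_source_route 0

# This option can disable ICMP redirects. ICMP redirects
# are generally considered a security risk and shouldn't be
# needed by most systems using this generator.
# NOTE(review): for a host that does not forward, the kernel honours a
# redirect if *either* conf.all or the interface's own setting allows it,
# so to really turn it off set conf.default and the per-interface values
# too, not only conf.all.  Nothing here touches the IPv6 equivalent
# (net.ipv6.conf.*.accept_redirects), which defaults to on for hosts.
# set_kernel_param net.ipv4.conf.all.accept_redirects 0

# However, we'll ensure the secure_redirects option is on instead.
# This option accepts only from gateways in the default gateways list.
set_kernel_param net.ipv4.conf.all.secure_redirects 1

# This option logs packets from impossible addresses.
set_kernel_param net.ipv4.conf.all.log_martians 1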
262
263
264###############################################################################
265#
266# Flush Any Existing Rules or Chains
267#
268
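echo "Flushing Tables ..."

# Filter-table policy to use while the old rules are torn down.
# On "stop" the host is intentionally left wide open (ACCEPT, see the
# message below).  On any other invocation the policies go to DROP *before*
# the flush, so there is no window in which the host runs with ACCEPT
# policies and no rules while the new ruleset is being built further down.
if [ "$1" = "stop" ]
then
  FILTER_POLICY=ACCEPT
else
  FILTER_POLICY=DROP
fi

# Reset Default Policies
for chain in INPUT FORWARD OUTPUT
do
  $IPT -P $chain $FILTER_POLICY
  $IP6T -P $chain $FILTER_POLICY
done

# nat and mangle chains only ever carry an ACCEPT policy.
for chain in PREROUTING POSTROUTING OUTPUT
do
  $IPT -t nat -P $chain ACCEPT
  $IP6T -t nat -P $chain ACCEPT
done
for chain in PREROUTING OUTPUT
do
  $IPT -t mangle -P $chain ACCEPT
  $IP6T -t mangle -P $chain ACCEPT
done

# Flush all rules, then erase all non-default chains (a user chain can only
# be deleted once nothing in its table references it, hence -F before -X).
for table in filter nat mangle
do
  $IPT -t $table -F
  $IP6T -t $table -F
  $IPT -t $table -X
  $IP6T -t $table -X
done

if [ "$1" = "stop" ]
then
  echo "Firewall completely flushed! Now running with no firewall."
  exit 0
fi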
310
311###############################################################################
312#
313# Rules Configuration
314#
315
316###############################################################################
317#
318# Filter Table
319#
320###############################################################################
321
# Set Policies
#
# Default-deny in every filter chain: whatever is not explicitly accepted
# by the chains populated below is discarded (after the final LOG rules).
for chain in INPUT OUTPUT FORWARD
do
  $IPT -P $chain DROP
  $IP6T -P $chain DROP
done
330
331###############################################################################
332#
333# User-Specified Chains
334#
335# Create user chains to reduce the number of rules each packet
336# must traverse.
337
echo "Create and populate custom rule chains ..."

# User chains, created for both address families.  Splitting the rules by
# protocol keeps the number of rules each packet has to traverse small.
#   bad_packets     - drops INVALID packets, then hands tcp to bad_tcp_packets
#   bad_tcp_packets - drops TCP flag combinations typical of port scans
#   icmp_packets    - inbound icmp / icmpv6 from the Internet
#   udp_inbound     - inbound UDP services (default: only what is listed)
#   udp_outbound    - UDP services to block for a private network (default: allow all)
#   tcp_inbound     - inbound TCP services (default: only what is listed)
#   tcp_outbound    - TCP services to block for a private network (default: allow all)
for chain in bad_packets bad_tcp_packets icmp_packets \
             udp_inbound udp_outbound tcp_inbound tcp_outbound
do
  $IPT -N $chain
  $IP6T -N $chain
done

# GRE tunneling for PPTP VPN, inbound and outbound (IPv4 only)
$IPT -N gre_inbound
$IPT -N gre_outbound

# OSPF, inbound and outbound, both families
for chain in ospf_inbound ospf_outbound
do
  $IPT -N $chain
  $IP6T -N $chain
done
388
389###############################################################################
390#
391# Populate User Chains
392#
393
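# bad_packets chain
#
# First stop for every packet entering INPUT: drop what conntrack flags as
# INVALID, run tcp through bad_tcp_packets, then RETURN.

# bad_packets_rules IPTABLES_CMD
#   Append the bad_packets rules for one address family using IPTABLES_CMD
#   (iptables or ip6tables).  The LOG rule is rate limited, like the
#   catch-all LOG rules in INPUT/OUTPUT already are: without the limit a
#   flood of INVALID packets writes one log line each and can fill the log
#   (and the disk it lives on).
bad_packets_rules() {
  # Drop INVALID packets immediately
  "$1" -A bad_packets -p ALL -m conntrack --ctstate INVALID \
    -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-prefix "Invalid packet: "
  "$1" -A bad_packets -p ALL -m conntrack --ctstate INVALID -j DROP

  # Then check the tcp packets for additional problems
  "$1" -A bad_packets -p tcp -j bad_tcp_packets

  # All good, so return
  "$1" -A bad_packets -p ALL -j RETURN
}

bad_packets_rules "$IPT"
bad_packets_rules "$IP6T"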
413
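# bad_tcp_packets chain
#
# All tcp packets entering INPUT traverse this chain (via bad_packets).
# Every new connection attempt should begin with a SYN; a NEW packet that
# is not a SYN, or a flag combination no real TCP stack sends, is almost
# always a port scan (NULL, XMAS and friends) and is logged and dropped.

# bad_tcp_rule LOG-PREFIX MATCH...
#   Append, for both address families, a rate-limited LOG rule and a DROP
#   rule for tcp packets matching MATCH... (passed to iptables verbatim).
#   Rate limiting the LOG rule keeps a scan from producing one log line per
#   probe; the DROP itself is unconditional.
#   Uses the globals prefix/cmd (plain sh, no "local").
bad_tcp_rule() {
  prefix=$1
  shift
  for cmd in "$IPT" "$IP6T"
  do
    "$cmd" -A bad_tcp_packets -p tcp "$@" \
      -m limit --limit 3/minute --limit-burst 3 \
      -j LOG --log-prefix "$prefix"
    "$cmd" -A bad_tcp_packets -p tcp "$@" -j DROP
  done
}

# NEW but not SYN.  A non-SYN packet without a conntrack entry is classified
# NEW when nf_conntrack_tcp_loose is on (the default); with it off such
# packets are already INVALID and were dropped in bad_packets.
bad_tcp_rule "New not syn: " ! --syn -m conntrack --ctstate NEW

# Flag combinations that never occur in legitimate traffic
bad_tcp_rule "Stealth scan: " --tcp-flags ALL NONE
bad_tcp_rule "Stealth scan: " --tcp-flags ALL ALL
bad_tcp_rule "Stealth scan: " --tcp-flags ALL FIN,URG,PSH
bad_tcp_rule "Stealth scan: " --tcp-flags ALL SYN,RST,ACK,FIN,URG
bad_tcp_rule "Stealth scan: " --tcp-flags SYN,RST SYN,RST
bad_tcp_rule "Stealth scan: " --tcp-flags SYN,FIN SYN,FIN

# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN
$IP6T -A bad_tcp_packets -p tcp -j RETURN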
475
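# icmp_packets chain
#
# Inbound (from the Internet) icmp / icmpv6 only; applied to INPUT on the
# external interface.  Replies to our own requests are already accepted by
# the ESTABLISHED,RELATED rule in INPUT, so the rules here matter only for
# *new* ICMP messages.
#
# Accepted:
#   IPv4:  echo request (8), time exceeded (11)
#   IPv6:  echo request (128), time exceeded (3), destination unreachable (1),
#          packet too big (2, needed for path-MTU discovery), parameter
#          problem (4), MLD (130-132), neighbour discovery (134-136)
# Echo requests are accepted, i.e. the host answers ping.  To refuse them,
# comment the two ACCEPT rules and uncomment the two DROP rules below.
# Everything else RETURNs and is logged and dropped by INPUT.
#
# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
# for more info on ICMP types.

# ICMP packets should fit in a Layer 2 frame, thus they should never be
# fragmented.  Fragmented ICMP packets are a typical sign of a denial of
# service attack.  (ip6tables has no --fragment option; the IPv6 counterpart
# would be the "frag" match.)
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
  --log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP

# Echo request.  Uncomment the LOG rules if you also want pings logged;
# they are rate limited because worms and scanners ping constantly and
# would otherwise fill the log.
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 \
#   -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "Ping detected: "
# $IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 128 \
#   -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "Ping detected: "
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 128 -j ACCEPT

# Alternative: drop pings without logging.
#$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
#$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 128 -j DROP

# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 3 -j ACCEPT

# ICMPv6 error messages: destination unreachable, packet too big,
# parameter problem
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 1 -j ACCEPT
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 2 -j ACCEPT
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 4 -j ACCEPT

# MLD: multicast listener query / report / done
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 130 -j ACCEPT
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 131 -j ACCEPT
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 132 -j ACCEPT

# Neighbour discovery.  A router advertisement must carry a link-local
# source address (RFC 4861, section 4.2), so it is only accepted from
# fe80::/10: a forged RA with an off-link source is stopped here rather
# than relying on the kernel's own check.  Neighbour solicitation and
# advertisement may legitimately carry a global or the unspecified source
# address, so those stay unrestricted.
$IP6T -A icmp_packets -p icmpv6 -s fe80::/10 --icmpv6-type 134 -j ACCEPT
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 135 -j ACCEPT
$IP6T -A icmp_packets -p icmpv6 -s ::/0 --icmpv6-type 136 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN
$IP6T -A icmp_packets -p icmpv6 -j RETURN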
533
534# TCP & UDP
535# Identify ports at:
536# http://www.chebucto.ns.ca/~rakerman/port-table.html
537# http://www.iana.org/assignments/port-numbers
538
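# udp_inbound chain
#
# New inbound UDP datagrams this host accepts; applied to INPUT on the
# external interface.  Replies to our own requests are accepted earlier by
# the ESTABLISHED,RELATED rule in INPUT, so these rules are for new
# requests only.  Unmatched datagrams RETURN to INPUT and are logged and
# dropped there.
#
# NOTE(review): INET_IFACE is "+" (every interface), so each ACCEPT below
# is reachable from every network this host is attached to, not only from
# an "internal" one.  TFTP (69) has no authentication at all and SNMP
# v1/v2c (161/162) only a cleartext community string; keep them only if
# this host really serves them, and narrow the source (-s) to the hosts
# that need them.

# Drop netbios calls (137/138) quickly and without logging.
# This does not really change how netbios is treated: to get here a packet
# has to be a new request on the Internet interface, which would be dropped
# by the INPUT policy anyway.  Cable-modem segments are full of broadcasts
# from unprotected Windows machines, and without these rules every one of
# them would traverse the whole chain and clutter the log.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP

# Ident (port 113) must have a REJECT rule rather than the default DROP so
# that servers which look up ident before accepting a connection do not
# wait for a timeout.  Also see the tcp_inbound rule.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j REJECT
$IP6T -A udp_inbound -p UDP -s ::/0 --destination-port 113 -j REJECT

# A more sophisticated configuration could accept the ident requests.
# $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j ACCEPT
# $IP6T -A udp_inbound -p UDP -s ::/0 --destination-port 113 -j ACCEPT

# Dynamic Address (DHCP / DHCPv6)
# The initial request is a broadcast and the reply does not exactly match
# it, so conntrack cannot relate the two; allow the server->client ports
# explicitly.  The DHCPv6 exchange is link-local on both sides.
# If you receive your address by a different means, comment these lines.
$IPT -A udp_inbound -p UDP --source-port 67 -s 0/0 --destination-port 68 \
  -j ACCEPT
$IP6T -A udp_inbound -p UDP --source-port 547 -s fe80::/10 --destination-port 546 -d fe80::/10 \
  -j ACCEPT
# Only a DHCPv6 *server* needs this one:
#$IP6T -A udp_inbound -p UDP -s ::/0 --destination-port 547 \
#  -j ACCEPT

# mDNS (multicast DNS; legitimate queries go to 224.0.0.251 / ff02::fb)
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 5353 \
  -j ACCEPT
$IP6T -A udp_inbound -p UDP -s ::/0 --destination-port 5353 \
  -j ACCEPT

# SNMP (see the note at the top of this chain)
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 161 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 162 -j ACCEPT
$IP6T -A udp_inbound -p UDP -s ::/0 --destination-port 161 -j ACCEPT
$IP6T -A udp_inbound -p UDP -s ::/0 --destination-port 162 -j ACCEPT

# TFTP (see the note at the top of this chain)
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 69 -j ACCEPT
$IP6T -A udp_inbound -p UDP -s ::/0 --destination-port 69 -j ACCEPT

# cups
# The IPv6 rule used "-s 0/0" before; that is not an IPv6 address and
# ip6tables does not parse it as one (it tries to resolve "0" as a host
# name), so the rule was never installed.  "::/0" is the any-address form
# used everywhere else in this file.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 631 -j ACCEPT
$IP6T -A udp_inbound -p UDP -s ::/0 --destination-port 631 -j ACCEPT

# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN
$IP6T -A udp_inbound -p UDP -j RETURN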
610
# udp_outbound chain
#
# Meant for a private network behind this host: rules that *block*
# forwarding of particular UDP services go here, ahead of the closing
# ACCEPT.  Nothing is blocked, and with the FORWARD policy at DROP and no
# FORWARD rules the chain is not referenced at all at the moment.

# No match, so ACCEPT
$IPT --append udp_outbound --protocol udp --source 0.0.0.0/0 --jump ACCEPT
$IP6T --append udp_outbound --protocol udp --source ::/0 --jump ACCEPT
621
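# tcp_inbound chain
#
# New inbound TCP connections this host accepts; applied to INPUT on the
# external interface.  Anything not accepted here RETURNs to INPUT and is
# logged and dropped there.  Use with care.
#
# NOTE(review): INET_IFACE is "+", so every port opened below is reachable
# from every network this host is attached to.  VNC (5900/5901) and rsyncd
# (873) in particular have weak or no authentication and no transport
# encryption; narrow their sources (-s) or reach them through ssh instead.

# allow_tcp_in PORT
#   Accept new TCP connections to PORT from any source, IPv4 and IPv6.
#   "0/0" is an IPv4-only any-address; ip6tables needs "::/0".  Several of
#   the IPv6 rules in this chain used "-s 0/0", which ip6tables does not
#   parse as an address, so those rules were never installed and the IPv6
#   side of cups/httpd/rsyncd/pleroma stayed closed.
allow_tcp_in() {
  $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port "$1" -j ACCEPT
  $IP6T -A tcp_inbound -p TCP -s ::/0 --destination-port "$1" -j ACCEPT
}

# Ident requests (Port 113) must have a REJECT rule rather than the
# default DROP rule. This is the minimum requirement to avoid
# long delays while connecting. Also see the udp_inbound rule.
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT
$IP6T -A tcp_inbound -p TCP -s ::/0 --destination-port 113 -j REJECT

# A more sophisticated configuration could accept the ident requests.
# allow_tcp_in 113

# sshd rate-limiting
# Roughly: more than 5 new connections from one source address within
# 600 s are logged and dropped, and every further attempt refreshes the
# entry (--update), so a continuing flood stays locked out.  The LOG rule
# is rate limited so the flood cannot fill the log.  The "conntrack" match
# is used as in the rest of the file ("state" is its legacy alias).
# NOTE(review): the recent list is keyed on the full source address.  An
# IPv6 client normally has a whole /64 to pick addresses from, so the
# limit is easy to side-step there; newer iptables offer
# "-m recent ... --mask" to key on a prefix instead.
for fam in 4 6
do
  if [ "$fam" = 4 ]
  then
    cmd=$IPT
    any=0/0
  else
    cmd=$IP6T
    any=::/0
  fi
  $cmd -A tcp_inbound -p TCP -s $any --destination-port 22 \
    -m conntrack --ctstate NEW -m recent --update --seconds 600 --hitcount 5 \
    -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-prefix "sshd rate-limit: "
  $cmd -A tcp_inbound -p TCP -s $any --destination-port 22 \
    -m conntrack --ctstate NEW -m recent --update --seconds 600 --hitcount 5 \
    -j DROP
  $cmd -A tcp_inbound -p TCP -s $any --destination-port 22 \
    -m conntrack --ctstate NEW -m recent --set
done

# sshd
allow_tcp_in 22

# vnc-zero
allow_tcp_in 5900

# vnc-daniel
allow_tcp_in 5901

# cups
allow_tcp_in 631

# httpd
allow_tcp_in 80
allow_tcp_in 443

# rsyncd
allow_tcp_in 873

# pleroma
allow_tcp_in 4000

# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN
$IP6T -A tcp_inbound -p TCP -j RETURN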
687
# tcp_outbound chain
#
# Meant for a private network behind this host: rules that *block*
# forwarding of particular TCP services go here, ahead of the closing
# ACCEPT.  Nothing is blocked, and with the FORWARD policy at DROP and no
# FORWARD rules the chain is not referenced at all at the moment.

# No match, so ACCEPT
$IPT --append tcp_outbound --protocol tcp --source 0.0.0.0/0 --jump ACCEPT
$IP6T --append tcp_outbound --protocol tcp --source ::/0 --jump ACCEPT
698
# gre_inbound / gre_outbound (IPv4 only)
#
# GRE (IP protocol 47) carries the PPTP VPN payload.  Accepted from and to
# any address.  GRE has no authentication of its own, so if the VPN peer is
# known, narrow --source to it.
$IPT --append gre_inbound --protocol gre --source 0.0.0.0/0 --destination 0.0.0.0/0 --jump ACCEPT
$IPT --append gre_outbound --protocol gre --source 0.0.0.0/0 --destination 0.0.0.0/0 --jump ACCEPT

# ospf_inbound / ospf_outbound
#
# OSPF (IP protocol 89) from and to anywhere, both families.  OSPF hellos
# legitimately come from on-link neighbours and go to 224.0.0.5/224.0.0.6
# (ff02::5/ff02::6 for OSPFv3); with INET_IFACE at "+" this accepts OSPF
# on every interface, so if a routing daemon is running here, consider
# restricting --source to the known neighbours.
$IPT --append ospf_inbound --protocol ospf --source 0.0.0.0/0 --destination 0.0.0.0/0 --jump ACCEPT
$IP6T --append ospf_inbound --protocol ospf --source ::/0 --destination ::/0 --jump ACCEPT
$IPT --append ospf_outbound --protocol ospf --source 0.0.0.0/0 --destination 0.0.0.0/0 --jump ACCEPT
$IP6T --append ospf_outbound --protocol ospf --source ::/0 --destination ::/0 --jump ACCEPT
714
715###############################################################################
716#
717# INPUT Chain
718#
719
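echo "Process INPUT chain ..."

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IP6T -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets (INVALID state, bogus TCP flag combinations)
$IPT -A INPUT -p ALL -j bad_packets
$IP6T -A INPUT -p ALL -j bad_packets

# All-hosts multicast groups 224.0.0.1 / ff02::1
#
# Some DOCSIS compliant cable modems send IGMP multicasts to 224.0.0.1 to
# find connected PCs; IPv6 router advertisements and MLD queries go to
# ff02::1.  These are accepted here.  The rules are limited to the
# protocols that legitimately use the all-hosts groups (IGMP, protocol 2,
# and ICMPv6) instead of "-p ALL": every host is a member of the all-hosts
# group, and a UDP socket bound to the wildcard address also receives
# datagrams addressed to 224.0.0.1, so accepting every protocol to that
# group lets any on-link host reach UDP services that udp_inbound does not
# open, simply by sending to the multicast address instead of the unicast
# one (the same appears to hold for ff02::1).  Other traffic to these
# groups is handled by the rest of the chain (logged, then dropped by the
# policy).
# To drop the IGMP queries without logging instead, swap the comment on
# the two IPv4 lines.
# $IPT -A INPUT -p 2 -d 224.0.0.1 -j DROP
$IPT -A INPUT -p 2 -d 224.0.0.1 -j ACCEPT
$IP6T -A INPUT -p icmpv6 -d ff02::1 -j ACCEPT


# Inbound Internet Packet Rules

# Accept Established Connections, and RELATED ones (ICMP errors for our own
# connections, data connections set up by the loaded ftp/irc conntrack
# helpers).
$IPT -A INPUT -p ALL -i $INET_IFACE -m conntrack --ctstate ESTABLISHED,RELATED \
  -j ACCEPT
$IP6T -A INPUT -p ALL -i $INET_IFACE -m conntrack --ctstate ESTABLISHED,RELATED \
  -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IP6T -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IP6T -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IP6T -A INPUT -p icmpv6 -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -p gre -i $INET_IFACE -j gre_inbound
$IPT -A INPUT -p ospf -i $INET_IFACE -j ospf_inbound
$IP6T -A INPUT -p ospf -i $INET_IFACE -j ospf_inbound

# NOTE(review): rp_filter (sysctl section) covers IPv4 only.  For IPv6 the
# equivalent is the "rpfilter" match, e.g.
#   $IP6T -t raw -A PREROUTING -m rpfilter --invert -j DROP
# which this script does not set up.

# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
$IP6T -A INPUT -m pkttype --pkt-type broadcast -j DROP

# Log (rate limited) packets that still don't match; the chain policy
# (DROP) then discards them.
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-prefix "INPUT packet died: "
$IP6T -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-prefix "INPUT packet died: "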
779
780###############################################################################
781#
782# FORWARD Chain
783#
784
printf '%s\n' "Process FORWARD chain ..."

# Used if forwarding for a private network.  No FORWARD rules are defined
# and the FORWARD policy is DROP, so nothing is forwarded by this host.
788
789
790###############################################################################
791#
792# OUTPUT Chain
793#
794
echo "Process OUTPUT chain ..."

# Generally trust the firewall on output: everything generated locally is
# allowed out, except INVALID icmp, which the original author drops "to
# prevent a possible exploit".  Note there is no egress filtering at all
# (the "To internet" rule matches every interface because INET_IFACE is
# "+"), so a compromised local process can open any outbound connection.
for fam in 4 6
do
  if [ "$fam" = 4 ]
  then
    cmd=$IPT
    icmp=icmp
    lo_addr=$LO_IP
  else
    cmd=$IP6T
    icmp=icmpv6
    lo_addr=$LO_IP6
  fi

  # invalid icmp packets need to be dropped
  $cmd -A OUTPUT -p $icmp -m conntrack --ctstate INVALID -j DROP

  # Localhost, by source address and by interface
  $cmd -A OUTPUT -p ALL -s $lo_addr -j ACCEPT
  $cmd -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

  # To internet
  $cmd -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

  # Log packets that still don't match
  $cmd -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "OUTPUT packet died: "
done
819
820###############################################################################
821#
822# nat table
823#
824###############################################################################
825
826# The nat table is where network address translation occurs if there
827# is a private network. If the gateway is connected to the Internet
828# with a static IP, snat is used. If the gateway has a dynamic address,
829# masquerade must be used instead. There is more overhead associated
830# with masquerade, so snat is better when it can be used.
831# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
832# Another, POSTROUTING, handles snat and masquerade.
833
# No nat rules are defined below; the message is kept for the rc log.
printf '%s\n' "Load rules for nat table ..."
835
836###############################################################################
837#
838# PREROUTING chain
839#
840
841
842###############################################################################
843#
844# POSTROUTING chain
845#
846
847
848###############################################################################
849#
850# mangle table
851#
852###############################################################################
853
854# The mangle table is used to alter packets. It can alter or mangle them in
855# several ways. For the purposes of this generator, we only use its ability
856# to alter the TTL in packets. However, it can be used to set netfilter
857# mark values on specific packets. Those marks could then be used in another
858# table like filter, to limit activities associated with a specific host, for
859# instance. The TOS target can be used to set the Type of Service field in
860# the IP header. Note that the TTL target might not be included in the
861# distribution on your system. If it is not and you require it, you will
862# have to add it. That may require that you build from source.
863
864echo "Load rules for mangle table ..."