> -----Original Message----- > From: centos-bounces at centos.org > [mailto:centos-bounces at centos.org] On Behalf Of Linux Man > Sent: Wednesday, December 20, 2006 11:44 PM > To: CentOS mailing list > Subject: Re: [CentOS] creating script for init.d > > This is what I found in /var/lor/messages: > > Dec 21 02:02:28 Promaster firewall.light: + /sbin/iptables -t > nat -A POSTROUTING -o eth0 -s 192.168.15.50 -j SNAT > --to-source 192.168.1.5 <http://192.168.1.5> Dec 21 02:02:28 > Promaster firewall.light: + echo ...done Dec 21 02:02:28 > Promaster firewall.light: + echo '' > Dec 21 02:02:28 Promaster firewall.light: + echo '--> > IPTABLES firewall loaded/activated <--' > Dec 21 02:02:28 Promaster firewall.light: + exit 0 Dec 21 > 02:02:28 Promaster rc: Iniciando firewall.light: succeeded > Dec 21 02:02:28 Promaster haldaemon: Iniciación de haldaemon > succeeded Dec 21 02:02:28 Promaster fstab-sync[3722]: removed > all generated mount points Dec 21 02:02:28 Promaster > fstab-sync[3739]: added mount point /media/cdrom for /dev/hdc > Dec 21 02:02:29 Promaster kernel: fp=INVALID:1 a=DROP IN=lo > OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC= > 127.0.0.1 DST=127.0.0.1 LEN=16436 TOS=0x00 PREC=0x00 TTL=64 > ID=22436 DF PROTO=TCP SPT=32768 DPT=6009 WINDOW=8192 RES=0x00 > ACK URGP=0 Dec 21 02:02:29 Promaster kernel: fp=INVALID:1 > a=DROP IN=lo OUT= > MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC= 127.0.0.1 > DST=127.0.0.1 LEN=16436 TOS=0x00 PREC=0x00 TTL=64 ID=22438 DF > PROTO=TCP SPT=32768 DPT=6009 WINDOW=8192 RES=0x00 ACK URGP=0 > Dec 21 02:02:29 Promaster kernel: fp=INVALID:1 a=DROP IN=lo > OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC= > 127.0.0.1 DST=127.0.0.1 LEN=16436 TOS=0x00 PREC=0x00 TTL=64 > ID=22440 DF PROTO=TCP SPT=32768 DPT=6009 WINDOW=8192 RES=0x00 > ACK PSH URGP=0 > > As you can see, it look like the script execute good, but > hangs de keybordad, monitor, mouse, etc. Nevertheless theres > some activicty from lo to lo ?¿?¿?¿ > > > 2006/12/20, Linux Man <linuxman.uru at gmail.com>: > > If I hit ENTER anything hapens (even with a lots of enter's) > In /var/log/messages seems to compleate the scrips, I'm > realy comfiusing (and :( of course) > Can be SElinux? can I disable it to try? > At terminal all work smooth, I don't understand why > hangs at boot time > Thanks a lot guys for you help!! > > 2006/12/20, Michael Velez <mikev777 at hotmail.com>: > > At this point, I doubt you have the same problem I had (SELinux is not asking a question for you to respond to). What Craig is saying is accurate. CentOS 4.4 already has an iptables script. You should start with that. Then add your customized iptables rules from the command line and once you have verified them, save them to /etc/sysconfig/iptables with 'service iptables save'. Are you using your old Fedora iptables script? I don't know enough about the iptables script to help you out here. Other experts on the list should know but starting from the base Centos 4.4 script should be better. In any case, I posted your own script below (which you had sent out). Michael > > This is the scrpit that I use, there's somethig wrong? > > > > > > #Script configurado y optimizado para el servidor SunSet # > > #chkconfig: 35 98 27 > > # > > #Description: Firewall > > > > > > # Hubicacion de los binarios de IPTABLES y sus comandos > > IPTABLES="/sbin/iptables" > > > > > > case "$1" in > > stop) > > echo "Shutting down firewall..." > > $IPTABLES -F > > $IPTABLES -F -t mangle > > $IPTABLES -F -t nat > > $IPTABLES -X > > $IPTABLES -X -t mangle > > $IPTABLES -X -t nat > > > > $IPTABLES -P INPUT ACCEPT > > $IPTABLES -P OUTPUT ACCEPT > > $IPTABLES -P FORWARD ACCEPT > > echo "...done" > > ;; > > status) > > echo $"Table: filter" > > iptables --list > > echo $"Table: nat" > > iptables -t nat --list > > echo $"Table: mangle" > > iptables -t mangle --list > > ;; > > restart|reload) > > $0 stop > > $0 start > > ;; > > start) > > echo "Starting Firewall..." > > echo "" > > > > > > ##--------------------------Inicio del > > Firewall---------------------------------## > > > > > > #----Interfaces por Defecto-----# > > > > ## Interface Externa (a Internet) > > DEFAULT_EXTIF="eth0" > > > > ## Interface Interna (a Lan) > > DEFAULT_INTIF="eth1" > > > > ## Interface Interna (a CAMARA) > > DEFAULT_CAMIF="eth2" > > > > #----Variables Especiales-----# > > > > # IP y Mascara para todas las IP (all) UNIVERSE="0.0.0.0/0" > > > > # Specification of the high unprivileged IP ports. > > UNPRIVPORTS="1024:65535" > > > > # Specification of X Window System (TCP) ports. > > XWINPORTS="6000:6063" > > > > # Ports for IRC-Connection-Tracking > > IRCPORTS="6665,6666,6667,6668,6669,7000" > > > > # Maquinas del Cyber > > A1="192.168.0.3" > > A2=" 192.168.0.4 <http://192.168.0.4> " > > A3="192.168.0.5" > > A4="192.168.0.6" > > A5="192.168.0.7" > > A6=" 192.168.0.8" > > A7="192.168.0.9" > > A8="192.168.0.10" > > B1=" 192.168.0.11 <http://192.168.0.11> " > > B2="192.168.0.12" > > B3="192.168.0.13" > > B4="192.168.0.14" > > B5="192.168.0.15" > > B6="192.168.0.16" > > J1="192.168.0.100" > > J2=" 192.168.0.101 <http://192.168.0.101> " > > J3="192.168.0.103" > > J4="192.168.0.105" > > J5="192.168.0.104" > > J6="192.168.0.102" > > JEJE="192.168.0.2" > > > > # Casa > > # Almaceno en la variable "actual" el valor de la IP actual > > ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 63.208.196.90 | > > grep address | awk '{ print $4}') > > > > # Pruebo por si no hubo respuesta del servidor y en ese > caso uso ns2 > > if [ "$actual" = "" ]; then ACTUAL=$(host -R 2 -W 3 > > latinloveruy.homelinux.net 204.13.249.81 | grep address | > awk '{ print > > $4}') fi > > > > # Pruebo por si no hubo respuesta del servidor y en ese > caso uso ns3 > > if [ "$actual" = "" ]; then ACTUAL=$(host -R 2 -W 3 > > latinloveruy.homelinux.net 204.13.250.81 | grep address | > awk '{ print > > $4}') fi > > > > # Pruebo por si no hubo respuesta del servidor y en ese > caso uso ns4 > > if [ "$actual" = "" ]; then ACTUAL=$(host -R 2 -W 3 > > latinloveruy.homelinux.net 213.155.150.205 | grep address | awk '{ > > print $4}') fi > > > > # Pruebo por si no hubo respuesta del servidor y en ese > caso uso ns5 > > if [ "$actual" = "" ]; then ACTUAL=$(host -R 2 -W 3 > > latinloveruy.homelinux.net 63.170.10.81 | grep address | > awk '{ print > > $4}') fi > > > > > > #-----Port-Forwarding Variables-----# > > > > > > #IP's a Forewardear > > > > #MUNDAKA="172.16.1.191" > > CAMARA="192.168.15.50 " > > > > #----Flood Variables-----# > > > > # Overall Limit for TCP-SYN-Flood detection TCPSYNLIMIT="5/s" > > # Burst Limit for TCP-SYN-Flood detection TCPSYNLIMITBURST="10" > > > > # Overall Limit for Loggging in Logging-Chains LOGLIMIT="2/s" > > # Burst Limit for Logging in Logging-Chains LOGLIMITBURST="10" > > > > #Overall Limit for Ping-Flood-Detection PINGLIMIT="5/s" > > # Burst Limit for Ping-Flood-Detection PINGLIMITBURST="10" > > > > > > > > #----Determinacion Automatica de la informacion para las > > Interfaces-----# > > > > #Permite la determinacion de datos de configuracion de las > interfaces > > #de forma automatica permitiendo adaptarce a los cambios > logicos de la > > red #sin necesidad de editar el script ### Interface Externa > > (Internet-IPpublica): > > > > ## Obtener informacion de la Interface Externa ## Si no > encuentra una > > interface se pondra el valor por > > defecto: DEFAULT_EXTIF como EXTIF > > if [ "x$2" != "x" ]; then > > EXTIF=$2 > > else > > EXTIF=$DEFAULT_EXTIF > > fi > > echo External Interface: $EXTIF > > > > ## Determinacion de la IP externa (publica) > EXTIP="`ifconfig $EXTIF | > > grep inet | cut -d : -f 2 | cut -d \ -f 1`" > > if [ "$EXTIP" = '' ]; then > > echo "Aborting: Unable to determine the IP-address of $EXTIF !" > > exit 1 > > fi > > echo External IP: $EXTIP > > > > ## Determincion del Gateway Externo > > EXTGW=`route -n | grep -A 4 UG | awk '{ print $2}'` echo > Default GW: > > $EXTGW > > > > > > echo " --- " > > > > > > ### Interface Interna (Lan-IPprivada): > > > > ## Obtener informacion de la Interface InternaGet internal > interface > > from command-line ## Si no encuentra una interface de > pondra el valor > > por > > defecto: $DEFAULT_INTIF as INTIF > > if [ "x$3" != "x" ]; then > > INTIF=$3 > > else > > INTIF=$DEFAULT_INTIF > > fi > > echo Internal Interface: $INTIF > > > > ## Determinacion de IP Interna > > INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut > -d \ -f 1`" > > if [ "$INTIP" = '' ]; then > > echo "Aborting: Unable to determine the IP-address of > $INTIF !" > > exit 1 > > fi > > echo Internal IP: $INTIP > > > > ## Determinacion de Mascara Interna > > INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`" > > echo Internal Netmask: $INTMASK > > > > ## Determinacion de la Network Interna > INTLAN=$INTIP'/'$INTMASK echo > > Internal LAN: $INTLAN > > > > echo "" > > > > ###--- Interface hacia la CAMARA --- > > > > CAMIF="eth2" > > CAMIFIP="192.168.15.5 " > > CAMMASK="255.255.255.0" > > > > ##--- Reparo problemas de ruteo --- > > if [ "$(route | grep 169.254.0.0)" != "" ]; then ip route del > > 169.254.0.0/16 fi > > > > > > #----Cargando Modulos de IPTABLES-----# > > > > > > #Insert modules- should be done automatically if needed > > > > #If the IRC-modules are available, uncomment them below > > > > echo "Loading IPTABLES modules" > > > > dmesg -n 1 #Kill copyright display on module load /sbin/modprobe > > ip_tables /sbin/modprobe iptable_filter /sbin/modprobe ip_conntrack > > /sbin/modprobe ip_conntrack_ftp /sbin/modprobe ip_nat_ftp > > /sbin/modprobe ip_conntrack_irc ports=$IRCPORTS /sbin/modprobe > > ip_nat_irc ports=$IRCPORTS #dmesg -n 6 > > > > echo " --- " > > > > > > #----Clear/Reset all chains-----# > > > > #Clear all IPTABLES-chains > > > > #Flush everything, start from scratch > > $IPTABLES -F > > $IPTABLES -F -t mangle > > $IPTABLES -F -t nat > > $IPTABLES -X > > $IPTABLES -X -t mangle > > $IPTABLES -X -t nat > > > > #Set default policies to DROP > > $IPTABLES -P INPUT DROP > > $IPTABLES -P OUTPUT DROP > > $IPTABLES -P FORWARD DROP > > > > > > #----Set network sysctl options-----# > > > > > > echo "Setting sysctl options" > > > > #Enable forwarding in kernel > > echo 1 > /proc/sys/net/ipv4/ip_forward > > > > #Disabling IP Spoofing attacks. > > echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter > > > > #Don't respond to broadcast pings > (Smurf-Amplifier-Protection) echo 1 > > > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts > > > > #Block source routing > > echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route > > > > #Kill timestamps > > echo 0 > /proc/sys/net/ipv4/tcp_timestamps > > > > #Enable SYN Cookies > > echo 1 > /proc/sys/net/ipv4/tcp_syncookies > > > > #Kill redirects > > echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects > > > > #Enable bad error message protection > > echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses > > > > #Log martians (packets with impossible addresses) echo 1 > > > /proc/sys/net/ipv4/conf/all/log_martians > > > > #Set out local port range > > echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range > > > > #Reduce DoS'ing ability by reducing timeouts echo 30 > > > /proc/sys/net/ipv4/tcp_fin_timeout > > echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time > > echo 0 > /proc/sys/net/ipv4/tcp_window_scaling > > echo 0 > /proc/sys/net/ipv4/tcp_sack > > > > > > echo " --- " > > > > echo "Creating user-chains" > > > > > > > > #----Create logging chains-----# > > > > ##These are the logging-chains. They all have a certain limit of > > log-entries/sec to prevent log-flooding ##The > syslog-entries will be > > fireparse-compatible (see http://www.fireparse.com > > <http://www.fireparse.com> ) > > > > > > #Invalid packets (not ESTABLISHED,RELATED or NEW) > > $IPTABLES -N LINVALID > > $IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst > > $LOGLIMITBURST -j LOG --log-prefix > > "fp=INVALID:1 a=DROP " --log-level info > > $IPTABLES -A LINVALID -j DROP > > > > #TCP-Packets with one ore more bad flags > > $IPTABLES -N LBADFLAG > > $IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst > > $LOGLIMITBURST -j LOG --log-prefix > > "fp=BADFLAG:1 a=DROP " --log-level info > > $IPTABLES -A LBADFLAG -j DROP > > > > #Acceso no permitido a la Camara > > $IPTABLES -N LNOCAM > > $IPTABLES -A LNOCAM -m limit --limit $LOGLIMIT --limit-burst > > $LOGLIMITBURST -j LOG --log-prefix "fp=NOCAM:1 a=DROP " > > $IPTABLES -A LNOCAM -j DROP > > > > #Logging of connection attempts on special ports (Trojan portscans, > > special services, etc.) > > $IPTABLES -N LSPECIALPORT > > $IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT > --limit-burst > > $LOGLIMITBURST -j LOG --log-prefix > > "fp=SPECIALPORT:1 a=DROP " --log-level info > > $IPTABLES -A LSPECIALPORT -j DROP > > > > #Logging of possible TCP-SYN-Floods > > $IPTABLES -N LSYNFLOOD > > $IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst > > $LOGLIMITBURST -j LOG --log-prefix > > "fp=SYNFLOOD:1 a=DROP " --log-level info > > $IPTABLES -A LSYNFLOOD -j DROP > > > > #Logging of possible Ping-Floods > > $IPTABLES -N LPINGFLOOD > > $IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT > --limit-burst > > $LOGLIMITBURST -j LOG --log-prefix > > "fp=PINGFLOOD:1 a=DROP " --log-level info > > $IPTABLES -A LPINGFLOOD -j DROP > > > > > > #All other dropped packets > > $IPTABLES -N LDROP > > $IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT > --limit-burst > > $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP " > --log-level info > > $IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT > --limit-burst > > $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP " > --log-level info > > $IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT > > --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 > a=DROP " > > --log-level info > > $IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst > > $LOGLIMITBURST -j LOG --log-prefix > > "fp=FRAGMENT:4 a=DROP " --log-level info > > $IPTABLES -A LDROP -j DROP > > > > #All other rejected packets > > $IPTABLES -N LREJECT > > $IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT > > --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 > a=REJECT " > > --log-level info > > $IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT > > --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 > a=REJECT " > > --log-level info > > $IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT > > --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 > a=REJECT " > > --log-level info > > $IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT > --limit-burst > > $LOGLIMITBURST -j LOG --log-prefix > > "fp=FRAGMENT:4 a=REJECT " --log-level info > > $IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset > > $IPTABLES -A LREJECT -p udp -j REJECT --reject-with > > icmp-port-unreachable > > $IPTABLES -A LREJECT -j REJECT > > > > #passtrue > > > > # $IPTABLES -A FORWARD -p tcp -s $MUNDAKA -j ACCEPT # > $IPTABLES -A > > FORWARD -p tcp -d $MUNDAKA -j ACCEPT > > > > > > > > > > > > #----Create Accept-Chains-----# > > > > > > #TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in > > > > $IPTABLES -N TCPACCEPT > > $IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit > $TCPSYNLIMIT > > --limit-burst $TCPSYNLIMITBURST -j ACCEPT > > $IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD > > $IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT > > > > > > #----Create special User-Chains-----# > > > > > > #CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with > impossible > > flag-combinations (Some port-scanners use these, eg. nmap > > Xmas,Null,etc.-scan) > > > > $IPTABLES -N CHECKBADFLAG > > $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j > > LBADFLAG > > $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL > > SYN,RST,ACK,FIN,URG -j LBADFLAG > > $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j > LBADFLAG > > $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE > -j LBADFLAG > > $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j > > LBADFLAG > > $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j > > LBADFLAG > > > > > > > > #FILTERING FOR SPECIAL PORTS > > > > > > #Inbound/Outbound SILENTDROPS/REJECTS (Things we don't > want in our > > Logs) > > > > #SMB-Traffic > > $IPTABLES -N SMB > > > > $IPTABLES -A SMB -p tcp --dport 137 -j DROP > > $IPTABLES -A SMB -p tcp --dport 138 -j DROP > > $IPTABLES -A SMB -p tcp --dport 139 -j DROP > > $IPTABLES -A SMB -p tcp --dport 445 -j DROP > > $IPTABLES -A SMB -p udp --dport 137 -j DROP > > $IPTABLES -A SMB -p udp --dport 138 -j DROP > > $IPTABLES -A SMB -p udp --dport 139 -j DROP > > $IPTABLES -A SMB -p udp --dport 445 -j DROP > > > > $IPTABLES -A SMB -p tcp --sport 137 -j DROP > > $IPTABLES -A SMB -p tcp --sport 138 -j DROP > > $IPTABLES -A SMB -p tcp --sport 139 -j DROP > > $IPTABLES -A SMB -p tcp --sport 445 -j DROP > > $IPTABLES -A SMB -p udp --sport 137 -j DROP > > $IPTABLES -A SMB -p udp --sport 138 -j DROP > > $IPTABLES -A SMB -p udp --sport 139 -j DROP > > $IPTABLES -A SMB -p udp --sport 445 -j DROP > > > > > > #Inbound Special Ports > > > > $IPTABLES -N SPECIALPORTS > > > > #Deepthroat Scan > > $IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j > > LSPECIALPORT > > > > #Subseven Scan > > $IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j > > LSPECIALPORT > > $IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j > > LSPECIALPORT > > $IPTABLES -A SPECIALPORTS -p tcp --dport > > 27374 -j LSPECIALPORT > > $IPTABLES -A SPECIALPORTS -p udp --dport > > 27374 -j LSPECIALPORT > > $IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j > > LSPECIALPORT > > > > #Netbus Scan > > $IPTABLES -A SPECIALPORTS -p tcp --dport > > 12345:12346 -j LSPECIALPORT > > $IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j > > LSPECIALPORT > > > > #Back Orifice scan > > $IPTABLES -A SPECIALPORTS -p udp --dport > > 31337:31338 -j LSPECIALPORT > > > > #X-Win > > $IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j > > LSPECIALPORT > > > > #Hack'a'Tack 2000 > > $IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j > LSPECIALPORT > > > > > > #ICMP/TRACEROUTE FILTERING > > > > > > #Inbound ICMP/Traceroute > > > > $IPTABLES -N ICMPINBOUND > > > > #Ping Flood protection. Accept $PINGLIMIT > echo-requests/sec, > > rest will be logged/dropped > > $IPTABLES -A ICMPINBOUND -p icmp --icmp-type > echo-request -m > > limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT > > # > > $IPTABLES -A ICMPINBOUND -p icmp --icmp-type > echo-request -j > > LPINGFLOOD > > > > #Block ICMP-Redirects (Should already be catched by > > sysctl-options, if enabled) > > $IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j > > LDROP > > > > #Block ICMP-Timestamp (Should already be catched by > > sysctl-options, if enabled) > > $IPTABLES -A ICMPINBOUND -p icmp --icmp-type > > timestamp-request -j LDROP > > $IPTABLES -A ICMPINBOUND -p icmp --icmp-type > timestamp-reply > > -j LDROP > > > > #Block ICMP-address-mask (can help to prevent > > OS-fingerprinting) > > $IPTABLES -A ICMPINBOUND -p icmp --icmp-type > > address-mask-request -j LDROP > > $IPTABLES -A ICMPINBOUND -p icmp --icmp-type > > address-mask-reply -j LDROP > > > > > > #Allow all other ICMP in > > $IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT > > > > > > > > > > #Outbound ICMP/Traceroute > > > > $IPTABLES -N ICMPOUTBOUND > > > > #Block ICMP-Redirects (Should already be catched by > > sysctl-options, if enabled) > > $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j > > LDROP > > > > #Block ICMP-TTL-Expired > > #MS Traceroute (MS uses ICMP instead of UDp for tracert) > > $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type > > ttl-zero-during-transit -j LDROP > > $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type > > ttl-zero-during-reassembly -j LDROP > > > > #Block ICMP-Parameter-Problem > > $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type > > parameter-problem -j LDROP > > > > #Block ICMP-Timestamp (Should already be catched by > > sysctl-options, if enabled) > > $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type > > timestamp-request -j LDROP > > $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type > > timestamp-reply -j LDROP > > > > #Block ICMP-address-mask (can help to prevent > > OS-fingerprinting) > > $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type > > address-mask-request -j LDROP > > $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type > > address-mask-reply -j LDROP > > > > > > ##Accept all other ICMP going out > > $IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT > > > > > > # CHAIN PARA LA SEPARACION DE TRAFICO BASADO EN LA IP DE > ORIGEN DE LA > > LAN > > > > $IPTABLES -t mangle -N SETEAMARCA > > $IPTABLES -t mangle -A SETEAMARCA -s $A1 -j MARK --set-mark 1 > > $IPTABLES -t mangle -A SETEAMARCA -s $A2 -j MARK --set-mark 2 > > $IPTABLES -t mangle -A SETEAMARCA -s $A3 -j MARK --set-mark 3 > > $IPTABLES -t mangle -A SETEAMARCA -s $A4 -j MARK --set-mark 4 > > $IPTABLES -t mangle -A SETEAMARCA -s $A5 -j MARK --set-mark 5 > > $IPTABLES -t mangle -A SETEAMARCA -s $A6 -j MARK --set-mark 6 > > $IPTABLES -t mangle -A SETEAMARCA -s $A7 -j MARK --set-mark 7 > > $IPTABLES -t mangle -A SETEAMARCA -s $A8 -j MARK --set-mark 8 > > $IPTABLES -t mangle -A SETEAMARCA -s $B1 -j MARK --set-mark 9 > > $IPTABLES -t mangle -A SETEAMARCA -s $B2 -j MARK --set-mark 10 > > $IPTABLES -t mangle -A SETEAMARCA -s $B3 -j MARK --set-mark 11 > > $IPTABLES -t mangle -A SETEAMARCA -s $B4 -j MARK --set-mark 12 > > $IPTABLES -t mangle -A SETEAMARCA -s $B5 -j MARK --set-mark 13 > > $IPTABLES -t mangle -A SETEAMARCA -s $B6 -j MARK --set-mark 14 > > $IPTABLES -t mangle -A SETEAMARCA -s $J1 -j MARK --set-mark 15 > > $IPTABLES -t mangle -A SETEAMARCA -s $J2 -j MARK --set-mark 16 > > $IPTABLES -t mangle -A SETEAMARCA -s $J3 -j MARK --set-mark 17 > > $IPTABLES -t mangle -A SETEAMARCA -s $J4 -j MARK --set-mark 18 > > $IPTABLES -t mangle -A SETEAMARCA -s $J5 -j MARK --set-mark 19 > > $IPTABLES -t mangle -A SETEAMARCA -s $J6 -j MARK --set-mark 20 > > $IPTABLES -t mangle -A SETEAMARCA -s $JEJE -j MARK --set-mark 21 > > # $IPTABLES -t mangle -A SETEAMARCA -s $CAMARA -j MARK > > --set-mark 22 > > > > > > #----End User-Chains-----# > > > > > > > > echo " --- " > > > > > > #----Start Ruleset-----# > > > > echo "Implementing firewall rules..." > > > > > > ################# > > ## INPUT-Chain ## (everything that is addressed to the firewall > > itself) ################# > > > > > > ##GENERAL Filtering > > > > # Kill INVALID packets (not ESTABLISHED, RELATED or NEW) > > $IPTABLES -A INPUT -m state --state INVALID -j LINVALID > > > > # Check TCP-Packets for Bad Flags > > $IPTABLES -A INPUT -p tcp -j CHECKBADFLAG > > > > > > ##Packets FROM FIREWALL-BOX ITSELF > > > > #Local IF > > $IPTABLES -A INPUT -i lo -j ACCEPT > > # > > #Kill connections to the local interface from the outside > > world (--> Should be already catched by kernel/rp_filter) > > $IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT > > > > > > ##Packets FROM INTERNAL NET > > > > > > ##Allow unlimited traffic from internal network using legit > > addresses to firewall-box > > ##If protection from the internal interface is needed, alter it > > > > $IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT > > #Kill anything from outside claiming to be from internal > > network (Address-Spoofing --> Should be already catched by > rp_filter) > > $IPTABLES -A INPUT -s $INTLAN -j LREJECT > > $IPTABLES -A INPUT -i $EXTIF -s $INTLAN -j LREJECT > > > > > > > > ##Packets FROM EXTERNAL NET > > > > > > ##ICMP & Traceroute filtering > > > > #Filter ICMP > > $IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMPINBOUND > > > > #Block UDP-Traceroute > > $IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP > > > > > > ##Silent Drops/Rejects (Things we don't want in our logs) > > > > #Drop all SMB-Traffic > > $IPTABLES -A INPUT -i $EXTIF -j SMB > > > > #Silently reject Ident (Don't DROP ident, because of > > possible delays when establishing an outbound connection) > > $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT > > --reject-with tcp-reset > > > > > > ##Public services running ON FIREWALL-BOX (comment out to > activate): > > > > > > > > # ftp-data > > #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j TCPACCEPT > > > > # ftp > > #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j TCPACCEPT > > > > # ssh > > $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j TCPACCEPT > > > > #telnet > > #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT > > > > > > # smtp > > #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT > > > > # webmail > > #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 26 -j TCPACCEPT > > > > # DNS > > $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT > > $IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT > > > > # http > > #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT > > > > # https > > #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT > > > > # POP-3 > > #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j TCPACCEPT > > > > # Bnc > > #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 31337 -j TCPACCEPT > > > > > > ##Separate logging of special portscans/connection attempts > > > > $IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS > > > > > > > > ##Allow ESTABLISHED/RELATED connections in > > > > $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED > -j ACCEPT > > $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m > > state --state RELATED -j TCPACCEPT > > $IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m > > state --state RELATED -j ACCEPT > > > > > > ##Catch all rule > > $IPTABLES -A INPUT -j LDROP > > > > > > > > > > > > ################## > > ## Output-Chain ## (everything that comes directly from the > > Firewall-Box) > > ################## > > > > > > > > ##Packets TO FIREWALL-BOX ITSELF > > > > #Local IF > > $IPTABLES -A OUTPUT -o lo -j ACCEPT > > > > > > ##Packets TO INTERNAL NET > > > > #Allow unlimited traffic to internals networks using legit > > addresses > > $IPTABLES -A OUTPUT -o $INTIF -d $INTLAN -s $INTIP -j ACCEPT > > $IPTABLES -A OUTPUT -o $CAMIF -d $CAMARA -s $CAMIFIP -j ACCEPT > > > > > > > > ##Packets TO EXTERNAL NET > > > > > > ##ICMP & Traceroute > > > > $IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND > > > > > > > > ##Silent Drops/Rejects (Things we don't want in our logs) > > > > #SMB > > $IPTABLES -A OUTPUT -o $EXTIF -j SMB > > > > #Ident > > $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT > > --reject-with tcp-reset > > > > > > > > ##Public services running ON FIREWALL-BOX (comment out to > activate): > > > > # ftp-data > > #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 20 -j ACCEPT > > > > # ftp > > #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 21 -j ACCEPT > > > > # ssh > > $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state > > --state ESTABLISHED -j ACCEPT > > > > #telnet > > #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 23 -m state > > --state ESTABLISHED -j ACCEPT > > > > # smtp > > #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 25 -m state > > --state ESTABLISHED -j ACCEPT > > > > # webmail > > #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 88 -j ACCEPT > > > > # DNS > > $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT > > $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT > > > > # http > > #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state > > --state ESTABLISHED -j ACCEPT > > > > # https > > #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 443 -m state > > --state ESTABLISHED -j ACCEPT > > > > # POP-3 > > #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 110 -m state > > --state ESTABLISHED -j ACCEPT > > > > #Netmeeting > > $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 1720 -j ACCEPT > > $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 1720 -j ACCEPT > > > > #BNC > > #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 31337 -j ACCEPT > > > > > > > > ##Accept all tcp/udp traffic on unprivileged ports going out > > > > $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport > > $UNPRIVPORTS -j ACCEPT > > $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport > > $UNPRIVPORTS -j ACCEPT > > > > > > ##Darle una via privada de salida a paquetes del firewall itself > > $IPTABLES -t mangle -A OUTPUT -o $EXTIF -s $EXTIP -j MARK > > --set-mark 23 > > > > > > ##Catch all rule > > > > $IPTABLES -A OUTPUT -j LDROP > > > > > > > > > > #################### > > ## FORWARD-Chain ## (everything that passes the firewall) > > #################### > > > > > > ##GENERAL Filtering > > > > #Kill invalid packets (not ESTABLISHED, RELATED or NEW) > > $IPTABLES -A FORWARD -m state --state INVALID -j LINVALID > > > > # Check TCP-Packets for Bad Flags > > $IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG > > > > ##Filtering FROM INTERNAL NET > > > > > > ##Silent Drops/Rejects (Things we don't want in our logs) > > > > #SMB > > $IPTABLES -A FORWARD -o $EXTIF -j SMB > > > > > > ##Special Drops/Rejects > > # - To be done - > > > > > > ##Filter for some Trojans communicating to outside > > # - To be done - > > > > > > ##Port-Forwarding from Ports < 1024 [outbound] (--> Also > > see chain PREROUTING) > > > > #Forwarding a mundaka > > #$IPTABLES -A FORWARD -o $EXTIF -s $SAND2002 -p tcp > > --sport 25 -j ACCEPT > > > > > > > > ##Allow all other forwarding (from Ports > 1024) from > > Internals Net's to External Net > > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp > > --sport $UNPRIVPORTS -j ACCEPT > > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp > > --sport $UNPRIVPORTS -j ACCEPT > > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp > > -j ACCEPT > > $IPTABLES -A FORWARD -i $CAMIF -o $EXTIF -s $CAMARA -d > > $ACTUAL -p tcp --sport 9090 -j ACCEPT > > > > > > ##Filtering FROM EXTERNAL NET > > > > > > ##Silent Drops/Rejects (Things we don't want in our logs) > > > > #SMB > > $IPTABLES -A FORWARD -i $EXTIF -j SMB > > > > > > ##Allow replies coming in > > $IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED > > -j ACCEPT > > $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS > > -m state --state RELATED -j TCPACCEPT > > $IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS > > -m state --state RELATED -j ACCEPT > > $IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state > > RELATED -j ACCEPT > > > > > > ##Port-Forwarding [inbound] (--> Also see chain PREROUTING) > > > > #Forwarding > > #$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $MUNDAKA --dport > > 80 -j ACCEPT > > #$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $MUNDAKA --dport > > 22 -j ACCEPT > > #$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $SAND2002 --dport > > 25 -j ACCEPT > > $IPTABLES -A FORWARD -i $EXTIF -o $CAMIF -s $ACTUAL -d > > $CAMARA -p tcp --dport 9090 -j ACCEPT > > > > ##Some ip forward > > > > # $IPTABLES -A FORWARD -p tcp -s $MUNDAKA -j ACCEPT > > # $IPTABLES -A FORWARD -p tcp -d $MUNDAKA -j ACCEPT > > > > ## Forward entre las redes internas > > $IPTABLES -A FORWARD -s $CAMARA -i $CAMIF -o $INTIF -d > > $INTLAN -p tcp --sport 9090 -j ACCEPT > > $IPTABLES -A FORWARD -d $CAMARA -o $CAMIF -i $INTIF -s > > $INTLAN -p tcp --dport 9090 -j ACCEPT > > > > ## Cortar comunicacion Cyber-Cam (todo lo que vaya o venga a > > la Cam, y que no me halla > > ## interesado admitir antes, es logeado y luego muere) > > $IPTABLES -A FORWARD -o $CAMIF -j LNOCAM > > $IPTABLES -A FORWARD -i $CAMIF -j LNOCAM > > > > ##Catch all rule/Deny every other forwarding > > > > $IPTABLES -A FORWARD -j LDROP > > > > ################ > > ## PREROUTING ## > > ################ > > > > ##Port-Forwarding (--> Also see chain FORWARD) > > > > #Puertos Trasladados > > # $IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP > > --dport 25 -j DNAT --to-destination $SAND2002 > > $IPTABLES -t nat -A PREROUTING -i $EXTIF -d $EXTIP -s > > $ACTUAL -p tcp --dport 9090 -j DNAT --to-destination $CAMARA > > > > > > > > ################### > > ## POSTROUTING ## > > ################### > > > > #Seteo de marca basado en la dirección de origen > > $IPTABLES -t mangle -A POSTROUTING -s $INTLAN -o $EXTIF -j > > SETEAMARCA > > $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -s $CAMARA -j > > MARK --set-mark 22 > > > > #Masquerade from Internal Net to External Net > > > > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -j > > SNAT --to-source $EXTIP > > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $CAMARA -j > > SNAT --to-source $EXTIP > > #$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE > > > > > > > > #------End Ruleset------# > > > > echo "...done" > > echo "" > > > > > > echo "--> IPTABLES firewall loaded/activated <--" > > > > > > ##--------------------------------End > > Firewall---------------------------------## > > > > > > > > ;; > > *) > > echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF" > > exit 1 > > esac > > > > exit 0 > > > > > > > > > > >