Revision 2007/12/11 13:56 (current), old revision restored; compared against the revision of 2006/10/16 23:14.

====== simplefirewall ======

The firewall below lets in SSH, HTTP and FTP. To slow down SSH brute-force dictionary attacks it uses the iptables recent match module for connection rate limiting: a source that opens too many new SSH connections within a window is blacklisted for 600 seconds. It is intended for a host with a single interface connected to the Internet, e.g. a web server.

Hint: before enabling it, add this to your ''/etc/crontab'':

<code>
*/5 *   * * *   root /etc/init.d/simplefirewall stop >> /var/log/firewall.stop
</code>

Then check ''/var/log/firewall.stop'' to make sure the job runs. It opens the firewall again every 5 minutes, so you cannot lock yourself out while testing. When everything works as expected, comment the cron line out.

<code bash>
#!/bin/bash

# Very simple firewall for a single interface

IF="eth0"            # interface connected to the net
HIPORT="1024:65535"  # unprivileged source ports (don't change)

IPTABLES=$(command -v iptables) || IPTABLES="/usr/sbin/iptables"

case "$1" in
  close)
    # block all incoming connections except ping and loopback
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    echo "Firewall closed, all connections blocked"
    exit 0
    ;;

  stop)
    # remove all rules and allow everything
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    echo "Firewall stopped, all connections allowed"
    exit 0
    ;;

  start)
    # First of all, flush all rules
    $IPTABLES -F
    $IPTABLES -F -t nat
    $IPTABLES -X
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD

    # set default policy and create additional chains
    # Note: with OUTPUT set to DROP and only ESTABLISHED/RELATED traffic let out
    # below, this host cannot open new outbound connections itself (DNS lookups,
    # package updates, ...). Add OUTPUT rules in the custom section if it must.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -N dropchain
    $IPTABLES -N ssh
    $IPTABLES -N blacklist

    # enable additional kernel security
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo "1" > /proc/sys/net/ipv4/conf/$IF/rp_filter
    echo "0" > /proc/sys/net/ipv4/conf/$IF/accept_redirects
    echo "0" > /proc/sys/net/ipv4/conf/$IF/accept_source_route
    echo "0" > /proc/sys/net/ipv4/conf/$IF/bootp_relay
    echo "1" > /proc/sys/net/ipv4/conf/$IF/log_martians

    # tune tcp params, see for info:
    # http://www.ussg.iu.edu/hypermail/linux/kernel/0202.1/0436.html
    echo "30"  > /proc/sys/net/ipv4/tcp_keepalive_intvl
    echo "5"   > /proc/sys/net/ipv4/tcp_keepalive_probes
    echo "900" > /proc/sys/net/ipv4/tcp_keepalive_time

    # local processes:
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # icmp stuff:
    $IPTABLES -A INPUT -i $IF -p icmp --icmp-type echo-request -j ACCEPT
    $IPTABLES -A INPUT -i $IF -p icmp --icmp-type echo-reply -j ACCEPT
    $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type echo-request -j ACCEPT
    $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type echo-reply -j ACCEPT
    $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type source-quench -j ACCEPT
    $IPTABLES -A INPUT -i $IF -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPTABLES -A INPUT -i $IF -p icmp --icmp-type parameter-problem -j ACCEPT
    $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type parameter-problem -j ACCEPT
    $IPTABLES -A INPUT -i $IF -p icmp --icmp-type fragmentation-needed -j ACCEPT
    $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type fragmentation-needed -j ACCEPT

    # let answers out:
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -o $IF -p tcp -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED -o $IF -p udp -j ACCEPT

    # let all answers in:
    $IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -i $IF -p tcp -j ACCEPT
    $IPTABLES -A INPUT  -m state --state ESTABLISHED -i $IF -p udp -j ACCEPT

    # ssh rate limit support - iptables recent module needed!
    # see http://www.e18.physik.tu-muenchen.de/~tnagel/ipt_recent/

    # prepare blacklist: remember the source, log it, drop the packet
    $IPTABLES -A blacklist -m recent --name blacklist --set
    $IPTABLES -A blacklist -j LOG --log-level info --log-prefix "FW log BLACKLIST: "
    $IPTABLES -A blacklist -j DROP

    # drop everyone currently on the blacklist (seen within the last 600 s;
    # --update refreshes the entry, so the ban lasts until 600 s of silence)
    $IPTABLES -A ssh -m recent --update --name blacklist --seconds 600 --hitcount 1 -j DROP

    # count incomers
    $IPTABLES -A ssh -m recent --set    --name counting1
    $IPTABLES -A ssh -m recent --set    --name counting2
    $IPTABLES -A ssh -m recent --set    --name counting3
    $IPTABLES -A ssh -m recent --set    --name counting4

    # add to blacklist on rate exceed
    # Note: the recent module only remembers ip_pkt_list_tot timestamps per
    # address (default 20), so the hit counts of counting3 and counting4 need
    # the module loaded with a larger ip_pkt_list_tot, otherwise those rules
    # are rejected when inserted.
    $IPTABLES -A ssh -m recent --update --name counting1 --seconds    20 --hitcount   5 -j blacklist
    $IPTABLES -A ssh -m recent --update --name counting2 --seconds   200 --hitcount  15 -j blacklist
    $IPTABLES -A ssh -m recent --update --name counting3 --seconds  2000 --hitcount  80 -j blacklist
    $IPTABLES -A ssh -m recent --update --name counting4 --seconds 20000 --hitcount 400 -j blacklist

    # accept at the end of SSH chain
    $IPTABLES -A ssh -j ACCEPT

    # put all new SSH connections in the ssh chain
    $IPTABLES -A INPUT -m state --state NEW -i $IF -p tcp --sport $HIPORT --dport ssh -j ssh

    ########### start of custom rules ############

    # let HTTP in
    $IPTABLES -A INPUT -m state --state NEW -i $IF -p tcp --sport $HIPORT --dport http -j ACCEPT

    # let FTP in (needs loaded ip_conntrack_ftp module)
    $IPTABLES -A INPUT -m state --state NEW -i $IF -p tcp --sport $HIPORT --dport ftp -j ACCEPT

    ########### end of custom rules ############

    # drop & log everything else
    $IPTABLES -A INPUT  -j dropchain
    $IPTABLES -A OUTPUT -j dropchain

    # dropchain: every packet is dropped and, except for icmp, logged
    $IPTABLES -A dropchain -p icmp -j DROP      # don't log outgoing icmp
    $IPTABLES -A dropchain -p tcp -m state --state INVALID -j LOG --log-level info --log-prefix "FW log INVALID: "
    $IPTABLES -A dropchain -j LOG --log-level info --log-prefix "FW log: "      # log everything else
    $IPTABLES -A dropchain -j DROP

    # done
    echo "Firewall up and running..."
    exit 0
    ;;

  *)
    echo "usage: $0 start | stop | close"
    exit 1
    ;;
esac

exit 1
</code>
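To see what the thresholds in the ssh chain actually do, here is an added Python model of the recent-module logic (not part of the wiki script) that replays constructed connection attempts through the four counting lists and the blacklist. It assumes the module keeps at most pkt_list_tot timestamps per address (standing for the ip_pkt_list_tot module parameter, default 20) and that, as in the script, only NEW SSH packets reach the chain.

```python
from collections import defaultdict, deque

# Window/hitcount pairs of the counting1..counting4 rules, and the ban length
THRESHOLDS = [(20, 5), (200, 15), (2000, 80), (20000, 400)]
BLACKLIST_SECONDS = 600

class RecentList:
    """One recent-module list: the last pkt_list_tot hit times per source address."""
    def __init__(self, pkt_list_tot=20):
        self.hits = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, addr, now):
        # --set: remember this packet's time; the oldest entry falls off the end
        self.hits[addr].append(now)

    def update(self, addr, now, seconds, hitcount):
        # --update --seconds S --hitcount H: match when the address is listed with
        # at least H hits in the last S seconds, and then record this packet too
        recent = [t for t in self.hits.get(addr, ()) if now - t <= seconds]
        if len(recent) >= hitcount:
            self.hits[addr].append(now)
            return True
        return False

def ssh_chain(attempts, pkt_list_tot=20):
    """Replay (time, addr) NEW SSH attempts; return (time, addr, verdict) tuples."""
    blacklist = RecentList(pkt_list_tot)
    counters = [RecentList(pkt_list_tot) for _ in THRESHOLDS]
    out = []
    for now, addr in sorted(attempts):
        if blacklist.update(addr, now, BLACKLIST_SECONDS, 1):  # banned, ban refreshed
            out.append((now, addr, "DROP"))
            continue
        for c in counters:                        # the four --set rules
            c.set(addr, now)
        verdict = "ACCEPT"                        # reached the final -j ACCEPT
        for c, (secs, hits) in zip(counters, THRESHOLDS):
            if c.update(addr, now, secs, hits):   # first exceeded window wins
                blacklist.set(addr, now)          # blacklist chain: --set, LOG, DROP
                verdict = "BLACKLIST"
                break
        out.append((now, addr, verdict))
    return out

def first_blacklist_time(attempts, pkt_list_tot=20):
    return next((t for t, _, v in ssh_chain(attempts, pkt_list_tot) if v == "BLACKLIST"), None)

# Constructed input: a source hammering every 2 s and returning after ~11 quiet
# minutes, an admin connecting once a minute, and a slow attacker every 20 s.
SAMPLE = ([(2.0 * i, "192.0.2.10") for i in range(8)] + [(700.0, "192.0.2.10")]
          + [(60.0 * i, "192.0.2.20") for i in range(4)])
SLOW = [(20.0 * i, "198.51.100.5") for i in range(100)]
```

The fast source is blacklisted on its 5th attempt within 20 s, dropped while it keeps knocking, and accepted again once it has been quiet for 600 s; the slow source is only ever caught by the 80-in-2000 s rule when the module remembers at least 80 timestamps per address.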