< < Back to My Firewall Script Page
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 | #!/bin/bash # Firewall Script - 0.7 - Development Version # Note: Script assumes a single interface "$INT0" with a fixed ipaddress "$LANIP" ############################################################### # Enviroment Variables ############################################################### IPT="/sbin/iptables" # Shortcut LOOPBACK="lo" INT0="eth0" # Interface for this machine LANIP="192.168.0.7" # IP for this machine LAN="192.168.0.0/24" # IP Range for LAN printer="192.168.0.2" # Machine with printer or allowed IP Range client_mac="xx:xx:xx:xx:xx:xx" # MAC Addresses of allowed clients 192.168.0.2 server_mac="xx:xx:xx:xx:xx:xx" router_mac="xx:xx:xx:xx:xx:xx" laptop_mac="xx:xx:xx:xx:xx:xx" ############################################################### # Set Policies for Chains #------------------------- # Set all to DROP as default as this is the most secure. # Rules can then be used to allow the traffic that is desired. ############################################################### ###SETUP #Flush old rules $IPT -F #Delete User Created Chains $IPT -X #Create New Chains $IPT -N ICMP_IN $IPT -N ICMP_OUT $IPT -N BAD_FLAGS $IPT -N VALIDMAC #Set Policies $IPT -P INPUT DROP $IPT -P OUTPUT DROP $IPT -P FORWARD DROP ############################################################### # Module Loading ############################################################### # Note: Hardcode these into "/etc/modules.autoload.d/kernel-2.6" if script not executed at startup # Load additional modules modprobe x_tables modprobe ip_tables modprobe iptable_filter modprobe ipt_REJECT modprobe xt_tcpudp modprobe nf_conntrack modprobe nf_conntrack_ipv4 modprobe nf_conntrack_ftp modprobe nf_conntrack_irc modprobe xt_state modprobe ipt_LOG modprobe nfnetlink modprobe xt_limit modprobe xt_mac ############################################################### # Kernel Parameters ############################################################### # Note: Hardcode these into "/etc/sysctl.conf" if script not executed at startup # Enable broadcast echo protection echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Disable packet forwarding echo 0 > /proc/sys/net/ipv4/ip_forward # Disable source routed packets echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # Enable TCP SYN Cookie Protection echo 1 > /proc/sys/net/ipv4/tcp_syncookies # Disable ICMP Redirect Acceptance echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # Don't send redirect messages echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects # Drop Spoofed Packets coming in on an interface, which, if replied to, # would result in the reply going out a different interface. echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter # Log packets with impossible addresses. echo 1 > /proc/sys/net/ipv4/conf/all/log_martians ############################################################### # Rules ############################################################### # # Enable loopback traffic - Means the machine can talk to itself (127.0.0.1) echo "Loopback" $IPT -A INPUT -i $LOOPBACK -j ACCEPT $IPT -A OUTPUT -o $LOOPBACK -j ACCEPT #--------------------------------------------------------------------------------------------------------------------------------------------- ### Spoofing/Hijacking/DoS Protection echo "Spoof/Hijack/Dos Protection" # Drop inbound traffic with a source address the same as this machine $IPT -A INPUT -i $INT0 -s $LANIP -j DROP # Drop outbound traffic with a source address NOT the same as this machine $IPT -A OUTPUT -o $INT0 -s ! $LANIP -j DROP # Drop internet traffic from RFC 1918 private address space ranges $IPT -A INPUT -s 10.0.0.0/8 -j DROP $IPT -A INPUT -s 172.16.0.0/12 -j DROP # Cannot drop 192.168.0.0/16 range as used for local LAN. Can only be dropped on an internet-facing connecting directly to the internet. #$IPT -A INPUT -s 192.168.0.0/16 -j DROP # Drop Traffic on Zeroconf address range $IPT -A INPUT -s 168.254.0.0/16 -j DROP # Drop TEST-NET address range $IPT -A INPUT -s 192.0.2.0/24 -j DROP # Drop reserved/unallocated address ranges $IPT -A INPUT -s 224.0.0.0/4 -j DROP $IPT -A INPUT -s 240.0.0.0/5 -j DROP $IPT -A INPUT -s 248.0.0.0/5 -j DROP # Drop loopback and zero addresses - Enable for internet-facing interfaces only. #$IPT -A INPUT -s 127.0.0.0/8 -j DROP #$IPT -A INPUT -s 255.255.255.255/32 -j DROP #$IPT -A INPUT -s 0.0.0.0/8 -j DROP #--------------------------------------------------------------------------------------------------------------------------------------------- # Send inbound traffic through the BAD_FLAGS Chain before being processed furthur $IPT -A INPUT -p tcp -j BAD_FLAGS #--------------------------------------------------------------------------------------------------------------------------------------------- # Prevent SYN Flooding - Might need tuning to traffic load #$IPT -A INPUT -p tcp --syn -m limit --limit 10/second -j ACCEPT # LOG/DROP Traffic in INVALID State $IPT -A INPUT -m state --state INVALID -j LOG --log-prefix "IPT: INV_STATE: " $IPT -A INPUT -m state --state INVALID -j DROP # LOG/DROP Fragmented Traffic $IPT -A INPUT -f -j LOG --log-prefix "IPT: Frag: " $IPT -A INPUT -f -j DROP #--------------------------------------------------------------------------------------------------------------------------------------------- # Redirect ICMP Traffic to User Created Chains echo "ICMP Processing Redirect" $IPT -A INPUT -p icmp -j ICMP_IN $IPT -A OUTPUT -p icmp -j ICMP_OUT #--------------------------------------------------------------------------------------------------------------------------------------------- # DNS Rules - Allow this machine to contact the DNS server echo "DNS" $IPT -A INPUT -p udp --sport domain -m state --state ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p udp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT #--------------------------------------------------------------------------------------------------------------------------------------------- # Web Browsing - Allow for browsing to take place from this machine. # - Do not allow new inbound HTTP requests echo "Web Browsing" #HTTP $IPT -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT #HTTPS $IPT -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT #--------------------------------------------------------------------------------------------------------------------------------------------- # FTP - Allow outgoing FTP connections for update purposes # Note: Uses nf_conntrack_ftp module echo "FTP - Outgoing Connections" $IPT -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT echo "------> Active FTP" $IPT -A INPUT -p tcp --sport 20 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -p tcp --dport 20 --sport 1024: -m state --state ESTABLISHED -j ACCEPT echo "------> Passive FTP" $IPT -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT #--------------------------------------------------------------------------------------------------------------------------------------------- # SSH Rule Set A - Allows for new connections to be made to the machine from the local lan. # - Outbound SSH connections cannot be made from the machine. #echo "SSH Rule Set A" #$IPT -A INPUT -p tcp -s 192.168.0.0/24 --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT #$IPT -A OUTPUT -p tcp -d 192.168.0.0/24 --sport ssh -m state --state ESTABLISHED -j ACCEPT # SSH Rule Set B - Allows for new connections to be made from this machine. # - Does not allow for inbound SSH connections #echo "SSH Rule Set B" #$IPT -A INPUT -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT #$IPT -A OUTPUT -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT #--------------------------------------------------------------------------------------------------------------------------------------------- # Following Rules still being researched and tested #--------------------------------------------------------------------------------------------------------------------------------------------- # Bittorrent - Uptp 5 connections # Tidy this up a bit #echo "Bittorrent" #Does it need to accept new connections or are they established first? #$IPT -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT #$IPT -A INPUT -p udp --dport 6881:6886 -m state --state NEW -j ACCEPT # Need to add outbound connection restriction #$IPT -A OUTPUT -p tcp --dport 6881:6886 -j ACCEPT #--------------------------------------------------------------------------------------------------------------------------------------------- # Azureues - WEBUI for home server echo "Azureus Web UI" $IPT -A INPUT -p tcp -m state --state ESTABLISHED --sport 62836 -j ACCEPT $IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 62836 -j ACCEPT #--------------------------------------------------------------------------------------------------------------------------------------------- # NTP - Network Time Protocol - To allow system clock sync with time servers # Might be able to secure this more by limiting connection to a handful of time servers echo "NTP" $IPT -A INPUT -p udp -m state --state ESTABLISHED --sport ntp -j ACCEPT $IPT -A OUTPUT -p udp -m state --state NEW,ESTABLISHED --dport ntp -j ACCEPT #--------------------------------------------------------------------------------------------------------------------------------------------- # RSYNC echo "RSYNC" $IPT -A INPUT -p tcp -m state --state ESTABLISHED --sport rsync -j ACCEPT $IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport rsync -j ACCEPT # Local RSYNC Mirror (This machine being the mirror) echo "RSYNC Mirror" # Configure source variable to only allow access from known clients $IPT -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.0.10 --dport rsync -j ACCEPT $IPT -A OUTPUT -p tcp -m state --state ESTABLISHED --sport rsync -j ACCEPT #--------------------------------------------------------------------------------------------------------------------------------------------- # Live-F1 Script echo "Live-F1" $IPT -A INPUT -p tcp -m state --state ESTABLISHED --sport 4321 -j ACCEPT $IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 4321 -j ACCEPT #--------------------------------------------------------------------------------------------------------------------------------------------- # Synergy echo "Synergy" # Need to harden to only allow packets to/from synergy server on 192.168.0.2 $IPT -A INPUT -p tcp -m state --state ESTABLISHED --sport 24800 -j ACCEPT $IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 24800 -j ACCEPT #--------------------------------------------------------------------------------------------------------------------------------------------- # No-IP (Dynamic DNS) echo "No-IP" $IPT -A INPUT -p tcp -m state --state ESTABLISHED --sport 8245 -j ACCEPT $IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 8245 -j ACCEPT #--------------------------------------------------------------------------------------------------------------------------------------------- # Netselect - Enable if required #echo "Netselect" #$IPT -A INPUT -p ICMP -m state --state RELATED -j ACCEPT #$IPT -A OUTPUT -p udp -m state --state NEW,ESTABLISHED --dport 33000:34000 -j ACCEPT #--------------------------------------------------------------------------------------------------------------------------------------------- # PIDGIN/IM echo "PIDGIN/IM" echo "- - - - - > Jabber/XMPP (Google Talk)" $IPT -A INPUT -p tcp -m state --state ESTABLISHED --sport 5222 -j ACCEPT $IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 5222 -j ACCEPT echo "- - - - - > MSN Messenger Protocol" $IPT -A INPUT -p tcp -m state --state ESTABLISHED --sport 1863 -j ACCEPT $IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 1863 -j ACCEPT # Need to allow for instant messaging protocols #Other Protocol Ports #5050 -- Yahoo #5190 -- AIM/ICQ #--------------------------------------------------------------------------------------------------------------------------------------------- # IRC # Note: Look into using nf_conntrack_irc module echo "IRC" $IPT -A INPUT -p tcp -m state --state ESTABLISHED --sport 6660:7003 -j ACCEPT #Are these port ranges correct? $IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 6660:7003 -j ACCEPT #$IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 9999 -j ACCEPT #$IPT -A INPUT -p tcp -m state --state ESTABLISHED --sport 9999 -j ACCEPT # DROP IDENT $IPT -A INPUT -p tcp --dport 113 -j DROP #IDENT Port - Drop requests here to prevent them clogging up the log file $IPT -A OUTPUT -p tcp --sport 113 -j DROP #IDENT Port - Drop requests here to prevent them clogging up the log file #Will need rules for DCC Chat (Ports 2056:2066) #--------------------------------------------------------------------------------------------------------------------------------------------- # DHCP Traffic - Reference http://www.linklogger.com/UDP67_68.htm echo "DHCP Traffic" # UDP Ports 67/68 are used to allocate an IPAddress. # Typically a machine will broadcast a request to the DHCP server UDP 0.0.0.0:68 > 255.255.255.255:67 # These ip addresses are used as the machine does not know the IP Address of the server and hasnt got an ipaddress allocated to itself # It is typical for the server to respond with something like 192.168.1.1:67 > 255.255.255.255:68. The response will contain # the ipaddress that the server is offering for the machine to use. # Might want to tighten these rules by resticting to 0.0.0.0 and 255.255.255.255 but this wouldnt allow for renewal requests. $IPT -A INPUT -p udp --dport 68 --sport 67 -m state --state ESTABLISHED -j ACCEPT #Accept requested info from DHCP server $IPT -A INPUT -p udp --dport 67 --sport 68 -j DROP # Drop traffic from other machines meant for the DHCP server (prevents it being logged) $IPT -A OUTPUT -p udp --sport 68 --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT #--------------------------------------------------------------------------------------------------------------------------------------------- #SMB/CIFS & CUPS echo "SMB/CIFS & CUPS Support" # Ports # ----- # Note: Only allow for local lan. # 137 - NetBIOS Name Service (UDP) # 138 - NetBIOS Datagram Service (UDP) # 139 - SMB over NetBios over TCP/IP [NetBIOS Session Service](TCP) # 445 - SMB over TCP/IP (without NetBios Overhead) [Microsoft Directory Service](TCP) # 515 - LPD (Line Printer Daemon protocol) ### Server ------------------------------------------- # CUPS Web Interface [Remote Administration] #Note: CUPS needs to be configured to allow remote administration on this port # Local access through 127.0.0.1 is allowed via "Loopback" rule $IPT -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 631 -s $LAN -j VALIDMAC $IPT -A OUTPUT -p tcp -m state --state ESTABLISHED --sport 631 -d $LAN -j ACCEPT # Only allow inputs from known mac addresses which are on the local lan $IPT -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m multiport --dports 139,445 -s $LAN -j VALIDMAC $IPT -A INPUT -p udp -m state --state NEW,ESTABLISHED -m multiport --dports 137,138 -s $LAN -j VALIDMAC $IPT -A INPUT -p tcp -m state --state ESTABLISHED --sport 445 -s $LAN -j VALIDMAC # Only allow output to established connections on the local lan $IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport 137:139 -d $LAN -j ACCEPT $IPT -A OUTPUT -p udp -m state --state NEW,ESTABLISHED --sport 137:139 -d $LAN -j ACCEPT $IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 445 -d $LAN -j ACCEPT ### Client ------------------------------------------- # CUPS Web Interface [Remote Administration] #Note: CUPS needs to be configured to allow remote administration on this port # Local access through 127.0.0.1 is allowed via "Loopback" rule #$IPT -A INPUT -p tcp -m state --state ESTABLISHED --dport 631 -s $LAN -j VALIDMAC #$IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport 631 -d $LAN -j ACCEPT # Only allow inputs from known mac addresses which are on the local lan #$IPT -A INPUT -p tcp -m state --state ESTABLISHED -m multiport --dports 139,445 -s $LAN -j VALIDMAC #$IPT -A INPUT -p udp -m state --state ESTABLISHED -m multiport --dports 137,138 -s $LAN -j VALIDMAC # Only allow output to established connections on the local lan #$IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport 137:139 -d $LAN -j ACCEPT #$IPT -A OUTPUT -p udp -m state --state NEW,ESTABLISHED --sport 137:139 -d $LAN -j ACCEPT ### Extra -------------------------------------------- # Disabled as not used #$IPT -A INPUT -p tcp -m state --state ESTABLISHED --dport 515 -m mac --mac-source $client_mac -j ACCEPT #$IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport 515 -d 0.0.0.0 -j ACCEPT #--------------------------------------------------------------------------------------------------------------------------------------------- ####################### # Valid MAC Addresses # ####################### # # Check for valid inbound MAC addresses. Only valid MACs can access restricted services. # echo "Valid MAC Check" $IPT -A VALIDMAC -m mac --mac-source $server_mac -j ACCEPT $IPT -A VALIDMAC -m mac --mac-source $client_mac -j ACCEPT $IPT -A VALIDMAC -m mac --mac-source $router_mac -j ACCEPT $IPT -A VALIDMAC -m mac --mac-source $laptop_mac -j ACCEPT $IPT -A VALIDMAC -j LOG --log-prefix "IPT: Invalid MAC Addr: " $IPT -A VALIDMAC -j DROP # #--------------------------------------------------------------------------------------------------------------------------------------------- ########## ## ICMP ## ########## # # ICMP Message Types # ================== # # Type Description # ---- ----------- # 0 Echo Reply # 3 Destination Unreachable # 4 Source Quench # 5 Redirect # 8 Echo Request # 11 Time Exceeded # 12 Parameter Problem # 13 Timestamp # 14 Timestamp Reply # 15 Information Request # 16 Information Reply # # ================== # ICMP Inbound Rules $IPT -A ICMP_IN -p icmp --icmp-type 8 -j DROP $IPT -A ICMP_IN -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A ICMP_IN -p icmp --icmp-type 3 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A ICMP_IN -p icmp --icmp-type 11 -m state --state ESTABLISHED,RELATED -j ACCEPT # Log and Drop inbound ICMP Traffic $IPT -A ICMP_IN -p icmp -j LOG --log-prefix "IPT: ICMP_IN: " $IPT -A ICMP_IN -p icmp -j DROP # ICMP Outbound Rules $IPT -A ICMP_OUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT # Log and Drop outbound ICMP Traffic $IPT -A ICMP_OUT -p icmp -j LOG --log-prefix "IPT: ICMP_OUT: " $IPT -A ICMP_OUT -p icmp -j DROP #--------------------------------------------------------------------------------------------------------------------------------------------- ##################### ## BAD FLAGS CHAIN ## ##################### $IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "IPT: Bad SF Flag: " $IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP $IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "IPT: Bad SR Flag: " $IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP $IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN,PSH SYN,FIN,PSH -j LOG --log-prefix "IPT: Bad SFP Flag: " $IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN,PSH SYN,FIN,PSH -j DROP $IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN,RST SYN,FIN,RST -j LOG --log-prefix "IPT: Bad SFR Flag: " $IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN,RST SYN,FIN,RST -j DROP $IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN,RST,PSH SYN,FIN,RST,PSH -j LOG --log-prefix "IPT: Bad SFRP Flag: " $IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN,RST,PSH SYN,FIN,RST,PSH -j DROP # Disable as dropping valid traffic #$IPT -A BAD_FLAGS -p tcp --tcp-flags FIN FIN -j LOG --log-prefix "IPT: Bad F Flag: " #$IPT -A BAD_FLAGS -p tcp --tcp-flags FIN FIN -j DROP $IPT -A BAD_FLAGS -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "IPT: Bad FR Flag: " $IPT -A BAD_FLAGS -p tcp --tcp-flags FIN,RST FIN,RST -j DROP $IPT -A BAD_FLAGS -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "IPT: Bad F Flag: " $IPT -A BAD_FLAGS -p tcp --tcp-flags ACK,FIN FIN -j DROP $IPT -A BAD_FLAGS -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "IPT: Bad P Flag: " $IPT -A BAD_FLAGS -p tcp --tcp-flags ACK,PSH PSH -j DROP $IPT -A BAD_FLAGS -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "IPT: Bad U Flag: " $IPT -A BAD_FLAGS -p tcp --tcp-flags ACK,URG URG -j DROP $IPT -A BAD_FLAGS -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j LOG --log-prefix "IPT: Bad SFPU Flag: " $IPT -A BAD_FLAGS -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP $IPT -A BAD_FLAGS -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "IPT: Null Flag: " $IPT -A BAD_FLAGS -p tcp --tcp-flags ALL NONE -j DROP $IPT -A BAD_FLAGS -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "IPT: All Flags: " $IPT -A BAD_FLAGS -p tcp --tcp-flags ALL ALL -j DROP $IPT -A BAD_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "IPT: Nmap:Xmas Flags: " $IPT -A BAD_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP $IPT -A BAD_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "IPT: Merry Xmas Flags: " $IPT -A BAD_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP #--------------------------------------------------------------------------------------------------------------------------------------------- ############# ## LOGGING ## ############# # LOG & DROP traffic thats not dealt with by the other rules (DROP by default after logging due to policy) - Working # Note: Investigate port 137/138 traffic. Its creating alot of log data. # Note: Wireless traffic is generating alot of log entries, see what can be done about this. # Temporarily disable logging whilst above issue is being resolved. echo "Enable LOG of DROP packets" #Logging disabled as log locations need creating & rotations setup $IPT -A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IPT INPUT: DROP " $IPT -A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "IPT FORWARD: DROP " $IPT -A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "IPT OUTPUT: DROP " #--------------------------------------------------------------------------------------------------------------------------------------------- echo "End of script" exit 0 |
The applied tweaks should have reduced some of the weaknesses found in the 0.6 version.