#!/bin/sh 
# Exemple de script iptables par tonio AT starbridge DOT org. (01-2008)

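echo " [pas de spoofing]"
# Strict reverse-path filtering on every IPv4 interface: a packet whose source
# address would not be routed back out through the interface it arrived on is
# discarded by the kernel. This is the kernel-side half of anti-spoofing; the
# bogon-source drops in the INPUT chain further down are the other half.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for filtre in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$filtre"
  done
fi

# rp_filter says nothing about ICMP redirects or source-routed packets, and
# the INPUT chain below accepts every ICMP type from the network, so refuse
# redirects (they can alter this host's routes) and source routing as well.
# The -e test also covers the case where the glob matched nothing.
for knob_name in accept_redirects accept_source_route; do
  for knob in /proc/sys/net/ipv4/conf/*/"$knob_name"; do
    [ -e "$knob" ] && echo 0 > "$knob"
  done
done

# Not "too much" ICMP rather than "no ICMP": echo requests ARE answered
# (ignore_all = 0; the original comment said "no icmp", which is not what this
# sets), but broadcast/multicast echo requests are ignored so the host cannot
# be used as a smurf amplifier.
echo " [pas de icmp]"
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Ignore ICMP error messages that do not match any known socket/connection
# (otherwise they are logged as kernel warnings, which is a cheap log-flood).
echo " [protection contre les mauvais messages d'erreurs ICMP]"
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# SYN cookies only engage once the listen backlog overflows; they are the
# mitigation that actually scales under a SYN flood (the per-rate syn-flood
# chain below is a global throttle, not a per-source one).
echo " [SYN Cookie Protection]"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies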

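##########################################################
###   NET TWEAKS
##########################################################
# Shorter timeouts so half-closed / idle connections free their resources
# sooner -- a cheap mitigation for connection-exhaustion style DoS.
# Kernel defaults, for reference:
#           tcp_fin_timeout      60
#           tcp_keepalive_time   7200
#           tcp_window_scaling   1
#           tcp_sack             1
#############################################################
echo "Enabling reduction of the DoS'ing ability."
echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
# CAUTION: the next two are NOT DoS protections. Disabling window scaling caps
# every TCP receive window at 64 KiB and disabling SACK forces whole-window
# retransmits on loss; both cost throughput on any link with a non-trivial
# bandwidth*delay product and buy no security. They are kept only because the
# original script set them -- strongly consider leaving them at the default 1.
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
# 64 is already the Linux default TTL; this merely pins it explicitly.
echo "64" > /proc/sys/net/ipv4/ip_default_ttl


# Increase the ip_queue (userspace QUEUE target) backlog. (Kernel default: 1024)
# BUG FIXED: the original tested a mistyped path (/proc/sys/net/ipv4/ipv4/...),
# so the write below never ran. The guard now checks the same file it writes.
# ip_queue is obsolete (superseded by nfnetlink_queue); on kernels without it
# the file is simply absent and this block is skipped.
##########################################################
ip_queue_maxlen=/proc/sys/net/ipv4/ip_queue_maxlen
if [ -e "$ip_queue_maxlen" ]; then
  echo "2048" > "$ip_queue_maxlen"
fi

# Enable ECN (Explicit Congestion Notification) when the kernel offers it.
# NOTE: a few old middleboxes drop SYNs that negotiate ECN; if connections to
# particular peers stall, this is the first setting to revert.
################################################
tcp_ecn=/proc/sys/net/ipv4/tcp_ecn
if [ -e "$tcp_ecn" ]; then
  echo "Enabling ECN (Explicit Congestion Notification)."
  echo "1" > "$tcp_ecn"
fi

#########################################################
# FIN TWEAKS
#######################################################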

echo " [LOAD MODULES !!!]"
# Netfilter modules used by the rules below, loaded in the original order.
# These are 2.6-era names; newer kernels presumably call the helpers
# nf_conntrack_ftp / nf_nat_ftp and no longer ship ipt_tos. modprobe just
# reports an unknown name on stderr and the script carries on, so check the
# output once on a new kernel.
# SECURITY NOTE: the FTP helper classifies data connections as RELATED, and
# the INPUT chain below accepts RELATED from eth0 -- i.e. the helper opens
# inbound ports based on FTP control-channel payload. Only load it if this
# host really serves or uses FTP.
for module in ip_tables ip_nat_ftp ip_nat_irc iptable_filter iptable_nat \
              ip_conntrack_ftp iptable_mangle ipt_tos ipt_esp; do
  modprobe "$module"
done

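echo " [FLUSH]"
# Start from a clean slate in every table this script loads support for:
# iptable_mangle is modprobed above, so leftover mangle rules from an earlier
# configuration would otherwise survive a reload, and user chains in nat were
# never removed. Chain policies are deliberately NOT reset to ACCEPT here:
# if a previous run left INPUT/OUTPUT at DROP, an in-flight SSH session only
# sees a few retransmits until the ESTABLISHED rule is re-added below,
# whereas ACCEPT-then-reload would expose the host for the duration of the
# script. Fail closed; do not "fix" this.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X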

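echo " [NOUVELLES CHAINES LOG]"
# log_chain NAME TARGET PREFIX
# Creates user chain NAME that logs matching packets (rate-limited) and then
# jumps to TARGET (DROP or ACCEPT).
# SECURITY: LOG1_DROP and LOG2_DROP are reachable by unsolicited packets from
# the Internet (bogus TCP flags, spoofed sources). The original rate-limited
# only LOG_DROP, so a remote peer could fill the log partition by sending a
# stream of junk. Every chain now logs at most 1/s with a burst of 5, which
# is what LOG_DROP already did (5 is the default burst).
# Chains LOG_ACCEPT, LOGd_ACCEPT, LOG3_DROP and LOG5_DROP are defined but not
# referenced anywhere in this script; they are kept for compatibility.
log_chain() {
  iptables -N "$1"
  iptables -A "$1" -m limit --limit 1/s --limit-burst 5 -j LOG --log-prefix "$3"
  iptables -A "$1" -j "$2"
}

log_chain LOG_DROP    DROP   '[IPTABLES DROP] : '
log_chain LOG_ACCEPT  ACCEPT '[IPTABLES ACCEPT] : '
log_chain LOGd_ACCEPT ACCEPT '[dns ACCEPT] : '
log_chain LOG1_DROP   DROP   '[IPTABLES TCP state] : '
log_chain LOG2_DROP   DROP   '[IPTABLES INVALID SOURCE] : '
log_chain LOG3_DROP   DROP   '[NEW TCP are not SYN !] : '
log_chain LOG4_DROP   DROP   '[LIMITING INCOMING !] : '
log_chain LOG5_DROP   DROP   '[IPTABLES INVALID PACKET] : '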

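echo " [DROP PAR DEFAUT]"
# Fail closed: anything not explicitly accepted below is dropped.
# FORWARD gets a DROP policy too. The original relied solely on the LOG_DROP
# rule appended at the very end of the script, which leaves FORWARD at its
# default of ACCEPT for the whole time the script runs and whenever a later
# rule fails to load. This host is not a router, so DROP is the right default.
# NOTE: this script is IPv4 only. If the machine has IPv6 connectivity,
# ip6tables is untouched and every listening service is reachable over v6.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

echo " [INTERFACE LOCALE OK]"
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo " [Ping of death]"
# Echo requests are rate-limited BEFORE the blanket ICMP accept: in the
# original the blanket accept came first, so this rule was never reached.
# Requests over the limit are now explicitly dropped. The limit is global,
# not per-source -- one aggressive pinger makes the host unpingable for all.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

echo " [PING ENABLING]"
# All other ICMP types are accepted in both directions, including redirects,
# timestamp and address-mask requests. Redirects are harmless only while
# conf/*/accept_redirects is 0 in the kernel; IGMP is accepted as well.
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p igmp -j ACCEPT
iptables -A OUTPUT -p igmp -j ACCEPT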

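#################################################################
# BASIC PROTECTION

## SYN-FLOODING PROTECTION
# Every new TCP connection arriving on eth0 (--syn) passes through this chain:
# up to 10/s with a burst of 15 RETURN to INPUT and keep being evaluated,
# anything above that is logged (at most 1/s) and dropped.
# NOTE: this is a global bucket, not per-source -- a single flooder throttles
# legitimate clients too, and 10 new connections/s is low for a busy HTTP or
# SMTP host. tcp_syncookies (set above) is what really handles SYN floods;
# tune or remove this chain according to the expected load.
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 10/s --limit-burst 15 -j RETURN
iptables -A syn-flood -m limit --limit 1/s -j LOG --log-prefix '[SYN FLOOD max rate !] : '
iptables -A syn-flood -j DROP

## FRAGMENTS
# -f matches second-and-later IPv4 fragments only. With connection tracking
# loaded (it is, above) the kernel normally reassembles datagrams before the
# filter table sees them, so this is mostly a safety net.
# The LOG is now rate-limited: the original logged every fragment, which is a
# trivial remote log-flood vector.
iptables -A INPUT -i eth0 -f -m limit --limit 1/s -j LOG --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP

## BOGUS TCP FLAG COMBINATIONS (scanner fingerprints / stack crashers)
# Each combination is logged through LOG1_DROP and dropped. These rules carry
# no -i, so they apply to every interface except lo (accepted above).

# All of the bits are cleared (NULL scan)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG1_DROP

# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG1_DROP

# SYN and RST are both set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG1_DROP

# FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG1_DROP

# FIN is set without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG1_DROP

# PSH is set without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG1_DROP

# URG is set without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG1_DROP
##################################################################################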

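echo " [DROP NETBIOS SANS LOGGING]"
# Windows file-sharing / DCE-RPC noise from the Internet is dropped WITHOUT
# logging. The default policy would drop it anyway; the point of these rules
# is to keep that background noise out of the LOG_DROP log lines.
for port in 445 135 137 138 139; do
  iptables -A INPUT -i eth0 -p tcp --dport "$port" -j DROP
done
for port in 445 135 137 138 139; do
  iptables -A INPUT -i eth0 -p udp --dport "$port" -j DROP
done

echo " [DROP SQL-HAMMER SANS LOGGING]"
# MS-SQL (1433/tcp) and the SQL browser port (1434/udp), presumably the
# "Slammer" worm traffic the original name refers to.
iptables -A INPUT -i eth0 -p tcp --dport 1433 -j DROP
iptables -A INPUT -i eth0 -p udp --dport 1434 -j DROP

echo " [DROP RPC-LSA SANS LOGGING]"
# Windows dynamic RPC endpoint ports commonly probed by worms.
for port in 1025 1026 1027; do
  iptables -A INPUT -i eth0 -p tcp --dport "$port" -j DROP
done
for port in 1025 1026 1027; do
  iptables -A INPUT -i eth0 -p udp --dport "$port" -j DROP
done

# DROP INVALID SOURCE -- adapt this to your own LAN, of course.
echo " [DROP INVALID SOURCE]"
# Packets arriving on the Internet-facing interface with a source address
# that cannot legitimately come from there, logged through LOG2_DROP.
# The original listed only two of the three RFC 1918 blocks; 10.0.0.0/8 and a
# loopback source (127/8) are added. REMOVE any range that is genuinely routed
# to eth0 in your network (that is what the original's "adapt to your local
# network" meant).
iptables -A INPUT -i eth0 -s 10.0.0.0/8     -j LOG2_DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12  -j LOG2_DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j LOG2_DROP
iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j LOG2_DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8    -j LOG2_DROP
iptables -A INPUT -d 127.0.0.0/8 -j LOG2_DROP

# Invalid packets: anything connection tracking cannot classify (out-of-window
# TCP, malformed headers, ...). The original restricted this to -p tcp;
# INVALID is meaningful for every protocol, so that restriction is removed.
# Kept as a silent DROP: INVALID is very common noise on a busy link and
# routing it through an unlimited log chain would be a log-flood vector.
iptables -A INPUT -m state --state INVALID -j DROP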

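# FULL OUTBOUND ACCESS
echo " [REGLES SERVEUR VERS NET]"

# Outbound is unrestricted: anything this host initiates on eth0 is allowed,
# and the reply half of every tracked connection is accepted inbound.
# SECURITY NOTE: this also means a compromised service can reach anything
# (reverse shells, exfiltration, pulling second-stage payloads). Tightening
# OUTPUT to the destinations/ports actually needed is the next hardening step.
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT


# FILTERING NET -> SERVER
echo " [NET VERS SERVEUR]"
# allow_service PORT
# Accepts new connections from eth0 to PORT/tcp, plus the matching replies.
# The OUTPUT rule is redundant with the blanket OUTPUT accept above; it is
# kept so each service stays self-contained if that rule is ever tightened.
allow_service() {
  iptables -A INPUT  -i eth0 -m state --state NEW,ESTABLISHED -p tcp --dport "$1" -j ACCEPT
  iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED -p tcp --sport "$1" -j ACCEPT
}

# SSH is open to the whole Internet with no brute-force throttle. Consider
# restricting it with -s to admin ranges, or adding an -m recent limit like
# the one used for port 80 below.
allow_service 22
allow_service 25    # SMTP
allow_service 80    # HTTP
allow_service 143   # IMAP -- cleartext logins unless the IMAP daemon enforces STARTTLS
allow_service 443   # HTTPS
allow_service 587   # Submission
allow_service 993   # IMAPS



# Limit new connections to port 80: more than 30 from one source address
# within 60 s (the original comment said "30 per second"; the rule is 30 per
# minute) are logged through LOG4_DROP and dropped. -I places both rules at
# the head of INPUT, ahead of everything above; the second -I lands first, so
# the --update check runs before --set, which is the correct order.
# NOTE: on older kernels --hitcount must not exceed xt_recent's
# ip_pkt_list_tot module parameter (default 20); if this rule fails to load
# with "Invalid argument", raise that parameter or lower --hitcount.
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 30 -j LOG4_DROP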


# udpflood
# Unsolicited UDP (replies to this host's own queries on eth0 were already
# accepted as ESTABLISHED above) goes through a token bucket: 1/s with a burst
# of 2 RETURNs to INPUT, the rest is logged (1/s) and dropped. Whatever
# returned is then logged ("Denied UDP port", 3/min) and dropped as well, so
# no unsolicited UDP ever reaches a socket on this host -- the only difference
# between the two paths is which log line is produced.
udp_chain=udp-flood
iptables -N "$udp_chain"
iptables -A INPUT -p udp -j "$udp_chain"
iptables -A "$udp_chain" -m limit --limit 1/s --limit-burst 2 -j RETURN
iptables -A "$udp_chain" -m limit --limit 1/s -j LOG --log-prefix '[UDP FLOOD max rate !] : '
iptables -A "$udp_chain" -j DROP

# block and log udp
iptables -A INPUT -p udp -m limit --limit 3/m --limit-burst 5 -j LOG --log-prefix 'Denied UDP port: '
iptables -A INPUT -p udp -j DROP

######################


echo " [POUR FINIR DROP GENERAL]"
# Catch-all: anything that reached the end of FORWARD, INPUT or OUTPUT is
# logged (rate-limited inside LOG_DROP) and dropped, mirroring the DROP
# policies on INPUT and OUTPUT.
for chain in FORWARD INPUT OUTPUT; do
  iptables -A "$chain" -j LOG_DROP
done



echo " [FIREWALL RULES FULLY LOADED !!!!]"
