Io tempo fa avevo fatto uno scriptino un po' più estensibile. Se vuoi dagli un'occhiata.
Per usarlo devi creare il gruppo "nonet", che è quello a cui viene negato l'accesso alla rete: lo uso dando il setgid (chgrp nonet + chmod g+s) ai programmi che non voglio che accedano a internet. Tieni presente che il match `-m owner --gid-owner` agisce solo sul traffico generato localmente (catena OUTPUT) e guarda il gid con cui il processo ha aperto il socket, quindi non trattiene un processo che gira come root e può cambiarsi gruppo. Se non vuoi creare il gruppo elimina la catena relativa al ban del gruppo nonet, altrimenti iptables non riesce a risolvere il nome del gruppo e rifiuta quelle regole con un errore.
#!/bin/sh
# Personal iptables firewall: default-deny on INPUT/FORWARD, selectable rule
# sets (default|block|forward|status|stop), owner-based ban of one group.
#
# ---- Interfaces -----------------------------------------------------------
IFACE="wlan0"   # external / upstream interface (wlan0 is a wireless NIC, despite the original "ethernet" label)
LFACE="eth0"    # internal (LAN) interface, only used by the 'forward' rule set
# ---- Nameservers allowed for outgoing DNS (dns_query chain) ---------------
NAMESERVER_1="213.205.32.70"
NAMESERVER_2="213.205.36.70"
# ---- Default gateway, SNAT target of the 'forward' rule set ---------------
GATEWAY="192.168.0.1"
# ---- Group denied network access (ban_group chain; the group must exist) --
BAN_GROUP="nonet"
# ---- Source IPs dropped on INPUT: space-separated single IPs or "a-b" ranges
BAN_IP=""
#BAN_IP="192.168.0.200-192.168.0.255 192.168.0.110"
# ---- Source IPs logged on INPUT, same syntax as BAN_IP ---------------------
LOG_IP=""
#LOG_IP="192.168.0.200-192.168.0.255"
# ---- Input files -----------------------------------------------------------
# One blocked destination range per line (blocklist chain, currently disabled)
#INPUTF="/etc/blocklist_ip"
#if [ ! -f $INPUTF ]; then
# echo ERROR! FILE $INPUTF NOT FOUND!
# exit 1
#fi
# ---- Ports -----------------------------------------------------------------
SSH_PORT="22"
P_PORTS="0:1023"              # privileged ports (not referenced by the rules below)
UP_PORTS="1024:65535"         # unprivileged ports (not referenced by the rules below)
BITTORRENT_PORTS="6881:6889"
TRANSMISSION_PORT="51413"
EKIGA_PORTS="5000:5100"       # not referenced by the rules below
# ---- Tool paths ------------------------------------------------------------
IPTABLES="/sbin/iptables"
IPTABLESSAVE="/sbin/iptables-save"          # not referenced by the rules below
IPTABLESRESTORE="/sbin/iptables-restore"    # not referenced by the rules below
##########################################################################
# Rule sets
##########################################################################
# Each rule set is a function that, when called, defines the three functions
# input, output and forward; those are later applied to the INPUT, OUTPUT and
# FORWARD chains respectively. The command-line argument selects the rule set;
# with no argument the 'default' set is used.
# Keep LISTA_PARAMETRI in sync with the rule-set functions: a rule set must
# have exactly the name of its command-line argument.
LISTA_PARAMETRI="default block forward status stop"
# 'default' rule set: inbound SSH and Transmission; outbound everything except
# the banned group. Defines input/output/forward for the wiring section below.
default() {
    input() {
        printf '%s\n' "FW: Carico set di regole 'default'"
        for chain in ssh_in transmission_in; do
            $IPTABLES -A INPUT -j "$chain"
        done
        return 0
    }
    output() {
        # Earlier variants of this set (kept for reference):
        # $IPTABLES -A OUTPUT -d 127.0.0.1 -j ACCEPT
        # $IPTABLES -A OUTPUT -d 10.0.2.2 -j ACCEPT
        # Banned-group check first; 10.0.2.2 is then accepted explicitly
        # (presumably a VM NAT gateway -- confirm).
        $IPTABLES -A OUTPUT -j ban_group
        $IPTABLES -A OUTPUT -d 10.0.2.2 -j ACCEPT
        return 0
    }
    forward() {
        # Nothing is forwarded in the default set.
        return 0
    }
}
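# 'forward' rule set: inbound SSH, banned group on OUTPUT, kernel forwarding
# plus NAT for forwarded traffic.
# NOTE(review): the FORWARD chain only ever receives the connessioni_avviate
# jump (ESTABLISHED,RELATED accept, everything else DROP) and the policy is
# DROP, so NEW forwarded connections are never accepted; an explicit ACCEPT
# for the intended direction (LAN -> upstream?) is still missing -- confirm
# which interface is which before adding it.
forward() {
    input() {
        $IPTABLES -A INPUT -j ssh_in
        return 0
    }
    output() {
        $IPTABLES -A OUTPUT -j ban_group
        return 0
    }
    forward() {
        echo "FW: Forwarding dalla porta $LFACE a $GATEWAY"
        # Re-enable forwarding: the sysctl section turns it off, and this
        # function is called after that section.
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # Use the configured binary like every other rule (was a bare 'iptables').
        # NOTE(review): SNAT --to $GATEWAY rewrites the source address to the
        # *gateway's* address, and -o $LFACE is the interface labelled internal;
        # this looks inverted (MASQUERADE on the external interface is the
        # usual form). Verify on the target box before relying on it.
        $IPTABLES -t nat -A POSTROUTING -o "$LFACE" -j SNAT --to "$GATEWAY"
        return 0
    }
}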
# Print the filter and nat tables (numeric, verbose, with rule numbers) and exit.
status() {
    # Intentionally unquoted below: these are separate iptables arguments.
    listflags="-L -n -v --line-numbers"
    printf '%s\n' "-------------- RULES STATUS : --------------" ""
    $IPTABLES $listflags
    printf '%s\n' "" "--------------- NAT STATUS : ---------------" ""
    $IPTABLES $listflags -t nat
    exit 0
}
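# Flush every rule and delete every user-defined chain in the filter, mangle
# and nat tables. Chain policies are NOT touched here; callers set them.
# Shared by stop() and block(), which previously duplicated these six lines.
fw_reset_tables() {
    $IPTABLES -F
    $IPTABLES -F -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X
    $IPTABLES -X -t mangle
    $IPTABLES -X -t nat
}
# 'stop': remove all filtering. Fail-open -- the host is unprotected afterwards.
stop() {
    echo "FW: Arresto del firewall (tutte le regole su ACCEPT)"
    fw_reset_tables
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    exit 0
}
# 'block': drop everything except loopback.
block() {
    echo "FW: blocking all network trafic 'in' and 'out'"
    # Policies first, then flush: the original flushed with whatever policy was
    # in force (ACCEPT after a 'stop'), leaving a short window with no rules
    # and accept-all policies.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    fw_reset_tables
    # Loopback must keep working for local services.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    exit 0
}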
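# Select the rule set named by the first argument.
# Exact match only. The original test (echo $LISTA_PARAMETRI | grep -e $1)
# was a substring match, so an argument like "st" or "." passed the check and
# was then executed as a command -- by root. Keep this list in sync with
# LISTA_PARAMETRI (used for the usage message).
if [ $# -gt 0 ]; then
    case "$1" in
        default|block|forward|status|stop)
            "$1"
            ;;
        *)
            # Usage error: report on stderr and exit non-zero so an init
            # script or caller can tell it apart from a successful load.
            echo "parametro '$1' sconosciuto" >&2
            echo "Lista dei parametri accettati:" >&2
            echo "$LISTA_PARAMETRI" >&2
            exit 1
            ;;
    esac
else
    default
fi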
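##########################################################################
# Reset: fail-closed policies, then flush everything and rebuild below
##########################################################################
# Policies are set BEFORE the flush. The original set ACCEPT, flushed, and
# only then set DROP, which leaves a short window in which INPUT and FORWARD
# accept everything with no rules loaded. With DROP already in place nothing
# unfiltered gets in while the chains below are being created; already
# established flows only see a brief stall until connessioni_avviate is
# wired in again.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# Flush all rules and delete user chains in filter, mangle and nat.
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat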
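##########################################################################
# User chains for the various packet classes
##########################################################################
# Destination blocklist loaded from $INPUTF (disabled; kept for reference)
# $IPTABLES -N blocklist
# $IPTABLES -F blocklist
# old_IFS=$IFS
# IFS=$'\n'
# for i in $(cat $INPUTF|egrep -v "^#|^$"); do
# $IPTABLES -A blocklist -m iprange --dst-range $i -j DROP
# done
# IFS=$old_IFS
# Per-user ban from the blocklisted destinations (disabled; kept for reference)
#$IPTABLES -N ban_user
#$IPTABLES -F ban_user
#$IPTABLES -A ban_user -m owner --uid-owner $BAN_USER -j blocklist
# connessioni_avviate: terminal chain, appended LAST to INPUT and FORWARD.
# Accepts packets of tracked connections and drops everything else.
$IPTABLES -N connessioni_avviate
$IPTABLES -F connessioni_avviate
$IPTABLES -A connessioni_avviate -m state --state ESTABLISHED,RELATED -j ACCEPT
# $IPTABLES -A connessioni_avviate -i $IFACE -m limit -j LOG --log-prefix "FW:Bad packet from ${IFACE}:"
$IPTABLES -A connessioni_avviate -j DROP
# ban_group: deny network access to processes whose socket belongs to group
# $BAN_GROUP. The owner match only sees locally generated packets, so this
# chain is meaningful in OUTPUT only. The LOG rule is rate-limited: a banned
# program retrying in a loop could otherwise flood the log.
$IPTABLES -N ban_group
$IPTABLES -F ban_group
$IPTABLES -A ban_group -m owner --gid-owner "$BAN_GROUP" -m limit --limit 5/minute -j LOG --log-prefix "FW:BAN_GROUP:"
$IPTABLES -A ban_group -m owner --gid-owner "$BAN_GROUP" -j DROP
# ban_ip: drop by source address. Entries are single IPs or "first-last"
# ranges; a range is recognised by the dash (no grep/wc subshells needed).
$IPTABLES -N ban_ip
$IPTABLES -F ban_ip
for i in $BAN_IP; do
    case "$i" in
        *-*) $IPTABLES -A ban_ip -m iprange --src-range "$i" -j DROP ;;
        *)   $IPTABLES -A ban_ip -s "$i" -j DROP ;;
    esac
done
# log_ip: rate-limited LOG by source address, same entry syntax as ban_ip.
$IPTABLES -N log_ip
$IPTABLES -F log_ip
for i in $LOG_IP; do
    case "$i" in
        *-*) $IPTABLES -A log_ip -m iprange --src-range "$i" -m limit -j LOG --log-prefix "FW:LOG_IP: " ;;
        *)   $IPTABLES -A log_ip -s "$i" -m limit -j LOG --log-prefix "FW:LOG_IP: " ;;
    esac
done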
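# icmp_in: inbound ICMP. Only the types a client needs are accepted here; any
# other ICMP is logged and falls through to the rest of INPUT, where
# connessioni_avviate keeps RELATED replies and drops the rest. (The original
# comment claimed "only as part of existing connections"; the rules below do
# not check state.)
$IPTABLES -N icmp_in
$IPTABLES -F icmp_in
$IPTABLES -A icmp_in -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A icmp_in -p icmp --icmp-type destination-unreachable -j ACCEPT
# Ping-flood protection: echo requests above 1/s (default burst 5) are not
# accepted here and end up in the fall-through path.
$IPTABLES -A icmp_in -p icmp --icmp-type ping -m limit --limit 1/s -j ACCEPT
# Rate-limited log. Without -m limit any remote host could fill the log with
# junk ICMP at line rate.
$IPTABLES -A icmp_in -p icmp -m limit --limit 5/minute -j LOG --log-prefix "FW:Bad ICMP traffic:"
# SYN-flood chain (disabled; kept for reference)
# $IPTABLES -N syn_flood
# $IPTABLES -F syn_flood
# $IPTABLES -A syn_flood -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT
# $IPTABLES -A syn_flood -p tcp --syn -j DROP
# icmp_out: all outbound ICMP on the external interface
$IPTABLES -N icmp_out
$IPTABLES -F icmp_out
$IPTABLES -A icmp_out -o "$IFACE" -p icmp -j ACCEPT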
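# dns_query: outbound DNS to the two configured resolvers only.
# Fix: the original matched the nameserver with -s (source). In OUTPUT our
# packets carry our own source address, so those rules could never match
# (unless this host is itself one of the resolvers) -- the resolver is the
# destination (-d). The bug was masked because no output() set jumps to this
# chain and the OUTPUT policy is ACCEPT. TCP/53 is included for answers that
# do not fit in a UDP datagram.
$IPTABLES -N dns_query
$IPTABLES -F dns_query
for ns in "$NAMESERVER_1" "$NAMESERVER_2"; do
    $IPTABLES -A dns_query -o "$IFACE" -p udp -d "$ns" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A dns_query -o "$IFACE" -p tcp -d "$ns" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
done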
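# ssh_in: inbound SSH on $SSH_PORT from the external interface.
# The original accepted up to 1/s of lone-RST / lone-FIN / lone-SYN packets
# and then accepted every NEW,ESTABLISHED packet anyway, so the "limit" never
# limited anything. Now:
#   - new connections (SYN) are accepted at 1/s with a burst of 5, excess
#     SYNs are dropped;
#   - packets of already accepted connections are always allowed.
# NOTE: -m limit is one global bucket, so a SYN flood can still starve
# legitimate logins; a per-source limiter (-m recent or hashlimit) would be
# the next step.
$IPTABLES -N ssh_in
$IPTABLES -F ssh_in
$IPTABLES -A ssh_in -i "$IFACE" -p tcp --dport "$SSH_PORT" --syn -m state --state NEW -m limit --limit 1/second --limit-burst 5 -j ACCEPT
$IPTABLES -A ssh_in -i "$IFACE" -p tcp --dport "$SSH_PORT" --syn -m state --state NEW -j DROP
$IPTABLES -A ssh_in -i "$IFACE" -p tcp --dport "$SSH_PORT" -m state --state ESTABLISHED -j ACCEPT
# ssh_out: outbound SSH to $SSH_PORT (the commented rule also allowed the
# default port 22 when SSH_PORT is something else).
$IPTABLES -N ssh_out
$IPTABLES -F ssh_out
$IPTABLES -A ssh_out -o "$IFACE" -p tcp --dport "$SSH_PORT" -m state --state NEW,ESTABLISHED -j ACCEPT
# $IPTABLES -A ssh_out -o $IFACE -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT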
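# fw_allow_in CHAIN PROTO PORT: append to CHAIN an accept for NEW,ESTABLISHED
# PROTO traffic to PORT (a single port or a "low:high" range) arriving on the
# external interface.
fw_allow_in() {
    $IPTABLES -A "$1" -i "$IFACE" -p "$2" --dport "$3" -m state --state NEW,ESTABLISHED -j ACCEPT
}
# fw_allow_out CHAIN PROTO PORT: same for locally originated traffic leaving
# on the external interface.
fw_allow_out() {
    $IPTABLES -A "$1" -o "$IFACE" -p "$2" --dport "$3" -m state --state NEW,ESTABLISHED -j ACCEPT
}
# http_out: outbound HTTP and HTTPS
$IPTABLES -N http_out
$IPTABLES -F http_out
fw_allow_out http_out tcp 80
fw_allow_out http_out tcp 443
# samba_in: NetBIOS/SMB. Defined but not used by any rule set in this file.
# If you jump to it, remember that $IFACE is the *external* interface: add a
# -s restriction to your LAN range rather than exposing SMB upstream.
$IPTABLES -N samba_in
$IPTABLES -F samba_in
fw_allow_in samba_in udp 137
fw_allow_in samba_in udp 138
fw_allow_in samba_in tcp 139
fw_allow_in samba_in tcp 445
# ftp_in: control channel only; data connections depend on the RELATED state
# in connessioni_avviate (needs the FTP conntrack helper loaded -- TODO confirm).
$IPTABLES -N ftp_in
$IPTABLES -F ftp_in
fw_allow_in ftp_in tcp 21
# rsync_in (not used by any rule set in this file)
$IPTABLES -N rsync_in
$IPTABLES -F rsync_in
fw_allow_in rsync_in tcp 873
# bittorrent_in: classic client port range (not used by any rule set in this file)
$IPTABLES -N bittorrent_in
$IPTABLES -F bittorrent_in
fw_allow_in bittorrent_in tcp "$BITTORRENT_PORTS"
# transmission_in: Transmission peer port (used by the 'default' set)
$IPTABLES -N transmission_in
$IPTABLES -F transmission_in
fw_allow_in transmission_in tcp "$TRANSMISSION_PORT"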
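##########################################################################
# Port-scan signatures
##########################################################################
# fw_portscan_rule MASK FLAGS LOGLEVEL LABEL: log (rate-limited, 5/minute)
# and drop TCP packets whose flags within MASK equal exactly FLAGS. Each call
# replaces the LOG+DROP pair the original wrote out by hand.
fw_portscan_rule() {
    $IPTABLES -A portscan -p tcp --tcp-flags "$1" "$2" -m limit --limit 5/minute -j LOG --log-level "$3" --log-prefix "FW:SCAN:$4:"
    $IPTABLES -A portscan -p tcp --tcp-flags "$1" "$2" -j DROP
}
$IPTABLES -N portscan
$IPTABLES -F portscan
# Log levels are kept as in the original ("alert" is syslog level 1, 5 is notice).
fw_portscan_rule ALL FIN,URG,PSH alert NMAP-XMAS            # nmap -sX signature
fw_portscan_rule ALL ALL 1 XMAS                             # every flag set
fw_portscan_rule ALL SYN,RST,ACK,FIN,URG 1 XMAS-PSH         # everything but PSH
fw_portscan_rule ALL NONE 1 NULL_SCAN                       # no flags (nmap -sN)
fw_portscan_rule SYN,RST SYN,RST 5 SYN/RST                  # illegal combination
fw_portscan_rule SYN,FIN SYN,FIN 5 SYN/FIN                  # illegal combination
# NOTE: this chain is only jumped to from INPUT, not from FORWARD.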
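##########################################################################
# Kernel (sysctl) hardening
##########################################################################
# IP forwarding off by default; the 'forward' rule set turns it back on
# (its forward() runs after this section).
#echo "1" > /proc/sys/net/ipv4/ip_forward
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward
# Dynamic addressing (for forwarding over links that change address)
#/bin/echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Ignore all pings (disabled: icmp_in rate-limits them instead)
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Ignore echo requests to broadcast addresses (smurf amplification)
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Ignore malformed ICMP error responses
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Log packets with impossible source addresses ("martians")
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# secure_redirects=0 means "accept redirects from any gateway", i.e. it
# RELAXES the check; it is moot while accept_redirects is 0 and is kept only
# because the original set it.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
# Per-interface settings (the glob includes conf/all and conf/default).
# - rp_filter: the kernel uses the max of conf/{all,iface}, so 'all' alone
#   would do; setting it everywhere keeps the value explicit.
# - accept_redirects: per the kernel ip-sysctl docs, when forwarding is
#   enabled a redirect is accepted if EITHER conf/all OR conf/<iface> allows
#   it, so the original conf/all-only setting did not cover the 'forward'
#   mode; disable it per interface as well.
# - accept_source_route: conf/all=0 is sufficient; per-interface is harmless.
for i in /proc/sys/net/ipv4/conf/*; do
    /bin/echo "1" > "$i/rp_filter"            # reverse-path filtering (anti-spoofing)
    /bin/echo "0" > "$i/accept_redirects"     # ignore ICMP redirects
    /bin/echo "0" > "$i/accept_source_route"  # drop source-routed packets
done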
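##########################################################################
# Wire the user chains into INPUT, OUTPUT and FORWARD
##########################################################################
# INPUT: scan signatures and INVALID first, then per-IP log/ban, ICMP,
# loopback, the selected rule set, and last the established-or-drop chain.
$IPTABLES -A INPUT -j portscan
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -j log_ip
$IPTABLES -A INPUT -j ban_ip
$IPTABLES -A INPUT -j icmp_in
# Loopback: accept everything arriving on lo, as block() already does. The
# original additionally required 127.0.0.1 as both source and destination,
# which dropped local connections made to the host's own non-loopback
# address (those are delivered over lo as well).
$IPTABLES -A INPUT -i lo -j ACCEPT
input
$IPTABLES -A INPUT -j connessioni_avviate
# OUTPUT (policy ACCEPT): loopback, then whatever the rule set restricts.
# $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -o lo -j ACCEPT
output
# FORWARD: the original "-o lo 127.0.0.1 -> 127.0.0.1" accept was a no-op
# (forwarded packets never leave through lo) and has been removed.
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
forward
$IPTABLES -A FORWARD -j connessioni_avviate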