Script for iptables

System security: firewall, antispam, antivirus, ssh, patches, bugs, etc.
Distribution: Gentoo x86_64

Post by Massimog »

Hi everyone... I found an iptables script on an international forum, and I'd like to hear from the iptables experts whether it is valid.
Thanks in advance

Code:

#!/bin/sh
#*****************************************************************
#AlbanianWizard Iptables Firewall Script v 2.0 [re-design]
#Tested against most nmap personalised scans.
#Author : Arditi
#License : GPLv3
#Contact : arditi[nospam]hush.ai
#WARNINGS: You must be root to run this,
#      This script is designed only for personal pc/laptop boxes; it is not for gateways/routers
#      Don't change the chain/rule-set order
#Technologies for building this mini-firewall:
# a) Static rule based policies (not to be confused with a "static firewall")
# b) Connection based stateful policies
# c) Sanity based policies
#*****************************************************************
#Variables, please check the correct location of iptables
#(whereis iptables ; whereis ip6tables) and edit the variables below
#*****************************************************************
IPT=/usr/sbin/iptables
IPT6=/usr/sbin/ip6tables
MP=/sbin/modprobe
IF=wlan0   #The only interface traffic is accepted on; set to eth0 (or similar) for a wired box
echo "$USER is setting up AW iptables firewall on $HOSTNAME"
#*****************************************************************
#Setting up Connection Tracking Modules
#The ip_conntrack/ip_nat_* names are the legacy ones (pre-2.6.20 kernels);
#newer kernels ship them as nf_conntrack, nf_conntrack_ftp and nf_nat_ftp,
#so the legacy name is tried first and the new name used as a fallback.
echo "* [+] Setting up Connection Tracking Modules"
$MP ip_conntrack 2>/dev/null || $MP nf_conntrack
$MP iptable_nat
$MP ip_conntrack_ftp 2>/dev/null || $MP nf_conntrack_ftp
$MP ip_nat_ftp 2>/dev/null || $MP nf_nat_ftp
$MP nfnetlink_log
#*****************************************************************
#Initial Setup
#*****************************************************************
echo "* [+] Setting up Chains"
$IPT -F                 #Flush all rules in the filter table
$IPT -X                 #Delete all user-defined chains
$IPT -P INPUT DROP      #Set the default policy for chain INPUT to DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT   #Or change to DROP and allow what you want if this is not your personal box
$IPT -N BAD_CHAIN       #Chain dedicated to scanning / fragmentation attacks
$IPT -N TCP_CHAIN       #Chain to define which packets we accept from TCP
$IPT -N UDP_CHAIN       #Chain to define which packets we accept from UDP
$IPT -N ICMP_CHAIN      #Chain to define which packets we accept from ICMP
#*****************************************************************
#Blocking all IPv6 traffic
#Note: OUTPUT DROP also blocks the IPv6 loopback (::1), so local services
#that bind only to IPv6 will stop working; add "-i lo -j ACCEPT" rules if needed.
echo "* [+] Blocking all IPv6 Traffic"
$IPT6 -P INPUT DROP
$IPT6 -P FORWARD DROP
$IPT6 -P OUTPUT DROP
#*****************************************************************
#Setting up the Rules
echo "* [+] Setting up the rules (accepting good things)"
#Accept already established connections.
$IPT -A INPUT -i $IF -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $IF -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
#New UDP traffic: rate-limited hand-off to UDP_CHAIN (2 packets/s, burst 20).
#Packets above the limit are not matched and fall through to the INPUT DROP policy.
$IPT -A INPUT -i $IF -p udp -m limit --limit 2/s --limit-burst 20 -j UDP_CHAIN
#Accept loopback traffic
$IPT -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
#####################################################################
#                      WARMING UP THE INPUT
#####################################################################
#Anti-spoofing (reverse path filtering)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter #setting it to 0 disables spoofing protection
#Force --syn packet check for NEW connections; if a NEW packet is not a SYN, send it to BAD_CHAIN!
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j BAD_CHAIN
#Throw away fragmentation attacks (-f matches second and further fragments)
$IPT -A INPUT -f -j BAD_CHAIN
#Enforcing: drop invalid connections beginning with FIN,PSH,ACK,RST etc.
$IPT -A INPUT -m conntrack --ctstate INVALID -j BAD_CHAIN
#nmap scans not blocked by the "INVALID" state
$IPT -A INPUT -p tcp -i $IF --tcp-flags ALL SYN,PSH -j BAD_CHAIN
$IPT -A INPUT -p tcp -i $IF --tcp-flags ALL SYN,URG -j BAD_CHAIN
$IPT -A INPUT -p tcp -i $IF --tcp-flags ALL NONE -j BAD_CHAIN
#**********************************************************************#
#                      FLOOD CHAIN REDIRECTS                           #
#This only mitigates the situation; in real life you should use Reactive Address Blocking (RAB).
#Established TCP was already accepted above, so only NEW (SYN) packets reach this rule.
#Both rules hand at most 1 packet/s (burst 1) to their chain; anything above that is not
#matched and falls through to the INPUT DROP policy without being logged. This also slows
#an nmap -sS scan. Raise --limit/--limit-burst if legitimate new connections get dropped.
$IPT -A INPUT -i $IF -p tcp -m limit --limit 1/s --limit-burst 1  -j TCP_CHAIN
$IPT -A INPUT -i $IF -p icmp -m limit --limit 1/s --limit-burst 1 -j ICMP_CHAIN
#########################################################################
#                    BAD CHAIN                                          #
#########################################################################
#LOG rules are rate-limited so that a flood of bad packets cannot fill the logs.
#Note: these rules match only $IF; packets sent here from the interface-independent
#rules above (non-SYN NEW, fragments, INVALID) that arrive on another interface
#return to INPUT unlogged and are dropped there by the default policy.
$IPT -A BAD_CHAIN -i $IF -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "# Bad Packets #"
$IPT -A BAD_CHAIN -i $IF -j DROP
#******************************************************************
echo "* [+] Setting up the TCP_CHAIN"
#WEB-SERVER
$IPT -A TCP_CHAIN -p tcp -i $IF --dport 80 --syn -m state --state NEW -j ACCEPT
$IPT -A TCP_CHAIN -p tcp -i $IF --dport 443 --syn -m state --state NEW -j ACCEPT #ssl
$IPT -A TCP_CHAIN -m conntrack -i $IF --ctstate ESTABLISHED,RELATED -j ACCEPT #enforcing (redundant with the INPUT rule above, kept as belt and braces)
$IPT -A TCP_CHAIN -i $IF -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "# TCP_CHAIN BLOCKED PACKET #"
$IPT -A TCP_CHAIN -i $IF -j DROP
echo "* [+] Setting up the UDP_CHAIN"
#UDP_CHAIN
#$IPT -A UDP_CHAIN -p udp -i $IF --dport 53 -j ACCEPT   #uncomment if this box runs a DNS server
$IPT -A UDP_CHAIN -i $IF -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "# UDP DROPPED #"
$IPT -A UDP_CHAIN -p udp -i $IF -j DROP
echo "* [+] Setting up the ICMP_CHAIN"
#ICMP_CHAIN
#allow ping | Currently you can ping others but others can't ping you :D [uncomment below if you want to be pinged]
#$IPT -A ICMP_CHAIN -p icmp -i $IF --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT   #allow others to ping you
#Echo replies to your own pings (ICMP is not covered by the ESTABLISHED rules in INPUT,
#so they arrive here through the 1/s limit above).
$IPT -A ICMP_CHAIN -p icmp -i $IF --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT #allow ping from you to others
$IPT -A ICMP_CHAIN -i $IF -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "# ICMP BAD PACKET #"
$IPT -A ICMP_CHAIN -p icmp -i $IF -j DROP
#°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°#
#Note: these are some of the common layer-3 attacks, but the real firewall attacks today use
#protocol tunneling / firewall piercing, so for those you need Snort, an l7 firewall or some other
#application designed for performing layer 7 application checks.
#Yes, iptables can do this stuff, but it is too resource consuming.
#°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°#
#print the configuration
#$IPT -nvL
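A way to answer "is this script valid?" without applying it as root is a static lint pass over the script text. The example below is added here and is not part of the original post or of the AlbanianWizard script; it only reads the file and needs neither root nor iptables. It performs three checks that matter for the posted script: every `-j` target is a built-in target or a chain created earlier with `-N` (iptables rejects a jump to a chain that does not exist yet); every `LOG` rule carries `-m limit`, since an unlimited LOG rule lets a packet flood fill the logs; and a user chain whose rules are all bound to an interface with `-i` is not reached from rules without `-i`, which is exactly the BAD_CHAIN situation in the posted script (the non-SYN, fragment and INVALID rules have no `-i`, so packets from another interface return from BAD_CHAIN unlogged). The function name, message texts and the sample fragment are constructed for this example.

```shell
#!/bin/sh
# Added example, not the posted script: static lint of an iptables shell script.
# lint_iptables_script FILE  -> prints one finding per line, exit 0 if none, 1 otherwise.
lint_iptables_script() {
    awk '
    BEGIN {
        # Built-in chains and targets that never need a -N (constructed list).
        split("INPUT OUTPUT FORWARD PREROUTING POSTROUTING ACCEPT DROP REJECT LOG RETURN QUEUE MASQUERADE SNAT DNAT", b, " ")
        for (i in b) known[b[i]] = 1
        n = 0
    }
    # Skip comments and blank lines.
    /^[ \t]*#/ || NF == 0 { next }
    {
        chain = ""; target = ""; has_i = 0; has_limit = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-N") created[$(i + 1)] = 1
            else if ($i == "-A") chain = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-i") has_i = 1
            else if ($i == "-m" && $(i + 1) == "limit") has_limit = 1
        }
        if (chain == "") next          # not an -A rule (-P, -F, -X, echo, modprobe ...)
        if (target != "" && !known[target]) {
            # Check 1: jump to a chain that was not created before this line.
            if (!created[target]) findings[++n] = NR ": jump to undefined chain " target
            # Remember how many rules reach this chain without an interface match.
            jump_no_if[target] += !has_i
        }
        if (has_i) bound[chain] = 1     # this chain has interface-bound rules
        # Check 2: LOG without a rate limit.
        if (target == "LOG" && !has_limit) findings[++n] = NR ": LOG rule without -m limit (log flooding)"
    }
    END {
        # Check 3: interface-bound chain reached by interface-independent rules.
        for (c in bound)
            if (jump_no_if[c] > 0)
                findings[++n] = "chain " c " has -i bound rules but is reached by " jump_no_if[c] " rule(s) without -i; packets from other interfaces fall through unhandled"
        for (i = 1; i <= n; i++) print findings[i]
        exit (n > 0) ? 1 : 0
    }' "$1"
}

# Demo on a constructed fragment modelled on the posted BAD_CHAIN rules.
sample=$(mktemp)
cat > "$sample" <<'EOF'
$IPT -N BAD_CHAIN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j BAD_CHAIN
$IPT -A BAD_CHAIN -i wlan0 -j LOG --log-level info --log-prefix "# Bad Packets #"
$IPT -A BAD_CHAIN -i wlan0 -j DROP
EOF
if lint_iptables_script "$sample"; then
    echo "no findings"
fi
rm -f "$sample"
```

Run it as `lint_iptables_script firewall.sh` on the saved post; the two findings it reports for the original (unlimited LOG rules and the interface-bound BAD_CHAIN) are exactly the points a reviewer would raise before loading the rules. It is a text-level check only, so it does not replace `iptables-restore --test` or a test load on a machine you can still reach out of band.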