firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Complete the last commit.

Browse Source
This commit is contained in:
Christoph 2019-03-07 05:07:46 +01:00
parent 040f453e6d
commit 15accbe3a6
10 changed files with 4283 additions and 203 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
ban_ipv4.list.sample → OLD/ban_ipv4.list.sample
View File

0
ban_ipv6.list.sample → OLD/ban_ipv6.list.sample
View File

1743
OLD/ip6t-firewall-server Executable file
View File

File diff suppressed because it is too large Load Diff

0
ip6t-firewall-server.conf.sample → OLD/ip6t-firewall-server.conf.sample
View File

2063
OLD/ipt-firewall-server Executable file
View File

File diff suppressed because it is too large Load Diff

0
ipt-firewall-server.conf.sample → OLD/ipt-firewall-server.conf.sample
View File

49
README.systemd.server
View File

@ -1,26 +1,57 @@
## - Create a systemd service # ---
## - # - Install scripts
# ---
# - Copy firewall scripts to /usr/local/sbin # - Copy firewall scripts to /usr/local/sbin
# - # -
cp -a /usr/local/src/ipt-server/ipt-firewall-server /usr/local/sbin/ cp -a /usr/local/src/ipt-server/ipt-firewall-server /usr/local/sbin/
cp -a /usr/local/src/ipt-server/ip6t-firewall-server /usr/local/sbin/ cp -a /usr/local/src/ipt-server/ip6t-firewall-server /usr/local/sbin/
# ---
# - Configuration
# ---
# - Copy Configuration files to /etc/ipt-firewall # - Copy Configuration files to /etc/ipt-firewall
# - # -
mkdir /etc/ipt-firewall mkdir /etc/ipt-firewall
cp -a /usr/local/src/ipt-server/ipt-firewall-server.conf.sample /etc/ipt-firewall/ipt-firewall-server.conf
cp -a /usr/local/src/ipt-server/ip6t-firewall-server.conf.sample /etc/ipt-firewall/ip6t-firewall-server.conf
cp -a /usr/local/src/ipt-server/ban_ipv4.list.sample /etc/ipt-firewall/ban_ipv4.list cp /usr/local/src/ipt-server/conf/default_ports.conf \
cp -a /usr/local/src/ipt-server/ban_ipv6.list.sample /etc/ipt-firewall/ban_ipv6.list /usr/local/src/ipt-server/conf/include_functions.conf \
/usr/local/src/ipt-server/conf/load_modules_ipv4.conf \
/usr/local/src/ipt-server/conf/load_modules_ipv6.conf \
/usr/local/src/ipt-server/conf/logging_ipv4.conf \
/usr/local/src/ipt-server/conf/logging_ipv6.conf \
/usr/local/src/ipt-server/conf/post_decalrations.conf /etc/ipt-firewall/
cp -a /usr/local/src/ipt-server/conf/ban_ipv4.list.sample /etc/ipt-firewall/ban_ipv4.list
cp -a /usr/local/src/ipt-server/conf/ban_ipv6.list.sample /etc/ipt-firewall/ban_ipv6.list
# - Adjust Configuration files # - IPv4
# - # -
vim /etc/ipt-firewall/ipt-firewall-server.conf # - At least adjust files
vim /etc/ipt-firewall/ip6t-firewall-server.conf # - /etc/ipt-firewall/interfaces_ipv4.conf
# - /etc/ipt-firewall/main_ipv4.conf
# -
cp /usr/local/src/ipt-server/conf/interfaces_ipv4.conf.sample /etc/ipt-firewall/
cp /usr/local/src/ipt-server/conf/main_ipv4.conf.sample /etc/ipt-firewall/
vim /etc/ipt-firewall/interfaces_ipv4.conf
vim /etc/ipt-firewall/main_ipv4.conf
# - IPv6
# -
# - At least adjust files
# - /etc/ipt-firewall/interfaces_ipv6.conf
# - /etc/ipt-firewall/main_ipv6.conf
# -
cp /usr/local/src/ipt-server/conf/interfaces_ipv6.conf.sample /etc/ipt-firewall/interfaces_ipv6.conf
cp /usr/local/src/ipt-server/conf/main_ipv6.conf.sample /etc/ipt-firewall/main_ipv6.conf
vim /etc/ipt-firewall/interfaces_ipv6.conf
vim /etc/ipt-firewall/main_ipv6.conf
# IPv4 # IPv4

59
README.ulogd Normal file
View File

@ -0,0 +1,59 @@
# ---
# - Install netfilter userspace logging daemon.
# ---
apt-get install ulogd2
# ---
# - Adjust configuration file '/etc/ulogd.conf'
# ---
# - (1)
# -
# - Define two new plugin stacks inside '[global]'.
# -
# - directly after the last "plugin="/usr/lib.." statement add:
# -
# - # ====================================================================
# - # Define two new plugin stacks inside for iptables logging
# - # ====================================================================
# - # -
# - # - firewall11 - for IPv4 Firewall
# - # - firewall12 - for IPv6 Firewall
# - # -
# - stack=firewall11:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu11:LOGEMU
# - stack=firewall12:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu12:LOGEMU
# -
vim /etc/ulogd.conf
# - (2)
# -
# - - Define input plugins using above specified netlink group
# - - Define output plugins
# -
cat <<EOF >> /etc/ulogd.conf
# =========================================================
# Define input plugins using specified netlink group inside
# =========================================================
[firewall11]
group=11
[firewall12]
group=12
# =====================
# Define output plugins
# =====================
[emu11]
file="/var/log/ulog/iptables.log"
sync=1
[emu12]
file="/var/log/ulog/ip6tables.log"
sync=1
EOF

244
ip6t-firewall-server
View File

@ -10,43 +10,137 @@
# Short-Description: IPv6 Firewall # Short-Description: IPv6 Firewall
### END INIT INFO ### END INIT INFO
CONFIG_DIR="/etc/ipt-firewall"
CONFIG_FILE="${CONFIG_DIR}/ip6t-firewall-server.conf" # -------------
# - Settings
# -------------
ipt_conf_dir="/etc/ipt-firewall"
inc_functions_file="${ipt_conf_dir}/include_functions.conf"
load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf
conf_logging=${ipt_conf_dir}/logging_ipv6.conf
conf_default_ports=${ipt_conf_dir}/default_ports.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf
conf_main=${ipt_conf_dir}/main_ipv6.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
ip6t=$(which ip6tables)
if [[ -z "$fail2ban_client" ]]; then if [[ -z "$fail2ban_client" ]]; then
fail2ban_client="$(which fail2ban-client)" fail2ban_client="$(which fail2ban-client)"
fi fi
# ------------- Load Kernel Modules ------------- # -------------
# # - Some checks and preloads..
# Load appropriate modules. # -------------
if ! $host_is_vm ; then
/sbin/modprobe ip6_tables
/sbin/modprobe ip6table_filter if [[ -z "$ip6t" ]] ; then
/sbin/modprobe ip6t_REJECT echo ""
echo -e "\tip6tables was not found on this server!"
echo
echo -e "\tFirewall Script was stopped!"
echo
exit 1
fi fi
#
# ------------- End: Load Kernel Modules ------------- if [[ ! -f "$inc_functions_file" ]] ; then
echo ""
echo -e "\tMissing include file '$inc_functions_file'"
echo
echo -e "\tFirewall Script was stopped!"
echo
exit 1
else
source $inc_functions_file
fi
# - Check if running inside a container
# -
host_is_vm=false
# - If running in a LXC container 'cat /proc/1/environ | tr '\0' '\n' | grep ^container | grep lxc'
# - returns "container=lxc"
# -
r_val="$(cat /proc/1/environ | tr '\0' '\n' | grep ^container | grep lxc)"
if [[ -n "$r_val" ]] ; then
host_is_vm=true
else
# ---
# - For other container types we need a few more tricks
# ---
# Detect old-style libvirt
[ -n "$LIBVIRT_LXC_UUID" ] && host_is_vm=true
# Detect vserver
if ! $host_is_vm ; then
VXID="$(cat /proc/self/status | grep ^VxID | cut -f2)" || true
[ "${VXID:-0}" -gt 1 ] && host_is_vm=true
fi
fi
if [[ ! -f "$load_modules_file" ]] ; then
warn "No modules for loading configured. Missing file '$load_modules_file'!"
else
if ! $host_is_vm ; then
while read -r module ; do
if ! lsmod | grep -q -E "^$module\s+" ; then
/sbin/modprobe $module > /dev/null 2>&1
if [[ "$?" != "0" ]]; then
warn "Loading module '$module' failed!"
fi
fi
done < <(sed -ne 's/^[[:space:]]*\([^#].*\)[[:space:]]*/\1/p' $load_modules_file)
fi
fi
if [[ ! -f "$conf_logging" ]]; then
fatal "Missing configuration for logging - file '$conf_logging'"
else
source $conf_logging
fi
if [[ ! -f "$conf_default_ports" ]]; then
fatal "Missing configuration for default_ports - file '$conf_default_ports'"
else
source $conf_default_ports
fi
if [[ ! -f "$conf_interfaces" ]]; then
fatal "Missing interface configurations - file '$conf_interfaces'"
else
source $conf_interfaces
fi
if [[ ! -f "$conf_main" ]]; then
fatal "Missing main configurations - file '$conf_main'"
else
source $conf_main
fi
if [[ ! -f "$conf_post_declarations" ]]; then
fatal "Missing post declarations - file '$conf_post_declarations'"
else
source $conf_post_declarations
fi
echo echo
echo -e "\033[37m\033[1m\tStarting firewall iptables (IPv6)..\033[m" echo -e "\033[37m\033[1m\tStarting firewall iptables (IPv6)..\033[m"
echo echo
## --------------------------------------------------------------------------
## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf
## --------------------------------------------------------------------------
if [[ -f "$CONFIG_FILE" ]]; then
source $CONFIG_FILE
else
echo
echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m"
echo
exit 1
fi
# ------------- # -------------
# --- Activate IP Forwarding # --- Activate IP Forwarding
@ -173,6 +267,26 @@ fi
echo echo
# -------------
# ---- Log given IP Addresses
# -------------
echononl "\tLog given IPv6 Addresses"
if [[ ${#log_ip_arr[@]} -gt 0 ]]; then
for _ip in ${log_ip_arr[@]} ; do
$ip6t -A INPUT -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip IN: "
$ip6t -A OUTPUT -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip OUT: "
$ip6t -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD FROM: "
$ip6t -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD TO: "
done
echo_done
else
echo_skipped
fi
# ------------- # -------------
# ------------ Stopping firewall if only flushing was requested (parameter flush) # ------------ Stopping firewall if only flushing was requested (parameter flush)
@ -196,10 +310,10 @@ if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
echononl "\tPass through Devices (not firewalled)" echononl "\tPass through Devices (not firewalled)"
for _dev in ${unprotected_if_arr[@]} ; do for _dev in ${unprotected_if_arr[@]} ; do
if $log_unprotected || $log_all ; then if $log_unprotected || $log_all ; then
$ip6t -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level $ip6t -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
$ip6t -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level $ip6t -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
$ip6t -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level $ip6t -A FORWARD -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
$ip6t -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level $ip6t -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
fi fi
$ip6t -A INPUT -i $_dev -j ACCEPT $ip6t -A INPUT -i $_dev -j ACCEPT
$ip6t -A OUTPUT -o $_dev -j ACCEPT $ip6t -A OUTPUT -o $_dev -j ACCEPT
@ -224,9 +338,9 @@ echononl "\tBlock IPs / Networks / Interfaces.."
for _ip in $blocked_ips ; do for _ip in $blocked_ips ; do
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then if $log_blocked_ip || $log_all ; then
$ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level $ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: "
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level $ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: "
fi fi
fi fi
$ip6t -A INPUT -i $_dev -s $_ip -j DROP $ip6t -A INPUT -i $_dev -s $_ip -j DROP
@ -244,11 +358,11 @@ done
for _if in ${blocked_if_arr[@]} ; do for _if in ${blocked_if_arr[@]} ; do
if $log_blocked_if || $log_all ; then if $log_blocked_if || $log_all ; then
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level $ip6t -A FORWARD -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: "
$ip6t -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level $ip6t -A FORWARD -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: "
fi fi
$ip6t -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level $ip6t -A INPUT -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: "
$ip6t -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level $ip6t -A OUTPUT -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: "
fi fi
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_if -j DROP $ip6t -A FORWARD -i $_if -j DROP
@ -351,9 +465,9 @@ if [[ -f "${CONFIG_DIR}/ban_ipv6.list" ]] ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then if $log_blocked_ip || $log_all ; then
$ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked: " --log-level $log_level $ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked: "
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
$ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked: " --log-level $log_level $ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked: "
fi fi
fi fi
@ -415,7 +529,7 @@ echononl "\tProtections against several attacks / unwanted packages.."
$ip6t -N syn-flood $ip6t -N syn-flood
$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN $ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then if $log_syn_flood || $log_all ; then
$ip6t -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level $ip6t -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
fi fi
$ip6t -A syn-flood -j DROP $ip6t -A syn-flood -j DROP
@ -425,10 +539,10 @@ $ip6t -A syn-flood -j DROP
# --- # ---
if $log_new_not_sync || $log_all ; then if $log_new_not_sync || $log_all ; then
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level $ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level $ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
fi fi
fi fi
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
@ -443,9 +557,9 @@ fi
# --- # ---
if $log_invalid_state || $log_all ; then if $log_invalid_state || $log_all ; then
$ip6t -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level $ip6t -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level $ip6t -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
fi fi
fi fi
$ip6t -A INPUT -m state --state INVALID -j DROP $ip6t -A INPUT -m state --state INVALID -j DROP
@ -460,13 +574,13 @@ fi
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_invalid_flags || $log_all ; then if $log_invalid_flags || $log_all ; then
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
fi fi
fi fi
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
@ -487,9 +601,9 @@ done
# - Refuse spoofed packets pretending to be from your IP address. # - Refuse spoofed packets pretending to be from your IP address.
if $log_spoofed || $log_all ; then if $log_spoofed || $log_all ; then
for _ip in ${ext_ip_arr[@]} ; do for _ip in ${ext_ip_arr[@]} ; do
$ip6t -A INPUT -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level $ip6t -A INPUT -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level $ip6t -A FORWARD -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
fi fi
done done
fi fi
@ -504,11 +618,11 @@ done
# - private Adressen auf externen interface verwerfen # - private Adressen auf externen interface verwerfen
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_spoofed || $log_all ; then if $log_spoofed || $log_all ; then
$ip6t -A INPUT -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level $ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
$ip6t -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level $ip6t -A INPUT -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level $ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
$ip6t -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level $ip6t -A FORWARD -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
fi fi
fi fi
$ip6t -A INPUT -i $_dev -s $ula_block -j DROP $ip6t -A INPUT -i $_dev -s $ula_block -j DROP
@ -601,17 +715,17 @@ echononl "\tGenerally prohibited traffic.."
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_prohibited || $log_all ; then if $log_prohibited || $log_all ; then
for _port in ${block_tcp_port_arr[@]} ; do for _port in ${block_tcp_port_arr[@]} ; do
$ip6t -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level $ip6t -A INPUT -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
done done
for _port in ${block_udp_port_arr[@]} ; do for _port in ${block_udp_port_arr[@]} ; do
$ip6t -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level $ip6t -A INPUT -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
done done
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
for _port in ${block_tcp_port_arr[@]} ; do for _port in ${block_tcp_port_arr[@]} ; do
$ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level $ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
done done
for _port in ${block_udp_port_arr[@]} ; do for _port in ${block_udp_port_arr[@]} ; do
$ip6t -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level $ip6t -A FORWARD -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
done done
fi fi
fi fi
@ -1693,14 +1807,14 @@ echo
echononl "\tLogging all rejected traffic" echononl "\tLogging all rejected traffic"
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
#$ip6t -A OUTPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level #$ip6t -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
#$ip6t -A INPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level #$ip6t -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
#$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level #$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
$ip6t -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level $ip6t -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
$ip6t -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level $ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
#$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level #$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
$ip6t -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level $ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
fi fi
echo_done echo_done
else else

328
ipt-firewall-server
View File

@ -10,87 +10,137 @@
# Short-Description: IPv4 Firewall # Short-Description: IPv4 Firewall
### END INIT INFO ### END INIT INFO
CONFIG_DIR="/etc/ipt-firewall"
CONFIG_FILE="${CONFIG_DIR}/ipt-firewall-server.conf" # -------------
# - Settings
# -------------
ipt_conf_dir="/etc/ipt-firewall"
inc_functions_file="${ipt_conf_dir}/include_functions.conf"
load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf
conf_logging=${ipt_conf_dir}/logging_ipv4.conf
conf_default_ports=${ipt_conf_dir}/default_ports.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf
conf_main=${ipt_conf_dir}/main_ipv4.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
ipt=$(which iptables)
if [[ -z "$fail2ban_client" ]]; then if [[ -z "$fail2ban_client" ]]; then
fail2ban_client="$(which fail2ban-client)" fail2ban_client="$(which fail2ban-client)"
fi fi
# ------------- Load Kernel Modules ------------- # -------------
# # - Some checks and preloads..
## - Load appropriate modules. # -------------
## -
if ! $host_is_vm ; then
/sbin/modprobe ip_tables > /dev/null 2>&1
/sbin/modprobe iptable_nat > /dev/null 2>&1
# - Note:!
# - Since Kernel 4.7 the automatic conntrack helper assignment
# - is disabled by default (net.netfilter.nf_conntrack_helper = 0).
# - Enable it by setting this variable in file /etc/sysctl.conf:
# -
# - net.netfilter.nf_conntrack_helper = 1
# -
# - Reboot or type "sysctl -p"
# -
# - !! But this is NOT the recommend method !!
# --- if [[ -z "$ipt" ]] ; then
# - Load module for FTP Connection tracking and NAT echo ""
# --- echo -e "\tiptables was not found on this server!"
echo
# - Once a helper is loaded, it will treat packets for a given port and all IP addresses. echo -e "\tFirewall Script was stopped!"
# - As explained before, this is not optimal and is even a security risk. A better echo
# - solution is to load the module helper and deactivate their parsing by default. Each exit 1
# - helper we need to use is then set by using a call to the CT target.
# -
# - Desactivate the automatic conntrack helper assignment:
# -
# - method 1: modprobe nf_conntrack nf_conntrack_helper=0
# - method 2: echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
# -
# - Note:
# - =====
# - Each helper we need to use is then set by using a call to the CT target.
# - Example for ftp helper on standardport:
# -
# - ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
# -
/sbin/modprobe nf_conntrack nf_conntrack_helper=0 > /dev/null 2>&1
#echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
/sbin/modprobe nf_conntrack_ftp > /dev/null 2>&1
/sbin/modprobe nf_nat > /dev/null 2>&1
/sbin/modprobe nf_nat_ftp > /dev/null 2>&1
## - Load modules for SIP VOIP
## -
#/sbin/modprobe nf_conntrack_sip > /dev/null 2>&1
#/sbin/modprobe nf_nat_sip > /dev/null 2>&1
fi fi
#
# ------------- End: Load Kernel Modules ------------- if [[ ! -f "$inc_functions_file" ]] ; then
echo ""
echo -e "\tMissing include file '$inc_functions_file'"
echo
echo -e "\tFirewall Script was stopped!"
echo
exit 1
else
source $inc_functions_file
fi
# - Check if running inside a container
# -
host_is_vm=false
# - If running in a LXC container 'cat /proc/1/environ | tr '\0' '\n' | grep ^container | grep lxc'
# - returns "container=lxc"
# -
r_val="$(cat /proc/1/environ | tr '\0' '\n' | grep ^container | grep lxc)"
if [[ -n "$r_val" ]] ; then
host_is_vm=true
else
# ---
# - For other container types we need a few more tricks
# ---
# Detect old-style libvirt
[ -n "$LIBVIRT_LXC_UUID" ] && host_is_vm=true
# Detect vserver
if ! $host_is_vm ; then
VXID="$(cat /proc/self/status | grep ^VxID | cut -f2)" || true
[ "${VXID:-0}" -gt 1 ] && host_is_vm=true
fi
fi
if [[ ! -f "$load_modules_file" ]] ; then
warn "No modules for loading configured. Missing file '$load_modules_file'!"
else
if ! $host_is_vm ; then
while read -r module ; do
if ! lsmod | grep -q -E "^$module\s+" ; then
/sbin/modprobe $module > /dev/null 2>&1
if [[ "$?" != "0" ]]; then
warn "Loading module '$module' failed!"
fi
fi
done < <(sed -ne 's/^[[:space:]]*\([^#].*\)[[:space:]]*/\1/p' $load_modules_file)
fi
fi
if [[ ! -f "$conf_logging" ]]; then
fatal "Missing configuration for logging - file '$conf_logging'"
else
source $conf_logging
fi
if [[ ! -f "$conf_default_ports" ]]; then
fatal "Missing configuration for default_ports - file '$conf_default_ports'"
else
source $conf_default_ports
fi
if [[ ! -f "$conf_interfaces" ]]; then
fatal "Missing interface configurations - file '$conf_interfaces'"
else
source $conf_interfaces
fi
if [[ ! -f "$conf_main" ]]; then
fatal "Missing main configurations - file '$conf_main'"
else
source $conf_main
fi
if [[ ! -f "$conf_post_declarations" ]]; then
fatal "Missing post declarations - file '$conf_post_declarations'"
else
source $conf_post_declarations
fi
echo echo
echo -e "\033[37m\033[1m\tStarting firewall iptables (IpV4)..\033[m" echo -e "\033[37m\033[1m\tStarting firewall iptables (IpV4)..\033[m"
echo echo
## --------------------------------------------------------------------------
## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf
## --------------------------------------------------------------------------
if [[ -f "$CONFIG_FILE" ]]; then
source $CONFIG_FILE
else
echo
echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m"
echo
exit 1
fi
# ------------- # -------------
@ -276,6 +326,26 @@ fi
echo echo
# -------------
# ---- Log given IP Addresses
# -------------
echononl "\tLog given IPv4 Addresses"
if [[ ${#log_ip_arr[@]} -gt 0 ]]; then
for _ip in ${log_ip_arr[@]} ; do
$ipt -A INPUT -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip IN: "
$ipt -A OUTPUT -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip OUT: "
$ipt -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD FROM: "
$ipt -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD TO: "
done
echo_done
else
echo_skipped
fi
# ------------- # -------------
# ------------ Stopping firewall if only flushing was requested (parameter flush) # ------------ Stopping firewall if only flushing was requested (parameter flush)
@ -299,10 +369,10 @@ if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
echononl "\tPass through Devices (not firewalled)" echononl "\tPass through Devices (not firewalled)"
for _dev in ${unprotected_if_arr[@]} ; do for _dev in ${unprotected_if_arr[@]} ; do
if $log_unprotected || $log_all ; then if $log_unprotected || $log_all ; then
$ipt -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level $ipt -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
$ipt -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level $ipt -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
$ipt -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level $ipt -A FORWARD -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
$ipt -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level $ipt -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
fi fi
$ipt -A INPUT -i $_dev -j ACCEPT $ipt -A INPUT -i $_dev -j ACCEPT
$ipt -A OUTPUT -o $_dev -j ACCEPT $ipt -A OUTPUT -o $_dev -j ACCEPT
@ -327,9 +397,9 @@ echononl "\tBlock IPs / Networks / Interfaces.."
for _ip in $blocked_ips ; do for _ip in $blocked_ips ; do
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then if $log_blocked_ip || $log_all ; then
$ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level $ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}:"
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level $ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}:"
fi fi
fi fi
$ipt -A INPUT -i $_dev -s $_ip -j DROP $ipt -A INPUT -i $_dev -s $_ip -j DROP
@ -347,11 +417,11 @@ done
for _if in ${blocked_if_arr[@]} ; do for _if in ${blocked_if_arr[@]} ; do
if $log_blocked_if || $log_all ; then if $log_blocked_if || $log_all ; then
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level $ipt -A FORWARD -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:"
$ipt -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level $ipt -A FORWARD -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:"
fi fi
$ipt -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level $ipt -A INPUT -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:"
$ipt -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level $ipt -A OUTPUT -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:"
fi fi
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_if -j DROP $ipt -A FORWARD -i $_if -j DROP
@ -523,9 +593,9 @@ if [[ -f "${CONFIG_DIR}/ban_ipv4.list" ]] ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then if $log_blocked_ip || $log_all ; then
$ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked: " --log-level $log_level $ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked:"
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked: " --log-level $log_level $ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked:"
fi fi
fi fi
$ipt -A INPUT -i $_dev -s $_ip -j DROP $ipt -A INPUT -i $_dev -s $_ip -j DROP
@ -584,7 +654,7 @@ echononl "\tProtections against several attacks / unwanted packages.."
$ipt -N syn-flood $ipt -N syn-flood
$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN $ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then if $log_syn_flood || $log_all ; then
$ipt -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level $ipt -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood:"
fi fi
$ipt -A syn-flood -j DROP $ipt -A syn-flood -j DROP
@ -602,9 +672,9 @@ $ipt -A syn-flood -j DROP
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_fragments || $log_all ; then if $log_fragments || $log_all ; then
$ipt -A INPUT -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level $ipt -A INPUT -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:"
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level $ipt -A FORWARD -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:"
fi fi
fi fi
$ipt -A INPUT -i $_dev -f -j DROP $ipt -A INPUT -i $_dev -f -j DROP
@ -619,10 +689,10 @@ done
# --- # ---
if $log_new_not_sync || $log_all ; then if $log_new_not_sync || $log_all ; then
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level $ipt -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level $ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
$ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level $ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
fi fi
fi fi
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP $ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
@ -637,9 +707,9 @@ fi
# --- # ---
if $log_invalid_state || $log_all ; then if $log_invalid_state || $log_all ; then
$ipt -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level $ipt -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state:"
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
$ipt -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level $ipt -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state:"
fi fi
fi fi
$ipt -A INPUT -m state --state INVALID -j DROP $ipt -A INPUT -m state --state INVALID -j DROP
@ -654,13 +724,13 @@ fi
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_invalid_flags || $log_all ; then if $log_invalid_flags || $log_all ; then
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
fi fi
fi fi
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
@ -682,9 +752,9 @@ done
if $log_spoofed || $log_all ; then if $log_spoofed || $log_all ; then
# input # input
for _ip in ${ext_ip_arr[@]} ; do for _ip in ${ext_ip_arr[@]} ; do
$ipt -A INPUT -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level $ipt -A INPUT -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip):"
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
$ipt -A FORWARD -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level $ipt -A FORWARD -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip):"
fi fi
done done
fi fi
@ -706,22 +776,22 @@ done
# broadcast address # broadcast address
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_spoofed || $log_all ; then if $log_spoofed || $log_all ; then
$ipt -A INPUT -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level $ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
$ipt -A INPUT -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level $ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
$ipt -A INPUT -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level $ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
$ipt -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level $ipt -A INPUT -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
$ipt -A INPUT -i $_dev -s $class_d_multicast -j LOG --log-prefix "$log_prefix Class D Multicast: " --log-level $log_level $ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
$ipt -A INPUT -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level $ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
#$ipt -A INPUT -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level #$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
# #
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level $ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
$ipt -A FORWARD -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level $ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
$ipt -A FORWARD -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level $ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
$ipt -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level $ipt -A FORWARD -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j LOG --log-prefix "$log_prefix Class D Multicast: " --log-level $log_level $ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level $ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
fi fi
fi fi
# Refuse packets claiming to be from a Class A private network. # Refuse packets claiming to be from a Class A private network.
@ -766,9 +836,9 @@ done
# quench to the loopback. # quench to the loopback.
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_to_lo || $log_all ; then if $log_to_lo || $log_all ; then
$ipt -A INPUT -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level $ipt -A INPUT -i $_dev -d $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:"
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level $ipt -A FORWARD -i $_dev -d $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:"
fi fi
fi fi
$ipt -A INPUT -i $_dev -d $loopback -j DROP $ipt -A INPUT -i $_dev -d $loopback -j DROP
@ -784,15 +854,15 @@ done
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_spoofed_out || $log_all ; then if $log_spoofed_out || $log_all ; then
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix out Class A: " --log-level $log_level $ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:"
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix out Class B: " --log-level $log_level $ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:"
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix out Class C: " --log-level $log_level $ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:"
$ipt -A OUTPUT -o $_dev -s $loopback -j LOG --log-prefix "$log_prefix out Loopback: " --log-level $log_level $ipt -A OUTPUT -o $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:"
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix out Class A: " --log-level $log_level $ipt -A FORWARD -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:"
$ipt -A FORWARD -o $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix out Class B: " --log-level $log_level $ipt -A FORWARD -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:"
$ipt -A FORWARD -o $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix out Class C: " --log-level $log_level $ipt -A FORWARD -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:"
$ipt -A FORWARD -o $_dev -s $loopback -j LOG --log-prefix "$log_prefix out Loopback: " --log-level $log_level $ipt -A FORWARD -o $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:"
fi fi
fi fi
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP $ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP
@ -881,17 +951,17 @@ echononl "\tGenerally prohibited traffic.."
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_prohibited || $log_all ; then if $log_prohibited || $log_all ; then
for _port in ${block_tcp_port_arr[@]} ; do for _port in ${block_tcp_port_arr[@]} ; do
$ipt -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level $ipt -A INPUT -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:"
done done
for _port in ${block_udp_port_arr[@]} ; do for _port in ${block_udp_port_arr[@]} ; do
$ipt -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level $ipt -A INPUT -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:"
done done
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
for _port in ${block_tcp_port_arr[@]} ; do for _port in ${block_tcp_port_arr[@]} ; do
$ipt -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:"
done done
for _port in ${block_udp_port_arr[@]} ; do for _port in ${block_udp_port_arr[@]} ; do
$ipt -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level $ipt -A FORWARD -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:"
done done
fi fi
fi fi
@ -1975,14 +2045,14 @@ echo
echononl "\tLogging all rejected traffic" echononl "\tLogging all rejected traffic"
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
#$ipt -A OUTPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level #$ipt -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
#$ipt -A INPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level #$ipt -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
#$ipt -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level #$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level $ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level $ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
#$ipt -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level #$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level $ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
fi fi
echo_done echo_done
else else