Change rules for protection against several DDoS attacks.
This commit is contained in:
parent
498b34741c
commit
bcdee40228
@ -110,8 +110,13 @@ priv_class_a="10.0.0.0/8"
|
||||
priv_class_b="172.16.0.0/12"
|
||||
priv_class_c="192.168.0.0/16"
|
||||
|
||||
link_local_rfc_5735="169.254.0.0/16"
|
||||
|
||||
test_net_1_rfc_5735="192.0.2.0/24"
|
||||
this_net_rfc_5735="0.0.0.0/8"
|
||||
|
||||
# - Multicast Addresse
|
||||
class_d_multicast="224.0.0.0/4"
|
||||
class_d_multicast="224.0.0.0/3"
|
||||
|
||||
# Reserved Addresse
|
||||
class_e_reserved="240.0.0.0/5"
|
||||
@ -123,6 +128,8 @@ class_e_reserved="240.0.0.0/5"
|
||||
|
||||
# unique local address (ULA) - private address block
|
||||
ula_block="fc00::/7"
|
||||
link_local_unicast_block="fe80::/10"
|
||||
multicast_ipv6="ff00::/8"
|
||||
|
||||
# - Loopback
|
||||
loopback_ipv6="::1/128"
|
||||
|
@ -20,8 +20,12 @@ fi
|
||||
log_all=false
|
||||
|
||||
log_syn_flood=false
|
||||
log_port_scanning=false
|
||||
log_ssh_brute_force=false
|
||||
log_fragments=false
|
||||
log_new_not_sync=false
|
||||
log_syn_with_suspicious_mss=false
|
||||
log_invalid_packets=false
|
||||
log_invalid_state=false
|
||||
log_invalid_flags=false
|
||||
log_spoofed=false
|
||||
|
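Review bot: The scripts test these flags as `if $log_spoofed || $log_all ; then`, so a flag that is missing from this file does not default to off: an unset variable expands to nothing, the empty simple command returns 0, and the LOG rule is installed unconditionally. The new ip6tables code also reads `$log_spoofed_out` and `$log_rejected`, neither of which appears in this hunk; unless they are defined further down in this file, their log rules will always fire regardless of configuration. Adding `log_spoofed_out=false` and `log_rejected=false` here, and testing with a default in the scripts (`if ${log_spoofed_out:-false} || $log_all ; then`), makes the intended default explicit. The file's surrounding definitions are outside the hunk, so this is to be confirmed against the full file.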
@ -20,8 +20,12 @@ fi
|
||||
log_all=false
|
||||
|
||||
log_syn_flood=false
|
||||
log_port_scanning=false
|
||||
log_ssh_brute_force=false
|
||||
log_fragments=false
|
||||
log_new_not_sync=false
|
||||
log_syn_with_suspicious_mss=false
|
||||
log_invalid_packets=false
|
||||
log_invalid_state=false
|
||||
log_invalid_flags=false
|
||||
log_spoofed=false
|
||||
|
@ -20,6 +20,13 @@
|
||||
do_not_firewall_bridged_traffic=false
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Drop ICMP
|
||||
# -------------
|
||||
|
||||
drop_icmp=false
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Allow all outgoing traffic
|
||||
# -------------
|
||||
|
@ -20,6 +20,13 @@
|
||||
do_not_firewall_bridged_traffic=false
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Drop ICMP
|
||||
# -------------
|
||||
|
||||
drop_icmp=false
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Allow all outgoing traffic
|
||||
# -------------
|
||||
|
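Review bot: `drop_icmp` is wired to `$ip6t -t mangle -A PREROUTING -p ipv6-icmp -j DROP` in the ip6tables script, and on IPv6 ICMPv6 is not optional: Neighbor Discovery (RS/RA/NS/NA) and Path MTU Discovery run over it, so enabling the option on the IPv6 side cuts the host off from its router and breaks every path with a smaller MTU. The new comment `# --- Drop ICMP` should carry that warning, e.g. `# --- Drop ICMP  (IPv4 only -- never enable for IPv6: ICMPv6 carries Neighbor Discovery and PMTUD, see RFC 4890)`. The two identical hunks presumably belong to the IPv4 and IPv6 config files; the rendering does not show file names, so the warning is needed in whichever one feeds the ip6tables script.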
@ -522,131 +522,265 @@ fi
|
||||
# --- Protections against several attacks / unwanted packages
|
||||
# -------------
|
||||
echo
|
||||
echononl "\tProtections against several attacks / unwanted packages.."
|
||||
echo -e "\t\033[37m\033[1mProtections against several attacks / unwanted packages..\033[m"
|
||||
|
||||
|
||||
# ---
|
||||
# - Drop invalid packets
|
||||
# ---
|
||||
echononl "\tDrop invalid packets"
|
||||
if $log_invalid_packets || $log_all ; then
|
||||
$ip6t -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid packets:"
|
||||
fi
|
||||
$ip6t -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# Drop TCP packets that are new and are not SYN
|
||||
# ---
|
||||
|
||||
echononl "\tDrop TCP packets that are new and are not SYN"
|
||||
if $log_new_not_sync || $log_all ; then
|
||||
$ip6t -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
|
||||
fi
|
||||
$ip6t -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Drop SYN packets with suspicious MSS value
|
||||
# ---
|
||||
|
||||
echononl "\tDrop SYN packets with suspicious MSS value"
|
||||
if $log_syn_with_suspicious_mss || $log_all ; then
|
||||
$ip6t -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j $LOG_TARGET $tag_log_prefix "$log_prefix suspicious MSS:"
|
||||
fi
|
||||
$ip6t -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Block packets with bogus TCP flags
|
||||
# ---
|
||||
|
||||
echononl "\tBlock packets with bogus TCP flags"
|
||||
if $log_invalid_flags || $log_all ; then
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
fi
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
|
||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Block spoofed (own ip) packets
|
||||
# ---
|
||||
|
||||
echononl "\tBlock spoofed (own ip) packets"
|
||||
if $log_spoofed || $log_all ; then
|
||||
for _ip in ${ext_ip_arr[@]} ; do
|
||||
$ip6t -t mangle -A PREROUTING -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
|
||||
done
|
||||
fi
|
||||
for _ip in ${ext_ip_arr[@]} ; do
|
||||
$ip6t -t mangle -A PREROUTING -s $_ip -d $_ip -j DROP
|
||||
done
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Block spoofed (private/reserved) packets
|
||||
# ---
|
||||
|
||||
echononl "\tBlock spoofed (private/reserved) packets"
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
if $log_spoofed || $log_all ; then
|
||||
$ip6t -t mangle -A PREROUTING -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
|
||||
$ip6t -t mangle -A PREROUTING -i $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (Link Local Unicast): "
|
||||
$ip6t -t mangle -A PREROUTING -i $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Multicast: "
|
||||
fi
|
||||
done
|
||||
|
||||
if $log_spoofed || $log_all ; then
|
||||
$ip6t -t mangle -A PREROUTING -s $loopback_ipv6 ! -i lo -j $LOG_TARGET $tag_log_prefix "$log_prefix Loopback: "
|
||||
fi
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ip6t -t mangle -A PREROUTING -i $_dev -s $ula_block -j DROP
|
||||
$ip6t -t mangle -A PREROUTING -i $_dev -s $link_local_unicast_block -j DROP
|
||||
$ip6t -t mangle -A PREROUTING -i $_dev -s $multicast_ipv6 -j DROP
|
||||
done
|
||||
$ip6t -t mangle -A PREROUTING -s $loopback_ipv6 ! -i lo -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Drop ICMP all ICMP traffic (you usually don't need this protocol)
|
||||
# ---
|
||||
|
||||
echononl "\tDrop all ICMP traffic.."
|
||||
if [[ -n "$drop_icmp" ]] && $drop_icmp ; then
|
||||
if $log_rejected || $log_all ; then
|
||||
$ip6t -t mangle -A PREROUTING -p ipv6-icmp -j $LOG_TARGET $tag_log_prefix "$log_prefix Drop all ICMP traffic: "
|
||||
fi
|
||||
$ip6t -t mangle -A PREROUTING -p ipv6-icmp -j DROP
|
||||
echo_done
|
||||
fi
|
||||
echo_skipped
|
||||
|
||||
|
||||
# ---
|
||||
# - Don't allow spoofing out from this server
|
||||
# ---
|
||||
|
||||
echo ""
|
||||
echononl "\tDon't allow spoofing out from this server"
|
||||
if $log_spoofed_out || $log_all ; then
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ip6t -A OUTPUT -o $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
|
||||
$ip6t -A OUTPUT -o $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
|
||||
$ip6t -A OUTPUT -o $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
|
||||
$ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -o $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
|
||||
$ip6t -A FORWARD -o $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
|
||||
$ip6t -A FORWARD -o $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
|
||||
$ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP
|
||||
$ip6t -A OUTPUT -o $_dev -s $link_local_unicast_block -j DROP
|
||||
$ip6t -A OUTPUT -o $_dev -s $multicast_ipv6 -j DROP
|
||||
$ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -o $_dev -s $ula_block -j DROP
|
||||
$ip6t -A FORWARD -o $_dev -s $link_local_unicast_block -j DROP
|
||||
$ip6t -A FORWARD -o $_dev -s $multicast_ipv6 -j DROP
|
||||
$ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP
|
||||
fi
|
||||
done
|
||||
echo_done
|
||||
|
||||
|
||||
|
||||
# ---
|
||||
# - Protection against syn-flooding
|
||||
# ---
|
||||
|
||||
echo
|
||||
echononl "\tProtection against syn-flooding"
|
||||
$ip6t -N syn-flood
|
||||
$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
|
||||
if $log_syn_flood || $log_all ; then
|
||||
$ip6t -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
|
||||
fi
|
||||
$ip6t -A syn-flood -j DROP
|
||||
|
||||
|
||||
# ---
|
||||
# - drop new packages without syn flag
|
||||
# ---
|
||||
|
||||
if $log_new_not_sync || $log_all ; then
|
||||
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||
fi
|
||||
fi
|
||||
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
|
||||
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
# - drop invalid packages
|
||||
# ---
|
||||
|
||||
if $log_invalid_state || $log_all ; then
|
||||
$ip6t -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
|
||||
fi
|
||||
fi
|
||||
$ip6t -A INPUT -m state --state INVALID -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -m state --state INVALID -j DROP
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
# - ungewöhnliche Flags verwerfen
|
||||
# ---
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
if $log_invalid_flags || $log_all ; then
|
||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||
fi
|
||||
fi
|
||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
# ---
|
||||
# - Refuse private addresses on extern interfaces
|
||||
# ---
|
||||
|
||||
# - Refuse spoofed packets pretending to be from your IP address.
|
||||
if $log_spoofed || $log_all ; then
|
||||
for _ip in ${ext_ip_arr[@]} ; do
|
||||
$ip6t -A INPUT -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
|
||||
fi
|
||||
done
|
||||
fi
|
||||
for _ip in ${ext_ip_arr[@]} ; do
|
||||
$ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ipi6t -A FORWARD -s $_ip -d $_ip -j DROP
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
# - private Adressen auf externen interface verwerfen
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
if $log_spoofed || $log_all ; then
|
||||
$ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
|
||||
$ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
|
||||
$ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
|
||||
fi
|
||||
fi
|
||||
$ip6t -A INPUT -i $_dev -s $ula_block -j DROP
|
||||
$ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -i $_dev -s $ula_block -j DROP
|
||||
$ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j DROP
|
||||
fi
|
||||
|
||||
# Don't allow spoofing from that server
|
||||
$ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP
|
||||
$ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -o $_dev -s $ula_block -j DROP
|
||||
$ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP
|
||||
fi
|
||||
done
|
||||
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Protection against port scanning
|
||||
# ---
|
||||
|
||||
echononl "\tProtection against port scanning"
|
||||
$ip6t -N port-scanning
|
||||
$ip6t -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
|
||||
if $log_port_scanning || $log_all ; then
|
||||
$ip6t -A port-scanning -j $LOG_TARGET $tag_log_prefix "$log_prefix Port Scan:"
|
||||
fi
|
||||
$ip6t -A port-scanning -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Protection against SSH brute-force attacks
|
||||
# ---
|
||||
|
||||
echononl "\tProtection against SSH brute-force attacks"
|
||||
$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
|
||||
if $log_ssh_brute_force || $log_all ; then
|
||||
$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:"
|
||||
fi
|
||||
$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Limit connections per source IP
|
||||
# ---
|
||||
|
||||
echononl "\tLimit connections per source IP"
|
||||
if $log_rejected || $log_all ; then
|
||||
$ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP: "
|
||||
fi
|
||||
$ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Limit RST packets
|
||||
# ---
|
||||
|
||||
echononl "\tLimit RST packets"
|
||||
$ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
|
||||
if $log_rejected || $log_all ; then
|
||||
$ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
|
||||
fi
|
||||
$ip6t -A INPUT -p tcp --tcp-flags RST RST -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Limit new TCP connections per second per source IP
|
||||
# ---
|
||||
|
||||
echononl "\tLimit new TCP connections per second per source IP"
|
||||
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
|
||||
if $log_rejected || $log_all ; then
|
||||
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
|
||||
fi
|
||||
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Use SYNPROXY on all ports (disables connection limiting rule)
|
||||
# ---
|
||||
|
||||
#echononl "\tUse SYNPROXY on all ports (disables connection limiting rule)"
|
||||
#$ip6t -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
|
||||
#$ip6t -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
|
||||
#$ip6t -A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
#echo_done
|
||||
|
||||
|
||||
|
||||
# -------------
|
||||
# ------------- Stopping firewall here if requested (parameter stop)
|
||||
|
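Review bot: The new anti-spoofing rules drop every packet sourced from `fe80::/10` arriving on an external interface (`$ip6t -t mangle -A PREROUTING -i $_dev -s $link_local_unicast_block -j DROP`) and leaving it (`$ip6t -A OUTPUT -o $_dev -s $link_local_unicast_block -j DROP`), but IPv6 Neighbor Discovery uses link-local sources — Router Advertisements must have one (RFC 4861), and the router's NS and this host's NA/NS replies commonly do — so these rules will break address resolution with the default gateway; restricting the drop to non-ICMPv6 traffic, `... -s $link_local_unicast_block ! -p ipv6-icmp -j DROP` on both the PREROUTING and OUTPUT lines (and their LOG twins), keeps the spoof protection without that side effect. The `drop_icmp` branch removes all of ICMPv6 for the same reason and should at least carry a warning comment, and its `echo_skipped` after the `if` runs even when `echo_done` was already printed inside it, so it belongs in an `else` branch. Two lines in the older spoof block still look wrong if they survive on the new side: `$ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP` uses `$_dev` outside any interface loop, so it only matches the last interface left over from the previous loop, and `$ipi6t -A FORWARD -s $_ip -d $_ip -j DROP` references an undefined variable and installs no rule at all. The rendering does not show which of those two lines is context versus added, so this is to be confirmed against the full file.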
@ -647,243 +647,298 @@ fi
|
||||
# --- Protections against several attacks / unwanted packages
|
||||
# -------------
|
||||
echo
|
||||
echononl "\tProtections against several attacks / unwanted packages.."
|
||||
echo -e "\t\033[37m\033[1mProtections against several attacks / unwanted packages..\033[m"
|
||||
|
||||
|
||||
# ---
|
||||
# - Protection against syn-flooding
|
||||
# - Drop invalid packets
|
||||
# ---
|
||||
|
||||
$ipt -N syn-flood
|
||||
$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
|
||||
if $log_syn_flood || $log_all ; then
|
||||
$ipt -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood:"
|
||||
echononl "\tDrop invalid packets"
|
||||
if $log_invalid_packets|| $log_all ; then
|
||||
$ipt -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid packets:"
|
||||
fi
|
||||
$ipt -A syn-flood -j DROP
|
||||
$ipt -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Drop Fragments
|
||||
# ---
|
||||
|
||||
# I have to say that fragments scare me more than anything.
|
||||
# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
|
||||
# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
|
||||
# fragments is very OS-dependent (see this paper for details).
|
||||
# I am not going to trust any fragments.
|
||||
# Log fragments just to see if we get any, and deny them too
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
if $log_fragments || $log_all ; then
|
||||
$ipt -A INPUT -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:"
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:"
|
||||
fi
|
||||
fi
|
||||
$ipt -A INPUT -i $_dev -f -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -f -j DROP
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
# ---
|
||||
# - drop new packages without syn flag
|
||||
# Drop TCP packets that are new and are not SYN
|
||||
# ---
|
||||
|
||||
echononl "\tDrop TCP packets that are new and are not SYN"
|
||||
if $log_new_not_sync || $log_all ; then
|
||||
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
|
||||
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
|
||||
fi
|
||||
$ipt -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
|
||||
fi
|
||||
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
|
||||
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
|
||||
$ipt -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Drop SYN packets with suspicious MSS value
|
||||
# ---
|
||||
|
||||
echononl "\tDrop SYN packets with suspicious MSS value"
|
||||
if $log_syn_with_suspicious_mss || $log_all ; then
|
||||
$ipt -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j $LOG_TARGET $tag_log_prefix "$log_prefix suspicious MSS:"
|
||||
fi
|
||||
$ipt -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - drop invalid packages
|
||||
# - Block packets with bogus TCP flags
|
||||
# ---
|
||||
|
||||
if $log_invalid_state || $log_all ; then
|
||||
$ipt -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state:"
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state:"
|
||||
fi
|
||||
fi
|
||||
$ipt -A INPUT -m state --state INVALID -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -m state --state INVALID -j DROP
|
||||
echononl "\tBlock packets with bogus TCP flags"
|
||||
if $log_invalid_flags || $log_all ; then
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
fi
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
|
||||
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - ungewöhnliche Flags verwerfen
|
||||
# - Block spoofed (own ip) packets
|
||||
# ---
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
if $log_invalid_flags || $log_all ; then
|
||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||
fi
|
||||
fi
|
||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
# ---
|
||||
# - Refuse private addresses on extern interfaces
|
||||
# ---
|
||||
|
||||
# Refuse spoofed packets pretending to be from your IP address.
|
||||
echononl "\tBlock spoofed (own ip) packets"
|
||||
if $log_spoofed || $log_all ; then
|
||||
# input
|
||||
for _ip in ${ext_ip_arr[@]} ; do
|
||||
$ipt -A INPUT -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip):"
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip):"
|
||||
fi
|
||||
$ipt -t mangle -A PREROUTING -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
|
||||
done
|
||||
fi
|
||||
for _ip in ${ext_ip_arr[@]} ; do
|
||||
$ipt -A INPUT -s $_ip -d $_ip -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -s $_ip -d $_ip -j DROP
|
||||
fi
|
||||
$ipt -t mangle -A PREROUTING -s $_ip -d $_ip -j DROP
|
||||
done
|
||||
echo_done
|
||||
|
||||
|
||||
# Refuse packets claiming to be from a
|
||||
# Class A private network
|
||||
# Class B private network
|
||||
# Class C private network
|
||||
# loopback interface
|
||||
# Class D multicast address
|
||||
# Class E reserved IP address
|
||||
# broadcast address
|
||||
# ---
|
||||
# - Block spoofed (private/reserved) packets
|
||||
# ---
|
||||
|
||||
echononl "\tBlock spoofed (private/reserved) packets"
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
if $log_spoofed || $log_all ; then
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
|
||||
$ipt -A INPUT -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
|
||||
$ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
|
||||
$ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
|
||||
#$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
|
||||
#
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
|
||||
$ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
|
||||
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
|
||||
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
|
||||
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
|
||||
fi
|
||||
fi
|
||||
# Refuse packets claiming to be from a Class A private network.
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_a -j DROP
|
||||
# Refuse packets claiming to be from a Class B private network.
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_b -j DROP
|
||||
# Retfuse packets claiming to be from a Class C private network.
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_c -j DROP
|
||||
# Refuse packets claiming to be from loopback interface.
|
||||
$ipt -A INPUT -i $_dev -s $loopback_ipv4 -j DROP
|
||||
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
|
||||
$ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP
|
||||
# Refuse Class E reserved IP addresses.
|
||||
$ipt -A INPUT -i $_dev -s $class_e_reserved -j DROP
|
||||
# Refuse broadcast address packets.
|
||||
#$ipt -A INPUT -i $_dev -d $broadcast_addr -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
# Refuse packets claiming to be from a Class A private network.
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_a -j DROP
|
||||
# Refuse packets claiming to be from a Class B private network.
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_b -j DROP
|
||||
# Refuse packets claiming to be from a Class C private network.
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP
|
||||
# Refuse packets claiming to be from loopback interface.
|
||||
$ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j DROP
|
||||
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
|
||||
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP
|
||||
# Refuse Class E reserved IP addresses.
|
||||
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j DROP
|
||||
# Refuse broadcast address packets.
|
||||
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP
|
||||
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: "
|
||||
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix link local block: "
|
||||
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: "
|
||||
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix TEST-NET-1: "
|
||||
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: "
|
||||
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: "
|
||||
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix THIS NET: "
|
||||
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: "
|
||||
fi
|
||||
done
|
||||
|
||||
if $log_spoofed || $log_all ; then
|
||||
/sbin/iptables -t mangle -A PREROUTING -s $loopback_ipv4 ! -i lo -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
|
||||
fi
|
||||
|
||||
# ---
|
||||
# - Refuse packets claiming to be to the loopback interface.
|
||||
# ---
|
||||
|
||||
# Refusing packets claiming to be to the loopback interface protects against
|
||||
# source quench, whereby a machine can be told to slow itself down by an icmp source
|
||||
# quench to the loopback.
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
if $log_to_lo || $log_all ; then
|
||||
$ipt -A INPUT -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:"
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:"
|
||||
fi
|
||||
fi
|
||||
$ipt -A INPUT -i $_dev -d $loopback_ipv4 -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j DROP
|
||||
fi
|
||||
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $class_d_multicast -j DROP
|
||||
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $link_local_rfc_5735 -j DROP
|
||||
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_b -j DROP
|
||||
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $test_net_1_rfc_5735 -j DROP
|
||||
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_c -j DROP
|
||||
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_a -j DROP
|
||||
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $this_net_rfc_5735 -j DROP
|
||||
/sbin/iptables -t mangle -A PREROUTING -i $_dev -s $class_e_reserved -j DROP
|
||||
done
|
||||
/sbin/iptables -t mangle -A PREROUTING -s $loopback_ipv4 ! -i lo -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Drop fragments in all chains
|
||||
# ---
|
||||
|
||||
echononl "\tDrop fragments in all chains"
|
||||
if $log_fragments || $log_all ; then
|
||||
/sbin/iptables -t mangle -A PREROUTING -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:"
|
||||
fi
|
||||
/sbin/iptables -t mangle -A PREROUTING -f -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Drop ICMP all ICMP traffic (you usually don't need this protocol)
|
||||
# ---
|
||||
|
||||
echononl "\tDrop all ICMP traffic.."
|
||||
if [[ -n "$drop_icmp" ]] && $drop_icmp ; then
|
||||
if $log_rejected || $log_all ; then
|
||||
$ipt -t mangle -A PREROUTING -p icmp -j $LOG_TARGET $tag_log_prefix "$log_prefix Drop all ICMP traffic: "
|
||||
fi
|
||||
$ipt -t mangle -A PREROUTING -p icmp -j DROP
|
||||
echo_done
|
||||
fi
|
||||
echo_skipped
|
||||
|
||||
|
||||
# ---
|
||||
# - Don't allow spoofing from that server
|
||||
# ---
|
||||
|
||||
echo ""
|
||||
echononl "\tDon't allow spoofing out from this server"
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
if $log_spoofed_out || $log_all ; then
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:"
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:"
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:"
|
||||
$ipt -A OUTPUT -o $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out link local block:"
|
||||
$ipt -A OUTPUT -o $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out TEST-NET-1:"
|
||||
$ipt -A OUTPUT -o $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out THIS NET:"
|
||||
$ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:"
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:"
|
||||
$ipt -A FORWARD -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:"
|
||||
$ipt -A FORWARD -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:"
|
||||
$ipt -A FORWARD -o $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out link local block:"
|
||||
$ipt -A FORWARD -o $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out TEST-NET-1:"
|
||||
$ipt -A FORWARD -o $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out THIS NET:"
|
||||
$ipt -A FORWARD -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:"
|
||||
fi
|
||||
fi
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP
|
||||
$ipt -A OUTPUT -o $_dev -s $link_local_rfc_5735 -j DROP
|
||||
$ipt -A OUTPUT -o $_dev -s $test_net_1_rfc_5735 -j DROP
|
||||
$ipt -A OUTPUT -o $_dev -s $this_net_rfc_5735 -j DROP
|
||||
$ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -o $_dev -s $priv_class_a -j DROP
|
||||
$ipt -A FORWARD -o $_dev -s $priv_class_b -j DROP
|
||||
$ipt -A FORWARD -o $_dev -s $priv_class_c -j DROP
|
||||
$ipt -A FORWARD -o $_dev -s $link_local_rfc_5735 -j DROP
|
||||
$ipt -A FORWARD -o $_dev -s $test_net_1_rfc_5735 -j DROP
|
||||
$ipt -A FORWARD -o $_dev -s $this_net_rfc_5735 -j DROP
|
||||
$ipt -A FORWARD -o $_dev -s $loopback_ipv4 -j DROP
|
||||
fi
|
||||
done
|
||||
|
||||
echo_done
|
||||
|
||||
|
||||
|
||||
# ---
|
||||
# - Protection against syn-flooding
|
||||
# ---
|
||||
|
||||
echo
|
||||
echononl "\tProtection against syn-flooding"
|
||||
$ipt -N syn-flood
|
||||
$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
|
||||
if $log_syn_flood || $log_all ; then
|
||||
$ipt -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood:"
|
||||
fi
|
||||
$ipt -A syn-flood -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Protection against port scanning
|
||||
# ---
|
||||
|
||||
echononl "\tProtection against port scanning"
|
||||
$ipt -N port-scanning
|
||||
$ipt -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
|
||||
if $log_port_scanning || $log_all ; then
|
||||
$ipt -A port-scanning -j $LOG_TARGET $tag_log_prefix "$log_prefix Port Scan:"
|
||||
fi
|
||||
$ipt -A port-scanning -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Protection against SSH brute-force attacks
|
||||
# ---
|
||||
|
||||
echononl "\tProtection against SSH brute-force attacks"
|
||||
$ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
|
||||
if $log_ssh_brute_force || $log_all ; then
|
||||
$ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:"
|
||||
fi
|
||||
$ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Limit connections per source IP
|
||||
# ---
|
||||
|
||||
echononl "\tLimit connections per source IP"
|
||||
if $log_rejected || $log_all ; then
|
||||
$ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:"
|
||||
fi
|
||||
$ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Limit RST packets
|
||||
# ---
|
||||
|
||||
echononl "\tLimit RST packets"
|
||||
$ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
|
||||
if $log_rejected || $log_all ; then
|
||||
$ipt -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
|
||||
fi
|
||||
$ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Limit new TCP connections per second per source IP
|
||||
# ---
|
||||
|
||||
echononl "\tLimit new TCP connections per second per source IP"
|
||||
$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
|
||||
if $log_rejected || $log_all ; then
|
||||
$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
|
||||
fi
|
||||
$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Use SYNPROXY on all ports (disables connection limiting rule)
|
||||
# ---
|
||||
|
||||
#echononl "\tUse SYNPROXY on all ports (disables connection limiting rule)"
|
||||
#$ipt -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
|
||||
#$ipt -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
|
||||
#$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
#echo_done
|
||||
|
||||
|
||||
|
||||
# -------------
|
||||
# ------------- Stopping firewall here if requested (parameter stop)
|
||||
# -------------
|
||||
@ -2447,11 +2502,11 @@ if $log_rejected || $log_all ; then
#$ipt -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
#$ipt -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
#$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
$ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
if $kernel_activate_forwarding ; then
#$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
fi
echo_done
else
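Review bot: The tail log rules `$ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET ...` and their OUTPUT/FORWARD counterparts set `--limit-burst` without `--limit`, so they fall back to the limit module's default average rate of 3/hour and will log almost nothing once the initial burst of five is spent; make the rate explicit, for example `-m limit --limit 1/minute --limit-burst 5`, and note in a comment that the limit exists to keep the log from being flooded. Which of the duplicated "Rejected:" / "Rejected (end of firewall):" pairs is the new side is not recoverable from this rendering, so the point applies to whichever line survives. These rules also only see packets that reach the end of INPUT, and the rate-limit rules appended earlier in this commit (`-p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT`, likewise the RST rule) terminate traversal for every new TCP connection that stays under the limit, so such packets skip every later INPUT rule, including the per-service rules, and never reach this log. Consider the shape already used for the syn-flood chain, a dedicated chain whose under-limit rule is `-j RETURN` and whose tail is `-j DROP`, or `-m hashlimit --hashlimit-above ... --hashlimit-mode srcip` with `-j DROP`, so that nothing is accepted ahead of the service rules. The enclosing `if $log_rejected || $log_all` block closes outside the hunk.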