From bcdee402281d53730b077df4302d4494a4973a1b Mon Sep 17 00:00:00 2001 From: Christoph Date: Wed, 28 Oct 2020 20:57:08 +0100 Subject: [PATCH] Changing rules for protection against several ddos attacks. --- conf/default_ports.conf | 9 +- conf/logging_ipv4.conf | 4 + conf/logging_ipv6.conf | 4 + conf/main_ipv4.conf.sample | 7 + conf/main_ipv6.conf.sample | 7 + ip6t-firewall-server | 354 +++++++++++++++++++++++----------- ipt-firewall-server | 385 +++++++++++++++++++++---------------- 7 files changed, 494 insertions(+), 276 deletions(-) diff --git a/conf/default_ports.conf b/conf/default_ports.conf index 95a06d3..f6b509e 100644 --- a/conf/default_ports.conf +++ b/conf/default_ports.conf @@ -110,8 +110,13 @@ priv_class_a="10.0.0.0/8" priv_class_b="172.16.0.0/12" priv_class_c="192.168.0.0/16" +link_local_rfc_5735="169.254.0.0/16" + +test_net_1_rfc_5735="192.0.2.0/24" +this_net_rfc_5735="0.0.0.0/8" + # - Multicast Addresse -class_d_multicast="224.0.0.0/4" +class_d_multicast="224.0.0.0/3" # Reserved Addresse class_e_reserved="240.0.0.0/5" @@ -123,6 +128,8 @@ class_e_reserved="240.0.0.0/5" # unique local address (ULA) - private address block ula_block="fc00::/7" +link_local_unicast_block="fe80::/10" +multicast_ipv6="ff00::/8" # - Loopback loopback_ipv6="::1/128" diff --git a/conf/logging_ipv4.conf b/conf/logging_ipv4.conf index 78875c2..f690616 100644 --- a/conf/logging_ipv4.conf +++ b/conf/logging_ipv4.conf @@ -20,8 +20,12 @@ fi log_all=false log_syn_flood=false +log_port_scanning=false +log_ssh_brute_force=false log_fragments=false log_new_not_sync=false +log_syn_with_suspicious_mss=false +log_invalid_packets=false log_invalid_state=false log_invalid_flags=false log_spoofed=false diff --git a/conf/logging_ipv6.conf b/conf/logging_ipv6.conf index 8395f36..b762fa6 100644 --- a/conf/logging_ipv6.conf +++ b/conf/logging_ipv6.conf 
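Review bot: `class_d_multicast="224.0.0.0/3"` no longer describes class D: a /3 spans 224.0.0.0–255.255.255.255, so the variable now also covers the class E range that `class_e_reserved` already holds and the limited-broadcast address, while the log messages that use it still say "Class D Multicast". If the intent is to drop every source at or above 224.0.0.0 with one rule, rename the variable or document it, e.g. `# 224.0.0.0/3 = multicast (224/4) plus reserved class E (240/4) incl. 255.255.255.255`, and note that the `class_e_reserved` rule then becomes redundant. `this_net_rfc_5735="0.0.0.0/8"` is a legitimate source address for DHCP DISCOVER/REQUEST; if the firewall scripts drop it on an external interface that obtains its address via DHCP, address acquisition fails — the rules consuming it are outside this hunk, so a comment on the setting would help.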
@@ -20,8 +20,12 @@ fi log_all=false log_syn_flood=false +log_port_scanning=false +log_ssh_brute_force=false log_fragments=false log_new_not_sync=false +log_syn_with_suspicious_mss=false +log_invalid_packets=false log_invalid_state=false log_invalid_flags=false log_spoofed=false diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index ed77a8f..8084c5f 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample @@ -20,6 +20,13 @@ do_not_firewall_bridged_traffic=false +# ------------- +# --- Drop ICMP +# ------------- + +drop_icmp=false + + # ------------- # --- Allow all outgoing traffic # ------------- diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index 67d0e24..5e21826 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample @@ -20,6 +20,13 @@ do_not_firewall_bridged_traffic=false +# ------------- +# --- Drop ICMP +# ------------- + +drop_icmp=false + + # ------------- # --- Allow all outgoing traffic # ------------- diff --git a/ip6t-firewall-server b/ip6t-firewall-server index 7001d61..b755a47 100755 --- a/ip6t-firewall-server +++ b/ip6t-firewall-server 
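Review bot: The new `drop_icmp` switch in conf/main_ipv6.conf.sample carries no warning that, for IPv6, ICMPv6 is the transport for Neighbor Discovery, Router Advertisements and Path MTU Discovery, so enabling it takes the host's IPv6 connectivity down rather than merely hiding it. Suggest a comment directly above the setting: `# WARNING: ICMPv6 carries Neighbor Discovery/RA and PMTU; enabling this breaks IPv6 connectivity.` The IPv4 sample could carry a shorter note that dropping all ICMP also disables PMTU discovery.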
@@ -522,131 +522,265 @@ fi # --- Protections against several attacks / unwanted packages # ------------- echo -echononl "\tProtections against several attacks / unwanted packages.." +echo -e "\t\033[37m\033[1mProtections against several attacks / unwanted packages..\033[m" + + +# --- +# - Drop invalid packets +# --- +echononl "\tDrop invalid packets" +if $log_invalid_packets || $log_all ; then + $ip6t -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid packets:" +fi +$ip6t -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP +echo_done + + +# --- +# Drop TCP packets that are new and are not SYN +# --- + +echononl "\tDrop TCP packets that are new and are not SYN" +if $log_new_not_sync || $log_all ; then + $ip6t -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:" +fi +$ip6t -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP +echo_done + + +# --- +# - Drop SYN packets with suspicious MSS value +# --- + +echononl "\tDrop SYN packets with suspicious MSS value" +if $log_syn_with_suspicious_mss || $log_all ; then + $ip6t -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j $LOG_TARGET $tag_log_prefix "$log_prefix suspicious MSS:" +fi +$ip6t -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! 
--mss 536:65535 -j DROP +echo_done + + +# --- +# - Block packets with bogus TCP flags +# --- + +echononl "\tBlock packets with bogus TCP flags" +if $log_invalid_flags || $log_all ; then + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" +fi +$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP +$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
+$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP +$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP +$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP +$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP +$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP +$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP +$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP +$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP +$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP +$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP +$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP +echo_done + + +# --- +# - Block spoofed (own ip) packets +# --- + +echononl "\tBlock spoofed (own ip) packets" +if $log_spoofed || $log_all ; then + for _ip in ${ext_ip_arr[@]} ; do + $ip6t -t mangle -A PREROUTING -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): " + done +fi +for _ip in ${ext_ip_arr[@]} ; do + $ip6t -t mangle -A PREROUTING -s $_ip -d $_ip -j DROP +done +echo_done + + +# --- +# - Block spoofed (private/reserved) packets +# --- + +echononl "\tBlock spoofed (private/reserved) packets" +for _dev in ${ext_if_arr[@]} ; do + if $log_spoofed || $log_all ; then + $ip6t -t mangle -A PREROUTING -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): " + $ip6t -t mangle -A PREROUTING -i $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (Link Local Unicast): " + $ip6t -t mangle -A PREROUTING -i $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Multicast: " + fi +done + +if $log_spoofed || $log_all ; then + $ip6t -t mangle -A PREROUTING -s $loopback_ipv6 ! 
-i lo -j $LOG_TARGET $tag_log_prefix "$log_prefix Loopback: " +fi + +for _dev in ${ext_if_arr[@]} ; do + $ip6t -t mangle -A PREROUTING -i $_dev -s $ula_block -j DROP + $ip6t -t mangle -A PREROUTING -i $_dev -s $link_local_unicast_block -j DROP + $ip6t -t mangle -A PREROUTING -i $_dev -s $multicast_ipv6 -j DROP +done +$ip6t -t mangle -A PREROUTING -s $loopback_ipv6 ! -i lo -j DROP +echo_done + + +# --- +# - Drop ICMP all ICMP traffic (you usually don't need this protocol) +# --- + +echononl "\tDrop all ICMP traffic.." +if [[ -n "$drop_icmp" ]] && $drop_icmp ; then + if $log_rejected || $log_all ; then + $ip6t -t mangle -A PREROUTING -p ipv6-icmp -j $LOG_TARGET $tag_log_prefix "$log_prefix Drop all ICMP traffic: " + fi + $ip6t -t mangle -A PREROUTING -p ipv6-icmp -j DROP + echo_done +fi +echo_skipped + + +# --- +# - Don't allow spoofing out from this server +# --- + +echo "" +echononl "\tDon't allow spoofing out from this server" +if $log_spoofed_out || $log_all ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " + $ip6t -A OUTPUT -o $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " + $ip6t -A OUTPUT -o $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " + $ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " + $ip6t -A FORWARD -o $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " + $ip6t -A FORWARD -o $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " + $ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " + fi + done +fi + +for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o 
$_dev -s $ula_block -j DROP + $ip6t -A OUTPUT -o $_dev -s $link_local_unicast_block -j DROP + $ip6t -A OUTPUT -o $_dev -s $multicast_ipv6 -j DROP + $ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -s $ula_block -j DROP + $ip6t -A FORWARD -o $_dev -s $link_local_unicast_block -j DROP + $ip6t -A FORWARD -o $_dev -s $multicast_ipv6 -j DROP + $ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP + fi +done +echo_done + # --- # - Protection against syn-flooding # --- +echo +echononl "\tProtection against syn-flooding" $ip6t -N syn-flood $ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN if $log_syn_flood || $log_all ; then $ip6t -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: " fi $ip6t -A syn-flood -j DROP - - -# --- -# - drop new packages without syn flag -# --- - -if $log_new_not_sync || $log_all ; then - $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " - $ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " - fi -fi -$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP -$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP -if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -p tcp ! 
--syn -m state --state NEW -j DROP -fi - - -# --- -# - drop invalid packages -# --- - -if $log_invalid_state || $log_all ; then - $ip6t -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: " - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: " - fi -fi -$ip6t -A INPUT -m state --state INVALID -j DROP -if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -m state --state INVALID -j DROP -fi - - -# --- -# - ungewöhnliche Flags verwerfen -# --- - -for _dev in ${ext_if_arr[@]} ; do - if $log_invalid_flags || $log_all ; then - $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " - $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " - $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " - $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " - $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " - fi - fi - $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP - $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP - $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP - $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP - $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - fi -done - - -# --- -# - Refuse private 
addresses on extern interfaces -# --- - -# - Refuse spoofed packets pretending to be from your IP address. -if $log_spoofed || $log_all ; then - for _ip in ${ext_ip_arr[@]} ; do - $ip6t -A INPUT -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): " - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): " - fi - done -fi -for _ip in ${ext_ip_arr[@]} ; do - $ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP - if $kernel_forward_between_interfaces ; then - $ipi6t -A FORWARD -s $_ip -d $_ip -j DROP - fi -done - - -# - private Adressen auf externen interface verwerfen -for _dev in ${ext_if_arr[@]} ; do - if $log_spoofed || $log_all ; then - $ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): " - $ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): " - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): " - $ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): " - fi - fi - $ip6t -A INPUT -i $_dev -s $ula_block -j DROP - $ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j DROP - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i $_dev -s $ula_block -j DROP - $ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j DROP - fi - - # Don't allow spoofing from that server - $ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP - $ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -s $ula_block -j DROP - $ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP - fi -done - echo_done +# --- +# - Protection against port scanning +# --- + +echononl "\tProtection against port scanning" +$ip6t -N port-scanning +$ip6t -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m 
limit --limit 1/s --limit-burst 2 -j RETURN +if $log_port_scanning || $log_all ; then + $ip6t -A port-scanning -j $LOG_TARGET $tag_log_prefix "$log_prefix Port Scan:" +fi +$ip6t -A port-scanning -j DROP +echo_done + + +# --- +# - Protection against SSH brute-force attacks +# --- + +echononl "\tProtection against SSH brute-force attacks" +$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set +if $log_ssh_brute_force || $log_all ; then + $ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:" +fi +$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP +echo_done + + +# --- +# - Limit connections per source IP +# --- + +echononl "\tLimit connections per source IP" +if $log_rejected || $log_all ; then + $ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP: " +fi +$ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset +echo_done + + +# --- +# - Limit RST packets +# --- + +echononl "\tLimit RST packets" +$ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT +if $log_rejected || $log_all ; then + $ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: " +fi +$ip6t -A INPUT -p tcp --tcp-flags RST RST -j DROP +echo_done + + +# --- +# - Limit new TCP connections per second per source IP +# --- + +echononl "\tLimit new TCP connections per second per source IP" +$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT +if $log_rejected || $log_all ; then + $ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: " +fi +$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP +echo_done + + +# --- +# - Use 
SYNPROXY on all ports (disables connection limiting rule) +# --- + +#echononl "\tUse SYNPROXY on all ports (disables connection limiting rule)" +#$ip6t -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack +#$ip6t -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 +#$ip6t -A INPUT -m conntrack --ctstate INVALID -j DROP +#echo_done + + # ------------- # ------------- Stopping firewall here if requested (parameter stop) diff --git a/ipt-firewall-server b/ipt-firewall-server index 53826a5..2e48013 100755 --- a/ipt-firewall-server +++ b/ipt-firewall-server 
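Review bot: The "Block spoofed (private/reserved)" rules drop every packet with a source in `$link_local_unicast_block` (fe80::/10) arriving on an external interface, and the "Don't allow spoofing out" block drops them on OUTPUT/FORWARD; on IPv6 that is not spoofing — Neighbor Solicitation/Advertisement and Router Advertisements are sent from link-local sources, so with these rules the host can no longer resolve or keep its default gateway. Drop the `-s $link_local_unicast_block` LOG/DROP lines in both blocks (or exempt ICMPv6 from them). The "Drop all ICMP traffic" block calls `echo_done` inside the `if` and then falls through to `echo_skipped`, so both are printed when `drop_icmp` is true; make it `else echo_skipped; fi`. The `-m limit --limit 60/s --limit-burst 20` rule under "Limit new TCP connections per second per source IP" is a global limiter, not per source; per-source limiting needs `-m hashlimit --hashlimit-mode srcip`. The new `port-scanning` chain is created but no `-j port-scanning` jump appears in this hunk, and `$log_rejected` is not among the flags added to logging_ipv6.conf — both may be handled outside the hunk.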
@@ -647,243 +647,298 @@ fi # --- Protections against several attacks / unwanted packages # ------------- echo -echononl "\tProtections against several attacks / unwanted packages.." +echo -e "\t\033[37m\033[1mProtections against several attacks / unwanted packages..\033[m" # --- -# - Protection against syn-flooding +# - Drop invalid packets # --- -$ipt -N syn-flood -$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN -if $log_syn_flood || $log_all ; then - $ipt -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood:" +echononl "\tDrop invalid packets" +if $log_invalid_packets|| $log_all ; then + $ipt -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid packets:" fi -$ipt -A syn-flood -j DROP +$ipt -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP +echo_done # --- -# - Drop Fragments -# --- - -# I have to say that fragments scare me more than anything. -# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown" -# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such -# fragments is very OS-dependent (see this paper for details). -# I am not going to trust any fragments. -# Log fragments just to see if we get any, and deny them too - -for _dev in ${ext_if_arr[@]} ; do - if $log_fragments || $log_all ; then - $ipt -A INPUT -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:" - if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:" - fi - fi - $ipt -A INPUT -i $_dev -f -j DROP - if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -f -j DROP - fi -done - - -# --- -# - drop new packages without syn flag +# Drop TCP packets that are new and are not SYN # --- +echononl "\tDrop TCP packets that are new and are not SYN" if $log_new_not_sync || $log_all ; then - $ipt -A INPUT -p tcp ! 
--syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:" - $ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:" - if $kernel_activate_forwarding ; then - $ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:" - fi + $ipt -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:" fi -$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP -$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP -if $kernel_activate_forwarding ; then - $ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP +$ipt -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP +echo_done + + +# --- +# - Drop SYN packets with suspicious MSS value +# --- + +echononl "\tDrop SYN packets with suspicious MSS value" +if $log_syn_with_suspicious_mss || $log_all ; then + $ipt -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j $LOG_TARGET $tag_log_prefix "$log_prefix suspicious MSS:" fi +$ipt -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! 
--mss 536:65535 -j DROP +echo_done # --- -# - drop invalid packages +# - Block packets with bogus TCP flags # --- -if $log_invalid_state || $log_all ; then - $ipt -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state:" - if $kernel_activate_forwarding ; then - $ipt -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state:" - fi -fi -$ipt -A INPUT -m state --state INVALID -j DROP -if $kernel_activate_forwarding ; then - $ipt -A FORWARD -m state --state INVALID -j DROP +echononl "\tBlock packets with bogus TCP flags" +if $log_invalid_flags || $log_all ; then + $ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ipt -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid 
flags:" + $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" fi +$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP +$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP +$ipt -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP +$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP +$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP +$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP +$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP +$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP +$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP +$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP +$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP +$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP +$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP +echo_done # --- -# - ungewöhnliche Flags verwerfen +# - Block spoofed (own ip) packets # --- -for _dev in ${ext_if_arr[@]} ; do - if $log_invalid_flags || $log_all ; then - $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" - $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" - $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" - if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" - $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET 
$tag_log_prefix "$log_prefix Invalid flags:"
-      $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
-    fi
-  fi
-  $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-  $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-  $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-  if $kernel_activate_forwarding ; then
-    $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-    $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-    $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-  fi
-done
-
-
-# ---
-# - Refuse private addresses on extern interfaces
-# ---
-
-# Refuse spoofed packets pretending to be from your IP address.
+echononl "\tBlock spoofed (own ip) packets"
 if $log_spoofed || $log_all ; then
-  # input
   for _ip in ${ext_ip_arr[@]} ; do
-    $ipt -A INPUT -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip):"
-    if $kernel_activate_forwarding ; then
-      $ipt -A FORWARD -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip):"
-    fi
+    $ipt -t mangle -A PREROUTING -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
   done
 fi
 for _ip in ${ext_ip_arr[@]} ; do
-  $ipt -A INPUT -s $_ip -d $_ip -j DROP
-  if $kernel_activate_forwarding ; then
-    $ipt -A FORWARD -s $_ip -d $_ip -j DROP
-  fi
+  $ipt -t mangle -A PREROUTING -s $_ip -d $_ip -j DROP
 done
+echo_done
-# Refuse packets claiming to be from a
-# Class A private network
-# Class B private network
-# Class C private network
-# loopback interface
-# Class D multicast address
-# Class E reserved IP address
-# broadcast address
+# ---
+# - Block spoofed (private/reserved) packets
+# ---
+
+echononl "\tBlock spoofed (private/reserved) packets"
 for _dev in ${ext_if_arr[@]} ; do
   if $log_spoofed || $log_all ; then
-    $ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
-    $ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
-    $ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
-    $ipt -A INPUT -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
-    $ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
-    $ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
-    #$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
-    #
-    if $kernel_activate_forwarding ; then
-      $ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
-      $ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
-      $ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
-      $ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
-      $ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
-      $ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
-      #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
-    fi
-  fi
-  # Refuse packets claiming to be from a Class A private network.
-  $ipt -A INPUT -i $_dev -s $priv_class_a -j DROP
-  # Refuse packets claiming to be from a Class B private network.
-  $ipt -A INPUT -i $_dev -s $priv_class_b -j DROP
-  # Retfuse packets claiming to be from a Class C private network.
-  $ipt -A INPUT -i $_dev -s $priv_class_c -j DROP
-  # Refuse packets claiming to be from loopback interface.
-  $ipt -A INPUT -i $_dev -s $loopback_ipv4 -j DROP
-  # Refuse Class D multicast addresses. Multicast is illegal as a source address.
-  $ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP
-  # Refuse Class E reserved IP addresses.
-  $ipt -A INPUT -i $_dev -s $class_e_reserved -j DROP
-  # Refuse broadcast address packets.
-  #$ipt -A INPUT -i $_dev -d $broadcast_addr -j DROP
-  if $kernel_activate_forwarding ; then
-    # Refuse packets claiming to be from a Class A private network.
-    $ipt -A FORWARD -i $_dev -s $priv_class_a -j DROP
-    # Refuse packets claiming to be from a Class B private network.
-    $ipt -A FORWARD -i $_dev -s $priv_class_b -j DROP
-    # Refuse packets claiming to be from a Class C private network.
-    $ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP
-    # Refuse packets claiming to be from loopback interface.
-    $ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j DROP
-    # Refuse Class D multicast addresses. Multicast is illegal as a source address.
-    $ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP
-    # Refuse Class E reserved IP addresses.
-    $ipt -A FORWARD -i $_dev -s $class_e_reserved -j DROP
-    # Refuse broadcast address packets.
-    #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP
+    /sbin/iptables -t mangle -A PREROUTING -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: "
+    /sbin/iptables -t mangle -A PREROUTING -i $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix link local block: "
+    /sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: "
+    /sbin/iptables -t mangle -A PREROUTING -i $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix TEST-NET-1: "
+    /sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: "
+    /sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: "
+    /sbin/iptables -t mangle -A PREROUTING -i $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix THIS NET: "
+    /sbin/iptables -t mangle -A PREROUTING -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: "
   fi
 done
+if $log_spoofed || $log_all ; then
+  /sbin/iptables -t mangle -A PREROUTING -s $loopback_ipv4 ! -i lo -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
+fi
-# ---
-# - Refuse packets claiming to be to the loopback interface.
-# ---
-
-# Refusing packets claiming to be to the loopback interface protects against
-# source quench, whereby a machine can be told to slow itself down by an icmp source
-# quench to the loopback.
 for _dev in ${ext_if_arr[@]} ; do
-  if $log_to_lo || $log_all ; then
-    $ipt -A INPUT -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:"
-    if $kernel_activate_forwarding ; then
-      $ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:"
-    fi
-  fi
-  $ipt -A INPUT -i $_dev -d $loopback_ipv4 -j DROP
-  if $kernel_activate_forwarding ; then
-    $ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j DROP
-  fi
+  /sbin/iptables -t mangle -A PREROUTING -i $_dev -s $class_d_multicast -j DROP
+  /sbin/iptables -t mangle -A PREROUTING -i $_dev -s $link_local_rfc_5735 -j DROP
+  /sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_b -j DROP
+  /sbin/iptables -t mangle -A PREROUTING -i $_dev -s $test_net_1_rfc_5735 -j DROP
+  /sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_c -j DROP
+  /sbin/iptables -t mangle -A PREROUTING -i $_dev -s $priv_class_a -j DROP
+  /sbin/iptables -t mangle -A PREROUTING -i $_dev -s $this_net_rfc_5735 -j DROP
+  /sbin/iptables -t mangle -A PREROUTING -i $_dev -s $class_e_reserved -j DROP
 done
+/sbin/iptables -t mangle -A PREROUTING -s $loopback_ipv4 ! -i lo -j DROP
+echo_done
+
+
+# ---
+# - Drop fragments in all chains
+# ---
+
+echononl "\tDrop fragments in all chains"
+if $log_fragments || $log_all ; then
+  /sbin/iptables -t mangle -A PREROUTING -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:"
+fi
+/sbin/iptables -t mangle -A PREROUTING -f -j DROP
+echo_done
+
+
+# ---
+# - Drop ICMP all ICMP traffic (you usually don't need this protocol)
+# ---
+
+echononl "\tDrop all ICMP traffic.."
+if [[ -n "$drop_icmp" ]] && $drop_icmp ; then
+  if $log_rejected || $log_all ; then
+    $ipt -t mangle -A PREROUTING -p icmp -j $LOG_TARGET $tag_log_prefix "$log_prefix Drop all ICMP traffic: "
+  fi
+  $ipt -t mangle -A PREROUTING -p icmp -j DROP
+  echo_done
+fi
+echo_skipped
 # ---
 # - Don't allow spoofing from that server
 # ---
+echo ""
+echononl "\tDon't allow spoofing out from this server"
 for _dev in ${ext_if_arr[@]} ; do
   if $log_spoofed_out || $log_all ; then
     $ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:"
     $ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:"
     $ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:"
+    $ipt -A OUTPUT -o $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out link local block:"
+    $ipt -A OUTPUT -o $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out TEST-NET-1:"
+    $ipt -A OUTPUT -o $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out THIS NET:"
     $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:"
     if $kernel_activate_forwarding ; then
       $ipt -A FORWARD -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:"
       $ipt -A FORWARD -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:"
       $ipt -A FORWARD -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:"
+      $ipt -A FORWARD -o $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out link local block:"
+      $ipt -A FORWARD -o $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out TEST-NET-1:"
+      $ipt -A FORWARD -o $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out THIS NET:"
       $ipt -A FORWARD -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:"
     fi
   fi
   $ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP
   $ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP
   $ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP
+  $ipt -A OUTPUT -o $_dev -s $link_local_rfc_5735 -j DROP
+  $ipt -A OUTPUT -o $_dev -s $test_net_1_rfc_5735 -j DROP
+  $ipt -A OUTPUT -o $_dev -s $this_net_rfc_5735 -j DROP
   $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j DROP
   if $kernel_activate_forwarding ; then
     $ipt -A FORWARD -o $_dev -s $priv_class_a -j DROP
     $ipt -A FORWARD -o $_dev -s $priv_class_b -j DROP
     $ipt -A FORWARD -o $_dev -s $priv_class_c -j DROP
+    $ipt -A FORWARD -o $_dev -s $link_local_rfc_5735 -j DROP
+    $ipt -A FORWARD -o $_dev -s $test_net_1_rfc_5735 -j DROP
+    $ipt -A FORWARD -o $_dev -s $this_net_rfc_5735 -j DROP
     $ipt -A FORWARD -o $_dev -s $loopback_ipv4 -j DROP
   fi
 done
-
 echo_done
+# ---
+# - Protection against syn-flooding
+# ---
+
+echo
+echononl "\tProtection against syn-flooding"
+$ipt -N syn-flood
+$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
+if $log_syn_flood || $log_all ; then
+  $ipt -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood:"
+fi
+$ipt -A syn-flood -j DROP
+echo_done
+
+
+# ---
+# - Protection against port scanning
+# ---
+
+echononl "\tProtection against port scanning"
+$ipt -N port-scanning
+$ipt -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
+if $log_port_scanning || $log_all ; then
+  $ipt -A port-scanning -j $LOG_TARGET $tag_log_prefix "$log_prefix Port Scan:"
+fi
+$ipt -A port-scanning -j DROP
+echo_done
+
+
+# ---
+# - Protection against SSH brute-force attacks
+# ---
+
+echononl "\tProtection against SSH brute-force attacks"
+$ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
+if $log_ssh_brute_force || $log_all ; then
+  $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:"
+fi
+$ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
+echo_done
+
+
+# ---
+# - Limit connections per source IP
+# ---
+
+echononl "\tLimit connections per source IP"
+if $log_rejected || $log_all ; then
+  $ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:"
+fi
+$ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
+echo_done
+
+
+# ---
+# - Limit RST packets
+# ---
+
+echononl "\tLimit RST packets"
+$ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
+if $log_rejected || $log_all ; then
+  $ipt -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
+fi
+$ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP
+echo_done
+
+
+# ---
+# - Limit new TCP connections per second per source IP
+# ---
+
+echononl "\tLimit new TCP connections per second per source IP"
+$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
+if $log_rejected || $log_all ; then
+  $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
+fi
+$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
+echo_done
+
+
+# ---
+# - Use SYNPROXY on all ports (disables connection limiting rule)
+# ---
+
+#echononl "\tUse SYNPROXY on all ports (disables connection limiting rule)"
+#$ipt -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
+#$ipt -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
+#$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
+#echo_done
+
+
+
 # -------------
 # ------------- Stopping firewall here if requested (parameter stop)
 # -------------
@@ -2447,11 +2502,11 @@ if $log_rejected || $log_all ; then
   #$ipt -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
   #$ipt -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
   #$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
-  $ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
-  $ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
+  $ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
+  $ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
   if $kernel_activate_forwarding ; then
     #$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
-    $ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
+    $ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
   fi
   echo_done
 else
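Review bot: The three rewritten "Rejected (end of firewall)" log rules keep `-m limit --limit-burst 5` with no `--limit` rate, so once the initial burst of 5 is spent they fall back to the limit module's default average rate of 3/hour, which means a sustained scan or flood leaves almost no trace in the log even with log_rejected enabled. If that very low rate is deliberate it should be spelled out so the next reader does not assume a per-second limiter, e.g. `-m limit --limit 3/hour --limit-burst 5`; otherwise a value in the order of `--limit 10/minute --limit-burst 5` is the usual choice for a catch-all logger. The enclosing `if $log_rejected || $log_all` block begins before this hunk.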