Changing rules for protection against several ddos attacks.

2020-10-28 20:57:08 +01:00
parent 498b34741c
commit bcdee40228
7 changed files with 494 additions and 276 deletions


@ -522,131 +522,265 @@ fi
# --- Protections against several attacks / unwanted packages
# -------------
echo
echononl "\tProtections against several attacks / unwanted packages.."
echo -e "\t\033[37m\033[1mProtections against several attacks / unwanted packages..\033[m"
# ---
# - Drop invalid packets
# ---
echononl "\tDrop invalid packets"
if $log_invalid_packets || $log_all ; then
$ip6t -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid packets:"
fi
$ip6t -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
echo_done
# ---
# Drop TCP packets that are new and are not SYN
# ---
echononl "\tDrop TCP packets that are new and are not SYN"
if $log_new_not_sync || $log_all ; then
$ip6t -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
fi
$ip6t -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
echo_done
# ---
# - Drop SYN packets with suspicious MSS value
# ---
echononl "\tDrop SYN packets with suspicious MSS value"
if $log_syn_with_suspicious_mss || $log_all ; then
$ip6t -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j $LOG_TARGET $tag_log_prefix "$log_prefix suspicious MSS:"
fi
$ip6t -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
echo_done
# ---
# - Block packets with bogus TCP flags
# ---
echononl "\tBlock packets with bogus TCP flags"
if $log_invalid_flags || $log_all ; then
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
fi
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
echo_done
# ---
# - Block spoofed (own ip) packets
# ---
echononl "\tBlock spoofed (own ip) packets"
if $log_spoofed || $log_all ; then
for _ip in ${ext_ip_arr[@]} ; do
$ip6t -t mangle -A PREROUTING -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
done
fi
for _ip in ${ext_ip_arr[@]} ; do
$ip6t -t mangle -A PREROUTING -s $_ip -d $_ip -j DROP
done
echo_done
# ---
# - Block spoofed (private/reserved) packets
# ---
echononl "\tBlock spoofed (private/reserved) packets"
for _dev in ${ext_if_arr[@]} ; do
if $log_spoofed || $log_all ; then
$ip6t -t mangle -A PREROUTING -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
$ip6t -t mangle -A PREROUTING -i $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (Link Local Unicast): "
$ip6t -t mangle -A PREROUTING -i $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Multicast: "
fi
done
if $log_spoofed || $log_all ; then
$ip6t -t mangle -A PREROUTING -s $loopback_ipv6 ! -i lo -j $LOG_TARGET $tag_log_prefix "$log_prefix Loopback: "
fi
for _dev in ${ext_if_arr[@]} ; do
$ip6t -t mangle -A PREROUTING -i $_dev -s $ula_block -j DROP
$ip6t -t mangle -A PREROUTING -i $_dev -s $link_local_unicast_block -j DROP
$ip6t -t mangle -A PREROUTING -i $_dev -s $multicast_ipv6 -j DROP
done
$ip6t -t mangle -A PREROUTING -s $loopback_ipv6 ! -i lo -j DROP
echo_done
# ---
# - Drop ICMP all ICMP traffic (you usually don't need this protocol)
# ---
echononl "\tDrop all ICMP traffic.."
if [[ -n "$drop_icmp" ]] && $drop_icmp ; then
if $log_rejected || $log_all ; then
$ip6t -t mangle -A PREROUTING -p ipv6-icmp -j $LOG_TARGET $tag_log_prefix "$log_prefix Drop all ICMP traffic: "
fi
$ip6t -t mangle -A PREROUTING -p ipv6-icmp -j DROP
echo_done
fi
echo_skipped
# ---
# - Don't allow spoofing out from this server
# ---
echo ""
echononl "\tDon't allow spoofing out from this server"
if $log_spoofed_out || $log_all ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
$ip6t -A OUTPUT -o $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
$ip6t -A OUTPUT -o $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
$ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
$ip6t -A FORWARD -o $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
$ip6t -A FORWARD -o $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
$ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
fi
done
fi
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP
$ip6t -A OUTPUT -o $_dev -s $link_local_unicast_block -j DROP
$ip6t -A OUTPUT -o $_dev -s $multicast_ipv6 -j DROP
$ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -s $ula_block -j DROP
$ip6t -A FORWARD -o $_dev -s $link_local_unicast_block -j DROP
$ip6t -A FORWARD -o $_dev -s $multicast_ipv6 -j DROP
$ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP
fi
done
echo_done
# ---
# - Protection against syn-flooding
# ---
echo
echononl "\tProtection against syn-flooding"
$ip6t -N syn-flood
$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then
$ip6t -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
fi
$ip6t -A syn-flood -j DROP
# ---
# - drop new packages without syn flag
# ---
if $log_new_not_sync || $log_all ; then
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
fi
fi
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
fi
# ---
# - drop invalid packages
# ---
if $log_invalid_state || $log_all ; then
$ip6t -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
fi
fi
$ip6t -A INPUT -m state --state INVALID -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -m state --state INVALID -j DROP
fi
# ---
# - ungewöhnliche Flags verwerfen
# ---
for _dev in ${ext_if_arr[@]} ; do
if $log_invalid_flags || $log_all ; then
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
fi
fi
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
fi
done
# ---
# - Refuse private addresses on extern interfaces
# ---
# - Refuse spoofed packets pretending to be from your IP address.
if $log_spoofed || $log_all ; then
for _ip in ${ext_ip_arr[@]} ; do
$ip6t -A INPUT -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
fi
done
fi
for _ip in ${ext_ip_arr[@]} ; do
$ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP
if $kernel_forward_between_interfaces ; then
$ipi6t -A FORWARD -s $_ip -d $_ip -j DROP
fi
done
# - private Adressen auf externen interface verwerfen
for _dev in ${ext_if_arr[@]} ; do
if $log_spoofed || $log_all ; then
$ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
$ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
$ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
fi
fi
$ip6t -A INPUT -i $_dev -s $ula_block -j DROP
$ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $ula_block -j DROP
$ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j DROP
fi
# Don't allow spoofing from that server
$ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP
$ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -s $ula_block -j DROP
$ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP
fi
done
echo_done
# ---
# - Protection against port scanning
# ---
echononl "\tProtection against port scanning"
$ip6t -N port-scanning
$ip6t -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
if $log_port_scanning || $log_all ; then
$ip6t -A port-scanning -j $LOG_TARGET $tag_log_prefix "$log_prefix Port Scan:"
fi
$ip6t -A port-scanning -j DROP
echo_done
# ---
# - Protection against SSH brute-force attacks
# ---
echononl "\tProtection against SSH brute-force attacks"
$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
if $log_ssh_brute_force || $log_all ; then
$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:"
fi
$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
echo_done
# ---
# - Limit connections per source IP
# ---
echononl "\tLimit connections per source IP"
if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP: "
fi
$ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
echo_done
# ---
# - Limit RST packets
# ---
echononl "\tLimit RST packets"
$ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
fi
$ip6t -A INPUT -p tcp --tcp-flags RST RST -j DROP
echo_done
# ---
# - Limit new TCP connections per second per source IP
# ---
echononl "\tLimit new TCP connections per second per source IP"
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
fi
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
echo_done
# ---
# - Use SYNPROXY on all ports (disables connection limiting rule)
# ---
#echononl "\tUse SYNPROXY on all ports (disables connection limiting rule)"
#$ip6t -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
#$ip6t -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
#$ip6t -A INPUT -m conntrack --ctstate INVALID -j DROP
#echo_done
# -------------
# ------------- Stopping firewall here if requested (parameter stop)
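Review bot: The FORWARD rule for own-IP spoofing, `$ipi6t -A FORWARD -s $_ip -d $_ip -j DROP`, misspells the tool variable (`$ipi6t` instead of `$ip6t`), so with forwarding enabled this DROP is never installed even though its LOG counterpart a few lines above is; it should read `$ip6t -A FORWARD -s $_ip -d $_ip -j DROP`. In the same `for _ip` loop, `$ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP` binds the rule to a stale `$_dev` left over from the preceding interface loop, while the matching LOG rule has no `-i`; remove the `-i $_dev` (or iterate `ext_if_arr` explicitly) so the drop covers the same traffic the log rule covers. In the ICMP step, `echo_skipped` runs unconditionally after the `if`, so when `$drop_icmp` is true both `echo_done` and `echo_skipped` are printed; move it into an `else` branch. The step labelled "Limit new TCP connections per second per source IP" uses `-m limit`, which counts all new TCP connections together rather than per source address, so once the global 60/s budget is exhausted the unconditional `-j DROP` that follows discards new connections from every client; either switch to `-m hashlimit --hashlimit-mode srcip` or rename the step to match what the rule actually does.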