#!/bin/sh
FWVER=0.25
#
# doug_firewall 2011.02.10 Ver:0.25.
# O.K. the ip_conntrack_tcp_loose setting of 0 results
# in leakage packets again. So, this version will go back
# to using the INVALID TCP packet check in the FORWARD
# chain as per version 0.23. However, it will also
# use a default policy of ACCEPT rather than DROP for the
# OUTPUT chain so that the REJECT packet with the RST flag
# set can get through. It is the local network that we are
# trying to keep in order here. All we are wanting to do
# is get the local client to not keep sending these
# INVALID packets many times for each occurrence of this
# condition. One needs to be certain that no undesired
# packets will get through the OUTPUT chain with the
# ACCEPT policy. The other option is to leave the default
# policy as DROP and not bother trying to REJECT the
# INVALID TCP packets, but just DROP them. The local clients
# eventually do give up sending the INVALID TCP packets.
# Also remove temporary rule introduced in version 0.21.
#
# doug_firewall 2011.02.09 Ver:0.24.
# While the INVALID TCP packet check is working fine,
# and has eliminated the packet leakage issue,
# the REJECT packets (which contain a TCP RST) are being
# trapped by the OUTPUT chain rules which DROPs them.
# This version will try the ip_conntrack_tcp_loose=0 method
# (which will be persistently set outside of this file)
#
# doug_firewall 2011.02.05 Ver:0.23.
# Still have packet leakage.
# move INVALID TCP check to forward chain.
#
# doug_firewall 2011.02.04 Ver:0.22.
# More TCP rules in an attempt to cover strange
# states that end up in packet leakage.
#
# doug_firewall 2011.01.30 Ver:0.21.
# Temporary, until I can fix it at the source,
# trap and DROP escaping netbios-ns stuff (port 137).
#
# doug_firewall 2011.01.29 Ver:0.20.
# NEW TCP SYN rule is still not giving expected results.
# This edit will only look at eth0.
# Add site specific rule to drop all packets
# from the wireless router gateway, which is configured
# as a switch, but I can not get it to shut up.
# See 192.168.111.57 rule.
#
# doug_firewall 2011.01.28 Ver:0.19 Fix NEW TCP SYN rule.
#
# doug_firewall 2011.01.27 Ver:0.18 Changes to POSTROUTING.
# Switch back to "stronger" form of POSTROUTING from
# the "more liberal" switched to in version 0.17.
# The "more liberal" form had the same rogue packet issue.
# I think the rogue packets are due to incorrect
# handling of what the server thinks is a NEW TCP
# connection and the local client thinks is an existing
# connection. In such cases, the SYN bit is not set,
# therefore add a rule to check for it and drop such packets
# so that they do not escape to internet.
#
# doug_firewall 2011.01.26 Ver:0.17 Changes to OUTPUT chain.
# Note: Version 0.16 was retracted. It was an attempt
# to make the output sanity check actually work. It turns
# out to not be possible to do a complete sanity check
# on output packets as we do not have access to the after
# NAT IP address. RFC1918 packets are still escaping.
# Sometimes NAT seems to forget the translation and some packets
# go through with the original (192.168.111.100, for example)
# IP address as the source.
# Specifically, this edit will eliminate some output rules that
# didn't work anyhow and change to try the "more liberal" form
# of NAT (using MASQUERADE) rather than the stronger form
# (using SNAT).
#
# doug_firewall 2010.12.28 Ver:0.15 INPUT chain addition:
# Specifically drop bad source MAC.
#
# doug_firewall 2010.12.26 Ver:0.14 Complete the sanity checks.
# Use the IPv4 reserved and private allocation master references.
#
# doug_firewall 2010.12.26 Ver:0.13 Sanity checks. Some RFC1918 packets
# are escaping.
# Similarly, look for RFC1918 violations on incoming packets.
# Temporarily add log-n-drop user chain. I prefer direct drop, but
# am having difficulty tracing all of the traffic.
#
# doug_firewall 2010.12.21 Ver:0.12 Duhhh... Enable e-mail port.
#
# doug_firewall 2010.12.19 Ver:0.11 Expand basic nat to include firewall.
# There is not a lot left over from the old server firewall.
#
# doug_nat 2010.12.19 Ver: 0.10 Setup IP forwarding and masquerading.
# Among other references, see:
# http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html
# The above reference has many many comments within its
# example script.
#
# Initial SIMPLE IP Masquerade test for 2.6 / 2.4 kernels
# using IPTABLES.
#
echo "Loading doug_firewall version $FWVER..\n"

# The location of the iptables and kernel module programs
#
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
EXTIF="eth1"
INTIF="eth0"
EXTIP="209.121.28.192"
INTNET="192.168.111.0/24"
INTIP="192.168.111.1/32"
UNIVERSE="0.0.0.0/0"
echo " External Interface: $EXTIF
 Internal Interface: $INTIF
 External IP: $EXTIP
 Internal Network: $INTNET
 Internal IP: $INTIP"

#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==

echo loading modules:

# Need to verify that all modules have all required dependencies
#
echo "Verifying that all kernel modules are ok..."
$DEPMOD -a

# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
# options as MODULES. If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational reasons.
# There is no reason to manually load these modules unless your
# kernel is either mis-configured or you intentionally disabled
# the kernel module autoloader.
#
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below but are commented out from loading.
# ===============================================================

#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo ip_tables,
$MODPROBE ip_tables

#Load the IPTABLES filtering module - "iptable_filter"
# - Loaded automatically when filter policies are activated

#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo ip_conntrack,
$MODPROBE ip_conntrack

#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo ip_conntrack_ftp,
$MODPROBE ip_conntrack_ftp

#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo ip_conntrack_irc,
$MODPROBE ip_conntrack_irc

#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo iptable_nat,
$MODPROBE iptable_nat

#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo ip_nat_ftp,
$MODPROBE ip_nat_ftp

#Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo ip_nat_irc
#$MODPROBE ip_nat_irc

# Just to be complete, here is a partial list of some of the other
# IPTABLES kernel modules and their function. Please note that most
# of these modules (the ipt ones) are automatically loaded by the
# master kernel module for proper operation and don't need to be
# manually loaded.
# --------------------------------------------------------------------
#
# ip_nat_snmp_basic - this module allows for proper NATing of some
#                     SNMP traffic
#
# iptable_mangle - this target allows for packets to be
#                  manipulated for things like the TCPMSS
#                  option, etc.
#
# --
#
# ipt_mark - this target marks a given packet for future action.
#            This automatically loads the ipt_MARK module
#
# ipt_tcpmss - this target allows to manipulate the TCP MSS
#              option for braindead remote firewalls.
#              This automatically loads the ipt_TCPMSS module
#
# ipt_limit - this target allows for packets to be limited to
#             to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets within a range
#                 of port numbers vs. listing each port individually
#
# ipt_state - this match allows to catch packets with various
#             IP and TCP flags set/unset
#
# ipt_unclean - this match allows to catch packets that have invalid
#               IP/TCP flags set
#
# iptable_filter - this module allows for packets to be DROPped,
#                  REJECTed, or LOGged. This module automatically
#                  loads the following modules:
#
# ipt_LOG - this target allows for packets to be
#           logged
#
# ipt_REJECT - this target DROPs the packet and returns
#              a configurable ICMP packet back to the
#              sender.
#
echo Done loading modules.

#CRITICAL: Enable IP forwarding since it is disabled by default since
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
# Smythies: I get my address via DHCP, but it is a static address.
# Smythies: I wonder if I need this?
# Smythies: Action: Try without it.
echo Enabling DynamicAddr...
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# By default, this is turned on.
# I have not figured out where it gets turned on. It is not in
# sysctl.conf
# see "sysctl -w net.ipv4.ip_conntrack_loose = 0"
#echo Disable loose TCP in conntrack
#echo 0 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose

# Enable simple IP forwarding and Masquerading
#
#Clearing any previous configuration
#
echo " Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
# Ver:0.25: will use a default policy of ACCEPT for the OUTPUT chain
#$IPTABLES -P OUTPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
#$IPTABLES -F -t nat
$IPTABLES -t nat -F
# Otherwise, I can not seem to delete it later on
$IPTABLES -F log-n-drop
$IPTABLES -F log-n-drop-syn
$IPTABLES -F log-n-reject
# Delete user defined chains
$IPTABLES -X
# Smythies: While my references do not have it, I think this is needed.
#$IPTABLES -t nat -X
#echo debug flag 02
#$IPTABLES -X log-n-drop
#$IPTABLES -X log-n-drop-syn
#$IPTABLES -X log-n-reject
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
#
# log-n-drop
# I only use this when I am having troubles and want more details.
# Normally, I just DROP packets at the earliest determination of that
# ultimate course of action.
$IPTABLES -N log-n-drop
$IPTABLES -A log-n-drop -j LOG --log-level info
$IPTABLES -A log-n-drop -j DROP
#
# log-n-drop-syn
# TCP SYN flag not set upon new connection.
# Note: it might make more sense to make this REJECT instead of DROP as
# things are clearly confused.
$IPTABLES -N log-n-drop-syn
$IPTABLES -A log-n-drop-syn -j LOG --log-prefix "NEW TCP but no SYN:" --log-level debug
$IPTABLES -A log-n-drop-syn -j DROP
#
# log-n-reject
# TCP INVALID state.
# It remains to be seen if this will cover all the remaining leakage conditions,
# or if it will cover any.
# We are trying to get the client to realize it is in error, so send TCP RESET.
# The only way to get to this routine is if the packet is TCP, the check is required
# to prevent iptables from complaining and not implementing the rule.
$IPTABLES -N log-n-reject
$IPTABLES -A log-n-reject -j LOG --log-prefix "INVALID TCP state:" --log-level debug
echo Flag: Next is reject statement
$IPTABLES -A log-n-reject -p tcp -j REJECT --reject-with tcp-reset
echo Flag: Previous is reject statement

#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# A very site specific rule: Will 192.168.111.57 please shut up.
# Action: try to eliminate this rule in future.
# Action: try more global rules to prevent all bad ports and addresses from escaping. (can not recall reference at the moment.)
#
$IPTABLES -A INPUT -i $INTIF -s 192.168.111.57 -j DROP

# Note for iptables_notes.html on internet: This section is incorrect. Please ignore or see the more recent version of this file.
# A NEW TCP connection requires SYN bit set.
# Un-NAT'ed packets go out to internet without this rule.
# Sending RFC1918 packets to internet is considered poor form, by me anyhow.
# Does not work: (Ver: 0.18) (Requires no SYN, and FIN, ACK, and RST)
#$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j log-n-drop-syn
# Does not work: (Ver: 0.19) (Requires no SYN <<< which should be the only criteria ??)
#$IPTABLES -A INPUT -p tcp ! --tcp-flags syn syn -m state --state NEW -j log-n-drop-syn
# Works: (Ver: 0.20) (Only look at INTIF)(was it only from re-boot?) (There are other leakage conditions.)
$IPTABLES -A INPUT -i $INTIF -p tcp ! --tcp-flags syn syn -m state --state NEW -j log-n-drop-syn

# At this point local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

# remote interface, RFC 1918, private internet packets
#
$IPTABLES -A INPUT -i $EXTIF -s 192.168.0.0/16 -d $UNIVERSE -j log-n-drop
$IPTABLES -A INPUT -i $EXTIF -s 10.0.0.0/8 -d $UNIVERSE -j log-n-drop
$IPTABLES -A INPUT -i $EXTIF -s 172.16.0.0/12 -d $UNIVERSE -j log-n-drop
$IPTABLES -A INPUT -i $EXTIF -s 240.0.0.0/5 -d $UNIVERSE -j log-n-drop
$IPTABLES -A INPUT -i $EXTIF -s 224.0.0.0/4 -d $UNIVERSE -j log-n-drop
$IPTABLES -A INPUT -i $EXTIF -s 169.254.0.0/16 -d $UNIVERSE -j log-n-drop

# external interface, from any source, for ICMP traffic is valid
#
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT

# remote interface, any source, going to the MASQ servers IP address is valid
#
# ENABLE this line if you want ALL Internet traffic to connect to your
# the various servers running on the MASQ server. This includes
# web servers, ssh servers, dns servers, etc.
#
# I DON'T recommend you enable this rule. Instead, only enable specific
# access to select server ports under the "OPTIONAL INPUT Section".
# An example of enabling HTTP (WWW) has been given below:
#
#
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

# Allow any related traffic coming back to the MASQ server in.
#
# STATEFULLY TRACKED
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

# ----- Begin OPTIONAL INPUT Section -----
#
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#
# Smythies: Is not only the udp line required? There will never be tcp for this.
# Smythies: Action: Consider to delete the tcp one in a future edit.
$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

# Secure Shell on port 22.
#
# Dynamic Badguy List. Detect and DROP idiots that do password attacks on SSH.
# Once they are on the BADGUY list then DROP all packets from them.
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --set --name BADGUY_SSH -j ACCEPT

# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
echo Allowing EXTERNAL access to the WWW server
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

# E-mail on port 25. Enable the following lines if you run an EXTERNAL e-mail server.
#
echo Allowing EXTERNAL access to e-mail
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 25 -j ACCEPT

# Just for my own interest, specifically identify if source MAC address is the ISP gateway (209.121.28.254 in my current case)
#
echo Debug: 1st MAC line follows...
$IPTABLES -A INPUT -i $EXTIF -m mac --mac-source 00:90:1A:A0:FD:73 -j log-n-drop
echo Debug: 1st MAC line precedes...

# Again, just for my own interest, specifically identify if source MAC address is my other IP address MAC (209.121.28.186 in my current case)
# It is completely not clear to me how someone would come to know that MAC.
#
$IPTABLES -A INPUT -i $EXTIF -m mac --mac-source 00:14:BF:BC:25:EE -j log-n-drop
echo Debug: 2nd MAC line precedes...

# ----- End OPTIONAL INPUT Section -----

# Catch all rule, all other incoming is denied.
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j log-n-drop

# ---------------------------------------------------------------------
echo Loading OUTPUT rulesets...
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# Sanity check 1: RFC 1918 check: (Ver: 0.17: Does not work, but
# only commented out, for now)
#
# Smythies: Why doesn't this work?
#$IPTABLES -A OUTPUT -o $EXTIF -s BLACKHOLE -d $UNIVERSE -j DROP
#
#$IPTABLES -A OUTPUT -o $EXTIF -s 192.168.0.0/16 -d $UNIVERSE -j log-n-drop
#$IPTABLES -A OUTPUT -o $EXTIF -s 10.0.0.0/8 -d $UNIVERSE -j log-n-drop
#$IPTABLES -A OUTPUT -o $EXTIF -s 172.16.0.0/12 -d $UNIVERSE -j log-n-drop
#$IPTABLES -A OUTPUT -o $EXTIF -s 224.0.0.0/4 -d $UNIVERSE -j log-n-drop
#$IPTABLES -A OUTPUT -o $EXTIF -s 240.0.0.0/5 -d $UNIVERSE -j log-n-drop
#$IPTABLES -A OUTPUT -o $EXTIF -s 169.254.0.0/16 -d $UNIVERSE -j log-n-drop

# Workaround bug in netfilter
# See http://www.netfilter.org/security/2002-04-02-icmp-dnat.html
# Smythies: I wonder if this is still required?? As far as I can determine,
# it seems to be deleting some valid ICMP packets.
#
$IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j log-n-drop

# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interfaces, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

# local interface, MASQ server source going to the local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
#
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j log-n-drop

# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

# ----- Begin OPTIONAL OUTPUT Section -----
#
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
# - Remove BOTH #s all the #s if you need this functionality.
#
# Ver: 0.17: This is never executed. Comment out for now.
#$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
#
# ----- End OPTIONAL OUTPUT Section -----

# Catch all rule, all other outgoing is denied.
# Ver: 0.25. No. allow to fall through to the default policy.
#$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j log-n-drop

echo Loading FORWARD rulesets...
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#
# ----- Begin OPTIONAL FORWARD Section -----
#
# Put PORTFW commands here

# There seem to be many abuses of TCP session termination handshaking that result in
# packet leakage to the internet with untranslated IP addresses. The problem occurs from
# the MACbook, the IPod Touch, the PS3, the Windows 7, vista, and XP machines.
# This rule is an attempt to eliminate the issue (in addition to the next rule).
# We want to use REJECT in this case so that the client will, hopefully, clue in.
# Should this go in the INPUT chain or the FORWARD chain?
# Does not work: (Ver: 0.22)
#$IPTABLES -A INPUT -i $INTIF -p tcp -m state --state INVALID -j log-n-reject
# Works: (Ver: 0.23) Moved to forward chain. But the REJECT gets DROPped in the OUTPUT section
# For version 0.24 this is commented out and ip_conntrack_tcp_loose=0 is used instead.
# For version 0.25 this rule is used again, as ip_conntrack_tcp_loose=0 does not prevent
# packet leakage.
$IPTABLES -A FORWARD -i $INTIF -p tcp -m state --state INVALID -j log-n-reject
#
# ----- End OPTIONAL FORWARD Section -----

echo "FWD: Allow all connections OUT and only existing/related IN..."
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged.
#
$IPTABLES -A FORWARD -j log-n-drop

echo "NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF..."
#
#More liberal form (Ver: 0.17: Try this method instead. Does it solve the problem? No.)
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form (Used before (and after) Ver: 0.17, but RFC1918 packets are being sent out)
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

#######################################################################
echo doug_firewall $FWVER done.
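The changelog above chases un-NATed RFC1918 packets escaping to the internet, and the log-n-drop, log-n-drop-syn and log-n-reject chains exist to make those events visible in the kernel log. What the script does not include is a way to read that log back and see which local client is producing them. The following is an added example, not part of doug_firewall or the IP-Masquerade HOWTO it is based on: a small POSIX sh/awk tool that summarizes netfilter LOG lines by log prefix and source address, and separately lists packets that were about to leave the external interface with a private source. The log lines are constructed for the example in the LOG target's `prefix IN= OUT= SRC= DST= PROTO=` layout; the prefixes are the ones the script's chains set, and the interface names and the EXTIP value 209.121.28.192 are taken from the script. Nothing here calls iptables, so it runs anywhere.

```shell
#!/bin/sh
# Added example (not part of doug_firewall): summarize the kernel LOG lines
# that the log-n-drop, log-n-drop-syn and log-n-reject chains emit, so the
# operator can see which local client is producing the leaking packets.

# Constructed sample syslog lines in the netfilter LOG target's format.
# Made up for this example, not captured from the author's gateway.
SAMPLE_LOG='Feb 10 12:00:01 gw kernel: NEW TCP but no SYN:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.111.100 DST=203.0.113.10 LEN=40 TTL=64 PROTO=TCP SPT=51234 DPT=80 ACK URGP=0
Feb 10 12:00:02 gw kernel: INVALID TCP state:IN=eth0 OUT=eth1 SRC=192.168.111.57 DST=203.0.113.10 LEN=40 TTL=63 PROTO=TCP SPT=40000 DPT=443 ACK FIN URGP=0
Feb 10 12:00:03 gw kernel: INVALID TCP state:IN=eth0 OUT=eth1 SRC=192.168.111.57 DST=203.0.113.10 LEN=40 TTL=63 PROTO=TCP SPT=40001 DPT=443 ACK FIN URGP=0
Feb 10 12:00:04 gw kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.2.3 DST=209.121.28.192 LEN=78 TTL=128 PROTO=UDP SPT=137 DPT=137'

# fw_log_summary: read LOG lines on stdin, print "prefix|SRC|count", one
# line per (prefix, source) pair, sorted. The prefix is whatever sits
# between "kernel: " and the first "IN=" field; lines from the plain
# log-n-drop chain have none and are reported as "(no prefix)".
fw_log_summary() {
    awk '
    {
        p = index($0, "kernel: ")
        if (p == 0) next
        rest = substr($0, p + 8)
        q = index(rest, "IN=")
        if (q == 0) next
        prefix = substr(rest, 1, q - 1)
        if (prefix == "") prefix = "(no prefix)"
        src = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
        counts[prefix "|" src]++
    }
    END { for (k in counts) print k "|" counts[k] }
    ' | sort
}

# rfc1918_leaks EXTIF: print "SRC DST" for logged packets that were headed
# out of the named external interface with an RFC1918 source address, i.e.
# the un-NATed escapes the changelog is chasing. Inbound lines (OUT= empty)
# and packets bound for the internal side are ignored.
rfc1918_leaks() {
    awk -v extif="$1" '
    {
        out = ""; src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^OUT=/) out = substr($i, 5)
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        if (out != extif) next
        if (src ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) print src, dst
    }'
}

# On the real gateway, feed the kernel log instead of the sample, e.g.
#   grep "kernel: " /var/log/messages | fw_log_summary
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
printf '%s\n' "$SAMPLE_LOG" | rfc1918_leaks eth1
```

Both functions key on the `SRC=` field rather than the log prefix alone, because the prefix only says which rule fired; it is the source address that tells the operator which client (the 192.168.111.57 box in the script's own site-specific rule, for instance) needs fixing at the source, which is what the 0.21 changelog entry says is the real goal.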