Tuesday, October 27, 2009

My iptables rules

Network setup: the computer is plugged straight into the Chunghwa Telecom ADSL modem (the 小烏龜) and dials out over PPPoE. No services are exposed; the only daemon is openntpd, which syncs the clock against time.stdtime.gov.tw. The rules guard against port scans and leave ICMP unfiltered. Anything else that reaches the end of INPUT is logged and then rejected (TCP with a RST, UDP with an ICMP port-unreachable); other protocols fall through to the DROP policy.

Ref: packet-filtering-HOWTO (酷學園 / Study-Area translation); 鳥哥私房菜 (VBird's Linux), Linux 防火牆與 NAT 主機 (Linux firewall and NAT host); 酷學園 (Study-Area) example by 小州學長; ArchWiki; 石牌國小 (Shipai Elementary School) firewall setup; ip-sysctl.txt

Updated 10/30: if you picked a firewall option (Standalone or Masq) when running pppoe-setup, it also writes iptables rules of its own. Remember to run pppoe-setup again and choose None, otherwise the two rulesets fight each other.


#! /bin/sh
#
# Create iptables rules. Remember to move the saved rules to
# /etc/iptables, then modify /etc/conf.d/iptables to load them at boot.
#
# Author : lefthaha (at) gmail {dot} com
# Last Modify : 2009 /10 / 26

# Stop on the first failing iptables command, so a half-applied ruleset
# (policy DROP with no ACCEPT rules yet) is never left behind silently.
set -e

# clean current rules (filter table only)
iptables -F
iptables -X
iptables -Z

# set policy: nothing in, no forwarding, anything out
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# accept traffic from the loopback interface
iptables -A INPUT -i lo -j ACCEPT
# accept ICMP messages (deliberately left unfiltered, see the note above)
iptables -A INPUT -p icmp -j ACCEPT
# accept packets that belong to, or relate to, an established connection
# (this is what lets the openntpd replies from time.stdtime.gov.tw back in)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# create new chains: "block" drops scan-shaped TCP, "open" holds the
# rules for any service we decide to expose
iptables -N block
iptables -N open
iptables -A INPUT -p tcp -j block
iptables -A INPUT -j open

# log, then reject, to imitate the behaviour of a host with no firewall
# (a closed TCP port answers RST, a closed UDP port answers port-unreachable).
# The limit keeps a port scan from flooding the kernel log.
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "INPUT-reject: "
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
# anything else (other protocols) falls through to the DROP policy

#################### block chain rules ###################
# from http://www.study-area.org/tips/iptables_def.htm and
# http://wiki.archlinux.org/index.php/Simple_stateful_firewall_HOWTO
# http://www.spps.tp.edu.tw/documents/memo/iptables/iptables.htm
#
# --tcp-flags MASK COMP: of the flags listed in MASK, exactly those in COMP
# must be set; flags outside MASK are ignored. Only packets arriving on the
# PPPoE interface ppp0 are checked.

# a NEW connection must start with a bare SYN (catches ACK scans, nmap -sA)
iptables -A block -i ppp0 -p tcp ! --syn -m state --state NEW -j DROP
# NMAP FIN/URG/PSH (nmap -sX: exactly these three flags, nothing else)
iptables -A block -i ppp0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Xmas Tree (every flag set)
iptables -A block -i ppp0 -p tcp --tcp-flags ALL ALL -j DROP
# another Xmas Tree
iptables -A block -i ppp0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
    -j DROP

# nmap-Xmas: URG, PSH and FIN set, whatever the other flags are
# (a superset of the FIN/URG/PSH rule above)
iptables -A block -i ppp0 -p tcp --tcp-flags URG,PSH,FIN URG,PSH,FIN \
    -j DROP

# Null Scan (nmap -sN: no flags at all)
iptables -A block -i ppp0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST (never legal together)
iptables -A block -i ppp0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN (never legal together)
iptables -A block -i ppp0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# FIN scan (nmap -sF: only FIN set)
iptables -A block -i ppp0 -p tcp --tcp-flags ALL FIN -j DROP

#################### open chain rules ####################
# for opened services (none at the moment)

# accept the FIN/ACK that closes a web connection whose conntrack entry
# has already expired, so it is not logged as a reject.
# Caveat: any unsolicited FIN/ACK from source port 80 to an unprivileged
# port is therefore accepted without being logged. The kernel still answers
# it with a RST, so nothing is exposed, but drop this rule if a service is
# ever opened on a port above 1023.
iptables -A open -p tcp --tcp-flags ALL ACK,FIN --sport 80 \
    --dport 1024: -j ACCEPT

iptables-save > my_firewall.rules

echo "If there is no error message, use 'iptables -L -nv' to check,"
echo "then move ./my_firewall.rules to /etc/iptables"
echo "and modify /etc/conf.d/iptables to load the rules at boot"
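The block chain is easy to misread, because `--tcp-flags MASK COMP` means "of the flags listed in MASK, exactly the ones in COMP are set; flags outside MASK are ignored". Here is an added example (an editorial addition, not code from the original post) that models that match in plain sh and walks a packet through the block chain in rule order, so you can check what a given probe hits without root or a live ppp0. The function names (flags_to_mask, match_num, tcp_flags_match, count_matches, block_chain), the rule nicknames and the bit values are choices made for this model, and the conntrack state is passed in by hand rather than computed.

```shell
#!/bin/sh
# Added example, not part of the original post: a shell model of the
# "--tcp-flags MASK COMP" match used by the block chain above.
# The bit values are this model's own constants, not the TCP header
# encoding; iptables does the same comparison on the real header bits.

# Comma-separated flag list (or ALL / NONE) -> integer bitmask.
flags_to_mask() {
    local m=0 f
    case "$1" in
        ALL)  echo 63; return 0 ;;
        NONE) echo 0;  return 0 ;;
    esac
    for f in $(printf '%s\n' "$1" | tr ',' ' '); do
        case "$f" in
            FIN) m=$((m | 1)) ;;
            SYN) m=$((m | 2)) ;;
            RST) m=$((m | 4)) ;;
            PSH) m=$((m | 8)) ;;
            ACK) m=$((m | 16)) ;;
            URG) m=$((m | 32)) ;;
            *)   echo "unknown TCP flag: $f" >&2; return 1 ;;
        esac
    done
    echo "$m"
}

# Numeric core of the match: of the bits in MASK, exactly those in COMP
# must be set in the packet; bits outside MASK are ignored.
match_num() {  # MASK COMP PKT (all integers)
    [ $(( $3 & $1 )) -eq $(( $2 & $1 )) ]
}

# Same check with iptables-style flag lists. Exit status 0 means "matches".
tcp_flags_match() {  # MASK COMP PACKET_FLAGS
    match_num "$(flags_to_mask "$1")" "$(flags_to_mask "$2")" "$(flags_to_mask "$3")"
}

# How many of the 64 possible flag combinations a MASK/COMP pair matches.
count_matches() {  # MASK COMP
    local mask comp i=0 n=0
    mask=$(flags_to_mask "$1"); comp=$(flags_to_mask "$2")
    while [ "$i" -lt 64 ]; do
        match_num "$mask" "$comp" "$i" && n=$((n + 1))
        i=$((i + 1))
    done
    echo "$n"
}

# Walk the block chain in the order the rules appear above.
#   $1 = packet flag list, $2 = conntrack state (NEW, ESTABLISHED, INVALID)
# Prints a nickname for the first rule that drops the packet, or "pass".
block_chain() {
    local flags="$1" state="$2" mask comp name
    # "--syn" is shorthand for "--tcp-flags SYN,RST,ACK,FIN SYN"
    if [ "$state" = NEW ] && ! tcp_flags_match SYN,RST,ACK,FIN SYN "$flags"; then
        echo non-syn-new; return 0
    fi
    while read -r mask comp name; do
        if tcp_flags_match "$mask" "$comp" "$flags"; then
            echo "$name"; return 0
        fi
    done <<EOF
ALL FIN,URG,PSH nmap-fin-urg-psh
ALL ALL xmas-tree
ALL SYN,RST,ACK,FIN,URG xmas-tree-2
URG,PSH,FIN URG,PSH,FIN nmap-xmas
ALL NONE null-scan
SYN,RST SYN,RST syn-rst
SYN,FIN SYN,FIN syn-fin
ALL FIN fin-scan
EOF
    echo pass
}

# Constructed probes: a normal SYN, an ACK-only probe (nmap -sA), a FIN
# scan (nmap -sF), an Xmas probe (nmap -sX) and an ordinary FIN/ACK close.
for probe in "SYN NEW" "ACK NEW" "FIN INVALID" "FIN,PSH,URG INVALID" "FIN,ACK ESTABLISHED"; do
    set -- $probe
    printf '%-24s %-12s -> %s\n' "$1" "$2" "$(block_chain "$1" "$2")"
done
printf 'ALL FIN,URG,PSH matches %s of 64 combinations; URG,PSH,FIN URG,PSH,FIN matches %s\n' \
    "$(count_matches ALL FIN,URG,PSH)" "$(count_matches URG,PSH,FIN URG,PSH,FIN)"
```

Two things worth knowing when reading the results. With the kernel default nf_conntrack_tcp_loose=1, an ACK-only probe that matches no existing connection is picked up as NEW, so it is the first rule (`! --syn` with `--state NEW`) that stops nmap -sA; a bare FIN, Null or Xmas probe is classified INVALID rather than NEW, so it sails past that first rule and has to be caught by the explicit flag rules beneath it, which is why the chain needs both kinds. And count_matches shows that the nmap-Xmas rule (`URG,PSH,FIN URG,PSH,FIN`, 8 flag combinations) already covers everything the earlier `ALL FIN,URG,PSH` rule (1 combination) drops; the earlier rule is harmless but redundant.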
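Once the rules are loaded, the LOG rule in INPUT writes one kernel log line per rejected packet, and that is where a port scan shows up: one source address hitting many destination ports. The following is an added example, not part of the original post, that picks such sources out of the log. scan_suspects is a name chosen here, the log lines are constructed for the example with documentation addresses (the field layout is the one the iptables LOG target emits; any --log-prefix appears just before IN=), and the threshold of three ports is arbitrary.

```shell
#!/bin/sh
# Added example, not part of the original post: find port-scan sources in
# the kernel log lines produced by the LOG rule of the INPUT chain above.

# Read iptables LOG lines on stdin and print "SRC count" for every source
# address that probed at least MIN_PORTS distinct destination ports.
scan_suspects() {  # MIN_PORTS
    awk -v min="$1" '
        /IN=/ && /DPT=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair once, however often it repeats
            if (src != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
    ' | sort
}

# Constructed sample (documentation address ranges) in the layout the LOG
# target emits: a SYN scan from 203.0.113.7 across four ports (port 22 hit
# twice) and one stray SYN from 192.0.2.5. MAC= is empty on a ppp interface.
SAMPLE_LOG='Oct 27 21:03:11 host kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1001 PROTO=TCP SPT=41000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 27 21:03:11 host kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1002 PROTO=TCP SPT=41001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 27 21:03:12 host kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1003 PROTO=TCP SPT=41002 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 27 21:03:12 host kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1004 PROTO=TCP SPT=41003 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 27 21:03:13 host kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1005 PROTO=TCP SPT=41004 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 27 21:10:40 host kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.5 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2001 DF PROTO=TCP SPT=53211 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0'

# Sources that touched three or more distinct ports: only the scanner.
printf '%s\n' "$SAMPLE_LOG" | scan_suspects 3
```

On a real box feed it the kernel log instead of the sample, for example `grep 'IN=ppp0' /var/log/kernel.log | scan_suspects 10` (path and threshold depend on your syslog setup). Because the LOG rule sits after the RELATED,ESTABLISHED accept, legitimate replies never appear in these lines; every line is a packet nobody asked for.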
