├── LICENCE
├── Makefile
├── _config.yml
├── custom-examples
│   ├── all-new-limit.sh
│   ├── all-overall-limit.sh
│   ├── fullaccess-hosts.sh
│   ├── http-new-limit.sh
│   ├── http-overall-limit
│   ├── openvpn.sh
│   ├── ssh-new-limit.sh
│   └── ssh-overall-limit.sh
├── etc
│   └── firewall
│       ├── firewall.conf
│       ├── ip-blacklist.conf
│       ├── ip-whitelist.conf
│       └── services.conf
├── firewall
└── readme.md

/LICENCE:
--------------------------------------------------------------------------------
The MIT License (MIT)
Copyright © Bernhard Mäser (http://bmaeser.io) and contributors

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the “Software”), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
.PHONY: install
install: all

all:
	@mkdir -p /etc/firewall /etc/firewall/custom
	@echo "etc folder created"
	@install -m 755 firewall /etc/init.d/firewall
	@echo "Program added to init directory"
	@install -m 644 etc/firewall/*.conf /etc/firewall
	@update-rc.d firewall defaults
	@echo "The program is successfully installed"

.PHONY: uninstall
uninstall:
	@rm -rf /etc/firewall
	@echo "Removed /etc/firewall"
	@rm -f /etc/init.d/firewall
	@echo "Removed /etc/init.d/firewall"
	@update-rc.d firewall remove
	@echo "The program is successfully uninstalled"

--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
theme: jekyll-theme-hacker

--------------------------------------------------------------------------------
/custom-examples/all-new-limit.sh:
--------------------------------------------------------------------------------
#!/bin/bash

## Limit the amount of NEW connections
## to a maximum of $CONNECTIONS per $WINDOW seconds per remote-ip.
## This is useful if someone tries to DoS or SYN-flood your box
## and helps to slow down dictionary attacks.

## hint: if you get messages like "xt_recent: hitcount (120) is larger than packets to be remembered (20)"
## the xt_recent kernel module (called ipt_recent on some systems) is set to remember only 20 packets
## per address. Raise it with the module parameter ip_pkt_list_tot, e.g.
## "options xt_recent ip_pkt_list_tot=120" in a file under /etc/modprobe.d/
## see: https://github.com/bmaeser/iptables-boilerplate/issues/1#issuecomment-8935056

## do not call the window variable SECONDS: that is a bash built-in counter
## (seconds since the shell started) and assigning to it yields a value that
## drifts while the firewall script runs.

## we allow at max 120 new connections per minute
CONNECTIONS=120
WINDOW=60


IPTABLES=/sbin/iptables

## --name keeps this counter separate from the per-port limits
## (ssh-new-limit.sh, http-new-limit.sh), which otherwise all share
## the same "DEFAULT" recent list and count each other's hits
$IPTABLES -A INPUT -p tcp -m state --state NEW -m recent --name all_new --set
$IPTABLES -A INPUT -p tcp -m state --state NEW -m recent --name all_new --update --seconds $WINDOW --hitcount $CONNECTIONS -j DROP

--------------------------------------------------------------------------------
/custom-examples/all-overall-limit.sh:
--------------------------------------------------------------------------------
#!/bin/bash

## Limit the amount of concurrent connections per remote-ip
## (connlimit counts per single address by default; add --connlimit-mask 24
## to count per /24 instead)

CONNECTIONS=30

IPTABLES=/sbin/iptables

$IPTABLES -A INPUT -p tcp --syn -m connlimit --connlimit-above $CONNECTIONS -j REJECT

--------------------------------------------------------------------------------
/custom-examples/fullaccess-hosts.sh:
--------------------------------------------------------------------------------
#!/bin/bash

## Allow some hosts full access to this box.
## Good for hosts like the sysadmin's workstation or a monitoring box.

## configuration:
## add the tag #fullaccess to the host's line in /etc/hosts

## example:

# 192.168.20.55 admin-workstation.example.com admin-workstation #fullaccess

# hint: you could use the whitelist config file (/etc/firewall/ip-whitelist.conf)
# to achieve the same goal

IPTABLES=/sbin/iptables

## only lines that are not themselves commented out and carry the tag
for d in $(awk '$1 !~ /^#/ && /#fullaccess/ { print $1 }' /etc/hosts); do
    $IPTABLES -A INPUT -s "$d" -m state --state NEW -j ACCEPT
done

--------------------------------------------------------------------------------
/custom-examples/http-new-limit.sh:
--------------------------------------------------------------------------------
#!/bin/bash

## Limit the amount of NEW connections on port 80
## to a maximum of $CONNECTIONS per $WINDOW seconds per remote-ip.
## This is useful if someone tries to DoS or SYN-flood your box
## and helps to slow down dictionary attacks.

## this rule does NOT open port 80. It just drops "too many attempts" on port 80

## hint: if you get messages like "xt_recent: hitcount (120) is larger than packets to be remembered (20)"
## the xt_recent kernel module (called ipt_recent on some systems) is set to remember only 20 packets
## per address. Raise it with the module parameter ip_pkt_list_tot, e.g.
## "options xt_recent ip_pkt_list_tot=120" in a file under /etc/modprobe.d/
## see: https://github.com/bmaeser/iptables-boilerplate/issues/1#issuecomment-8935056

## do not call the window variable SECONDS (bash built-in counter, see all-new-limit.sh)

## we allow at max 8 new connections per second
CONNECTIONS=8
WINDOW=1


IPTABLES=/sbin/iptables

$IPTABLES -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --name http_new --set
$IPTABLES -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --name http_new --update --seconds $WINDOW --hitcount $CONNECTIONS -j DROP

--------------------------------------------------------------------------------
/custom-examples/http-overall-limit:
--------------------------------------------------------------------------------
#!/bin/bash

## Limit the amount of concurrent connections on port 80 per remote-ip

## this rule does NOT open port 80. It just rejects "too many connections" on port 80

CONNECTIONS=20

IPTABLES=/sbin/iptables

$IPTABLES -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above $CONNECTIONS -j REJECT

--------------------------------------------------------------------------------
/custom-examples/openvpn.sh:
--------------------------------------------------------------------------------
#!/bin/bash

## allow openvpn clients to relay their internet connection over this host

## note:

# ipv4 forwarding has to be enabled: set ipv4_forwarding=true in
# /etc/firewall/firewall.conf (this also sets the FORWARD policy to ACCEPT)
# clients have to be able to connect to udp-port 1194 (open it in services.conf: 1194/udp)

## the VPN client network: 10.8.0.0/24 is OpenVPN's default "server" network.
## mind the prefix length: /24, not /2 (a /2 would masquerade a quarter of
## the whole IPv4 address space)
VPN_NET=10.8.0.0/24
WAN_IF=eth0

IPTABLES=/sbin/iptables

$IPTABLES -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE

--------------------------------------------------------------------------------
/custom-examples/ssh-new-limit.sh:
--------------------------------------------------------------------------------
#!/bin/bash

## Limit the amount of NEW connections on port 22
## to a maximum of $CONNECTIONS per $WINDOW seconds per remote-ip.
## This is useful if someone tries to DoS or SYN-flood your box
## and helps to slow down dictionary attacks (it counts connection
## attempts, not failed logins, so it is no substitute for key-only authentication).

## this rule does NOT open port 22. It just drops "too many attempts" on port 22

## hint: if you get messages like "xt_recent: hitcount (120) is larger than packets to be remembered (20)"
## the xt_recent kernel module (called ipt_recent on some systems) is set to remember only 20 packets
## per address. Raise it with the module parameter ip_pkt_list_tot, e.g.
## "options xt_recent ip_pkt_list_tot=120" in a file under /etc/modprobe.d/
## see: https://github.com/bmaeser/iptables-boilerplate/issues/1#issuecomment-8935056

## do not call the window variable SECONDS (bash built-in counter, see all-new-limit.sh)

## we allow at max 5 new connections per minute
CONNECTIONS=5
WINDOW=60


IPTABLES=/sbin/iptables

$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh_new --set
$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh_new --update --seconds $WINDOW --hitcount $CONNECTIONS -j DROP

--------------------------------------------------------------------------------
/custom-examples/ssh-overall-limit.sh:
--------------------------------------------------------------------------------
#!/bin/bash

## Limit the amount of concurrent connections on port 22 per remote-ip

## this rule does NOT open port 22. It just rejects "too many connections" on port 22

CONNECTIONS=5

IPTABLES=/sbin/iptables

$IPTABLES -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above $CONNECTIONS -j REJECT

--------------------------------------------------------------------------------
/etc/firewall/firewall.conf:
--------------------------------------------------------------------------------
#
# main firewall config file.
# all settings are on sane defaults. you *really* should know what you
# do if you change them.
#
# this file is sourced by /etc/init.d/firewall as root, i.e. it is executed
# as shell code: keep it owned by root and writable by root only.
#
# please read the readme file or head over to:
# https://github.com/bmaeser/iptables-boilerplate

##################################################################
# IPv4 settings
##################################################################
# set to 'true' if you want to enable ipv4 forwarding
# either value overrides the sysctl setting net.ipv4.ip_forward
ipv4_forwarding=false

# set to 'true' (default) if you want to drop and log invalid packets
drop_invalid=true

# set to 'true' (default) if you want to drop broadcast and multicast
drop_broadcast=true

# set to 'true' (default) if you want the firewall to
# detect portscans and drop+log them
drop_portscan=true

# set to 'true' (default) if you want to accept ICMP redirects only from
# our own gateway (only relevant if block_redirects is set to false)
secure_redirects=true

# set to 'true' (default) if you want to block ICMP redirects
block_redirects=true

# set to 'true' (default) if you want to ignore broadcast/multicast ICMP echo requests
# this keeps the host from being used as a smurf-attack amplifier
ignore_broadcast_icmp=true

# set to 'true' (default) if you want to ignore bogus ICMP error responses
ignore_bogus_errors=true

# set to 'true' (default) if you want to block source-routed packets
block_source_route_packages=true

# set to 'true' (default) if you don't want to proxy ARP
block_proxy_arp=true

# set to 'true' (default) to enable SYN cookies.
# this mitigates SYN-flood attacks
enable_syn_cookies=true

# set to 'true' (default) to enable reverse path filtering (RFC 1812)
# prevents spoofing attacks
enable_reverse_path=true

# set to 'true' (default) to disable relaying of BOOTP
disable_bootp_relay=true

# set to 'true' (default) to disable logging of martian packets
disable_martian_loging=true

# set to 'true' (default) to disable acceptance of source-routed packets
# (same kernel setting as block_source_route_packages)
disable_srr=true

# set to 'true' (default) to enable SACK
enable_sack=true

##################################################################
### IPv6 settings
##################################################################

# set to 'true' (default) to allow ipv6 traffic on the loopback interface
ipv6_loopback_ok=true

# set to 'true' (default) to drop all other ipv6 traffic
ipv6_drop_all=true

# set to 'true' if you want to enable ipv6 forwarding
# either value overrides the sysctl setting net.ipv6.conf.all.forwarding
ipv6_forwarding=false

# set this to 'true' if you want to disable ipv6 completely
ipv6_disabled=false

--------------------------------------------------------------------------------
/etc/firewall/ip-blacklist.conf:
--------------------------------------------------------------------------------
## ADD ALL SOURCE IPs YOU WANT TO COMPLETELY BLOCK
## ONLY ONE IP OR NETWORK PER LINE (only whole-line comments starting with # are skipped)

## SYNTAX:
## n.n.n.n/m.m.m.m - Where n.n.n.n is the IP address range and m.m.m.m is the netmask.
## n.n.n.n/m - Where n.n.n.n is the IP address range and m is the prefix length.

## EXAMPLEs:
#192.168.0.1
#192.168.1.0/24
#192.168.55.0/255.255.255.0
#################################################################

--------------------------------------------------------------------------------
/etc/firewall/ip-whitelist.conf:
--------------------------------------------------------------------------------
## ADD ALL SOURCE IPs YOU WANT TO HAVE FULL ACCESS TO THIS HOST
## ONLY ONE IP OR NETWORK PER LINE (only whole-line comments starting with # are skipped)

## SYNTAX:
## n.n.n.n/m.m.m.m - Where n.n.n.n is the IP address range and m.m.m.m is the netmask.
## n.n.n.n/m - Where n.n.n.n is the IP address range and m is the prefix length.

## EXAMPLEs:
#192.168.0.1
#192.168.1.0/24
#192.168.55.0/255.255.255.0
#################################################################

--------------------------------------------------------------------------------
/etc/firewall/services.conf:
--------------------------------------------------------------------------------
## ADD ALL PORTS YOU WANT TO OPEN ON THE FIREWALL
## ONLY ONE PORT PER LINE

## SYNTAX:
## PORT/PROTOCOL SOURCE
## where PROTOCOL is tcp or udp and SOURCE is the source ip or network
## n.n.n.n/m - Where n.n.n.n is the IP address range and m is the prefix length.
## if SOURCE is empty it defaults to 0.0.0.0/0 (which is any IP)

## EXAMPLEs:

## opens the SSH port for IP 192.168.0.1 only (SSH is TCP only)
# 22/tcp 192.168.0.1

## opens the HTTP port for any IP
# 80/tcp 0.0.0.0/0

## opens the HTTPS port for any IP
# 443/tcp

#################################################################


## SSH open by default (restrict the source if you can, e.g. "22/tcp 192.168.0.0/24")
22/tcp

## HTTP
#80/tcp

## HTTPS (443/udp is only needed if you serve HTTP/3 over QUIC)
#443/tcp
#443/udp

## HTTP - ALT
#8080/tcp

## FTP / FTP-DATA
#21/tcp
#20/tcp

## FTPS-DATA / FTPS
#989/tcp
#990/tcp

## IMAP
#143/tcp

## IMAPS
#993/tcp

## POP3
#110/tcp

## POP3S
#995/tcp

## SMTP
#25/tcp

## SMTPS (implicit TLS)
#465/tcp

## SUBMISSION (STARTTLS)
#587/tcp

## MySQL
#3306/tcp

## PostgreSQL
#5432/tcp

## OPENVPN
#1194/udp

--------------------------------------------------------------------------------
/firewall:
--------------------------------------------------------------------------------
#!/bin/bash

### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs $remote_fs $network
# Required-Stop:     $local_fs $remote_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start/stop iptables-firewall
### END INIT INFO

# Author: Bernhard Mäser

#################################################################

## PLACE THIS FILE at /etc/init.d/firewall
## MAKE SURE IT IS EXECUTABLE (chmod 755 /etc/init.d/firewall)
## UPDATE YOUR RC (update-rc.d firewall defaults)


#################################################################
## BEWARE:
## WE ALLOW ALL --OUTPUT-- IPv4 TRAFFIC BY DEFAULT
##
## /etc/firewall/firewall.conf and every file in /etc/firewall/custom/
## are sourced by this script, i.e. executed as root. Keep them owned
## by root and writable by root only.
#################################################################

IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables

## remove all rules and user-defined chains from every table, so that a
## restart does not stack up duplicate rules (e.g. nat rules added by
## custom scripts). Policies are set explicitly by start/stop.
flush_all() {
    for TABLE in filter nat mangle; do
        $IPTABLES -t $TABLE -F
        $IPTABLES -t $TABLE -X
    done
    for TABLE in filter mangle; do
        $IP6TABLES -t $TABLE -F
        $IP6TABLES -t $TABLE -X
    done
}

case "$1" in
  start)

    #################################################################
    # source configuration
    #################################################################
    if [ -f /etc/firewall/firewall.conf ] ; then
        source /etc/firewall/firewall.conf
    else
        echo "no configuration file found at /etc/firewall/firewall.conf"
        echo "aborting, firewall NOT started"
        exit 1
    fi

    echo "starting firewall..."

    ## DELETE OLD RULES
    flush_all

    #################################################################
    # DEFAULT POLICIES
    #################################################################

    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT

    #################################################################
    # CUSTOM CHAINS
    #################################################################

    ## portscan drop (logging is rate-limited so a scan cannot flood syslog)
    $IPTABLES -N portscan_drop
    $IPTABLES -A portscan_drop -m limit --limit 60/m -j LOG --log-prefix "PORTSCAN DETECTED: "
    $IPTABLES -A portscan_drop -j DROP

    ## invalid drop
    $IPTABLES -N invalid_drop
    $IPTABLES -A invalid_drop -m limit --limit 60/m -j LOG --log-prefix "INVALID PACKET: "
    $IPTABLES -A invalid_drop -j DROP

    #################################################################
    # IPv4 FORWARDING
    #################################################################

    if $ipv4_forwarding ; then
        $IPTABLES -P FORWARD ACCEPT
        ## enable IPv4 forwarding ( ! overrides sysctl settings ! )
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        ## drop IPv4 forwarding
        $IPTABLES -P FORWARD DROP
        ## disable IPv4 forwarding ( ! overrides sysctl settings ! )
        echo 0 > /proc/sys/net/ipv4/ip_forward
        echo 0 > /proc/sys/net/ipv4/conf/all/forwarding
        echo 0 > /proc/sys/net/ipv4/conf/default/forwarding
    fi

    #################################################################
    # ALLOW DEFAULTS
    #################################################################

    ## allow anything on loopback
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    ## DROP EVERYTHING FROM BLACKLIST FILE /etc/firewall/ip-blacklist.conf
    ## (placed first and without a state match: a blacklisted host gets
    ## neither ICMP nor whitelist/service access; only the first word of
    ## each non-comment line is used)
    for IP in $(grep -v '^\s*#' /etc/firewall/ip-blacklist.conf | awk '{ print $1 }'); do
        $IPTABLES -A INPUT -s "$IP" -j DROP
    done

    ## allow all packets that belong to a known connection
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    ##################################################################
    # PORTSCAN DETECTION
    # (before the INVALID check: conntrack flags these flag combinations
    # as INVALID, so placed afterwards they would never be reached and
    # scans would be logged as "INVALID PACKET" instead)
    ##################################################################

    if $drop_portscan ; then
        ## nmap NULL scan / no flags
        $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j portscan_drop
        ## nmap FIN stealth scan
        $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -j portscan_drop
        ## SYN + FIN
        $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j portscan_drop
        ## SYN + RST
        $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j portscan_drop
        ## FIN + RST
        $IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j portscan_drop
        ## FIN + URG + PSH (this is what nmap's XMAS scan, -sX, sends)
        $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j portscan_drop
        ## all six flags set (these two rules are equivalent, and both are
        ## already caught by the SYN + FIN rule above; kept for readability)
        $IPTABLES -A INPUT -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j portscan_drop
        $IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j portscan_drop
        ## FIN/PSH/URG without ACK
        $IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j portscan_drop
        $IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j portscan_drop
        $IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j portscan_drop
    fi

    #################################################################
    # drop and log invalid packets
    #################################################################

    if $drop_invalid ; then
        $IPTABLES -A INPUT -m state --state INVALID -j invalid_drop
        $IPTABLES -A OUTPUT -m state --state INVALID -j invalid_drop
    fi

    ##################################################################
    # BROADCAST AND MULTICAST
    ##################################################################

    if $drop_broadcast ; then
        $IPTABLES -A INPUT -m pkttype --pkt-type broadcast -j DROP
        $IPTABLES -A INPUT -m pkttype --pkt-type multicast -j DROP
    fi

    ## allow ICMP
    $IPTABLES -A INPUT -p icmp -j ACCEPT

    ##################################################################
    # EXTERNAL CONFIGS
    ##################################################################

    ## ACCEPT ALL NEW CONNECTIONS FROM WHITELIST FILE /etc/firewall/ip-whitelist.conf
    for IP in $(grep -v '^\s*#' /etc/firewall/ip-whitelist.conf | awk '{ print $1 }'); do
        $IPTABLES -A INPUT -s "$IP" -m state --state NEW -j ACCEPT
    done

    # EXECUTE ALL CUSTOM SCRIPTS IN /etc/firewall/custom
    # (they are sourced into this shell: they run as root and can use $IPTABLES;
    # they run before the service rules so that rate limits apply first)
    if [ -d /etc/firewall/custom ] && [ "$(ls -A /etc/firewall/custom)" ]; then
        for F in /etc/firewall/custom/*; do
            . "$F"
        done
    fi

    # ALLOWED PORTS/PROTOCOLS FROM /etc/firewall/services.conf
    # line format: PORT/PROTO [SOURCE]   (SOURCE defaults to 0.0.0.0/0)
    grep -v '^\s*#' /etc/firewall/services.conf | while read -r SPEC SRC _; do
        [ -z "$SPEC" ] && continue
        PORT=${SPEC%%/*}
        PROTO=${SPEC##*/}
        case "$PROTO" in
            tcp|udp) ;;
            *) echo "services.conf: skipping '$SPEC' (protocol must be tcp or udp)" >&2 ; continue ;;
        esac
        IP=${SRC:-0.0.0.0/0}
        $IPTABLES -A INPUT -p "$PROTO" -s "$IP" --dport "$PORT" -m state --state NEW -j ACCEPT
    done

    ##################################################################
    # USEFUL OPTIONS ( ! overrides sysctl settings ! )
    ##################################################################

    if $secure_redirects ; then
        ## accept ICMP redirects only from our own gateway
        ## (irrelevant while block_redirects=true)
        echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
        echo 1 > /proc/sys/net/ipv4/conf/default/secure_redirects
    fi

    if $block_redirects ; then
        ## don't accept ICMP redirects
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
        echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
        ## don't send ICMP redirects
        echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
        echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
    fi

    if $ignore_broadcast_icmp ; then
        ## ignore broadcast/multicast ICMP echo requests // smurf-attack prevention
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    fi

    if $ignore_bogus_errors ; then
        ## ignore bogus ICMP error responses
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    fi

    ## don't ignore pings
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    if $block_source_route_packages ; then
        ## allow no source-routed packets
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
        echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route
    fi

    if $block_proxy_arp ; then
        ## we don't want to proxy ARP
        echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
        echo 0 > /proc/sys/net/ipv4/conf/default/proxy_arp
    fi

    if $enable_syn_cookies ; then
        ## enable SYN cookies // SYN-flood mitigation
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
        echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
        echo 5 > /proc/sys/net/ipv4/tcp_syn_retries
        echo 5 > /proc/sys/net/ipv4/tcp_synack_retries
    fi

    if $enable_reverse_path ; then
        ## enable reverse path filter // RFC 1812 // spoofing attack prevention
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
        echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
    fi

    if $disable_bootp_relay ; then
        ## no relaying of BOOTP
        echo 0 > /proc/sys/net/ipv4/conf/all/bootp_relay
        echo 0 > /proc/sys/net/ipv4/conf/default/bootp_relay
    fi

    if $disable_martian_loging ; then
        ## do not log martian packets
        echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
        echo 0 > /proc/sys/net/ipv4/conf/default/log_martians
    fi

    if $disable_srr ; then
        ## don't accept source-routed packets (same knob as block_source_route_packages)
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
        echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route
    fi

    if $enable_sack ; then
        ## enable selective acknowledgements
        echo 1 > /proc/sys/net/ipv4/tcp_sack
        echo 1 > /proc/sys/net/ipv4/tcp_dsack
        ## tcp_fack was removed in Linux 4.15; only touch it where it still exists
        [ -f /proc/sys/net/ipv4/tcp_fack ] && echo 1 > /proc/sys/net/ipv4/tcp_fack
    fi

    #################################################################
    # IPv6
    #################################################################

    if $ipv6_loopback_ok ; then
        ## allow on loopback
        $IP6TABLES -A INPUT -i lo -j ACCEPT
        $IP6TABLES -A OUTPUT -o lo -j ACCEPT
    fi

    if $ipv6_drop_all ; then
        ## drop all other IPv6 traffic
        $IP6TABLES -P INPUT DROP
        $IP6TABLES -P OUTPUT DROP
    fi

    if $ipv6_forwarding ; then
        $IP6TABLES -P FORWARD ACCEPT
        ## enable IPv6 forwarding ( ! overrides sysctl settings ! )
        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    else
        ## drop IPv6 forwarding
        $IP6TABLES -P FORWARD DROP
        ## disable IPv6 forwarding ( ! overrides sysctl settings ! )
        echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
        echo 0 > /proc/sys/net/ipv6/conf/default/forwarding
    fi

    if $ipv6_disabled ; then
        ## disable IPv6 ( ! overrides sysctl settings ! )
        echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
        echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
    fi

    ##################################################################
    # FINAL RULES
    ##################################################################

    ## log all other packets (rate-limited, so a flood cannot fill the logs) and reject them
    $IPTABLES -A INPUT -m limit --limit 60/m -j LOG --log-prefix "INPUT REJECTED: "
    $IPTABLES -A INPUT -j REJECT

    echo "firewall started"
    ;;

  stop)
    echo "stopping firewall..."

    ## delete old rules
    flush_all

    ## allow anything
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT

    ## allow all IPv6 traffic
    $IP6TABLES -P INPUT ACCEPT
    $IP6TABLES -P OUTPUT ACCEPT
    $IP6TABLES -P FORWARD ACCEPT

    echo "firewall stopped (host is unprotected)"
    ;;

  status)
    echo "##################################################################"
    echo "## FILTER"
    echo "##################################################################"
    $IPTABLES -L -vn
    echo "##################################################################"
    echo "## NAT"
    echo "##################################################################"
    $IPTABLES -t nat -L -vn
    echo "##################################################################"
    echo "## MANGLE"
    echo "##################################################################"
    $IPTABLES -t mangle -L -vn
    echo "##################################################################"
    echo "## IPv6 FILTER"
    echo "##################################################################"
    $IP6TABLES -L -vn
    ;;

  version)
    echo "Version: 1.1.1"
    ;;

  restart|reload|force-reload)
    ## start flushes the old rules itself; not calling stop first avoids
    ## a short window in which all policies are ACCEPT
    $0 start
    ;;

  *)
    echo "Usage: $0 {start|stop|restart|reload|force-reload|status|version}"
    exit 1
    ;;

esac

--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
# project unmaintained!

use with caution

# iptables-boilerplate
rock solid default firewall rules for webhosts

## What is this?
iptables-boilerplate is a set of predefined firewall rules that are typically used on "webhosts".
It is not a set of rules designed to secure your home or office network, or to set up a router or gateway.
Think of "lamp" servers.
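A check on the PORTSCAN DETECTION block of the `firewall` script above, added here as an example that is not part of iptables-boilerplate. Each of those rules is `--tcp-flags MASK COMP`, which matches when, among the bits named in MASK, exactly the bits named in COMP are set, and iptables takes the first matching rule. The code below re-implements that matching in Python over the script's own rule list, in the script's order, so you can see which rule a given flag combination hits, confirm that an ordinary TCP session (SYN, SYN/ACK, PSH/ACK, FIN/ACK) is never touched, and find rules that can never fire because an earlier rule already covers every packet they match. The rule labels, function names and sample packets are constructed for this example.

```python
# Added example, not code from iptables-boilerplate: simulate iptables
# "--tcp-flags MASK COMP" matching over the portscan rules the firewall
# script installs, in the order it installs them. Rule labels and the
# sample packets are constructed for this example.

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
FLAG_BITS["ALL"] = 0x3F    # iptables: ALL = FIN,SYN,RST,PSH,ACK,URG
FLAG_BITS["NONE"] = 0x00


def flags_to_int(spec):
    """Turn an iptables flag list such as 'SYN,FIN' into a bitmask."""
    value = 0
    for name in spec.split(","):
        value |= FLAG_BITS[name.strip().upper()]
    return value


# (MASK, COMP, label) for every "--tcp-flags MASK COMP -j portscan_drop" rule
PORTSCAN_RULES = [
    ("ALL", "NONE", "NULL scan"),
    ("ALL", "FIN", "FIN stealth scan"),
    ("SYN,FIN", "SYN,FIN", "SYN+FIN"),
    ("SYN,RST", "SYN,RST", "SYN+RST"),
    ("FIN,RST", "FIN,RST", "FIN+RST"),
    ("ALL", "FIN,URG,PSH", "FIN+URG+PSH"),
    ("ALL", "URG,ACK,PSH,RST,SYN,FIN", "XMAS (all flags)"),
    ("ALL", "ALL", "all flags"),
    ("ACK,FIN", "FIN", "FIN without ACK"),
    ("ACK,PSH", "PSH", "PSH without ACK"),
    ("ACK,URG", "URG", "URG without ACK"),
]


def tcp_flags_match(packet_flags, mask, comp):
    """iptables semantics: look only at the bits in MASK; they must equal COMP exactly."""
    return (packet_flags & flags_to_int(mask)) == flags_to_int(comp)


def classify(packet_flags):
    """Label of the first rule the packet hits (iptables is first-match), or None."""
    for mask, comp, label in PORTSCAN_RULES:
        if tcp_flags_match(packet_flags, mask, comp):
            return label
    return None


def shadowed_rules():
    """Rules that can never fire because every packet they match is caught
    by an earlier rule. Six flag bits means only 64 cases to brute-force."""
    shadowed = []
    for i, (mask, comp, label) in enumerate(PORTSCAN_RULES):
        mine = [p for p in range(64) if tcp_flags_match(p, mask, comp)]
        if all(any(tcp_flags_match(p, m, c) for m, c, _ in PORTSCAN_RULES[:i])
               for p in mine):
            shadowed.append(label)
    return shadowed


def audit(samples):
    """Classify constructed sample packets given as {name: flag spec}."""
    return {name: classify(flags_to_int(spec)) for name, spec in samples.items()}


# Constructed samples: a normal TCP session first, then scan probes.
# A Maimon scan (nmap -sM) sends FIN/ACK, the same flags as a normal
# teardown segment, so flag matching alone cannot tell the two apart.
SAMPLE_PACKETS = {
    "handshake SYN": "SYN",
    "handshake SYN/ACK": "SYN,ACK",
    "data PSH/ACK": "PSH,ACK",
    "teardown FIN/ACK": "FIN,ACK",
    "nmap -sN (NULL)": "NONE",
    "nmap -sF (FIN)": "FIN",
    "nmap -sX (XMAS)": "FIN,PSH,URG",
    "nmap -sM (Maimon, FIN/ACK)": "FIN,ACK",
    "SYN+FIN": "SYN,FIN",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_PACKETS).items():
        print(f"{name:28s} -> {verdict or 'passes on to later rules'}")
    print("rules that never fire:", shadowed_rules())
```

Running it shows two things worth knowing before trusting the log prefixes: the two "all flags" rules are shadowed by the SYN + FIN rule, so a packet with every flag set is dropped and logged as SYN+FIN (harmless, since all of them end in `portscan_drop`), and FIN/ACK probes pass all eleven rules, so catching a Maimon scan is left to conntrack's INVALID check rather than to the flag rules.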

#### iptables-boilerplate is tested on
* Debian 7.0 / Wheezy
* Debian 8.0 / Jessie
* Debian 9.0 / Stretch
* Ubuntu 14.04 LTS / Trusty
* Ubuntu 16.04 LTS / Xenial

The intention was to support every LTS (Ubuntu) and stable (Debian) release; as noted above, the project is no longer maintained.

#### Features
* rock solid defaults
* easily extensible
* one-line opening of ports
* one-line whitelisting of IPs
* one-line blacklisting of IPs
* extensively documented (inline comments)

## Installation

### Easy Install
On Ubuntu and Debian you can use `make` to install or uninstall.

Make sure `make` is installed:

    sudo apt-get install make

And follow these steps to install (GitHub no longer serves the unauthenticated `git://` protocol, so clone over https):

    git clone https://github.com/bmaeser/iptables-boilerplate.git
    cd iptables-boilerplate
    sudo make

To uninstall run:

    sudo make uninstall

### On other systems

create the necessary directories first

    sudo mkdir -p /etc/firewall/custom

check out the github repo and install the files

    git clone https://github.com/bmaeser/iptables-boilerplate.git
    cd iptables-boilerplate
    sudo cp firewall /etc/init.d/firewall
    sudo cp etc/firewall/*.conf /etc/firewall/

make sure the firewall script is executable and update the runlevels

    sudo chmod 755 /etc/init.d/firewall
    sudo update-rc.d firewall defaults

## Configuration

All configuration files are found in /etc/firewall/. firewall.conf and the scripts in custom/ are sourced by the firewall script, i.e. executed as root, so keep everything in /etc/firewall owned by root and writable by root only.

Feel free to read the firewall script itself and comment/uncomment what you like or dislike.

#### firewall.conf
Main firewall config file. All settings are on sane defaults; you really should know what you are doing
if you change them.

#### services.conf
This file is used to open ports for services like ssh or http(s) in your firewall.

###### SYNTAX:

    PORT/PROTOCOL SOURCE

where PROTOCOL is `tcp` or `udp` and SOURCE is the source ip or network

    n.n.n.n/m - Where n.n.n.n is the IP address range and m is the prefix length.

If SOURCE is empty it defaults to 0.0.0.0/0 (which is any IP). Only whole lines starting with `#` are comments.

###### EXAMPLEs:

opens the SSH port for IP 192.168.0.1 only (SSH is TCP only, there is no point in opening 22/udp):

    22/tcp 192.168.0.1

opens the HTTP port for any IP

    80/tcp 0.0.0.0/0

opens the HTTPS port for any IP

    443/tcp

#### ip-whitelist.conf:
Add all source IPs you want to have full access to this host.
One IP or network per line.

###### SYNTAX:

    n.n.n.n/m.m.m.m - Where n.n.n.n is the IP address range and m.m.m.m is the netmask.

    n.n.n.n/m - Where n.n.n.n is the IP address range and m is the prefix length.

###### EXAMPLEs:

    192.168.0.1
    192.168.1.0/24
    192.168.55.0/255.255.255.0

#### ip-blacklist.conf:
Add all source IPs you want to COMPLETELY BLOCK.
One IP or network per line.

###### SYNTAX:

    n.n.n.n/m.m.m.m - Where n.n.n.n is the IP address range and m.m.m.m is the netmask.

    n.n.n.n/m - Where n.n.n.n is the IP address range and m is the prefix length.

###### EXAMPLEs:

    192.168.0.1
    192.168.1.0/24
    192.168.55.0/255.255.255.0

#### custom/*:
Every file/script you place here is sourced (executed as root) when the firewall starts.
Place your custom rules in here.

There are some useful examples in ./custom-examples/ that limit the number of new and concurrent connections per source address, give full access to hosts tagged in /etc/hosts, and masquerade an OpenVPN client network. Copy the ones you want into /etc/firewall/custom/.

## Usage
If you updated your runlevels, the firewall starts every time you boot your system.
However, you can manually start/stop/restart it, e.g. to apply changed settings.

    /etc/init.d/firewall (start|stop|restart|reload|force-reload|status|version)

* start: starts the firewall (existing rules are flushed first)
* stop: stops the firewall and sets all policies to ACCEPT; the host is unprotected until the next start
* restart, reload, force-reload: restarts the firewall (all three are the same)
* status: prints the status of the firewall, i.e. all entries in iptables and ip6tables
* version: prints the version of iptables-boilerplate

## How to contribute
fork + hack + pull request please :-)

thx


## Licence
The MIT License (MIT)
Copyright © Bernhard Mäser (http://bmaeser.io) and contributors

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the “Software”), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
--------------------------------------------------------------------------------
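The README documents the formats of services.conf, ip-whitelist.conf and ip-blacklist.conf, and the `firewall` script reads them with shell loops that validate nothing: a protocol typo such as `993/upd` only surfaces as an iptables error at boot, and an entry like `192.168.1.0/8` is accepted by iptables and silently installed as `192.0.0.0/8`. The following pre-flight checker is an added example and not part of iptables-boilerplate. It parses the three files with the README's line conventions, rejects bad ports and protocols, non-contiguous dotted masks and networks with host bits set, reports whitelist entries that overlap a blacklist entry (whichever rule is installed first wins, so such pairs deserve a look), and produces the iptables commands for the valid lines. The blacklist-first output order is a conservative choice made for this example; the function names and the sample file contents are constructed.

```python
# Added example, not code from iptables-boilerplate: a pre-flight checker for
# /et/firewall/services.conf, ip-whitelist.conf and ip-blacklist.conf.
# Function names and the sample file contents are constructed for this example.
import ipaddress
import re

SERVICE_RE = re.compile(r"^(\d{1,5})/(tcp|udp)$")
ANY = ipaddress.ip_network("0.0.0.0/0")


def config_lines(text):
    """Yield (lineno, line) for lines that carry content; '#' starts a comment."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield lineno, line


def parse_network(token):
    """Accept a.b.c.d, a.b.c.d/m or a.b.c.d/m.m.m.m. strict=True rejects
    networks with host bits set (iptables would silently mask them away);
    the ipaddress module itself rejects non-contiguous dotted masks."""
    try:
        return ipaddress.ip_network(token, strict=True)
    except ValueError as exc:
        raise ValueError(f"bad network {token!r}: {exc}") from None


def parse_ip_list(text):
    """ip-whitelist.conf / ip-blacklist.conf: first word of each line is a network."""
    nets, errors = [], []
    for lineno, line in config_lines(text):
        try:
            nets.append(parse_network(line.split()[0]))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return nets, errors


def parse_services(text):
    """services.conf: 'PORT/PROTO [SOURCE]' -> list of (port, proto, source network)."""
    rules, errors = [], []
    for lineno, line in config_lines(text):
        fields = line.split()
        match = SERVICE_RE.match(fields[0])
        if not match or not 1 <= int(match.group(1)) <= 65535 or len(fields) > 2:
            errors.append(f"line {lineno}: {line!r} is not PORT/tcp|udp [SOURCE]")
            continue
        try:
            src = parse_network(fields[1]) if len(fields) == 2 else ANY
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        rules.append((int(match.group(1)), match.group(2), src))
    return rules, errors


def conflicts(whitelist, blacklist):
    """Whitelist/blacklist pairs that overlap: the first installed rule wins."""
    return [(w, b) for w in whitelist for b in blacklist if w.overlaps(b)]


def render_rules(services, whitelist, blacklist):
    """iptables commands for the valid lines, blacklist first (this example's choice)."""
    cmds = [f"iptables -A INPUT -s {n} -j DROP" for n in blacklist]
    cmds += [f"iptables -A INPUT -s {n} -m state --state NEW -j ACCEPT" for n in whitelist]
    cmds += [f"iptables -A INPUT -p {proto} -s {src} --dport {port} -m state --state NEW -j ACCEPT"
             for port, proto, src in services]
    return cmds


def check_configs(services_text, whitelist_text, blacklist_text):
    """Validate all three files; return errors, overlaps and the rules for the valid lines."""
    services, errors = parse_services(services_text)
    whitelist, werrors = parse_ip_list(whitelist_text)
    blacklist, berrors = parse_ip_list(blacklist_text)
    return {"errors": errors + werrors + berrors,
            "conflicts": conflicts(whitelist, blacklist),
            "rules": render_rules(services, whitelist, blacklist)}


# Constructed sample files: three good service lines and two bad ones,
# one whitelisted admin host, and a blacklist with two broken entries.
SAMPLE_SERVICES = """\
## SSH from the admin network only
22/tcp 192.168.0.0/24
80/tcp
443/tcp 0.0.0.0/0
993/upd
70000/tcp
"""
SAMPLE_WHITELIST = "192.168.0.10\n"
SAMPLE_BLACKLIST = """\
192.168.1.0/8
192.168.55.0/255.255.255.148
203.0.113.0/24
192.168.0.0/16
"""

if __name__ == "__main__":
    result = check_configs(SAMPLE_SERVICES, SAMPLE_WHITELIST, SAMPLE_BLACKLIST)
    for section in ("errors", "conflicts", "rules"):
        print(f"== {section}")
        for item in result[section]:
            print("  ", item)
```

Run it against the real files (`check_configs(open("/etc/firewall/services.conf").read(), ...)`) before `/etc/init.d/firewall start`; with the constructed samples it reports four errors, one whitelist/blacklist overlap (192.168.0.10 inside 192.168.0.0/16) and six rules.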