Standaard firewall script LINUX

Op basis van iptables



Onderstaand script is een standaard firewall script voor een Linux firewall. Het is volledig naar behoefte aan te passen.

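# Basic iptables firewall for a Linux gateway with one external interface
# (eth0, Internet side) and one internal interface (eth1, LAN side):
#  - default DROP on INPUT, OUTPUT and FORWARD,
#  - kernel anti-spoofing hardening via /proc/sys/net/ipv4,
#  - masquerading (NAT) for the LAN, return traffic only for connections
#    the LAN opened,
#  - a small set of explicitly allowed services (DNS, time, traceroute,
#    auth, HTTP, rate-limited ICMP).
# Must be run as root. Adjust the interface and network variables below to
# the local setup; every later rule is built from them.

# An unset variable would silently widen a rule (e.g. "-s  -j ACCEPT"),
# so treat it as a fatal error instead.
set -u

# Print a message to stderr and stop.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Write one value to every /proc/sys/net/ipv4/conf/*/<knob> entry.
# Arguments: $1 - knob name (e.g. rp_filter), $2 - value to write
set_ipv4_conf() {
  local knob=$1
  local value=$2
  local f
  for f in /proc/sys/net/ipv4/conf/*/"$knob"; do
    echo "$value" > "$f"
  done
}

# Location of the iptables binary
IPTABLES="/sbin/iptables"

# Interfaces
LOOPBACK_INTERFACE="lo"
INTERNAL_INTERFACE="eth1"
EXTERNAL_INTERFACE="eth0"

# Preflight: writing /proc/sys and the ruleset needs root, and a missing
# binary must not leave the kernel half-configured.
(( EUID == 0 )) || die "this script must be run as root"
[[ -x "$IPTABLES" ]] || die "iptables not found at $IPTABLES"

# IP addresses
# Take only the first IPv4 "inet" line; an unanchored 'grep inet' would also
# match "inet6" lines. Older net-tools prints the field as "addr:x.x.x.x".
IPADDR=$(/sbin/ifconfig "$EXTERNAL_INTERFACE" | awk '$1 == "inet" { print $2; exit }')
IPADDR=${IPADDR#addr:}
ipv4_re='^[0-9]+(\.[0-9]+){3}$'
[[ "$IPADDR" =~ $ipv4_re ]] \
  || die "could not determine the IPv4 address of $EXTERNAL_INTERFACE"
LAN_IPADDR="a.b.c.d" #### Fill in your LAN IP address here #### (not used by the rules below)

# Networks
LAN="192.168.1.0/24"
ANYWHERE="0.0.0.0/0"
LOOPBACK="127.0.0.1"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"

# Ports
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"

# Default policies first, so that the flush below never leaves a window in
# which an empty filter table accepts everything.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P OUTPUT DROP

"$IPTABLES" -t nat -P PREROUTING ACCEPT
"$IPTABLES" -t nat -P POSTROUTING ACCEPT
"$IPTABLES" -t nat -P OUTPUT ACCEPT
"$IPTABLES" -t mangle -P PREROUTING ACCEPT
"$IPTABLES" -t mangle -P OUTPUT ACCEPT

# Flush all rules, delete user-defined chains and zero the counters in
# every table ("filter" is the table the original unqualified calls used).
for table in filter nat mangle; do
  "$IPTABLES" -t "$table" -F
  "$IPTABLES" -t "$table" -X
  "$IPTABLES" -t "$table" -Z
done

## Enable IP forwarding (this host routes for the LAN)
echo 1 > /proc/sys/net/ipv4/ip_forward

## Reverse-path filtering: drop packets whose source is not reachable via
## the interface they arrived on (IP spoofing protection)
set_ipv4_conf rp_filter 1

## Do not accept ICMP redirects
set_ipv4_conf accept_redirects 0

## Do not send ICMP redirects
set_ipv4_conf send_redirects 0

## Do not accept source-routed packets
set_ipv4_conf accept_source_route 0

## Log spoofed, source-routed and redirected packets
set_ipv4_conf log_martians 1

## TCP SYN cookies (SYN flood protection)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

## Ignore ICMP echo requests sent to broadcast addresses (smurf protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

## Ignore bogus ICMP error responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

## Enable the kernel's "dynamic address hacking" for dial-up style links
## whose external address can change
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

## Log and drop all fragmented packets arriving on the external interface
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -f -j LOG --log-prefix "FRAGMENT! "
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -f -j DROP

## Log and drop anything claiming a loopback or private source address on
## the external interface (such sources cannot legitimately arrive there)
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -s "$LOOPBACK" -j LOG --log-prefix "SPOOFING! "
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -s "$CLASS_A" -j LOG --log-prefix "CLASS A ADDRESS! "
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -s "$CLASS_B" -j LOG --log-prefix "CLASS B ADDRESS! "
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -s "$CLASS_C" -j LOG --log-prefix "CLASS C ADDRESS! "
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -s "$LOOPBACK" -j DROP
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -s "$CLASS_A" -j DROP
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -s "$CLASS_B" -j DROP
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -s "$CLASS_C" -j DROP

## Unrestricted traffic on the loopback interface
"$IPTABLES" -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

## Unrestricted traffic on the internal interface
"$IPTABLES" -A INPUT -i "$INTERNAL_INTERFACE" -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$INTERNAL_INTERFACE" -j ACCEPT

# IP NAT: masquerade the LAN behind the external address.
# Negation is written as "! -d" (extrapositioned); the "-d !" form is
# deprecated in current iptables releases.
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTERNAL_INTERFACE" -j MASQUERADE
"$IPTABLES" -A FORWARD -i "$INTERNAL_INTERFACE" -o "$EXTERNAL_INTERFACE" \
  -s "$LAN" ! -d "$LAN" -j ACCEPT
# Return path: only replies to connections the LAN opened. Without the state
# match any packet carrying a LAN destination would be forwarded inwards.
"$IPTABLES" -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$INTERNAL_INTERFACE" \
  ! -s "$LAN" -d "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

## Accept a few ICMP types, rate limited.
## Inbound: echo reply (0), destination unreachable (3), redirect (5; the
## kernel ignores these anyway because accept_redirects is 0 above) and
## echo request (8) at 2/s, time exceeded (11) at 10/s.
for icmp_type in 0 3 5 8; do
  "$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp --icmp-type "$icmp_type" \
    -s "$ANYWHERE" -d "$IPADDR" -m limit --limit 2/s -j ACCEPT
done
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp --icmp-type 11 \
  -s "$ANYWHERE" -d "$IPADDR" -m limit --limit 10/s -j ACCEPT

## Outbound: destination unreachable (3), echo request (8), echo reply (0)
## at 2/s, time exceeded (11) at 10/s.
for icmp_type in 3 8 0; do
  "$IPTABLES" -A OUTPUT -o "$EXTERNAL_INTERFACE" -p icmp --icmp-type "$icmp_type" \
    -s "$IPADDR" -d "$ANYWHERE" -m limit --limit 2/s -j ACCEPT
done
"$IPTABLES" -A OUTPUT -o "$EXTERNAL_INTERFACE" -p icmp --icmp-type 11 \
  -s "$IPADDR" -d "$ANYWHERE" -m limit --limit 10/s -j ACCEPT

# Established TCP traffic in both directions, plus new outbound connections
# (SYN without ACK) from this host to anywhere.
"$IPTABLES" -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp -m state --state ESTABLISHED,RELATED \
  -s "$IPADDR" -d "$ANYWHERE" -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp -m state --state ESTABLISHED,RELATED \
  -s "$ANYWHERE" -d "$IPADDR" -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp --tcp-flags ACK,SYN SYN \
  -s "$IPADDR" -d "$ANYWHERE" -j ACCEPT

## DNS as a client: queries out, replies in.
## The inbound reply rule is tied to conntrack state so that an arbitrary
## packet with source port 53 does not reach every unprivileged port.
"$IPTABLES" -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp -s "$IPADDR" -d "$ANYWHERE" \
  --source-port "$UNPRIVPORTS" --destination-port 53 -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -p udp -s "$ANYWHERE" -d "$IPADDR" \
  --source-port 53 --destination-port "$UNPRIVPORTS" -m state --state ESTABLISHED -j ACCEPT

## DNS as a server: queries in (TCP and UDP), replies out
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp -s "$ANYWHERE" -d "$IPADDR" \
  --source-port "$UNPRIVPORTS" --destination-port 53 -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" -d "$ANYWHERE" \
  --source-port 53 --destination-port "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -p udp -s "$ANYWHERE" -d "$IPADDR" \
  --source-port "$UNPRIVPORTS" --destination-port 53 -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp -s "$IPADDR" -d "$ANYWHERE" \
  --source-port 53 --destination-port "$UNPRIVPORTS" -j ACCEPT

## traceroute (UDP probes in the conventional port range), both directions
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -p udp -s "$ANYWHERE" -d "$IPADDR" \
  --source-port 32769:65535 --destination-port 33434:33523 -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp -s "$IPADDR" -d "$ANYWHERE" \
  --source-port 32769:65535 --destination-port 33434:33523 -j ACCEPT

## time protocol (UDP 37) as a client; replies tied to conntrack state as
## for DNS above
"$IPTABLES" -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp -s "$IPADDR" -d "$ANYWHERE" \
  --source-port "$UNPRIVPORTS" --destination-port 37 -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -p udp -s "$ANYWHERE" -d "$IPADDR" \
  --source-port 37 --destination-port "$UNPRIVPORTS" -m state --state ESTABLISHED -j ACCEPT

## Accept auth/ident requests (avoids timeouts on the remote side)
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp -s "$ANYWHERE" -d "$IPADDR" \
  --source-port "$UNPRIVPORTS" --destination-port 113 -j ACCEPT

## Expose the HTTP server to the outside world
"$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp -s "$ANYWHERE" -d "$IPADDR" \
  --source-port "$UNPRIVPORTS" --destination-port 80 -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" -d "$ANYWHERE" \
  --source-port 80 --destination-port "$UNPRIVPORTS" -j ACCEPT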







