Index: TipAndDoc/iptables/setfilter =================================================================== --- TipAndDoc/iptables/setfilter (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) +++ TipAndDoc/iptables/setfilter (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) @@ -0,0 +1,105 @@ +#!/bin/sh -e + +### BEGIN INIT INFO +# Provides: setfilter +# Required-Start: ufw +# Required-Stop: +# Default-Start: S +# Default-Stop: +# Short-Description: set network filters with iptables +### END INIT INFO + +PATH="/sbin:/bin:/usr/sbin:/usr/bin" + +. /lib/lsb/init-functions + +if [ -s /etc/ufw/ufw.conf ]; then + . /etc/ufw/ufw.conf +else + log_failure_msg "Could not find /etc/ufw/ufw.conf (aborting)" + exit 1 +fi + +RULES_PATH="/etc/ufw" + +case "$1" in +start) + if iptables -L LOG_ICMP -t raw -n >/dev/null 2>&1 ; then + # if firewall loaded, tell to reload instead + log_action_msg "Network filter already started, use 'force-reload'" + exit 0 + fi + if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then + log_action_begin_msg "Setting network filter" + error="" + + tables="raw mangle nat" + for table in $tables + do + RULES="$RULES_PATH/$table.rules" + + #flush the chains + iptables -F -t $table || error="yes" + iptables -X -t $table || error="yes" + + if [ -s "$RULES" ]; then + if ! iptables-restore -n < $RULES ; then + log_action_cont_msg "Problem running '$RULES'" + error="yes" + fi + else + log_action_cont_msg "Couldn't find '$RULES'" + fi + done + + if [ "$error" = "yes" ]; then + log_action_end_msg 1 + exit 1 + else + log_action_end_msg 0 + fi + else + log_action_begin_msg "Skipping network filter (not enabled)" + log_action_end_msg 0 + fi + ;; +stop) + if [ "$ENABLED" != "yes" ] && [ "$ENABLED" != "YES" ]; then + log_action_begin_msg "Skipping network filter (not enabled)" + log_action_end_msg 0 + exit 0 + fi + + log_action_begin_msg "Stopping network filter" + error="" + + tables="raw mangle nat" + for table in $tables + do + iptables -F -t $table || error="yes" + iptables -X -t $table || error="yes" + done + + if [ "$error" = "yes" ]; then + log_action_end_msg 1 + exit 1 + else + log_action_end_msg 0 + fi + ;; +restart|force-reload) + if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then + $0 stop + $0 start + else + log_warning_msg "Skipping $1 (not enabled)" + fi + ;; +*) + echo "Usage: /etc/init.d/setfilter {start|stop|restart|force-reload}" + exit 1 + ;; +esac + +exit 0 + Index: TipAndDoc/iptables/setlan2wan.sh =================================================================== --- TipAndDoc/iptables/setlan2wan.sh (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) +++ TipAndDoc/iptables/setlan2wan.sh (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) @@ -0,0 +1,35 @@ +#!/bin/sh + +# enable access to WAN device on router node from LAN clients +# + +set -x + +## INTERFACES(5) +# IFACE physical name of the interface being processed +# METHOD method of the interface (e.g., static) +# MODE start if run from ifup, stop if run from ifdown +# PHASE as per MODE, but with finer granularity, distinguishing the pre- +# up, post-up, pre-down and post-down phases. + +LANIF="${1:?"usage: $0 "}" +LANIP="${2:?"usage: $0 "}" + +WANIP=`/sbin/ip addr show dev ${IFACE} | grep -w inet | tr -s ' ' | cut -d ' ' -f 3 | cut -d / -f 1` + +if [ "${PHASE}" = "pre-down" ]; then + # delete rule and exit + /sbin/iptables -t nat -D PREROUTING -i ${LANIF} -d ${WANIP} -j DNAT --to-destination ${LANIP} + echo "remove rule for access to WAN device on router node from LAN clients" + exit +fi + + +# set rule +( +sleep 60 + +/sbin/iptables -t nat -A PREROUTING -i ${LANIF} -d ${WANIP} -j DNAT --to-destination ${LANIP} +echo "set rule for access to WAN device on router node from LAN clients" + +) & Index: TipAndDoc/iptables/setmasq.sh =================================================================== --- TipAndDoc/iptables/setmasq.sh (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) +++ TipAndDoc/iptables/setmasq.sh (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) @@ -0,0 +1,26 @@ +#!/bin/sh + +# set IP MASQUERADE with post-up command in INTERFACES(5) + + +set -x + +## INTERFACES(5) +# IFACE physical name of the interface being processed +# METHOD method of the interface (e.g., static) +# MODE start if run from ifup, stop if run from ifdown +# PHASE as per MODE, but with finer granularity, distinguishing the pre- +# up, post-up, pre-down and post-down phases. + +# optional argument to set default gateway devices connected to WAN manually +# (try each of them in order) + +if [ "${PHASE}" = "post-down" ]; then + # remove MASQUERADE rule and exit + /sbin/iptables -t nat -D POSTROUTING -o ${IFACE} -j MASQUERADE + exit +fi + + +# set MASQUERADE rule +/sbin/iptables -t nat -A POSTROUTING -o ${IFACE} -j MASQUERADE Index: TipAndDoc/iptables/setnapt.sh =================================================================== --- TipAndDoc/iptables/setnapt.sh (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) +++ TipAndDoc/iptables/setnapt.sh (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) @@ -0,0 +1,54 @@ +#!/bin/sh + +# set IP MASQUERADE for listed devices +# this script must be set on the LAN gateway device + + +set -x + +## INTERFACES(5) +# IFACE physical name of the interface being processed +# METHOD method of the interface (e.g., static) +# MODE start if run from ifup, stop if run from ifdown +# PHASE as per MODE, but with finer granularity, distinguishing the pre- +# up, post-up, pre-down and post-down phases. + +# optional argument to set default gateway devices connected to WAN manually +# (try each of them in order) +GATEWAYS="$@" + +if [ "${PHASE}" = "post-down" ]; then + # flush POSTROUTING chain and exit + /sbin/iptables -t nat -F POSTROUTING + exit +fi + + +( + +# wait for initialization of WAN device with DHCPd +sleep 60 + +if [ -z "${GATEWAYS}" ]; then + GATEWAYS=`/sbin/ip route show table main | grep -w default | tr -s ' ' | cut -d ' ' -f 5` +fi + +for GW in ${GATEWAYS}; do + if [ ${GW} = ${IFACE} ]; then + # skip if device is the LAN gateway + continue + fi + + IPADDR=`/sbin/ip addr show dev ${GW} | grep -w inet | tr -s ' ' | cut -d ' ' -f 3 | cut -d / -f 1` + if [ -z "${IPADDR}" ]; then + # device doesn't seem to have an IP address + continue + fi + + ## set masquerade rule to all devices + # because there is no way to know which one is default gateway + # without manual specification + /sbin/iptables -t nat -A POSTROUTING -o ${GW} -j MASQUERADE +done + +) & Index: TipAndDoc/iptables/ufw/after.rules =================================================================== --- TipAndDoc/iptables/ufw/after.rules (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) +++ TipAndDoc/iptables/ufw/after.rules (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) @@ -0,0 +1,37 @@ +# +# rules.input-after +# +# Rules that should be run after the ufw command line added rules. Custom +# rules should be added to one of these chains: +# ufw-after-input +# ufw-after-output +# ufw-after-forward +# + +# Don't delete these required lines, otherwise there will be errors +*filter +:ufw-after-input - [0:0] +:ufw-after-output - [0:0] +:ufw-after-forward - [0:0] +# End required lines + +## allow connections to the local services from WAN +# ssh 22/tcp +-A ufw-after-input -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT +# https 443/tcp +-A ufw-after-input -p tcp --syn -m state --state NEW --dport 443 -j ACCEPT + +# don't log noisy services by default +-A ufw-after-input -p udp --dport 137 -j RETURN +-A ufw-after-input -p udp --dport 138 -j RETURN +-A ufw-after-input -p tcp --dport 139 -j RETURN +-A ufw-after-input -p tcp --dport 445 -j RETURN +-A ufw-after-input -p udp --dport 67 -j RETURN +-A ufw-after-input -p udp --dport 68 -j RETURN + +# catchall for logging +-A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: " --log-level err +-A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: " --log-level err + +# don't delete the 'COMMIT' line or these rules won't be processed +COMMIT Index: TipAndDoc/iptables/ufw/before.rules =================================================================== --- TipAndDoc/iptables/ufw/before.rules (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) +++ TipAndDoc/iptables/ufw/before.rules (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) @@ -0,0 +1,90 @@ +# +# rules.before +# +# Rules that should be run before the ufw command line added rules. Custom +# rules should be added to one of these chains: +# ufw-before-input +# ufw-before-output +# ufw-before-forward +# + +# Don't delete these required lines, otherwise there will be errors +*filter +:ufw-before-input - [0:0] +:ufw-before-output - [0:0] +:ufw-before-forward - [0:0] +:ufw-not-local - [0:0] +# End required lines + + +# allow all on loopback +-A ufw-before-input -i lo -j ACCEPT +-A ufw-before-output -i lo -j ACCEPT + +# connection tracking rules +-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + +# drop INVALID packets +# uncomment to log INVALID packets +-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: " --log-level err -m limit --limit 3/min --limit-burst 10 +-A ufw-before-input -m conntrack --ctstate INVALID -j DROP + +## Ingress filter (see RFC 2827) (eth0:LAN<192.168.100.0/24>) +-A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j LOG --log-tcp-options --log-ip-options --log-prefix "[UFW BLOCK LOG_INGRESS]: " --log-level err -m limit --limit 3/min --limit-burst 10 +-A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j DROP + +## DROP CIFS(Samba) access from/to WAN(eth1) +-A ufw-before-input -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP +-A ufw-before-input -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP +-A ufw-before-forward -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP +-A ufw-before-forward -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP +-A ufw-before-forward -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP +-A ufw-before-forward -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP +-A ufw-before-output -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP +-A ufw-before-output -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP + +## Access from LAN +-A ufw-before-input -i eth0 -j ACCEPT +-A ufw-before-forward -i eth0 -j ACCEPT + +# connection tracking for outbound +-A ufw-before-output -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +-A ufw-before-output -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + +# ok icmp codes +-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT +-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT +-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT +-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT +-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT + +# allow dhcp client to work +-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT + +# +# ufw-not-local +# +-A ufw-before-input -j ufw-not-local + +# if LOCAL, RETURN +-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN + +# if MULTICAST, RETURN +-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN + +# if BROADCAST, RETURN +-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN + +-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: " --log-level err + +# all other non-local packets are dropped +-A ufw-not-local -j DROP + +# allow MULTICAST, be sure the MULTICAST line above is uncommented +-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT +-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT + + +# don't delete the 'COMMIT' line or these rules won't be processed +COMMIT Index: TipAndDoc/iptables/ufw/mangle.rules =================================================================== --- TipAndDoc/iptables/ufw/mangle.rules (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) +++ TipAndDoc/iptables/ufw/mangle.rules (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) @@ -0,0 +1,12 @@ +# +# This file is used by /etc/init.d/setfilter +# +# Rules that should be stored in mangle table. + + +*mangle +# to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets +# see iptables(8) +-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + +COMMIT Index: TipAndDoc/iptables/ufw/nat.rules =================================================================== --- TipAndDoc/iptables/ufw/nat.rules (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) +++ TipAndDoc/iptables/ufw/nat.rules (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) @@ -0,0 +1,18 @@ +# +# This file is used by /etc/init.d/setfilter +# +# Rules that should be stored in nat table. +# These are mainly used to IP MASQUERADE and REDIRECT. + + +*nat + +## port REDIRECT to local services +# 8443/tcp -> 443/tcp +-A PREROUTING -p tcp --dport 8443 -j REDIRECT --to-port 443 +# WAN 8000/tcp -> 443/tcp +-A PREROUTING -p tcp -i eth1 --dport 8000 -j REDIRECT --to-port 443 +# LAN 8000/tcp -> 22/tcp +-A PREROUTING -p tcp -i eth0 --dport 8000 -j REDIRECT --to-port 22 + +COMMIT Index: TipAndDoc/iptables/ufw/raw.rules =================================================================== --- TipAndDoc/iptables/ufw/raw.rules (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) +++ TipAndDoc/iptables/ufw/raw.rules (revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e) @@ -0,0 +1,33 @@ +# +# This file is used by /etc/init.d/setfilter +# +# Rules that should be stored in raw table. +# These are mainly used to filter evil or wrong packets. + + +*raw +:LOG_ICMP - [0:0] +:LOG_SPOOF - [0:0] + +## LOG and DROP fragmented packets (not head fragments) +-A PREROUTING --fragment -j LOG --log-prefix "[UFW BLOCK FRAGMENTED]: " --log-level err -m limit --limit 3/min --limit-burst 10 +-A PREROUTING --fragment -j DROP + +## LOG and DROP strange icmp packets +-A LOG_ICMP -j LOG --log-prefix "[UFW BLOCK BAD-ICMP]: " --log-level err -m limit --limit 3/min --limit-burst 10 +-A LOG_ICMP -j DROP +# Too large icmp requests +-A PREROUTING -p icmp --icmp-type echo-request -m length --length 128: -j LOG_ICMP +# Too many times of icmp requests (only 5 packets per second if over 10pkts/sec) +-A PREROUTING -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT +-A PREROUTING -p icmp --icmp-type echo-request -j LOG_ICMP + +## LOG and DROP IP spoofing (eth1:WAN) +-A LOG_SPOOF -j LOG --log-prefix "[UFW BLOCK IP-SPOOFING]: " --log-level err -m limit --limit 3/min --limit-burst 10 +-A LOG_SPOOF -j DROP +-A PREROUTING -i eth1 -s 127.0.0.0/8 -j LOG_SPOOF +-A PREROUTING -i eth1 -s 10.0.0.0/8 -j LOG_SPOOF +-A PREROUTING -i eth1 -s 172.16.0.0/12 -j LOG_SPOOF +-A PREROUTING -i eth1 -s 192.168.0.0/16 -j LOG_SPOOF + +COMMIT