Firewallscript zum blocken von FTP-Bruteforce-Attacken, IP-Spoofing und Stealth-Scans


So. Hier ist nun das neue Script. Vorgehensweise ist die gleiche wie bei der älteren Version.



  #!/bin/sh
  # description: Enable IPTABLES Firewalling
  #               
  # processname: iptables
  #
 
  # Set FWDEBUG=0 to actually apply the rules; with 1 the iptables/modprobe/
  # rmmod calls are only printed (see the dry-run block at the bottom).
  FWDEBUG=1

  NAME=iptables
  DESC="stateful firewall"
  # tables that are flushed on start/stop and listed on status
  TABLES="filter nat"

  # tool locations
  IPT=/sbin/iptables   # iptables
  IM=/sbin/modprobe    # modprobe
  RMM=/sbin/rmmod      # rmmod

  # interface whose traffic is handed to the in_main chain
  MAIN_IF="eth0"

  # trusted host/network (allowed to reach ssh, snmp and nrpe)
  TRUSTED="213.95.21.6"

  # monitoring hosts (same access as TRUSTED)
  MONITOR="62.128.1.61 62.128.1.60"

  # this host's own address; packets claiming to come from it are dropped
  LOCALIP="192.168.1.3"

  # uncomment for loadbalancing
  #LB_PORTS="80 443"      # Loadbalanced ports
  #V_HOST="xx.xx.xx.xx"   # Loadbalancer virtual ipaddress

  # dry run: prefix every tool with echo so commands are shown, not executed
  case "$FWDEBUG" in
    1)
      IPT="echo $IPT"
      IM="echo $IM"
      RMM="echo $RMM"
      ;;
  esac
 
 
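  case "$1" in
    start)
      # In debug mode nothing is applied: IPT/IM are prefixed with "echo"
      # above, so the would-be commands are only printed.
      if [ "$FWDEBUG" = "1" ]; then
        echo "NOT Starting $DESC. The following rules would be applied:"
      else
        # printf instead of 'echo -n': under dash/POSIX sh, echo prints "-n"
        printf '%s' "Starting $DESC: "
      fi

      # load extra kernel modules; ip_conntrack_ftp tracks the FTP data
      # connection so it can be accepted as RELATED in in_main
      $IM ip_tables
      $IM ip_conntrack_ftp
      $IM ip_conntrack

      # this host does not route. In debug mode only show the write instead
      # of changing the live kernel setting.
      if [ "$FWDEBUG" = "1" ]; then
        echo "echo 0 > /proc/sys/net/ipv4/ip_forward"
      else
        echo 0 > /proc/sys/net/ipv4/ip_forward
      fi

      # default policies: drop all inbound/forwarded traffic that is not
      # explicitly accepted, allow all outbound
      $IPT -P FORWARD DROP
      $IPT -P INPUT DROP
      $IPT -P OUTPUT ACCEPT
      # flush all rules (-F) and delete user-defined chains (-X) per table
      for tbl in $TABLES; do
        $IPT -t "$tbl" -F
        $IPT -t "$tbl" -X
      done

      # user-defined chains:
      #   clean     - log and reject/drop whatever reaches the end of in_main
      #   in_main   - all filtering for traffic arriving on MAIN_IF
      #   FTP_CHECK - rate limiting of new FTP connections
      $IPT -N clean
      $IPT -N in_main
      $IPT -N FTP_CHECK

      # clean: NetBIOS noise is dropped silently; everything else is logged
      # (rate limited to 1/s) and rejected so the sender gets a clean error
      $IPT -A clean -p udp --dport 135:139 -j DROP
      $IPT -A clean -j LOG --log-prefix "rejected " -m limit --limit 1/sec
      $IPT -A clean -p tcp -j REJECT --reject-with tcp-reset
      $IPT -A clean -p udp -j REJECT --reject-with icmp-port-unreachable
      $IPT -A clean -j DROP

      # INPUT: drop packets conntrack cannot classify, rate-limit new FTP
      # connections (this runs before the lo ACCEPT, so local FTP clients are
      # counted too), accept loopback, hand MAIN_IF traffic to in_main.
      # Traffic on any other interface falls through to the DROP policy.
      $IPT -A INPUT -j DROP -m state --state INVALID
      $IPT -A INPUT -p tcp --dport ftp -m state --state NEW -j FTP_CHECK
      $IPT -A INPUT -j ACCEPT -i lo
      $IPT -A INPUT -j in_main -i "$MAIN_IF"

      # in_main: replies to our own connections (incl. FTP data channels via
      # ip_conntrack_ftp) and all ICMP except redirects
      $IPT -A in_main -j ACCEPT -m state --state ESTABLISHED,RELATED
      $IPT -A in_main -j ACCEPT -p icmp ! --icmp-type redir

      # ssh, snmp and nrpe from the monitoring and trusted hosts
      for host in $MONITOR $TRUSTED; do
        $IPT -A in_main -j ACCEPT -p tcp --dport ssh -s "$host"
        $IPT -A in_main -j ACCEPT -p udp --dport snmp -s "$host"
        $IPT -A in_main -j ACCEPT -p tcp --dport nrpe -s "$host"
      done

      # FTP brute-force protection: every new FTP connection is recorded
      # under its source address; from the 3rd new connection within 60 s
      # the attempt is logged and dropped. --update refreshes the "last seen"
      # timestamp, so a source that keeps trying stays blocked until it
      # pauses for 60 s.
      $IPT -A FTP_CHECK -m recent --set --name FTP
      $IPT -A FTP_CHECK -m recent --update --seconds 60 --hitcount 3 --name FTP -j LOG --log-prefix "FTP_Brute_Force: "
      $IPT -A FTP_CHECK -m recent --update --seconds 60 --hitcount 3 --name FTP -j DROP

      # anti-spoofing: source addresses that can never legitimately arrive
      # on the external interface
      $IPT -A in_main -s 255.0.0.0/8 -j LOG --log-prefix "Gefaelschte Source-IP "
      $IPT -A in_main -s 255.0.0.0/8 -j DROP
      $IPT -A in_main -s 0.0.0.0/8 -j LOG --log-prefix "Gefaelschte Source-IP "
      $IPT -A in_main -s 0.0.0.0/8 -j DROP
      $IPT -A in_main -s 127.0.0.0/8 -j LOG --log-prefix "Gefaelschte Source-IP "
      $IPT -A in_main -s 127.0.0.0/8 -j DROP

      # RFC 1918 private ranges are not routed on the internet, so they are
      # spoofed as well. 172.16.0.0/12 is the whole block
      # 172.16.0.0 - 172.31.255.255 (a /16 would only cover 172.16.x.x).
      $IPT -A in_main -s 192.168.0.0/16 -j LOG --log-prefix "Gefaelschte Source-IP "
      $IPT -A in_main -s 192.168.0.0/16 -j DROP
      $IPT -A in_main -s 172.16.0.0/12 -j LOG --log-prefix "Gefaelschte Source-IP "
      $IPT -A in_main -s 172.16.0.0/12 -j DROP
      $IPT -A in_main -s 10.0.0.0/8 -j LOG --log-prefix "Gefaelschte Source-IP "
      $IPT -A in_main -s 10.0.0.0/8 -j DROP
      # packets claiming to come from this host itself
      $IPT -A in_main -s "$LOCALIP" -j LOG --log-prefix "Gefaelschte Source-IP "
      $IPT -A in_main -s "$LOCALIP" -j DROP

      # stealth scans: a TCP packet that opens a NEW connection must be a
      # SYN; NULL/FIN/XMAS probes fail this check
      $IPT -A in_main -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth Scan detected "
      $IPT -A in_main -p tcp ! --syn -m state --state NEW -j DROP

      # publicly offered services
      $IPT -A in_main -j ACCEPT -p tcp --dport ftp
      # NOTE(review): ssh and nrpe are also accepted from every source here,
      # which makes the per-host rules for MONITOR/TRUSTED above redundant;
      # remove these two lines if those services should stay restricted.
      $IPT -A in_main -j ACCEPT -p tcp --dport ssh
      $IPT -A in_main -j ACCEPT -p tcp --dport smtp
      $IPT -A in_main -j ACCEPT -p tcp --dport domain
      $IPT -A in_main -j ACCEPT -p udp --dport domain
      $IPT -A in_main -j ACCEPT -p tcp --dport http
      $IPT -A in_main -j ACCEPT -p tcp --dport https
      $IPT -A in_main -j ACCEPT -p udp --dport ntp
      $IPT -A in_main -j ACCEPT -p tcp --dport imap2
      $IPT -A in_main -j ACCEPT -p tcp --dport imaps
      $IPT -A in_main -j ACCEPT -p tcp --dport pop3
      $IPT -A in_main -j ACCEPT -p tcp --dport pop3s
      $IPT -A in_main -j ACCEPT -p tcp --dport nrpe

      # everything else on MAIN_IF is logged and rejected by "clean"
      $IPT -A in_main -j clean

      ## PREROUTING (needed for Loadbalancing using DSR); uncomment together
      ## with LB_PORTS and V_HOST above
      #for port in $LB_PORTS; do
      #  $IPT -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports $port -d $V_HOST --dport $port
      #done

      ## end of filter rules

      if [ "$FWDEBUG" = "1" ]; then
        echo "PLEASE MODIFY $0"
      else
        echo "$NAME."
      fi
    ;;

    stop)
      # open all policies and flush everything: the host is unfiltered
      # afterwards
      printf '%s' "Stopping $DESC: "
      $IPT -P INPUT ACCEPT
      $IPT -P OUTPUT ACCEPT
      $IPT -P FORWARD ACCEPT
      for tbl in $TABLES; do
        $IPT -t "$tbl" -F
        $IPT -t "$tbl" -X
      done

      echo "$NAME."
    ;;

    restart)
      "$0" stop
      "$0" start
    ;;

    status)
      # verbose listing with packet/byte counters for each table
      for tbl in $TABLES; do
        echo "Statistics for table: $tbl"
        $IPT -t "$tbl" -nvL
      done
    ;;

    *)
      echo "Usage: $0 {start|stop|restart|status}" >&2
      exit 1
    ;;
  esac
  exit 0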
