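{{page>:menu}}
====== Firewall ======
  * [[http://www.fwbuilder.org/archives/cat_news.html|Firewall Builder]] -- WIN aplikace generující Iptable skript
  * firewall na základě scriptu [[http://www.petricek.cz/mpfw/|M.Petříčka]]
  * jednotlivé díly na publikované na [[http://www.root.cz|ROOT]]u: [[http://www.root.cz/clanek.phtml?id=980|1]], [[http://www.root.cz/clanek.phtml?id=990|2]],[[http://www.root.cz/clanek.phtml?id=995|3]]
===== Petříček =====
#!/bin/sh
#
# chkconfig: 2345 08 92
# description: Firewall
#
# Stateful NAT gateway: drops everything by default, masquerades the LAN
# behind INET_IP, forwards a few ports to LAN hosts and accepts SSH/SMTP
# from the internet. Fill in INET_IP before use.

# Your public IP address and the external interface
INET_IP=""
INET_IFACE="eth0"

# IP, broadcast address and interface of the internal network
LAN1_IP="10.10.1.5/32"
LAN1_BCAST="10.10.255.255/32"
LAN1_IFACE="eth1"

# Local loopback interface
LO_IFACE="lo"
LO_IP="127.0.0.1/32"

# Path to the iptables binary
IPTABLES="/sbin/iptables"

# Refuse to run with an empty INET_IP. The DNAT/SNAT rules below expand it
# unquoted, so an empty value turns "-d $INET_IP --dport 80" into
# "-d --dport 80": those rules fail, but only after the old ruleset has
# already been flushed. Abort here, before anything is touched.
: "${INET_IP:?INET_IP must be set to the public address of ${INET_IFACE}}"

# Rebuild the module dependency database
/sbin/depmod -a

# Load the modules for the non-standard targets.
# NOTE: these are the 2.4-era module names; newer kernels call them
# xt_LOG / nf_conntrack_ftp / nf_nat_ftp, and a failed modprobe is not
# fatal here because the script does not use "set -e".
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

# Connection-tracking / NAT helpers for FTP
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# Enable packet forwarding and SYN cookies
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# rp_filter: reverse-path check against IP spoofing, on every interface
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo "1" > "${interface}"
done

# Flush all old rules and delete user-defined chains
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

# Default policy: drop anything not explicitly allowed
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

##################################
# PREROUTING chain in the NAT table
#
# Outgoing HTTP requests (port 80, except those for the local server)
# would be redirected to the local squid (port 3128) acting as a
# transparent proxy cache. Kept disabled. Note that "-i ! ..." and
# "-d ! ..." is the legacy negation syntax; current iptables expects
# "! -i ..." and "! -d ...".
####$IPTABLES -t nat -A PREROUTING -p tcp -i ! $INET_IFACE -d ! $INET_IP --dport 80 -j REDIRECT --to-port 3128

# Forward selected ports to hosts inside the LAN.
# Every DNAT here also needs a matching ACCEPT in the FORWARD chain!
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 80 -j DNAT --to 10.10.1.30:80
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 8080 -j DNAT --to 10.10.1.85:80

# Forwarding of GRE packets to the MS (PPTP) server
#$IPTABLES -t nat -A PREROUTING -p 47 -d $INET_IP -j DNAT --to 10.10.1.34
#$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 1723 -j DNAT --to 10.10.1.34:1723

######################################################################
# POSTROUTING chain in the NAT table
#
# IP masquerading - SNAT
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP

#
# Extra chains for easier checks on reserved addresses
#
# Drop and log (at most 5 x 3 packets per hour)
$IPTABLES -N logdrop
$IPTABLES -A logdrop -m limit --limit 5/h --limit-burst 3 -j LOG --log-prefix "Rezervovana adresa: "
$IPTABLES -A logdrop -j DROP

# This chain checks that incoming packets do not carry a nonsensical source address
$IPTABLES -N IN_FW
$IPTABLES -A IN_FW -s 192.168.0.0/16 -j logdrop   # reserved by RFC1918
$IPTABLES -A IN_FW -s 10.0.0.0/8 -j logdrop       # ---- ditto ----
$IPTABLES -A IN_FW -s 172.16.0.0/12 -j logdrop    # ---- ditto ----
# 96.0.0.0/4 was "reserved by IANA" when this script was written, but the
# whole block has since been allocated to ordinary networks, so the rule
# now drops legitimate traffic. Disabled; re-check the current IANA
# registry before adding any bogon range here.
#$IPTABLES -A IN_FW -s 96.0.0.0/4 -j logdrop      # reserved by IANA (no longer true)
# ... further reserved ranges can be added according to
# http://www.iana.com/assignments/ipv4-address-space

# TOS flags are used to optimise the data paths: ssh, ftp and telnet
# get minimum delay, ftp-data gets maximum throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport telnet -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput

######################################################################
# FORWARD chain
#
# Microsoft-style connection setup:
# a packet opens a connection but has no SYN flag set - get rid of it
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j LOG -m limit --limit 10/m --log-prefix="bogus packet: "
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j DROP

# No reserved source addresses on the internet interface
$IPTABLES -A FORWARD -i $INET_IFACE -j IN_FW

# Allow the port forwards to hosts inside the LAN, see PREROUTING.
# FORWARD sees the packet after DNAT, so it has to match the translated
# destination: 8080 on $INET_IP became port 80 on 10.10.1.85 (the old
# "--dport 8080" here never matched and the forward was silently dropped).
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -p tcp -d 10.10.1.30 --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -p tcp -d 10.10.1.85 --dport 80 -j ACCEPT

# Allow forwarding of GRE plus TCP port 1723 for PPTP connection setup
#$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -p 47 -d 10.10.1.34 -j ACCEPT            # GRE into the LAN
#$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -p tcp -d 10.10.1.34 --dport 1723 -j ACCEPT   # PPTP

# Routing from the LAN outwards is not restricted
$IPTABLES -A FORWARD -i $LAN1_IFACE -j ACCEPT

# Routing from outside into the LAN only for established connections (stateful firewall)
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Everything else will be dropped, so log it (12 x 5 pkt/hour)
$IPTABLES -A FORWARD -m limit --limit 12/h -j LOG --log-prefix "forward drop: "

######################################################################
# INPUT chain
#
# Microsoft-style connection setup:
# a packet opens a connection but has no SYN flag set - get rid of it
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Port scan with SYN,FIN set
$IPTABLES -A INPUT -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j LOG -m limit --limit 10/m --log-prefix="bogus packet: "
$IPTABLES -A INPUT -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j DROP

# First get rid of the unwanted source addresses
$IPTABLES -A INPUT -i $INET_IFACE -j IN_FW

# Rules for the allowed services
###$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 21 -j ACCEPT   #FTP server
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 22 -j ACCEPT      #SSH server
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 25 -j ACCEPT      #SMTP server
###$IPTABLES -A INPUT -i $INET_IFACE -p UDP --dport 53 -j ACCEPT   #DNS server UDP
###$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 53 -j ACCEPT   #DNS server TCP
###$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 80 -j ACCEPT   #WWW server
###$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 110 -j ACCEPT  #POP3 server
###$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 143 -j ACCEPT  #IMAP server
###$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 443 -j ACCEPT  #HTTPS server
###$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 873 -j ACCEPT  #rsync server

# The AUTH service should not be filtered with DROP, because that can
# cause delays while some connections are being set up. So it is refused,
# but in a way that avoids the unwanted delays.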
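$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 113 -m limit --limit 12/h -j LOG
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 113 -j REJECT --reject-with tcp-reset   #AUTH server

# Of ICMP, only ping is let through
$IPTABLES -A INPUT -i $INET_IFACE -p ICMP --icmp-type echo-request -j ACCEPT

# Loopback should not be restricted
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT

# Likewise packets from the local network, if they are addressed to us
$IPTABLES -A INPUT -i $LAN1_IFACE -d $LAN1_IP -j ACCEPT
$IPTABLES -A INPUT -i $LAN1_IFACE -d $INET_IP -j ACCEPT

# Broadcasts on the local interface are ours too
$IPTABLES -A INPUT -i $LAN1_IFACE -d $LAN1_BCAST -j ACCEPT

# MS clients have a bug in their DHCP implementation
$IPTABLES -A INPUT -i $LAN1_IFACE -p udp --dport 67 -j ACCEPT

# Packets belonging to established connections are fine
$IPTABLES -A INPUT -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Everything else is forbidden - so log it, at most 12 x 5 pkt/hour
$IPTABLES -A INPUT -m limit --limit 12/h -j LOG --log-prefix "INPUT drop: "

######################################################################
# OUTPUT chain
#
# TOS flags are used to optimise the data paths: ssh, ftp and telnet
# get minimum delay, ftp-data gets maximum throughput
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --dport ftp -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --dport telnet -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -o $INET_IFACE -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput

# Allow outgoing packets that carry our own IP addresses
$IPTABLES -A OUTPUT -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN1_IP -j ACCEPT
$IPTABLES -A OUTPUT -s $INET_IP -j ACCEPT

# Allow DHCP broadcasts on the LAN interface
$IPTABLES -A OUTPUT -o $LAN1_IFACE -p UDP --dport 68 --sport 67 -j ACCEPT

# Log the remaining packets (there should not be any)
$IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT drop: "

===== Dynamický blacklist =====
  * dynamický blacklist pro SSH spojení - http://olivier.sessink.nl/publications/blacklisting/index.html

### Dynamic blacklist for SSH connections
#
# NOTE: the extern_in / extern_out chains used below are not created on
# this page. They must already exist, and INPUT / OUTPUT must jump to them
# for traffic on the external interface, otherwise every "-A extern_in"
# below fails with "No chain/target/match by that name".
#
# create properREJECT chain that does different rejects for tcp/udp
$IPTABLES -N properREJECT
$IPTABLES -A properREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A properREJECT -j REJECT --reject-with icmp-port-unreachable
#
$IPTABLES -N blacklistdrop
$IPTABLES -A blacklistdrop -j LOG --log-prefix "adding to BLACKLIST: "
$IPTABLES -A blacklistdrop -m recent --name BLACKLIST --set -j DROP
#
#
# on external hosts, do rate limiting on incoming ssh packets and keep a blacklist.
# this rule drops *any* packet if the IP is in the blacklist.
# --update refreshes the entry's timestamp on every hit, so a host that keeps
# sending stays blocked until it has been quiet for 120 seconds; the
# extern_out check further down uses a 30 second window, so the two sides
# of the block do not expire at the same moment.
# icmp 'destination-unreachable' packets should not update BLACKLIST, because
# they are generated by our own REJECT rule in the extern_out chain
$IPTABLES -A extern_in -m recent --name BLACKLIST --update --seconds 120 -j DROP
#
# all *established* ssh connections simply continue
$IPTABLES -A extern_in -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# *new* ssh connections are all put into a list 'sshconn', and if there are 3 such packets in 30 seconds
# we send the packet to chain 'blacklistdrop' which puts the IP in the blacklist.
# The list is keyed on the source address of bare SYN packets (state NEW),
# not on completed handshakes, so it can accumulate entries for addresses
# that never finished a connection; keep the expiry short for that reason.
$IPTABLES -A extern_in -p tcp --dport 22 -m state --state NEW -m recent --name sshconn --rcheck --seconds 30 --hitcount 3 -j blacklistdrop
#
# if we have seen less than 3 such packets in the last 30 seconds we accept
$IPTABLES -A extern_in -p tcp --dport 22 -m state --state NEW -m recent --name sshconn --set -j ACCEPT
#
# if the destination address is in the blacklist, we REJECT *any* packet
$IPTABLES -A extern_out -m recent --name BLACKLIST --rdest --rcheck --seconds 30 -j properREJECT
#
# outgoing we accept all ssh traffic, with connection tracking
$IPTABLES -A extern_out -p tcp --sport 22 -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT

===== Odkazy =====
  * http://firewall-jay.sourceforge.net/ - generátor IP tables
  * http://phpfwgen.sourceforge.net/
  * http://m0n0.ch/wall/
  * http://www.freesco.org
  * http://www.ipcop.org/
  * http://www.gege.org/iptables/ - analyzátor logů

===== /etc/sysconfig/iptables =====
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
######################################################################
# Logging chains
#
-N logIN
-A logIN -j LOG -m limit --limit 10/minute --log-level 4 --log-prefix "INPUT RULE 2 -- DROP "
-A logIN -j RETURN
-N logPS
-A logPS -j LOG -m limit --limit 10/minute --log-level 4 --log-prefix "PORTSCAN RULE 3 -- DROP "
-A logPS -j RETURN
######################################################################
# INPUT chain
#
# Microsoft-style connection setup:
# a packet opens a connection but has no SYN flag set - get rid of it
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Port scan with SYN,FIN set
-A INPUT -p tcp -i eth0 --tcp-flags SYN,FIN SYN,FIN -j logPS
-A INPUT -p tcp -i eth0 --tcp-flags SYN,FIN SYN,FIN -j DROP
# established connections
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback is not restricted
-A INPUT -i lo -j ACCEPT
# Ping
-A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT
## --- Services for everyone ---
# FTP
-A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
# passive FTP data range
-A INPUT -i eth0 -p tcp --dport 49160:49170 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
## --- Restricted access to services ---
# Datron DMZ
-A INPUT -s 212.158.133.128/255.255.255.224 -p tcp -m multiport --destination-port 22,3306 -j ACCEPT
# Klfree
-A INPUT -s 81.201.48.0/255.255.255.192 -p tcp --dport 22 -j ACCEPT
# from home
-A INPUT -s 86.63.200.73 -p tcp --dport 22 -j ACCEPT
# Broadcasts on the local interface are ours too
#-A INPUT -i eth1 -d 10.10.255.255 -j ACCEPT
# Likewise packets from the local network, if they are addressed to us
#-A INPUT -i eth1 -d 10.10.30.23 -j ACCEPT
# MS clients have a bug in their DHCP implementation - we do not want DHCP - drop it
-A INPUT -i eth0 -p udp --dport 67 -j DROP
-A INPUT -i eth1 -p udp --dport 67 -j DROP
# Log the remaining packets from outside our DMZ before they are dropped
# ("! -s" is the current negation syntax; "-s ! ..." is the deprecated form)
-A INPUT ! -s 212.158.133.128/27 -j logIN
######################################################################
# OUTPUT chain
#
# The TOS rules belong to the mangle table. "-t mangle" is not accepted
# on a rule line inside an iptables-restore file, so they live in the
# *mangle section below instead of here.
# all outgoing packets
-A OUTPUT -s 212.158.133.135 -j ACCEPT
-A OUTPUT -s 10.10.30.23 -j ACCEPT
## --- Allow DHCP broadcasts on the LAN interface ---
#-A OUTPUT -o eth1 -p UDP --dport 68 --sport 67 -j ACCEPT
# Log the remaining packets (there should not be any)
-A OUTPUT -j LOG --log-prefix "OUTPUT RULE 1 -- DROP "
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# TOS flags are used to optimise the data paths (moved here from *filter)
-A OUTPUT -o eth0 -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
-A OUTPUT -o eth0 -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
-A OUTPUT -o eth0 -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
-A OUTPUT -o eth0 -p tcp --dport ftp -j TOS --set-tos Minimize-Delay
-A OUTPUT -o eth0 -p tcp --dport telnet -j TOS --set-tos Minimize-Delay
-A OUTPUT -o eth0 -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed

====== Firewall pro Windows ======
  * http://wipfw.sourceforge.net

# ---------------------------------------------------------------------
# This file allows access to the most basic internet services and
# forbids everything else.
# In the opposite direction everything is forbidden except MS sharing
# and terminal services.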
# ---------------------------------------------------------------------
# Rules are evaluated in order; the first match wins and the final
# "deny log all" catches whatever nothing above accepted.
# flush all previous settings
-f flush
# loopback
add allow ip from any to any via lo0
# already established connections from outside - RST or ACK flag set.
# NOTE: "established" only tests the TCP flags; there is no connection
# tracking here, so any segment carrying ACK or RST passes this rule.
add allow tcp from any to any established
# ICMP - all types, both directions
add allow icmp from any to any
# UDP - all ports, both directions. This is broader than the header
# comment suggests: every UDP service on this host is reachable from
# the network, not only the replies to its own queries.
add allow udp from any to any
# WWW. The explicit number 10000 fixes this rule's position; the
# unnumbered rules that follow are presumably appended after it
# (ipfw auto-numbering) - verify with "ipfw list".
add 10000 allow tcp from any to any 80,81,82,83,443,3128,8000,8080,8088 setup out
# FTP - control channel out, active-mode data channel in
# (any remote host using source port 20 may open a connection inbound)
add allow tcp from any to any 21 setup out
add allow tcp from any 20 to any setup in
# SSH
add allow tcp from any to any 22 setup out
# ICQ
add allow tcp from any to any 5190 setup out
# MAIL
add allow tcp from any to any 25,110,143 setup out
# NEWS
add allow tcp from any to any 119 setup out
# IRC
add allow tcp from any to any 6667 setup out
# M$ terminal services - inbound as well as outbound ("setup" without a direction)
add allow tcp from any to any 3389 setup
# VNC: in/out
add allow tcp from any to any 5800,5900 setup
# VPN: PPTP and GRE (IP protocol 47, both directions, any host)
add allow tcp from any to any 1723 setup out
add allow 47 from any to any
# Hamachi - IP protocol 2 (IGMP) from anywhere, plus its TCP port
add allow 2 from any to any
add allow tcp from any to any 12975 setup out
# M$ Netbios - file sharing: in/out.
# These ports are open to every network the machine is attached to;
# if the host leaves the trusted LAN, narrow "from any" to that LAN.
add allow tcp from any to any 135,139,445
add allow tcp from any 135,139,445 to any
# port 80 has to be allowed inbound too - M$ "feature" :o(
add allow tcp from any to any 80 setup
# MS Exchange
add allow tcp from any to any 1266,1223,1324,1600 setup out
### forbid everything else and log it
add deny log all from any to any