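#!/bin/sh
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 99 7
#
# description: Automates a packet filtering firewall with iptables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author: Joshua Jensen
# -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov :
# modified by Nils Philippsen
#
# config: /etc/sysconfig/iptables
#
### BEGIN INIT INFO
# Provides: iptables firewall
# Default-Start: 2 3 4 5
# Short-Description: iptables packet filtering
# Description: Automates a packet filtering firewall with iptables,
#              using /etc/sysconfig/iptables pre-defined rules.
### END INIT INFO
#
# This script stays POSIX sh: no `[[`, `==` or `local`, because the
# shebang is /bin/sh and the interpreter may be dash/ash.

# Source 'em up (provides gprintf, success and failure)
. /etc/init.d/functions

# Kept for compatibility with the original script; not read below.
IPTABLES_CONFIG=/etc/sysconfig/iptables

# Nothing to do without the iptables binary.
if [ ! -x /sbin/iptables ]; then
    exit 0
fi

# iptables needs a 2.3+ kernel; bail out quietly on anything older.
KERNELMAJ=$(uname -r | sed -e 's,\..*,,')
KERNELMIN=$(uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,')

if [ "$KERNELMAJ" -lt 2 ]; then
    exit 0
fi
if [ "$KERNELMAJ" -eq 2 ] && [ "$KERNELMIN" -lt 3 ]; then
    exit 0
fi

if /sbin/lsmod 2>/dev/null | grep -q ipchains; then
    # Don't do both
    exit 0
fi

#######################################
# Run an iptables command against a table, but only if that table is
# currently registered in the kernel (avoids auto-loading table modules).
# Arguments: $1 - table name (filter, nat, mangle, ...)
#            $@ - passed verbatim after "iptables -t"
# Returns:   iptables' status, or 0 when the table is not present
#######################################
iftable() {
    if grep -Fqsx -- "$1" /proc/net/ip_tables_names; then
        iptables -t "$@"
    fi
}

#######################################
# Select the iptables userspace library directory that matches the
# running kernel's ABI.
# With an argument: point /lib/iptables at /lib/iptables.d/$1 and probe
#   the nat table with a throw-away MASQUERADE chain; the probe's status
#   is the return value.
# Without an argument: try each /lib/iptables.d/linux-<maj>.<min>-*
#   candidate in turn (recursively) and stop at the first that works.
# Arguments: $1 - optional iptables.d sub-directory name
# Returns:   0 when a working library set was selected
#######################################
check() {
    if [ -n "$1" ]; then
        rm -f /lib/iptables
        ln -s "/lib/iptables.d/${1}" /lib/iptables
        # The probe chain name is derived from the candidate's suffix so
        # that it cannot collide with an administrator-defined chain.
        iftable nat -N "__T__${1##*-}__" >/dev/null 2>&1
        iftable nat -A "__T__${1##*-}__" -j MASQUERADE >/dev/null 2>&1
        res=$?
        iftable nat -F "__T__${1##*-}__" >/dev/null 2>&1
        iftable nat -X "__T__${1##*-}__" >/dev/null 2>&1
        return $res
    else
        /sbin/modprobe ipt_MASQUERADE >/dev/null 2>&1
        kmajor=$(uname -r)
        kminor=${kmajor#*.}
        kminor=${kminor%%.*}
        kmajor=${kmajor%%.*}
        for i in /lib/iptables.d/linux-"$kmajor.$kminor"-*; do
            check "${i##*/}" && break
        done
        /sbin/modprobe -r ipt_MASQUERADE >/dev/null 2>&1
    fi
}

#######################################
# Exact-match membership test for a port in a whitespace-separated list.
# A plain `grep "$port"` on the list was a substring match, so a listening
# port 8 was treated as "publicly accepted" because "80" was listed, and
# the REJECT rule for it was never added.  This compares whole tokens.
# Arguments: $1 - port number to look for
#            $2 - whitespace-separated list of accepted ports
# Returns:   0 when $1 appears verbatim in $2, 1 otherwise (including an
#            empty list, so a missing rules file fails closed)
#######################################
port_listed() {
    for _p in $2; do
        [ "$_p" = "$1" ] && return 0
    done
    return 1
}

#######################################
# Append an ACCEPT rule from every LOCALNET source for each listening
# port of one protocol that is not publicly accepted.
# Globals:   IPTABLES, LOCALNET (read)
# Arguments: $1 - iptables protocol (tcp|udp)
#            $2 - whitespace-separated listening ports
#            $3 - whitespace-separated publicly accepted ports
#            $4 - label used in the status messages (TCP|UDP)
#######################################
fastwall_accept() {
    gprintf "Fastwalling $4 ACCEPT:"
    for _port in $2
    do
        if ! port_listed "$_port" "$3"; then
            for _net in $LOCALNET
            do
                "$IPTABLES" -A INPUT --protocol "$1" \
                    --destination-port "$_port" -s "$_net" -j ACCEPT
            done
        fi
    done && \
    success "Fastwalling $4 ACCEPT:" || \
    failure "Fastwalling $4 ACCEPT:"
    echo
}

#######################################
# Append a REJECT rule for each listening port of one protocol that is
# not publicly accepted.  Must run after fastwall_accept for the same
# protocol so the LOCALNET ACCEPT rules precede the REJECT in INPUT.
# Globals:   IPTABLES (read)
# Arguments: $1 - iptables protocol (tcp|udp)
#            $2 - whitespace-separated listening ports
#            $3 - whitespace-separated publicly accepted ports
#            $4 - label used in the status messages (TCP|UDP)
#######################################
fastwall_reject() {
    gprintf "Fastwalling $4 REJECT:"
    for _port in $2
    do
        if ! port_listed "$_port" "$3"; then
            "$IPTABLES" -A INPUT --protocol "$1" \
                --destination-port "$_port" -j REJECT
        fi
    done && \
    success "Fastwalling $4 REJECT:" || \
    failure "Fastwalling $4 REJECT:"
    echo
}

fastwall_on() {
    #
    # @(#)fastwall-on.sh 1.0.0 15/07/2008 Copyright 2008 Robert M. Stockmann
    # stock@stokkie.net
    #
    # This firewall is based on the philosophy of
    #
    # "Hardening a Linux Server in 10 Minutes"
    # http://rudd-o.com/archives/2006/02/27/hardening-a-linux-server-in-10-minutes/
    #
    # It computes from the shorewall rules and 'netstat -ltunp' the TCP
    # and UDP ports which need to be closed on the NETWORKS which aren't
    # local. This may seem like a hack, but it sure makes life easier
    # with getting some complicated application working. It's in
    # particular handy if your Linux PC is NOT the router but only doing
    # the fire-walling.
    #
    # Mode of operation :
    # Figure out which udp and tcp ports need to be opened for public
    # Internet use, like HTTP port 80 or SMTP port 25. Make sure these
    # udp and tcp ports are listed inside /etc/shorewall/rules.drakx .. :
    # example :
    #
    # [mail:root]:(~)# cat /etc/shorewall/rules.drakx
    # ACCEPT net fw udp 53,110,1194 -
    # ACCEPT net fw tcp 80,443,53,22,20,21,25,109,110,143,110 -
    # [mail:root]:(~)#
    #
    # Next run fastwall-on.sh after which you check from the Internet
    # with nmap if the desired result is obtained :
    # nmap -v -sT -O
    #
    # Limitations worth knowing when relying on this as a control:
    #  - only ports listening at the moment "start" runs are covered; a
    #    service started later is not rejected until the next start;
    #  - only IPv4 rules are written (iptables, not ip6tables);
    #  - every line of the rules file containing "tcp"/"udp" contributes
    #    its 5th field, so comments mentioning a protocol would too.
    #
    IPTABLES=/sbin/iptables
    RULES=/etc/shorewall/rules.drakx
    # Publicly accepted ports, comma list in field 5 turned into a space list.
    # If the rules file is missing both lists are empty and every
    # listening port ends up rejected from non-local networks.
    TCPACCEPT=$(grep tcp -- "$RULES" | awk '{print $5}' | sed 's/,/ /g')
    UDPACCEPT=$(grep udp -- "$RULES" | awk '{print $5}' | sed 's/,/ /g')
    # Listening ports: take the text after the LAST colon of the local
    # address so that IPv6/dual-stack sockets (":::22") are seen as well;
    # the previous second-field split dropped them and left such ports
    # open.  Sort before uniq so duplicates really collapse.
    TCPLISTEN=$(netstat -ltunp | grep "^tcp" | awk '{print $4}' |
        awk -F":" '{print $NF}' | sed '/^$/d' | sort -n | uniq)
    UDPLISTEN=$(netstat -ltunp | grep "^udp" | awk '{print $4}' |
        awk -F":" '{print $NF}' | sed '/^$/d' | sort -n | uniq)
    # Networks that keep full access to the non-public ports.  Site
    # specific: adjust to the local LAN before deploying.
    LOCALNET="127.0.0.1 192.168.2.0/24"

    gprintf "Applying fastwall rules:"
    echo

    # ACCEPT rules first, then REJECT, so local traffic matches before
    # the catch-all REJECT for the same port.
    fastwall_accept tcp "$TCPLISTEN" "$TCPACCEPT" TCP
    fastwall_accept udp "$UDPLISTEN" "$UDPACCEPT" UDP
    fastwall_reject tcp "$TCPLISTEN" "$TCPACCEPT" TCP
    fastwall_reject udp "$UDPLISTEN" "$UDPACCEPT" UDP

    touch /var/lock/subsys/fastwall
}

#######################################
# Tear the firewall down: flush and delete every chain in every loaded
# table, then reset the built-in policies to ACCEPT.  After this the host
# is unfiltered.
#######################################
stop() {
    tables=$(cat /proc/net/ip_tables_names 2>/dev/null)
    # NOTE(review): unlike the block below, these two steps print no
    # gprintf label/echo before success/failure — confirm this is the
    # intended console output.
    for t in $tables; do iptables -t "$t" -F; done && \
    success "Flushing all chains:" || \
    failure "Flushing all chains:"
    for t in $tables; do iptables -t "$t" -X; done && \
    success "Removing user defined chains:" || \
    failure "Removing user defined chains:"
    gprintf "Resetting built-in chains to the default ACCEPT policy:"
    iftable filter -P INPUT ACCEPT && \
    iftable filter -P OUTPUT ACCEPT && \
    iftable filter -P FORWARD ACCEPT && \
    iftable nat -P PREROUTING ACCEPT && \
    iftable nat -P POSTROUTING ACCEPT && \
    iftable nat -P OUTPUT ACCEPT && \
    iftable mangle -P PREROUTING ACCEPT && \
    iftable mangle -P OUTPUT ACCEPT && \
    success "Resetting built-in chains to the default ACCEPT policy" || \
    failure "Resetting built-in chains to the default ACCEPT policy"
    echo
    rm -f /var/lock/subsys/fastwall
}

case "$1" in
  start)
    check
    fastwall_on
    ;;
  stop)
    stop
    ;;
  status)
    tables=$(cat /proc/net/ip_tables_names 2>/dev/null)
    for table in $tables; do
        gprintf "Table: %s\n" "$table"
        iptables -t "$table" --list
    done
    ;;
  *)
    gprintf "Usage: %s {start|stop|status}\n" "$0"
    exit 1
esac

exit 0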