Commit bc4af073 authored by Branko Mikić's avatar Branko Mikić

A bash script for easily configuring iptables. See manual for details.

#
# /proc/sys/net/ipv4:
# all/accept_source_route=0 default/accept_source_route=1
# eth0/accept_source_route=1 eth1/accept_source_route=1
# eth2/accept_source_route=1 lo/accept_source_route=1
# ppp0/accept_source_route=1 vboxnet0/accept_source_route=1
# all/accept_redirects=0 default/accept_redirects=0
# eth0/accept_redirects=0 eth1/accept_redirects=0
# eth2/accept_redirects=0 lo/accept_redirects=0
# ppp0/accept_redirects=0 vboxnet0/accept_redirects=0
# all/rp_filter=1 default/rp_filter=1
# eth0/rp_filter=1 eth1/rp_filter=1
# eth2/rp_filter=1 lo/rp_filter=1
# ppp0/rp_filter=1 vboxnet0/rp_filter=1
# ip_forward=1
#
# Kernel modules probed:
# ip_tables nf_conntrack
#
# reseting ruleset (/sbin/iptables)
# setting up base ruleset
# allowing subnets on eth0 link: 10.2.1.1 (broadcast)
# allowing service discovery on eth0 link.
# forwarding protectively 10.2.1.0/24 (eth0) to ppp0.
# masquerading 10.2.1.0/24 when leaving through ppp0.
# Generated by iptables-save v1.4.12 on Fri Oct 9 13:09:32 2015
*mangle
:PREROUTING ACCEPT [2:200]
:INPUT ACCEPT [2:200]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:200]
:POSTROUTING ACCEPT [2:200]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Oct 9 13:09:32 2015
# Generated by iptables-save v1.4.12 on Fri Oct 9 13:09:32 2015
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.2.1.0/24 -o ppp0 -m comment --comment "MASQUERADE 10.2.1.0/24 to 0x" -j MASQUERADE
COMMIT
# Completed on Fri Oct 9 13:09:32 2015
# Generated by iptables-save v1.4.12 on Fri Oct 9 13:09:32 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:0A02010018-eth0-ppp0 - [0:0]
:0A02010018-ppp0-eth0 - [0:0]
:ANTI-FLOOD - [0:0]
:BLOCK - [0:0]
:ICMP - [0:0]
:LOCAL - [0:0]
:USER-IN - [0:0]
:USER-OUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ICMP
-A INPUT -m state --state INVALID -j BLOCK
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ANTI-FLOOD
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j ANTI-FLOOD
-A INPUT -p udp -m udp --sport 67 --dport 68 -m comment --comment bootp -j ACCEPT
-A INPUT -j LOCAL
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment ssh -j ACCEPT
-A INPUT -m comment --comment "add your custom INPUT rules in the USER-IN chain!" -j USER-IN
-A INPUT -m limit --limit 8/min --limit-burst 16 -j LOG --log-prefix "[IN-DROP] "
-A FORWARD -s 10.2.1.0/24 -i eth0 -o ppp0 -m comment --comment "FORWARD_SUBNET_PROTECTIVE 10.2.1.0/24 among eth0 and ppp0" -j 0A02010018-eth0-ppp0
-A FORWARD -d 10.2.1.0/24 -i ppp0 -o eth0 -m comment --comment "FORWARD_SUBNET_PROTECTIVE 10.2.1.0/24 among eth0 and ppp0" -j 0A02010018-ppp0-eth0
-A FORWARD -m limit --limit 8/min --limit-burst 16 -j LOG --log-prefix "[FWD-DROP] "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m comment --comment "add your custom OUTPUT rules in the USER-OUT chain!" -j USER-OUT
-A OUTPUT -m state --state NEW -j ACCEPT
-A OUTPUT -m limit --limit 8/min --limit-burst 16 -j LOG --log-prefix "[OUT-DROP] "
-A 0A02010018-eth0-ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A 0A02010018-eth0-ppp0 -m state --state NEW -j ACCEPT
-A 0A02010018-eth0-ppp0 -p tcp -m tcp -m multiport --dports 80,443 -j ACCEPT
-A 0A02010018-ppp0-eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A 0A02010018-ppp0-eth0 -p icmp -j ICMP
-A 0A02010018-ppp0-eth0 -m state --state INVALID -j BLOCK
-A 0A02010018-ppp0-eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ANTI-FLOOD
-A 0A02010018-ppp0-eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j ANTI-FLOOD
-A ANTI-FLOOD -m limit --limit 2/sec -j RETURN
-A ANTI-FLOOD -j LOG --log-prefix "[BLOCK] (ANTIFLOOD) "
-A ANTI-FLOOD -j DROP
-A BLOCK -m limit --limit 4/min --limit-burst 8 -j LOG --log-prefix "[BLOCK] "
-A BLOCK -j DROP
-A ICMP -p icmp -m icmp --icmp-type 3 -m comment --comment destination-unreachable -j ACCEPT
-A ICMP -p icmp -m icmp --icmp-type 4 -m comment --comment source-quench -j ACCEPT
-A ICMP -p icmp -m icmp --icmp-type 8 -m comment --comment "echo-request: Ping of death" -j ANTI-FLOOD
-A ICMP -p icmp -m icmp --icmp-type 8 -m comment --comment echo-request -j ACCEPT
-A ICMP -p icmp -m icmp --icmp-type 11 -m comment --comment time-exceeded -j ACCEPT
-A ICMP -p icmp -m icmp --icmp-type 12 -m comment --comment parameter-problem -j ACCEPT
-A LOCAL -m addrtype --dst-type LOCAL -j RETURN
-A LOCAL -m addrtype --dst-type MULTICAST -j RETURN
-A LOCAL -m addrtype --dst-type BROADCAST -j RETURN
-A LOCAL -j BLOCK
-A USER-IN -s 10.2.1.0/24 -i eth0 -m comment --comment "ALLOW_SUBNETS on 0x50e549399da8" -j ACCEPT
-A USER-IN -i eth0 -m pkttype --pkt-type broadcast -m comment --comment "ALLOW_SUBNETS on 0x50e549399da8 (broadcast)" -j ACCEPT
-A USER-IN -d 224.0.0.251/32 -i eth0 -p udp -m udp --dport 5353 -m comment --comment "ALLOW_SERVICE_DISCOVERY on 0x50e549399da8 (multicast mDNS)" -j ACCEPT
-A USER-IN -d 239.255.255.250/32 -i eth0 -p udp -m udp --dport 1900 -m comment --comment "ALLOW_SERVICE_DISCOVERY on 0x50e549399da8 (multicast UPnP)" -j ACCEPT
-A USER-OUT -s 10.2.1.1/32 -d 10.2.1.0/24 -o eth0 -m comment --comment "ALLOW_SUBNETS on 0x50e549399da8" -j ACCEPT
COMMIT
# Completed on Fri Oct 9 13:09:32 2015
#~~~ created by ipturntables.sh
#
# /proc/sys/net/ipv6:
# all/accept_source_route=0 default/accept_source_route=0
# eth0/accept_source_route=0 eth1/accept_source_route=0
# eth2/accept_source_route=0 lo/accept_source_route=0
# ppp0/accept_source_route=0
# all/accept_redirects=0 default/accept_redirects=0
# eth0/accept_redirects=1 eth1/accept_redirects=1
# eth2/accept_redirects=1 lo/accept_redirects=1
# ppp0/accept_redirects=0
# all/accept_ra=1 default/accept_ra=1
# eth0/accept_ra=1 eth1/accept_ra=1
# eth2/accept_ra=1 lo/accept_ra=1
# ppp0/accept_ra=2
# all/forwarding=1 default/forwarding=1
# eth0/forwarding=1 eth1/forwarding=1
# eth2/forwarding=1 lo/forwarding=1
# ppp0/forwarding=1
#
# Kernel modules probed:
# ip6_tables nf_conntrack
#
# reseting ruleset (/sbin/ip6tables)
# setting up base ruleset
# allowing service discovery on eth0 link.
# allowing subnets on eth0 link: (broadcast) fe80::52e5:49ff:fe39:9da8
# allowing DHCPv6 client requests on 'ppp0'.
# Generated by ip6tables-save v1.4.12 on Wed Apr 8 08:09:35 2015
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Apr 8 08:09:35 2015
# Generated by ip6tables-save v1.4.12 on Wed Apr 8 08:09:35 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ANTI-FLOOD - [0:0]
:BLOCK - [0:0]
:ICMP - [0:0]
:USER-IN - [0:0]
:USER-OUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m comment --comment "echo-reply allowed on link local" -j ACCEPT
-A INPUT -p ipv6-icmp -j ICMP
-A INPUT -m state --state INVALID -j BLOCK
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ANTI-FLOOD
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j ANTI-FLOOD
-A INPUT -p udp -m udp --sport 67 --dport 68 -m comment --comment bootp -j ACCEPT
-A INPUT -m comment --comment "add your custom INPUT rules in the USER-IN chain!" -j USER-IN
-A INPUT -m limit --limit 8/min --limit-burst 16 -j LOG --log-prefix "[IN-DROP] "
-A FORWARD -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A FORWARD -m limit --limit 8/min --limit-burst 16 -j LOG --log-prefix "[FWD-DROP] "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m comment --comment "add your custom OUTPUT rules in the USER-OUT chain!" -j USER-OUT
-A OUTPUT -m state --state NEW -j ACCEPT
-A OUTPUT -m limit --limit 8/min --limit-burst 16 -j LOG --log-prefix "[OUT-DROP] "
-A ANTI-FLOOD -m limit --limit 2/sec -j RETURN
-A ANTI-FLOOD -j LOG --log-prefix "[BLOCK] (ANTIFLOOD) "
-A ANTI-FLOOD -j DROP
-A BLOCK -m limit --limit 4/min --limit-burst 8 -j LOG --log-prefix "[BLOCK] "
-A BLOCK -j DROP
-A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m comment --comment "destination unreachable" -j ACCEPT
-A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m comment --comment "packet too big" -j ACCEPT
-A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m comment --comment "time exceeded" -j ACCEPT
-A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 4 -m comment --comment "parameter problem" -j ACCEPT
-A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m comment --comment "echo-request: Ping of death" -j ANTI-FLOOD
-A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m comment --comment echo-request -j ACCEPT
-A USER-IN -d ff02::fb/128 -i eth0 -p udp -m udp --dport 5353 -m comment --comment "ALLOW_SERVICE_DISCOVERY on 0x50e549399da8 (multicast mDNS)" -j ACCEPT
-A USER-IN -d ff02::f/128 -i eth0 -p udp -m udp --dport 1900 -m comment --comment "ALLOW_SERVICE_DISCOVERY on 0x50e549399da8 (multicast UPnP)" -j ACCEPT
-A USER-IN -i eth0 -m pkttype --pkt-type broadcast -m comment --comment "ALLOW_SUBNETS on 0x50e549399da8 (broadcast)" -j ACCEPT
-A USER-IN -s fe80::/10 -d fe80::/10 -i ppp0 -p udp -m udp --sport 547 --dport 546 -m comment --comment "ALLOW_DHCPV6_CLIENT on 0x" -j ACCEPT
-A USER-OUT -s fe80::52e5:49ff:fe39:9da8/128 -o eth0 -m comment --comment "ALLOW_SUBNETS on 0x50e549399da8 (outbound from link-local)" -j ACCEPT
COMMIT
# Completed on Wed Apr 8 08:09:35 2015
#~~~ created by ipturntables.sh
#!/usr/bin/make
# accept_source_route:
# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
# accept_redirects:
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
# rp_filter:
# Turn on reverse path filtering. This helps make sure that packets use
# legitimate source addresses, by automatically rejecting incoming packets
# if the routing table entry for their source address doesn't match the network
# interface they're arriving on. This has security advantages because it prevents
# so-called IP spoofing, however it can pose problems if you use asymmetric routing
# (packets from you to a host take a different path than packets from that host to you)
# or if you operate a non-routing host which has several IP addresses on different
# interfaces. (Note - If you turn on IP forwarding, you will also get this).
all: IPv4.rules IPv6.rules
IPv4.rules:
./ipturntables.sh -4 \
KERNEL_PARAMS accept_source_route,accept_redirects,rp_filter,ip_forward \
PROBE_KERNEL_MODS ip_tables,nf_conntrack \
RESET \
BASE_RULE_SET \
ALLOW_SUBNETS eth0 \
ALLOW_SERVICE_DISCOVERY eth0 \
FORWARD_SUBNET_PROTECTIVE $(SUBNET) ppp0 \
POSTROUTING_MASQUERADE $(SUBNET) ppp0 \
>IPv4.rules
cat IPv4.rules
IPv6.rules:
./ipturntables.sh -6 \
KERNEL_PARAMS accept_source_route,accept_redirects,accept_ra,forwarding \
PROBE_KERNEL_MODS ip6_tables,nf_conntrack \
RESET \
BASE_RULE_SET \
ALLOW_SUBNETS eth0 \
ALLOW_SERVICE_DISCOVERY eth0 \
ALLOW_DHCPV6_CLIENT ppp0 \
>IPv6.rules
cat IPv6.rules
debug.rules:
./ipturntables.sh -4 \
DEBUG_CHAIN INPUT
DEBUG_CHAIN OUTPUT
DEBUG_CHAIN FORWARD
./ipturntables.sh -6 \
DEBUG_CHAIN INPUT
DEBUG_CHAIN OUTPUT
DEBUG_CHAIN FORWARD
clean:
rm *.rules
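Review bot: The `debug.rules` recipe is broken: the backslash after `./ipturntables.sh -4 \` continues only onto `DEBUG_CHAIN INPUT`, so `DEBUG_CHAIN OUTPUT` and `DEBUG_CHAIN FORWARD` (and the same pair under `-6`) run as separate shell commands, fail with "command not found", and the target never yields a usable debug ruleset — presumably the script expects the whole command list as one argument vector, as the other two targets pass it. `$(SUBNET)` in the `IPv4.rules` recipe has no default and no check, so an unset variable silently produces `FORWARD_SUBNET_PROTECTIVE  ppp0` and shifts the script's arguments. The `>IPv4.rules` redirection also leaves a truncated file behind when the script fails part-way, and with no prerequisite on `ipturntables.sh` make never rebuilds a stale ruleset, so `.DELETE_ON_ERROR:` plus the script as a prerequisite keeps a half-written policy from being loaded; `clean` should use `rm -f -- *.rules` so it does not fail when nothing was built. The rendered view has dropped leading whitespace, so I cannot confirm the recipe lines are tab-indented.
```makefile
.DELETE_ON_ERROR:

all: IPv4.rules IPv6.rules

IPv4.rules: ipturntables.sh
	@test -n '$(SUBNET)' || { echo 'SUBNET is not set (e.g. make SUBNET=10.2.1.0/24)' >&2; exit 1; }
# … unchanged: ipturntables.sh -4 invocation and cat …

IPv6.rules: ipturntables.sh
# … unchanged: ipturntables.sh -6 invocation and cat …

debug.rules:
	./ipturntables.sh -4 \
	DEBUG_CHAIN INPUT \
	DEBUG_CHAIN OUTPUT \
	DEBUG_CHAIN FORWARD
	./ipturntables.sh -6 \
	DEBUG_CHAIN INPUT \
	DEBUG_CHAIN OUTPUT \
	DEBUG_CHAIN FORWARD

clean:
	rm -f -- *.rules
```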
#!/bin/sh
#
#############################################################################
#
# File: iptables.sh
#
# Purpose: To build a basic iptables policy with default log and drop rules.
# This script was written for the book "Linux Firewalls: Attack
# Detection and Response" published by No Starch Press.
#
# Copyright (C) 2006-2012 Michael Rash (mbr@cipherdyne.org)
#
# License (GNU Public License):
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#
#
#############################################################################
#
IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables
MODPROBE=/sbin/modprobe
INT_NET=192.168.10.0/24
INT_INTF=eth1
EXT_INTF=eth0
### flush existing rules and set chain policy setting to DROP
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
### this policy does not handle IPv6 traffic except to drop it.
#
echo "[+] Disabling IPv6 traffic..."
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
### load connection-tracking modules
#
$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
###### INPUT chain ######
#
echo "[+] Setting up INPUT chain..."
### state tracking rules
$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
### anti-spoofing rules
$IPTABLES -A INPUT -i $INT_INTF ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A INPUT -i $INT_INTF ! -s $INT_NET -j DROP
### ACCEPT rules
$IPTABLES -A INPUT -i $INT_INTF -p tcp -s $INT_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
### default INPUT LOG rule
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
### make sure that loopback traffic is accepted
$IPTABLES -A INPUT -i lo -j ACCEPT
###### OUTPUT chain ######
#
echo "[+] Setting up OUTPUT chain..."
### state tracking rules
$IPTABLES -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m conntrack --ctstate INVALID -j DROP
$IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
### ACCEPT rules for allowing connections out
$IPTABLES -A OUTPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
### default OUTPUT LOG rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
### make sure that loopback traffic is accepted
$IPTABLES -A OUTPUT -o lo -j ACCEPT
###### FORWARD chain ######
#
echo "[+] Setting up FORWARD chain..."
### state tracking rules
$IPTABLES -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m conntrack --ctstate INVALID -j DROP
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
### anti-spoofing rules
$IPTABLES -A FORWARD -i $INT_INTF ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A FORWARD -i $INT_INTF ! -s $INT_NET -j DROP
### ACCEPT rules
$IPTABLES -A FORWARD -p tcp -i $INT_INTF -s $INT_NET --dport 21 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INT_INTF -s $INT_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INT_INTF -s $INT_NET --dport 25 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INT_INTF -s $INT_NET --dport 43 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INT_INTF -s $INT_NET --dport 4321 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
### default LOG rule
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
###### NAT rules ######
#
echo "[+] Setting up NAT rules..."
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i $EXT_INTF -j DNAT --to 192.168.10.3:80
$IPTABLES -t nat -A PREROUTING -p tcp --dport 443 -i $EXT_INTF -j DNAT --to 192.168.10.3:443
$IPTABLES -t nat -A PREROUTING -p udp --dport 53 -i $EXT_INTF -j DNAT --to 192.168.10.4:53
$IPTABLES -t nat -A POSTROUTING -s $INT_NET -o $EXT_INTF -j MASQUERADE
###### forwarding ######
#
echo "[+] Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward
exit
### EOF ###
#!/bin/sh
#
# Test your ipv6 firewall rule set using:
# http://ipv6.chappell-family.com/ipv6tcptest/index.php
# Thank you Tim for providing this test tool.
#
# Ver. 2.0 (RHO and Logging, speciall ICMP Blocking)
# 29.12.2012
#
# Definitions
IP6TABLES='/usr/sbin/ip6tables'
# change LAN and IPv6 WAN interface name according your requirements
WAN_IF='sixxs'
LAN_IF='br0'
SUBNETPREFIX='<subnet-prefix::>/48'
MYTUNNEL='Your IP'
SIXXSTUNNEL='Pop IP'
# First Flush and delete all:
$IP6TABLES -F INPUT
$IP6TABLES -F OUTPUT
$IP6TABLES -F FORWARD
$IP6TABLES -F
$IP6TABLES -X
# DROP all incomming traffic
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
# Filter all packets that have RH0 headers:
$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
$IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP
$IP6TABLES -A OUTPUT -m rt --rt-type 0 -j DROP
# Allow anything on the local link
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT
# Allow anything out on the internet
$IP6TABLES -A OUTPUT -o $WAN_IF -j ACCEPT
# Allow established, related packets back in
$IP6TABLES -A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow the localnet access us:
$IP6TABLES -A INPUT -i $LAN_IF -j ACCEPT
$IP6TABLES -A OUTPUT -o $LAN_IF -j ACCEPT
# Allow Link-Local addresses
$IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT
$IP6TABLES -A OUTPUT -s fe80::/10 -j ACCEPT
# Allow multicast
$IP6TABLES -A INPUT -d ff00::/8 -j ACCEPT
$IP6TABLES -A OUTPUT -d ff00::/8 -j ACCEPT
# Paranoia setting on ipv6 interface
$IP6TABLES -I INPUT -i $WAN_IF -p tcp --syn -j DROP
$IP6TABLES -I FORWARD -i $WAN_IF -p tcp --syn -j DROP
$IP6TABLES -I INPUT -i $WAN_IF -p udp -j DROP
$IP6TABLES -I FORWARD -i $WAN_IF -p udp -j DROP
# Allow forwarding on ipv6 interface
$IP6TABLES -A FORWARD -m state --state NEW -i $LAN_IF -o $WAN_IF -s $SUBNETPREFIX -j ACCEPT
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow dedicated ICMPv6 packettypes, do this in an extra chain because we need it everywhere
$IP6TABLES -N AllowICMPs
# Destination unreachable
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
#
# Only the sixxs POP is allowed to ping us (read FAQ this is a requirement)
#
$IP6TABLES -A INPUT -p icmpv6 -s $SIXXSTUNNEL -d $MYTUNNEL -j AllowICMPs
# Log
$IP6TABLES -A INPUT -j LOG --log-prefix "INPUT-v6:"
$IP6TABLES -A FORWARD -j LOG --log-prefix "FORWARD-v6:"
$IP6TABLES -A OUTPUT -j LOG --log-prefix "OUTPUT-v6:"
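Review bot: The "paranoia" rules `$IP6TABLES -I INPUT -i $WAN_IF -p udp -j DROP` and `$IP6TABLES -I FORWARD -i $WAN_IF -p udp -j DROP` are inserted at the head of their chains, ahead of the ESTABLISHED,RELATED accepts appended earlier, so every UDP packet arriving from the tunnel is dropped — including replies to the host's own outgoing DNS queries and to forwarded UDP from LAN clients; restricting them to unsolicited traffic, `-m state --state NEW -j DROP`, keeps the intended effect without breaking UDP replies. The link-local and multicast accepts (`$IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT`, `$IP6TABLES -A INPUT -d ff00::/8 -j ACCEPT`) are not bound to an interface, so they also admit such traffic from `$WAN_IF`; `-i $LAN_IF` is probably what was meant. The three trailing LOG rules carry no `-m limit`, so a burst of dropped packets becomes a burst of log lines. The script has no `set -e` and leaves every expansion unquoted, so with the shipped placeholder values (`'Your IP'`, `'Pop IP'`) the `-s $SIXXSTUNNEL -d $MYTUNNEL` rule word-splits, ip6tables rejects it, and the script carries on silently with an incomplete ruleset.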
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j ACCEPT
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m state --state NEW -j ACCEPT
-A ufw-track-output -p udp -m state --state NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_OpenSSH\'" -j ACCEPT
-A ufw-user-input -s 10.0.0.0/8 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ufw6-after-forward
-N ufw6-after-input
-N ufw6-after-logging-forward
-N ufw6-after-logging-input
-N ufw6-after-logging-output
-N ufw6-after-output
-N ufw6-before-forward
-N ufw6-before-input
-N ufw6-before-logging-forward
-N ufw6-before-logging-input
-N ufw6-before-logging-output
-N ufw6-before-output
-N ufw6-logging-allow
-N ufw6-logging-deny
-N ufw6-reject-forward
-N ufw6-reject-input
-N ufw6-reject-output
-N ufw6-skip-to-policy-forward
-N ufw6-skip-to-policy-input
-N ufw6-skip-to-policy-output
-N ufw6-track-input
-N ufw6-track-output
-N ufw6-user-forward
-N ufw6-user-input
-N ufw6-user-limit
-N ufw6-user-limit-accept
-N ufw6-user-logging-forward
-N ufw6-user-logging-input
-N ufw6-user-logging-output
-N ufw6-user-output
-A INPUT -j ufw6-before-logging-input