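#!/bin/sh
#
# firewall.sh — (re)build the host's iptables/ip6tables INPUT ruleset.
#
# Usage: firewall.sh external_interface
#
# Sets INPUT to DROP, flushes the filter table, then allows loopback, ICMP,
# RELATED/ESTABLISHED traffic, IPv6 link-local and multicast sources, and the
# TCP/UDP destination ports held in the ipsets allowed_tcp/allowed_udp on the
# external interface. Finally runs xenophobe.sh (blocks) and trusted.sh
# (passes) from the directory this script lives in.
#
# Set debug=1 to print the iptables/ip6tables/ipset commands instead of
# running them.

set -eu

# Resolve a required tool to its path, or abort with a message on stderr.
# Under 'set -e' a failed "VAR=$(require ...)" assignment terminates the
# script before any rule has been touched.
require() {
  command -v "$1" || { echo "required tool '$1' not found" 1>&2; exit 1; }
}

IPTABLES=$(require iptables)
IP6TABLES=$(require ip6tables)
IPSET=$(require ipset)

# Helper scripts are resolved relative to this script, not the caller's cwd,
# so the firewall can be applied from cron/systemd or any directory.
SCRIPT_DIR=$(dirname "$0")
for helper in xenophobe.sh trusted.sh
do
  if [ ! -x "${SCRIPT_DIR}/${helper}" ]
  then
    echo "helper script '${SCRIPT_DIR}/${helper}' is missing or not executable" 1>&2
    exit 1
  fi
done

debug=0

if [ "${debug}" -ne 0 ]
then
  IPTABLES="echo ${IPTABLES}"
  IP6TABLES="echo ${IP6TABLES}"
  IPSET="echo ${IPSET}"
fi

if [ $# -lt 1 ]
then
  echo "Usage: $(basename "$0") external_interface" 1>&2
  exit 64
fi

EXT_IF="$1"
if ! ip link show "${EXT_IF}" >/dev/null 2>&1
then
  echo "'${EXT_IF}' does not seem to be a valid interface" 1>&2
  exit 1
fi

# Default policies first, so the host is never left fail-open between the
# flush below and the ACCEPT rules that follow it. Existing connections may
# see a few dropped packets until the conntrack rule is re-added; TCP copes.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT

$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT ACCEPT

# '-F' with no chain flushes every chain of the filter table; '-X' then
# removes user-defined chains left over from a previous run.
$IPTABLES -F
$IPTABLES -X

$IP6TABLES -F
$IP6TABLES -X

# accept local traffic
$IPTABLES -A INPUT -i lo -j ACCEPT

$IP6TABLES -A INPUT -i lo -j ACCEPT

# accept ICMP
$IPTABLES -A INPUT -p icmp -j ACCEPT

$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT

# drop source-route rh0 headery things
$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP

# accept things we set up
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

$IP6TABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# accept ipv6 link-local traffic
$IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT

# accept ipv6 multicast
$IP6TABLES -A INPUT -s ff00::/8 -j ACCEPT

# drop invalid TCP flag combinations, on both address families
for flags in 'ALL FIN,URG,PSH' 'ALL ALL' 'ALL SYN,RST,ACK,FIN,URG' 'ALL NONE' 'SYN,RST SYN,RST' 'SYN,FIN SYN,FIN'
do
  # ${flags} is deliberately unquoted: each entry is "mask comp", two words
  $IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
  $IP6TABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
done

# Port sets reachable from the outside. The sets persist across runs, so
# flush them after creation: a port removed from the lists below must stop
# being allowed on the next run instead of lingering in the kernel set.
# (This script is treated as the sole owner of these two sets.)
$IPSET -exist create allowed_udp bitmap:port range 0-65535
$IPSET -exist create allowed_tcp bitmap:port range 0-65535
$IPSET flush allowed_udp
$IPSET flush allowed_tcp
for p in 22 25 53 80 143 443 587 993 1194 5000 5222 5269 22556 64738
do
  $IPSET -exist add allowed_tcp "${p}"
done
for p in 53 123 1194 64738
do
  $IPSET -exist add allowed_udp "${p}"
done

$IPTABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
$IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
$IP6TABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
$IP6TABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT

# insert persistent-pest-blocker
"${SCRIPT_DIR}/xenophobe.sh"

# insert trusted passes
"${SCRIPT_DIR}/trusted.sh"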