From 0f864e054ebdb2c6606721dc49db867fe93cb61e Mon Sep 17 00:00:00 2001
From: Justin Wind
Date: Tue, 24 Jan 2017 11:06:10 -0800
Subject: [PATCH 1/1] initial scripts
---
 .gitignore | 1 +
 common.sh | 22 ++++++++++++
 firewall.sh | 97 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 trusted.sh | 56 ++++++++++++++++++++++++++++++
 xenophobe.sh | 76 ++++++++++++++++++++++++++++++++++++++++
 5 files changed, 252 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 common.sh
 create mode 100755 firewall.sh
 create mode 100755 trusted.sh
 create mode 100755 xenophobe.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1f9edd0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.cidr
diff --git a/common.sh b/common.sh
new file mode 100644
index 0000000..4bb66ff
--- /dev/null
+++ b/common.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -e
+
+IPTABLES=$(which iptables)
+IP6TABLES=$(which ip6tables)
+IPSET=$(which ipset)
+
+function decommentcat(){
+ sed 's/\s*#.*$//;/^\s*$/d' "$@"
+}
+
+function create_set(){
+ local set_name="$1"
+ shift
+ if ! $IPSET list "${set_name}" >/dev/null 2>&1
+ then
+ echo "creating set '${set_name}'"
+ $IPSET create "${set_name}" "$@"
+ fi
+}
+
diff --git a/firewall.sh b/firewall.sh
new file mode 100755
index 0000000..34184ee
--- /dev/null
+++ b/firewall.sh
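Review bot: `function decommentcat(){` and `function create_set(){` use the bash-only `function` keyword under a `#!/bin/sh` shebang, so on hosts where /bin/sh is dash both trusted.sh and xenophobe.sh fail at `. ./common.sh` before touching any rule; the portable spelling is `decommentcat(){` and `create_set(){` (and `\s` in the sed expression is a GNU extension as well). `IPTABLES=$(which iptables)` and its siblings run under `set -e`, so a missing tool makes the sourcing script exit with no message of its own; `command -v iptables` with an explicit `|| { echo "iptables not found" >&2; exit 1; }` would say why. firewall.sh repeats these three assignments instead of sourcing common.sh, so the two copies can drift; sourcing it there too keeps one definition.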
@@ -0,0 +1,97 @@
+#!/bin/sh
+
+set -e
+
+IPTABLES=$(which iptables)
+IP6TABLES=$(which ip6tables)
+IPSET=$(which ipset)
+
+debug=0
+
+if [ ${debug} -ne 0 ]
+then
+ IPTABLES="echo ${IPTABLES}"
+ IP6TABLES="echo ${IP6TABLES}"
+ IPSET="echo ${IPSET}"
+fi
+
+if [ $# -lt 1 ]
+then
+ echo "Usage: $(basename "$0") external_interface" 1>&2
+ exit 64
+fi
+
+EXT_IF="$1"
+if ! ip link show "${EXT_IF}" >/dev/null 2>&1
+then
+ echo "'${EXT_IF}' does not seem to be a valid interface"
+ exit 1
+fi
+
+$IPTABLES -F
+$IPTABLES -F INPUT
+$IPTABLES -X
+
+$IP6TABLES -F
+$IP6TABLES -F INPUT
+$IP6TABLES -X
+
+# default policies
+$IPTABLES -P INPUT DROP
+$IPTABLES -P OUTPUT ACCEPT
+
+$IP6TABLES -P INPUT DROP
+$IP6TABLES -P OUTPUT ACCEPT
+
+# accept local traffic
+$IPTABLES -A INPUT -i lo -j ACCEPT
+
+$IP6TABLES -A INPUT -i lo -j ACCEPT
+
+# accept ICMP
+$IPTABLES -A INPUT -p icmp -j ACCEPT
+
+$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
+
+# drop source-route rh0 headery things
+$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
+
+# accept things we set up
+$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+$IP6TABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# accept ipv6 link-local traffic
+$IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT
+
+# accept ipv6 multicast
+$IP6TABLES -A INPUT -s ff00::/8 -j ACCEPT
+
+# log and drop invalid flag combinations
+for flags in 'ALL FIN,URG,PSH' 'ALL ALL' 'ALL SYN,RST,ACK,FIN,URG' 'ALL NONE' 'SYN,RST SYN,RST' 'SYN,FIN SYN,FIN'
+do
+ $IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
+done
+
+$IPSET -exist create allowed_udp bitmap:port range 0-65535
+$IPSET -exist create allowed_tcp bitmap:port range 0-65535
+for p in 22 25 53 80 143 443 587 993 1194 5000 5222 5269 22556 64738
+do
+ $IPSET -exist add allowed_tcp ${p}
+done
+for p in 53 123 1194 64738
+do
+ $IPSET -exist add allowed_udp ${p}
+done
+
+$IPTABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
+$IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
+$IP6TABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
+$IP6TABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
+
+# insert persistent-pest-blocker
+./xenophobe.sh
+
+# insert trusted passes
+./trusted.sh
+
diff --git a/trusted.sh b/trusted.sh
new file mode 100755
index 0000000..9d15eaa
--- /dev/null
+++ b/trusted.sh
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+set -e
+
+. ./common.sh
+
+set_name='trusted'
+
+if [ $# -eq 1 -a "x$1" = "xremove" ]
+then
+ $IPTABLES -D INPUT -m set --match-set "${set_name}" src -j ACCEPT || echo "no rule '${set_name}' to remove"
+ $IP6TABLES -D INPUT -m set --match-set "${set_name}6" src -j ACCEPT || echo "no rule '${set_name}6' to remove"
+ $IPSET destroy "${set_name}" || echo "no set '${set_name}' to remove"
+ $IPSET destroy "${set_name}6" || echo "no set '${set_name}6' to remove"
+ exit 0
+fi
+
+create_set "${set_name}" hash:net
+create_set "${set_name}" hash:net family inet6
+
+
+if ! $IPTABLES -C INPUT -m set --match-set "${set_name}" src -j ACCEPT >/dev/null 2>&1
+then
+ echo "initializing rule '${set_name}'"
+ $IPTABLES -I INPUT -m set --match-set "${set_name}" src -j ACCEPT
+fi
+
+
+if ! $IP6TABLES -C INPUT -m set --match-set "${set_name}6" src -j ACCEPT >/dev/null 2>&1
+then
+ echo "initializing rule '${set_name}6'"
+ $IP6TABLES -I INPUT -m set --match-set "${set_name}6" src -j ACCEPT
+fi
+
+if [ -e "${set_name}.cidr" ]
+then
+ echo "updating set '${set_name}'"
+ $IPSET create "${set_name}-tmp" hash:net
+ for s in $(decommentcat "${set_name}.cidr" | grep '\.')
+ do
+ $IPSET add "${set_name}-tmp" "${s}"
+ done
+ $IPSET swap "${set_name}-tmp" "${set_name}"
+ $IPSET destroy "${set_name}-tmp"
+ $IPSET list -t "${set_name}"
+
+ echo "updating set '${set_name}6'"
+ $IPSET create "${set_name}6-tmp" hash:net family inet6
+ for s in $(decommentcat "${set_name}.cidr" | grep '\:')
+ do
+ $IPSET add "${set_name}6-tmp" "${s}"
+ done
+ $IPSET swap "${set_name}6-tmp" "${set_name}6"
+ $IPSET destroy "${set_name}6-tmp"
+ $IPSET list -t "${set_name}6"
+fi
diff --git a/xenophobe.sh b/xenophobe.sh
new file mode 100755
index 0000000..631c492
--- /dev/null
+++ b/xenophobe.sh
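Review bot: The second `create_set` call passes `"${set_name}"` again instead of `"${set_name}6"`, so the IPv6 set `trusted6` is never created (the first call has already made `trusted`, so the second is a no-op in `create_set`); the later `$IP6TABLES -I INPUT -m set --match-set "${set_name}6"` and `$IPSET swap "${set_name}6-tmp" "${set_name}6"` then fail and `set -e` aborts the run. The fix is `create_set "${set_name}6" hash:net family inet6`, matching xenophobe.sh. In the `.cidr` block, `$IPSET create "${set_name}-tmp" hash:net` fails outright if a `-tmp` set survived an earlier run that aborted between `create` and `destroy`; `$IPSET -exist create` followed by `$IPSET flush "${set_name}-tmp"`, or a `trap` that destroys the `-tmp` sets on exit, makes the update re-runnable. xenophobe.sh has the same leftover-set weakness in its update block.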
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+set -e
+
+. ./common.sh
+
+set_name='xenophobe'
+chain="${set_name}"
+
+if [ $# -eq 1 -a "x$1" = "xremove" ]
+then
+ $IPTABLES -D INPUT -m set --match-set "${set_name}" src -j "${chain}" || echo "no rule '${set_name}' to remove"
+ $IP6TABLES -D INPUT -m set --match-set "${set_name}6" src -j "${chain}" || echo "no rule '${set_name}6' to remove"
+ $IPSET destroy "${set_name}" || echo "no set '${set_name}' to remove"
+ $IPSET destroy "${set_name}6" || echo "no set '${set_name}6' to remove"
+ exit 0
+fi
+
+create_set "${set_name}" hash:net
+create_set "${set_name}6" hash:net family inet6
+
+# create or re-init chains
+if ! $IPTABLES -L "${chain}" >/dev/null
+then
+ echo "initializing chain '${chain}'"
+ $IPTABLES -N "${chain}" || $IPTABLES -F "${chain}"
+ $IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+ $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable
+ $IPTABLES -v -L "${chain}"
+fi
+
+if ! $IP6TABLES -L "${chain}" >/dev/null
+then
+ echo "initializing chain '${chain}' ipv6"
+ $IP6TABLES -N "${chain}" || $IP6TABLES -F "${chain}"
+ $IP6TABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+ $IP6TABLES -A "${chain}" -j REJECT --reject-with icmp6-port-unreachable
+ $IP6TABLES -v -L "${chain}"
+fi
+
+if ! $IPTABLES -C INPUT -m set --match-set "${set_name}" src -j "${chain}" >/dev/null 2>&1
+then
+ echo "initializing rule '${set_name}'"
+ $IPTABLES -I INPUT -m set --match-set "${set_name}" src -j "${chain}"
+fi
+
+if ! $IP6TABLES -C INPUT -m set --match-set "${set_name}6" src -j "${chain}" >/dev/null 2>&1
+then
+ echo "initializing rule '${set_name}6'"
+ $IP6TABLES -I INPUT -m set --match-set "${set_name}6" src -j "${chain}"
+fi
+
+# init new temporary set
+if [ -e "${set_name}.cidr" ]
+then
+ echo "updating set '${set_name}'"
+ $IPSET create "${set_name}-tmp" hash:net
+ for s in $(decommentcat "${set_name}.cidr" | grep '\.')
+ do
+ $IPSET add "${set_name}-tmp" "${s}"
+ done
+ $IPSET swap "${set_name}-tmp" "${set_name}"
+ $IPSET destroy "${set_name}-tmp"
+ $IPSET list -t "${set_name}"
+
+ echo "updating set '${set_name}'"
+ $IPSET create "${set_name}6-tmp" hash:net family inet6
+ for s in $(decommentcat "${set_name}.cidr" | grep '\:')
+ do
+ $IPSET add "${set_name}6-tmp" "${s}"
+ done
+ $IPSET swap "${set_name}6-tmp" "${set_name}6"
+ $IPSET destroy "${set_name}6-tmp"
+ $IPSET list -t "${set_name}6"
+fi
+
-- 
2.45.2
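Review bot: The `remove` branch deletes the INPUT jumps and destroys both ipsets but never flushes or deletes the `${chain}` chains this script created, so `xenophobe.sh remove` leaves an orphaned `xenophobe` chain in both iptables and ip6tables until firewall.sh's `-X` next runs; after the two `-D` lines add `$IPTABLES -F "${chain}" && $IPTABLES -X "${chain}"` and the `$IP6TABLES` pair, each with its own `|| echo` so a missing chain is not fatal. The chain-existence checks `$IPTABLES -L "${chain}" >/dev/null` leave stderr open, so a normal first run prints iptables' no-such-chain error just before `initializing chain`; appending `2>&1` matches the `-C` checks further down. In the `.cidr` block the second status line `echo "updating set '${set_name}'"` reports the IPv4 set while updating the IPv6 one; it should read `'${set_name}6'` as trusted.sh does.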