Iptables (1.4)/firewall.sh

1. !/bin/bash
2. This is a generic version of the script I use to protect my servers.
4. It's a bit more powerful, and a bit more intelligent. A lot of stuff,
5. like the INVALID state, does not operate with quite the finesse that
6. we were led to believe. Likewise, overly restricting traffic in
7. general tends to throttle a lot of good - if malformed - traffic, for
8. relatively little gain, and takes resources away from handling more
9. serious issues. It is a bit larger, despite being more efficient.
11. This script has undergone several revisions. I was originally
12. tarpitting telnet attempts to port 25, for example, thus TARPORTS.
13. I no longer do this for several reasons, but haven't bothered with
14. fully purging the code yet.
16. This script was developed by Vekseid, hosted at
17. http://hexwiki.com/wiki/Iptables_(1.4)/firewall.sh?action=raw
18. Discussed at http://hexwiki.com/wiki/Iptables_(1.4)
19. - vek@vekseid.com
20. This script would not have been possible without Oskar Andreasson's
21. IPTables Tutorial, found at:
22. http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
23. I additionally made use of a good amount of the information in Jan
24. Engelhardt's "Detecting and deceiving network scans", found here:
25. http://jengelh.medozas.de/documents/Chaostables.pdf

2. Define variables to make for easy tuning.
3. IPT - Location of the iptables binary
4. SELFIPS - The server's allocated IP addresses
5. WHITELIST - My own personal IPs, separated by spaces, CIDR style
6. for address blocks e.g. 127.0.0.0/8
7. TRUSTEDFACES - Interfaces we trust, typically lo but could also have
8. e.g. eth1 in a two-server setup. Space separated
9. BLACKLIST - Hated IPs. Functions as whitelist.
10. SSHIP - IP address for SSH
11. SAFEIPS - Won't tarpit on this IP/mask
12. SERVIPS - Running SERVPORTS on this IP/mask
13. SSHPORT - The port I have SSH set to. This does not provide
14. much added security, but it makes logs less noisy.
15. I reccoment picking a number and using it for all of
16. your servers.
17. TARPORTS - Ports we are going to tarpit when they get hit
18. improperly. Default to 25 (SMTP) to trap spambots.
19. SERVPORTS - Ports only open on the service IP
20. OPENPORTS - Chosen ports to open on all IPs.
21. UDPIPS - Space-separated list of IP addresses/masks to permit
22. UDP on.
23. UDPPORTS - Comma-separated list of ports to allow UDP.
24. ALLOWPING - Whether or not to allow public pings. I often have to
25. diagnose problems for my members so sure, why not : )
26. USELOG - Whether to use the basic log. Nothing in these logs
27. are fully reliable so I want to make them easy to
28. disable.

export IPT=/sbin/iptables export SELFIPS="198.51.100.80/28 192.0.2.184/30 203.0.113.88" export WHITELIST="203.0.113.32/28 203.0.113.45" export TRUSTEDFACES="lo" export BLACKLIST="" export SSHIP="198.51.100.83" export SSHPORT=23728 export SAFEIPS="198.51.100.82 198.51.100.187" export SERVIPS="198.51.100.82" export TARPORTS=25 export SERVPORTS="587,993" export OPENPORTS="80,443,25565" export UDPIPS="" export UDPPORTS="" export ALLOWPING=1 export USELOG=1

2. Ended up dropping this... IMO this is the responsibility of your
3. host. Or if you are your own host, this is not done on your end
4. machines.
6. Retained solely to point out that people do this. However, keep in
7. mind that each additional rule is more computing power for every
8. connection.
9. export DROPLIST="/etc/iptables/spamhausdrop.dat"

2. The following are 'more advanced' variables.
4. CONNREPORT - While the limit is initially far higher, we want to
5. be reporting far before then, to see how many
6. legitimate users a blanket cutoff may restrict in
7. the event of an attack.
8. CONNLIMIT - The connlimit match declaration - it declares how
9. many tcp connections may exist for a given IP block.
10. LOGLEVEL - Logging line for basic logging.
11. LOGCON - Logs more serious incidents - connection flooding and
12. so on, that we want more reliable data for.

export CONNREPORT="-m connlimit --connlimit-above 256 --connlimit-mask 24" export CONNLIMIT="-m connlimit --connlimit-above 512 --connlimit-mask 24" export LOGLEVEL="--log-level debug --log-ip-options" export LOGCON="--log-level debug --log-ip-options --log-tcp-sequence --log-tcp-options"

2. The documentation on hashlimit could certainly use refinement. Worse,
3. many examples might trick someone into using limit where a well-tuned
4. hashlimit is really what they want - if they really want to take the
5. performance hit at all.
7. The following comes from reading the kernel module source, not the
8. documentation : ) The man pages are not very helpful and the tutorial
9. is extremely misleading on this match.
11. Note that, this is from reading the source back in 2009. Things may
12. have changed.
14. --hashlimit-htable-gcinterval is always set to three seconds in these
15. examples, except for ping, but you may wish to slow this down if
16. you find your system cpu usage getting high under heavy loads.
17. Your load is going to be based loosely off of htable-size divided
18. by gcinterval. The default is 1000 (one second).
19. --hashlimit-htable-expire is an easy one to calculate - just pick the
20. time when the hashlimit-upto/above will fill up your bucket, maybe
21. add a bit extra, or less if you don't care about occasional
22. overages. The default is 10000 (ten seconds).
23. --hashlimit-htable-max to quote the current kernel source:
24. /* FIXME: do something. question is what.. */
25. It currently fires a kernel warning if the hash table is allowed
26. to grow beyond this size. It defaults to 8 times the htable-size,
27. and has a floor of htable-size if set to a low value.
28. There's no actual limit, however. I'm not convinced that the
29. hashlimit algorithm is all it could be >_>
30. I set this to htable-size since if somehow eight thousand
31. connections are open I rather want to be warned about it.
32. --hashlimit-htable-size is the size of the hash index. A hash of
33. log(htable-size) is computed for whatever was given in mode/mask.
34. If two objects end up with the same hash, they get placed in a
35. chain which is iteratively searched.
36. DO NOT SET THIS LOW EXPECTING IT WILL THROTTLE A DDOS. In theory,
37. that is what htable-max is for. But only in theory.
38. It has a bit of a messy default:
39. num_physpages * page_size / 16384, with a cap of 8192 and a minimum
40. of 16. Pretty much anyone with 256mb+ of RAM is going to reach the
41. cap.
42. In addition to the basic memory for the table itself, you will
43. allocate pointer_bytes * 2 * htable-size in bytes for the table.
44. More memory gets allocated in other functions and I haven't fully
45. gone through the source, but for an amd64 machine that means 16
46. bytes per bucket.
47. Since this is the size of the full index and I have RAM to spare, I
48. set all of the tables to 8k. The main thing to worry about here is
49. the garbage collection interval, since this means it's checking
50. eight thousand -linked lists- every interval.
51. --hashlimit-srcmask is probably best set to /29 for IPv4 in most
52. situations where srcip is used for the mask. Not only does this
53. help reduce collision rates, /29's are often the same family or
54. local organization. It works fine to treat them in this manner.
55. The default for this and dstmask is 32 for IPv4 and 128 for IPv6.
56. If using IPv6, if you do not set this to at least as low as /64 you
57. are insane.
58. --hashlimit-mode is a fairly straightforward setting. I would suggest
59. using separate hashes for different ports and destination ips for
60. most scenarios.
61. --hashlimit-burst defaults to five. This determines the maximum size
62. of the bucket which gets filled by upto/above.
64. HASHLOG - The hashlimit declaration for basic logging. It's rather
65. heavily limited in order to keep us from flooding.
66. HASHCON - Log mass connection attempts
67. HASHSSH - Not needed with this current setup, it exists more to
68. limit getting my auth log slammed than anything.
69. HASHPING - Originally for pings, now for related/established ICMP
70. messages in general. To permit ICMP traceroutes, we're
71. fairly generous.

export HASHPING="-m hashlimit --hashlimit-upto 5/second --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-srcmask 29 --hashlimit-name icmp --hashlimit-htable-size 8192 --hashlimit-htable-max 8192 --hashlimit-htable-gcinterval 1000 --hashlimit-htable-expire 2000" export HASHSSH="-m hashlimit --hashlimit-upto 3/minute --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-srcmask 29 --hashlimit-name ssh --hashlimit-htable-size 8192 --hashlimit-htable-max 8192 --hashlimit-htable-gcinterval 3000 --hashlimit-htable-expire 60000" export HASHLOG="-m hashlimit --hashlimit-upto 2/minute --hashlimit-burst 240 --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-name log --hashlimit-htable-size 8192 --hashlimit-htable-max 8192 --hashlimit-htable-gcinterval 3000 --hashlimit-htable-expire 120000" export HASHCON="-m hashlimit --hashlimit-upto 2/minute --hashlimit-burst 240 --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-name con --hashlimit-htable-size 8192 --hashlimit-htable-max 8192 --hashlimit-htable-gcinterval 3000 --hashlimit-htable-expire 120000"

2. Here we set some variables that are not 'user modified'.

export DROPTARGET=DROP

1. For awhile I logged all dropped packets, thus the following, but it's
2. all noise and no signal. I prefer to log actual incidents.
3. if [ $USELOG -eq 1 ] ; then
4. export DROPTARGET=DRP
5. fi

2. Flush current rules and reset policies.

$IPT -F $IPT -X $IPT -t raw -F $IPT -t raw -X $IPT -P INPUT DROP $IPT -P FORWARD DROP $IPT -P OUTPUT ACCEPT

2. Give the system some time to rest. Can be important if it's been
3. tracking a lot.

sleep 3

2. Interfaces we trust get a free pass. Don't even track, just accept.

for i in $TRUSTEDFACES do

 $IPT -t raw -A PREROUTING -i $i -j NOTRACK
 $IPT -A INPUT -i $i -j ACCEPT

done

2. Logging all dropped packets is 99.9% noise, but left in for debugging
3. potential.
4. if [ $USELOG -eq 1 ] ; then

 #####################################################################
 # Log dropped packets. Only make the chain if logging is on.
 # This is only really useful to determine if you are under a serious
 # attack of some sort.
 #####################################################################
# $IPT -N DRP
# $IPT -A DRP $HASHLOG -j LOG $LOGLEVEL --log-prefix "IPTables: Dropped: "
# $IPT -A DRP -j DROP
 #####################################################################

1. fi

2. Accept from related connections, non-icmp established connections,
3. related connections, and our chosen whitelist. Drop invalid sources
4. and non-unicast packets/sources outright, as well as killing funny
5. business.

1. Iterate through whitelist entries

for i in $WHITELIST do

 $IPT -A INPUT -p tcp -s $i -j ACCEPT

done

1. Iterate through blacklist entries

for i in $BLACKLIST do

 $IPT -A INPUT -s $i -j $DROPTARGET

done

1. Iterate through Spamhaus DROP list, if we're using that.
2. for i in $(cat $DROPLIST | grep -i SBL | cut -f 1 -d ';' )
3. do
4. $IPT -A INPUT -s $i -j DROP
5. done

1. Iterate through our own ips - drop spoofed entries.

for i in $SELFIPS do

 $IPT -A INPUT -s $i -j $DROPTARGET

done

2. I used to split out tcp traffic and rate limit that. It really only
3. caught exceptionally bad ISPs with legitimate users and aggressive
4. web spiders. DDOS attempts are best mitigated with connlimit and
5. possibly checking for lots of very small packets.
7. I've found that the INVALID state actually spends most of its time
8. dropping legitimate traffic. I can't really recommend it. You can
9. do just as well by being picky with what you accept for NEW
10. connections.
12. Somewhere along the line, pings make established connections now.
13. Annoying, but only minor changes needed to segregate established
14. ICMP traffic. For sure, permit related traffic.

$IPT -A INPUT -m state --state RELATED -j ACCEPT $IPT -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT $IPT -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT

1. Drop garbage sources and destinations.

$IPT -A INPUT -m pkttype ! --pkt-type unicast -j $DROPTARGET $IPT -A INPUT -m addrtype ! --src-type UNICAST -j $DROPTARGET $IPT -A INPUT -m addrtype --dst-type BROADCAST -j $DROPTARGET

2. TCPMESS is our version of the CHAOS target.
3. The primary purpose of this is not even to deceive, but simply to
4. increase the cost of portscanning. This is more of a nuisance than
5. actual security.

$IPT -N TCPMESS

1. $IPT -A TCPMESS -p tcp -m statistic --mode random --probability 0.03 -j DELUDE

$IPT -A TCPMESS -p tcp -m statistic --mode random --probability 0.0208 -j REJECT --reject-with tcp-reset $IPT -A TCPMESS -p tcp -m statistic --mode random --probability 0.0211 -j REJECT --reject-with host-unreach $IPT -A TCPMESS -j DROP

2. New TCP Traffic going to valid ports gets sent here.
3. Check connlimit, check new connection rates, log nonsense.

$IPT -N TCPIN $IPT -A TCPIN -m recent --update --seconds 900 --hitcount 1 --name flooders -j DROP $IPT -A TCPIN -p tcp $CONNREPORT $HASHCON -j LOG $LOGCON --log-prefix "Hackers: Many Connections: " $IPT -A TCPIN -p tcp $CONNREPORT $HASHCON -m state --state INVALID -j $DROPTARGET $IPT -A TCPIN -p tcp $CONNLIMIT -m recent --set --name flooders $IPT -A TCPIN -p tcp $CONNLIMIT -j LOG $LOGCON --log-prefix "Hackers: Connection Overlimit: " $IPT -A TCPIN -p tcp $CONNLIMIT -j REJECT --reject-with tcp-reset $IPT -A TCPIN -p tcp --tcp-flags SYN,FIN,RST,PSH,URG SYN -j ACCEPT

2. Sometimes we see new connections from legitimate peoples that
3. somehow escaped proper connection tracking. These are most
4. frequently ACK, followed by RST, followed distantly by ACK PSH.

$IPT -A TCPIN -p tcp --tcp-flags SYN,ACK,RST,URG ACK -j ACCEPT $IPT -A TCPIN -p tcp --tcp-flags SYN,FIN,RST,PSH,URG RST -j ACCEPT if [ $USELOG -eq 1 ] ; then

 $IPT -A TCPIN $HASHLOG -j LOG $LOGLEVEL --log-prefix "IPTables: Invalid Connect: "

fi $IPT -A TCPIN -j DROP

2. TCP traffic for our standard ports are not hindered for the purposes
3. of automated blocking of general hijinks.
5. We accept things on open ports, except for our secret (in this case,
6. our SSH port), and we shut people poking around for a few hours.
8. $TARPORTS still gets used here to drop spammers, regardless.

$IPT -A INPUT -p tcp -m multiport --dports $OPENPORTS -j TCPIN for i in $SERVIPS do

 $IPT -A INPUT -p tcp -d $i -m multiport --dports $SERVPORTS -j TCPIN

done

1. $IPT -A INPUT -p tcp ! -d $SAFEIP -m multiport --dports $TARPORTS -j TARPIT

for i in $SAFEIPS do

 $IPT -A INPUT -p tcp -d $i -m multiport --dports $TARPORTS -j TCPIN

done $IPT -A INPUT -p tcp -m multiport --dports $TARPORTS -j DROP

$IPT -A INPUT -p tcp -m recent --update --seconds 3600 --hitcount 1 --name scanners -j TCPMESS $IPT -A INPUT -p tcp -d $SSHIP --dport $SSHPORT $HASHSSH -j ACCEPT $IPT -A INPUT -p tcp -d $SSHIP --dport $SSHPORT $HASHCON -j LOG $LOGCON --log-prefix "Hackers: SSH Flood: " $IPT -A INPUT -p tcp -m recent --set --name scanners $IPT -A INPUT -p tcp -d $SSHIP --dport $SSHPORT -j TCPMESS if [ $USELOG -eq 1 ] ; then

 $IPT -A INPUT -p tcp $HASHLOG -j LOG $LOGLEVEL --log-prefix "IPTables: Scanner: "

fi $IPT -A INPUT -p tcp -j TCPMESS

2. Overall ICMP Rules

if [ $ALLOWPING -eq 1 ] ; then

 #####################################################################
 # ICMP Incoming Chain. This looks like it's blocking more than it
 # actually is - a lot of incoming ICMP messages are RELATED.
 #####################################################################
 $IPT -N ICMP
 if [ $USELOG -eq 1 ] ; then
   $IPT -A ICMP -p icmp --fragment $HASHLOG -j LOG $LOGLEVEL --log-prefix "IPTables: ICMP Fragment: "
 fi
 $IPT -A ICMP -p icmp --fragment -j DROP
 $IPT -A ICMP -p icmp --icmp-type echo-request -j ACCEPT
 # These generally get through first via accepting RELATED
 # connections, this is simply to be certain.
 $IPT -A ICMP -p icmp --icmp-type 3 -j ACCEPT
 $IPT -A ICMP -p icmp --icmp-type 4 -j ACCEPT
 if [ $USELOG -eq 1 ] ; then
   $IPT -A ICMP -p icmp $HASHLOG -j LOG $LOGLEVEL --log-prefix "IPTables: ICMP Bad: "
 fi
 #####################################################################

 #####################################################################
 # Allow icmp packets at the rate given in HASHPING.
 # You tend not to see ping floods these days, but it may be
 # interesting enough to log.
 #####################################################################
 $IPT -A INPUT -p icmp -m state --state NEW,ESTABLISHED $HASHPING -j ICMP
 if [ $USELOG -eq 1 ] ; then
   $IPT -A INPUT -p icmp -m state --state NEW,ESTABLISHED $HASHLOG -j LOG $LOGLEVEL --log-prefix "IPTables: ICMP Flood: "
 fi
 $IPT -A INPUT -p icmp -j DROP
 #####################################################################

fi

2. UDP Rules.
4. Not running DNS, so, let's mess with scanners!
5. Probability in the .03-.04 range is apparently ideal.
6. If you are more concerned about confusing scans of your network as
7. opposed to scans of a single IP, using proto-unreach liberally can
8. confuse protocol scans.
10. Note, this blocks standard traceroutes. ICMP traceroutes work,
11. however, which Windows falls back on and *nix can use via the -I
12. switch.

$IPT -N UDPFUN

1. Logging this is mostly noise.
2. if [ $USELOG -eq 1 ] ; then
3. $IPT -A UDPFUN $HASHLOG -j LOG $LOGLEVEL --log-prefix "IPTables: UDP: "
4. fi

$IPT -A UDPFUN -m statistic --mode random --probability 0.02 -j REJECT --reject-with proto-unreach $IPT -A UDPFUN -m statistic --mode random --probability 0.0202 -j REJECT --reject-with host-unreach $IPT -A UDPFUN -j DROP

2. UDP rules -must- come after dropping spoofed addresses.

for i in $UDPIPS do

 $IPT -A INPUT -p udp -d $i -m multiport --dports $UDPPORTS -j ACCEPT

done $IPT -A INPUT -p udp -j UDPFUN

2. This script was developed by Vekseid at
3. http://hexwiki.com/wiki/Iptables_(1.4)/firewall.sh?action=raw
4. - vek@vekseid.com