alexander Posted September 11, 2009

So this is still nothing too crazy, but I've been working on a firewall script. Basically it's up to whoever to configure it, but some things I've come to learn the hard way will save someone time. This will most likely evolve in the future and have a lot more services and rules, but this is what I have for now, and while I'm waiting on this darn DRAC to serve me a simple webpage, I figured I'd post what I've got so far :)

```sh
#!/bin/sh
# firewall.sh v1.4

# Refuse to run outside screen unless the user insists. screen exports STY in
# every window of a session; the old test (ps | grep screen) always matched
# its own grep process, so the prompt never fired.
if [ -z "$STY" ]; then
    while :
    do
        echo "You should really consider running this in screen! Continue? [n]:"
        read yn
        case $yn in
            y|Y ) break;;
            * ) exit 0;;
        esac
    done
fi

echo "Flushing previous config"
# Flush rules but keep the built-in chain policies (assumed ACCEPT, as CentOS ships them)
iptables -F
# The custom chains may not exist yet on a first run, so ignore the error
iptables -X CentOS-1-INPUT 2>/dev/null
iptables -X CentOS-1-SYNFLOOD 2>/dev/null

echo "Setting up new chain"
## Firstly let's create our own chain and send the default chains to it
iptables -N CentOS-1-INPUT
iptables -A INPUT -j CentOS-1-INPUT
iptables -A FORWARD -j CentOS-1-INPUT

echo "Propagating new rule set"
## Inbound Rule Set
# accept our own traffic
#iptables -A CentOS-1-INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
# accept multicast DNS traffic (mDNS is addressed *to* 224.0.0.251, so match on -d, not -s)
#iptables -A CentOS-1-INPUT -p udp -m udp --dport 5353 -d 224.0.0.251 -j ACCEPT
# SYN flood protection. This has to sit before the per-service ACCEPTs to have any
# effect, and it must not ACCEPT (a bare "--syn -m limit -j ACCEPT" would open every
# port at 5 SYN/s): SYNs within the rate RETURN and fall through to the rules below,
# SYNs above it are dropped.
#iptables -N CentOS-1-SYNFLOOD
#iptables -A CentOS-1-SYNFLOOD -m limit --limit 5/s -j RETURN
#iptables -A CentOS-1-SYNFLOOD -j DROP
#iptables -A CentOS-1-INPUT -p tcp --syn -j CentOS-1-SYNFLOOD
# SSH, very important
#iptables -A CentOS-1-INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# MySQL
#iptables -A CentOS-1-INPUT -p tcp -m state --state NEW --dport 3306 -j ACCEPT
# SNMP, only from the monitoring host
#iptables -A CentOS-1-INPUT -p udp -s 192.168.1.5 -m state --state NEW --dport 161:162 -j ACCEPT
# HTTP
#iptables -A CentOS-1-INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
# Restrict ICMP to echo-request only, and limit that to 3 packets a second so no one drowns us
#iptables -A CentOS-1-INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 3/s -j ACCEPT
# Drop timestamp requests so the system clock is not disclosed to the network
#iptables -A CentOS-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
# Samba ports that might need to be opened, LAN only (the earlier version used
# 192.0.0.0/8, which is far wider than the RFC 1918 192.168.0.0/16 block; adjust to your LAN)
#iptables -A CentOS-1-INPUT -p udp -s 192.168.0.0/16 -m multiport --dports 137,138 -j ACCEPT
#iptables -A CentOS-1-INPUT -p tcp -s 192.168.0.0/16 -m multiport --dports 139,445 -j ACCEPT
#iptables -A CentOS-1-INPUT -p udp -m multiport --dports 137,138 -j DROP
#iptables -A CentOS-1-INPUT -p tcp -m multiport --dports 139,445 -j DROP
# Replies to connections we opened (DNS answers, for example) come back as ESTABLISHED or RELATED
#iptables -A CentOS-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Bottom line is reject all
#iptables -A CentOS-1-INPUT -j REJECT --reject-with icmp-host-prohibited

## Now let's create a set of outbound rules
# Allow our own traffic to ourselves
#iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
# Never send ICMP timestamp replies; echo replies are fine
#iptables -A OUTPUT -p icmp -m icmp --icmp-type timestamp-reply -j DROP
#iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Let's just allow established and related traffic out
#iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
#iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# HTTP
#iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# HTTPS
#iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# DNS
#iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# DNS (TCP fallback)
#iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# FTP
#iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# NTP
#iptables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
# AD stuff
#iptables -A OUTPUT -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT
#iptables -A OUTPUT -p tcp -m multiport --dports 139,445 -m state --state NEW -j ACCEPT
# Reject the rest
#iptables -A OUTPUT -j REJECT --reject-with icmp-host-prohibited

# This will save your butt, so don't comment it out
echo "Creating and running a save-your-butt script"
# Create and background a recovery script that flushes everything after 3 minutes.
# A flush only restores access while the built-in policies are ACCEPT.
# printf is used instead of "echo -e" so the newlines survive on any /bin/sh.
printf '#!/bin/sh\nsleep 180\niptables -F\n' > save_your_butt.sh
/bin/sh save_your_butt.sh &
SAVE_PID=$!
# Kill by PID: "killall /bin/sh" would also kill every other sh on the box, including yours
printf 'The rules are properly set up, you should kill the saving script:\n\nkill %s && rm save_your_butt.sh\n' "$SAVE_PID"
```

Please note that I commented all the rules out; this is to prevent someone from accidentally applying the rules. The screen portion on the top is the reason I haven't been able to reach these 2 servers I've been working on in the past 2 hours, and the part on the bottom saves your butt if you mess up the config somehow. Basically, other than that, the script is also a good intro to iptables :eek:

I should say that there are many benefits to using a script like this. Most distributions will not automatically save the iptables config. On CentOS, for example, in order to save the configuration you use

    /etc/init.d/iptables save

or alternatively

    iptables-save > /etc/sysconfig/iptables

This is done so that if you bork your config, a reboot (which on servers you can sometimes do remotely) will restore iptables to the previous working state. Managing a script like this, you can always update your firewall configuration. Also, this script, if run in screen, will generate a script that will cancel all your changes in 3 minutes; this reduces the need to reboot, but it won't save your butt if you don't run it in screen (personal experience supports that claim too) :D

Anyways, I think that DRAC is finally loaded (perhaps)... time to fix my mistakes :cup:
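The timed rollback that save_your_butt.sh provides works because CentOS ships the built-in chains with ACCEPT policies, so a plain flush reopens the box; if the policies are DROP, a flush locks you out harder. The snapshot-and-restore variant below is an added example, not part of the original post or script: it records the whole ruleset (rules and policies) with iptables-save before the change and puts it back with iptables-restore unless the change is confirmed in time. The IPTABLES_SAVE and IPTABLES_RESTORE variables are assumed override hooks so the logic can be exercised without root or a live netfilter; the fw_* function names are mine.

```sh
#!/bin/sh
# Timed rollback for remote firewall changes (added example, not the original script).
# Unlike "iptables -F", restoring an iptables-save snapshot also puts the built-in
# chain policies back, so it works whether they were ACCEPT or DROP.
# IPTABLES_SAVE / IPTABLES_RESTORE are assumed hooks so this can be run without
# root; in production leave them unset and the real tools are used.

IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# fw_snapshot FILE: write the current ruleset (rules + policies) to FILE.
# Fails if the dump is empty, so we never arm a rollback to nothing.
fw_snapshot() {
    $IPTABLES_SAVE > "$1" || return 1
    [ -s "$1" ]
}

# fw_arm_rollback SNAPSHOT SECONDS PIDFILE: after SECONDS, restore SNAPSHOT
# unless fw_confirm is called first. The timer's PID is written to PIDFILE.
fw_arm_rollback() {
    snap=$1; secs=$2; pidfile=$3
    [ -s "$snap" ] || { echo "no snapshot at $snap" >&2; return 1; }
    ( sleep "$secs" && $IPTABLES_RESTORE < "$snap" ) &
    echo "$!" > "$pidfile"
}

# fw_confirm PIDFILE: the new rules work, cancel the pending rollback.
# Killing the timer's subshell by PID leaves every other shell alone.
fw_confirm() {
    pid=$(cat "$1") || return 1
    kill "$pid" 2>/dev/null || true
    rm -f "$1"
}

# Typical interactive use (as root, from inside screen or tmux):
#   fw_snapshot /root/fw.before
#   fw_arm_rollback /root/fw.before 180 /root/fw.rollback.pid
#   sh ./firewall.sh                    # apply the new rules
#   fw_confirm /root/fw.rollback.pid    # only once a fresh login still works
```

Confirm from a second, new SSH session rather than the one that applied the rules: the existing connection is already ESTABLISHED and will keep working even when the new rules would block a fresh login.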