AW iptables firewall bash script 1.0 personal edition

Hi there,

Update: this is now bug-fix release 1.1. The firewall was too restrictive and didn’t allow fast internet browsing; fixed :)

First of all, from now on this website will be in English. If someone from the staff would like to translate, I can add a subdomain with a new WordPress installation.
So, this is a simple bash script which creates a stateful iptables firewall designed to block the most common layer 3 & 4 attacks on personal boxes [not for gateways].
Implemented:
a) Static rule-based policies (not to be confused with a “static firewall”)
b) Connection-based stateful policies
c) Sanity-based policies
I have tested it and it blocks most nmap port scans, SYN floods and spoofing attacks, and filters all ports, even open ones, if nmap sends more than 1 packet/s (very normal). I also wanted to block IPv6 traffic.
Here is the link ,
Enjoy:

[cc lang="bash" tabsize="4"]

#!/bin/sh
#*****************************************************************
#AlbanianWizard Iptables Firewall Script v 1.1 [connection bug fix]
#Tested against most nmap personalised scans,
#To Do : portbunny/unicornscan/ping3 scanning [next versions]
#Author : Arditi
#License : GPLv3
#Contact : arditi[nospam]hush.ai
#WARNINGS: You must be root to run this,
#      This script is designed only for personal pc/laptop boxes, it is not for gateways/routers
#          Don't change the chain/rule-set order
#Technologies for building this mini-firewall:
# a) Static rule based policies (not to be confused with a "static firewall")
# b) Connection based stateful policies
# c) Sanity based policies
#*****************************************************************
#Variables, please check the correct location of iptables
#whereis iptables ; whereis ip6tables
#*****************************************************************
IPT=/usr/sbin/iptables
IPT6=/usr/sbin/ip6tables
MP=/sbin/modprobe
INET=192.168.1.0/24   #Local network; not used by the rules below, kept for your own customisation (/8 did not match the address)
IF=wlan0              #Interface facing the network
echo "$USER is setting up AW iptables firewall on $HOSTNAME"
#*****************************************************************
#Setting up Connection Tracking Modules
#Newer kernels name these nf_conntrack / nf_conntrack_ftp / nf_nat_ftp; the old ip_* names are tried as fallback
echo "* [+] Setting up Connection Tracking Modules"
$MP nf_conntrack     2>/dev/null || $MP ip_conntrack
$MP iptable_nat
$MP nf_conntrack_ftp 2>/dev/null || $MP ip_conntrack_ftp
$MP nf_nat_ftp       2>/dev/null || $MP ip_nat_ftp
$MP nfnetlink_log
#*****************************************************************
#Initial Setup
echo "* [+] Setting up Chains"
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT #Or change to DROP and allow what you want if it is not your personal box
$IPT -N FLOOD_CHAIN
$IPT -N BAD_CHAIN
$IPT -N TCP_CHAIN
$IPT -N ICMP_CHAIN
$IPT -N UDP_CHAIN
#Good things :)
$IPT -A INPUT -i lo -j ACCEPT #Accept loopback traffic
#Order matters: the flood and sanity chains see every packet, then replies to connections this
#box opened itself (DNS answers, ping replies, downloads) are accepted BEFORE the per-protocol
#chains, which end in an unconditional DROP. With this ACCEPT placed after the jumps,
#UDP_CHAIN and ICMP_CHAIN would silently kill DNS and ping replies.
$IPT -A INPUT -j FLOOD_CHAIN
$IPT -A INPUT -j BAD_CHAIN
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -j TCP_CHAIN
$IPT -A INPUT -j ICMP_CHAIN
$IPT -A INPUT -j UDP_CHAIN
#*****************************************************************
#Blocking IPV6 traffic
echo "* [+] Blocking all IPV6 Traffic"
$IPT6 -P INPUT DROP
$IPT6 -P FORWARD DROP
$IPT6 -P OUTPUT DROP
#*****************************************************************
#Setting up the Rules
echo "* [+] Setting up the rules"
#Bad things are normal :)
#against -sO IP Protocol Scan (for supported protocols)
$IPT -A INPUT -p sctp -j DROP
$IPT -A INPUT -p 47 -j DROP #GRE
echo "* [+] Setting up the FLOOD_CHAIN"
#This only improves the situation; in real life you should use Reactive Address Blocking (RAB)
#This works against UDP/TCP/ICMP floods and also tries to slow down an nmap -sS scan.
#The limit match is a token bucket: up to 150 packets pass at once (the burst), refilled at 150/s;
#everything above that falls through to the LOG and DROP rules below.
$IPT -A FLOOD_CHAIN -i $IF -m limit --limit 150/s --limit-burst 150 -j RETURN
$IPT -A FLOOD_CHAIN -i $IF -j LOG --log-level 7 --log-prefix "# Syn Flood #"
$IPT -A FLOOD_CHAIN -i $IF -j DROP
#***********THE BAD CHAINS *****************************************
echo "* [+] Setting up the BAD_CHAIN"
#$IPT -A BAD_CHAIN -p tcp ! --syn -m state --state NEW -j DROP #Force --syn packet check for NEW connections, if not DROP IT!
$IPT -A BAD_CHAIN -m conntrack --ctstate INVALID -j DROP #Enforcing, dropping invalid connections beginning with FIN,PSH,ACK,RST etc..
#Throw away fragmentation attacks
$IPT -A BAD_CHAIN -f -j DROP
#nmap scans not blocked by "INVALID" state
$IPT -A BAD_CHAIN -p tcp -i $IF --tcp-flags ALL SYN,PSH -j DROP
$IPT -A BAD_CHAIN -p tcp -i $IF --tcp-flags ALL SYN,URG -j DROP
$IPT -A BAD_CHAIN -p tcp -i $IF --tcp-flags ALL NONE -j DROP
#Anti-spoofing
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter #setting it to 0 disables spoofing protection
#******************************************************************
echo "* [+] Setting up the TCP_CHAIN"
#WEB-SERVER
$IPT -A TCP_CHAIN -p tcp -i $IF --dport 80 --syn -m state --state NEW -j ACCEPT
$IPT -A TCP_CHAIN -p tcp -i $IF --dport 443 --syn -m state --state NEW -j ACCEPT #ssl
$IPT -A TCP_CHAIN -i $IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT #enforcing (redundant with the INPUT rule above, kept as a safety net)
$IPT -A TCP_CHAIN -p tcp -i $IF -j DROP
echo "* [+] Setting up the UDP_CHAIN"
#UDP_CHAIN
#$IPT -A UDP_CHAIN -p udp --dport 53 -j ACCEPT  #if you want to run a DNS server
$IPT -A UDP_CHAIN -p udp -i $IF -j DROP
echo "* [+] Setting up the ICMP_CHAIN"
#ICMP_CHAIN
#Ping: replies to your own pings are already accepted by the ESTABLISHED,RELATED rule in INPUT;
#the two rules below let others ping / traceroute you at most 3 packets/sec per src,dst pair.
#Comment them out if you don't want to be pingable.
$IPT -A ICMP_CHAIN -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ACCEPT
$IPT -A ICMP_CHAIN -p icmp -i $IF -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ACCEPT
$IPT -A ICMP_CHAIN -p icmp -i $IF -j DROP
#Logging dropped things
#Note: the per-protocol chains DROP directly, so this only logs what reaches the end of INPUT
#(traffic on other interfaces, or IP protocols not handled above) before the DROP policy applies.
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROP: " --log-level 7

#°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°#
#Note, these are only some of the common layer-3 attacks, but the real firewall attacks today use
#protocol tunneling or firewall piercing, so for those you need Snort, l7-firewall or some other
#application designed to perform layer 7 application checks.
#Yes, iptables can do this stuff, but it is too resource consuming
#°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°#
#print the configuration
$IPT -nvL
[/cc]

Save it as firewall.sh, then execute it as root with sh firewall.sh and it will print the rules :)
GPLv3.
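After loading the rules it is worth checking that the INPUT chain really does what the script intends, because the symptom of a wrong order (DNS answers and ping replies dropped by UDP_CHAIN / ICMP_CHAIN) looks exactly like the "too restrictive" behaviour described above. The audit below is an added example and not part of the firewall script: it reads an iptables-save dump (from stdin) and checks that INPUT/FORWARD default to DROP and that the conntrack ESTABLISHED,RELATED ACCEPT in INPUT comes before the first jump into TCP_CHAIN/UDP_CHAIN/ICMP_CHAIN. The two embedded dumps are constructed samples, not captures from a real box.

```bash
#!/bin/sh
# Added example (not part of the original firewall script): audit an
# iptables-save dump for the two properties this firewall depends on:
#  1. INPUT and FORWARD default to DROP;
#  2. INPUT accepts conntrack ESTABLISHED,RELATED traffic BEFORE jumping into
#     the per-protocol chains, whose last rule is an unconditional DROP.
# If the jumps come first, UDP_CHAIN / ICMP_CHAIN drop the DNS answers and ping
# replies belonging to connections the box itself opened.
#
# Usage:  iptables-save | audit_ruleset      (exit status 0 = OK, 1 = problem)
audit_ruleset() {
    awk '
    /^:INPUT /   { if ($2 != "DROP") { print "FAIL: INPUT policy is " $2 ", expected DROP"; bad = 1 } }
    /^:FORWARD / { if ($2 != "DROP") { print "FAIL: FORWARD policy is " $2 ", expected DROP"; bad = 1 } }
    /^-A INPUT / {
        n++
        # iptables-save may write ESTABLISHED,RELATED or RELATED,ESTABLISHED,
        # and either -m state --state or -m conntrack --ctstate
        if (!est  && $0 ~ /--(ctstate|state) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT/) est = n
        if (!jump && $0 ~ /-j (TCP|UDP|ICMP)_CHAIN$/) jump = n
    }
    END {
        if (!est) {
            print "FAIL: INPUT has no ESTABLISHED,RELATED ACCEPT rule"; bad = 1
        } else if (jump && jump < est) {
            print "FAIL: jump to a protocol chain at INPUT rule " jump " precedes the ESTABLISHED,RELATED ACCEPT at rule " est
            bad = 1
        } else {
            print "OK: ESTABLISHED,RELATED ACCEPT is INPUT rule " est " (protocol chains start at rule " jump ")"
        }
        exit bad
    }'
}

# Constructed sample (not a real capture): INPUT with the jumps appended first
# and the ESTABLISHED,RELATED ACCEPT afterwards - the order that breaks replies.
BROKEN_ORDER='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:UDP_CHAIN - [0:0]
-A INPUT -j FLOOD_CHAIN
-A INPUT -j BAD_CHAIN
-A INPUT -j TCP_CHAIN
-A INPUT -j ICMP_CHAIN
-A INPUT -j UDP_CHAIN
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A UDP_CHAIN -i wlan0 -p udp -j DROP
COMMIT'

# Constructed sample: same rules with the ACCEPT moved ahead of the protocol chains.
FIXED_ORDER='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:UDP_CHAIN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j FLOOD_CHAIN
-A INPUT -j BAD_CHAIN
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j TCP_CHAIN
-A INPUT -j ICMP_CHAIN
-A INPUT -j UDP_CHAIN
-A UDP_CHAIN -i wlan0 -p udp -j DROP
COMMIT'

# Wrappers so each sample can be checked by exit status.
check_broken_order() { printf '%s\n' "$BROKEN_ORDER" | audit_ruleset; }
check_fixed_order()  { printf '%s\n' "$FIXED_ORDER"  | audit_ruleset; }

check_broken_order || echo "(broken sample rejected, as expected)"
check_fixed_order
```

On a live box run `iptables-save | audit_ruleset` as root after the firewall script; the check deliberately accepts both the `-m state --state` and `-m conntrack --ctstate` spellings because iptables-save normalises them differently across versions.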



2 Responses to “AW iptables firewall bash script 1.0 personal edition”

  1. arditi October 16, 2010 at 7:50 pm #

    I’m currently fixing other problems with it; it’s indeed very restrictive and has some issues with downloads, but I think now it’s fine.

    Please suggest any problems if you test it.

Trackbacks/Pingbacks

  1. IPTables Command Reference short command reference | AlbanianWizard - October 15, 2010

    [...] or for a “real life” situation please check my simple (home) iptables firewall at : http://albanianwizard.org/aw-iptables-firewall-bash-script-1-0-personal-edition.albanianwizard it’s great and tested, and also anti-NMAP proof. iptables command reference, iptables list [...]
