This is a bash script for iptables which generates a set of rules that build a "Stateful" firewall. It has been tested against most nmap attacks and blocks them, except when only 1 SYN packet is sent to 1 port; so if more than 3 ports are scanned (something very normal in a stealth scan) it blocks you. It does not block SYN because if it blocked that on port 80 too, for example, it would mean blocking every kind of connection.
Normally it also blocks Xmas, Null, FIN scans etc. etc.; it has also been tested against --scanflags (customised scans where you choose the TCP flags yourself); it blocks spoofing attacks by changing the rule directly in the kernel "core", the change is made in netfilter.
Ah, one thing that is a prerequisite: the kernel must be compiled with conntrack support, otherwise the rules against nmap will not work.
This is version 1.1, so there will be a lot to change and a lot to improve; all the same it is a fairly solid script.
Finally, the script is in English because the site is also in a transition period and will switch to English.
If someone takes the initiative to translate it, thank you.
Code:

#!/bin/sh
#*****************************************************************
#AlbanianWizard Iptables Firewall Script v 1.1 [connection bug fix]
#Tested against most nmap personalised scans,
#To Do : portbunny/unicornscan/ping3 scanning [next versions]
#Author : Arditi
#License : GPLv3
#Contact : arditi[nospam]hush.ai
#WARNINGS: You must be root to run this,
#          This script is designed only for personal pc/laptop boxes, it is not for gateways/routers
#          Don't change the chain/rule-set order
#Technologies for building this mini-firewall:
# a) Static rule based policies (not to be confused with a "static firewall")
# b) Connection based stateful policies
# c) Sanity based policies
#*****************************************************************
#Variables, please check the correct location of iptables
#whereis iptables ; whereis ip6tables
#*****************************************************************
IPT=/sbin/iptables
IPT6=/sbin/ip6tables
MP=/sbin/modprobe
INET=192.168.1.0/24   #Local network (not referenced by the rules below)
IF=eth0
echo "$USER is setting up AW iptables firewall on $HOSTNAME"
#*****************************************************************
#Setting up Connection Tracking Modules
#(legacy module names; on current kernels they are nf_conntrack, nf_nat, nf_conntrack_ftp and nf_nat_ftp)
echo "* [+] Setting up Connection Tracking Modules"
$MP ip_conntrack
$MP iptable_nat
$MP ip_conntrack_ftp
$MP ip_nat_ftp
$MP nfnetlink_log
#*****************************************************************
#Initial Setup
echo "* [+] Setting up Chains"
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT   #Or change to DROP and allow what you want if it is not your personal box
$IPT -N FLOOD_CHAIN
$IPT -N BAD_CHAIN
$IPT -N TCP_CHAIN
$IPT -N ICMP_CHAIN
$IPT -N UDP_CHAIN
$IPT -A INPUT -j FLOOD_CHAIN
$IPT -A INPUT -j BAD_CHAIN
$IPT -A INPUT -j TCP_CHAIN
$IPT -A INPUT -j ICMP_CHAIN
$IPT -A INPUT -j UDP_CHAIN
#*****************************************************************
#Blocking IPV6 traffic
echo "* [+] Blocking all IPV6 Traffic"
$IPT6 -P INPUT DROP
$IPT6 -P FORWARD DROP
$IPT6 -P OUTPUT DROP
#*****************************************************************
#Setting up the Rules
echo "* [+] Setting up the rules"
#Good things :)
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT   #Accept loopback traffic
#Bad things are normal :)
#against -sO IP Protocol Scan (for supported protocols)
$IPT -A INPUT -p sctp -j DROP
$IPT -A INPUT -p gre -j DROP
echo "* [+] Setting up the FLOOD_CHAIN"
#This will only improve the situation; in real life you should use Reactive Address Blocking (RAB)
#This will work for UDP/TCP/ICMP floods sending more than 1 packet/s and also tries to block the nmap -sS scan.
$IPT -A FLOOD_CHAIN -i $IF -m limit --limit 6/s --limit-burst 6 -j RETURN   #Accept only 6 packets/sec; we match only the first 6 packets.
$IPT -A FLOOD_CHAIN -i $IF -j LOG --log-level 7 --log-prefix "# Syn Flood #"
$IPT -A FLOOD_CHAIN -i $IF -j DROP
#***********THE BAD CHAINS *****************************************
echo "* [+] Setting up the BAD_CHAIN"
#$IPT -A BAD_CHAIN -p tcp ! --syn -m state --state NEW -j DROP   #Force --syn packet check for NEW connections, if not DROP IT!
$IPT -A BAD_CHAIN -m conntrack --ctstate INVALID -j DROP   #Enforcing, dropping invalid connections beginning with FIN,PSH,ACK,RST etc..
#Throw away fragmentation attacks
$IPT -A BAD_CHAIN -f -j DROP
#nmap scans not blocked by "INVALID" state
$IPT -A BAD_CHAIN -p tcp -i $IF --tcp-flags ALL SYN,PSH -j DROP
$IPT -A BAD_CHAIN -p tcp -i $IF --tcp-flags ALL SYN,URG -j DROP
$IPT -A BAD_CHAIN -p tcp -i $IF --tcp-flags ALL NONE -j DROP
#Anti-spoofing
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter   #setting to 0 disables spoofing protection
#******************************************************************
echo "* [+] Setting up the TCP_CHAIN"
#WEB-SERVER
$IPT -A TCP_CHAIN -p tcp -i $IF --dport 80 --syn -m state --state NEW -j ACCEPT
$IPT -A TCP_CHAIN -p tcp -i $IF --dport 443 --syn -m state --state NEW -j ACCEPT   #ssl
$IPT -A TCP_CHAIN -m conntrack -i $IF --ctstate ESTABLISHED,RELATED -j ACCEPT   #enforcing
$IPT -A TCP_CHAIN -p tcp -i $IF -j DROP
echo "* [+] Setting up the UDP_CHAIN"
#UDP_CHAIN
#$IPT -A UDP_CHAIN -p udp --dport 53 -j ACCEPT   #uncomment if you want to run a DNS server
$IPT -A UDP_CHAIN -p udp -i $IF -j DROP
echo "* [+] Setting up the ICMP_CHAIN"
#ICMP_CHAIN
#allow ping (rate-limited) | comment out the --icmp-type 8 rule below if you don't want to be pinged :D
$IPT -A ICMP_CHAIN -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ACCEPT
$IPT -A ICMP_CHAIN -p icmp -i $IF -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ACCEPT
$IPT -A ICMP_CHAIN -p icmp -i $IF -j DROP
#Logging dropped things
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROP: " --log-level 7
#°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°#
#Note, these are all some of the common layer-3 attacks, but the real firewall attacks today are with
#Protocol Tunneling / firewall piercing, so for this you need to use Snort, l7-filter or some other
#application designed for performing layer 7 application checks.
#Yes, iptables can do this stuff but it is too resource consuming
#°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°#
#print the configuration
#$IPT -nvL
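The script above only drops and logs; the defender's next step is reading what the two LOG rules (prefix "# Syn Flood #" from FLOOD_CHAIN and "DROP: " from INPUT) write to the kernel log. As an added example that is not part of the original post or the script, here is a small POSIX shell helper that summarises those log lines per source address and log prefix, and flags sources whose logged packets hit more than N distinct destination ports, the "more than 3 ports" pattern the post describes. The function names (summarise_drops, flag_port_scanners) are mine, and the log lines embedded in it are constructed samples in the KEY=VALUE format the iptables LOG target produces.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise what the script's
# LOG rules ("# Syn Flood #" from FLOOD_CHAIN, "DROP: " from INPUT) write to
# the kernel log. Function names and the sample lines are constructed.

# Constructed sample kernel log lines: syslog prefix, printk timestamp, the
# iptables log prefix, then the LOG target's KEY=VALUE fields.
SAMPLE_LOG='Mar  1 12:00:01 laptop kernel: [  100.100001] DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 12:00:02 laptop kernel: [  101.100001] DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 12:00:03 laptop kernel: [  102.100001] DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP SPT=40003 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 12:00:04 laptop kernel: [  103.100001] DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=TCP SPT=40004 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 12:00:05 laptop kernel: [  104.100001] DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.10 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=UDP SPT=5353 DPT=5353 LEN=100
Mar  1 12:00:06 laptop kernel: [  105.100001] # Syn Flood # IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=6 PROTO=TCP SPT=50001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 12:00:07 laptop kernel: [  106.100001] # Syn Flood # IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=TCP SPT=50002 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0'

# summarise_drops: read LOG lines on stdin, print "<count>\t<SRC>\t<log prefix>"
# with the highest count first. The prefix is whatever sits between the
# kernel tag / printk timestamp and the first "IN=" field.
summarise_drops() {
    awk '
        {
            pos = index($0, "IN=")
            if (pos == 0) next                        # not an iptables LOG line
            head = substr($0, 1, pos - 1)
            sub(/^.*kernel: /, "", head)              # strip syslog date and host
            sub(/^\[[^]]*[]] */, "", head)            # strip "[ 123.456] " printk timestamp
            sub(/ +$/, "", head)                      # trailing blank before IN=
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src == "") next
            count[src "\t" head]++
        }
        END {
            for (k in count) print count[k] "\t" k
        }
    ' | sort -rn
}

# flag_port_scanners: print "<SRC>\t<distinct ports>" for every source whose
# logged packets hit more than $1 distinct PROTO/DPT pairs (default 3, the
# "more than 3 ports" pattern the post describes). ICMP lines carry no DPT
# and are ignored.
flag_port_scanners() {
    awk -v min="${1:-3}" '
        {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            key = src SUBSEP proto "/" dpt
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END {
            for (s in ports)
                if (ports[s] > min) print s "\t" ports[s]
        }
    ' | sort
}

# Stand-alone run over the constructed sample. On a real box feed it the
# kernel log instead, e.g.:  journalctl -k | summarise_drops
printf '%s\n' "$SAMPLE_LOG" | summarise_drops
printf '%s\n' "$SAMPLE_LOG" | flag_port_scanners 3
```

The first report shows how much of the logging budget each source consumes per prefix, which is the fastest way to tell a real flood (many "# Syn Flood #" lines from one address) from background noise; the second one turns the script's "more than 3 ports" rule of thumb into something you can check after the fact, since iptables itself only drops and does not correlate ports per source. Note that the INPUT LOG rule is limited to 5 lines per minute, so counts from it are a floor, not the true number of dropped packets.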