Declaration of interpreter and iptables binary location
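#!/bin/bash
# Host firewall: rebuilds the iptables filter table for this host and ends
# with a default-DROP policy on INPUT/OUTPUT/FORWARD. Must run as root.
# Rules are applied live only (nothing below saves them) and are IPv4 only:
# ip6tables is never touched, so IPv6 traffic, if enabled, is not filtered
# by this script.
#
# Path to the iptables binary used by every rule below.
IPFW="/sbin/iptables"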
Declaration of LAN, Core Server, Corporate LAN and their subnets
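# Network declaration. All values are placeholders (A.B.C.D/subnet, ...) and
# must be replaced with real addresses before use.
CORE_SERVER="A.B.C.D/subnet"      # the only host allowed to ICMP this machine
LAN="L.A.N.S/subnet"              # local LAN, granted inbound SSH below
CORPORATE_LAN="A.B.C.D/subnet"    # declared but not referenced by any rule below
# Hosts appended to the SSH and Oracle allow lists (named as RAC nodes).
# A space-separated list; the backslash continues the quoted string.
# Fixed: the closing quote was missing, which swallowed the next line.
RAC_IPS="A.B.C.D/subnet \
M.N.O.P/subnet"
ME="I.J.K.L"                      # presumably this host's own address; unused below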
Port declaration: list all the ports that this host will serve or connect to
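# Port declaration: every service this host serves or consumes.
SSH_PORT="22"
SNMP_PORT="161"
ORACLE_PORT="1521"
DNS_PORT="53"
HTTP_PORT="80"        # declared, but no HTTP/HTTPS rule is built below
HTTPS_PORT="443"
EM_PORT="1158"        # presumably Oracle Enterprise Manager; not used below
RSYNC_PORT="873"
MYSQL_PORT="3306"
SMTP_PORT="25"
NTP_PORT="123"
# Legacy RADIUS auth/acct ports. RFC 2865/2866 assign 1812/1813; confirm
# which pair the RADIUS peers actually use.
RADIUS_PORTS="1645 1646"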
Hosts and subnets that are allowed to reach the services declared above
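# Service allowed IPs: who may open connections TO the services above.
# Fixed: the SSH list read $RAC_IP (never set), so the RAC hosts were
# silently missing from the SSH allow list.
SSH_ALLOWS="$LAN $RAC_IPS"
SNMP_ALLOWS="E.F.G.H/subnet"
HTTP_ALLOWS="E.F.G.H/subnet \
I.J.K.L"                          # no HTTP rule consumes this list below
ORACLE_ALLOWS="E.F.G.H/subnet \
I.J.K.L $RAC_IPS"
RADIUS_ALLOWS="A.B.C.D/subnet M.N.O.P/subnet"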
IPs and subnets of the servers that this host will connect to
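# Servers this host connects TO (outbound client traffic).
DNS_SERVERS="D.N.S.1 D.N.S.2 D.N.S.3"
RSYNC_SERVERS="S.Y.N.C R.S.Y.N/subnet"
MYSQL_SERVERS="M.S.Q.L/subnet"
SMTP_SERVERS="S.M.T.P/subnet"
NTP_SERVERS="N.T.P.S/subnet"
SSH_SERVERS="S.S.H.D/subnet"
# Oracle servers this host is a client of. The server rule section loops over
# this variable but it was never declared; an empty list adds no rules.
ORACLE_SERVERS=""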
Turning on native kernel IPv4 protections at runtime (written to /proc/sys, so they are not persisted across reboots)
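echo "[+] Turning on native Kernel IPv4 protection"

# Write one value to /proc/sys/net/ipv4/<key>. Keys that are missing or not
# writable (not root, or not built into this kernel) are reported instead of
# failing silently, so a hardening step that did not apply is visible.
set_ipv4_sysctl() {
  local key="$1" value="$2"
  local path="/proc/sys/net/ipv4/${key}"
  if [ -w "$path" ]; then
    echo "$value" > "$path"
  else
    echo "[-] cannot write ${path}" >&2
  fi
}

# disable packet forwarding between interfaces (this is a host, not a router)
set_ipv4_sysctl ip_forward 0
# ignore ICMP ECHO and TIMESTAMP requests sent via broadcast/multicast
set_ipv4_sysctl icmp_echo_ignore_broadcasts 1
# do not log bogus ICMP error responses to broadcast frames
set_ipv4_sysctl icmp_ignore_bogus_error_responses 1
# SYN cookies keep the listening ports reachable under a SYN flood
set_ipv4_sysctl tcp_syncookies 1

# Per-interface settings: "all" covers interfaces that exist now, "default"
# the ones brought up later.
for scope in all default; do
  # log packets with impossible (martian) source addresses
  set_ipv4_sysctl "conf/${scope}/log_martians" 1
  # reverse-path source validation (recommended for single-homed hosts)
  set_ipv4_sysctl "conf/${scope}/rp_filter" 1
  # do not send ICMP redirects; a host is not a router
  set_ipv4_sysctl "conf/${scope}/send_redirects" 0
  # do not accept ICMP redirects either: they let an on-link attacker rewrite
  # this host's routes. secure_redirects is set too, as hardening guides do.
  set_ipv4_sysctl "conf/${scope}/accept_redirects" 0
  set_ipv4_sysctl "conf/${scope}/secure_redirects" 0
  # do not accept packets carrying the source-routing (SRR) option
  set_ipv4_sysctl "conf/${scope}/accept_source_route" 0
done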
Flush all the chains in the filter table
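echo "[+] Flushing iptables rules"
# Start from a clean filter table: flush every chain, delete user-defined
# chains and zero the counters. Without -t only the filter table is touched;
# nat/mangle are left as they are.
${IPFW} -F
${IPFW} -X
${IPFW} -Z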
Set the policy for the INPUT, OUTPUT and FORWARD chains
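### Default policy ACCEPT while the rule set is rebuilt
# The policies are flipped to DROP in the last section. Until then the host
# is fully open (fail-open window). Setting DROP first would close that
# window but would stall the SSH session running this script until the
# ESTABLISHED rule below is in place, and would lock the box if the script
# died half-way.
# Fixed: this line was glued to the comment above it and never executed.
${IPFW} -P INPUT ACCEPT
${IPFW} -P OUTPUT ACCEPT
${IPFW} -P FORWARD ACCEPT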
Setting iptables rules for state match
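echo "[+] Setting up INPUT-OUTPUT chain for state"
# Stateful baseline, evaluated before every per-service rule:
#  - INVALID: packets conntrack cannot tie to any flow (bad TCP flags,
#    out-of-window, malformed) are dropped outright;
#  - ESTABLISHED,RELATED: replies to flows already admitted, plus related
#    traffic such as ICMP errors, are accepted, so the per-service rules
#    only need to admit the first packet of a flow.
# "-m state" is the legacy spelling of "-m conntrack --ctstate"; kept for
# compatibility with older iptables.
${IPFW} -A INPUT  -m state --state INVALID -j DROP
${IPFW} -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPFW} -A OUTPUT -m state --state INVALID -j DROP
${IPFW} -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT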
Setting iptables rules for services
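# allow_inbound PROTO CLIENT PORT
#   INPUT:  connections from CLIENT to this host's PORT;
#   OUTPUT: the replies keyed on --sport (already covered by the
#           ESTABLISHED,RELATED rule, kept for symmetry with the original).
allow_inbound() {
  local proto="$1" client="$2" port="$3"
  ${IPFW} -A INPUT  -p "$proto" -s "$client" --dport "$port" -j ACCEPT
  ${IPFW} -A OUTPUT -p "$proto" -d "$client" --sport "$port" -j ACCEPT
}

# The *_ALLOWS lists are deliberately left unquoted so they word-split.
echo "[+] Setting up INPUT-OUTPUT chain for ssh service"
for SSH_ALLOW in ${SSH_ALLOWS}; do
  allow_inbound tcp "$SSH_ALLOW" "$SSH_PORT"
done

echo "[+] Setting up INPUT-OUTPUT chain for snmp service"
# Fixed: the SNMP reply rule was appended to INPUT with -d <manager>; a packet
# addressed to the manager never traverses INPUT, so it never matched. It now
# goes to OUTPUT like every other service section.
for SNMP_ALLOW in ${SNMP_ALLOWS}; do
  allow_inbound udp "$SNMP_ALLOW" "$SNMP_PORT"
done

echo "[+] Setting up INPUT-OUTPUT chain for iBill auth acct port"
# RADIUS authentication and accounting: one rule pair per client per port.
for RADIUS_ALLOW in ${RADIUS_ALLOWS}; do
  for RADIUS_PORT in ${RADIUS_PORTS}; do
    allow_inbound udp "$RADIUS_ALLOW" "$RADIUS_PORT"
  done
done

echo "[+] Setting up INPUT-OUTPUT chain for oracle service"
# Oracle listener, reachable only from the Oracle allow list.
for ORACLE_ALLOW in ${ORACLE_ALLOWS}; do
  allow_inbound tcp "$ORACLE_ALLOW" "$ORACLE_PORT"
done
# NOTE: HTTP_ALLOWS/HTTP_PORT/HTTPS_PORT are declared but no web rule exists;
# add an allow_inbound loop here if this host is meant to serve HTTP(S).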
Setting iptables rules for the remote servers this host connects to
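# Each *_SERVERS list names hosts this machine connects TO. For every entry
# two rules are added: OUTPUT for the connection itself (--dport) and INPUT
# for the replies (--sport). The reply rule is limited to ESTABLISHED flows:
# keyed on the remote source port alone, it would let any host at that
# address reach every local port just by sending from port 1521/53/3306/...,
# i.e. it trusts a port the peer chooses. The state match removes that.
#
# allow_outbound PROTO SERVER PORT
allow_outbound() {
  local proto="$1" server="$2" port="$3"
  ${IPFW} -A INPUT  -p "$proto" -s "$server" --sport "$port" \
          -m state --state ESTABLISHED -j ACCEPT
  ${IPFW} -A OUTPUT -p "$proto" -d "$server" --dport "$port" -j ACCEPT
}

# Fixed: the opening brace was glued to the word list ("${ORACLE_SERVERS}{"),
# a syntax error that stops bash here and leaves everything below unapplied.
# ORACLE_SERVERS must be declared with the other *_SERVERS lists (empty is ok).
echo "[+] Setting up INPUT-OUTPUT chain for oracle servers"
for ORACLE_SERVER in ${ORACLE_SERVERS}; do
  allow_outbound tcp "$ORACLE_SERVER" "$ORACLE_PORT"
done

echo "[+] Setting up INPUT-OUTPUT chain for dns servers"
for DNS_SERVER in ${DNS_SERVERS}; do
  allow_outbound udp "$DNS_SERVER" "$DNS_PORT"
done

echo "[+] Setting up INPUT-OUTPUT chain for mysql servers"
for MYSQL_SERVER in ${MYSQL_SERVERS}; do
  allow_outbound tcp "$MYSQL_SERVER" "$MYSQL_PORT"
done

for RSYNC_SERVER in ${RSYNC_SERVERS}; do
  allow_outbound tcp "$RSYNC_SERVER" "$RSYNC_PORT"
done

for SMTP_SERVER in ${SMTP_SERVERS}; do
  allow_outbound tcp "$SMTP_SERVER" "$SMTP_PORT"
done

for NTP_SERVER in ${NTP_SERVERS}; do
  allow_outbound udp "$NTP_SERVER" "$NTP_PORT"
done

# Fixed: the original passed the literal word SSH_PORT (missing "$"), which
# iptables rejects, so no outbound-SSH rule was ever installed.
for SSH_SERVER in ${SSH_SERVERS}; do
  allow_outbound tcp "$SSH_SERVER" "$SSH_PORT"
done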
Setting iptables rules for the ICMP protocol
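echo "[+] Setting up INPUT-OUTPUT chain for icmp"
# Inbound ICMP: only echo-request, and only from the core server, so it can
# ping-monitor this host. ICMP errors that belong to our own flows
# (unreachable, fragmentation-needed) are already admitted as RELATED by the
# state rules, so no other inbound ICMP type is needed. Outbound ICMP is open.
${IPFW} -A INPUT  -p icmp --icmp-type echo-request -s "$CORE_SERVER" -j ACCEPT
${IPFW} -A OUTPUT -p icmp -j ACCEPT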
Setting iptables rules for localhost
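echo "[+] Setting up INPUT-OUTPUT chain for localhost"
# Match on the loopback interface rather than on the address 127.0.0.1: this
# also covers the rest of 127.0.0.0/8 and local traffic sent to the host's
# own IP, and does not rely on the kernel's martian handling for packets
# claiming 127.0.0.1 that arrive on a real interface.
${IPFW} -A INPUT  -i lo -j ACCEPT
${IPFW} -A OUTPUT -o lo -j ACCEPT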
Setting iptables rules for blacklisted ports such as NetBIOS
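# Drop all blacklisted ports (NetBIOS 135-139, SMB 445, SSDP 1900, 4444)
# silently, ahead of the LOG rules, so this constant background noise does
# not fill the log. The default policy would drop them anyway.
# Fixed: the first DROP rule was glued to this comment and never executed.
BLACKLIST_PORTS="135:139 445 1900 4444"
for BL_PORT in ${BLACKLIST_PORTS}; do
  ${IPFW} -A INPUT -p tcp --dport "$BL_PORT" -j DROP
  ${IPFW} -A INPUT -p udp --dport "$BL_PORT" -j DROP
done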
Logging all remaining packets for further diagnosis
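echo "[+] Setting up Logging all remaining packets"
# Anything reaching this point is about to be dropped by the default policy.
# Log it with a recognisable prefix, rate-limited: an unlimited -j LOG is
# itself a DoS vector (a flood fills the disk and drowns the kernel log).
# Packets beyond the limit are dropped unlogged. All protocols are logged,
# not only TCP/UDP as before.
${IPFW} -A INPUT  -m limit --limit 5/min --limit-burst 20 \
        -j LOG --log-prefix "IPT-DROP-IN: " --log-level 4
${IPFW} -A OUTPUT -m limit --limit 5/min --limit-burst 20 \
        -j LOG --log-prefix "IPT-DROP-OUT: " --log-level 4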
Setting default policy to DROP
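echo "[+] Setting up DEFAULT policy to DROP"
### Default policy DROP (the original comment wrongly said ACCEPT)
# Everything not explicitly accepted above is now dropped on all three
# chains. FORWARD is DROP as well, on top of ip_forward=0 set earlier.
${IPFW} -P INPUT DROP
${IPFW} -P OUTPUT DROP
${IPFW} -P FORWARD DROP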