# ------------------------------------------------------------------------------------------
# --
# ------------------------------------------------------------------------------------------
IPT=/usr/sbin/iptables   # iptables binary used for every rule in this script
EXTINT=eth3              # the externally connected interface; every pinhole below is bound to it (eth0-eth2 are trusted wholesale in SECTION 0.5)
EXTIP=130.88.zyx.wvu     # this host's address on EXTINT (octets as published in this copy)
# ------------------------------------------------------------------------------------------
# -- SECTION 0.3 :: :
# ------------------------------------------------------------------------------------------
# Pull in the rule helpers this script relies on: restart_chain_ssh_service,
# local_interface_rules, allow_tcp_in/allow_udp_in and allow_tcp_out/allow_udp_out.
# They are not defined here; see the sourced file for what each actually appends.
source /root/etc/iptables.rules.functions.sh
# ------------------------------------------------------------------------------------------
# --
# ------------------------------------------------------------------------------------------
# Mode selection on $1. Only --restart-total continues into the full rebuild below;
# --restart-ssh-service just refreshes the SSH_SERVICE chain and leaves everything else alone.
case "$1" in
  --restart-ssh-service)
    restart_chain_ssh_service
    exit
    ;;
  --restart-total)
    printf '\nTotal restart...\n'
    ;;
  *)
    # No (or unknown) argument: print usage and do nothing to the live rule set.
    printf '\nDoing nothing.\n'
    printf '\nUsage:\n'
    printf ' --restart-ssh-service\n'
    printf ' --restart-total [--no-revert]\n'
    printf '\n\n'
    exit
    ;;
esac
# ------------------------------------------------------------------------------------------
# -- SECTION 0.1 :: Start by cleaning the bath :
# ------------------------------------------------------------------------------------------
# Flush every rule and delete every user-defined chain in the three tables we touch.
for table in filter nat mangle ; do
  $IPT -t "$table" -F
  $IPT -t "$table" -X
done
# Open the policies while the rule set is rebuilt; SECTION 9 flips them to DROP once every
# rule is in place. Until then (and if this script dies part-way, since no command's exit
# status is checked) the host is protected only by whatever has already been appended.
for chain in INPUT OUTPUT FORWARD ; do
  $IPT -t filter -P "$chain" ACCEPT
done
# ------------------------------------------------------------------------------------------
# -- SECTION 0.2 :: DEBUG :
# ------------------------------------------------------------------------------------------
# ...just in case we get it horribly wrong, here are some liferafts for the sysadmins...
# Sysadmin liferafts: every TCP port, both directions, for these two hosts. They are the
# very first rules appended (ahead of the ESTABLISHED/RELATED match), so nothing further
# down can lock the admins out, and they do not depend on connection tracking.
for admin_host in 130.88.pqr.aaa 130.88.pqr.aab ; do
  $IPT -t filter -A INPUT  -i "$EXTINT" -p tcp -s "$admin_host" -j ACCEPT
  $IPT -t filter -A OUTPUT -o "$EXTINT" -p tcp -d "$admin_host" -j ACCEPT
done
# ------------------------------------------------------------------------------------------
# --
# ------------------------------------------------------------------------------------------
# -- allow traffic from an existing connection:
#
# Anything belonging to a connection conntrack already knows about passes in both
# directions; the pinhole chains below therefore only ever see the first packet of a flow.
for chain in INPUT OUTPUT ; do
  $IPT -t filter -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done
# ------------------------------------------------------------------------------------------
# -- Safety net: revert to the last saved rule set after a few minutes unless told otherwise :
# ------------------------------------------------------------------------------------------
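# Safety net against locking ourselves out. Unless $2 is --no-revert, an at(1) job is queued
# that reloads the last saved rule set after REVERT_TIME; the operator cancels it by hand once
# the new rules are known to be good.
Q_REV=""
REVERT_TIME="2 minutes"
if [ "$2" == "--no-revert" ] ; then
  printf '\nNot reverting...\n'
  # Insist on the literal word NOREVERT so a stray Enter cannot disable the safety net.
  until [ "$Q_REV" == "NOREVERT" ] ; do
    printf ' ...enter NOREVERT to confirm or Ctrl-C to exit...\n'
    # read(1) fails at EOF (stdin not a terminal); without this guard the loop would spin
    # forever with Q_REV empty. Abort instead, as Ctrl-C would.
    if ! read -r Q_REV ; then
      printf '\nstdin closed before NOREVERT was confirmed --- aborting.\n' >&2
      exit 1
    fi
  done
  printf 'Confirmed --- NOT reverting...\n'
else
  printf '\nWill revert to saved set in %s...\n' "$REVERT_TIME"
  sleep 1
  AT_CMD="at -m -f /root/etc/iptables.load_active.sh now + $REVERT_TIME"
  printf '\nReverting using:\n'
  printf ' %s\n\n' "$AT_CMD"
  # Word-splitting of AT_CMD is intentional: "now + 2 minutes" must reach at(1) as separate words.
  # If the job cannot be queued (e.g. no atd), stop here rather than carry on with no safety
  # net; the tables were flushed above with policies ACCEPT, so the operator must re-run
  # (or re-run with --no-revert) straight away.
  # shellcheck disable=SC2086
  if ! $AT_CMD ; then
    printf '\nCould not queue the revert job --- aborting rather than continuing without a safety net.\n' >&2
    exit 1
  fi
  printf '\nIssuing remaining firewall commands...\n'
fi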
# ------------------------------------------------------------------------------------------
# -- SECTION 0.4 ::
# ------------------------------------------------------------------------------------------
#
# -- some things seem to like to send externally-addressed traffic over any and
# all interfaces :
#
# Locally generated traffic that carries our own external address may be delivered over
# whichever interface the kernel picks, so match it by address rather than by interface.
$IPT -t filter -A INPUT  -s "$EXTIP" -j ACCEPT
$IPT -t filter -A OUTPUT -d "$EXTIP" -j ACCEPT
#
# Deliberately NOT "-A INPUT -d $EXTIP -j ACCEPT" nor "-A OUTPUT -s $EXTIP -j ACCEPT":
# that would accept every packet addressed to/from us and bypass all the pinhole chains below.
#
# NOTE(review): the INPUT rule keys on source address alone, so it relies on the kernel
# discarding packets that arrive on a physical interface claiming our own address as source;
# appending "! -i $EXTINT" to it would make that assumption explicit — confirm before changing.
# ------------------------------------------------------------------------------------------
# -- SECTION 0.5 :: Other interfaces :
# ------------------------------------------------------------------------------------------
# The three internal interfaces are trusted wholesale: no filtering at all in either direction.
for trusted_if in eth0 eth1 eth2 ; do
  $IPT -t filter -A INPUT  -i "$trusted_if" -j ACCEPT
  $IPT -t filter -A OUTPUT -o "$trusted_if" -j ACCEPT
done
# ------------------------------------------------------------------------------------------
# -- SECTION 0.6 :: Local Interface :
# ------------------------------------------------------------------------------------------
# Loopback handling lives in the sourced helper; the chain name suggests anti-spoofing
# rules for lo, but what it appends is only visible in iptables.rules.functions.sh.
local_interface_rules LO_SPOOF
# ==========================================================================================
# == SECTION 1 :: TRUSTED HOSTS :
# ==========================================================================================
# ...trusted host stuff is the first major section...
# TRUSTED_HOST is an unconditional ACCEPT: every chain that jumps here (BACKUPS, PATCHING)
# grants the matched peer all protocols and all ports in that direction.
$IPT -t filter -N TRUSTED_HOST
$IPT -t filter -A TRUSTED_HOST -j ACCEPT
# ------------------------------------------------------------------------------------------
# -- Backups :
# ------------------------------------------------------------------------------------------
# Backup servers: full bidirectional access (via TRUSTED_HOST) between EXTIP and each host.
$IPT -t filter -N BACKUPS
for backup_host in tbu.abc tbu.abd ; do
  $IPT -t filter -A INPUT  -i "$EXTINT" -d "$EXTIP" -s "130.88.$backup_host" -j BACKUPS
  $IPT -t filter -A OUTPUT -o "$EXTINT" -s "$EXTIP" -d "130.88.$backup_host" -j BACKUPS
done
$IPT -t filter -A BACKUPS -j TRUSTED_HOST
# ------------------------------------------------------------------------------------------
# -- Patching :
# ------------------------------------------------------------------------------------------
# Patch sources: full bidirectional access (via TRUSTED_HOST). These are given as DNS names,
# which iptables resolves when the rule is appended, so the match is only as good as the
# answer obtained at load time (and the append fails outright if the name does not resolve).
$IPT -t filter -N PATCHING
for patch_host in www.vendor.country mirror.dom ; do
  $IPT -t filter -A OUTPUT -o "$EXTINT" -s "$EXTIP" -d "$patch_host" -j PATCHING
  $IPT -t filter -A INPUT  -i "$EXTINT" -d "$EXTIP" -s "$patch_host" -j PATCHING
done
$IPT -t filter -A PATCHING -j TRUSTED_HOST
# ==========================================================================================
# == SECTION 2 :: PINHOLE LOOKUPS and OUTBOUND CONNECTIONS :
# ==========================================================================================
# ------------------------------------------------------------------------------------------
# -- DNS :
# ------------------------------------------------------------------------------------------
# ...we want to talk to our local DNS servers...
# DNS pinhole: our UDP/53 queries out and the matching replies in are steered into
# DNS_LOOKUPS, where allow_udp_out admits only the three listed resolvers; anything else
# on UDP/53 is logged and dropped.
$IPT -t filter -N DNS_LOOKUPS
$IPT -t filter -A OUTPUT -o "$EXTINT" -s "$EXTIP" -p udp --dport 53 -j DNS_LOOKUPS
$IPT -t filter -A INPUT  -i "$EXTINT" -d "$EXTIP" -p udp --sport 53 -j DNS_LOOKUPS
allow_udp_out DNS_LOOKUPS 130.88.ac.efg 130.88.ac.efh 130.88.baa.ghi
$IPT -t filter -A DNS_LOOKUPS -j LOG --log-prefix " **DNS_LOOKUPS DROP** "
$IPT -t filter -A DNS_LOOKUPS -j DROP
#
# -- Pinhole chain:
# -- default-log-and-drop;
# -- we should use only trusted DNS servers, else nothing is secure!
#
# ------------------------------------------------------------------------------------------
# -- SysLog :
# ------------------------------------------------------------------------------------------
# ...allow out UDP packets to our remote syslog servers...
# Remote syslog pinhole: UDP/514 out (and replies in) only to the two listed collectors;
# default log-and-drop for any other UDP/514 traffic.
$IPT -t filter -N SYSLOG_OUT
$IPT -t filter -A OUTPUT -o "$EXTINT" -s "$EXTIP" -p udp --dport 514 -j SYSLOG_OUT
$IPT -t filter -A INPUT  -i "$EXTINT" -d "$EXTIP" -p udp --sport 514 -j SYSLOG_OUT
allow_udp_out SYSLOG_OUT syslogone.manc.ac.uk syslogtwo.manc.ac.uk
$IPT -t filter -A SYSLOG_OUT -j LOG --log-prefix " **SYSLOG_OUT DROP** "
$IPT -t filter -A SYSLOG_OUT -j DROP
#
# -- Pinhole chain:
# -- default-log-and-drop;
# -- we should copy syslogs to only trusted syslog servers...
#
# ------------------------------------------------------------------------------------------
# -- SMTP :
# ------------------------------------------------------------------------------------------
# ...allow out email to given router (e.g., "your job has finished..."), but no
# connection inward...
# Outbound mail pinhole: TCP/25 from us to the single relay only. Nothing inbound on port 25
# is opened here — the INPUT hook only catches replies (source port 25) to our own connections.
$IPT -t filter -N SMTP_OUT
$IPT -t filter -A OUTPUT -o "$EXTINT" -s "$EXTIP" -p tcp --dport 25 -j SMTP_OUT
$IPT -t filter -A INPUT  -i "$EXTINT" -d "$EXTIP" -p tcp --sport 25 -j SMTP_OUT
allow_tcp_out SMTP_OUT relay.manc.ac.uk
$IPT -t filter -A SMTP_OUT -j LOG --log-prefix " **SMTP_OUT DROP** "
$IPT -t filter -A SMTP_OUT -j DROP
#
# -- Pinhole chain:
# -- default-log-and-drop;
# -- we should be using the UoM SMTP relay for everything.
#
# ------------------------------------------------------------------------------------------
# -- NTP (Pub Int) :
# ------------------------------------------------------------------------------------------
# ...we want to talk to our local NTP servers...
# NTP pinhole: UDP/123 out (and replies in) only to the two listed time servers;
# everything else on UDP/123 is logged and dropped.
$IPT -t filter -N NTP_LOOKUPS
$IPT -t filter -A OUTPUT -o "$EXTINT" -s "$EXTIP" -p udp --dport 123 -j NTP_LOOKUPS
$IPT -t filter -A INPUT  -i "$EXTINT" -d "$EXTIP" -p udp --sport 123 -j NTP_LOOKUPS
allow_udp_out NTP_LOOKUPS ntpone.manc.ac.uk ntptwo.manc.ac.uk
$IPT -t filter -A NTP_LOOKUPS -j LOG --log-prefix " **NTP_LOOKUPS DROP** "
$IPT -t filter -A NTP_LOOKUPS -j DROP
#
# -- Pinhole chain:
# -- default-log-and-drop:
# -- getting time right is important for security, so use only
# trusted NTP boxen.
#
# ==========================================================================================
# == SECTION 3 :: SERVICES ON LOW-NUMBERED PORTS :
# ==========================================================================================
# ------------------------------------------------------------------------------------------
# -- Web Service :
# ------------------------------------------------------------------------------------------
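# Web service pinhole. Client requests arrive with *destination* port 80/443 and our replies
# leave with *source* port 80/443 — the same orientation as SSH_SERVICE and GANGLIA_SERVICE
# below. NB: the INPUT hook must use --dports; matching --sports 80,443 on INPUT would only
# catch replies from remote web servers and would never steer a client's request into this
# chain (new connections would instead fall through to the default log-and-drop).
$IPT -N WEB_SERVICE
$IPT -t filter -A INPUT -i $EXTINT -d $EXTIP -p tcp -m multiport --dports 80,443 -j WEB_SERVICE
$IPT -t filter -A OUTPUT -o $EXTINT -s $EXTIP -p tcp -m multiport --sports 80,443 -j WEB_SERVICE
# Only the campus range may reach the service; anything else on these ports is logged and dropped.
allow_tcp_in WEB_SERVICE 130.88.0.0/16
$IPT -t filter -A WEB_SERVICE -j LOG --log-prefix " **WEB_SERVICE DROP** "
$IPT -t filter -A WEB_SERVICE -j DROP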
#
# -- Pinhole chain for service on low-numbered port:
# -- default-log-and-drop;
# -- should be no other traffic to/from our port 80;
#
# ------------------------------------------------------------------------------------------
# -- SSH Service :
# ------------------------------------------------------------------------------------------
# Inbound SSH pinhole: requests to our port 22 and our replies from it. The chain's contents
# (and, presumably, its terminating log-and-drop) come from restart_chain_ssh_service, the same
# helper that --restart-ssh-service runs on its own — confirm in the sourced file.
$IPT -t filter -N SSH_SERVICE
$IPT -t filter -A INPUT  -i "$EXTINT" -d "$EXTIP" -p tcp --dport 22 -j SSH_SERVICE
$IPT -t filter -A OUTPUT -o "$EXTINT" -s "$EXTIP" -p tcp --sport 22 -j SSH_SERVICE
restart_chain_ssh_service
# ==========================================================================================
# == SECTION 4 :: SERVICES USING HIGH-NUMBERED PORTS :
# ==========================================================================================
# ------------------------------------------------------------------------------------------
# -- Ganglia "Service" :
# ------------------------------------------------------------------------------------------
# ...allow Man4 to talk to our Ganglia-related daemons...
# Ganglia-related daemons: TCP and UDP on the listed ports, hooked in both directions.
$IPT -t filter -N GANGLIA_SERVICE
for proto in tcp udp ; do
  $IPT -t filter -A INPUT  -i "$EXTINT" -d "$EXTIP" -p "$proto" -m multiport --dports 8443,8649,8651,8652 -j GANGLIA_SERVICE
  $IPT -t filter -A OUTPUT -o "$EXTINT" -s "$EXTIP" -p "$proto" -m multiport --sports 8443,8649,8651,8652 -j GANGLIA_SERVICE
done
allow_tcp_in GANGLIA_SERVICE ganglia.manc.ac.uk
allow_udp_in GANGLIA_SERVICE ganglia.manc.ac.uk
#
# Chain tail (still marked DEVEL by the author): only NEW packets arriving from outside are
# dropped here; everything else is logged and then falls off the end of the chain with no
# verdict, i.e. it returns to INPUT/OUTPUT and is judged by the rules that follow (ultimately
# the default log-and-drop in SECTION 8). This keeps e.g. 8443 usable as a source port for
# outgoing connections while the port list is still being settled.
#
$IPT -t filter -A GANGLIA_SERVICE -i "$EXTINT" -d "$EXTIP" -m state --state NEW -j LOG --log-prefix " **GANGLIA_SERVICE: DROP** "
$IPT -t filter -A GANGLIA_SERVICE -i "$EXTINT" -d "$EXTIP" -m state --state NEW -j DROP
$IPT -t filter -A GANGLIA_SERVICE -j LOG --log-prefix " **GANGLIA_SERVICE: LOG** "
# ==========================================================================================
# == SECTION 5 :: OUTREACH :
# ==========================================================================================
# ------------------------------------------------------------------------------------------
# -- SSH outwards :
# ------------------------------------------------------------------------------------------
# Outbound SSH pinhole: connections from us to port 22 (and their replies) are allowed only
# to the two sysadmin hosts; any other outbound SSH is logged and dropped.
$IPT -t filter -N SSH_FROM_US
$IPT -t filter -A OUTPUT -o "$EXTINT" -s "$EXTIP" -p tcp --dport 22 -j SSH_FROM_US
$IPT -t filter -A INPUT  -i "$EXTINT" -d "$EXTIP" -p tcp --sport 22 -j SSH_FROM_US
allow_tcp_out SSH_FROM_US sysadminone.manc.ac.uk sysadmintwo.manc.ac.uk
$IPT -t filter -A SSH_FROM_US -j LOG --log-prefix " **SSH_FROM_US DROP** "
$IPT -t filter -A SSH_FROM_US -j DROP
#
# -- default-log-and-drop as for SSH outbound:
# -- this is really mean...
#
# ------------------------------------------------------------------------------------------
# -- Web Out :
# ------------------------------------------------------------------------------------------
# ...Bruno.Harbulot@manchester.ac.uk would like to talk to squid1/2 and pulsar...
## Does Bruno still need this? pulsar.vidar.ngs.manchester.ac.uk 80
# Outbound web-proxy pinhole: TCP/3128 only to the two listed proxies; other proxies are
# logged and dropped (an untrusted proxy could redirect us to faked sites).
$IPT -t filter -N WEB_PROXY_OUT
$IPT -t filter -A OUTPUT -o "$EXTINT" -s "$EXTIP" -p tcp --dport 3128 -j WEB_PROXY_OUT
$IPT -t filter -A INPUT  -i "$EXTINT" -d "$EXTIP" -p tcp --sport 3128 -j WEB_PROXY_OUT
allow_tcp_out WEB_PROXY_OUT proxyone.manc.ac.uk proxytwo.manc.ac.uk
$IPT -t filter -A WEB_PROXY_OUT -j LOG --log-prefix " **WEB_PROXY_OUT DROP** "
$IPT -t filter -A WEB_PROXY_OUT -j DROP
#
# -- default-log-and-drop as we don't trust other Web Proxies --- they may forward
# us to faked/phishing sites for example...
#
# ==========================================================================================
# == SECTION 6 :: FORWARDS/MASQUERADES/NAT :
# ==========================================================================================
# -- tweak that kernel :
#
# Turn on IP forwarding so this host routes for the compute nodes. Note the FORWARD policy
# is still ACCEPT at this point (SECTION 0.1) and the FORWARD rules are only appended below,
# so forwarding is briefly unrestricted between this line and the default DROP rule.
printf '1\n' > /proc/sys/net/ipv4/ip_forward
# ...recall that INPUT/OUTPUT rules do NOT affect traffic from 10.2.64.0/24 destined to be FORWARDed via 10.2.64.25\0, so we need
# additional block/allow rules here to filter storage and the compute nodes (see the ascii-art diagram in the IPTables HOWTO)...
# -- forward stuff from 192.168.104.0/24, the headnode-facing interface of the compute-nodes :
#
# -- DNS :
#
# Compute nodes (192.168.104.0/24 on eth0) may reach the three campus resolvers directly.
# NOTE(review): this matches *all* UDP to those servers, not only --dport 53 as the heading
# suggests — confirm whether the narrower match is wanted.
for dns_server in 130.88.ac.efg 130.88.ac.efh 130.88.baa.ghi ; do
  $IPT -t filter -A FORWARD -p udp -i eth0 -o eth3 -s 192.168.104.0/24 -d "$dns_server" -j ACCEPT
done
# Replies and related traffic for flows already accepted.
$IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else that would be forwarded is logged (unlimited) and dropped.
$IPT -t filter -A FORWARD -j LOG --log-prefix " FORWARD-DROP "
$IPT -t filter -A FORWARD -j DROP
# Hide the compute nodes behind this host's address on the way out. No -o is given; with
# FORWARD only passing eth0->eth3 flows above this is effectively eth3, but "-o eth3" would
# state that explicitly.
$IPT -t nat -A POSTROUTING -s 192.168.104.0/24 -j MASQUERADE
# ==========================================================================================
# == SECTION 7 :: TMP :
# ==========================================================================================
# -- for testing Gold stuff :
#
# Temporary (SECTION 7 "TMP"): full access, every protocol and port in both directions, for
# one test host while the Gold work is ongoing. Resolved by name at load time.
$IPT -t filter -A INPUT  -s ddd.rst.manchester.ac.uk -j ACCEPT
$IPT -t filter -A OUTPUT -d ddd.rst.manchester.ac.uk -j ACCEPT
# ==========================================================================================
# == SECTION 8 :: DEFAULTS :
# ==========================================================================================
## ...Silently drop the junkmail deluge :
## ...Silently drop the known background noise so it does not eat the rate-limited default log :
for noisy_port in 137 138 520 631 ; do   # 137/138: Windows NetBIOS; 520: origin unknown to the author; 631: IPP
  $IPT -t filter -A INPUT -i "$EXTINT" -p udp --sport "$noisy_port" --dport "$noisy_port" -j DROP
done
$IPT -t filter -A INPUT -i "$EXTINT" -p udp -m multiport --destination-ports 1026,1027,1028,1029 -j DROP   # ...Windoze...
for noisy_port in 4500 4501 4502 ; do    # origin unknown to the author ("??????")
  $IPT -t filter -A INPUT -i "$EXTINT" -p udp --sport "$noisy_port" --dport "$noisy_port" -j DROP
done
$IPT -t filter -A INPUT -i "$EXTINT" -s 130.88.zxy.250 -d 224.0.0.1 -j DROP   # all-hosts multicast from the router
## ...Log everything else, rate-limited (5/minute, burst 10): anything beyond the limit is
## dropped below without a log line...
$IPT -t filter -A INPUT  -i "$EXTINT" -m limit --limit 5/minute --limit-burst 10 -j LOG --log-level warn --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid --log-prefix " **INPUT DEFAULT** "
$IPT -t filter -A OUTPUT -o "$EXTINT" -m limit --limit 5/minute --limit-burst 10 -j LOG --log-level warn --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid --log-prefix " **OUTPUT DEFAULT** "
## ...then drop it :
$IPT -t filter -A INPUT  -i "$EXTINT" -j DROP
$IPT -t filter -A OUTPUT -o "$EXTINT" -j DROP
# ==========================================================================================
# == SECTION 9 :: POLICY :
# ==========================================================================================
# Now that every rule is in place, close the policies that SECTION 0.1 opened.
for chain in INPUT OUTPUT FORWARD ; do
  $IPT -t filter -P "$chain" DROP
done
# ==========================================================================================
# == Time for a nice mug of tea.
# ==========================================================================================