
Added: firewall files

Laurent HUBERT hai 8 anos
21b0712b6b
Modificáronse 3 ficheiros con 295 adicións e 0 borrados
  1. 10 0
      Makefile
  2. 36 0
      etc/firewall.conf
  3. 249 0
      scripts/firewall

+ 10 - 0
Makefile

@@ -0,0 +1,10 @@
+
+CP=/bin/cp
+MKDIR=/bin/mkdir
+FIREWALL_ETC_DIR=/etc/firewall
+FIREWALL_CONF=firewall.conf
+
+firewall:
+	$(CP) scripts/firewall /etc/init.d/firewall
+	$(MKDIR) -p $(FIREWALL_ETC_DIR)
+	$(CP) etc/firewall/$(FIREWALL_CONF) $(FIREWALL_ETC_DIR)/
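Review bot: The last recipe line copies `etc/firewall/$(FIREWALL_CONF)`, but the configuration file added by this commit lives at `etc/firewall.conf`, so `make firewall` fails on that line with a missing-file error after the first two commands have already installed the init script and created the directory. The same line also overwrites an existing `/etc/firewall/firewall.conf` unconditionally, which would silently reset an administrator's narrowed port whitelist to the repository defaults on every install; `test -e $(FIREWALL_ETC_DIR)/$(FIREWALL_CONF) || $(CP) etc/$(FIREWALL_CONF) $(FIREWALL_ETC_DIR)/` fixes both the path and the clobbering. Because the init script sources this file as root (`. $CONFIGURATION_FILE` in scripts/firewall), its installed mode matters; installing it with `install -m 0644 -o root -g root` instead of `cp` makes the mode independent of the checkout's permissions. `firewall` is a command rather than a file and should be declared with `.PHONY: firewall` so a stray file of that name cannot mask the target.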

+ 36 - 0
etc/firewall.conf

@@ -0,0 +1,36 @@
+# Firewall configuration file
+# Uncomment the services you need there
+
+#################################
+# Services that the system will #
+# offer to the network          #
+#################################
+
+# SSH
+TCP_SERVICES="22"
+
+# SAMBA
+#SAMBA_PORTS="137 138 139"
+#TCP_SERVICES="$TCP_SERVICES $SAMBA_PORTS"
+
+# SAMBA: if you are using Active Directory
+#TCP_SERVICES="$TCP_SERVICES 445"
+
+#TCP_SERVICES=$TCP_SERVICES" 10021 10023:10999" # vsFTP
+
+UDP_SERVICES=""
+
+#################################
+# Services the system will use  #
+# from the network              #
+#################################
+# These services will not be accessible from the current
+# server until they are allowed
+REMOTE_TCP_SERVICES="80 443" # Web browsing
+REMOTE_TCP_SERVICES="22 $REMOTE_TCP_SERVICES" # SSH
+REMOTE_TCP_SERVICES="20 $REMOTE_TCP_SERVICES" # FTP
+
+REMOTE_TCP_SERVICES="$REMOTE_TCP_SERVICES $SAMBA_PORTS"
+
+REMOTE_UDP_SERVICES="53" # DNS
+
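Review bot: `REMOTE_TCP_SERVICES="$REMOTE_TCP_SERVICES $SAMBA_PORTS"` is unconditional while `SAMBA_PORTS` is only set by the commented-out line in the SAMBA block, so it is a no-op today and will silently open outbound 137-139 the moment someone uncomments that block to offer the service; it belongs inside the SAMBA block, commented out alongside the rest. This file is sourced by the init script as root at boot, so a header comment such as `# Sourced by /etc/init.d/firewall as root: keep it root-owned and not world-writable` would make that contract visible to whoever edits it. The FTP entry allows outbound `--dport 20`; a client's control connection goes to port 21, and 20 is the port the server originates data from in active mode, so this line probably does not achieve what its comment says — worth confirming against the intended use.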

+ 249 - 0
scripts/firewall

@@ -0,0 +1,249 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          firewall.sh
+# Required-Start:    $syslog $network
+# Required-Stop:     $syslog $network
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Start firewall daemon at boot time
+# Description:       Custom Firewall scrip.
+### END INIT INFO
+ 
+#
+# Simple Firewall configuration.
+#
+# Original author : Nicolargo
+#
+# chkconfig: 2345 9 91
+# description: Activates/Deactivates the firewall at boot time
+#
+
+PATH=/bin:/sbin:/usr/bin:/usr/sbin
+
+# Services that the system will offer to the network
+TCP_SERVICES="22" # SSH only
+UDP_SERVICES=""
+# Services the system will use from the network
+REMOTE_TCP_SERVICES="80 443" # web browsing
+REMOTE_UDP_SERVICES="53" # DNS
+
+# Network that will be used for remote mgmt
+# (if undefined, no rules will be setup)
+# NETWORK_MGMT=192.168.0.0/24
+
+# Port used for the SSH service, define this is you have setup a
+# management network but remove it from TCP_SERVICES
+SSH_PORT="22"
+
+CONFIGURATION_FILE=/etc/firewall/firewall.conf
+if [ -f $CONFIGURATION_FILE ] ; then
+	. $CONFIGURATION_FILE
+fi
+
+IP_TABLES="/sbin/iptables"
+ 
+if ! [ -x $IP_TABLES ]; then
+	exit 0
+fi
+ 
+##########################
+# Start the Firewall rules
+##########################
+ 
+fw_start () {
+	#**************************************************************************#
+	# Input traffic:
+	#**************************************************************************#
+	
+	### Keep existing connections
+	$IP_TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+	# Services
+	if [ -n "$TCP_SERVICES" ] ; then
+		for PORT in $TCP_SERVICES; do
+			$IP_TABLES -A INPUT -p tcp --dport ${PORT} -j ACCEPT
+		done
+	fi
+	if [ -n "$UDP_SERVICES" ] ; then
+		for PORT in $UDP_SERVICES; do
+			$IP_TABLES -A INPUT -p udp --dport ${PORT} -j ACCEPT
+		done
+	fi
+	# Remote management
+	if [ -n "$NETWORK_MGMT" ] ; then
+		$IP_TABLES -A INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT
+	else
+		$IP_TABLES -A INPUT -p tcp --dport ${SSH_PORT}  -j ACCEPT
+	fi
+	
+	#**************************************************************************#
+	# NGINX
+	#**************************************************************************#
+	$IP_TABLES -A INPUT -i lo -s localhost -d localhost -j ACCEPT
+	$IP_TABLES -A OUTPUT -o lo -s localhost -d localhost -j ACCEPT
+	$IP_TABLES -A INPUT  -p tcp --dport http -j ACCEPT
+        $IP_TABLES -A INPUT  -p tcp --dport https -j ACCEPT
+	
+	
+	# Remote testing
+	### Allows PING 
+	$IP_TABLES -A INPUT -p icmp -j ACCEPT
+	### Allows LOOPBACK 
+	$IP_TABLES -A INPUT -i lo -j ACCEPT
+	
+	$IP_TABLES -P INPUT DROP
+	$IP_TABLES -A INPUT -j LOG
+	 
+	#**************************************************************************#
+	# Output:
+	#**************************************************************************#
+	### Allows LOOPBACK 
+	$IP_TABLES -A OUTPUT -j ACCEPT -o lo
+	
+	###  
+	$IP_TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+	
+	# ICMP is permitted:
+	### Allows ping: 
+	$IP_TABLES -A OUTPUT -p icmp -j ACCEPT
+	
+	# So are security package updates:
+	# Note: You can hardcode the IP address here to prevent DNS spoofing
+	# and to setup the rules even if DNS does not work but then you
+	# will not "see" IP changes for this service:
+	$IP_TABLES -A OUTPUT -p tcp -d security.debian.org --dport 80 -j ACCEPT
+	$IP_TABLES -A OUTPUT -p tcp -d www.dokuwiki.org --dport 80 -j ACCEPT
+	
+	# As well as the services we have defined:
+	if [ -n "$REMOTE_TCP_SERVICES" ] ; then
+		for PORT in $REMOTE_TCP_SERVICES; do
+			$IP_TABLES -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
+		done
+	fi
+	if [ -n "$REMOTE_UDP_SERVICES" ] ; then
+		for PORT in $REMOTE_UDP_SERVICES; do
+			$IP_TABLES -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
+		done
+	fi
+	# All other connections are registered in syslog
+	$IP_TABLES -A OUTPUT -j LOG
+	$IP_TABLES -A OUTPUT -j REJECT
+	$IP_TABLES -P OUTPUT DROP
+	
+	$IP_TABLES -A FORWARD -j LOG
+		
+
+
+
+	#**************************************************************************#
+	# DOS attack protection
+	#**************************************************************************#
+	# Voir http://rockdio.org/ayudatech/how-to-stop-small-ddos-attacks-some-basic-security-advice/
+	# 
+	$IP_TABLES -I INPUT -p tcp --dport 80 -i venet0 -m state --state NEW -m recent --set
+	$IP_TABLES -I INPUT -p tcp --dport 80 -i venet0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
+	$IP_TABLES -I INPUT -p tcp --dport 443 -i venet0 -m state --state NEW -m recent --set
+	$IP_TABLES -I INPUT -p tcp --dport 443 -i venet0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
+
+	#**************************************************************************#
+	# Other network protections
+	# (some will only work with some kernel versions)
+	#**************************************************************************#
+	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+	echo 0 > /proc/sys/net/ipv4/ip_forward
+	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+	echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
+	echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+	echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
+	 
+	iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT  
+	iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT  
+}
+ 
+##########################
+# Stop the Firewall rules
+##########################
+ 
+fw_stop () {
+	$IP_TABLES -F
+	$IP_TABLES -t nat -F
+	$IP_TABLES -t mangle -F
+	$IP_TABLES -P INPUT DROP
+	$IP_TABLES -P FORWARD DROP
+	$IP_TABLES -P OUTPUT ACCEPT
+}
+ 
+##########################
+# Clear the Firewall rules
+##########################
+ 
+fw_clear () {
+	$IP_TABLES -F
+	$IP_TABLES -t nat -F
+	$IP_TABLES -t mangle -F
+	$IP_TABLES -P INPUT ACCEPT
+	$IP_TABLES -P FORWARD ACCEPT
+	$IP_TABLES -P OUTPUT ACCEPT
+}
+ 
+##########################
+# Test the Firewall rules
+##########################
+ 
+fw_save () {
+	$IP_TABLES-save > /etc/iptables.backup
+}
+ 
+fw_restore () {
+	if [ -e /etc/iptables.backup ]; then
+		$IP_TABLES-restore < /etc/iptables.backup
+	fi
+}
+ 
+fw_test () {
+	fw_save
+	sleep 30 && echo "Restore previous Firewall rules..." && fw_restore &
+	fw_stop
+	fw_start
+}
+ 
+case "$1" in
+	start|restart)
+		echo -n "Starting firewall.."
+		fw_stop
+		fw_start
+		echo "done."
+	;;
+	stop)
+		echo "###############################################################"
+		echo "I do not stop for now."
+		echo "Use 'clear' to remove all firewall blocking rules."
+		echo "Use 'dropall' to remove all firewall blocking rules."
+		echo "###############################################################"
+	;;
+	clear)
+		echo -n "Clearing firewall rules.."
+		fw_clear
+		echo "done."
+	;;
+	dropall)
+		echo -n "Droping all connections !!!"
+		fw_stop
+		echo "done."
+	;;
+	test)
+		echo -n "Test Firewall rules..."
+		fw_test
+		echo -n "Previous configuration will be restore in 30 seconds"
+	;;
+	*)
+		echo "Usage: $0 {start|dropall|stop|restart|clear|test}"
+		echo "###############################################################"
+		echo "# Be aware that 'stop' drop all incoming/outgoing traffic !!! #"
+		echo "###############################################################"
+		echo "Use clear option to allow all traffic."
+		exit 1
+	;;
+esac
+exit 0
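Review bot: The two literal `iptables` lines at the end of fw_start and the NGINX block bypass the whitelist the script builds from `TCP_SERVICES`, `SSH_PORT` and `NETWORK_MGMT`: `iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT` admits SSH from any source even when the management-network branch restricted it with `--src ${NETWORK_MGMT}`, and the `--dport http`/`--dport https` rules open 80/443 regardless of configuration. The matching OUTPUT line is dead, because `-A` appends it after the unconditional `$IP_TABLES -A OUTPUT -j REJECT`, so it documents an intent the ruleset never honours; both lines also use the bare `iptables` name instead of `$IP_TABLES`. I would delete those two lines (SSH is already covered by the `SSH_PORT` rules) and move the web ports into the configuration file as `TCP_SERVICES="22 80 443"` so the script carries no implicit exceptions. Separately, the `stop` branch prints "Use 'dropall' to remove all firewall blocking rules" and the usage banner says `stop` drops all traffic, while the code makes `stop` a no-op and `dropall` the action that sets DROP policies — the two messages should describe what the branches actually do.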