lhubert
/
lfirewall


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429
							#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall.sh
# Required-Start:    $syslog $network
# Required-Stop:     $syslog $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start firewall daemon at boot time
# Description:       Custom Firewall scrip.
### END INIT INFO

#
# Light Firewall configuration.
#
# Original author : Nicolargo
#
# chkconfig: 2345 9 91
# description: Activates/Deactivates the firewall at boot time
#

set -euo pipefail

help_message_lfirewall(){
cat <<-EOF
  Light Firewall configuration script.

  $(basename ${0}) [OPTIONS...] COMMAND

	COMMANDS

		start : starts the firewall
		clear : stops the firewall (removes all IPTABLES rules and let all connections work)
		stop  : stops all network connections (USE with CAUTION)
		test	: tests the existing rules for 30 seconds

	OPTIONS
		-v --verbose	: verbose mode
		-h --help			: display this help message
		-l --logging	: enables logging (prefix: iptables-logging)

	AUTHOR
		Original author: Nicolargo
		Modified by: Laurent Hubert
EOF
}

options=$(getopt -l "help,verbose,logging" -o "hvl" -- "$@")

if [[ $? != 0 ]] ; then
	help_message_lfirewall
	exit 1
fi

eval set -- "$options"

IT_INPUT=INPUT
IT_INPUT_LOG=LOGINPUT
IT_OUTPUT=OUTPUT
IT_OUTPUT_LOG=LOGOUTPUT

verbose=0
logging=" "

while :
do
	if [[ ${verbose} = "1" ]] ; then
		echo "$@"
	fi

	case "$1" in
		-h|--help)
			help_message_lfirewall
			exit 0
			;;
		-v|--verbose)
			verbose=$(( verbose + 1 ))
			if [[ ${verbose} -gt 1 ]]
			then
				set -x
			fi
			if [[ ${verbose} -gt 2 ]]
			then
				set -v
			fi
			;;
		-l|--logging)
			logging="-j LOG --log-prefix 'iptables-logging'"
			IT_INPUT=${IT_INPUT_LOG}
			IT_OUTPUT=${IT_OUTPUT_LOG}
			;;
		--)
			shift
			break
			;;
	esac
	shift
done

PATH=/bin:/sbin:/usr/bin:/usr/sbin

#Defautl network interface
NETWORK_IF=eth0

# Services that the system will offer to the network
TCP_SERVICES="22" # SSH only
UDP_SERVICES=""
# Services the system will use from the network
REMOTE_TCP_SERVICES="80 443" # web browsing
REMOTE_UDP_SERVICES="53" # DNS


# Network that will be used for remote mgmt
# (if undefined, no rules will be setup)
# NETWORK_MGMT=192.168.0.0/24

# Port used for the SSH service, define this is you have setup a
# management network but remove it from TCP_SERVICES
SSH_PORT="22"

# Default IP_TABLES command path
IP_TABLES="/sbin/iptables"

CONFIGURATION_FILE=/etc/lfirewall/lfirewall.conf
if [ -f $CONFIGURATION_FILE ] ; then
	set +u
	. $CONFIGURATION_FILE
	set -u
fi

if ! [ -x $IP_TABLES ]; then
	echo "$IP_TABLES is not executable or not present" >&2
	exit 1
fi

if ! /usr/sbin/ifup --no-act $NETWORK_IF
then
	echo "Network interface '$NETWORK_IF' is not present or configured" >&2
	exit 2
fi

do_action=do_exec

IPTABLES_CHECK=__iptables_check_action
IPTABLES_ADD=__iptable_add_action
IPTABLES_SET_POLICY=__iptable_set_policy_action

do_exec () {
	case $1 in
		__iptable_add_action)
			shift
			iptables_option=-A
		;;
		__iptable_set_policy_action)
			shift
			iptables_option=-P
		;;
		*)
			echo "Nothing to be done for $1"
		;;
	esac
	if [[ ${verbose} -ge 1 ]] ; then
		echo $IP_TABLES $iptables_option $*
	fi
	$IP_TABLES $iptables_option $*	
}

do_check () {
	the_action=$1
	shift
	case $the_action in
		__iptable_add_action)
			iptables_option=-A
		;;
		__iptable_set_policy_action)
			return 0
		;;
		*)
			echo "Nothing to be done for $1"
		;;
	esac
	default_option=-C
	if [[ ${verbose} -ge 1 ]] ; then
		echo $do_log "$the_action:" $IP_TABLES -C $*
		echo $IP_TABLES -C $*
	fi
	$do_log "$the_action:" $IP_TABLES -C $*
	$IP_TABLES -C $*
	global_status=$((global_status+$?))
}

log_action () {
	echo $*
}

do_not_log_action () {
	return 0
}

do_log=do_not_log_action

##########################
# Start the Firewall rules
##########################

fw_start () {
	#**************************************************************************#
	# Input traffic:
	#**************************************************************************#

	### Keep existing connections
	$do_action $IPTABLES_ADD $IT_INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	# Services
	if [ -n "$TCP_SERVICES" ] ; then
		for PORT in $TCP_SERVICES; do
			$do_action $IPTABLES_ADD $IT_INPUT -p tcp --dport ${PORT} -j ACCEPT
		done
	fi
	if [ -n "$UDP_SERVICES" ] ; then
		for PORT in $UDP_SERVICES; do
			$do_action $IPTABLES_ADD $IT_INPUT -p udp --dport ${PORT} -j ACCEPT
		done
	fi
	# Remote management
	if [ "${NETWORK_MGMT:=UNBOUND_VARIABLE}" != "UNBOUND_VARIABLE" ] ; then
		$do_action $IPTABLES_ADD $IT_INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT
	else
		$do_action $IPTABLES_ADD $IT_INPUT -p tcp --dport ${SSH_PORT}  -j ACCEPT
	fi

	#**************************************************************************#
	# NGINX
	#**************************************************************************#
	$do_action $IPTABLES_ADD $IT_INPUT -i lo -s localhost -d localhost -j ACCEPT
	$do_action $IPTABLES_ADD $IT_OUTPUT -o lo -s localhost -d localhost -j ACCEPT
	$do_action $IPTABLES_ADD $IT_INPUT  -p tcp --dport http -j ACCEPT
	$do_action $IPTABLES_ADD $IT_INPUT  -p tcp --dport https -j ACCEPT


	# Remote testing
	### Allows PING
	$do_action $IPTABLES_ADD $IT_INPUT -p icmp -j ACCEPT

	### Allows LOOPBACK
	$do_action $IPTABLES_ADD $IT_INPUT -i lo -j ACCEPT

	$IP_TABLES -P $IT_INPUT DROP
	$do_action $IPTABLES_ADD $IT_INPUT -j LOG

	#**************************************************************************#
	# Output:
	#**************************************************************************#
	### Allows LOOPBACK
	$do_action $IPTABLES_ADD $IT_OUTPUT -j ACCEPT -o lo

	###
	$do_action $IPTABLES_ADD $IT_OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	# ICMP is permitted:
	### Allows ping:
	$do_action $IPTABLES_ADD $IT_OUTPUT -p icmp -j ACCEPT

	# As well as the services we have defined:
	if [ -n "$REMOTE_TCP_SERVICES" ] ; then
		for PORT in $REMOTE_TCP_SERVICES; do
			$do_action $IPTABLES_ADD $IT_OUTPUT -p tcp --dport ${PORT} -j ACCEPT
		done
	fi
	if [ -n "$REMOTE_UDP_SERVICES" ] ; then
		for PORT in $REMOTE_UDP_SERVICES; do
			$do_action $IPTABLES_ADD $IT_OUTPUT -p udp --dport ${PORT} -j ACCEPT
		done
	fi
	# All other connections are registered in syslog
	$do_action $IPTABLES_ADD $IT_OUTPUT -j LOG
	$do_action $IPTABLES_ADD $IT_OUTPUT -j REJECT
	$do_action $IPTABLES_SET_POLICY $IT_OUTPUT DROP

	$do_action $IPTABLES_ADD FORWARD -j LOG

	#**************************************************************************#
	# DOS attack protection
	#**************************************************************************#
	# See http://rockdio.org/ayudatech/how-to-stop-small-ddos-attacks-some-basic-security-advice/
	#
	$IP_TABLES -I $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --set
	$IP_TABLES -I $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
	$IP_TABLES -I $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --set
	$IP_TABLES -I $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP

	#**************************************************************************#
	# Other network protections
	# (some will only work with some kernel versions)
	#**************************************************************************#
	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
	if [[ "${ALLOW_IP_FORWARDING}" = 0 ]]
	then
		echo 0 > /proc/sys/net/ipv4/ip_forward
	else
		echo 1 > /proc/sys/net/ipv4/ip_forward
	fi
	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
	echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
	echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
	echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

	iptables -t filter -A $IT_OUTPUT -p tcp --dport 22 -j ACCEPT
	iptables -t filter -A $IT_INPUT -p tcp --dport 22 -j ACCEPT
}

do_this(){
    if [[ ${verbose} -ge 1 ]] ; then
      echo $*
    fi
    $*
}

##########################
# Stop the Firewall rules
##########################

fw_stop () {
	do_this $IP_TABLES -F
	do_this $IP_TABLES -t nat -F
	do_this $IP_TABLES -t mangle -F
	do_this $IP_TABLES -P $IT_INPUT DROP
	do_this $IP_TABLES -P FORWARD DROP
	do_this $IP_TABLES -P $IT_OUTPUT ACCEPT
}

##########################
# Clear the Firewall rules
##########################

fw_clear () {
	do_this $IP_TABLES -F
	do_this $IP_TABLES -t nat -F
	do_this $IP_TABLES -t mangle -F
	do_this $IP_TABLES -P $IT_INPUT ACCEPT
	do_this $IP_TABLES -P FORWARD ACCEPT
	do_this $IP_TABLES -P $IT_OUTPUT ACCEPT
	do_this $IP_TABLES -X
}

##########################
# Test the Firewall rules
##########################

fw_save () {
  if [[ ${verbose} -ge 1 ]] ; then
    echo "$IP_TABLES-save > /etc/iptables.backup"
  fi

	$IP_TABLES-save > /etc/iptables.backup
}

fw_restore () {
	if [ -e /etc/iptables.backup ]; then
	  if [[ ${verbose} -ge 1 ]] ; then
	    echo "$IP_TABLES-save > /etc/iptables.backup"
	  fi

		$IP_TABLES-restore < /etc/iptables.backup
	fi
}

fw_test () {
	fw_save
	sleep 30 && echo "Restore previous Firewall rules..." && fw_restore &
	fw_stop
	fw_start
}

case "$1" in
	start|restart)
		echo -n "Starting firewall.."
		fw_stop
		fw_start
		echo "done."
	;;
	stop)
		echo "###############################################################"
		echo "I do not stop for now."
		echo "Use 'clear' to remove all firewall blocking rules."
		echo "Use 'dropall' to stop any traffic and block everything."
		echo "###############################################################"
	;;
	clear)
		echo -n "Clearing firewall rules.."
		fw_clear
		echo "done."
	;;
	dropall)
		echo -n "Droping all connections !!!"
		fw_stop
		echo "done."
	;;
	test)
		echo -n "Test Firewall rules..."
		fw_test
		echo -n "Previous configuration will be restore in 30 seconds"
	;;
	status)
		do_action=do_check
		global_status=0
		if [ "$2" = "-v" ] ; then
			do_log=log_action
		fi
		# Start will not really start but exec the "check" action
		fw_start
		if [ 0 -eq "$global_status" ] ; then
			echo "Firewall rules match configuration"
			exit 0
		else
			echo "Some firewall rules are not set correctly"
			exit $global_status
		fi
	;;
	*)
		echo "Usage: $0 {start|dropall|stop|restart|clear|test}"
		echo "###############################################################"
		echo "# Be aware that 'stop' drop all incoming/outgoing traffic !!! #"
		echo "###############################################################"
		echo "Use clear option to allow all traffic."
		exit 1
	;;
esac
exit 0