#!/bin/sh
###############################################################################################################################################################
# HEADER AND INSTRUCTIONS
###############################################################################################################################################################
# Program: endwall.sh
# Type: Bourne shell script
# Creation Date: Jan 1 2013
# Branch: wired
# Current Version: 1.42
# Revision Date: July 6, 2022
# Previous Version: 1.41, July 25, 2022
# Author: THE ENDWARE DEVELOPMENT TEAM
# Copyright: THE ENDWARE DEVELOPMENT TEAM, 2016
#
# Changes: - Update EULA, fix typo in if statement to loop over interfaces, add client_out_internal() function
# - fixed unfinished call to --open in code (bug fix)
# - Added --version flag, updated acknowledgements
# - Loop over interfaces check that ip is picked up
# - Removed duplicate entry for DNS + Added DHCPv6 client output + Aesthetics
# - Added functions and rewrote firewall using functions
# - Suppress output for sysctl to clean up
# - Updated EULA
# - Added annotations Beginning/End of Program
# - Fixed tor for DNSport 9053
# - Added gopher lo + client rules
# - Added a PASS chain
# - Pass PASS rules through PASS chain
#
#
# Instructions: make directory,copy the file and change name to endwall.sh
# make whitelists,blacklist text files, edit the endwall.sh file
# change permissions to make endwall.sh executable, run the file.
#
# Notes: - uncomment the macchanger lines if you want random mac address.
# - requires macchanger (optional)
# - comment out lines starting at 1335 for alternate distributions you don't use
#
# $ mkdir ~/endwall
# $ cp endwall_v1xx.sh endwall.sh
# $ nano endwall.sh # go to the section below labeled GLOBAL VARIABLES
# edit the variables client1_ip,client1_mac,client1_ip,client2_mac
# so that they match your needs and save. ^X
# # uncomment the macchanger lines to use macchanger
# # comment out save rules on line 1335 for distributions not used
# $ chmod u+rwx endwall.sh # change permissions to allow script execution
# $ su # become root
# # ./endwall.sh # execute/run the file
# OPTIONAL
# # ./endlists.sh # Loads traditional blacklists and whitelists into iptables rules
# # ./endsets.sh # Requires ipset, loads advanced kernel packet filtering blacklists
#
#
# If the firewall fails (bad interface pickup or bad ipv4 pickup) then run ./endwall.sh --open to return to open policies
# $ ./endwall.sh --open
# Then manually set the interface ipv4 for ip1 and ip2 or play with the assignments of the internal variables (Switch 1 to 2 and retry etc)
#
############################################################################################################################################################################
# Note that ip6tables is not enabled by default on some distributions
# for systemd enable and start iptables/ip6tables as follows:
# # systemctl enable iptables
# # systemctl enable ip6tables
# # systemctl enable iptables.service
# # systemctl enable ip6tables.service
# # systemctl start iptables
# # systemctl start ip6tables
# # systemctl restart iptables
# # systemctl restart ip6tables
#
#########################################################################
#############################################################################################################################################################################
# ACKNOWLEDGMENTS
#############################################################################################################################################################################
# The Endware Development Team would like to acknowledge the work and efforts of OdiliTime, Balrog and SnakeDude who graciously hosted and promoted this software project.
# We would also like to acknowledge the work and efforts of Stephen Lynx, the creator and maintainer of LynxChan.
# Without their efforts and their wonderful web site www.endchan.xyz, The Endware Suite would not exist in the public domain at all in any form.
#
# So thanks to OdiliTime, Balrog, SnakeDude, and Stephen Lynx for inspiring this work and for hosting and promoting it.
#
# The Endware Suite including Endwall,Endsets,Endlists,Endtools,Endloads and Endtube are named in honor of Endchan.
#
# The Endware Suite is available for download at the following locations:
# https://gitgud.io/Endwall/ , https://github.com/endwall2/, https://www.endchan.xyz/os/, http://42xlyaqlurifvvtq.onion,
#
# Special thanks to the designer of the current EndWare logo which replaces the previous logo. It looks great!
# Thank you also to early beta testers including a@a, and to other contributors including Joshua Moon (for user_agents.txt split and other good suggestions)
# as well as to the detractors who helped to critique this work and to ultimately improve it.
#
# We also acknowledge paste.debian.net, ix.io, gitgud and github for their hosting services,
# without which distribution would be limited, so thank you.
#
# https://www.endchan.xyz, http://paste.debian.net, https://gitgud.io, https://github.com, http://ix.io
#
# We salute you!
#
# In the end, may it all end well.
#
# The Endware Development Team
##############################################################################################################################################################################
##############################################################################################################################################################################
# LICENSE AGREEMENT
##############################################################################################################################################################################
# BEGINNING OF LICENSE AGREEMENT
# TITLE: THE ENDWARE END USER LICENSE AGREEMENT (EULA)
# CREATION DATE: MARCH 19, 2016
# VERSION: 1.19
# VERSION DATE: JUNE 23, 2022
# COPYRIGHT: THE ENDWARE DEVELOPMENT TEAM, 2016-2018
# ALL RIGHTS RESERVED
#
# WHAT CONSTITUTES "USE"? WHAT IS A "USER"?
# 0) a) Use of this program means the ability to study, possess, run, copy, modify, publish, distribute and sell the code as included in all lines of this file,
# in text format or as a binary file constituting this particular program or its compiled binary machine code form, as well as the the performance
# of these aforementioned actions and activities.
# 0) b) A user of this program is any individual who has been granted use as defined in section 0) a) of the LICENSE AGREEMENT, and is granted to those individuals listed in section 1.
# WHO MAY USE THIS PROGRAM ?
# 1) a) This program may be used by any living human being, any person, any corporation, any company, and by any sentient individual with the willingness and ability to do so.
# 1) b) This program may be used by any citizen or resident of any country, and by any human being without citizenship or residency.
# 1) c) This program may be used by any civilian, military officer, government agent, private citizen, government official, sovereign, monarch, head of state,
# dignitary, ambassador, legislator,congressional representative, member of parliament, senator, judicial official, judge, prosecutor, lawyer, law enforcement officer,
# police constable, noble, commoner, clergy, laity, and generally all classes and ranks of people, persons, and human beings mentioned and those not mentioned.
# 1) d) This program may be used by any human being of any sex or gender, including men, women, or any other sex, or gender not mentioned.
# 1) e) This program may be used by any human being of any affiliation, political viewpoint, political affiliation, religious belief, religious affiliation, and by those of non-belief or non affiliation.
# 1) f) This program may be used by any human being of any race, ethnicity, identity, origin, genetic makeup, physical appearance, mental ability, and by those of any other physical
# or non physical characteristics of differentiation.
# 1) g) This program may be used by any human being of any sexual orientation, including heterosexual, homosexual, bisexual, asexual, or any other sexual orientation not mentioned.
# 1) h) This program may be used by all business classes and business entities, including corporations, limited liability companies, sole proprietorships, partnerships, joint venture companies, private companies, publicly owned companies, and any other business class not specifically mentioned.
# 1) i) This program may be used by anyone.
# WHERE MAY A USER USE THIS PROGRAM ?
# 2) a) This program may be used in any country, in any geographic location of the planet Earth, in any marine or maritime environment, at sea, sub-sea, in a submarine, underground,
# in the air, in an airplane, dirigible, blimp, or balloon, in a car, bus, motor vehicle, train, armored transport vehicle, and at any distance from the surface of the planet Earth, including in orbit about the Earth, the Moon, or the planet Mars,
# on a satellite orbiting about the Earth, the Moon, the planet Mars, and about any Solar System planet and its moons, on any space transport vehicle, and anywhere in the Solar System including the Moon, Mars, and all other Solar System planets not listed.
# 2) b) This program may be used in any residential, commercial, business, and governmental property or location and in all public and private spaces.
# 2) c) This program may be used anywhere.
# IN WHAT CONTEXT OR CIRCUMSTANCES MAY A USER USE THIS PROGRAM?
# 3) This program may be used by any person, human being or sentient individual for any purpose and in any context and in any setting including for personal use, academic use,
# business use, commercial use, government use, non-governmental organization use, non-profit organization use, military use, civilian use, and generally any other use
# not specifically mentioned.
# WHAT MAY A "USER" DO WITH THIS PROGRAM ?
# 4) Any user of this program is granted the freedom to read and study the code.
# 5) a) Any user of this program is granted the freedom to distribute, publish, and share the code with any recipient of their choice electronically or by any other method of transmission.
# 5) b) The LICENCSE AGREEMENT, ACKNOWLEDGMENTS, Header and Instructions must remain attached to the code in their entirety when re-distributed.
# 5) c) Any user of this program is granted the freedom to sell this software as distributed or to bundle it with other software or saleable goods.
# 6) a) Any user of this program is granted the freedom to modify the code.
# 6) b) When modified, any user of this program is granted the freedom of re-distribution of their modified code if and only if the user attatchs the LICENSE AGREEMENT
# in its entirety to their modified code before re-distribution.
# 6) c) Any user of this software is granted the freedom to sell their modified copy of this software or to bundle their modified copy with other software or saleable goods.
# 6) d) Any modified code shall be sublicensed by the modifier and distributor only under the original terms of the Endware End User License Agreement as presented in this LICENSE AGREEMENT.
# 6) e) Any user of this software agrees that any derivative works produced as a result of user modification will be sublicensed when re-distributed under the original terms of this LICENSE AGREEMENT exactly as presented.
# 7) a) Any user of this program is granted the freedom to run this code on any computer of their choice.
# 7) b) Any user of this program is granted the freedom to run as many simultaneous instances of this code, on as many computers as they are able to and desire, and for as long as they desire and are
# able to do so with any degree of simultaneity in use.
# WHAT MUST A "USER" NOT DO WITH THIS PROGRAM ?
# 8) Any user of this program is not granted the freedom to procure a patent for the methods presented in this software, and agrees not to do so.
# 9) Any user of this program is not granted the freedom to arbitrarily procure a copyright on this software as presented, and agrees not to do so.
# 10) Any user of this program is not granted the freedom to obtain or retain intellectual property rights on this software as presented and agrees not to do so.
# 11) a) Any user of this program may use this software as part of a patented process, as a substitutable input into the process; however the user agrees not to attempt to patent this software as part of their patented process.
# 11) b) This software is a tool, like a hammer, and may be used in a process which applies for and gains a patent, as a substitutable input into the process;
# however the software tool itself may not be included in the patent or covered by the patent as a novel invention, and the user agrees not to do this and not to attempt to do this.
# 12) a) Any user of this program is not granted the freedom to remove, replace, alter or modify the LICENSE AGREEMENT, ACKNOWLEDGMENTS, or the Header and Instructions from the file, if being distributed without modification of the program code.
# The LICENSE AGREEMENT, ACKKNWLEGEMENTS and Header and Instructions sections must remain attached to the code in their entirety when re-distributed without modification.
# b) If the code is moodified, by a user, as permitted and allowed under section 6) a),b),c),d),e) of this LICENSE AGREEMENT, then
# the user of this program who made the program code modifications may modify or alter the ACKNKOWLEGEMENTS, or the Header and Instructions sections to document these new modifications and their authorship, and to acknowledge any asistance in doing so,
# however, these user modifiers are not granted the freedom to removem, replace, alter or modify the LICENSE AGREEMENT which must remain attached to the code in their entirety when re-distributed without modification.
# WHO GRANTS THESE FREEDOMS ?
# 13) The creators of this software are the original developer,"Endwall", and anyone listed as being a member of "The Endware Development Team" by "Endwall", as well as ancillary contributors, and user modifiers and developers of the software.
# 14) The aforementioned freedoms of use listed in sections 4),5),6),and 7) are granted by the creators of this software and the Endware Development Team to any qualifying user listed in section 1) and
# comporting with any restrictions and qualifications mentioned in sections 2), 3), 8), 9), 10) and 11) of this LICENSE AGREEMENT.
# WHAT RELATIONSHIP DO THE USERS HAVE WITH THE CREATORS OF THE SOFTWARE ?
# 15) This software is distributed "AS IS" without any warranty and without any guaranty and the creators do not imply anything about its usefulness or efficacy.
# 16) If the user suffers or sustains financial loss, informational loss, material loss, physical loss or data loss as a result of using, running, or modifying this software
# the user agrees that they will hold the creators of this software, "The Endware Development Team", "Endwall", and the programmers involved in its creation, free from prosecution,
# free from indemnity, and free from liability, and will not attempt to seek restitution, compensation, or payment for any such loss real or imagined.
# 17) If a user makes a significant improvement to this software, and if this improvement is included in a release, the user agrees not to seek remuneration or payment
# from the creators of this software or from Endwall or from the Endware Development Team, for any such work contribution performed, and the user understands
# that there will be no such remuneration or payment rendered to them for any such contribution.
# END OF LICENSE AGREEMENT
##################################################################################################################################################################################
# ADDITIONAL NOTES:
# 18) If a user finds a significant flaw or makes a significant improvement to this software, please feel free to notify the original developers so that we may also
# include your user improvement in the next release; users are not obligated to do this, but we would enjoy this courtesy tremendously.
#
# 19) Sections 0) a) 0) b) and 1) a) are sufficient for use; however sections 1) b) through 1) i) are presented to clarify 1 a) and to enforce non-discrimination and non-exclusion of use.
# For example some people may choose to redefine the meaning of the words "person" "human being" or "sentient individual" to exclude certain types of people.
# This would be deemed unacceptable and is specifically rejected by the enumeration presented. If the wording presented is problematic please contact us and suggest a change,
# and it will be taken into consideration.
#################################################################################################################################################################################
################################################ BEGINNING OF PROGRAM ##################################################################################
####################################################################################################
# INPUT ARGUMENTS
###################################################################################################
version="1.42"
branch="wired"
rev_date="07/07/2022"
# The firewall is applied (closed) unless an explicit --open is given.
state="closed"
# Walk the command line: --help and --version print and exit, --open selects
# the open (ACCEPT-all) policy, and any other argument falls back to closed.
for arg in "$@"; do
  case "$arg" in
    --help)
      echo "USAGE: ./endwall --help ## displays usage statements"
      echo "USAGE: ./endwall --version ## displays version statements"
      echo "USAGE: ./endwall --open ## opens firewall to default open policies"
      echo "USAGE: ./endwall ## enable endwall firewall system"
      shift
      exit 0
      ;;
    --version)
      echo "ENDWALL version:$version, branch:$branch, revision date:$rev_date "
      echo "Copyright: THE ENDWARE DEVELOPMENT TEAM, 2016"
      shift
      exit 0
      ;;
    --open)
      state="open"
      shift
      ;;
    *)
      # Unrecognized arguments are not rejected; they simply keep the firewall closed.
      state="closed"
      ;;
  esac
done
####################################################################################################
# GLOBAL VARIABLES
####################################################################################################
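iptables="/sbin/iptables"
ip6tables="/sbin/ip6tables"
# Grab interface names from ip link: the first "state" line is normally lo, so
# the first two non-loopback interfaces are the 2nd and 3rd matching lines.
int_if1=$(ip link | grep -a "state " | awk -F: 'FNR==2 { print $2 }')
int_if2=$(ip link | grep -a "state " | awk -F: 'FNR==3 { print $2 }')
# Grab Gateway Information: the next hop of the first route that has one.
# Stopping after the first match keeps gateway_ip single-valued when several
# "via" routes exist (a multi-line value would break the lookups below).
gateway_ip=$(ip route | awk '/via/ { print $3; exit }')
# Gateway MAC: read the kernel neighbour table first -- no extra tooling and no
# probe traffic. Only if the table has no entry for the gateway (and nmap is
# installed) fall back to the original SYN probe of port 53 on the gateway.
#gateway_mac=$( arp | awk '/gateway/ {print $3}')
gateway_mac=""
if [ -n "$gateway_ip" ]; then
  gateway_mac=$(ip neigh show "$gateway_ip" | awk '/lladdr/ { print $5; exit }')
  if [ -z "$gateway_mac" ] && command -v nmap >/dev/null 2>&1; then
    gateway_mac=$(nmap -sS "$gateway_ip" -p 53 | grep -a "MAC Address:" | awk '{ print $3 }')
  fi
fi
# RUN MAC CHANGER on INTERFACES
#macchanger -A $int_if
#macchanger -A "$int_if2"
# grab host mac addresses from ip link (1st and 2nd "ether" lines)
host_mac1=$(ip link | grep -a "ether" | awk 'FNR==1 { print $2 }')
host_mac2=$(ip link | grep -a "ether" | awk 'FNR==2 { print $2 }')
# grab the ipv4 addresses from the interfaces: global-scope addresses with the
# prefix length stripped. NOTE(review): "scope global" also matches global IPv6
# lines, so the result depends on the order ip addr prints them -- verify on
# dual-stack hosts.
host_ip1=$(ip addr | grep -a "scope global" | awk -F/ 'FNR==1 { print $1 }' | awk '{ print $2 }')
host_ip2=$(ip addr | grep -a "scope global" | awk -F/ 'FNR==2 { print $1 }' | awk '{ print $2 }')
# grab the ipv6 addresses from the interfaces (2nd and 3rd inet6 lines;
# presumably the 1st is ::1 on lo -- confirm against ip addr output)
host_ip1v6=$(ip addr | grep -a "inet6" | awk -F/ 'FNR==2 { print $1 }' | awk '{ print $2 }')
host_ip2v6=$(ip addr | grep -a "inet6" | awk -F/ 'FNR==3 { print $1 }' | awk '{ print $2 }')
############################ CLIENTS ################################################
# change these values but don't leave them blank
# add more clients as you need them use $ arp or $ nmap -sS client_ip to determine values
#client1_mac=00:00:00:00:00:00 # change to be the mac address of client 1
#client2_mac=00:00:00:00:00:00 # change to be the mac address of client 2
#client1_ip=192.168.0.161 # change to be the static ip of your first internal client
#client2_ip=192.168.0.162 # change to be the static ip of your second internal client
########################### INTERNAL VARIABLES ##################################
# The rule set below refers to these names; they alias the discovered host values
# so a user can pin them manually here if autodetection picks the wrong interface.
int_mac1="$host_mac1" # internal mac address of interface 1
int_mac2="$host_mac2" # internal mac address of interface 2
int_ip1="$host_ip1" # internal ip address of interface 1
int_ip2="$host_ip2" # internal ip address of interface 2
int_ip1v6="$host_ip1v6" # internal ipv6 address of interface 1
int_ip2v6="$host_ip2v6" # internal ipv6 address of interface 2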
###################################################################################################################################
# LINUX SECURITY BOOLEANS
###################################################################################################################################
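echo "LOADING SYSCTL SECURITY BOOLEANS"
# Load the persistent settings from /etc/sysctl.conf BEFORE the explicit values
# below, so a conflicting entry in that file cannot silently undo the hardening
# (previously -p ran last, letting the config file win over the -w calls).
sysctl -p # load settings
############### KERNEL #############################################################################################
sysctl -w -q kernel.sysrq=0 # disable the magic SysRq key
sysctl -w -q kernel.core_uses_pid=1 # append the pid to core dump file names
sysctl -w -q kernel.randomize_va_space=1 # NOTE(review): 2 is the kernel default and also randomizes brk; 1 is a weaker setting
#sysctl -w -q kernel.pid_max=65536
#sysctl -w -q kernel.exec-shield=1
############### IPv4 #############################################################################################
sysctl -w -q net.ipv4.tcp_syncookies=1 # enable tcp syn cookies (prevent against the common 'syn flood attack')
sysctl -w -q net.ipv4.ip_forward=0 # disable Packet forwarding between interfaces
# Disable Source Routed Packets, Redirect Acceptance, Redirect Sends, Log all Martian IP addresses.
# Walk the per-interface conf directories with a glob instead of parsing ls, and
# pass the key in slash notation so an interface name containing a dot (e.g. a
# VLAN such as eth0.100) is not split into extra key components.
for f in /proc/sys/net/ipv4/conf/*; do
  [ -d "$f" ] || continue # unmatched glob (IPv4 conf dir absent) or stray file
  f=${f##*/}
  sysctl -w -q "net/ipv4/conf/$f/rp_filter=1" # do source validation by reversed path (Recommended option for single homed hosts)
  sysctl -w -q "net/ipv4/conf/$f/accept_source_route=0" # Disable source routed packets
  sysctl -w -q "net/ipv4/conf/$f/accept_redirects=0" # don't accept redirects
  sysctl -w -q "net/ipv4/conf/$f/send_redirects=0" # don't send redirects
  sysctl -w -q "net/ipv4/conf/$f/log_martians=1" # log packets with impossible addresses to kernel log
done
sysctl -w -q net.ipv4.icmp_echo_ignore_broadcasts=1 # ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
sysctl -w -q net.ipv4.icmp_ignore_bogus_error_responses=1 # disable logging of bogus responses to broadcast frames
################## IPv6 ##############################################################################################
# Same per-interface walk for IPv6: no source routing, no ICMP redirects, and no
# router-advertisement driven autoconfiguration. Skipped entirely when the
# ipv6 conf directory does not exist (IPv6 disabled).
for f in /proc/sys/net/ipv6/conf/*; do
  [ -d "$f" ] || continue
  f=${f##*/}
  sysctl -w -q "net/ipv6/conf/$f/accept_source_route=0"
  sysctl -w -q "net/ipv6/conf/$f/accept_redirects=0"
  sysctl -w -q "net/ipv6/conf/$f/router_solicitations=0"
  sysctl -w -q "net/ipv6/conf/$f/accept_ra_rtr_pref=0"
  sysctl -w -q "net/ipv6/conf/$f/accept_ra_pinfo=0"
  sysctl -w -q "net/ipv6/conf/$f/accept_ra_defrtr=0"
  sysctl -w -q "net/ipv6/conf/$f/autoconf=0"
  sysctl -w -q "net/ipv6/conf/$f/dad_transmits=0"
  sysctl -w -q "net/ipv6/conf/$f/max_addresses=1"
done
##################### OTHER ##################################################################################################
#setsebool httpd_can_network_connect on #needed for squirelmail if you are on selinux
#setsebool httpd_can_sendmail on #needed for squirelmail send if you are on selinux
echo "SYSCTL SECURITY BOOLEANS LOADED"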
###########################################################################################################################
###################### FLUSH OLD RULES #####################################################################
# Reset both stacks to an empty rule set before (re)building. Each table is
# flushed (-F) before its user-defined chains are deleted (-X), since a chain
# that still holds rules cannot be removed. The nat table is only handled for
# IPv4, matching the original rule set.
iptables -F # Flush Rules (filter table)
for tbl in mangle filter nat raw security; do
  iptables -F -t "$tbl" # Flush the table
  iptables -X -t "$tbl" # Delete user chains in the table
done
iptables -X # Delete chains
iptables -Z # Reset counters
ip6tables -F # Flush Rules (filter table)
for tbl in mangle filter raw security; do
  ip6tables -F -t "$tbl" # Flush the table
  ip6tables -X -t "$tbl" # Delete user chains in the table
done
ip6tables -X # Delete Chains
ip6tables -Z # Reset Counter
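# Disable firewall if --open flag: accept everything on both stacks (the tables
# were flushed above), optionally persist that, print the state and exit.
if [ "$state" = "open" ]; then
  ################################ DISABLE THE FIREWALL #################################################################
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  ip6tables -P INPUT ACCEPT
  ip6tables -P FORWARD ACCEPT
  ip6tables -P OUTPUT ACCEPT
  ############################### SAVE RULES ##############################################################
  echo "SAVING RULES"
  # NOTE(review): saving here persists the open (ACCEPT-all) policy across
  # reboots on the distributions whose save lines are enabled; confirm that is
  # the intended recovery behaviour rather than a one-off runtime state.
  # comment out distribution rules that you are not using
  #ARCH/PARABOLA
  #iptables-save > /etc/iptables/iptables.rules
  #ip6tables-save > /etc/iptables/ip6tables.rules
  #DEBIAN/UBUNTU
  iptables-save > /etc/iptables/rules.v4
  ip6tables-save > /etc/iptables/rules.v6
  # RHEL/CENTOS/FEDORA
  #iptables-save > /etc/iptables/iptables
  #ip6tables-save > /etc/iptables/ip6tables
  # Parabola / Gentoo OpenRC
  # /etc/init.d/iptables save
  echo "ENDWALL DISABLED"
  ############################## PRINT RULES ################################################################
  #list the rules
  iptables -L -v
  ip6tables -L -v
  ############################# PRINT ADDRESSES ########################################################################
  # Expansions are quoted so the discovered values are printed verbatim instead
  # of being word-split and glob-expanded by the shell.
  echo "GATEWAY : MAC:$gateway_mac IPv4:$gateway_ip "
  echo "INTERFACE_1: $int_if1 MAC:$int_mac1 IPv4:$int_ip1 IPv6:$int_ip1v6 "
  echo "INTERFACE_2: $int_if2 MAC:$int_mac2 IPv4:$int_ip2 IPv6:$int_ip2v6 "
  # print the time the script finishes
  date
  exit 0
fi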
## OTHERWISE continue with the firewall implementation
############################ DEFAULT POLICY ####################################################################
# Deny by default on every built-in chain, IPv4 and IPv6 alike. All later rules
# are appended (-A), so the policy only decides packets no rule has matched.
for chain in INPUT FORWARD OUTPUT
do
iptables -P "$chain" DROP
ip6tables -P "$chain" DROP
done
############################ DEFINE CUSTOM CHAINS #####################################################################
# LnD / LnR: log the packet (at most 1/s per protocol class, so a flood cannot
# fill the log) and then DROP / REJECT it. PASS: stateful accept for tcp/udp/icmp
# that discards INVALID conntrack states and anything that is not one of those
# three protocols.
log_chain4()
{
# $1 = chain to create, $2 = word used in the log prefix, $3 = terminating target
iptables -N "$1"
iptables -A "$1" -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP $2] "
iptables -A "$1" -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP $2] "
iptables -A "$1" -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP $2] "
iptables -A "$1" -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG $2] "
iptables -A "$1" -j "$3"
}
log_chain4 LnD drop DROP # custom DROP chain
log_chain4 LnR reject REJECT # custom REJECT chain
iptables -N PASS # Define PASS chain
for p in tcp udp icmp
do
iptables -A PASS -p "$p" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A PASS -p "$p" -m conntrack --ctstate INVALID -j DROP
done
iptables -A PASS -j DROP
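# IPv6 versions of the same chains. Differences from IPv4: ip6tables has no -f
# (fragment) match, and ICMPv6 is IP protocol 58 ("icmpv6"/"ipv6-icmp"). The
# previous "-p icmp" selected protocol 1 (ICMPv4), which never occurs as the
# next header of an IPv6 packet, so those LOG and ACCEPT rules could not match;
# any ICMPv6 sent to PASS ended in its final DROP.
ip6tables -N LnD # Define custom DROP chain
ip6tables -A LnD -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP drop] "
ip6tables -A LnD -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP drop] "
ip6tables -A LnD -p icmpv6 -m limit --limit 1/s -j LOG --log-prefix "[ICMP drop] "
ip6tables -A LnD -j DROP
ip6tables -N LnR # Define custom REJECT chain
ip6tables -A LnR -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP reject] "
ip6tables -A LnR -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP reject] "
ip6tables -A LnR -p icmpv6 -m limit --limit 1/s -j LOG --log-prefix "[ICMP reject] "
ip6tables -A LnR -j REJECT
ip6tables -N PASS # Define PASS chain
for p in tcp udp icmpv6
do
ip6tables -A PASS -p "$p" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
ip6tables -A PASS -p "$p" -m conntrack --ctstate INVALID -j DROP
done
ip6tables -A PASS -j DROP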
#######################################################################################################################
# BASIC FIRST LINE SECURITY
#######################################################################################################################
echo "LOADING FIRST LINE SECURITY"
################ DROP BAD FLAG COMBINATIONS ###########################################################################
# Packets conntrack cannot classify are logged and dropped. A NEW connection whose
# flags are exactly FIN+SYN+RST+ACK, or exactly SYN+ACK (a SYN-ACK nobody asked
# for), is answered with a RST. The two flag rules match disjoint packets, so
# their relative order does not matter.
iptables -A INPUT -p tcp -m conntrack --ctstate INVALID -j LnD
ip6tables -A INPUT -p tcp -m conntrack --ctstate INVALID -j LnD
for flags in FIN,SYN,RST,ACK SYN,ACK
do
iptables -A INPUT -p tcp --tcp-flags ALL "$flags" -m state --state NEW -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p tcp --tcp-flags ALL "$flags" -m state --state NEW -j REJECT --reject-with tcp-reset
done
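###################### XMAS ################################################################################
# Drop TCP packets with flag combinations no legitimate stack sends (Xmas, Null,
# SYN+FIN and similar scan probes). The original list carried three duplicated
# rules (SYN,FIN / SYN,RST / FIN-without-ACK each appeared twice); they are listed
# once here, and the same list is applied to IPv4 and IPv6.
tcp_flag_drop()
{
# $1 = flags to examine (mask), $2 = flags that must be set within that mask
iptables -A INPUT -p tcp --tcp-flags "$1" "$2" -j LnD
ip6tables -A INPUT -p tcp --tcp-flags "$1" "$2" -j LnD
}
tcp_flag_drop ALL ALL # every flag set
tcp_flag_drop ALL NONE # no flag set (Null scan)
tcp_flag_drop ALL FIN,URG,PSH # Xmas scan
tcp_flag_drop ALL SYN,RST,ACK,FIN,URG
tcp_flag_drop SYN,FIN SYN,FIN
tcp_flag_drop SYN,RST SYN,RST
tcp_flag_drop FIN,RST FIN,RST
tcp_flag_drop FIN,ACK FIN # FIN without ACK
tcp_flag_drop ACK,PSH PSH # PSH without ACK
tcp_flag_drop ACK,URG URG # URG without ACK
###################### SYN FLOOD ########################################################
# A NEW connection that does not begin with a bare SYN is answered with a RST.
# (This rejects out-of-state packets; it is not a rate limit against SYN floods.)
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
###################### Prevent DoS attack ####################################################
#iptables -A INPUT -p tcp --dport 25 -m limit --limit 40/minute --limit-burst 80 -j PASS
#ip6tables -A INPUT -p tcp --dport 25 -m limit --limit 40/minute --limit-burst 80 -j PASS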
#################### DROP MULTICAST/BROADCAST ################################################
# 224.0.0.0/4 is multicast and 240.0.0.0/4 is reserved; neither is a valid unicast
# source. Dropping them on OUTPUT as destination also silences this host's own
# multicast (mDNS, SSDP, IGMP) — comment the OUTPUT lines out if you need those.
iptables -A INPUT -s 224.0.0.0/4 -j LnD
iptables -A OUTPUT -d 224.0.0.0/4 -j LnD
iptables -A INPUT -s 240.0.0.0/4 -j LnD
iptables -A OUTPUT -d 240.0.0.0/4 -j LnD
# comment out if you want to accept multicast or broadcast
################# DROP BROADCAST #######################################################
# Limited and directed broadcasts are dropped silently here (plain DROP, so unlike
# the LnD rules above nothing is logged).
# NOTE(review): 153.122.x.x and 172.2.x.x are public ranges, not RFC 1918
# (172.16.0.0/12 covers 172.16–172.31 only). They look like the original author's
# own subnets rather than a general rule — replace with your own subnet broadcast
# addresses, or delete them.
iptables -A INPUT -d 255.255.255.255 -j DROP
iptables -A INPUT -d 192.168.255.255 -j DROP
iptables -A INPUT -d 192.168.0.255 -j DROP
iptables -A INPUT -d 153.122.255.255 -j DROP
iptables -A INPUT -d 153.122.1.255 -j DROP
iptables -A INPUT -d 172.2.255.255 -j DROP
iptables -A INPUT -d 172.2.1.255 -j DROP
# comment out if you want to accept broadcast from your router
##################### DROP ASSUMED ATTACKERS #####################################################
# -m recent: a source address that is already on the (DEFAULT) recent list and was
# seen within the last 60 s is logged (LOG itself limited to 10/s) and dropped.
# --update also refreshes the entry's timestamp, so a source that keeps sending
# stays blocked until it has been quiet for 60 s.
# NOTE(review): nothing in this section puts addresses ON the list — there is no
# --set here, and the spoofing rules below that would do so are commented out.
# Unless a --set rule exists elsewhere in the script, these four rules never match.
iptables -A INPUT -m recent --rcheck --seconds 60 -m limit --limit 10/second -j LOG --log-prefix "BG "
iptables -A INPUT -m recent --update --seconds 60 -j DROP
ip6tables -A INPUT -m recent --rcheck --seconds 60 -m limit --limit 10/second -j LOG --log-prefix "BG "
ip6tables -A INPUT -m recent --update --seconds 60 -j DROP
###################### DROP OTHER LAN SPOOFING ############################################
# these rules ship commented out; if you enable them and they cause problems, comment them out again
####################### DROP INTERNAL HOST IP INPUT SPOOFING ####################################
#iptables -A INPUT -i $int_if1 -s "$int_ip1" -m recent --set -j LnD
#iptables -A FORWARD -i $int_if1 -s "$int_ip1" -m recent --set -j LnD
#iptables -A INPUT -i $int_if2 -s "$int_ip2" -m recent --set -j LnD
#iptables -A FORWARD -i $int_if2 -s "$int_ip2" -m recent --set -j LnD
### these rules drop packets that arrive on an interface carrying that interface's own address as source;
### if enabling them stops you reaching a website hosted on this machine from the machine itself, comment them out again.
#######################################################################################################################
# DROP RESTRICTED SPECIAL USE IPv4 NETWORKS / IP SPOOFING
#######################################################################################################################
############################# DROP LINK-LOCAL ADDRESSES ###############################################################
# 169.254.0.0/16 (RFC 3927) is never routed; a packet with it as source or
# destination on INPUT is either spoofed or from a misconfigured peer.
iptables -A INPUT -s 169.254.0.0/16 -j LnD
iptables -A INPUT -d 169.254.0.0/16 -j LnD
############################### DROP OUTBOUND BROADCAST ###############################################################
# NOTE(review): a DHCP client on this host that sends its DISCOVER through an
# ordinary UDP socket would hit this rule — confirm before relying on DHCP here.
iptables -A OUTPUT -d 255.255.255.255 -j LnD
##################### DROP PRIVATE LAN INPUT OF WRONG CLASS/TYPE ################################################
#iptables -A INPUT -s 10.0.0.0/8 -j LnD
#iptables -A INPUT -s 172.16.0.0/12 -j LnD
#iptables -A INPUT -s 192.168.0.0/16 -j LnD
# Uncomment the RFC 1918 ranges that are NOT used on your network so that packets
# claiming to come from them are dropped (basic anti-spoofing).
# TODO: derive this automatically by checking the gateway IP against 10/8,
# 172.16/12 and 192.168/16 (not implemented).
echo "FIRST LINE SECURITY LOADED"
#################################################################################################################################
###################################### FUNCTIONS ####################################################################
lo_open()
{
# Allow IPv4 $1 traffic on the loopback interface for the multiport list $2,
# matched as destination ports and as source ports, inbound and outbound.
# $1 = protocol (tcp/udp), $2 = multiport list, e.g. "53,953"
# Rules are appended INPUT first, then OUTPUT, dports before sports.
proto=$1
ports=$2
for side in --dports --sports
do
iptables -A INPUT -i lo -p "$proto" -m multiport "$side" "$ports" -j PASS
done
for side in --dports --sports
do
iptables -A OUTPUT -o lo -p "$proto" -m multiport "$side" "$ports" -j PASS
done
}
lo6_open()
{
# IPv6 twin of lo_open: allow $1 traffic on loopback for the multiport list $2,
# as destination and as source ports, inbound and outbound.
# $1 = protocol (tcp/udp), $2 = multiport list, e.g. "546,547"
proto=$1
ports=$2
for side in --dports --sports
do
ip6tables -A INPUT -i lo -p "$proto" -m multiport "$side" "$ports" -j PASS
done
for side in --dports --sports
do
ip6tables -A OUTPUT -o lo -p "$proto" -m multiport "$side" "$ports" -j PASS
done
}
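client_out()
{
# Outbound client access (IPv4): this host ($int_ip on $int_if) may open NEW
# connections with protocol $1 to the remote ports in $2 and receive ESTABLISHED
# replies from them. Rules 3-4 mirror this for local *source* ports in $2, which
# lets a local process bound to one of those ports reach any remote port — broader
# than a plain client needs; kept as in the original.
# $1 = protocol (tcp/udp), $2 = multiport list, e.g. "80,443"
# Reads globals int_if and int_ip (set by the "for int_if in ..." interface loop).
# Fix: $int_if is now quoted like every other expansion (SC2086).
proto=$1
ports=$2
iptables -A OUTPUT -o "$int_if" -s "$int_ip" -p "$proto" -m multiport --dports "$ports" -m state --state NEW,ESTABLISHED -j PASS
iptables -A INPUT -i "$int_if" -d "$int_ip" -p "$proto" -m multiport --sports "$ports" -m state --state ESTABLISHED -j PASS
iptables -A OUTPUT -o "$int_if" -s "$int_ip" -p "$proto" -m multiport --sports "$ports" -m state --state NEW,ESTABLISHED -j PASS
iptables -A INPUT -i "$int_if" -d "$int_ip" -p "$proto" -m multiport --dports "$ports" -m state --state ESTABLISHED -j PASS
}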
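client_out_lim()
{
# Same as client_out, but the two OUTPUT rules are rate limited: at most $3
# packets per second (with a burst of $4) are passed; the excess falls through to
# whatever rule comes later (ultimately the DROP policy). Reply rules are not limited.
# $1 = protocol, $2 = multiport list, $3 = packets/second, $4 = burst size
# Reads globals int_if and int_ip. Fix: $int_if quoted (SC2086).
proto=$1
ports=$2
limrate=$3
limburst=$4
iptables -A OUTPUT -o "$int_if" -s "$int_ip" -p "$proto" -m multiport --dports "$ports" -m limit --limit "$limrate"/s --limit-burst "$limburst" -m state --state NEW,ESTABLISHED -j PASS
iptables -A INPUT -i "$int_if" -d "$int_ip" -p "$proto" -m multiport --sports "$ports" -m state --state ESTABLISHED -j PASS
iptables -A OUTPUT -o "$int_if" -s "$int_ip" -p "$proto" -m multiport --sports "$ports" -m limit --limit "$limrate"/s --limit-burst "$limburst" -m state --state NEW,ESTABLISHED -j PASS
iptables -A INPUT -i "$int_if" -d "$int_ip" -p "$proto" -m multiport --dports "$ports" -m state --state ESTABLISHED -j PASS
}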
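client_out_rel()
{
# Same as client_out, additionally passing RELATED state in every rule (needed for
# protocols whose helper opens secondary connections, e.g. FTP data channels).
# $1 = protocol (tcp/udp), $2 = multiport list
# Reads globals int_if and int_ip. Fix: $int_if quoted (SC2086).
proto=$1
ports=$2
iptables -A OUTPUT -o "$int_if" -s "$int_ip" -p "$proto" -m multiport --dports "$ports" -m state --state NEW,ESTABLISHED,RELATED -j PASS
iptables -A INPUT -i "$int_if" -d "$int_ip" -p "$proto" -m multiport --sports "$ports" -m state --state ESTABLISHED,RELATED -j PASS
iptables -A OUTPUT -o "$int_if" -s "$int_ip" -p "$proto" -m multiport --sports "$ports" -m state --state NEW,ESTABLISHED,RELATED -j PASS
iptables -A INPUT -i "$int_if" -d "$int_ip" -p "$proto" -m multiport --dports "$ports" -m state --state ESTABLISHED,RELATED -j PASS
}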
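client_out_internal_1p()
{
# Client access from this host to ONE internal host on a single port: NEW
# connections from $int_ip1 to $3 port $2 (and from local port $2) over $int_if,
# with ESTABLISHED replies accepted only if they also carry source MAC $4.
# $1 = protocol, $2 = port, $3 = client IP, $4 = client MAC
# Reads globals int_if and int_ip1.
# Security note: -m mac checks the Ethernet source of the frame, which any host
# on the same segment can forge; it narrows accidental access, not a determined attacker.
# NOTE(review): this family of functions uses $int_ip1 while every other helper
# uses the per-interface $int_ip; when called for the second interface the
# source address is still interface 1's. Kept as is — confirm whether intended.
# Fix: all expansions quoted (SC2086).
proto=$1
port=$2
client_ip=$3
client_mac=$4
iptables -A OUTPUT -o "$int_if" -p "$proto" -s "$int_ip1" -d "$client_ip" --dport "$port" -m state --state NEW,ESTABLISHED -j PASS
iptables -A INPUT -i "$int_if" -p "$proto" -d "$int_ip1" -s "$client_ip" --sport "$port" -m mac --mac-source "$client_mac" -m state --state ESTABLISHED -j PASS
iptables -A OUTPUT -o "$int_if" -p "$proto" -s "$int_ip1" -d "$client_ip" --sport "$port" -m state --state NEW,ESTABLISHED -j PASS
iptables -A INPUT -i "$int_if" -p "$proto" -d "$int_ip1" -s "$client_ip" --dport "$port" -m mac --mac-source "$client_mac" -m state --state ESTABLISHED -j PASS
}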
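client_out_internal_mp()
{
# Multi-port variant of client_out_internal_1p: NEW connections from $int_ip1 to
# internal host $3 on any port in $2 (and from local ports in $2) over $int_if,
# replies accepted only with source MAC $4 (spoofable on the local segment).
# $1 = protocol, $2 = multiport list, $3 = client IP, $4 = client MAC
# Reads globals int_if and int_ip1 (see the note in client_out_internal_1p about
# $int_ip1 vs the per-interface $int_ip). Fix: all expansions quoted (SC2086).
proto=$1
ports=$2
client_ip=$3
client_mac=$4
iptables -A OUTPUT -o "$int_if" -p "$proto" -s "$int_ip1" -d "$client_ip" -m multiport --dports "$ports" -m state --state NEW,ESTABLISHED -j PASS
iptables -A INPUT -i "$int_if" -p "$proto" -d "$int_ip1" -s "$client_ip" -m multiport --sports "$ports" -m mac --mac-source "$client_mac" -m state --state ESTABLISHED -j PASS
iptables -A OUTPUT -o "$int_if" -p "$proto" -s "$int_ip1" -d "$client_ip" -m multiport --sports "$ports" -m state --state NEW,ESTABLISHED -j PASS
iptables -A INPUT -i "$int_if" -p "$proto" -d "$int_ip1" -s "$client_ip" -m multiport --dports "$ports" -m mac --mac-source "$client_mac" -m state --state ESTABLISHED -j PASS
}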
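client_out_internal_2p()
{
# Two-port variant: pins BOTH ends of the connection. Outbound from $int_ip1 local
# port $3 to internal host $4 port $2 (and the mirrored pair), replies accepted
# only with source MAC $5 (spoofable on the local segment).
# $1 = protocol, $2 = remote port, $3 = local port, $4 = client IP, $5 = client MAC
# Reads globals int_if and int_ip1 (see the note in client_out_internal_1p about
# $int_ip1 vs the per-interface $int_ip). Fix: all expansions quoted (SC2086).
proto=$1
port1=$2
port2=$3
client_ip=$4
client_mac=$5
iptables -A OUTPUT -o "$int_if" -p "$proto" -s "$int_ip1" -d "$client_ip" --dport "$port1" --sport "$port2" -m state --state NEW,ESTABLISHED -j PASS
iptables -A INPUT -i "$int_if" -p "$proto" -d "$int_ip1" -s "$client_ip" --sport "$port1" --dport "$port2" -m mac --mac-source "$client_mac" -m state --state ESTABLISHED -j PASS
iptables -A OUTPUT -o "$int_if" -p "$proto" -s "$int_ip1" -d "$client_ip" --sport "$port1" --dport "$port2" -m state --state NEW,ESTABLISHED -j PASS
iptables -A INPUT -i "$int_if" -p "$proto" -d "$int_ip1" -s "$client_ip" --dport "$port1" --sport "$port2" -m mac --mac-source "$client_mac" -m state --state ESTABLISHED -j PASS
}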
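client6_out()
{
# IPv6 client access: NEW connections out of $int_if with protocol $1 to remote
# ports in $2 (and from local source ports in $2), ESTABLISHED replies back in.
# Unlike client_out there is no -s/-d address pin, so any IPv6 address on the
# interface is covered.
# $1 = protocol (tcp/udp), $2 = multiport list
# Reads global int_if. Fix: $int_if quoted (SC2086).
proto=$1
ports=$2
ip6tables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --dports "$ports" -m state --state NEW,ESTABLISHED -j PASS
ip6tables -A INPUT -i "$int_if" -p "$proto" -m multiport --sports "$ports" -m state --state ESTABLISHED -j PASS
ip6tables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --sports "$ports" -m state --state NEW,ESTABLISHED -j PASS
ip6tables -A INPUT -i "$int_if" -p "$proto" -m multiport --dports "$ports" -m state --state ESTABLISHED -j PASS
}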
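client6_out_rel()
{
# client6_out plus RELATED state in every rule (helper-opened secondary
# connections, e.g. FTP data channels).
# $1 = protocol (tcp/udp), $2 = multiport list
# Reads global int_if. Fix: $int_if quoted (SC2086).
proto=$1
ports=$2
ip6tables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --dports "$ports" -m state --state NEW,ESTABLISHED,RELATED -j PASS
ip6tables -A INPUT -i "$int_if" -p "$proto" -m multiport --sports "$ports" -m state --state ESTABLISHED,RELATED -j PASS
ip6tables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --sports "$ports" -m state --state NEW,ESTABLISHED,RELATED -j PASS
ip6tables -A INPUT -i "$int_if" -p "$proto" -m multiport --dports "$ports" -m state --state ESTABLISHED,RELATED -j PASS
}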
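client6_out_lim()
{
# client6_out with the two OUTPUT rules rate limited to $3 packets/second
# (burst $4); excess packets fall through to later rules. Replies are unlimited.
# "$limrate"/second is the same unit as the "/s" used by the IPv4 helpers.
# $1 = protocol, $2 = multiport list, $3 = packets/second, $4 = burst size
# Reads global int_if. Fix: $int_if quoted (SC2086).
proto=$1
ports=$2
limrate=$3
limburst=$4
ip6tables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --dports "$ports" -m limit --limit "$limrate"/second --limit-burst "$limburst" -m state --state NEW,ESTABLISHED -j PASS
ip6tables -A INPUT -i "$int_if" -p "$proto" -m multiport --sports "$ports" -m state --state ESTABLISHED -j PASS
ip6tables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --sports "$ports" -m limit --limit "$limrate"/second --limit-burst "$limburst" -m state --state NEW,ESTABLISHED -j PASS
ip6tables -A INPUT -i "$int_if" -p "$proto" -m multiport --dports "$ports" -m state --state ESTABLISHED -j PASS
}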
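server_in()
{
# Expose a local IPv4 service: accept NEW connections arriving on $int_if for
# destination ports $2 (protocol $1) and let ESTABLISHED replies out from them.
# $1 = protocol (tcp/udp), $2 = multiport list, e.g. "22"
# Reads global int_if. Fix: $int_if quoted (SC2086).
proto=$1
ports=$2
iptables -A INPUT -i "$int_if" -p "$proto" -m multiport --dports "$ports" -m state --state NEW,ESTABLISHED -j PASS
iptables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --sports "$ports" -m state --state ESTABLISHED -j PASS
}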
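server_in_x()
{
# server_in plus the reverse pairing: rules 3-4 also accept NEW inbound connections
# whose *source* port is in $2, with replies to that port.
# Security note: the remote side chooses its source port, so rules 3-4 let any host
# that binds a port in $2 open a connection to ANY local port. Use this variant only
# for protocols that genuinely call back from a fixed port; prefer server_in otherwise.
# $1 = protocol (tcp/udp), $2 = multiport list
# Reads global int_if. Fix: $int_if quoted (SC2086).
proto=$1
ports=$2
iptables -A INPUT -i "$int_if" -p "$proto" -m multiport --dports "$ports" -m state --state NEW,ESTABLISHED -j PASS
iptables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --sports "$ports" -m state --state ESTABLISHED -j PASS
iptables -A INPUT -i "$int_if" -p "$proto" -m multiport --sports "$ports" -m state --state NEW,ESTABLISHED -j PASS
iptables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --dports "$ports" -m state --state ESTABLISHED -j PASS
}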
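server_in_xlim()
{
# server_in_x with both INPUT rules rate limited to $3 packets/second (burst $4);
# the excess falls through to later rules. Carries the same caveat as server_in_x:
# rule 3 accepts NEW connections matched only by the remote-chosen source port.
# $1 = protocol, $2 = multiport list, $3 = packets/second, $4 = burst size
# Reads global int_if. Fix: $int_if quoted (SC2086).
proto=$1
ports=$2
limrate=$3
limburst=$4
iptables -A INPUT -i "$int_if" -p "$proto" -m multiport --dports "$ports" -m limit --limit "$limrate"/s --limit-burst "$limburst" -m state --state NEW,ESTABLISHED -j PASS
iptables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --sports "$ports" -m state --state ESTABLISHED -j PASS
iptables -A INPUT -i "$int_if" -p "$proto" -m multiport --sports "$ports" -m limit --limit "$limrate"/s --limit-burst "$limburst" -m state --state NEW,ESTABLISHED -j PASS
iptables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --dports "$ports" -m state --state ESTABLISHED -j PASS
}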
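server6_in()
{
# IPv6 twin of server_in: accept NEW connections on $int_if to ports $2
# (protocol $1) and let ESTABLISHED replies out.
# $1 = protocol (tcp/udp), $2 = multiport list
# Reads global int_if. Fix: $int_if quoted (SC2086).
proto=$1
ports=$2
ip6tables -A INPUT -i "$int_if" -p "$proto" -m multiport --dports "$ports" -m state --state NEW,ESTABLISHED -j PASS
ip6tables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --sports "$ports" -m state --state ESTABLISHED -j PASS
}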
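server6_in_x()
{
# IPv6 twin of server_in_x. Same caveat: rules 3-4 accept NEW inbound connections
# matched only by a source port the remote side chooses, so any host can reach any
# local port by binding a port in $2. Prefer server6_in unless the protocol needs it.
# $1 = protocol (tcp/udp), $2 = multiport list
# Reads global int_if. Fix: $int_if quoted (SC2086).
proto=$1
ports=$2
ip6tables -A INPUT -i "$int_if" -p "$proto" -m multiport --dports "$ports" -m state --state NEW,ESTABLISHED -j PASS
ip6tables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --sports "$ports" -m state --state ESTABLISHED -j PASS
ip6tables -A INPUT -i "$int_if" -p "$proto" -m multiport --sports "$ports" -m state --state NEW,ESTABLISHED -j PASS
ip6tables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --dports "$ports" -m state --state ESTABLISHED -j PASS
}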
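server6_in_xlim()
{
# IPv6 twin of server_in_xlim: both INPUT rules limited to $3 packets/second
# (burst $4). Same source-port caveat as server6_in_x for rule 3.
# $1 = protocol, $2 = multiport list, $3 = packets/second, $4 = burst size
# Reads global int_if. Fix: $int_if quoted (SC2086).
proto=$1
ports=$2
limrate=$3
limburst=$4
ip6tables -A INPUT -i "$int_if" -p "$proto" -m multiport --dports "$ports" -m limit --limit "$limrate"/s --limit-burst "$limburst" -m state --state NEW,ESTABLISHED -j PASS
ip6tables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --sports "$ports" -m state --state ESTABLISHED -j PASS
ip6tables -A INPUT -i "$int_if" -p "$proto" -m multiport --sports "$ports" -m limit --limit "$limrate"/s --limit-burst "$limburst" -m state --state NEW,ESTABLISHED -j PASS
ip6tables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --dports "$ports" -m state --state ESTABLISHED -j PASS
}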
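server_internal_1way()
{
# One-directional UDP intake from a single internal host: datagrams to $int_ip
# ports $1 on $int_if are accepted only from IP $2 with source MAC $3. No reply
# rule is added, so this suits fire-and-forget protocols (e.g. syslog/UDP).
# Security note: -m mac matches the frame's Ethernet source, which any host on the
# same segment can forge; treat it as a sanity check, not authentication.
# $1 = multiport list, $2 = client IP, $3 = client MAC
# Reads globals int_if and int_ip. Fix: $int_if quoted (SC2086).
ports=$1
client_ip=$2
client_mac=$3
iptables -A INPUT -i "$int_if" -p udp -m multiport --dports "$ports" -d "$int_ip" -s "$client_ip" -m mac --mac-source "$client_mac" -m state --state NEW,ESTABLISHED -j PASS
}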
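server_internal_1p()
{
# Serve a single port to ONE internal host: NEW connections to $int_ip port $2
# (protocol $1) on $int_if are accepted only from IP $3 with source MAC $4;
# ESTABLISHED replies go back to $3. Rules 3-4 add the reverse pairing (NEW from
# the client's *source* port $2), which is only needed for protocols that call
# back from a fixed port — same caveat as server_in_x, though here the client is pinned.
# $1 = protocol, $2 = port, $3 = client IP, $4 = client MAC (spoofable on the segment)
# Reads globals int_if and int_ip. Fix: $int_if quoted (SC2086).
proto=$1
port=$2
client_ip=$3
client_mac=$4
iptables -A INPUT -i "$int_if" -p "$proto" --dport "$port" -d "$int_ip" -s "$client_ip" -m mac --mac-source "$client_mac" -m state --state NEW,ESTABLISHED -j PASS
iptables -A OUTPUT -o "$int_if" -p "$proto" --sport "$port" -s "$int_ip" -d "$client_ip" -m state --state ESTABLISHED -j PASS
iptables -A INPUT -i "$int_if" -p "$proto" --sport "$port" -s "$client_ip" -d "$int_ip" -m mac --mac-source "$client_mac" -m state --state NEW,ESTABLISHED -j PASS
iptables -A OUTPUT -o "$int_if" -p "$proto" --dport "$port" -d "$client_ip" -s "$int_ip" -m state --state ESTABLISHED -j PASS
}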
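server_internal_mp()
{
# Multi-port variant of server_internal_1p: ports in $2 served to internal host
# $3 (source MAC $4, spoofable on the segment), plus the reverse source-port
# pairing in rules 3-4 (see server_internal_1p for the caveat).
# $1 = protocol, $2 = multiport list, $3 = client IP, $4 = client MAC
# Reads globals int_if and int_ip. Fix: $int_if quoted (SC2086).
proto=$1
ports=$2
client_ip=$3
client_mac=$4
iptables -A INPUT -i "$int_if" -p "$proto" -m multiport --dports "$ports" -d "$int_ip" -s "$client_ip" -m mac --mac-source "$client_mac" -m state --state NEW,ESTABLISHED -j PASS
iptables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --sports "$ports" -s "$int_ip" -d "$client_ip" -m state --state ESTABLISHED -j PASS
iptables -A INPUT -i "$int_if" -p "$proto" -m multiport --sports "$ports" -s "$client_ip" -d "$int_ip" -m mac --mac-source "$client_mac" -m state --state NEW,ESTABLISHED -j PASS
iptables -A OUTPUT -o "$int_if" -p "$proto" -m multiport --dports "$ports" -d "$client_ip" -s "$int_ip" -m state --state ESTABLISHED -j PASS
}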
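server_internal_2p()
{
# Two-port variant: pins both ends. NEW connections from internal host $4 (source
# MAC $5, spoofable on the segment) port $2 to $int_ip port $3 on $int_if, replies
# back, and the mirrored pairing in rules 3-4.
# $1 = protocol, $2 = client port, $3 = local port, $4 = client IP, $5 = client MAC
# Reads globals int_if and int_ip. Fix: $int_if quoted (SC2086).
proto=$1
port1=$2
port2=$3
client_ip=$4
client_mac=$5
iptables -A INPUT -i "$int_if" -p "$proto" --sport "$port1" --dport "$port2" -d "$int_ip" -s "$client_ip" -m mac --mac-source "$client_mac" -m state --state NEW,ESTABLISHED -j PASS
iptables -A OUTPUT -o "$int_if" -p "$proto" --dport "$port1" --sport "$port2" -s "$int_ip" -d "$client_ip" -m state --state ESTABLISHED -j PASS
iptables -A INPUT -i "$int_if" -p "$proto" --dport "$port1" --sport "$port2" -s "$client_ip" -d "$int_ip" -m mac --mac-source "$client_mac" -m state --state NEW,ESTABLISHED -j PASS
iptables -A OUTPUT -o "$int_if" -p "$proto" --sport "$port1" --dport "$port2" -d "$client_ip" -s "$int_ip" -m state --state ESTABLISHED -j PASS
}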
#####################################################################################################################################################
#####################################################################################################################################################
# LOCAL HOST RULES
#############################################################################################
# Everything in this section concerns the loopback interface only. It is an
# allow-list: the LOCAL HOST DROP section after it logs and drops all remaining
# 127/8 and lo traffic, so a local service on a port that is not opened here is
# unreachable even from this machine. IPv6 loopback (::1) only gets the ports
# passed to lo6_open — far fewer than IPv4 — so e.g. ssh to ::1 is dropped.
echo "LOADING LOCALHOST RULES"
##################################### BOOTP ############################################
lo_open udp 67,68
##################################### DHCPv6 ###########################################
lo6_open tcp 546,547
lo6_open udp 546,547
################################## DNS ###################################################
# 953 is the BIND rndc control port
lo_open udp 53,953
lo_open tcp 53,953
lo6_open udp 53,953
lo6_open tcp 53,953
########################### TELNET SSH #####################################################
# 23 (telnet) is cleartext; on lo only it is harmless, but remove it if nothing listens there.
lo_open tcp 22,23
########################### SMTP ############################################################
lo_open tcp 25,587,465
lo6_open tcp 25,587,465
############################ FTP ############################################################
lo_open tcp 20,21,989,990,2121
lo_open udp 20,21,989,990,2121
# 50000-55663 and 60000-60100: presumably passive-mode data port ranges of a local
# FTP server — confirm against the server configuration before changing them
lo_open tcp 50000:55663
lo_open udp 50000:55663
lo_open tcp 60000:60100
lo_open udp 60000:60100
########################### HTTP,HTTPS ######################################################
lo_open tcp 80,443
lo6_open tcp 80,443
########################### GOPHER ##########################################################
lo_open tcp 70
lo_open udp 70
lo6_open tcp 70
lo6_open udp 70
############################ IMAP,IMAPS #####################################################
lo_open tcp 143,993
################################ POP3,POP3S ################################################
lo_open tcp 110,995
############################# SPAM ASSASSIN #################################################
# lo_open tcp 783
#################################### IRC ########################################
lo_open tcp 6667,6668,6669,6697,9999
#################################### XMPP MSN ICQ AOL #######################################
lo_open tcp 1863,5190,5222,5269,5280,5281,5298,5582,8010
lo_open udp 5298,5222
############################### NNTP ########################################################
lo_open tcp 119,563
lo_open udp 119,563
################################### HKP PGP ################################################
lo_open tcp 11371
#################################### TOR ###################################################
# SOCKS (9050/9150), control (9051/9151), DNS (9053), ORPort/DirPort (9001/9030)
lo_open tcp 9030,9040,9050,9051,9053,9150,9151,9001
lo_open udp 9053
################################### LDAP ##################################################
lo_open tcp 389
lo_open udp 389
###################################### BIT TORRENT ##########################################
lo_open tcp 6880,6881,6882,6883,6884,6885,6969,6886,6887,6888,6889,6890
lo_open udp 6880,6881,6882,6883,6884,6885,6969,6886,6887,6888,6889,6890
lo_open tcp 6891,6892,6893,6894,6895,6896,6897,6898,6899,6900,6901
lo_open udp 6891,6892,6893,6894,6895,6896,6897,6898,6899,6900,6901
################################### BIT TORRENT TRACKERS ####################################
lo_open tcp 2710,7000,58846
lo_open udp 3000,4444,6969,1337,2710,80,30301
#################################### SQUID HTTP ALTERNATE ###################################
lo_open tcp 3128,8000,8080,8082,8445,8123,8443
#################################### SOCKS 4/5 #############################################
lo_open tcp 1080,1085
################################## NETBIOS #################################################
#lo_open tcp 135,137,138,139
#lo_open udp 135,137,138,139
################################### SMB SAMBA ###############################################
#lo_open tcp 445
############################## PULSE AUDIO SERVER #########################################
#lo_open tcp 4713
############################### CUPS #######################################################
lo_open tcp 631
lo_open udp 631
################################### GIT (git:// protocol, port 9418) ########################
lo_open tcp 9418
############################## SYSLOG #######################################################
lo_open tcp 514
lo_open udp 514
############################## RELP LOG #####################################################
#lo_open tcp 2514
#lo_open udp 2514
############################### NTP #########################################################
lo_open tcp 123
lo_open udp 123
################################ RPC portmapper ############################################
#lo_open tcp 111
#lo_open udp 111
################################ RSYNC ####################################################
lo_open tcp 873
lo_open udp 873
################################ NFS ######################################################
#lo_open tcp 2049
#lo_open udp 2049
################################ FREENET ##################################################
#lo_open tcp 8888
#lo_open udp 12701,29732
################################ GNU NET ##################################################
#lo_open tcp 2086,2087,2088,2089,2090,2091,2092,2093,2094,2095,2096,2097,4433,5724,7777
#lo_open udp 2086,2087,2088,2089,2090,2091,2092,2093,2094,2095,2096,2097,4433,5724,7777
#lo_open tcp 2053
#lo_open udp 2053
################################ I2P ######################################################
#lo_open tcp 2827,4444,4445,7652,7653,7654,7656,7657,7658,7659,7660,19648
#lo_open udp 7655,19648
################################ OPEN VPN ##################################################
lo_open tcp 1194,943
lo_open udp 1194,943
############################### IPsec #######################################################
lo_open udp 500,4500
################################ SIP ######################################################
#lo_open tcp 5060,5061
#lo_open udp 5060
################################ BITMESSAGE ################################################
#lo_open tcp 8444
################################ BITCOIN ###################################################
lo_open tcp 8332,8333
################################ LITECOIN ##################################################
#lo_open tcp 9332,9333
################################ GOOGLE TALK ###############################################
#lo_open tcp 19294
#lo_open udp 19295,19302
################################ SKYPE #####################################################
#lo_open tcp 23399
#lo_open udp 23399
################################ MYSQL #####################################################
# NOTE(review): 25565 is not MySQL's default port (3306); it is the well-known
# Minecraft server port. Either the label or the number is wrong — confirm.
#lo_open tcp 25565
#lo_open udp 25565
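######################## ICMP ###############################################################
# Loopback ICMP, rate limited. "ping" is an alias of type 8 (echo-request), so the
# "ping" and "8" rules are the same match listed twice; since each carries its own
# limit, packets over the first rule's limit are still passed by the second. Kept
# as in the original.
iptables -A INPUT -i lo -p icmp --icmp-type ping -m limit --limit 1/second -j PASS
iptables -A OUTPUT -o lo -p icmp --icmp-type ping -m limit --limit 2/second -j PASS
iptables -A INPUT -i lo -p icmp --icmp-type 0 -m limit --limit 1/second -j PASS
iptables -A OUTPUT -o lo -p icmp --icmp-type 0 -m limit --limit 2/second -j PASS
iptables -A INPUT -i lo -p icmp --icmp-type 3 -m limit --limit 1/second -j PASS
iptables -A OUTPUT -o lo -p icmp --icmp-type 3 -m limit --limit 2/second -j PASS
iptables -A INPUT -i lo -p icmp --icmp-type 8 -m limit --limit 1/second -j PASS
iptables -A OUTPUT -o lo -p icmp --icmp-type 8 -m limit --limit 2/second -j PASS
iptables -A INPUT -i lo -p icmp --icmp-type 11 -m limit --limit 1/second -j PASS
iptables -A OUTPUT -o lo -p icmp --icmp-type 11 -m limit --limit 2/second -j PASS
# ICMPv6 is IP protocol 58 ("icmpv6"); the previous "-p icmp" selected protocol 1
# (ICMPv4), which never appears inside an IPv6 packet, so these two rules could
# not match and loopback ICMPv6 (e.g. ping to ::1) fell through to the LnD drop
# below. With icmpv6 the packets are handed to the PASS chain instead.
ip6tables -A INPUT -i lo -p icmpv6 -m limit --limit 1/second -j PASS
ip6tables -A OUTPUT -o lo -p icmpv6 -m limit --limit 2/second -j PASS
############################ LOCAL HOST DROP ##############################################
# NO FURTHER INPUT/OUTPUT FROM LOCALHOST / SOURCE HOSTS
# 127/8 as a source on any interface (not just lo) is a spoof; 0/8 is the
# "this host" placeholder and is never a valid unicast address.
iptables -A INPUT -s 127.0.0.0/8 -j LnD
iptables -A OUTPUT -d 127.0.0.0/8 -j LnD
iptables -A INPUT -s 0.0.0.0/8 -j LnD
iptables -A OUTPUT -d 0.0.0.0/8 -j LnD
# Everything else on lo that was not opened above is logged and dropped.
iptables -A INPUT -i lo -j LnD
iptables -A OUTPUT -o lo -j LnD
iptables -A FORWARD -i lo -j LnD
iptables -A FORWARD -o lo -j LnD
ip6tables -A INPUT -i lo -j LnD
ip6tables -A OUTPUT -o lo -j LnD
ip6tables -A FORWARD -i lo -j LnD
ip6tables -A FORWARD -o lo -j LnD
####################################################################################################
echo "LOCALHOST RULES LOADED"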
####################################################################################################
####################################################################################################
# Router and Internal Network Rules
####################################################################################################
#
# Add your own rules below according to your needs (e.g. sshd); the example rules that used to be here were removed.
#
####################################################################################################
## Loop over interfaces check if ip is defined
for int_if in "$int_if1" "$int_if2"
do
if [ "$int_if" = "$int_if1" ]
then
int_mac="$int_mac1"
int_ip="$int_ip1"
int_ipv6="$int_ip1v6"
elif [ "$int_if" = "$int_if2" ]
then
int_mac="$int_mac2"
int_ip="$int_ip2"
int_ipv6="$int_ip2v6"
fi
if [ "$int_ip" != "" ]
then
######################################################################################################################################################
# Application and Port Specific Rules for INTERNET
######################################################################################################################################################
# PUBLIC OUTPUT
######################################################################################################################################################
echo "LOADING PUBLIC OUTPUT CLIENTS"
############################################# DNS Client ##############################################################################
client_out udp 53,953
client_out tcp 53,953
client6_out udp 53,953