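#!/bin/sh
# IP-Masquerade & firewall setting
# iptables
#
# EXTIF Internet interface (WAN)
# INTIF Intranet interface (LAN)
#
# port
# 21:ftp, 22:ssh, 23:telnet, 25:smtp, 53:DNS
# , 80:http, 110:pop3, 113:auth, 123:NTP, 443:https
#
# 1863:MSN Messenger, 6891:6900:Mess-data
# 6669:WinMx
# 7743:Winny
#
# Rebuilds the filter and nat tables from scratch each time it runs, so it
# can be re-applied safely. Must run as root.

EXTIF=ppp0
INTIF=eth1
LOCAL="10.99.0.0/16"
ANY="0.0.0.0/0"
NS="210.130.232.1"
UP_PORTS="1024:65535"
TR_DST_PORTS="33434:33523"

# Every iptables call below fails for a non-root user, which would leave the
# box with whatever ruleset it had before; stop early instead.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s\n' "$0: must be run as root" >&2
  exit 1
fi

# Load the FTP connection-tracking / NAT helper modules. Older kernels call
# them ip_*, newer ones nf_*; try the legacy name first and fall back.
/sbin/modprobe ip_nat_ftp 2>/dev/null || /sbin/modprobe nf_nat_ftp
/sbin/modprobe ip_conntrack_ftp 2>/dev/null || /sbin/modprobe nf_conntrack_ftp

## Flush every chain of the filter table,
iptables -F
# delete the now-empty user-defined chains,
iptables -X
# and reset the counters.
iptables -Z
## Do the same for the nat table: a bare -F only touches the filter table,
## so without this each run appended one more MASQUERADE rule to POSTROUTING.
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

## Default policy DROP on all three chains; everything below is a whitelist.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Ping of death: echo-requests from the WAN are rate-limited, excess dropped.
iptables -N ping-death
iptables -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -j ping-death
iptables -A FORWARD -i "$EXTIF" -p icmp --icmp-type echo-request -j ping-death
iptables -A ping-death -m limit --limit 1/sec --limit-burst 4 -j ACCEPT
iptables -A ping-death -j DROP

# Port scanner: packets carrying RST alone (of SYN,ACK,FIN,RST) from the WAN
# are rate-limited; within the limit they RETURN to normal processing.
iptables -N port-scan
iptables -A INPUT -i "$EXTIF" -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
iptables -A FORWARD -i "$EXTIF" -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
iptables -A port-scan -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A port-scan -j DROP

# Spoofing: private, multicast, reserved and loopback addresses must never
# arrive on the WAN interface.
iptables -N spoofing
iptables -A INPUT -i "$EXTIF" -s 10.0.0.0/8 -j spoofing
iptables -A INPUT -i "$EXTIF" -s 172.16.0.0/12 -j spoofing
iptables -A INPUT -i "$EXTIF" -s 192.168.0.0/16 -j spoofing
iptables -A INPUT -i "$EXTIF" -s 224.0.0.0/4 -j spoofing
iptables -A INPUT -i "$EXTIF" -s 240.0.0.0/5 -j spoofing
# A loopback *source* on the WAN is as bogus as a loopback destination.
iptables -A INPUT -i "$EXTIF" -s 127.0.0.0/8 -j spoofing
iptables -A INPUT -i "$EXTIF" -d 127.0.0.0/8 -j spoofing
iptables -A FORWARD -i "$EXTIF" -s 10.0.0.0/8 -j spoofing
iptables -A FORWARD -i "$EXTIF" -s 172.16.0.0/12 -j spoofing
iptables -A FORWARD -i "$EXTIF" -s 192.168.0.0/16 -j spoofing
iptables -A FORWARD -i "$EXTIF" -s 224.0.0.0/4 -j spoofing
iptables -A FORWARD -i "$EXTIF" -s 240.0.0.0/5 -j spoofing
iptables -A FORWARD -i "$EXTIF" -s 127.0.0.0/8 -j spoofing
iptables -A FORWARD -i "$EXTIF" -d 127.0.0.0/8 -j spoofing
iptables -A spoofing -j DROP

# SYN-flood: new connection attempts from the WAN are rate-limited.
iptables -N syn-flood
iptables -A INPUT -i "$EXTIF" -p tcp --syn -j syn-flood
iptables -A FORWARD -i "$EXTIF" -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

## Allow loopback.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
#iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# 21:ftp
iptables -A INPUT -i "$EXTIF" -p tcp --dport 21 -s "$ANY" -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp ! --syn --sport 21 -d "$ANY" -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p tcp --dport 1024: -s "$ANY" -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE: the NEW state here lets this host open ANY outbound TCP connection
# from an unprivileged source port, not just FTP — keep this in mind when
# reading the per-port rules further down.
iptables -A OUTPUT -o "$EXTIF" -p tcp --sport 1024: -d "$ANY" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p tcp --sport 21 -s "$ANY" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp --dport 21 -s "$ANY" -j ACCEPT
# ESTABLISHED RELATED for passive mode ftp
# Pass the FTP data packets of passive-mode transfers.
iptables -A INPUT -i "$EXTIF" -p tcp --sport "$UP_PORTS" --dport "$UP_PORTS" -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp --sport "$UP_PORTS" --dport "$UP_PORTS" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# ESTABLISHED RELATED for data connection mode ftp
iptables -A INPUT -i "$EXTIF" -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

# 22:ssh
iptables -A INPUT -i "$EXTIF" -p tcp -s "$ANY" --dport 22 -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp ! --syn --sport 22 -d "$ANY" -j ACCEPT

# 25:smtp
iptables -A INPUT -i "$EXTIF" -p tcp -s "$ANY" --dport 25 -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp ! --syn --sport 25 -d "$ANY" -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p tcp ! --syn -s "$ANY" --sport 25 -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp --dport 25 -d "$ANY" -j ACCEPT

# 53:DNS
iptables -A INPUT -i "$EXTIF" -p udp --dport 53 -s "$ANY" -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p udp --sport 53 -d "$ANY" -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p udp --sport 53 -s "$ANY" -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p udp --dport 53 -d "$ANY" -j ACCEPT
# TCP DNS (zone transfers / large answers) only with the configured NS.
iptables -A INPUT -i "$EXTIF" -p tcp -s "$NS" --dport 53 -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp ! --syn --sport 53 -d "$NS" -j ACCEPT

# 80:http
iptables -A INPUT -i "$EXTIF" -p tcp -s "$ANY" --dport 80 -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp ! --syn -m state --state NEW,ESTABLISHED,RELATED --sport 80 -d "$ANY" -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp --dport 80 -j ACCEPT

# 110:pop3
iptables -A INPUT -i "$EXTIF" -p tcp -s "$ANY" --dport 110 -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp ! --syn --sport 110 -d "$ANY" -j ACCEPT

# 113:auth — answer ident probes with a TCP reset so remote mail/IRC servers
# do not stall waiting for a timeout; the OUTPUT rule lets the RST leave.
iptables -A INPUT -i "$EXTIF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -o "$EXTIF" -p tcp --sport 113 --tcp-flags RST RST -j ACCEPT

# 123:ntp
iptables -A INPUT -i "$EXTIF" -p udp -s "$ANY" --dport 123 -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p udp -m state --state NEW,ESTABLISHED,RELATED --sport 123 -d "$ANY" -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p udp --sport 123 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p udp --dport 123 -j ACCEPT

# 1863:MSN Messenger
iptables -A INPUT -i "$EXTIF" -p tcp -s "$ANY" --dport 1863 -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp ! --syn -m state --state NEW,ESTABLISHED,RELATED --sport 1863 -d "$ANY" -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p tcp --sport 1863 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp --dport 1863 -j ACCEPT

# 6891:6900 :MSN Messedata
iptables -A INPUT -i "$EXTIF" -p tcp -s "$ANY" --dport 6891:6900 -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp ! --syn -m state --state NEW,ESTABLISHED,RELATED --sport 6891:6900 -d "$ANY" -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p tcp --sport 6891:6900 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp --dport 6891:6900 -j ACCEPT

# 6669:WinMx
iptables -A INPUT -i "$EXTIF" -p tcp -s "$ANY" --dport 6669 -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp ! --syn -m state --state NEW,ESTABLISHED,RELATED --sport 6669 -d "$ANY" -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p tcp --sport 6669 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp --dport 6669 -j ACCEPT

# 7743:Winny
iptables -A INPUT -i "$EXTIF" -p tcp -s "$ANY" --dport 7743 -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp ! --syn -m state --state NEW,ESTABLISHED,RELATED --sport 7743 -d "$ANY" -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p tcp --sport 7743 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp --dport 7743 -j ACCEPT

# Allow the essential ICMP error messages in (and dest-unreachable out) so
# path-MTU discovery and connection errors still work.
iptables -A INPUT -i "$EXTIF" -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p icmp --icmp-type parameter-problem -j ACCEPT

# Allow outgoing traceroute (UDP probes to the classic traceroute port range).
iptables -A OUTPUT -o "$EXTIF" -p udp --dport "$TR_DST_PORTS" -m state --state NEW -j ACCEPT

# Allow everything from/to the LAN.
iptables -A INPUT -i "$INTIF" -s "$LOCAL" -j ACCEPT
iptables -A OUTPUT -o "$INTIF" -d "$LOCAL" -j ACCEPT

# Do masquerading: forward LAN traffic both ways and NAT it behind the WAN
# address; routing is switched on last, after the rules are in place.
iptables -A FORWARD -s "$LOCAL" -j ACCEPT
iptables -A FORWARD -d "$LOCAL" -j ACCEPT
iptables -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

# Log whatever falls through to the DROP policies.
# NOTE(review): these LOG rules are not rate-limited, so a flood of rejected
# traffic fills the syslog; consider adding `-m limit` as the chains above do.
iptables -A INPUT -j LOG --log-level info --log-prefix 'iptables: '
iptables -A OUTPUT -j LOG --log-level info --log-prefix 'iptables: '
iptables -A FORWARD -j LOG --log-level info --log-prefix 'iptables: '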