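#!/usr/bin/env bash
#
# rc.firewall — stateful IPv6 (ip6tables) firewall for a small router / host.
#
# Usage: rc.firewall {start|stop|restart|status|internet}
#
# Optional environment:
#   WAN_IF  upstream interface (default: eth0)
#   LAN_IF  internal interface, only referenced by the commented proxy rule (default: eth1)
#
# Design: default policy DROP on INPUT/OUTPUT/FORWARD; ICMPv6 goes through an
# explicit type allowlist (RFC 4890); TCP services go through ALLOW_TCP6, which
# drops malformed flag combinations before it accepts SYNs / established flows;
# UDP (DNS, DHCPv6) is accepted directly per port.
#
# NOTE(review): the "LAN" prefix ETH6 is the link-local range fe80::/10.  The
# kernel never forwards packets with a link-local source or destination and they
# cannot be masqueraded, so the FORWARD and MASQUERADE rules only do something
# useful once ETH6 is changed to the LAN's routable (ULA or global) prefix —
# confirm against the actual addressing plan before relying on them.
#
# Fixes relative to the previous revision of this script (see the per-rule
# comments): binary checks that never fired (`[ -z $FW6 ]`), "0/0" used as an
# IPv6 network, ICMPv6 neighbour discovery starved by a `-d fe80::/10` match, a
# rate-limited blanket ACCEPT for any ICMPv6 type, DHCPv6 sent into a TCP-only
# chain, TCP flag sanity checks shadowed by the SYN accept, a never-set $FLAGS in
# log prefixes, unlimited LOG rules placed *before* the DNS accepts, IPv4-only
# forwarding/source-route sysctls on an IPv6 firewall, and `start` not being
# idempotent (second run failed on `-N`, rules accumulated).

set -u

FW6=/usr/sbin/ip6tables
SYSCTL=/sbin/sysctl
PROBE=/sbin/modprobe

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

ETH6="fe80::/10"   # "LAN" prefix — see NOTE in the header
NET="::/0"         # any address.  "0/0" is not an IPv6 network and ip6tables rejects it
LO6="::1"
PA="1024:65535"    # unprivileged (client-side) port range

# TCP flag combinations that do not occur in legitimate traffic (scanner probes).
BAD_TCP_FLAGS=(
  "FIN,SYN" "FIN,RST" "FIN,URG,PSH" "NONE" "RST,URG" "RST,PSH"
  "SYN,RST" "SYN,URG" "SYN,PSH" "SYN,URG,PSH"
)

# TCP ports the LAN may reach on the firewall and through it.  SSH (22) lives in
# ADMIN_TCP_PORTS so the management path is visible in one place.
ADMIN_TCP_PORTS=(22)
SERVICE_TCP_PORTS=(80 443 8080 8081 5900)

die() { printf '%s\n' "$*" >&2; exit 1; }

# Abort if a required binary is missing.  The previous `[ -z $FW6 ]` only tested
# that the path *string* was non-empty, so the check could never fire.
require_bin() {
  local bin=$1
  [[ -x "$bin" ]] || die "${bin##*/}: Command not found"
}

# Apply a sysctl and warn (rather than silently ignore) when the kernel lacks it.
set_sysctl() {
  local key=$1 value=$2
  if ! $SYSCTL -w "$key=$value" >/dev/null 2>&1; then
    printf 'warning: sysctl %s=%s not applied\n' "$key" "$value" >&2
  fi
}

# ip6tables only has a nat table on kernels >= 3.7 (MASQUERADE: >= 3.9).
have_nat_table() {
  $FW6 -t nat -L -n >/dev/null 2>&1
}

# $1: DROP or ACCEPT, applied to all three filter chains.
set_policy() {
  local policy=$1 chain
  for chain in INPUT OUTPUT FORWARD; do
    $FW6 -P "$chain" "$policy"
  done
}

# Remove every rule and user chain.  Called from stop and — so that a repeated
# `start` neither fails on `-N` nor appends duplicate rules — from start.
flush() {
  $FW6 -F
  $FW6 -X
  if have_nat_table; then
    $FW6 -t nat -F
    $FW6 -t nat -X
  fi
}

allow_loopback() {
  # Accept everything on lo.  Local sockets talk to *any* of the host's own
  # addresses over lo, not only ::1, so the previous `-d ::1` match broke e.g. a
  # daemon connecting to its own global address.  Conversely ::1 must never show
  # up on a real interface — that is spoofing.
  $FW6 -A INPUT  -i lo -j ACCEPT
  $FW6 -A OUTPUT -o lo -j ACCEPT
  $FW6 -A INPUT ! -i lo -s "$LO6" -j DROP
}

allow_icmp() {
  # ICMPv6 allowlist (RFC 4890 §4.3/§4.4).  IPv6 does not work without most of
  # these: type 2 (packet-too-big) carries path-MTU discovery, 133-136 are
  # router/neighbour discovery and 130-132/143 are MLD.
  #
  # The rules intentionally carry no destination match.  ND and MLD are sent to
  # multicast groups (ff02::1, ff02::2, ff02::1:ffxx:xxxx), and error messages
  # 1-4 arrive at whichever global address we used, so the previous
  # `-d fe80::/10` never matched them and ND/PMTUD only worked through the
  # 1-packet/s catch-all accept.
  $FW6 -N ALLOW_ICMP6

  local t
  for t in 1 2 3 4; do                  # destination-unreachable, packet-too-big,
    $FW6 -A ALLOW_ICMP6 -p icmpv6 --icmpv6-type "$t" -j ACCEPT   # time-exceeded, parameter-problem (all codes)
  done
  for t in 128 129; do                  # echo request / reply
    $FW6 -A ALLOW_ICMP6 -p icmpv6 --icmpv6-type "$t" -j ACCEPT
  done
  # Neighbour Discovery (RFC 4861): RS, RA, NS, NA.  Legitimate ND always has
  # hop-limit 255 because it must originate on-link; anything else is a forgery.
  for t in 133 134 135 136; do
    $FW6 -A ALLOW_ICMP6 -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
  done
  for t in 130/0 131/0 132/0 143/0; do  # MLD query / report / done / MLDv2 report
    $FW6 -A ALLOW_ICMP6 -p icmpv6 --icmpv6-type "$t" -j ACCEPT
  done
  #$FW6 -A ALLOW_ICMP6 -p icmpv6 --icmpv6-type 141 -j ACCEPT  # Inverse ND Solicitation
  #$FW6 -A ALLOW_ICMP6 -p icmpv6 --icmpv6-type 142 -j ACCEPT  # Inverse ND Advertisement
  #$FW6 -A ALLOW_ICMP6 -p icmpv6 --icmpv6-type 148 -j ACCEPT  # Certificate Path Solicitation (SEND)
  #$FW6 -A ALLOW_ICMP6 -p icmpv6 --icmpv6-type 149 -j ACCEPT  # Certificate Path Advertisement (SEND)
  #$FW6 -A ALLOW_ICMP6 -p icmpv6 --icmpv6-type 151 -j ACCEPT  # Multicast Router Advertisement
  #$FW6 -A ALLOW_ICMP6 -p icmpv6 --icmpv6-type 152 -j ACCEPT  # Multicast Router Solicitation
  #$FW6 -A ALLOW_ICMP6 -p icmpv6 --icmpv6-type 153 -j ACCEPT  # Multicast Router Termination

  # Everything else — including 137 (redirect) — is logged at a low rate and
  # dropped.  The chain previously ended in `-m limit --limit 1/s -j ACCEPT`,
  # which let *any* ICMPv6 type through at 1 pps and made the allowlist advisory.
  $FW6 -A ALLOW_ICMP6 -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "IP6TABLES ICMPv6 drop: "
  $FW6 -A ALLOW_ICMP6 -j DROP

  local chain
  for chain in INPUT OUTPUT FORWARD; do
    $FW6 -A "$chain" -p icmpv6 -j ALLOW_ICMP6
  done
}

# Management access: SSH from the LAN to the firewall itself (plus replies).
adm_ports() {
  local port
  for port in "${ADMIN_TCP_PORTS[@]}"; do
    $FW6 -A INPUT  -p tcp -s "$ETH6" --sport "$PA" --dport "$port" -j ALLOW_TCP6
    $FW6 -A OUTPUT -p tcp --sport "$port" -d "$ETH6" --dport "$PA" -j ALLOW_TCP6
  done
}

service_ports() {
  local port

  # DHCPv6 (RFC 8415): the client listens on UDP 546, the server on 547, so
  # replies to this host come *from* 547 — not from 1024:65535 as the old rule
  # assumed — and must be ACCEPTed directly.  The old rule also jumped UDP into
  # ALLOW_TCP6, a TCP-only chain whose last rule is DROP, so DHCPv6 could never
  # work.  If this host runs a DHCPv6 server/relay for the LAN, add a matching
  # INPUT rule for --dport 547.
  $FW6 -A INPUT  -p udp -s "$ETH6" --sport 547 --dport 546 -j ACCEPT
  $FW6 -A OUTPUT -p udp --sport 546 --dport 547 -j ACCEPT

  # LAN -> firewall on the service ports, and the mirror-image replies.
  for port in "${SERVICE_TCP_PORTS[@]}"; do
    $FW6 -A INPUT  -p tcp -s "$ETH6" --sport "$PA" --dport "$port" -j ALLOW_TCP6
    $FW6 -A OUTPUT -p tcp --sport "$port" -d "$ETH6" --dport "$PA" -j ALLOW_TCP6
  done

  # LAN -> internet through the firewall (both directions) on admin + service ports.
  for port in "${ADMIN_TCP_PORTS[@]}" "${SERVICE_TCP_PORTS[@]}"; do
    $FW6 -A FORWARD -p tcp -s "$ETH6" --sport "$PA" --dport "$port" -j ALLOW_TCP6
    $FW6 -A FORWARD -p tcp --sport "$port" -d "$ETH6" --dport "$PA" -j ALLOW_TCP6
  done

  # The firewall itself as an HTTP/HTTPS client out of the WAN interface.
  # NOTE(review): there is no rule for the firewall's own outbound DNS, so these
  # only help with literal-address destinations or a local resolver — confirm.
  for port in 80 443; do
    $FW6 -A OUTPUT -o "$WAN_IF" -p tcp --sport "$PA" --dport "$port" -j ALLOW_TCP6
    $FW6 -A INPUT  -i "$WAN_IF" -p tcp --sport "$port" --dport "$PA" -j ALLOW_TCP6
  done
}

allow_tcp() {
  # ALLOW_TCP6 is the shared target of every TCP service rule.  Rule order
  # matters: the sanity drops must come *before* the SYN accept.  `--syn` only
  # requires SYN set and ACK/RST/FIN clear, so SYN,URG / SYN,PSH / SYN,URG,PSH
  # were previously accepted by the first rule and their drop rules were dead.
  $FW6 -N ALLOW_TCP6

  local flags
  for flags in "${BAD_TCP_FLAGS[@]}"; do
    # Log prefix is limited to 29 chars; "IP6TABLES: (SYN,URG,PSH): " is 26.
    # (The old prefix interpolated $FLAGS, which was never set.)
    $FW6 -A ALLOW_TCP6 -p tcp --tcp-flags ALL "$flags" \
      -m limit --limit 5/min --limit-burst 10 \
      -j LOG --log-prefix "IP6TABLES: ($flags): "
    $FW6 -A ALLOW_TCP6 -p tcp --tcp-flags ALL "$flags" -j DROP
  done

  # A NEW flow that does not start with SYN is a scan or a stale connection.
  # Needs IPv6 conntrack (nf_conntrack_ipv6 on kernels < 4.19, merged into
  # nf_conntrack afterwards); the `-m state` rules below needed it already.
  $FW6 -A ALLOW_TCP6 -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

  $FW6 -A ALLOW_TCP6 -p tcp --syn -j ACCEPT
  $FW6 -A ALLOW_TCP6 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $FW6 -A ALLOW_TCP6 -j DROP

  adm_ports
  service_ports
}

# Log whatever is about to hit the DROP policy, rate-limited so an attacker
# cannot fill the journal.  Must be appended *after* every ACCEPT rule: the old
# script appended unlimited LOG rules inside allow_tcp and then added the DNS
# accepts behind them, so every DNS packet was logged.
log_drops() {
  local chain
  for chain in INPUT FORWARD OUTPUT; do
    $FW6 -A "$chain" -m limit --limit 5/min --limit-burst 10 \
      -j LOG --log-tcp-options --log-ip-options --log-prefix "[IP6TABLES $chain] : "
  done
}

accept_dns_conn() {
  # DNS for the LAN: queries to this host's resolver and forwarded queries, plus
  # the replies.  UDP only, as before; TCP/53 fallback for large answers is not
  # opened here.
  $FW6 -A INPUT   -p udp -s "$ETH6" --sport "$PA" --dport 53 -j ACCEPT
  $FW6 -A OUTPUT  -p udp --sport 53 -d "$ETH6" --dport "$PA" -j ACCEPT
  $FW6 -A FORWARD -p udp -s "$ETH6" --sport "$PA" --dport 53 -j ACCEPT
  $FW6 -A FORWARD -p udp --sport 53 -d "$ETH6" --dport "$PA" -j ACCEPT
}

#accept_proxy() {
#  # Transparent HTTP proxy on the LAN interface.
#  $FW6 -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$ETH6" --dport 80 -j REDIRECT --to-port 3128
#}

accept_internet() {
  # IPv6 NAT (kernel >= 3.9).  See the header NOTE: with ETH6 = fe80::/10 this
  # rule matches nothing the kernel would forward; it becomes meaningful only
  # with a routable LAN prefix.
  have_nat_table || die "ip6tables nat table unavailable (kernel too old for IPv6 MASQUERADE)"
  $FW6 -t nat -A POSTROUTING -s "$ETH6" -o "$WAN_IF" -j MASQUERADE
}

setup_kernel() {
  # Modules.  ip6tables autoloads what each rule needs on any kernel that
  # matters, so every modprobe is best-effort.  The ip_*/ipt_* names are the
  # legacy IPv4 set inherited from the old script and no longer exist; the
  # ip6_*/nf_* names are the ones that actually back this IPv6 ruleset.
  local mod
  for mod in ip6_tables ip6table_filter ip6table_nat ip6table_mangle \
             nf_conntrack nf_conntrack_ipv6 nf_conntrack_ftp nf_nat_ftp \
             ip_nat_ftp ip_conntrack_ftp iptable_nat iptable_filter ip_tables \
             ip_conntrack ip_nat_pptp ipt_MASQUERADE ipt_LOG ipt_MARK ipt_REDIRECT \
             ipt_REJECT ipt_TCPMSS ipt_TOS ipt_limit ipt_mac ipt_mark ipt_multiport \
             ipt_owner ipt_state ipt_tcpmss ipt_tos iptable_mangle; do
    $PROBE -q "$mod" 2>/dev/null || true   # best-effort, see above
  done
  #$PROBE ip_queue
  #$PROBE ipt_MIRROR
  #$PROBE ipt_unclean
  #$PROBE ipt_layer7   # requires a patched kernel

  # --- IPv6: what this firewall actually routes ---------------------------
  # The FORWARD chain and MASQUERADE imply routing, but only IPv4 ip_forward was
  # switched on before; IPv6 has its own knob.  Caveat: with forwarding=1 the
  # kernel stops honouring router advertisements unless accept_ra=2 is set on
  # the WAN interface — set that separately if the uplink is RA-configured.
  set_sysctl net.ipv6.conf.all.forwarding 1
  set_sysctl net.ipv6.conf.all.accept_source_route 0
  # A router must not accept redirects (we also drop ICMPv6 type 137 above).
  set_sysctl net.ipv6.conf.all.accept_redirects 0

  # --- IPv4 hardening for the host's own stack (unchanged) -----------------
  set_sysctl net.ipv4.conf.all.rp_filter 2            # loose reverse-path filtering
  set_sysctl net.ipv4.ip_forward 1
  set_sysctl net.ipv4.tcp_timestamps 0
  set_sysctl net.ipv4.tcp_syncookies 1
  set_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1
  set_sysctl net.ipv4.icmp_ignore_bogus_error_responses 1
  set_sysctl net.ipv4.conf.all.accept_source_route 0
  set_sysctl net.ipv4.ip_default_ttl 255
  set_sysctl net.ipv4.icmp_ratemask 6457              # rate-limit ICMP types 0 3 4 5 8 11 12
  set_sysctl net.ipv4.tcp_fin_timeout 30
  set_sysctl net.ipv4.tcp_keepalive_time 1800
  # NOTE(review): disabling window scaling and SACK caps throughput on any
  # high-latency link and offers no real DoS protection; kept only because the
  # previous revision set them — consider removing.
  set_sysctl net.ipv4.tcp_window_scaling 0
  set_sysctl net.ipv4.tcp_sack 0
}

start() {
  echo "Starting Firewall: "
  set_policy DROP
  flush            # makes `start` idempotent (see flush)
  allow_loopback
  allow_icmp
  allow_tcp
  accept_dns_conn
  #accept_proxy
  accept_internet
  log_drops        # must be the last rule in each chain
  setup_kernel     # last: forwarding is only enabled once the rules are in place
}

stop() {
  echo "Stopping Firewall: "
  set_policy ACCEPT
  flush
}

status() {
  echo ">> Showing table default: "
  $FW6 -L -n -v --line-numbers
  echo ""
  echo ">> Showing table nat: "
  if have_nat_table; then
    $FW6 -t nat -L -n -v --line-numbers
  else
    echo "(nat table not available)"
  fi
}

restart() {
  stop
  start
}

main() {
  require_bin "$FW6"
  require_bin "$SYSCTL"
  require_bin "$PROBE"
  [[ $EUID -eq 0 ]] || die "This script must be run as root"

  case "${1:-}" in
    start)    start ;;
    stop)     stop ;;
    restart)  restart ;;
    status)   status ;;
    internet) accept_internet ;;
    *)
      echo "Usage: $0 {start|stop|restart|status|internet}"
      exit 1
      ;;
  esac
  echo "Firewall ok"   # was after `exit 0` in the old script and never printed
}

main "$@"
exit 0

# If the script fails with odd "command not found" errors it probably has CRLF
# line endings; fix with:
#   sed -i -e 's/\r$//' rc.firewall
# then run `./rc.firewall start` again.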