#!/usr/bin/bash

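# Tools this script drives. Each path is checked for an executable file:
# the variables hold literal paths, so an emptiness test (-z) can never
# fire and a missing binary would only surface as per-rule failures later.
FW6=/usr/sbin/ip6tables

if [ ! -x "$FW6" ]; then
  echo "ip6tables: Command not found" >&2
  exit 1
fi

SYSCTL=/sbin/sysctl

if [ ! -x "$SYSCTL" ]; then
  echo "sysctl: Command not found" >&2
  exit 1
fi

PROBE=/sbin/modprobe

if [ ! -x "$PROBE" ]; then
  echo "modprobe: Command not found" >&2
  exit 1
fi

# Address and port vocabulary shared by every rule below.
ETH6="fe80::/10"      # the "LAN" side: link-local addresses only
NET="0/0"             # any address
#LO6="::1"
LO6="0:0:0:0:0:0:0:1" # loopback, uncompressed form of ::1
PA="1024:65535"       # unprivileged (ephemeral) port range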

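#######################################
# Set the default policy of the three filter-table chains.
# Globals:   FW6 (read)
# Arguments: $1 - DROP or ACCEPT; anything else is refused so a typo
#                 cannot silently leave the default policy unchanged
# Returns:   0 on success, 1 for an unknown policy (message on stderr)
#######################################
set_policy() {
  local policy=$1

  case "$policy" in
    DROP|ACCEPT) ;;
    *)
      echo "set_policy: expected DROP or ACCEPT, got '$policy'" >&2
      return 1
      ;;
  esac

  "$FW6" -P INPUT "$policy"
  "$FW6" -P OUTPUT "$policy"
  "$FW6" -P FORWARD "$policy"
}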

# Progress message emitted while the script is read, before any action runs.
printf '%s\n' "Set policy ok"

#######################################
# Flush all rules (-F) and delete all user chains (-X) in the filter and
# nat tables. Other tables (mangle, raw) are not touched.
# Globals: FW6 (read)
#######################################
flush() {
  local op
  # default (filter) table first, then nat, for each operation
  for op in -F -X; do
    "$FW6" "$op"
    "$FW6" "$op" -t nat
  done
}
# Progress message emitted while the script is read, before any action runs.
printf '%s\n' "Flush ok"

#######################################
# Accept loopback traffic, but only when the loopback address is exactly
# $LO6 (traffic to other local addresses over 'lo' is not covered here).
# Globals: FW6, LO6 (read)
#######################################
allow_loopback() {
  local lo_if=lo
  "$FW6" -A INPUT -j ACCEPT -i "$lo_if" -d "$LO6"
  "$FW6" -A OUTPUT -j ACCEPT -o "$lo_if" -s "$LO6"
}
# Progress message emitted while the script is read, before any action runs.
printf '%s\n' "Allow loopback ok"

#######################################
# Build the ALLOW_ICMP6 chain and hook it into INPUT, OUTPUT and FORWARD.
# The listed types are accepted only when the destination is inside $ETH6
# (link-local). Any other ICMPv6 - including these types sent to a global
# address - only gets through the 1/s rate-limited ACCEPT and is dropped
# beyond that.
# So my conclusion is that a web server ipv6 only needs types 1,2,3,4,128,135,136
# So my conclusion is that a router ipv6 only needs types (based on OpenWrt):
# Allow-ICMPv6-Input 1,2,3,4/0,4/1,128,129,133,134,135,136
# Allow-ICMPv6-Forward 1,2,3,4/0,4/1,128,129
# Allow-MLD 130/0,131/0,132/0,143/0
# Globals: FW6, ETH6 (read)
#######################################
allow_icmp() {
  # type[/code] values, in rule order
  local -a icmp_types=(
    1      # destination-unreachable (all codes)
    2      # packet-too-big
    3      # time-exceeded
    #3/0   # ttl-zero-during-transit
    #3/1   # ttl-zero-during-reassembly
    4      # parameter-problem
    4/0    # bad-header
    4/1    # unknown-header-type
    #4/2   # unknown-option
    128    # echo-request
    129    # echo-reply
    130/0  # listener query (MLD)
    131/0  # listener report (MLD)
    132/0  # listener done (MLD)
    133    # router-solicitation
    134    # router-advertisement
    135    # neighbor-solicitation
    136    # neighbor-advertisement
    # not enabled: 141/142 inverse ND, 148/149 certificate path,
    # 151-153 multicast router discovery
    143/0  # listener report v2
  )
  local icmp_type chain

  "$FW6" -N ALLOW_ICMP6
  for icmp_type in "${icmp_types[@]}"; do
    "$FW6" -A ALLOW_ICMP6 -j ACCEPT -p icmpv6 --icmpv6-type "$icmp_type" -d "$ETH6"
  done

  # everything else: at most one packet per second, then drop
  "$FW6" -A ALLOW_ICMP6 -j ACCEPT -m limit --limit 1/s
  "$FW6" -A ALLOW_ICMP6 -j DROP

  for chain in INPUT OUTPUT FORWARD; do
    "$FW6" -A "$chain" -j ALLOW_ICMP6 -p icmpv6
  done
}
# Progress message emitted while the script is read, before any action runs.
printf '%s\n' "Allow icmp ok"

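#######################################
# Hook the TCP service ports (and DHCPv6) into the ALLOW_TCP6 chain.
# Globals: FW6, ETH6, NET, PA (read); WAN_IF (optional, default eth0)
#######################################
service_ports() {
  local wan_if=${WAN_IF:-eth0}
  # TCP ports the LAN may reach on the firewall and through it
  local -a ports=(22 80 443 8080 8081 5900)
  local port

  # '-m multiport' was found not to work for ipv6 here, so one rule per port.

  # Allow DHCPv6 (client port 546). This must ACCEPT directly: every ACCEPT
  # in ALLOW_TCP6 is '-p tcp' and that chain ends in an unconditional DROP,
  # so a UDP packet jumped there (as before) was always dropped.
  # NOTE(review): DHCPv6 servers commonly reply from port 547, which is
  # outside $PA - confirm this rule matches on your network.
  "$FW6" -A INPUT -j ACCEPT -p udp -s "$ETH6" --sport "$PA" -d "$NET" --dport 546

  # Allow LAN to access the firewall and the internet on these ports (ipv6)
  for port in "${ports[@]}"; do
    "$FW6" -A INPUT -j ALLOW_TCP6 -p tcp -s "$ETH6" --sport "$PA" -d "$NET" --dport "$port"
  done
  for port in "${ports[@]}"; do
    "$FW6" -A OUTPUT -j ALLOW_TCP6 -p tcp -s "$NET" --sport "$port" -d "$ETH6" --dport "$PA"
  done
  for port in "${ports[@]}"; do
    "$FW6" -A FORWARD -j ALLOW_TCP6 -p tcp -s "$ETH6" --sport "$PA" -d "$NET" --dport "$port"
  done
  for port in "${ports[@]}"; do
    "$FW6" -A FORWARD -j ALLOW_TCP6 -p tcp -s "$NET" --sport "$port" -d "$ETH6" --dport "$PA"
  done

  # Allow the firewall itself to reach the internet (HTTP/HTTPS) via the WAN interface
  for port in 80 443; do
    "$FW6" -A INPUT -j ALLOW_TCP6 -p tcp -i "$wan_if" --sport "$port" --dport "$PA"
  done
  for port in 80 443; do
    "$FW6" -A OUTPUT -j ALLOW_TCP6 -p tcp -o "$wan_if" --sport "$PA" --dport "$port"
  done
}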

# Progress message emitted while the script is read, before any action runs.
printf '%s\n' "Service ports ok"

#######################################
# Hook LAN -> firewall SSH (and its reply direction) into ALLOW_TCP6.
# service_ports appends the same two port-22 rules, so they end up twice.
# Globals: FW6, ETH6, NET, PA (read)
#######################################
adm_ports() {
  local ssh_port=22
  "$FW6" -A INPUT -j ALLOW_TCP6 -p tcp -s "$ETH6" --sport "$PA" -d "$NET" --dport "$ssh_port"
  "$FW6" -A OUTPUT -j ALLOW_TCP6 -p tcp -s "$NET" --sport "$ssh_port" -d "$ETH6" --dport "$PA"
}

# Progress message emitted while the script is read, before any action runs.
printf '%s\n' "Admin ports ok"

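#######################################
# Build the ALLOW_TCP6 chain, attach the service/admin port rules, and add
# the catch-all LOG rules on the built-in chains.
# Chain order: malformed-flag LOG+DROP first, then ACCEPT of new SYNs and
# of established/related flows, then a final DROP. Previously the '--syn'
# ACCEPT came first, so the SYN,URG / SYN,PSH / SYN,URG,PSH rules below it
# could never match. The log prefix names the flag combination; it used
# to expand $FLAGS, which this script never sets, to an empty string.
# Globals: FW6 (read)
#######################################
allow_tcp() {
  # flag sets no legitimate TCP segment carries
  local -a bad_flags=(FIN,SYN FIN,RST FIN,URG,PSH NONE RST,URG RST,PSH SYN,RST SYN,URG SYN,PSH SYN,URG,PSH)
  local flags chain

  "$FW6" -N ALLOW_TCP6

  # '--tcp-flags ALL X' matches only segments whose flag set is exactly X,
  # so a LOG immediately followed by its DROP behaves the same as the old
  # "all LOGs, then all DROPs" layout. The longest prefix,
  # "IP6TABLES: (FIN,URG,PSH): ", stays within the 29-byte --log-prefix limit.
  for flags in "${bad_flags[@]}"; do
    "$FW6" -A ALLOW_TCP6 -j LOG --log-prefix "IP6TABLES: ($flags): " -p tcp --tcp-flags ALL "$flags"
    "$FW6" -A ALLOW_TCP6 -j DROP -p tcp --tcp-flags ALL "$flags"
  done

  "$FW6" -A ALLOW_TCP6 -j ACCEPT -p tcp --syn
  "$FW6" -A ALLOW_TCP6 -j ACCEPT -p tcp -m state --state ESTABLISHED,RELATED

  # Unfinished experiments kept for reference:
  #$FW6 -A ALLOW_TCP -j ACCEPT -p tcp -m conntrack --ctstate ESTABLISHED,RELATED
  # Drop NEW without SYN (not working):
  #$FW6 -A ALLOW_TCP -j LOG --log-prefix "IP6TABLES: NEW without syn: " -p tcp ! --syn -m state --state NEW
  #$FW6 -A ALLOW_TCP -j DROP -p tcp ! --syn -m state --state NEW
  # Drop badly formed packets (-m unclean):
  #$FW6 -A ALLOW_TCP -j LOG --log-prefix "IP6TABLES: Badly formed: " -m unclean
  #$FW6 -A ALLOW_TCP -j DROP -m unclean

  "$FW6" -A ALLOW_TCP6 -j DROP

  adm_ports
  service_ports

  # Logs ipv6: whatever is still unmatched in the built-in chains is logged
  # before the default policy applies. These rules have no '-m limit'; if
  # log volume becomes a problem, rate-limiting them is the usual remedy.
  for chain in INPUT FORWARD OUTPUT; do
    "$FW6" -A "$chain" -j LOG --log-tcp-options --log-ip-options --log-prefix "[IP6TABLES $chain] : "
  done
}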

# Progress message emitted while the script is read, before any action runs.
printf '%s\n' "Allow tcp ok"

#######################################
# Accept DNS over UDP (port 53) from the LAN, both to the firewall and
# forwarded through it, plus the reply direction. TCP/53 is not covered.
# Globals: FW6, ETH6, NET, PA (read)
#######################################
accept_dns_conn() {
  local dns_port=53
  # to resolve the internal network
  "$FW6" -A INPUT -j ACCEPT -p udp -s "$ETH6" --sport "$PA" -d "$NET" --dport "$dns_port"
  "$FW6" -A OUTPUT -j ACCEPT -p udp -s "$NET" --sport "$dns_port" -d "$ETH6" --dport "$PA"
  "$FW6" -A FORWARD -j ACCEPT -p udp -s "$ETH6" --sport "$PA" -d "$NET" --dport "$dns_port"
  "$FW6" -A FORWARD -j ACCEPT -p udp -s "$NET" --sport "$dns_port" -d "$ETH6" --dport "$PA"
}

# Progress message emitted while the script is read, before any action runs.
printf '%s\n' "Accept dns ok"

#accept_proxy() {
#  $FW6 -t nat -A PREROUTING -j REDIRECT -p tcp -s $ETH6 --dport 80 -i eth1 --to-port 3128
#}

#echo "Accept proxy ok"

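#######################################
# MASQUERADE traffic sourced from $ETH6 that leaves via the WAN interface.
# Globals: FW6, ETH6 (read); WAN_IF (optional, default eth0 as before)
# NOTE(review): ETH6 is fe80::/10 (link-local); confirm that NAT of
# link-local sources on the ip6tables nat table is the intended design.
#######################################
accept_internet() {
  local wan_if=${WAN_IF:-eth0}
  "$FW6" -t nat -A POSTROUTING -j MASQUERADE -s "$ETH6" -o "$wan_if"
}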

# Progress message emitted while the script is read, before any action runs.
printf '%s\n' "Accept internet ok"

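#######################################
# Load netfilter modules and apply the kernel hardening sysctls.
# Globals: PROBE, SYSCTL (read)
# Outputs: sysctl's own stdout is discarded; its stderr is kept, and one
#          warning per sysctl that could not be applied goes to stderr
#          (previously every failure was silenced, so a typo or a missing
#          key was invisible)
# Returns: 0; a failing modprobe is reported by modprobe but does not
#          stop the script, as before
#######################################
setup_kernel() {
  local module key

  # The ip_*/ipt_*/iptable_* names are the IPv4 (iptables) set the script
  # always loaded; the ip6_tables/ip6table_* entries are the IPv6 modules
  # the ip6tables rules in this file actually use. The duplicate ipt_MARK
  # entry is gone. Current kernels autoload most of these on demand.
  local -a modules=(
    ip_nat_ftp ip_conntrack_ftp
    iptable_nat iptable_filter ip_tables ip_conntrack ip_nat_pptp
    ipt_MASQUERADE ipt_LOG ipt_MARK ipt_REDIRECT ipt_REJECT ipt_TCPMSS ipt_TOS
    ipt_limit ipt_mac ipt_mark ipt_multiport ipt_owner ipt_state ipt_tcpmss ipt_tos
    iptable_mangle
    ip6_tables ip6table_filter ip6table_nat ip6table_mangle
  )
  # not loaded: ip_queue, ipt_MIRROR, ipt_unclean, ipt_layer7 (needs a kernel build)
  for module in "${modules[@]}"; do
    "$PROBE" "$module"
  done

  local -a sysctls=(
    net.ipv4.conf.all.rp_filter=2                 # reverse-path filter (loose) against spoofing
    net.ipv4.ip_forward=1                         # enable IP forward (v4)
    net.ipv6.conf.all.forwarding=1                # ...and v6: the FORWARD/MASQUERADE rules need it
    net.ipv4.tcp_timestamps=0                     # kill timestamps
    net.ipv4.tcp_syncookies=1                     # SYN cookie protection
    net.ipv4.icmp_echo_ignore_broadcasts=1        # ignore ICMP broadcast
    net.ipv4.icmp_ignore_bogus_error_responses=1  # ignore bogus error responses
    net.ipv4.conf.all.accept_source_route=0       # discard source-routed packets (v4)
    net.ipv6.conf.all.accept_source_route=0       # ...and v6
    net.ipv4.ip_default_ttl=255                   # change TTL value
    net.ipv4.icmp_ratemask=6457                   # ratemask for ICMP types 0 3 4 5 8 11 12
    net.ipv4.tcp_fin_timeout=30                   # TCP values recommended with DoS in mind
    net.ipv4.tcp_keepalive_time=1800
    net.ipv4.tcp_window_scaling=0
    net.ipv4.tcp_sack=0
  )
  for key in "${sysctls[@]}"; do
    "$SYSCTL" -w "$key" >/dev/null || printf 'setup_kernel: could not apply %s\n' "$key" >&2
  done
}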

# Progress message emitted while the script is read, before any action runs.
printf '%s\n' "Setup kernel ok"

#######################################
# Bring the firewall up: default-DROP, then append the rule sets in order
# (every function uses -A, so this order is the rule order), then kernel
# settings. accept_proxy is intentionally not called.
#######################################
start() {
  local step
  printf '%s\n' "Starting Firewall: "
  set_policy DROP
  for step in allow_loopback allow_icmp allow_tcp accept_dns_conn accept_internet setup_kernel; do
    "$step"
  done
  #accept_proxy
}

#######################################
# Take the firewall down: open the default policy first, then flush, so
# the flush never leaves the box with DROP policies and no rules.
#######################################
stop() {
  printf '%s\n' "Stopping Firewall: "
  set_policy ACCEPT
  flush
}

#######################################
# Print the filter (default) and nat tables.
# Globals: FW6 (read)
#######################################
status() {
  printf '%s\n' ">> Showing table default: "
  "$FW6" -L
  printf '\n'
  printf '%s\n' ">> Showing table nat: "
  "$FW6" -L -t nat
  # verbose listing (--list -v) left disabled
}

#######################################
# stop, then start; start runs even if stop reported an error.
#######################################
restart() {
  local step
  for step in stop start; do
    "$step"
  done
}

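# Start of the firewall script: dispatch on the action given as $1.
case "$1" in

  start)
    start
  ;;

  stop)
    stop
  ;;

  restart)
    restart
  ;;

  status)
    status
  ;;

  internet)
    accept_internet
  ;;

  *)
    # 'internet' is a real action above; it was missing from this message.
    echo "Usage: $0 {start|stop|restart|status|internet}" >&2
    exit 1
  ;;

esac

exit 0
# (a trailing 'echo "Firewall ok"' used to follow here; it was unreachable)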

# If you have problems running the firewall script, run the commands below:
# Run the following command in a terminal (it strips Windows CR line endings):
#sed -i -e 's/\r$//' rc.firewall
#Then try
#./rc.firewall start
#It should work.