IPTABLES


notables.sh

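#!/bin/bash
# notables.sh -- turn the host firewall off: flush every rule in the filter,
# nat and mangle tables of iptables AND ip6tables and set all default
# policies back to ACCEPT.  A recovery tool, not a hardening step: once it
# has run, every port the host listens on is reachable from anywhere.
#
# ip6tables is reset too (it was not before): iptables.sh leaves ip6tables
# INPUT at DROP, so an IPv4-only reset kept IPv6 blocked.  Policies are set
# to ACCEPT *before* the flush so there is no window with an empty chain
# under a DROP policy.
#
# The echo strings are quoted: an unquoted "[iptables]" is a glob and
# expands to any single-letter file (a, b, e, i, l, p, s, t) present in the
# working directory.

echo '[iptables] Reset tables'

for fw in iptables ip6tables; do
	"${fw}" -P INPUT ACCEPT
	"${fw}" -P FORWARD ACCEPT
	"${fw}" -P OUTPUT ACCEPT
	"${fw}" -F
	"${fw}" -X
	"${fw}" -t nat -F
	"${fw}" -t nat -X
	"${fw}" -t mangle -F
	"${fw}" -t mangle -X
done

# Print the resulting (empty) rule set.  This only writes to stdout -- unlike
# iptables.sh it does NOT update /etc/iptables.rules, so a previously saved
# restrictive rule set comes back on the next restore; redirect the output
# there if the reset has to survive a reboot.
echo '[iptables] Saving state'
iptables-save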

iptables.sh

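#!/bin/bash
# iptables.sh -- rebuild the host firewall (IPv4 and IPv6) from scratch:
# reset, default policies, anti-scan filtering, allowed services, libvirt
# (virbr0) NAT, Docker bridge NAT/isolation, then save.
#
# Phase 1: a clean, permissive starting point.  Policies go back to ACCEPT
# *before* the flush so the window between "old rules gone" and "new rules
# in place" cannot drop the SSH session running this script.  ip6tables is
# flushed as well now: the ip6tables -A rules appended further down were
# never flushed before and were added again on every run.
#
# Not touched: the raw and security tables.  The flush also wipes the rules
# dockerd and libvirtd installed for themselves; see those sections for what
# is and is not re-created.
#
# Echo strings in this script should be quoted: an unquoted "[iptables]" is
# a glob that expands to any single-letter file (a, b, e, i, l, p, s, t) in
# the working directory.

echo '[iptables] Reset tables'

for fw in iptables ip6tables; do
	"${fw}" -P INPUT ACCEPT
	"${fw}" -P FORWARD ACCEPT
	"${fw}" -P OUTPUT ACCEPT
	"${fw}" -F
	"${fw}" -X
	"${fw}" -t nat -F
	"${fw}" -t nat -X
	"${fw}" -t mangle -F
	"${fw}" -t mangle -X
done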

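echo '[iptables] Politics'

# Default policies ("Politics" is the author's word for policies).  INPUT
# falls back to DROP, so only traffic matched by an ACCEPT rule further down
# reaches the host; FORWARD and OUTPUT stay ACCEPT, for IPv4 and IPv6 alike.
#
# NOTE(review): FORWARD ACCEPT together with the two docker0 rules appended
# right here puts "accept anything to or from docker0" at the head of the
# FORWARD chain, ahead of the DOCKER, DOCKER-USER and DOCKER-ISOLATION-STAGE-*
# chains the Docker section appends later.  Those chains never see docker0
# traffic: a container on docker0 reaches the br-* networks the isolation
# chains are meant to fence off, and every container port -- published or
# not -- is reachable from any peer with a route to the bridge subnet (the
# ACCEPT policy lets that through anyway).  The usual fix is a FORWARD DROP
# policy with explicit accepts; it is left as is because the virbr0 section
# appears to rely on this ordering (docker0 -> guest traffic is accepted
# here, before the virbr0 REJECT rules would refuse it).
#
# The echo is quoted: unquoted, "[iptables]" is a glob.

# SSHGUARD
# iptables -N sshguard
# Politics
for fw in iptables ip6tables; do
	"${fw}" -P INPUT DROP
	"${fw}" -P FORWARD ACCEPT
	"${fw}" -P OUTPUT ACCEPT
done

# Unconditional forwarding for the default Docker bridge, v4 and v6.
for fw in iptables ip6tables; do
	"${fw}" -A FORWARD -i docker0 -j ACCEPT
	"${fw}" -A FORWARD -o docker0 -j ACCEPT
done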



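# sshguard hook (disabled).  If enabled, create the chain first and keep the
# jump ahead of the per-port ACCEPT rules below, otherwise it never sees the
# connection.
# iptables -N sshguard
# iptables -A INPUT -j sshguard
# iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard

# Section switches: exactly "1" enables, anything else skips.
RULE_DROP_BAD=1   # TCP-flag / ICMP / conntrack-INVALID sanity filtering
RULE_KERNEL=0     # sysctl tweaks (ip_forward, rp_filter) -- off by default

if [[ "${RULE_DROP_BAD}" == "1" ]]; then
	echo '[iptables] Drop bad packets'
	# A new TCP connection must open with a plain SYN.
	iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
	# Flag combinations ordinary stacks do not send (scanner / fingerprint
	# probes).  Some of these conntrack already classifies as INVALID, so
	# they overlap with the INVALID drop below; kept as an explicit list.
	# "ALL NONE" appeared twice in the original; once is enough.
	iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
	iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
	iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,PSH SYN,PSH -j DROP
	iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,URG SYN,URG -j DROP
	iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
	iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
	iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
	iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
	iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
	iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

	# ICMP types only good for reconnaissance (netmask and clock probing).
	iptables -A INPUT  -p icmp -m icmp --icmp-type address-mask-request -j DROP
	iptables -A INPUT  -p icmp -m icmp --icmp-type timestamp-request -j DROP
	iptables -A OUTPUT -p icmp -m icmp --icmp-type timestamp-reply -j DROP

	# Packets conntrack cannot tie to any connection.  Now applied to IPv6
	# too -- the ip6tables chains had no such rule.  ("-m conntrack" is the
	# current spelling of the legacy "-m state"; same behaviour.)
	for fw in iptables ip6tables; do
		"${fw}" -A INPUT   -m conntrack --ctstate INVALID -j DROP
		"${fw}" -A FORWARD -m conntrack --ctstate INVALID -j DROP
		"${fw}" -A OUTPUT  -m conntrack --ctstate INVALID -j DROP
	done

	# UDP port 0 is never a legitimate destination.
	iptables -A INPUT -p udp --dport 0 -j DROP
fi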


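if [[ "${RULE_KERNEL}" == "1" ]]; then
	echo '[iptables] Kernel settings'
	# Kernel settings (off by default, see RULE_KERNEL).  These are written
	# to the live kernel only; nothing here persists them in /etc/sysctl.d,
	# so they are gone after a reboot.
	#
	# ip_forward is set twice (via /proc and via sysctl) -- harmless, the two
	# lines do the same thing.  Forwarding is what turns the host into a
	# router for virbr0 and the Docker bridges; dockerd normally enables it
	# by itself.
	echo 1 > /proc/sys/net/ipv4/ip_forward
	# Strict reverse-path filtering on every interface (the glob includes
	# "all" and "default"): a packet whose source address would not be
	# routed back out the interface it arrived on is discarded, which is
	# basic anti-spoofing but breaks asymmetric routing -- use 2 (loose)
	# there.
	for rp in /proc/sys/net/ipv4/conf/*/rp_filter; do
		echo 1 > "${rp}"
	done
	sysctl net.ipv4.ip_forward=1
	sysctl net.ipv4.conf.default.rp_filter=1
	# ip_dynaddr: rewrite sockets bound to a dynamic (dial-up style) address
	# when the interface address changes; legacy, only matters with
	# dynamically assigned uplink addresses.
	sysctl net.ipv4.ip_dynaddr=1
fi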


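echo '[iptables] Allow'

# Ban list first.  A DROP placed after the ESTABLISHED accept (as it was)
# only stops *new* connections from these hosts; sessions they already hold
# keep flowing.  Listed before anything else so the ban is absolute.
## Ban list
iptables -A INPUT -s 81.95.137.135 -j DROP
iptables -A INPUT -s 95.213.163.163 -j DROP
iptables -A INPUT -s 138.201.136.42 -j DROP

# Loopback is matched on the interface, not on the source address.
# "-s 127.0.0.1" missed 127.0.0.53 (systemd-resolved) and the host's own
# external address when it talks to itself over lo, and a source-address
# match is something a crafted packet can satisfy (the kernel's martian
# filtering normally discards such packets, but "-i lo" does not depend on
# that).
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
# Replies to connections the host initiated, plus RELATED traffic such as
# ICMP errors and FTP data channels.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# IPv6 does not work behind an INPUT DROP policy without ICMPv6: neighbour
# discovery (NS/NA), router advertisements and packet-too-big all arrive as
# ICMPv6 and are not covered by the ESTABLISHED rule.  The original script
# had no such rule, so IPv6 on this host was effectively unusable.  All
# ICMPv6 is accepted here (which includes echo requests, like the v4 PING
# rule below); narrow it to types 1-4,128,133-137 if that is too broad.
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

# Allow only:
# PING
echo "- PING"
# Echo request in; echo reply out (the OUTPUT rule is redundant under the
# OUTPUT ACCEPT policy but documents intent).  No rate limit is applied;
# add "-m limit" if ICMP floods are a concern.
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS
echo "- DNS"
# Open on every interface to every source.  If the resolver here is
# recursive (dnsmasq/bind/unbound answering for the VMs), this makes it an
# open resolver usable for amplification; the virbr0-only port 53 rules in
# the libvirt section already cover the guests, so restrict this (-i / -s)
# to whatever really has to serve the public.
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# HTTP
echo "- HTTP"
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
echo "- HTTPS"
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# SSH
echo "- SSH"
# World-reachable with no connection-rate limit (sshguard is commented out
# above).  Key-only authentication in sshd, or an "-m recent"/hashlimit
# rule here, is what keeps brute forcing cheap to ignore.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# SQUID
echo "- SQUID"
# A proxy port open to all sources: Squid's own http_access ACLs are the
# only thing standing between this and an open proxy.  Limit the rule to
# trusted source networks (-s) as a second layer.
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT

# iptables -A INPUT -p tcp --dport 8084 -j ACCEPT

# Nothing is opened on IPv6: with INPUT DROP, none of the services above
# (SSH included) answer on an IPv6 address.  Add ip6tables rules here if
# that is not intended.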

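echo '[iptables] Router virbr0 to eth0'
# libvirt "default" network: NAT the 192.168.122.0/24 guests out through the
# host and serve them DNS/DHCP (dnsmasq) plus rpcbind/NFS/NTP from the host.
# The NAT, mangle and 53/67 rules mirror what libvirtd installs for that
# network; libvirtd re-adds its own copy when the network is (re)started,
# so duplicates are possible after this script has run.
vm_if="virbr0"
vm_net="192.168.122.0/24"

# Older, stricter variant kept for reference.
#iptables -I FORWARD -i virbr0 -d 192.168.122.0/24 -j DROP
#iptables -A FORWARD -i virbr0 -s 192.168.122.0/24 -j ACCEPT
#iptables -A FORWARD -i eth0 -d 192.168.122.0/24 -j ACCEPT

# NAT: leave multicast and limited broadcast alone, masquerade everything
# else leaving the guest subnet.  The tcp/udp rules pin the source-port
# range so NATed flows never land on privileged ports; the bare rule picks
# up the remaining protocols.
iptables -t nat -A POSTROUTING -s "${vm_net}" -d 224.0.0.0/24 -j RETURN
iptables -t nat -A POSTROUTING -s "${vm_net}" -d 255.255.255.255/32 -j RETURN
iptables -t nat -A POSTROUTING -s "${vm_net}" ! -d "${vm_net}" -p tcp -j MASQUERADE --to-ports 1024-65535
iptables -t nat -A POSTROUTING -s "${vm_net}" ! -d "${vm_net}" -p udp -j MASQUERADE --to-ports 1024-65535
iptables -t nat -A POSTROUTING -s "${vm_net}" ! -d "${vm_net}" -j MASQUERADE
# Fill in the UDP checksum of DHCP replies sent to guests (the rule libvirt
# adds so guests with checksum offload accept them).
iptables -t mangle -A POSTROUTING -o "${vm_if}" -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

# Host services reachable from the guest bridge only (-i virbr0).
# tcp/67 is harmless but unused -- DHCP is UDP.
for port in 53 67; do
	iptables -A INPUT -i "${vm_if}" -p udp -m udp --dport "${port}" -j ACCEPT
	iptables -A INPUT -i "${vm_if}" -p tcp -m tcp --dport "${port}" -j ACCEPT
done
# Guest <-> world forwarding: replies back in, anything out, guest-to-guest;
# everything else touching virbr0 is rejected.  These REJECTs sit before the
# Docker rules appended later, so br-* containers cannot reach the guests;
# docker0 can, because of the blanket docker0 ACCEPT at the top of FORWARD.
iptables -A FORWARD -d "${vm_net}" -o "${vm_if}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "${vm_net}" -i "${vm_if}" -j ACCEPT
iptables -A FORWARD -i "${vm_if}" -o "${vm_if}" -j ACCEPT
iptables -A FORWARD -o "${vm_if}" -j REJECT --reject-with icmp-port-unreachable
iptables -A FORWARD -i "${vm_if}" -j REJECT --reject-with icmp-port-unreachable
# DHCP replies from the host's dnsmasq to guests (client port 68); redundant
# under the OUTPUT ACCEPT policy.
iptables -A OUTPUT -o "${vm_if}" -p udp -m udp --dport 68 -j ACCEPT

# rpcbind (111), NFS (2049) and NTP (123) for the guests.  Exposing NFS and
# rpcbind to every guest means the guests are trusted: NFSv3 with AUTH_SYS
# believes the uid/gid the client sends.  tcp/123 is unused -- NTP is UDP.
for port in 111 2049 123; do
	iptables -A INPUT -i "${vm_if}" -p tcp --dport "${port}" -j ACCEPT
	iptables -A INPUT -i "${vm_if}" -p udp --dport "${port}" -j ACCEPT
done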

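echo '[iptables] Router docker to eth0'
# Discover the user-defined Docker networks (bridges named br-<id>) and the
# IPv4 address/prefix on each.  Taken from "ip -o -4 addr show" instead of
# ifconfig: ifconfig's output format changed between net-tools 1.x
# ("inet addr:A  Bcast:B  Mask:M") and 2.x ("inet A  netmask M  broadcast B");
# the old parse matched only the 1.x layout -- on 2.x it produced empty
# arrays and, silently, no MASQUERADE rule for any custom network -- and a
# bridge without an IPv4 address shifted the three arrays out of step.
# "ip -o" prints one interface+address per line, so they stay aligned.  As
# before, any interface whose name starts with "br-" counts as a Docker
# network.
#
# Array names are kept because the rules below index them:
#   bridges[i]    interface name, e.g. br-1a2b3c4d5e6f
#   networks[i]   its IPv4 address, e.g. 172.18.0.1
#   broadcasts[i] the prefix length, e.g. 16 (historically the dotted
#                 netmask; despite the name it never held the broadcast
#                 address)
# iptables accepts "172.18.0.1/16" and normalises it to the subnet.

# parse_bridge_addrs: read "ip -o -4 addr show" lines on stdin and append
# every br-* interface and its address/prefix to the three arrays above.
parse_bridge_addrs() {
	local _num iface _fam cidr _rest
	while read -r _num iface _fam cidr _rest; do
		[[ "${iface}" == br-* ]] || continue
		bridges+=("${iface}")
		networks+=("${cidr%/*}")
		broadcasts+=("${cidr#*/}")
	done
}

bridges=()
networks=()
broadcasts=()
parse_bridge_addrs < <(ip -o -4 addr show)

docker_iface="docker0"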

# Re-create the skeleton of the chains dockerd normally manages, for docker0
# plus every br-* network found above.  This is a static copy of dockerd's
# layout, not the live rule set: the flush at the top of the script removed
# the per-container DNAT/ACCEPT rules dockerd had put into the DOCKER
# chains, and nothing here puts them back, so published ports (-p) stay
# dark until dockerd is restarted.  Container-specific FORWARD policy
# belongs in DOCKER-USER, the chain dockerd creates but does not flush.
all_bridges=("${docker_iface}" "${bridges[@]}")

iptables -N DOCKER
iptables -t nat -N DOCKER
iptables -t filter -N DOCKER-USER
# iptables -t filter -F DOCKER
# iptables -t filter -X DOCKER
iptables -t filter -N DOCKER-ISOLATION-STAGE-1
iptables -t filter -N DOCKER-ISOLATION-STAGE-2
# iptables -t filter -F DOCKER-ISOLATION-STAGE-1
# iptables -t filter -X DOCKER-ISOLATION-STAGE-1
# iptables -t filter -F DOCKER-ISOLATION-STAGE-2
# iptables -t filter -X DOCKER-ISOLATION-STAGE-2

# nat: anything addressed to a local address goes through the DOCKER chain
# (where dockerd's port-publishing DNAT rules would live); container source
# addresses are masqueraded on the way out of their own bridge.  The docker0
# subnet is hard-coded to the default 172.17.0.0/16 (dockerd's "bip"); the
# br-* subnets come from the interface addresses found above.
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o "${docker_iface}" -j MASQUERADE
for i in "${!bridges[@]}"; do
	iptables -t nat -A POSTROUTING -s "${networks[$i]}/${broadcasts[$i]}" ! -o "${bridges[$i]}" -j MASQUERADE
done
# Traffic arriving from a bridge is not subject to the DNAT chain.
for br in "${all_bridges[@]}"; do
	iptables -t nat -A DOCKER -i "${br}" -j RETURN
done

# filter FORWARD: user hook, then inter-network isolation, then per bridge:
# accept replies, consult DOCKER for published ports, allow outbound and
# intra-bridge traffic.
iptables -A FORWARD -j DOCKER-USER
iptables -A FORWARD -j DOCKER-ISOLATION-STAGE-1
for br in "${all_bridges[@]}"; do
	iptables -A FORWARD -o "${br}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	iptables -A FORWARD -o "${br}" -j DOCKER
	iptables -A FORWARD -i "${br}" ! -o "${br}" -j ACCEPT
	iptables -A FORWARD -i "${br}" -o "${br}" -j ACCEPT
done

# Isolation: STAGE-1 picks out "from a Docker bridge, to somewhere else",
# STAGE-2 drops it when that somewhere else is another Docker bridge.  For
# docker0 this is moot in this script -- the blanket docker0 ACCEPT at the
# top of FORWARD matches first.
for br in "${all_bridges[@]}"; do
	iptables -A DOCKER-ISOLATION-STAGE-1 -i "${br}" ! -o "${br}" -j DOCKER-ISOLATION-STAGE-2
done
iptables -A DOCKER-ISOLATION-STAGE-1 -j RETURN
for br in "${all_bridges[@]}"; do
	iptables -A DOCKER-ISOLATION-STAGE-2 -o "${br}" -j DROP
done
iptables -A DOCKER-ISOLATION-STAGE-2 -j RETURN
# Empty user hook: container-specific DROP/ACCEPT rules go here.
iptables -A DOCKER-USER -j RETURN


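# Save Iptables
# Persist the rule set.  Nothing in this script restores it at boot; that
# takes "iptables-restore < /etc/iptables.rules" (and the ip6tables
# counterpart) from a boot-time unit or iptables-persistent.  The IPv6 rules
# were not saved before, so a restore would have brought back IPv4 filtering
# with IPv6 at its default ACCEPT policies; both families are written now.
echo '[iptables] Saving state'
iptables-save > /etc/iptables.rules
ip6tables-save > /etc/ip6tables.rules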


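#!/usr/bin/env bash
# Variant of iptables.sh without the Squid and libvirt (virbr0) sections:
# reset, default policies, anti-scan filtering, allowed services, Docker
# bridge NAT/isolation, then save.  IPv4 and IPv6.
#
# Phase 1: a clean, permissive starting point.  Policies go back to ACCEPT
# *before* the flush so the window between "old rules gone" and "new rules
# in place" cannot drop the SSH session running this script.  ip6tables is
# flushed as well now: the ip6tables -A rules appended further down were
# never flushed before and were added again on every run.
#
# Not touched: the raw and security tables.  The flush also wipes the rules
# dockerd installed for itself; see the Docker section for what is and is
# not re-created.
#
# Echo strings in this script should be quoted: an unquoted "[iptables]" is
# a glob that expands to any single-letter file (a, b, e, i, l, p, s, t) in
# the working directory.

echo '[iptables] Reset tables'

for fw in iptables ip6tables; do
	"${fw}" -P INPUT ACCEPT
	"${fw}" -P FORWARD ACCEPT
	"${fw}" -P OUTPUT ACCEPT
	"${fw}" -F
	"${fw}" -X
	"${fw}" -t nat -F
	"${fw}" -t nat -X
	"${fw}" -t mangle -F
	"${fw}" -t mangle -X
done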

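echo '[iptables] Politics'

# Default policies ("Politics" is the author's word for policies).  INPUT
# falls back to DROP, so only traffic matched by an ACCEPT rule further down
# reaches the host; FORWARD and OUTPUT stay ACCEPT, for IPv4 and IPv6 alike.
#
# NOTE(review): FORWARD ACCEPT together with the two docker0 rules appended
# right here puts "accept anything to or from docker0" at the head of the
# FORWARD chain, ahead of the DOCKER, DOCKER-USER and DOCKER-ISOLATION-STAGE-*
# chains the Docker section appends later.  Those chains never see docker0
# traffic: a container on docker0 reaches the br-* networks the isolation
# chains are meant to fence off, and every container port -- published or
# not -- is reachable from any peer with a route to the bridge subnet (the
# ACCEPT policy lets that through anyway).  Kept as is to preserve the
# script's behaviour; moving these two rules below the Docker section, or a
# FORWARD DROP policy with explicit accepts, is the change that makes the
# isolation chains effective.
#
# The echo is quoted: unquoted, "[iptables]" is a glob.

# SSHGUARD
# iptables -N sshguard
# Politics
for fw in iptables ip6tables; do
	"${fw}" -P INPUT DROP
	"${fw}" -P FORWARD ACCEPT
	"${fw}" -P OUTPUT ACCEPT
done

# Unconditional forwarding for the default Docker bridge, v4 and v6.
for fw in iptables ip6tables; do
	"${fw}" -A FORWARD -i docker0 -j ACCEPT
	"${fw}" -A FORWARD -o docker0 -j ACCEPT
done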



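# sshguard hook (disabled).  If enabled, create the chain first and keep the
# jump ahead of the per-port ACCEPT rules below, otherwise it never sees the
# connection.
# iptables -N sshguard
# iptables -A INPUT -j sshguard
# iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard

# Section switches: exactly "1" enables, anything else skips.
RULE_DROP_BAD=1   # TCP-flag / ICMP / conntrack-INVALID sanity filtering
RULE_KERNEL=0     # sysctl tweaks (ip_forward, rp_filter) -- off by default

if [[ "${RULE_DROP_BAD}" == "1" ]]; then
	echo '[iptables] Drop bad packets'
	# A new TCP connection must open with a plain SYN.
	iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
	# Flag combinations ordinary stacks do not send (scanner / fingerprint
	# probes).  Some of these conntrack already classifies as INVALID, so
	# they overlap with the INVALID drop below; kept as an explicit list.
	# "ALL NONE" appeared twice in the original; once is enough.
	iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
	iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
	iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,PSH SYN,PSH -j DROP
	iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,URG SYN,URG -j DROP
	iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
	iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
	iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
	iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
	iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
	iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

	# ICMP types only good for reconnaissance (netmask and clock probing).
	iptables -A INPUT  -p icmp -m icmp --icmp-type address-mask-request -j DROP
	iptables -A INPUT  -p icmp -m icmp --icmp-type timestamp-request -j DROP
	iptables -A OUTPUT -p icmp -m icmp --icmp-type timestamp-reply -j DROP

	# Packets conntrack cannot tie to any connection.  Now applied to IPv6
	# too -- the ip6tables chains had no such rule.  ("-m conntrack" is the
	# current spelling of the legacy "-m state"; same behaviour.)
	for fw in iptables ip6tables; do
		"${fw}" -A INPUT   -m conntrack --ctstate INVALID -j DROP
		"${fw}" -A FORWARD -m conntrack --ctstate INVALID -j DROP
		"${fw}" -A OUTPUT  -m conntrack --ctstate INVALID -j DROP
	done

	# UDP port 0 is never a legitimate destination.
	iptables -A INPUT -p udp --dport 0 -j DROP
fi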


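if [[ "${RULE_KERNEL}" == "1" ]]; then
	echo '[iptables] Kernel settings'
	# Kernel settings (off by default, see RULE_KERNEL).  These are written
	# to the live kernel only; nothing here persists them in /etc/sysctl.d,
	# so they are gone after a reboot.
	#
	# ip_forward is set twice (via /proc and via sysctl) -- harmless, the two
	# lines do the same thing.  Forwarding is what turns the host into a
	# router for the Docker bridges; dockerd normally enables it by itself.
	echo 1 > /proc/sys/net/ipv4/ip_forward
	# Strict reverse-path filtering on every interface (the glob includes
	# "all" and "default"): a packet whose source address would not be
	# routed back out the interface it arrived on is discarded, which is
	# basic anti-spoofing but breaks asymmetric routing -- use 2 (loose)
	# there.
	for rp in /proc/sys/net/ipv4/conf/*/rp_filter; do
		echo 1 > "${rp}"
	done
	sysctl net.ipv4.ip_forward=1
	sysctl net.ipv4.conf.default.rp_filter=1
	# ip_dynaddr: rewrite sockets bound to a dynamic (dial-up style) address
	# when the interface address changes; legacy, only matters with
	# dynamically assigned uplink addresses.
	sysctl net.ipv4.ip_dynaddr=1
fi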


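echo '[iptables] Allow'

# Ban list first.  A DROP placed after the ESTABLISHED accept (as it was)
# only stops *new* connections from these hosts; sessions they already hold
# keep flowing.  Listed before anything else so the ban is absolute.
## Ban list
iptables -A INPUT -s 81.95.137.135 -j DROP
iptables -A INPUT -s 95.213.163.163 -j DROP
iptables -A INPUT -s 138.201.136.42 -j DROP

# Loopback is matched on the interface, not on the source address.
# "-s 127.0.0.1" missed 127.0.0.53 (systemd-resolved) and the host's own
# external address when it talks to itself over lo, and a source-address
# match is something a crafted packet can satisfy (the kernel's martian
# filtering normally discards such packets, but "-i lo" does not depend on
# that).
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
# Replies to connections the host initiated, plus RELATED traffic such as
# ICMP errors and FTP data channels.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# IPv6 does not work behind an INPUT DROP policy without ICMPv6: neighbour
# discovery (NS/NA), router advertisements and packet-too-big all arrive as
# ICMPv6 and are not covered by the ESTABLISHED rule.  The original script
# had no such rule, so IPv6 on this host was effectively unusable.  All
# ICMPv6 is accepted here (which includes echo requests, like the v4 PING
# rule below); narrow it to types 1-4,128,133-137 if that is too broad.
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

# Allow only:
# PING
echo "- PING"
# Echo request in; echo reply out (the OUTPUT rule is redundant under the
# OUTPUT ACCEPT policy but documents intent).  No rate limit is applied;
# add "-m limit" if ICMP floods are a concern.
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS
echo "- DNS"
# Open on every interface to every source.  If the resolver here is
# recursive (dnsmasq/bind/unbound), this makes it an open resolver usable
# for amplification; restrict it (-i / -s) to whatever really has to be
# served.
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# HTTP
echo "- HTTP"
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
echo "- HTTPS"
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# SSH
echo "- SSH"
# World-reachable with no connection-rate limit (sshguard is commented out
# above).  Key-only authentication in sshd, or an "-m recent"/hashlimit
# rule here, is what keeps brute forcing cheap to ignore.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Nothing is opened on IPv6: with INPUT DROP, none of the services above
# (SSH included) answer on an IPv6 address.  Add ip6tables rules here if
# that is not intended.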

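echo '[iptables] Router docker to eth0'
# Discover the user-defined Docker networks (bridges named br-<id>) and the
# IPv4 address/prefix on each.  Taken from "ip -o -4 addr show" instead of
# ifconfig.  The old parse of net-tools 2.x output ("inet A  netmask M
# broadcast B") took field 6 -- the *broadcast* address -- where the netmask
# (field 4) was meant, so the MASQUERADE rule below was built as e.g.
# 172.18.0.1/172.18.255.255: either rejected by iptables or installed with a
# non-contiguous mask that matches almost no container address.  Either
# way, containers on custom networks got no NAT from this script.  It also
# broke on the 1.x layout and fell out of step when a bridge had no IPv4
# address; "ip -o" prints one interface+address per line, so the arrays
# stay aligned.  As before, any interface whose name starts with "br-"
# counts as a Docker network.
#
# Array names are kept because the rules below index them:
#   bridges[i]    interface name, e.g. br-1a2b3c4d5e6f
#   networks[i]   its IPv4 address, e.g. 172.18.0.1
#   broadcasts[i] the prefix length, e.g. 16 (the name is historical; it is
#                 the mask, never the broadcast address)
# iptables accepts "172.18.0.1/16" and normalises it to the subnet.

# parse_bridge_addrs: read "ip -o -4 addr show" lines on stdin and append
# every br-* interface and its address/prefix to the three arrays above.
parse_bridge_addrs() {
	local _num iface _fam cidr _rest
	while read -r _num iface _fam cidr _rest; do
		[[ "${iface}" == br-* ]] || continue
		bridges+=("${iface}")
		networks+=("${cidr%/*}")
		broadcasts+=("${cidr#*/}")
	done
}

bridges=()
networks=()
broadcasts=()
parse_bridge_addrs < <(ip -o -4 addr show)

docker_iface="docker0"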

# Re-create the skeleton of the chains dockerd normally manages, for docker0
# plus every br-* network found above.  This is a static copy of dockerd's
# layout, not the live rule set: the flush at the top of the script removed
# the per-container DNAT/ACCEPT rules dockerd had put into the DOCKER
# chains, and nothing here puts them back, so published ports (-p) stay
# dark until dockerd is restarted.  Container-specific FORWARD policy
# belongs in DOCKER-USER, the chain dockerd creates but does not flush.
all_bridges=("${docker_iface}" "${bridges[@]}")

iptables -N DOCKER
iptables -t nat -N DOCKER
iptables -t filter -N DOCKER-USER
# iptables -t filter -F DOCKER
# iptables -t filter -X DOCKER
iptables -t filter -N DOCKER-ISOLATION-STAGE-1
iptables -t filter -N DOCKER-ISOLATION-STAGE-2
# iptables -t filter -F DOCKER-ISOLATION-STAGE-1
# iptables -t filter -X DOCKER-ISOLATION-STAGE-1
# iptables -t filter -F DOCKER-ISOLATION-STAGE-2
# iptables -t filter -X DOCKER-ISOLATION-STAGE-2

# nat: anything addressed to a local address goes through the DOCKER chain
# (where dockerd's port-publishing DNAT rules would live); container source
# addresses are masqueraded on the way out of their own bridge.  The docker0
# subnet is hard-coded to the default 172.17.0.0/16 (dockerd's "bip"); the
# br-* subnets come from the interface addresses found above.
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o "${docker_iface}" -j MASQUERADE
for i in "${!bridges[@]}"; do
	iptables -t nat -A POSTROUTING -s "${networks[$i]}/${broadcasts[$i]}" ! -o "${bridges[$i]}" -j MASQUERADE
done
# Traffic arriving from a bridge is not subject to the DNAT chain.
for br in "${all_bridges[@]}"; do
	iptables -t nat -A DOCKER -i "${br}" -j RETURN
done

# filter FORWARD: user hook, then inter-network isolation, then per bridge:
# accept replies, consult DOCKER for published ports, allow outbound and
# intra-bridge traffic.
iptables -A FORWARD -j DOCKER-USER
iptables -A FORWARD -j DOCKER-ISOLATION-STAGE-1
for br in "${all_bridges[@]}"; do
	iptables -A FORWARD -o "${br}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	iptables -A FORWARD -o "${br}" -j DOCKER
	iptables -A FORWARD -i "${br}" ! -o "${br}" -j ACCEPT
	iptables -A FORWARD -i "${br}" -o "${br}" -j ACCEPT
done

# Isolation: STAGE-1 picks out "from a Docker bridge, to somewhere else",
# STAGE-2 drops it when that somewhere else is another Docker bridge.  For
# docker0 this is moot in this script -- the blanket docker0 ACCEPT at the
# top of FORWARD matches first.
for br in "${all_bridges[@]}"; do
	iptables -A DOCKER-ISOLATION-STAGE-1 -i "${br}" ! -o "${br}" -j DOCKER-ISOLATION-STAGE-2
done
iptables -A DOCKER-ISOLATION-STAGE-1 -j RETURN
for br in "${all_bridges[@]}"; do
	iptables -A DOCKER-ISOLATION-STAGE-2 -o "${br}" -j DROP
done
iptables -A DOCKER-ISOLATION-STAGE-2 -j RETURN
# Empty user hook: container-specific DROP/ACCEPT rules go here.
iptables -A DOCKER-USER -j RETURN


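# Save Iptables
# Persist the rule set.  Nothing in this script restores it at boot; that
# takes "iptables-restore < /etc/iptables.rules" (and the ip6tables
# counterpart) from a boot-time unit or iptables-persistent.  The IPv6 rules
# were not saved before, so a restore would have brought back IPv4 filtering
# with IPv6 at its default ACCEPT policies; both families are written now.
echo '[iptables] Saving state'
iptables-save > /etc/iptables.rules
ip6tables-save > /etc/ip6tables.rules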