This article presents an example configuration that blocks access from China, South Korea and North Korea, restricts access to important ports such as SSH to Japan only, and still serves a website to both Japan and the rest of the world. Countermeasures against various attacks, implemented as firewall functions, are built in.
Just running this script raises the difficulty of breaking into the server considerably. Please use it to help reduce the number of bot servers in Japan.
The latest version is published on GitHub.
falsandtru/iptables-firewall · GitHub
A substantially improved new version has been released, so please use that one. Because its design has been overhauled, the contents of this page are not compatible with the latest version.
The script implements firewall functionality on top of iptables.
Configuration
- Deny access from specified foreign countries
- Allow access to the HTTP port from every country except the specified ones (HTTP is the only port reachable from overseas)
- Allow access to specific ports from Japan only
- Defend the server against attacks
Country filter features
- Automatically updates the IP address lists
- Countries to deny globally can be configured
- Countries allowed to reach specific ports can be restricted separately
Firewall features
- Brute-force attack protection
- Ping of Death protection
- DoS attack protection (TCP, UDP and ICMP)
- Spoofing protection
- Ingress filtering
- Port scan protection
- Stealth scan protection
- Port scan trap
- Blocks broadcast traffic
- Blocks multicast traffic
- Blocks fragmented packets
- Blocks NetBIOS traffic
- Prevents excessive logging
Because the defensive functions are modularized as separate chains, they can be freely recombined.
The port scan trap can also track and block port scans carried out at long intervals of an hour or more.
Blacklist / whitelist
- Blacklist: deny access from the listed IP addresses
- Whitelist: exempt the listed IP addresses from the blacklist and from the country-based restrictions
Strict mode
- Deny access from every IP address that is not on the whitelist
IDS/IPS integration
Other
$ sudo sh /var/iptables/rule.sh
iptables firewall
UPDATE: NO
NAMESERVER: XX.XX.XX.XX
NTPSERVER: XX.XX.XX.XX
FIREWALL: ANTI_SPY ACCEPT_FILTER
FIREWALL: DENY_BROADCAST INPUT
FIREWALL: DENY_BROADCAST FORWARD
FIREWALL: ANTI_INGRESS FORWARD
FIREWALL: ANTI_SPOOFING ACCEPT_FILTER
FIREWALL: DENY_NETBIOS ACCEPT_FILTER
FIREWALL: DENY_FRAGMENT ACCEPT_FILTER
FIREWALL: ANTI_STEALTHSCAN ACCEPT_FILTER
FIREWALL: ANTI_PINGDEATH ACCEPT_FILTER
FIREWALL: ANTI_SYNFLOOD ACCEPT_FILTER[TCP:80]
FIREWALL: ANTI_SYNFLOOD_SSL ACCEPT_FILTER[TCP:443]
FIREWALL: ANTI_UDPFLOOD ACCEPT_FILTER[UDP]
FIREWALL: ANTI_ICMPFLOOD ACCEPT_FILTER[ICMP]
FIREWALL: ANTI_BRUTEFORCE ACCEPT_FILTER[TCP]
IDS/IPS: DISABLE
REUSE: Chain COUNTRY_FILTER
REUSE: Chain DROP_FILTER
OPEN: HTTP[TCP:80]
OPEN: HTTPS[TCP:443]
FIREWALL: TRAP_PORTSCAN INPUT[TCP/UDP/ICMP]
FIREWALL: TRAP_PORTSCAN FORWARD[TCP/UDP/ICMP]
iptables: ファイアウォールのルールを /etc/sysconfig/iptable[ OK ]中:
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.eth1.accept_source_route = 0
net.ipv4.conf.eth2.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
complete
$ sudo vi /etc/sysconfig/iptables
...
TRAP_PORTSCAN - [0:0]
-A INPUT -i lo -j ACCEPT_FILTER
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT_FILTER
-A INPUT -s XX.XX.XX.XX/32 -p udp -m udp --dport 53 -j ACCEPT_FILTER
-A INPUT -s XX.XX.XX.XX/32 -p udp -m udp --dport 123 -j ACCEPT_FILTER
-A INPUT -j DROP_FILTER
-A INPUT -j FW_BROADCAST
-A INPUT -p icmp -m icmp --icmp-type 3 -j COUNTRY_FILTER
-A INPUT -p icmp -m icmp --icmp-type 4 -j COUNTRY_FILTER
-A INPUT -p icmp -m icmp --icmp-type 5 -j COUNTRY_FILTER
-A INPUT -p icmp -m icmp --icmp-type 11 -j COUNTRY_FILTER
-A INPUT -p icmp -m icmp --icmp-type 12 -j COUNTRY_FILTER
-A INPUT -p tcp -m multiport --dports 22 -j COUNTRY_FILTER
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT_FILTER
-A INPUT -p tcp -m tcp --dport 443 -j COUNTRY_FILTER
-A INPUT -j FW_PORTSCAN
-A FORWARD -i lo -j ACCEPT_FILTER
-A FORWARD -o lo -j ACCEPT_FILTER
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT_FILTER
-A FORWARD -s XX.XX.XX.XX/32 -p udp -m udp --dport 53 -j ACCEPT_FILTER
-A FORWARD -d XX.XX.XX.XX/32 -p udp -m udp --sport 53 -j ACCEPT_FILTER
-A FORWARD -s XX.XX.XX.XX/32 -p udp -m udp --dport 123 -j ACCEPT_FILTER
-A FORWARD -d XX.XX.XX.XX/32 -p udp -m udp --sport 123 -j ACCEPT_FILTER
-A FORWARD -j DROP_FILTER
-A FORWARD -j FW_BROADCAST
-A FORWARD -j FW_INGRESS
-A FORWARD -j FW_PORTSCAN
-A OUTPUT -o lo -j ACCEPT_FILTER
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT_FILTER
-A OUTPUT -d XX.XX.XX.XX/32 -p udp -m udp --sport 53 -j ACCEPT_FILTER
-A OUTPUT -d XX.XX.XX.XX/32 -p udp -m udp --sport 123 -j ACCEPT_FILTER
-A OUTPUT -j DROP_FILTER
-A ACCEPT_FILTER -j FW_SPY
-A ACCEPT_FILTER -j FW_SPOOFING
-A ACCEPT_FILTER -j FW_NETBIOS
-A ACCEPT_FILTER -j FW_FRAGMENT
-A ACCEPT_FILTER -j FW_STEALTHSCAN
-A ACCEPT_FILTER -j FW_PINGDEATH
-A ACCEPT_FILTER -j FW_SYNFLOOD
-A ACCEPT_FILTER -j FW_SYNFLOOD_SSL
-A ACCEPT_FILTER -j FW_UDPFLOOD
-A ACCEPT_FILTER -j FW_ICMPFLOOD
-A ACCEPT_FILTER -j FW_BRUTEFORCE
-A ACCEPT_FILTER -j ACCEPT
...
Installation steps
$ sudo mkdir /var/cache/iptables
$ sudo touch /etc/cron.daily/iptables
$ sudo chmod 700 /etc/cron.daily/iptables
$ sudo vi /etc/cron.daily/iptables
$ sudo sh /etc/cron.daily/iptables
/etc/cron.daily/iptables
#!/bin/bash
# LOGIN=0 means: read the SSH port from sshd_config (see below)
LOGIN=0
INTERVAL=7
LAN=eth0
IPS=
ACCEPT_COUNTRY_CODE="JP"
DROP_COUNTRY_CODE="CN|HK|MO|KR|KP"
BLACKLIST=
WHITELIST=
STRICT=false
LOG_LIMIT=6/m
LOG_LIMIT_BURST=10
IPTABLES=iptables
CACHE_DIR=/var/cache/iptables/
echo "iptables firewall"
[[ ! $LOGIN -gt 0 ]] && LOGIN=`cat /etc/ssh/sshd_config | grep '^Port ' | tail -n 1 | sed -e 's/^[^0-9]*\([0-9]\+\).*$/\1/'`
# Fall back to the default SSH port when sshd_config has no uncommented "Port" line;
# otherwise the --dports arguments below would be empty and new SSH connections would be dropped
[[ $LOGIN -gt 0 ]] || LOGIN=22
echo "LOGIN: $LOGIN"
if [ ! $IPS ] || [ $IPS != false ]; then
if [ `ps alx | grep -v grep | grep /snort | head -n 1 | cut -c1` ]; then
IPS=Snort
else
IPS=false
fi
fi
# Derive the local network (address/mask) of the LAN interface; used by the ingress filter
LOCALNET_MASK=`ifconfig $LAN|sed -e 's/^.*Mask:\([^ ]*\)$/\1/p' -e d`
LOCALNET_ADDR=`netstat -rn|grep $LAN|grep $LOCALNET_MASK|cut -f1 -d' '`
LOCALNET=$LOCALNET_ADDR/$LOCALNET_MASK
NAMESERVERS=($(grep '^nameserver' /etc/resolv.conf | cut -d' ' -f2))
NTPSERVERS=($(grep '^server' /etc/ntp.conf | cut -d' ' -f2 | awk '{system("dig +short "$1)}'))
WGET="/usr/bin/wget -N --retr-symlinks -P ${CACHE_DIR}"
if [ $STRICT = true ] || [[ $(find ${CACHE_DIR} -name 'delegated-*-extended-latest' -ctime -$INTERVAL 2>&1) ]]; then
UPDATE=0
echo "UPDATE: NO"
else
UPDATE=1
echo "UPDATE: YES"
$WGET ftp://ftp.arin.net/pub/stats/arin/delegated-arin-extended-latest
$WGET ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-extended-latest
$WGET ftp://ftp.apnic.net/pub/stats/apnic/delegated-apnic-extended-latest
$WGET ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-extended-latest
$WGET ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-extended-latest
fi
if [ 0 -ne $UPDATE ] && [[ $(find ${CACHE_DIR} -name 'delegated-*-extended-latest' -mtime -$INTERVAL 2>&1) ]]; then
RESET=1
else
RESET=0
fi
$IPTABLES -D DROP_FILTER -g WHITELIST 2>/dev/null
for CHAIN in `$IPTABLES -nL | grep ^Chain | cut -d " " -f 2`; do
if [ $RESET -ne 0 ]; then
echo "DELETE: All Chains"
$IPTABLES -F
$IPTABLES -X
break
fi
if [ $CHAIN != COUNTRY_FILTER ] && [ $CHAIN != DROP_FILTER ]; then
$IPTABLES -F $CHAIN
fi
done
for CHAIN in `$IPTABLES -nL | grep ^Chain | cut -d " " -f 2`; do
if [ $RESET -ne 0 ]; then
break
fi
if [ $CHAIN != COUNTRY_FILTER ] && [ $CHAIN != DROP_FILTER ] && [ $CHAIN != ACCEPT_FILTER ]; then
if [ $CHAIN != INPUT ] && [ $CHAIN != FORWARD ] && [ $CHAIN != OUTPUT ]; then
$IPTABLES -X $CHAIN
fi
fi
done
$IPTABLES -Z
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -N ACCEPT_FILTER 2>/dev/null
$IPTABLES -A ACCEPT_FILTER -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT_FILTER
$IPTABLES -A OUTPUT -o lo -j ACCEPT_FILTER
$IPTABLES -A FORWARD -i lo -j ACCEPT_FILTER
$IPTABLES -A FORWARD -o lo -j ACCEPT_FILTER
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT_FILTER
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT_FILTER
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT_FILTER
for nameserver in ${NAMESERVERS[@]}; do
$IPTABLES -A INPUT -s $nameserver -p udp --dport 53 -j ACCEPT_FILTER
$IPTABLES -A OUTPUT -d $nameserver -p udp --sport 53 -j ACCEPT_FILTER
$IPTABLES -A FORWARD -s $nameserver -p udp --dport 53 -j ACCEPT_FILTER
$IPTABLES -A FORWARD -d $nameserver -p udp --sport 53 -j ACCEPT_FILTER
echo "NAMESERVER: $nameserver"
done
for ntpserver in ${NTPSERVERS[@]}; do
$IPTABLES -A INPUT -s $ntpserver -p udp --dport 123 -j ACCEPT_FILTER
$IPTABLES -A OUTPUT -d $ntpserver -p udp --sport 123 -j ACCEPT_FILTER
$IPTABLES -A FORWARD -s $ntpserver -p udp --dport 123 -j ACCEPT_FILTER
$IPTABLES -A FORWARD -d $ntpserver -p udp --sport 123 -j ACCEPT_FILTER
echo "NTPSERVER: $ntpserver"
done
BUILD_COUNTRY(){
if [ ! -s $CACHE_DIR$1 ] || [ ! $2 ] || [ ! $3 ];then return;fi
echo "LOAD: $1"
for line in `cat $CACHE_DIR$1 | grep -E "\|($2|$3)\|ipv4\|"`
do
CODE=`echo $line | cut -d "|" -f 2`
ADDR=`echo $line | cut -d "|" -f 4`
TEMP=`echo $line | cut -d "|" -f 5`
# Convert the host count (field 5) to a prefix length by repeated halving; this assumes the count is a power of two
CIDR=32
while [ $TEMP -ne 1 ]; do
TEMP=`expr "$TEMP" / 2`
CIDR=`expr "$CIDR" - 1`
done
if [ `echo $line | grep -E "\|($3)\|ipv4\|"` ]; then
$IPTABLES -A COUNTRY_FILTER -s $ADDR/$CIDR -j ACCEPT_FILTER
printf "%-10s%-4s%-20s%s\n" ACCEPT $CODE $ADDR/$CIDR $line
else
$IPTABLES -A DROP_FILTER -s $ADDR/$CIDR -j DROP
printf "%-10s%-4s%-20s%s\n" DROP $CODE $ADDR/$CIDR $line
fi
done
}
if [ $STRICT != true ]; then
# Rebuild the country chains after a reset or when either chain is empty (iptables -nL prints two header lines);
# -gt is required here because > inside [[ ]] is a string comparison
if [ $RESET -ne 0 ] || [[ 3 -gt $($IPTABLES -nL COUNTRY_FILTER 2>/dev/null | awk 'END{print NR}') ]] || [[ 3 -gt $($IPTABLES -nL DROP_FILTER 2>/dev/null | awk 'END{print NR}') ]]; then
echo "BUILD: Chain COUNTRY_FILTER"
echo "BUILD: Chain DROP_FILTER"
$IPTABLES -F COUNTRY_FILTER 2>/dev/null
$IPTABLES -X COUNTRY_FILTER 2>/dev/null
$IPTABLES -N COUNTRY_FILTER 2>/dev/null
$IPTABLES -F DROP_FILTER 2>/dev/null
$IPTABLES -X DROP_FILTER 2>/dev/null
$IPTABLES -N DROP_FILTER 2>/dev/null
BUILD_COUNTRY "delegated-apnic-extended-latest" $DROP_COUNTRY_CODE $ACCEPT_COUNTRY_CODE
BUILD_COUNTRY "delegated-arin-extended-latest" $DROP_COUNTRY_CODE $ACCEPT_COUNTRY_CODE
BUILD_COUNTRY "delegated-ripencc-extended-latest" $DROP_COUNTRY_CODE $ACCEPT_COUNTRY_CODE
BUILD_COUNTRY "delegated-lacnic-extended-latest" $DROP_COUNTRY_CODE $ACCEPT_COUNTRY_CODE
BUILD_COUNTRY "delegated-afrinic-extended-latest" $DROP_COUNTRY_CODE $ACCEPT_COUNTRY_CODE
$IPTABLES -A COUNTRY_FILTER -j DROP
else
echo "REUSE: Chain COUNTRY_FILTER"
echo "REUSE: Chain DROP_FILTER"
fi
$IPTABLES -A INPUT -j DROP_FILTER
$IPTABLES -A OUTPUT -j DROP_FILTER
$IPTABLES -A FORWARD -j DROP_FILTER
else
$IPTABLES -N COUNTRY_FILTER 2>/dev/null
$IPTABLES -N DROP_FILTER 2>/dev/null
$IPTABLES -A COUNTRY_FILTER -j ACCEPT_FILTER
fi
sed -i '/net.ipv4.conf.*.rp_filter/d' /etc/sysctl.conf
for dev in `ls /proc/sys/net/ipv4/conf/`
do
sysctl -w net.ipv4.conf.$dev.rp_filter=1 > /dev/null
echo "net.ipv4.conf.$dev.rp_filter=1" >> /etc/sysctl.conf
done
sed -i '/net.ipv4.conf.*.accept_redirects/d' /etc/sysctl.conf
for dev in `ls /proc/sys/net/ipv4/conf/`
do
sysctl -w net.ipv4.conf.$dev.accept_redirects=0 > /dev/null
echo "net.ipv4.conf.$dev.accept_redirects=0" >> /etc/sysctl.conf
done
sed -i '/net.ipv4.conf.*.accept_source_route/d' /etc/sysctl.conf
for dev in `ls /proc/sys/net/ipv4/conf/`
do
sysctl -w net.ipv4.conf.$dev.accept_source_route=0 > /dev/null
echo "net.ipv4.conf.$dev.accept_source_route=0" >> /etc/sysctl.conf
done
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 > /dev/null
sed -i '/net.ipv4.icmp_echo_ignore_broadcasts/d' /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf
sysctl -w net.ipv4.tcp_syncookies=1 > /dev/null
sed -i '/net.ipv4.tcp_syncookies/d' /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
sysctl -w net.ipv4.tcp_timestamps=1 > /dev/null
sed -i '/net.ipv4.tcp_timestamps/d' /etc/sysctl.conf
echo "net.ipv4.tcp_timestamps=1" >> /etc/sysctl.conf
$IPTABLES -N ANTI_SPY
$IPTABLES -A ANTI_SPY -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES SPY] : '
$IPTABLES -A ANTI_SPY -j DROP
$IPTABLES -N FW_SPY
$IPTABLES -A FW_SPY -p tcp --dport 0:1023 -j RETURN
$IPTABLES -A FW_SPY -p tcp -m state --state ESTABLISHED,RELATED -j RETURN
$IPTABLES -A FW_SPY -m limit --limit 1000/s --limit-burst 10000 -m recent --name spy-rapid --update --rttl -j ANTI_SPY
$IPTABLES -A FW_SPY -m limit --limit 1000/s --limit-burst 10000 -m recent --name spy-fast --update --rttl -j ANTI_SPY
$IPTABLES -A FW_SPY -m limit --limit 1000/s --limit-burst 10000 -m recent --name spy-medium --update --rttl -j ANTI_SPY
$IPTABLES -A FW_SPY -m limit --limit 1000/s --limit-burst 10000 -m recent --name spy-slow --update --rttl -j ANTI_SPY
$IPTABLES -A ACCEPT_FILTER -j FW_SPY && echo "FIREWALL: ANTI_SPY ACCEPT_FILTER"
$IPTABLES -N ANTI_PROWLER_RAPID
$IPTABLES -A ANTI_PROWLER_RAPID -m recent --name spy-rapid --update --rttl -j DROP
$IPTABLES -A ANTI_PROWLER_RAPID -m recent --name spy-rapid --set -j DROP
$IPTABLES -N ANTI_PROWLER_FAST
$IPTABLES -A ANTI_PROWLER_FAST -m recent --name spy-fast --update --rttl -j DROP
$IPTABLES -A ANTI_PROWLER_FAST -m recent --name spy-fast --set -j DROP
$IPTABLES -N ANTI_PROWLER_MEDIUM
$IPTABLES -A ANTI_PROWLER_MEDIUM -m recent --name spy-medium --update --rttl -j DROP
$IPTABLES -A ANTI_PROWLER_MEDIUM -m recent --name spy-medium --set -j DROP
$IPTABLES -N ANTI_PROWLER_SLOW
$IPTABLES -A ANTI_PROWLER_SLOW -m recent --name spy-slow --update --rttl -j DROP
$IPTABLES -A ANTI_PROWLER_SLOW -m recent --name spy-slow --set -j DROP
$IPTABLES -N FW_PROWLER
$IPTABLES -A FW_PROWLER \
-m hashlimit \
--hashlimit-name prowler-limit \
--hashlimit-above 1/s \
--hashlimit-burst 1 \
--hashlimit-mode srcip \
--hashlimit-htable-expire 800 \
-j DROP
$IPTABLES -N FW_PROWLER_LIMIT
$IPTABLES -A FW_PROWLER_LIMIT -m limit --limit 1000/s --limit-burst 10000 -j RETURN
$IPTABLES -A FW_PROWLER_LIMIT -j DROP
$IPTABLES -A FW_PROWLER -j FW_PROWLER_LIMIT
$IPTABLES -A FW_PROWLER \
-m hashlimit \
--hashlimit-name prowler-rapid \
--hashlimit-above 1/s \
--hashlimit-burst 1 \
--hashlimit-mode srcip \
--hashlimit-htable-expire 1000 \
-j ANTI_PROWLER_RAPID
$IPTABLES -A FW_PROWLER -m recent --name spy-rapid --set
$IPTABLES -A FW_PROWLER \
-m hashlimit \
--hashlimit-name prowler-fast \
--hashlimit-above 1/h \
--hashlimit-burst 1 \
--hashlimit-mode srcip \
--hashlimit-htable-expire 100000 \
-j ANTI_PROWLER_FAST
$IPTABLES -A FW_PROWLER -m recent --name spy-fast --set
$IPTABLES -A FW_PROWLER \
-m hashlimit \
--hashlimit-name prowler-medium \
--hashlimit-above 1/h \
--hashlimit-burst 1 \
--hashlimit-mode srcip \
--hashlimit-htable-expire 1000000 \
-j ANTI_PROWLER_MEDIUM
$IPTABLES -A FW_PROWLER -m recent --name spy-medium --set
$IPTABLES -A FW_PROWLER \
-m hashlimit \
--hashlimit-name prowler-slow \
--hashlimit-above 1/d \
--hashlimit-burst 1 \
--hashlimit-mode srcip \
--hashlimit-htable-expire 10000000 \
-j ANTI_PROWLER_SLOW
$IPTABLES -A FW_PROWLER -m recent --name spy-slow --set
$IPTABLES -A FW_PROWLER -j DROP
$IPTABLES -N DENY_BROADCAST
$IPTABLES -A DENY_BROADCAST -j DROP
$IPTABLES -N FW_BROADCAST
$IPTABLES -A FW_BROADCAST -m pkttype --pkt-type broadcast -j DENY_BROADCAST
$IPTABLES -A FW_BROADCAST -m pkttype --pkt-type multicast -j DENY_BROADCAST
$IPTABLES -A INPUT -j FW_BROADCAST && echo "FIREWALL: DENY_BROADCAST INPUT"
$IPTABLES -A FORWARD -j FW_BROADCAST && echo "FIREWALL: DENY_BROADCAST FORWARD"
$IPTABLES -N ANTI_INGRESS
$IPTABLES -A ANTI_INGRESS -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES INGRESS] : '
$IPTABLES -A ANTI_INGRESS -j FW_PROWLER
$IPTABLES -A ANTI_INGRESS -j DROP
$IPTABLES -N FW_INGRESS
$IPTABLES -A FW_INGRESS -i $LAN ! -s $LOCALNET -j ANTI_INGRESS
$IPTABLES -A FORWARD -j FW_INGRESS && echo "FIREWALL: ANTI_INGRESS FORWARD"
$IPTABLES -N ANTI_SPOOFING
$IPTABLES -A ANTI_SPOOFING -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES SPOOFING] : '
$IPTABLES -A ANTI_SPOOFING -j FW_PROWLER
$IPTABLES -A ANTI_SPOOFING -j DROP
$IPTABLES -N FW_SPOOFING
$IPTABLES -A FW_SPOOFING -i eth+ -s 127.0.0.0/8 -j ANTI_SPOOFING
$IPTABLES -A FW_SPOOFING -i eth+ -s 10.0.0.0/8 -j ANTI_SPOOFING
$IPTABLES -A FW_SPOOFING -i eth+ -s 172.16.0.0/12 -j ANTI_SPOOFING
$IPTABLES -A FW_SPOOFING -i eth+ -s 192.168.0.0/16 -j ANTI_SPOOFING
$IPTABLES -A FW_SPOOFING -i ppp+ -s 127.0.0.0/8 -j ANTI_SPOOFING
$IPTABLES -A FW_SPOOFING -i ppp+ -s 10.0.0.0/8 -j ANTI_SPOOFING
$IPTABLES -A FW_SPOOFING -i ppp+ -s 172.16.0.0/12 -j ANTI_SPOOFING
$IPTABLES -A FW_SPOOFING -i ppp+ -s 192.168.0.0/16 -j ANTI_SPOOFING
$IPTABLES -A ACCEPT_FILTER -j FW_SPOOFING && echo "FIREWALL: ANTI_SPOOFING ACCEPT_FILTER"
$IPTABLES -N DENY_NETBIOS
$IPTABLES -A DENY_NETBIOS -j FW_PROWLER
$IPTABLES -A DENY_NETBIOS -j DROP
$IPTABLES -N FW_NETBIOS
$IPTABLES -A FW_NETBIOS -i eth+ -p tcp -m multiport --dports 135,137,138,139,445 -j DENY_NETBIOS
$IPTABLES -A FW_NETBIOS -i eth+ -p udp -m multiport --dports 135,137,138,139,445 -j DENY_NETBIOS
$IPTABLES -A FW_NETBIOS -o eth+ -p tcp -m multiport --sports 135,137,138,139,445 -j DENY_NETBIOS
$IPTABLES -A FW_NETBIOS -o eth+ -p udp -m multiport --sports 135,137,138,139,445 -j DENY_NETBIOS
$IPTABLES -A FW_NETBIOS -i ppp+ -p tcp -m multiport --dports 135,137,138,139,445 -j DENY_NETBIOS
$IPTABLES -A FW_NETBIOS -i ppp+ -p udp -m multiport --dports 135,137,138,139,445 -j DENY_NETBIOS
$IPTABLES -A FW_NETBIOS -o ppp+ -p tcp -m multiport --sports 135,137,138,139,445 -j DENY_NETBIOS
$IPTABLES -A FW_NETBIOS -o ppp+ -p udp -m multiport --sports 135,137,138,139,445 -j DENY_NETBIOS
$IPTABLES -A ACCEPT_FILTER -j FW_NETBIOS && echo "FIREWALL: DENY_NETBIOS ACCEPT_FILTER"
$IPTABLES -N DENY_FRAGMENT
$IPTABLES -A DENY_FRAGMENT -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES FRAGMENT] : '
$IPTABLES -A DENY_FRAGMENT -j FW_PROWLER
$IPTABLES -A DENY_FRAGMENT -j DROP
$IPTABLES -N FW_FRAGMENT
$IPTABLES -A FW_FRAGMENT -f -j DENY_FRAGMENT
$IPTABLES -A ACCEPT_FILTER -j FW_FRAGMENT && echo "FIREWALL: DENY_FRAGMENT ACCEPT_FILTER"
$IPTABLES -N DENY_INVALID
$IPTABLES -A DENY_INVALID -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES INVALID] : '
$IPTABLES -A DENY_INVALID -j DROP
$IPTABLES -N FW_INVALID
$IPTABLES -A FW_INVALID -m state --state INVALID -j DENY_INVALID
$IPTABLES -A ACCEPT_FILTER -j FW_INVALID && echo "FIREWALL: DENY_INVALID ACCEPT_FILTER"
$IPTABLES -N ANTI_STEALTHSCAN
$IPTABLES -A ANTI_STEALTHSCAN \
-m hashlimit \
--hashlimit-name scan \
--hashlimit 1/h \
--hashlimit-burst 3 \
--hashlimit-mode srcip \
--hashlimit-htable-expire 960000 \
-j DROP
$IPTABLES -A ANTI_STEALTHSCAN -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES STEALTHSCAN] : '
$IPTABLES -A ANTI_STEALTHSCAN -j FW_PROWLER
$IPTABLES -A ANTI_STEALTHSCAN -j DROP
$IPTABLES -N FW_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -o lo -j RETURN
$IPTABLES -A FW_STEALTHSCAN -o eth+ -j RETURN
$IPTABLES -A FW_STEALTHSCAN -o ppp+ -j RETURN
$IPTABLES -A FW_STEALTHSCAN ! -p tcp -j RETURN
$IPTABLES -A FW_STEALTHSCAN -p tcp --dport 0:1023 -j RETURN
$IPTABLES -A FW_STEALTHSCAN -p tcp -m state ! --state NEW -j RETURN
$IPTABLES -A FW_STEALTHSCAN -p tcp -m state --state NEW --tcp-flags SYN,ACK SYN,ACK -j ANTI_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ACK,FIN FIN -j ANTI_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ACK,PSH PSH -j ANTI_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ACK,URG URG -j ANTI_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags SYN,FIN SYN,FIN -j ANTI_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags SYN,RST SYN,RST -j ANTI_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags FIN,RST FIN,RST -j ANTI_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ALL ALL -j ANTI_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ALL NONE -j ANTI_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ALL FIN -j ANTI_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ALL FIN,PSH,URG -j ANTI_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j ANTI_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG,PSH -j ANTI_STEALTHSCAN
$IPTABLES -A ACCEPT_FILTER -j FW_STEALTHSCAN && echo "FIREWALL: ANTI_STEALTHSCAN ACCEPT_FILTER"
$IPTABLES -N ANTI_PINGDEATH
$IPTABLES -A ANTI_PINGDEATH \
-m hashlimit \
--hashlimit-name scan \
--hashlimit 1/s \
--hashlimit-burst 4 \
--hashlimit-mode srcip \
--hashlimit-htable-expire 1000 \
-j RETURN
$IPTABLES -A ANTI_PINGDEATH -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES PINGDEATH] : '
$IPTABLES -A ANTI_PINGDEATH -j FW_PROWLER
$IPTABLES -A ANTI_PINGDEATH -j DROP
$IPTABLES -N FW_PINGDEATH
$IPTABLES -A FW_PINGDEATH -i eth+ -p icmp --icmp-type echo-request -j ANTI_PINGDEATH
$IPTABLES -A FW_PINGDEATH -i ppp+ -p icmp --icmp-type echo-request -j ANTI_PINGDEATH
$IPTABLES -A ACCEPT_FILTER -j FW_PINGDEATH && echo "FIREWALL: ANTI_PINGDEATH ACCEPT_FILTER"
$IPTABLES -N ANTI_SYNFLOOD
$IPTABLES -A ANTI_SYNFLOOD \
-m hashlimit \
--hashlimit-name http \
--hashlimit 10/m \
--hashlimit-burst 60 \
--hashlimit-mode srcip \
--hashlimit-htable-expire 60000 \
-j RETURN
$IPTABLES -A ANTI_SYNFLOOD -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES SYNFLOOD] : '
$IPTABLES -A ANTI_SYNFLOOD -j DROP
$IPTABLES -N FW_SYNFLOOD
$IPTABLES -A FW_SYNFLOOD -i eth+ -p tcp --dport 80 -m state --state NEW -j ANTI_SYNFLOOD
$IPTABLES -A FW_SYNFLOOD -i ppp+ -p tcp --dport 80 -m state --state NEW -j ANTI_SYNFLOOD
$IPTABLES -A ACCEPT_FILTER -j FW_SYNFLOOD && echo "FIREWALL: ANTI_SYNFLOOD ACCEPT_FILTER[TCP:80]"
$IPTABLES -N ANTI_SYNFLOOD_SSL
$IPTABLES -A ANTI_SYNFLOOD_SSL \
-m hashlimit \
--hashlimit-name https \
--hashlimit 30/m \
--hashlimit-burst 60 \
--hashlimit-mode srcip \
--hashlimit-htable-expire 60000 \
-j RETURN
$IPTABLES -A ANTI_SYNFLOOD_SSL -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES SYNFLOOD(SSL)] : '
$IPTABLES -A ANTI_SYNFLOOD_SSL -j DROP
$IPTABLES -N FW_SYNFLOOD_SSL
$IPTABLES -A FW_SYNFLOOD_SSL -i eth+ -p tcp --dport 443 -m state --state NEW -j ANTI_SYNFLOOD_SSL
$IPTABLES -A FW_SYNFLOOD_SSL -i ppp+ -p tcp --dport 443 -m state --state NEW -j ANTI_SYNFLOOD_SSL
$IPTABLES -A ACCEPT_FILTER -j FW_SYNFLOOD_SSL && echo "FIREWALL: ANTI_SYNFLOOD_SSL ACCEPT_FILTER[TCP:443]"
$IPTABLES -N ANTI_UDPFLOOD
$IPTABLES -A ANTI_UDPFLOOD \
-m hashlimit \
--hashlimit-name udp \
--hashlimit 30/m \
--hashlimit-burst 60 \
--hashlimit-mode srcip \
--hashlimit-htable-expire 60000 \
-j RETURN
$IPTABLES -A ANTI_UDPFLOOD -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES UDPFLOOD] : '
$IPTABLES -A ANTI_UDPFLOOD -j DROP
$IPTABLES -N FW_UDPFLOOD
$IPTABLES -A FW_UDPFLOOD -i eth+ -p udp -m state --state NEW -j ANTI_UDPFLOOD
$IPTABLES -A FW_UDPFLOOD -i ppp+ -p udp -m state --state NEW -j ANTI_UDPFLOOD
$IPTABLES -A ACCEPT_FILTER -j FW_UDPFLOOD && echo "FIREWALL: ANTI_UDPFLOOD ACCEPT_FILTER[UDP]"
$IPTABLES -N ANTI_ICMPFLOOD
$IPTABLES -A ANTI_ICMPFLOOD \
-m hashlimit \
--hashlimit-name icmp \
--hashlimit 30/m \
--hashlimit-burst 60 \
--hashlimit-mode srcip \
--hashlimit-htable-expire 60000 \
-j RETURN
$IPTABLES -A ANTI_ICMPFLOOD -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES ICMPFLOOD] : '
$IPTABLES -A ANTI_ICMPFLOOD -j DROP
$IPTABLES -N FW_ICMPFLOOD
$IPTABLES -A FW_ICMPFLOOD -i eth+ -p icmp --icmp-type echo-request -j ANTI_ICMPFLOOD
$IPTABLES -A FW_ICMPFLOOD -i ppp+ -p icmp --icmp-type echo-request -j ANTI_ICMPFLOOD
$IPTABLES -A ACCEPT_FILTER -j FW_ICMPFLOOD && echo "FIREWALL: ANTI_ICMPFLOOD ACCEPT_FILTER[ICMP]"
$IPTABLES -N ANTI_BRUTEFORCE
$IPTABLES -A ANTI_BRUTEFORCE \
-m hashlimit \
--hashlimit-name bruteforce \
--hashlimit 1/m \
--hashlimit-burst 7 \
--hashlimit-mode srcip \
--hashlimit-htable-expire 180000 \
-j RETURN
$IPTABLES -A ANTI_BRUTEFORCE -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES BRUTEFORCE] : '
$IPTABLES -A ANTI_BRUTEFORCE -j DROP
$IPTABLES -N FW_BRUTEFORCE
$IPTABLES -A FW_BRUTEFORCE -i eth+ -p tcp -m multiport --dports $LOGIN -m state --syn --state NEW -j ANTI_BRUTEFORCE
$IPTABLES -A FW_BRUTEFORCE -i ppp+ -p tcp -m multiport --dports $LOGIN -m state --syn --state NEW -j ANTI_BRUTEFORCE
$IPTABLES -A ACCEPT_FILTER -j FW_BRUTEFORCE && echo "FIREWALL: ANTI_BRUTEFORCE ACCEPT_FILTER[TCP]"
if [ $BLACKLIST ] && [ -s $BLACKLIST ]; then
$IPTABLES -N BLACKLIST 2>/dev/null
for line in `cat $BLACKLIST | grep ^[0-9]`
do
$IPTABLES -A BLACKLIST -s $line -j DROP
done
$IPTABLES -A INPUT -j BLACKLIST
$IPTABLES -A FORWARD -j BLACKLIST
$IPTABLES -A OUTPUT -j BLACKLIST
fi
if [ $WHITELIST ] && [ -s $WHITELIST ]; then
$IPTABLES -N WHITELIST 2>/dev/null
for line in `cat $WHITELIST | grep ^[0-9]`
do
$IPTABLES -A WHITELIST -s $line -j RETURN
done
$IPTABLES -I BLACKLIST -g WHITELIST 2>/dev/null
$IPTABLES -I DROP_FILTER -g WHITELIST
if [ $STRICT = true ]; then
$IPTABLES -A WHITELIST -j DROP
$IPTABLES -A INPUT -j WHITELIST
$IPTABLES -A FORWARD -j WHITELIST
$IPTABLES -A OUTPUT -j WHITELIST
fi
fi
$IPTABLES -D ACCEPT_FILTER 1
if [ $IPS = Snort ]; then
$IPTABLES -A ACCEPT_FILTER -p icmp -j NFQUEUE --queue-num 2
$IPTABLES -A ACCEPT_FILTER -p udp -j NFQUEUE --queue-num 2
$IPTABLES -A ACCEPT_FILTER -i eth+ -p tcp -j NFQUEUE --queue-num 2
$IPTABLES -A ACCEPT_FILTER -i ppp+ -p tcp -j NFQUEUE --queue-num 2
$IPTABLES -A ACCEPT_FILTER -o eth+ -p tcp -j NFQUEUE --queue-num 2
$IPTABLES -A ACCEPT_FILTER -o ppp+ -p tcp -j NFQUEUE --queue-num 2
$IPTABLES -A ACCEPT_FILTER -i lo -p tcp --dport 9000 -j NFQUEUE --queue-num 2
$IPTABLES -A ACCEPT_FILTER -o lo -p tcp --dport 9000 -j NFQUEUE --queue-num 2
$IPTABLES -A ACCEPT_FILTER -j ACCEPT
echo "IDS/IPS: Snort"
else
$IPTABLES -A ACCEPT_FILTER -j ACCEPT
echo "IDS/IPS: DISABLE"
fi
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j COUNTRY_FILTER
$IPTABLES -A INPUT -p icmp --icmp-type source-quench -j COUNTRY_FILTER
$IPTABLES -A INPUT -p icmp --icmp-type redirect -j COUNTRY_FILTER
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j COUNTRY_FILTER
$IPTABLES -A INPUT -p icmp --icmp-type parameter-problem -j COUNTRY_FILTER
$IPTABLES -A INPUT -p tcp -m multiport --dports $LOGIN -j COUNTRY_FILTER
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT_FILTER && echo "OPEN: HTTP[TCP:80]"
$IPTABLES -A INPUT -p tcp --dport 443 -j COUNTRY_FILTER && echo "OPEN: HTTPS[TCP:443]"
$IPTABLES -N TRAP_PORTSCAN
$IPTABLES -A TRAP_PORTSCAN -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES PORTSCAN] : '
$IPTABLES -A TRAP_PORTSCAN -j FW_PROWLER
$IPTABLES -A TRAP_PORTSCAN -j DROP
$IPTABLES -N FW_PORTSCAN
$IPTABLES -A FW_PORTSCAN -j TRAP_PORTSCAN
$IPTABLES -A INPUT -j FW_PORTSCAN && echo "FIREWALL: TRAP_PORTSCAN INPUT[TCP/UDP/ICMP]"
$IPTABLES -A FORWARD -j FW_PORTSCAN && echo "FIREWALL: TRAP_PORTSCAN FORWARD[TCP/UDP/ICMP]"
service iptables save
sysctl -p 2>&1 | grep -v -E "^error:.*(ipv6|bridge-nf-call)"
service rsyslog restart
echo complete
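The BUILD_COUNTRY function above converts each IPv4 record of the RIR delegated files into a single CIDR by halving the host count in field 5. In that file format the count is a number of addresses and does not have to be a power of two, so a record such as "768 addresses" would be truncated to one /23. The following is an added example, not code from the original script or from the falsandtru/iptables-firewall project: it splits any count into aligned CIDR blocks and prints (rather than executes) the iptables commands the cron script would issue, using the chain names from the script (COUNTRY_FILTER, DROP_FILTER, ACCEPT_FILTER). The delegated records embedded in it are constructed sample data, not real RIR allocations.

```shell
#!/bin/sh
# Added example: parse RIR "delegated-*-extended-latest" records into aligned CIDR blocks.
# Record layout: registry|cc|type|start|value|date|status|...  For ipv4 records "value" is
# a host count that does not have to be a power of two, so one record may need several CIDRs.

ip2int() {  # dotted quad -> integer
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {  # integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidrs START_IP COUNT: print the minimal list of CIDR blocks covering the range.
# Each block is the largest power of two that fits in the remaining count and is aligned
# at the current start address.
range_to_cidrs() {
  start=$(ip2int "$1"); count=$2
  while [ "$count" -gt 0 ]; do
    size=1; prefix=32
    while [ $((size * 2)) -le "$count" ] && [ $((start % (size * 2))) -eq 0 ]; do
      size=$((size * 2)); prefix=$((prefix - 1))
    done
    echo "$(int2ip "$start")/$prefix"
    start=$((start + size)); count=$((count - size))
  done
}

# delegated_to_rules ACCEPT_RE DROP_RE: read delegated records on stdin and print the
# iptables commands the cron script would run (printed, not executed).
delegated_to_rules() {
  accept_re=$1; drop_re=$2
  while IFS='|' read -r registry cc type start value rest; do
    [ "$type" = ipv4 ] || continue            # skips header, version and ipv6 records
    if echo "$cc" | grep -qE "^($accept_re)$"; then
      chain=COUNTRY_FILTER; jump=ACCEPT_FILTER
    elif echo "$cc" | grep -qE "^($drop_re)$"; then
      chain=DROP_FILTER; jump=DROP
    else
      continue                                # summary lines (cc "*") and other countries
    fi
    for cidr in $(range_to_cidrs "$start" "$value"); do
      echo "iptables -A $chain -s $cidr -j $jump"
    done
  done
}

# Constructed sample records (not real RIR data). The JP record deliberately has a count
# of 768, which the halving loop in BUILD_COUNTRY would reduce to a single /23.
SAMPLE_DELEGATED='2|apnic|20200101|4|19830101|20200101|+1000
apnic|*|ipv4|*|3|summary
apnic|JP|ipv4|203.0.113.0|768|20200101|allocated|X1
apnic|CN|ipv4|198.51.100.0|256|20200101|allocated|X2
arin|US|ipv4|192.0.2.0|256|20200101|assigned|X3
apnic|JP|ipv6|2001:db8::|32|20200101|allocated|X4'

# Same country codes as the script's ACCEPT_COUNTRY_CODE / DROP_COUNTRY_CODE defaults.
sample_rules() {
  printf '%s\n' "$SAMPLE_DELEGATED" | delegated_to_rules JP 'CN|HK|MO|KR|KP'
}

sample_rules
```

Replacing the while loop in BUILD_COUNTRY with a call to range_to_cidrs gives full coverage of every allocated range instead of silently leaving the tail of non-power-of-two ranges unfiltered.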
BLACKLIST/WHITELIST
BLACKLIST=/etc/iptables/blacklist
WHITELIST=/etc/iptables/whitelist
STRICT=false
# BLACKLIST
1.2.3.0/24
# WHITELIST
1.2.3.4
STRICT
BLACKLIST=
WHITELIST=/etc/iptables/whitelist
STRICT=true
Log rotation
$ sudo vi /etc/rsyslog.conf
kern.=debug /var/log/iptables.log
$ sudo service rsyslog restart
$ sudo vi /etc/logrotate.d/iptables
/var/log/iptables.log {
rotate 14
daily
compress
missingok
notifempty
postrotate
service rsyslog restart
endscript
}
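With the kern.=debug rule above, every hit of the script's LOG rules ends up in /var/log/iptables.log tagged with its prefix, for example [IPTABLES BRUTEFORCE] or [IPTABLES SYNFLOOD(SSL)]. As an added example that is not part of the original page, here is a small sh/awk summariser that groups those lines by category and source address and lists the protocol/port each source touched, so the log can be triaged at a glance. The log lines embedded in it are constructed in the standard netfilter LOG line format and are not from a real host.

```shell
#!/bin/sh
# Added example: summarise the '[IPTABLES <CATEGORY>] : ' lines that the script's LOG rules
# write to /var/log/iptables.log (via the kern.=debug rsyslog rule), by category and source.

# Constructed sample log lines in the netfilter LOG format (not from a real host).
SAMPLE_LOG='Mar  1 10:00:01 web1 kernel: [IPTABLES BRUTEFORCE] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:02 web1 kernel: [IPTABLES BRUTEFORCE] : IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN URGP=0
Mar  1 10:00:03 web1 kernel: [IPTABLES BRUTEFORCE] : IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51236 DPT=22 SYN URGP=0
Mar  1 10:00:05 web1 kernel: [IPTABLES STEALTHSCAN] : IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=40000 DPT=8080 FIN URGP=0
Mar  1 10:00:09 web1 kernel: [IPTABLES PORTSCAN] : IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=40001 DPT=3306 SYN URGP=0
Mar  1 10:00:11 web1 kernel: [IPTABLES PORTSCAN] : IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=28 PROTO=UDP SPT=40002 DPT=161 LEN=8
Mar  1 10:00:12 web1 kernel: [IPTABLES SYNFLOOD(SSL)] : IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=33000 DPT=443 SYN URGP=0'

# summarize_log: read log lines on stdin, print "HITS CATEGORY SRC PROTO/PORT[,...]", busiest first.
summarize_log() {
  awk '
    match($0, /\[IPTABLES [A-Z()_]+\]/) {
      cat = substr($0, RSTART + 10, RLENGTH - 11)   # text between "[IPTABLES " and "]"
      src = "?"; dpt = "?"; proto = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
      }
      k = cat " " src
      hits[k]++
      p = proto "/" dpt
      if (index("," ports[k] ",", "," p ",") == 0)     # record each proto/port once per source
        ports[k] = (ports[k] == "" ? p : ports[k] "," p)
    }
    END { for (k in hits) printf "%d %s %s\n", hits[k], k, ports[k] }
  ' | sort -rn
}

# Runs the summariser over the constructed sample; on a real host use:
#   summarize_log < /var/log/iptables.log
sample_summary() {
  printf '%s\n' "$SAMPLE_LOG" | summarize_log
}

sample_summary
```

Because the LOG rules are rate-limited by LOG_LIMIT and LOG_LIMIT_BURST, the hit counts are a lower bound on the traffic actually dropped; the category and source columns are still reliable for deciding which addresses belong in the blacklist file.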
$ sudo vi /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
$ sudo vi /etc/modprobe.d/disable-ipv6.conf
options ipv6 disable=1
$ sudo vi /etc/hosts
$ sudo chkconfig ip6tables off
$ sudo /sbin/sysctl -p
$ sudo service network restart
$ sudo reboot
$ ifconfig
$ netstat -an -A inet6
$ lsmod | grep ipv6