3 ### Initialization and finishing touches for firewall scripts
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 ###--------------------------------------------------------------------------
26 ### Clear existing firewall rules.
28 ## The main chains: set policy to drop, and then clear the rules. For a
29 ## while, incoming packets will be silently dropped, but we should have got
30 ## everything going before anyone actually hits a timeout.
32 ## We don't control some of the chains, so we should preserve them. This
33 ## introduces a whole bunch of problems.
35 ## Chains we're meant to preserve
36 preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains"
38 ## Take the various IP versions in turn.
41 for table in $(cat /proc/net/${ip}_tables_names); do
43 ## Step 1: clear out the builtin chains.
44 ${ip}tables -nL -t $table |
45 sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
51 run ${ip}tables -t $table -P $chain $policy
52 run ${ip}tables -t $table -F $chain
55 ## Step 2: clear out user chains. Unfortunately, we can only clear
56 ## chains which have no references to them, so work through picking off
57 ## unreferenced chains which aren't meant to be preserved until there are
61 ${ip}tables -nL -t $table |
62 sed -n '/^Chain \([^ ]\+\) (0 references)$/ s//\1/p ' \
63 >/var/run/firewall-chains.tmp
66 for pat in $preserve_chains; do
67 case "$table:$chain" in $pat) match=t ;; esac
71 run ${ip}tables -t $table -F $chain
72 run ${ip}tables -t $table -X $chain
76 done </var/run/firewall-chains.tmp
77 case $progress in nil) break ;; esac
80 ## Step 3: report on uncleared user chains. This means that there's a
82 ${ip}tables -nL -t $table |
83 sed -n '/^Chain \([^ ]\+\) (\([1-9][0-9]*\) references)$/ s//\1 \2/p ' \
84 >/var/run/firewall-chains.tmp
85 while read chain refs; do
87 for pat in $preserve_chains; do
88 case "$table:$chain" in $pat) match=t ;; esac
92 echo >&2 "$0: can't clear referenced $ip chain \`$table:$chain'"
96 done </var/run/firewall-chains.tmp
99 rm -f /var/run/firewall-chains.tmp
100 case $unref in t) exit 1 ;; esac
103 ###--------------------------------------------------------------------------
104 ### Set safe IP options.
106 ## Set forwarding options. Apparently setting ip_forward clobbers other
107 ## settings, so put this first.
108 case $host_type_<::>FWHOST in
109 router) forward=1 host=0 ;;
110 server) forward=0 host=0 ;;
111 client) forward=0 host=1 ;;
113 setopt ip_forward $forward
114 setdevopt forwarding $forward
116 accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen
121 0) inchains="INPUT" ;;
122 1) inchains="INPUT FORWARD" ;;
125 ## Set dynamic port allocation.
126 setopt ip_local_port_range $open_port_min $open_port_max
128 ## Deploy SYN-cookies if necessary.
129 setopt tcp_syncookies 1
131 ## Allow broadcast and multicast ping, because it's a useful diagnostic tool.
132 setopt icmp_echo_ignore_broadcasts 0
134 ## Turn off iptables filtering for bridges. We'll use ebtables if we need
135 ## to; but right now the model is that we do filtering at the borders, and
136 ## are tolerant of things which are local.
137 if [ -x /sbin/brctl ]; then
139 if [ -d /proc/sys/net/bridge ]; then
140 for filter in arptables iptables ip6tables; do
141 run sysctl -q net.bridge.bridge-nf-call-$filter=0
146 ## Turn off the reverse-path filter. It's basically useless: the filter does
147 ## nothing at all for single-homed hosts; and multi-homed hosts tend to have
148 ## routing aysmmetries if there's any kind of cycle.
149 setdevopt rp_filter 0
150 setdevopt log_martians 0
152 ## Turn off things which can mess with our routing decisions.
153 setdevopt accept_source_route 0
154 setdevopt accept_redirects 0
156 ## If we're maent to stop the firewall, then now is the time to do it.
160 ###--------------------------------------------------------------------------
161 ### Establish error chains.
163 errorchain forbidden REJECT
164 ## Generic `not allowed' chain.
166 errorchain tcp-fragment REJECT
167 ## Chain for logging fragmented TCP segements.
169 errorchain bad-tcp REJECT -p tcp --reject-with tcp-reset
170 ## Bad TCP segments (e.g., for unknown connections). Sends a TCP reset.
172 errorchain mangle:bad-source-address DROP
173 errorchain bad-source-address DROP
174 ## Packet arrived on wrong interface for its source address. Drops the
175 ## packet, since there's nowhere sensible to send an error.
177 errorchain bad-destination-address REJECT
178 ## Packet arrived on non-loopback interface with loopback destination.
180 errorchain interesting ACCEPT
181 ## Not an error, just log interesting packets.
184 ###--------------------------------------------------------------------------
185 ### Standard filtering.
187 ## Don't clobber local traffic
188 run ip46tables -A INPUT -i lo -j ACCEPT
190 ## We really shouldn't see packets destined for localhost on any interface
191 ## other than the loopback.
192 run iptables -A INPUT -g bad-destination-address \
194 run ip6tables -A INPUT -g bad-destination-address \
197 ## We shouldn't be asked to forward things with link-local addresses.
200 run iptables -A FORWARD -g bad-source-address \
202 run iptables -A FORWARD -g bad-destination-address \
204 run ip6tables -A FORWARD -g bad-source-address \
206 run ip6tables -A FORWARD -g bad-destination-address \
211 ## Also, don't forward link-local broadcast or multicast.
214 run iptables -A FORWARD -g bad-destination-address \
216 run iptables -A FORWARD -g bad-destination-address \
217 -m addrtype --dst-type BROADCAST
218 run iptables -A FORWARD -g bad-destination-address \
220 clearchain check-fwd-multi
221 for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
222 run ip6tables -A check-fwd-multi -g bad-destination-address \
225 ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8
229 ## Add a hook for fail2ban.
231 run ip46tables -A INPUT -j fail2ban
234 ###--------------------------------------------------------------------------
235 ### Finishing touches.
238 ## Locally generated packets are all OK.
239 run ip46tables -P OUTPUT ACCEPT
241 ## Other incoming things are forbidden.
242 for chain in INPUT FORWARD; do
243 run ip46tables -A $chain -g forbidden
246 ## Allow stuff through unknown tables.
248 for table in $(cat /proc/net/${ip}_tables_names); do
249 case $table in mangle | filter) continue ;; esac
250 ${ip}tables -nL -t $table |
251 sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
253 run ${ip}tables -t $table -P $chain ACCEPT
258 ## Dump the resulting configuration.
259 if [ "$FW_DEBUG" ]; then
261 for table in mangle filter; do
262 echo "----- $ip $table -----"
264 ${ip}tables -t $table -nvL
271 ###----- That's all, folks --------------------------------------------------