From 1f90ace7ffdcc6c98775dfed13d4af10e69627fe Mon Sep 17 00:00:00 2001
From: Matthias Blankertz
Date: Sat, 5 Apr 2014 17:34:58 +0200
Subject: [PATCH] Various fixes to firewall script

---
 overlay/etc/firewall.sh | 40 +++++++++++++++-------------------------
 1 file changed, 15 insertions(+), 25 deletions(-)
diff --git a/overlay/etc/firewall.sh b/overlay/etc/firewall.sh
index 7971a5f..b763612 100755
--- a/overlay/etc/firewall.sh
+++ b/overlay/etc/firewall.sh
@@ -50,6 +50,7 @@ iptables -A INPUT -i $LANIF -s 192.168.0.0/16 -j DROP
 iptables -A INPUT -i $LANIF -s 172.16.0.0/12 -j Antispoof_172
 iptables -A INPUT -i $LANIF -s 10.0.0.0/8 -j DROP
 iptables -A Antispoof_172 -i $LANIF -s 172.20.0.0/16 -j RETURN
+iptables -A Antispoof_172 -j LOG --log-prefix "ANTISPOOFIN "
 iptables -A Antispoof_172 -j DROP
 
 # Block outgoing NetBios (if you have windows machines running
@@ -63,7 +64,16 @@ iptables -A OUTPUT -p tcp --sport 137:139 -o $LANIF -j DROP
 iptables -A OUTPUT -p udp --sport 137:139 -o $LANIF -j DROP
 
 # Check source address validity on packets going out to network
-iptables -A OUTPUT -s $PRIVATE -o $LANIF -j DROP
+iptables -N SourceAddr
+iptables -A OUTPUT -s $PRIVATE -o $LANIF -j SourceAddr
+iptables -A SourceAddr -j LOG --log-prefix "SOURCEADDR "
+iptables -A SourceAddr -j DROP
+
+# Keep state of connections from local machine and private subnets
+iptables -A OUTPUT -m state --state NEW -o $LANIF -j ACCEPT
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m state --state NEW -o $LANIF -j ACCEPT
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # Allow local loopback
 iptables -A INPUT -s $LOOP -j ACCEPT
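Review bot: The new LOG rule in Antispoof_172 has no rate limit, so a burst of spoofed 172.16/12 traffic arriving on $LANIF turns directly into a kernel-log flood; the same applies to the SOURCEADDR LOG rule in the next hunk and to both CATCHALL LOG rules in the last hunk. Prefixing each with the limit match, e.g. `iptables -A Antispoof_172 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "ANTISPOOFIN "`, bounds the log rate while still recording the event. The prefix `"ANTISPOOFIN "` also looks like a truncated `"ANTISPOOFING "`; it is well within the 29-character limit of --log-prefix, so it can be spelled out unless the shortened form is intentional.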
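Review bot: `iptables -N SourceAddr` fails with "Chain already exists" if the script is run a second time without the user-defined chains having been removed first; whether the script flushes and deletes chains (`iptables -F` / `iptables -X`) before this point is outside the hunk, so it is worth confirming, and the same question applies to how Antispoof_172 is created. If it does not, creating the chain only when absent, `iptables -L SourceAddr -n >/dev/null 2>&1 || iptables -N SourceAddr`, keeps the rest of the block working on reruns. The relocated state rules now sit ahead of the loopback accept, which is harmless for ESTABLISHED,RELATED, but note that `FORWARD -m state --state NEW -o $LANIF -j ACCEPT` still admits new forwarded connections from any ingress interface, exactly as before the move.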
@@ -82,23 +92,7 @@ iptables -A FORWARD -p icmp --icmp-type 0/0 -j ACCEPT
 iptables -A FORWARD -p icmp --icmp-type 3 -j ACCEPT
 
 # Allow services such as ssh (can be disabled)
-iptables -A INPUT -p tcp --dport ssh -j ACCEPT
-
-# Allow incoming OpenVPN packets
-# Duplicate the line below for each
-# OpenVPN tunnel, changing --dport n
-# to match the OpenVPN UDP port.
-#
-# In OpenVPN, the port number is
-# controlled by the --port n option.
-# If you put this option in the config
-# file, you can remove the leading '--'
-#
-# If you taking the stateful firewall
-# approach (see the OpenVPN HOWTO),
-# then comment out the line below.
-
-iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
+iptables -A INPUT -p tcp -m multiport --dports ssh,1194 -j ACCEPT -m state --state NEW
 
 # Allow packets from TUN/TAP devices.
 # When OpenVPN is run in a secure mode,
@@ -112,14 +106,10 @@ iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
 iptables -A INPUT -i tun+ -j ACCEPT
 iptables -A FORWARD -i tun+ -j ACCEPT
 
-#iptables -A INPUT -i tap+ -j ACCEPT
-#iptables -A FORWARD -i tap+ -j ACCEPT
 
-# Keep state of connections from local machine and private subnets
-iptables -A OUTPUT -m state --state NEW -o $LANIF -j ACCEPT
-iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-iptables -A FORWARD -m state --state NEW -o $LANIF -j ACCEPT
-iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Catchall
+iptables -A INPUT -j LOG --log-prefix "CATCHALL "
+iptables -A FORWARD -j LOG --log-prefix "CATCHALL "
 
 # Masquerade local subnet
 iptables -t nat -A POSTROUTING -s $PRIVATE -o $LANIF -j MASQUERADE
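Review bot: The merged rule places the `-m state --state NEW` match after `-j ACCEPT`; iptables generally accepts this ordering, but the conventional form keeps every match before the target, `iptables -A INPUT -p tcp -m multiport --dports ssh,1194 -m state --state NEW -j ACCEPT`, which reads as one rule rather than a target with trailing options. The deleted comment block was the only explanation of what 1194 is, so a short comment above the line, such as `# 1194 = OpenVPN (TCP); adjust --dports if OpenVPN's --port option is changed`, keeps that context. The surviving heading `# Allow services such as ssh (can be disabled)` no longer mentions OpenVPN and could be updated to name both services.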
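Review bot: The two CATCHALL LOG rules are non-terminating, so what happens to a logged packet depends entirely on the INPUT and FORWARD chain policies, which are set outside this hunk; if either policy is ACCEPT the "catchall" only logs and the packet is still admitted. Following each LOG with an explicit drop, `iptables -A INPUT -j DROP` and `iptables -A FORWARD -j DROP`, makes the intended outcome independent of the policy. Any INPUT or FORWARD accept rules appended later in the script would now sit behind these LOG rules and be recorded as CATCHALL before being accepted, so their placement relative to the rest of the file should be checked.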