# this file maintained using arch at http://arch.gna.org/uruk/
# Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport.org
# Copyright (C) 2003, 2004 Tilburg University http://www.uvt.nl/
# Copyright (C) 2003, 2004 Joost van Baal
# This file is part of Uruk. Uruk is free software; you can redistribute
# it and/or modify it under the terms of the GNU GPL, see the file named
# peeksheet: iptables predefined chains:
# - INPUT - - localhost - - OUTPUT -
# PREROUTING - - - - - - - - FORWARD - - - - - - - - POSTROUTING
# Path to the IPv4 iptables binary; the URUK_IPTABLES environment variable
# overrides the compiled-in default.
iptables=${URUK_IPTABLES:-/sbin/iptables}
# By default, we don't do any /sbin/ip6tables calls. This will change
# once Uruk's IPv6 support is blessed mature.
# ":" is the shell no-op builtin, so every $ip6tables invocation below is
# silently skipped unless URUK_IP6TABLES names a real binary.
ip6tables=${URUK_IP6TABLES:-":"}
# ip6tables=${URUK_IP6TABLES:-/sbin/ip6tables}
# to /etc/default/uruk if you'd like to play with IPv6 support in Uruk
# New variables used: ip6_<...>, sources6_<...>, ip6tables.
# Configuration directory; the @...@ tokens are configure-style placeholders,
# presumably substituted at build time — verify against the build system.
etcdir="@SYSCONF_PATH@/@PACKAGE_TARNAME@"
# Main rc file; URUK_CONFIG overrides the default location under $etcdir.
config=${URUK_CONFIG:-${etcdir}/rc}
echo >&2 "No readable rc file $config found. Please create one." && exit 1
if test "$version" -lt 20040210
Uruk rc file $config claims to be pre-20040210 format. That's likely not
supported. Please read the Uruk README file for upgrade instructions.
# NOTE(review): $@ is unquoted here (and on the ip6tables line below), so the
# caller's arguments are re-split on whitespace and glob-expanded before they
# reach iptables; "$@" would pass them through unchanged. The visible callers
# pass simple tokens, so this is a robustness rather than a functional issue —
# confirm before changing.
$iptables -A INPUT -j LOG --log-level debug --log-prefix 'iptables: ' $@
# NOTE(review): same unquoted $@ as the iptables LOG line above.
$ip6tables -A INPUT -j LOG --log-level debug --log-prefix 'ip6tables: ' $@
# bootstrap these rules
# 40 < 60 ( 50) medium: log denied non-broadcasts (default)
# Default log verbosity when the rc file did not set one: 50 = "medium", i.e.
# log denied non-broadcast packets (see the level table in the comments above).
test -z "$loglevel" && loglevel=50
# Hook point: if $rc_a exists and is readable it is sourced, i.e. its contents
# run in this shell with the script's own privileges and may redefine anything
# set so far.
test -r "$rc_a" && . "$rc_a"
if test $loglevel -ge 80
# 80 < 99 ( 90) fascist: log all packets
# Stateful accept: any IPv4 packet that conntrack already associates with a
# known connection (e.g. replies to traffic we initiated) is let in here,
# before the per-service rules further down are consulted.
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ip6tables has no connection tracking support.
# IPv6 stateless stand-in for the conntrack rule: accept TCP segments that are
# not connection openers (! --syn) bound for unprivileged ports (1024 and up).
$ip6tables -A INPUT --protocol tcp ! --syn --destination-port 1024: -j ACCEPT
# UDP has no SYN equivalent, so this accepts *every* inbound IPv6 UDP datagram
# to ports 1024 and up, not only replies: an IPv6 listener on a high UDP port
# is reachable regardless of the sources6_* settings further down, because
# this ACCEPT matches first.
$ip6tables -A INPUT --protocol udp --destination-port 1024: -j ACCEPT
# Hook rc_b: sourced (run in this shell, with the script's privileges) when readable.
test -r "$rc_b" && . "$rc_b"
# protect interfaces_public against spoofing
for iface in ${interfaces}
# don't allow anyone to spoof non-routeable addresses
eval is="\"\$ips_${iface}\""
interfaces_x="$interfaces_x ${iface}_$i"
for iface_x in $interfaces_x
eval net="\"\$net_${iface_x}\""
for no_route_ip in 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
if test $no_route_ip != "$net"
# TODO: this behaves oddly in multiple-IP cases. Furthermore,
# excluding one private network from being dropped is handled in an ugly way.
$iptables -A INPUT -i $iface --source $no_route_ip -j DROP
$iptables -A INPUT -i $iface --destination $no_route_ip \
$iptables -A OUTPUT -o $iface --source $no_route_ip -j DROP
$iptables -A OUTPUT -o $iface --destination $no_route_ip \
# block outgoing packets that don't have our address as source,
# they are either spoofed or something is misconfigured (NAT disabled,
# for instance); we want to be nice and not send out garbage.
# NOTE: this is stricter than above no_route_ip rule.
# this rule is only enabled in single-ip-per-nic situations.
# in multiple ip mode, we'd have to drop only if source is
# not _one_ of the nic's IPs
# supporting this for multiple-ips would need multiple chains
# or, perhaps, some iptables extension.
eval ip="\"\$ip_${iface_x}\""
$iptables -A OUTPUT -o $iface --source ! "$ip" -j DROP
# drop all incoming packets which don't have us as destination
$iptables -A INPUT -i $iface --destination ! "$ip" -j DROP
# NOTE: this is stricter than above no_route_ip rule. If this
# rule is used, above rule ``$iptables -A INPUT -i $iface
# --destination $no_route_ip -j DROP'' could get disabled. See
# also the broadcast rule below.
# Always allow outgoing connections
$iptables -A OUTPUT -m state --state NEW -o $iface -j ACCEPT
# Hook rc_c: sourced (run in this shell, with the script's privileges) when readable.
test -r "$rc_c" && . "$rc_c"
# allow traffic to offered services, from trusted sources
for iface in $interfaces
eval is="\"\$ips_${iface}\""
interfaces_x="$interfaces_x ${iface}_$i"
for iface_x in $interfaces_x
eval ip="\"\$ip_${iface_x}\""
eval ip6="\"\$ip6_${iface_x}\""
eval services="\"\$services_${iface_x}_${proto}\""
if test -n "$services"
for service in $services
# service is a servicegroupname, e.g. "local"
eval sources="\"\$sources_${iface_x}_${proto}_${service}\""
eval sources6="\"\$sources6_${iface_x}_${proto}_${service}\""
eval ports="\"\$ports_${iface_x}_${proto}_${service}\""
# port is e.g. www or 1023
for source in $sources
# source is e.g. 10.56.0.10/32
$iptables -A INPUT -m state --state NEW \
-i $iface --protocol $proto \
--source "$source" --destination "$ip" \
--destination-port "$port" -j ACCEPT
for source6 in $sources6
$ip6tables -A INPUT \
-i $iface --protocol $proto \
--source "$source6" --destination "$ip6" \
--destination-port "$port" -j ACCEPT
# Hook rc_d: sourced (run in this shell, with the script's privileges) when readable.
test -r "$rc_d" && . "$rc_d"
# traffic on lo is trusted
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
$ip6tables -A INPUT -i lo -j ACCEPT
$ip6tables -A OUTPUT -o lo -j ACCEPT
# Hook rc_e: sourced (run in this shell, with the script's privileges) when readable.
test -r "$rc_e" && . "$rc_e"
# Don't answer broadcast and multicast packets
for iface in $interfaces_nocast
eval is="\"\$bcasts_${iface}\""
interfaces_x="$interfaces_x ${iface}_$i"
for iface_x in $interfaces_x
eval bcast="\"\$bcast_${iface_x}\""
$iptables -A INPUT -i $iface --destination "$bcast" -j DROP
# Limited-broadcast catch-all, in addition to the per-interface bcast_* rule.
$iptables -A INPUT -i $iface --destination 255.255.255.255 -j DROP
# Hook rc_f: sourced (run in this shell, with the script's privileges) when readable.
test -r "$rc_f" && . "$rc_f"
# icmp stuff. See RFC 1122 and also RFC 792, RFC 950, RFC 1812, RFC 1349,
# RFC 2474 and Stevens' TCP/IP Illustrated Chapter 6, p 69.
# The icmp types are even in %num2icmp_type in Lire::Firewall.
# Running "iptables -p icmp -h" gives iptables's idea of icmp types
# By default, we disallow
# TOS-network-redirect
# router-advertisement
# router-solicitation
# You might want to allow just
# echo-request echo-reply ttl-zero-during-transit \
# ttl-zero-during-reassembly ip-header-bad required-option-missing
# This makes pings succeed, as well as traceroute. However
# debugging network problems might be _much_ more difficult when disallowing
# lots of other icmp types. If you really want to do this, use rc_g.
address-mask-request \
destination-unreachable \
ttl-zero-during-reassembly \
ttl-zero-during-transit
$iptables -A INPUT --protocol icmp --icmp-type $type -j ACCEPT
# for now, we allow _all_ ICMPv6 packets.
$ip6tables -A INPUT --protocol icmpv6 -j ACCEPT
# Hook rc_g: sourced (run in this shell, with the script's privileges) when readable.
test -r "$rc_g" && . "$rc_g"
# log packets which make it till here: denied packets (not denied broadcasts
# or spoofed stuff). take loglevel into account.
if test $loglevel -lt 20
elif test $loglevel -lt 40
# log denied packets targeted at our IPs
for iface in $interfaces
eval is="\"\$ips_${iface}\""
interfaces_x="$interfaces_x ${iface}_$i"
for iface_x in $interfaces_x
eval ip="\"\$ip_${iface_x}\""
uruk_log -i $iface --destination $ip
elif test $loglevel -lt 60
# 40 < 60 ( 50) medium: log denied non-broadcasts (default)
# FIXME : yet to implement:
# 60 < 80 ( 70) high: log denied packets
# Hook rc_h: sourced (run in this shell, with the script's privileges) when readable.
test -r "$rc_h" && . "$rc_h"
# IPv4 fall-through for TCP not accepted above: answer with a RST so peers see
# a closed port immediately instead of waiting for a timeout.
$iptables -A INPUT -j REJECT --reject-with tcp-reset --protocol tcp
# IPv4 fall-through for everything else not accepted above: REJECT with its
# default ICMP error (port-unreachable).
$iptables -A INPUT -j REJECT
# IPv6 fall-through silently drops rather than rejecting; see the comment
# below on why the REJECT variants are not used.
$ip6tables -A INPUT -j DROP
# $ip6tables -A INPUT -j REJECT --reject-with tcp-reset --protocol tcp
# $ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
# would be better but don't seem to be supported with stock linux kernel.
# Hook rc_i: sourced (run in this shell, with the script's privileges) when readable.
test -r "$rc_i" && . "$rc_i"
# make sure we exit 0, even if last test failed