Broadband Tech > Security > Security > Help: Configuring Router IPTables to stealth all ports ...

reply to HappyDude

Re: Help: Configuring Router IPTables to stealth all ports ...

#! /bin/sh
# 
# Author: Stanley Chan
#
# Version 06/27/08
#
# /etc/init.d/firewall
#
#
### Based on rules from:
### http://www.novell.com/coolsolutions/feature/18139.html
### http://www.linuxquestions.org/questions/linux-security-4/stealth-iptables-ruleset-21338/
### http://fixunix.com/security/17626-shields-up-reports-one-open-port-through-iptables.html
### http://www.dslreports.com/forum/r20642422-Help-Configuring-Router-IPTables-to-stealth-all-ports-
#
#
### BEGIN INIT INFO
# Provides: Firewall for Router/Modem/Switch [Westell Versalink 7500]
# Required-Start: $network syslog
# Required-Stop:
# Should-Stop:
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
# Short-Description: Firewall Configuration
### END INIT INFO
#
#
 
##############################################################################
# DEFAULT POLICY
SetDefaultPolicy() {
# Drop everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
}
 
##############################################################################
# FLUSH TABLES
FlushTables() {
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
iptables -X
}
 
##############################################################################
# ROUTING
EnableRouting() {
echo 1 > /proc/sys/net/ipv4/ip_forward
}
 
DisableRouting() {
echo 0 > /proc/sys/net/ipv4/ip_forward
}
 
##############################################################################
# FORWARDING
SetForwardingRules() {
iptables -A FORWARD -i $IF_PUB -o $IF_PRV -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_PRV -o $IF_PUB -j ACCEPT
}
 
##############################################################################
# Stan's Custom Rules
SetCustomRules() {
iptables -N inbound
iptables -A INPUT -i eth0 -j inbound
 
iptables -A INPUT -i eth0 -p tcp --syn -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 0 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 1 -j DROP
iptables -A INPUT -i eth0 -p udp --syn -j DROP
iptables -A INPUT -i eth0 -p udp --dport 0 -j DROP
iptables -A INPUT -i eth0 -p udp --dport 1 -j DROP
 
# Drop all traffic that's not allowed
iptables -A INPUT -i eth0 -d $YOURBOX -j LOG --log-level 7 --log-prefix "Default Deny"
iptables -A INPUT -j DROP
 
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}
 
##############################################################################
# LOOPBACK
SetLoopbackRules() {
# Allow everything
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
}
 
##############################################################################
# PRIVATE INTERFACES
SetPrivateInterfaceRules() {
# Allow everything
iptables -A INPUT -i $IF_PRV -s $NET_PRV -j ACCEPT
iptables -A OUTPUT -o $IF_PRV -d $NET_PRV -j ACCEPT
}
 
#############################################################################
# PUBLIC INTERFACES
SetPublicInterfaceRules() {
iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IF_PUB -j ACCEPT
}
 
##############################################################################
# SOURCE NAT
EnableSourceNAT() {
# Then source NAT everything else
iptables -t nat -A POSTROUTING -s $NET_PRV -o $IF_PUB -j SNAT --to $IP_PUB
}
 
# Various ICMP
SetICMP_Open() {
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
}
 
# SSH (on a non-standard port)
SetSSH_Open() {
iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB --dport 2202 -j ACCEPT
}
 
##############################################################################
# Destination NAT
 
# smtp
SetSMTP_DNAT() {
iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j DNAT --to 192.168.1.254
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport smtp -j ACCEPT
}
 
# pop3
SetPOP3_DNAT() {
iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport pop3 -j DNAT --to 192.168.10.254
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport pop3 -j ACCEPT
}
 
# Webmail (444->443)
SetWebmail_DNAT() {
iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j DNAT --to 192.168.10.254:443
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p tcp --dport 443 -j ACCEPT
}
 
# http
SetHTTP_DNAT() {
iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j DNAT --to 192.168.10.253
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport http -j ACCEPT
}
 
# Blocked protocols
SetBlockedProtocols() {
# Block all normal irc (used by botnets)
iptables -A INPUT -p tcp --dport irc -j DROP
iptables -A INPUT -p udp --dport irc -j DROP
iptables -A INPUT -p tcp --dport irc-serv -j DROP
iptables -A INPUT -p udp --dport irc-serv -j DROP
iptables -A INPUT -p tcp --dport ircs -j DROP
iptables -A INPUT -p udp --dport ircs -j DROP
}
 
# Blocked hosts
SetBlockedHosts() {
iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j DROP --reject-with icmp-host-prohibited
iptables -A FORWARD -i $IF_PUB -s 10.220.231.236 -j DROP --reject-with icmp-host-prohibited
}
 
# Blocked networks
SetBlockedNetworks() {
iptables -A INPUT -i $IF_PUB -s 10.220.232.0/24 -j DROP --reject-with icmp-net-prohibited
iptables -A FORWARD -i $IF_PUB -d $IP_PUB -s 10.220.232.0/24 -j DROP --reject-with icmp-net-prohibited
}
 
# Specify things to drop before logging
SetPrelogDropRules() {
# DHCP
iptables -A INPUT -i $IF_PUB -p udp --sport bootps -j DROP
}
 
# Log those on the public interface
SetLoggingRules() {
iptables -A INPUT -i $IF_PUB -j LOG --log-prefix="INPUT   "
iptables -A OUTPUT -o $IF_PUB -j LOG --log-prefix="OUTPUT  "
iptables -A FORWARD -j LOG --log-prefix="FORWARD "
#iptables -t nat -A PREROUTING -i $IF_PUB -j LOG --log-prefix="nPre    "
#iptables -t nat -A POSTROUTING -o $IF_PUB -j LOG --log-prefix="nPost   "
#iptables -t nat -A OUTPUT -o $IF_PUB -j LOG --log-prefix="NAT OUT "
}
 
# Drop them all
SetDropRules() {
# Reset tcp connection attempts on all other ports
# This is the standard TCP behaviour for a closed port. Reading
# suggests there is no value in stealthing ports and since some are
# open on this host it doesn't seem to matter. Therefore, let's be a 
# good TCP citizen
### Stan- Changed rule from REJECT to DROP for stealthing
iptables -A INPUT -p tcp -j DROP --reject-with tcp-reset
}
 
##############################################################################
# SCRIPT ENTRY POINT
 
echo -n "Firewall Configuration..."
echo $1
 
##############################################################################
# ENVIRONMENT
 
# Private interface
IF_PRV=eth0
IP_PRV=192.168.1.1
NET_PRV=192.168.1.0/24
 
# Public interface
IF_PUB=eth1
IP_PUB=10.0.0.1
NET_PUB=10.0.0.0/24
 
# Others
ANYWHERE=0.0.0.0/0
 
. /etc/rc.status
rc_reset
 
##############################################################################
# COMMAND LINE
 
case "$1" in
start)
SetDefaultPolicy
FlushTables
 
EnableRouting
 
SetBlockedProtocols
SetBlockedNetworks
SetBlockedHosts
 
SetForwardingRules
 
SetCustomRules
 
SetLoopbackRules
SetPrivateInterfaceRules
SetPublicInterfaceRules
 
EnableSourceNAT
 
SetICMP_Open
SetSSH_Open
 
SetSMTP_DNAT
SetPOP3_DNAT
SetWebmail_DNAT
SetHTTP_DNAT
 
SetPrelogDropRules
SetLoggingRules
SetDropRules
;;
 
stop)
SetDefaultPolicy
FlushTables
 
SetPrivateInterfaceRules
SetPublicInterfaceRules
;;
 
restart)
$0 stop
$0 start
;;
 
*)
;;
esac
 
rc_exit
 

When a port IS in Stealth, the Firewall will state that it is closed. Think of Stealth like Harry Potter's Inviso Cloak. You know that he is under it, but you do not know where he is.

I forgot about that one, but then again.