#!/bin/bash # By Brielle Bruns # URL: http://www.sosdg.org/freestuff/firewall # License: GPLv3 # # Copyright (C) 2009 - 2010 Brielle Bruns # Copyright (C) 2009 - 2010 The Summit Open Source Development Group # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program. If not, see . # display_c $COLOR $TEXT BOOL(YN) # $COLOR being bash colors # $TEXT being what to output (make sure to put " " around text) # BOOL being (Y or N) to do newline at end or not function display_c { unset COLOR_CODE TEXT NEWLINE DEFAULT_COLOR="\E[39m" COLOR_CODE=`pick_color $1` TEXT="$2" if [ "$3" == "N" ]; then NEWLINE="-n" fi echo -e $NEWLINE "$COLOR_CODE$TEXT$DEFAULT_COLOR" } # display_m $COLOR(IGNORED) $TEXT BOOL(YN) # Non-color version of display_c function display_m { unset TEXT NEWLINE TEXT="$2" if [ "$3" == "N" ]; then NEWLINE="-n" fi echo -e $NEWLINE "$TEXT" } # pick_color $COLOR # returns appropriate color codes for use in display_c and such function pick_color { case $1 in BLUE) COLOR="\E[34m" ;; GREEN) COLOR="\E[32m" ;; RED) COLOR="\E[31m" ;; YELLOW) COLOR="\E[33m" ;; PURPLE) COLOR="\E[35m" ;; AQUA) COLOR="\E[36m" ;; WHITE) COLOR="\E[1m" ;; GREY) COLOR="\E[37m" ;; *) COLOR="\E[37m" ;; esac echo "$COLOR" } # reset_color function reset_color { unset NEWLINE DEFAULT_COLOR="\E[39m" if [ "$1" == "N" ]; then NEWLINE="-n" fi echo $NEWLINE -e "$DEFAULT_COLOR" } # iptables_rules_flush (ipv6|ipv4) # Clear all rules from iptables - be very careful in how this is called as it # could easily lock out the user from the network. Best way to be safe, is to # call iptables_policy_reset first then this function. function iptables_rules_flush { IP_VERSION=$1 case $IP_VERSION in ipv6) VER_IPTABLES=$IP6TABLES ; TABLE_NAMES=/proc/net/ip6_tables_names ;; ipv4|*) VER_IPTABLES=$IPTABLES ; TABLE_NAMES=/proc/net/ip_tables_names ;; esac display_c RED "Flushing ${IP_VERSION} rules..." $VER_IPTABLES --flush &>/dev/null $VER_IPTABLES -F OUTPUT &>/dev/null $VER_IPTABLES -F PREROUTING &>/dev/null $VER_IPTABLES -F POSTROUTING &>/dev/null for i in `cat $TABLE_NAMES`; do $VER_IPTABLES -F -t $i &>/dev/null done #if [ $NAT ] && [ $IP_VERSION == "ipv4" ]; then # $VER_IPTABLES -F -t nat &>/dev/null #fi #$VER_IPTABLES -F -t raw &>/dev/null } # iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP) # Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6 # If no policy given, assume ACCEPT function iptables_policy_reset { IP_VERSION=$1 SET_POLICY=${2=ACCEPT} case $IP_VERSION in ipv6) VER_IPTABLES=$IP6TABLES ;; ipv4|*) VER_IPTABLES=$IPTABLES ;; esac display_c RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..." $VER_IPTABLES --policy INPUT $SET_POLICY $VER_IPTABLES --policy OUTPUT $SET_POLICY $VER_IPTABLES --policy FORWARD $SET_POLICY } # show_help # Show command line options help function show_help { echo "Firewall/SOSDG ${FW_VERSION} - Brielle Bruns " echo -e "\t--help\t\tShows this info" echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT" echo -e "\t--generate-cache\tGenerate cached rule file" } # apply_ipv4_hack $HACKS function apply_ipv4_hack { display_c YELLOW "Applying IPv4 hack/fix:" N while [ $# -gt 0 ]; do case "$1" in NS-IN-DDOS) # NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see: # http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/ display_c PURPLE " ./NS/IN-DDOS-FIX" N if `$MODPROBE --quiet $MOD_U32 &>/dev/null`; then $IPTABLES -A INPUT -j DROP -p udp --dport 53 -m u32 --u32 \ "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001" else display_c RED "\nError: could not load $MOD_U32 module into the kernel. Not using fix." fi ;; MULTI-NIC-ARP-LOCK) # MULTI-NIC-ARP-LOCK - By default, in Linux, arp requests may be answered by interfaces that # do not actually have the IP in question. In some (alot in my case), # I have things going through specific wires for a reason. This fixes # that and makes it behave as expected. display_c PURPLE " MULTI-NIC-ARP-LOCK" N for i in default all; do if [ -w ${PROC_NET_IPV4}/$i/arp_ignore ]; then echo "1" > ${PROC_NET_IPV4}/$i/arp_ignore else display_c RED "\nError: Could not write to ${PROC_NET_IPV4}/$i/arp_ignore" fi if [ -w ${PROC_NET_IPV4}/$i/arp_announce ]; then echo "2" > ${PROC_NET_IPV4}/$i/arp_announce else display_c RED "\nError: Could not write to ${PROC_NET_IPV4}/$i/arp_announce" fi done ;; NTPDDOSRATELIMIT) # Rate limit NTP DDOS UDP traffic using rules provided on the nanog list by # pashdown@xmission.com $IPTABLES -N NTP $IPTABLES -I BLACKHOLE 1 -m recent --set --name ntpv4blackhole --rsource $IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name \ ntpv4 --rsource -j BLACKHOLE $IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name \ ntpv4blackhole --rsource -j DROP $IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT $IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP esac shift done echo -en "\n" } # write_out_rules(_v6) function write_out_rules { echo "$*" >> "$RULE_CACHE" } function write_out_rules_v6 { echo "$*" >> "$RULE_CACHE_V6" }