#!/bin/bash
# Firewall v0.5 | Ultima modificación 05/12/08
# Referencia sobre puertos http://isc.sans.org
# Declarando variables
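fail=0                 # flipped to 1 by any iptables/sysctl call that fails; reported by log_end_msg
LNEGRA="/etc/lnegra"   # blacklist: one IP/host per line, '#' comments and blank lines allowed
IPT="/sbin/iptables"   # iptables binary (IPv4 only; ip6tables is not managed by this script)
IFACE="eth0"           # interface whose address every rule is keyed on
# Determine our own address on IFACE.  The rules are written against it, so
# if the fixed IP changes, stop the firewall first and start it again.
# Prefer iproute2 ("ip -o" prints one machine-readable line per address);
# fall back to the old net-tools ifconfig layout ("inet addr:1.2.3.4 ...")
# when ip is not installed.  Newer ifconfig prints "inet 1.2.3.4" without a
# colon, which the sed expression would not match -- hence the two paths.
# cstart refuses to load rules when MIPC ends up empty.
MIPC=""
if command -v ip >/dev/null 2>&1; then
  MIPC="$(ip -4 -o addr show dev "$IFACE" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n1)"
fi
if [ -z "$MIPC" ] && command -v ifconfig >/dev/null 2>&1; then
  MIPC="$(ifconfig "$IFACE" 2>/dev/null | sed -n "2s/[^:]*:[ \t]*\([^ ]*\) .*/\1/p")"
fi
# LSB logging helpers: log_begin_msg, log_end_msg, log_success_msg, ...
. /lib/lsb/init-functions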
cstop() {
  # Tear the firewall down: open the three built-in policies, then remove
  # every rule, user chain and counter from the filter table and flush nat.
  # Any iptables error flips the global `fail`, which log_end_msg reports.
  # Globals read: IPT.  Globals written: fail.
  local chain
  log_begin_msg "Cortafuegos detenido/purgado"
  for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$chain" ACCEPT || fail=1
  done
  "$IPT" -F || fail=1
  "$IPT" -X || fail=1
  "$IPT" -Z || fail=1
  "$IPT" -t nat -F || fail=1
  log_end_msg $fail
}
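cstart() {
  # Build the IPv4 rule set from scratch: flush, set DROP policies, add the
  # explicit ACCEPT rules for the few flows this host needs, then LOG what
  # falls through to the policies.  Any iptables/sysctl error flips the
  # global `fail`, which is reported at the end.
  # Globals read: IPT, LNEGRA, MIPC.  Globals written: fail.
  # NOTE: only iptables (IPv4) is configured; ip6tables is never touched, so
  # if IPv6 is enabled on the interface that stack stays unfiltered.
  local LAN="192.168.1.0/24"   # LAN allowed to talk NetBIOS/SMB with us
  local DNSSRV="192.168.1.1"   # the only resolver whose answers we accept
  local lnegra_host

  # Every ACCEPT rule is keyed on our own address.  With an empty MIPC the
  # "-s"/"-d" arguments would be missing, iptables would reject every rule
  # and the host would be left with DROP policies and nothing allowed.
  # Bail out before touching anything so the current state is left as-is.
  if [ -z "$MIPC" ]; then
    log_failure_msg "No se pudo determinar la IP local; no se aplican reglas"
    fail=1
    return 1
  fi

  cstop
  echo "Iniciando Cortafuegos..."
  log_begin_msg "Denegar por defecto conecciones de entrada/salida/enrutamiento"
  "$IPT" -P INPUT DROP || fail=1
  "$IPT" -P OUTPUT DROP || fail=1
  "$IPT" -P FORWARD DROP || fail=1
  log_end_msg $fail

  # Blacklist: first field of each line; '#' comments and blank lines skipped.
  # Use IP addresses/CIDRs here: iptables resolves names at insertion time,
  # and at this point OUTPUT is already DROP with no DNS rule loaded yet, so a
  # hostname would fail to resolve and its DROP would be silently missing.
  if [ -f "$LNEGRA" ]; then
    while read -r lnegra_host _ || [ -n "$lnegra_host" ]; do
      case "$lnegra_host" in
        ''|'#'*) continue ;;   # blank line or comment
      esac
      "$IPT" -A INPUT -s "$lnegra_host" -d "$MIPC" -j DROP || fail=1
      "$IPT" -A OUTPUT -s "$MIPC" -d "$lnegra_host" -j DROP || fail=1
    done < "$LNEGRA"
  fi

  log_begin_msg "Añadiendo protecciones adicionales"
  # rp_filter=1 ENABLES reverse-path filtering (drop packets whose source
  # address would not be routed back out the interface they arrived on).
  # The previous version wrote 0 here, which switched the anti-spoofing
  # check OFF while the comment claimed the opposite.  The kernel applies
  # the higher of conf/all and conf/<iface>, so setting "all" is enough.
  echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter || fail=1
  # Don't answer broadcast pings (smurf amplification).
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts || fail=1
  # Don't answer ping at all.
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all || fail=1
  # SYN cookies: mitigate SYN-flood backlog exhaustion.
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies || fail=1
  log_end_msg $fail

  log_begin_msg "Permitir localhost"
  "$IPT" -A INPUT -i lo -j ACCEPT || fail=1
  "$IPT" -A OUTPUT -o lo -j ACCEPT || fail=1
  log_end_msg $fail

  log_begin_msg "Permitir acceso a la red local"
  # NetBIOS name service (udp/137) stays stateless on purpose: name queries
  # are often broadcast and the unicast answer comes from a different address
  # than the query was sent to, which conntrack does not pair up without the
  # netbios-ns helper.
  "$IPT" -A INPUT -s "$LAN" -d "$MIPC" -p udp --sport 137 -j ACCEPT || fail=1
  "$IPT" -A OUTPUT -s "$MIPC" -d "$LAN" -p udp --dport 137 -j ACCEPT || fail=1
  # We are an SMB *client* only (there is no --dport 139/445 on INPUT), so
  # inbound 139/445 traffic must belong to a connection we opened.  Matching
  # on the source port alone would let any LAN host reach every port on us
  # simply by using 139 or 445 as its source port.
  "$IPT" -A INPUT -s "$LAN" -d "$MIPC" -p tcp --sport 139 -m state --state ESTABLISHED -j ACCEPT || fail=1
  "$IPT" -A OUTPUT -s "$MIPC" -d "$LAN" -p tcp --dport 139 -j ACCEPT || fail=1
  "$IPT" -A INPUT -s "$LAN" -d "$MIPC" -p tcp --sport 445 -m state --state ESTABLISHED -j ACCEPT || fail=1
  "$IPT" -A OUTPUT -s "$MIPC" -d "$LAN" -p tcp --dport 445 -j ACCEPT || fail=1
  log_end_msg $fail

  log_begin_msg "Permitir consultas DNS"
  # Only answers to queries we sent, and only from our configured resolver.
  "$IPT" -A INPUT -s "$DNSSRV" -d "$MIPC" -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT || fail=1
  "$IPT" -A OUTPUT -s "$MIPC" -d "$DNSSRV" -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT || fail=1
  log_end_msg $fail

  log_begin_msg "Permitir comando whois"
  # Reply direction is matched statefully.  The previous "! --syn" form let
  # any non-SYN packet with source port 43 reach every high port whether or
  # not we had ever opened a connection (ACK scans, injected segments).
  "$IPT" -A INPUT -s 0/0 -d "$MIPC" -p tcp --sport 43 -m state --state ESTABLISHED -j ACCEPT || fail=1
  "$IPT" -A OUTPUT -s "$MIPC" -d 0/0 -p tcp --dport 43 -j ACCEPT || fail=1
  log_end_msg $fail

  log_begin_msg "Permitir jabber de google"
  # NOTE(review): iptables resolves talk.google.com once, at rule-load time,
  # into one rule per A record.  If the name later resolves elsewhere the
  # rule silently stops matching, and whoever controls the DNS answer at load
  # time decides which addresses get whitelisted.  Pin addresses if possible.
  "$IPT" -A INPUT -s talk.google.com -d "$MIPC" -p tcp --sport 5222 -m state --state ESTABLISHED -j ACCEPT || fail=1
  "$IPT" -A OUTPUT -s "$MIPC" -d talk.google.com -p tcp --dport 5222 -j ACCEPT || fail=1
  log_end_msg $fail

  log_begin_msg "Permitir repositorios"
  # NOTE(review): these allow UDP on *any* port to whatever ubuntu.com and
  # launchpad.net resolve to at load time (same DNS caveat as above).  apt
  # itself fetches over TCP 80/443, which the Http rules below already cover,
  # so confirm these UDP rules are really needed before keeping them.
  "$IPT" -A INPUT -s ubuntu.com -d "$MIPC" -p udp -m state --state ESTABLISHED -j ACCEPT || fail=1
  "$IPT" -A OUTPUT -s "$MIPC" -d ubuntu.com -p udp -m state --state NEW,ESTABLISHED -j ACCEPT || fail=1
  "$IPT" -A INPUT -s launchpad.net -d "$MIPC" -p udp -m state --state ESTABLISHED -j ACCEPT || fail=1
  "$IPT" -A OUTPUT -s "$MIPC" -d launchpad.net -p udp -m state --state NEW,ESTABLISHED -j ACCEPT || fail=1
  log_end_msg $fail

  log_begin_msg "Permitir Http (80), Https (443) y Http-alt (8080)"
  # Client-side web access: outbound to 80/443/8080 from an ephemeral port,
  # inbound only for the established reply (see the whois note on "! --syn").
  "$IPT" -A INPUT -s 0/0 -d "$MIPC" -p tcp --dport 1025:65535 -m multiport --source-ports 80,443,8080 -m state --state ESTABLISHED -j ACCEPT || fail=1
  "$IPT" -A OUTPUT -s "$MIPC" -d 0/0 -p tcp --sport 1025:65535 -m multiport --destination-ports 80,443,8080 -j ACCEPT || fail=1
  log_end_msg $fail

  # Untested: the author does not use Thunderbird or a similar mail client.
  # Uncomment to allow client-side mail; written in the same stateful form
  # as the Http rules above.
  #log_begin_msg "Permitir Smtp (25), Pop3 (110), Imap (143), Smtps (465), Submission (587), Imaps (993), Pop3s (995)"
  # "$IPT" -A INPUT -s 0/0 -d "$MIPC" -p tcp --dport 1025:65535 -m multiport --source-ports 25,110,143,465,587,993,995 -m state --state ESTABLISHED -j ACCEPT || fail=1
  # "$IPT" -A OUTPUT -s "$MIPC" -d 0/0 -p tcp --sport 1025:65535 -m multiport --destination-ports 25,110,143,465,587,993,995 -j ACCEPT || fail=1
  #log_end_msg $fail

  # Log whatever falls through to the DROP policies.  Rate-limited so a flood
  # of unsolicited packets cannot fill the disk or drown the kernel log; the
  # packets are still dropped by the policy either way.
  "$IPT" -A INPUT -d "$MIPC" -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "access denied: " --log-level 4 || fail=1
  "$IPT" -A OUTPUT -s "$MIPC" -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "access denied: " --log-level 4 || fail=1

  if [ "$fail" -eq 0 ]; then
    log_success_msg "Verifique que lo que se aplica con: sudo $0 status"
  else
    log_warning_msg "Se ha producido un error al aplicar alguna de las reglas"
  fi
}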
cstatus() {
  # Show the filter table with numeric addresses and ports (no reverse DNS).
  # Globals read: IPT.
  "$IPT" -L -n
}
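# Dispatch on the first argument.  ${1:-} keeps the script quiet under
# `set -u` if someone adds it later; an empty/unknown mode prints usage.
case "${1:-}" in
  start)
    cstart
    ;;
  stop)
    cstop
    ;;
  restart)
    # cstart already flushes via cstop; the explicit stop is kept so restart
    # still tears down even if cstart changes later.
    cstop
    cstart
    ;;
  status)
    cstatus
    ;;
  *)
    # Usage error: report on stderr and exit non-zero (LSB init scripts use
    # 2 for "invalid or excess argument(s)") so callers and service managers
    # do not see a silent success.
    echo "Modo de uso: sudo $0 start|stop|restart|status" >&2
    exit 2
    ;;
esac
# Propagate rule-loading failures to the caller: `fail` is 1 if any
# iptables/sysctl call in cstart/cstop failed, 0 otherwise.
exit "$fail"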