OpenVZ Firewall Template - V 1.3

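#!/bin/sh
#
### BEGIN INIT INFO
# Provides: IP-Paketfilter
# Required-Start: $network $local_fs
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: iptables Script fuer OpenVZ Server ipv4 & ipv6
# Description: Minimales iptables Script fuer OpenVZ Server ipv4 & ipv6 - peter.grunert@gmail.com - Version 1.3
### END INIT INFO
#

# Variable definitions
 # Determine the addresses of the network interfaces. Every host-bound rule
 # in the "start" branch uses these two values as -s/-d, so they must be a
 # single plain address (no prefix length, no second line) or the iptables
 # calls fail and the DROP policies lock the host out.

 # extract_ipv4_addr: read `ifconfig <iface>` output on stdin, print the
 # first IPv4 address. net-tools prints "inet addr:A.B.C.D" (old format)
 # or "inet A.B.C.D" (newer format); both are accepted so the value does
 # not silently come out empty on newer hosts.
  extract_ipv4_addr() {
    awk '$1 == "inet" { a = $2; sub(/^addr:/, "", a); print a; exit }'
  }

 # extract_ipv6_addr: read `ip -6 addr show` output on stdin, print the
 # first global-scope IPv6 address with its "/NN" prefix length stripped.
 # Only the first address is used (exit) so the variable never expands to
 # several words; a host with more than one global address needs extra
 # rules for the others.
  extract_ipv6_addr() {
    awk '/scope global/ { a = $2; sub(/\/.*/, "", a); print a; exit }'
  }

  ipv4_venet0_0=$(ifconfig venet0:0 2>/dev/null | extract_ipv4_addr)
  ipv6_venet0=$(ip -6 addr show 2>/dev/null | extract_ipv6_addr)

 # General behaviour settings
  # Upper bound on LOG entries per hour for the drop/reject/accept chains
  # (-m limit), so a packet flood cannot fill the syslog.
  log_per_hour=600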
	
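case "${1:-}" in
 start)
  # Fail early if the IPv4 address of venet0:0 is unknown: every allow rule
  # below is bound to it, so with an empty value the rules would not be
  # added and the DROP policies would lock the host out (no ssh). Abort
  # BEFORE touching the tables so the previous ruleset stays in place and
  # the init system sees a non-zero status.
  if [ -z "$ipv4_venet0_0" ]; then
    echo "IP-Paketfilter: keine IPv4-Adresse auf venet0:0 gefunden - Abbruch" >&2
    exit 1
  fi
  # IPv6 is optional: without an address the ip6tables host rules fail
  # one by one and the v6 policies stay at DROP (fail closed) - warn only.
  if [ -z "$ipv6_venet0" ]; then
    echo "IP-Paketfilter: keine globale IPv6-Adresse gefunden - ip6tables Hostregeln schlagen fehl" >&2
  fi

  echo -n "Starte IP-Paketfilter (venet0:0) "

  # Default policies BEFORE flushing: if the previous policy was ACCEPT
  # (kernel default at boot, or after "stop"), flushing first would leave
  # the host wide open between -F and -P.
   iptables -P INPUT DROP
   iptables -P OUTPUT DROP
   iptables -P FORWARD DROP

   ip6tables -P INPUT DROP
   ip6tables -P OUTPUT DROP
   ip6tables -P FORWARD DROP

  # Flush tables: -F empties the built-in chains, -X removes user-defined
  # chains (after -F, a referenced chain cannot be deleted), -Z resets
  # the counters. Done for v4 and v6 alike.
   iptables -F
   iptables -t mangle -F
   iptables -X
   iptables -t mangle -X
   iptables -Z

   ip6tables -F
   ip6tables -t mangle -F
   ip6tables -X
   ip6tables -t mangle -X
   ip6tables -Z

  # Fill default drop chains: rate-limited LOG, then DROP
   iptables -N default_drop_v4
   iptables -A default_drop_v4 -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "default_drop_v4 "
   iptables -A default_drop_v4 -j DROP

   ip6tables -N default_drop_v6
   ip6tables -A default_drop_v6 -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "default_drop_v6 "
   ip6tables -A default_drop_v6 -j DROP

  # Fill default reject chains: used on OUTPUT so a local process gets an
  # immediate error instead of a timeout. The REJECT itself is rate-limited
  # and falls back to DROP, so the host cannot be used as an ICMP amplifier.
   iptables -N default_reject_v4
   iptables -A default_reject_v4 -p tcp -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "default_reject_tcp "
   iptables -A default_reject_v4 -p tcp -m limit --limit "$log_per_hour/h" -j REJECT --reject-with tcp-reset
   iptables -A default_reject_v4 -p tcp -j DROP
   iptables -A default_reject_v4 -p udp -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "default_reject_udp "
   iptables -A default_reject_v4 -p udp -m limit --limit "$log_per_hour/h" -j REJECT --reject-with icmp-port-unreachable
   iptables -A default_reject_v4 -p udp -j DROP
   iptables -A default_reject_v4 -p icmp -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "default_drop_icmp "
   iptables -A default_reject_v4 -p icmp -j DROP
   iptables -A default_reject_v4 -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "default_reject_unknown_proto "
   iptables -A default_reject_v4 -m limit --limit "$log_per_hour/h" -j REJECT --reject-with icmp-proto-unreachable
   iptables -A default_reject_v4 -j DROP

  # IPv6 counterpart of default_reject_v4 (ICMPv6 has no proto-unreachable,
  # adm-prohibited is used for unknown protocols).
   ip6tables -N default_reject_v6
   ip6tables -A default_reject_v6 -p tcp -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "default_reject_tcp6 "
   ip6tables -A default_reject_v6 -p tcp -m limit --limit "$log_per_hour/h" -j REJECT --reject-with tcp-reset
   ip6tables -A default_reject_v6 -p tcp -j DROP
   ip6tables -A default_reject_v6 -p udp -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "default_reject_udp6 "
   ip6tables -A default_reject_v6 -p udp -m limit --limit "$log_per_hour/h" -j REJECT --reject-with icmp6-port-unreachable
   ip6tables -A default_reject_v6 -p udp -j DROP
   ip6tables -A default_reject_v6 -p ipv6-icmp -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "default_drop_icmp6 "
   ip6tables -A default_reject_v6 -p ipv6-icmp -j DROP
   ip6tables -A default_reject_v6 -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "default_reject_unknown_proto6 "
   ip6tables -A default_reject_v6 -m limit --limit "$log_per_hour/h" -j REJECT --reject-with icmp6-adm-prohibited
   ip6tables -A default_reject_v6 -j DROP

  # Fill default accept chains (ACCEPT with rate-limited logging)
   iptables -N default_accept_v4
   iptables -A default_accept_v4 -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "default_accept_v4 "
   iptables -A default_accept_v4 -j ACCEPT

   ip6tables -N default_accept_v6
   ip6tables -A default_accept_v6 -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "default_accept_v6 "
   ip6tables -A default_accept_v6 -j ACCEPT

  # Allow connections on loopback
   iptables -A INPUT -i lo -j ACCEPT
   iptables -A OUTPUT -o lo -j ACCEPT

   ip6tables -A INPUT -i lo -j ACCEPT
   ip6tables -A OUTPUT -o lo -j ACCEPT

#  # Create a blacklist with ipset (ipset version > 5 needed for ipv6)
#  # fill it e.g. from a script: "ipset add blacklist 11.144.0.0/12"
#  # Fail2Ban or http://bogeskov.dk/Ipset.html
#  # Spamhaus DROP list http://www.spamhaus.org/drop/
#  # DShield Top20 attackers http://feeds.dshield.org/block.txt
#  # or http://www.ipdeny.com/ipblocks/data/countries/de.zone as a whitelist?
#   ipset create blacklist hash:net
#   iptables -I INPUT -m set --match-set blacklist src -j DROP
#   ip6tables -I INPUT -m set --match-set blacklist src -j DROP

  # Drop packets the connection tracker classifies as INVALID (logged first)
   iptables -A INPUT -m state --state INVALID -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "input_state_v4 ungueltig "
   iptables -A OUTPUT -m state --state INVALID -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "output_state_v4 ungueltig "
   iptables -A FORWARD -m state --state INVALID -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "forward_state_v4 ungueltig "
   iptables -A INPUT -m state --state INVALID -j DROP
   iptables -A OUTPUT -m state --state INVALID -j DROP
   iptables -A FORWARD -m state --state INVALID -j DROP

   ip6tables -A INPUT -m state --state INVALID -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "input_state_v6 ungueltig "
   ip6tables -A OUTPUT -m state --state INVALID -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "output_state_v6 ungueltig "
   ip6tables -A FORWARD -m state --state INVALID -m limit --limit "$log_per_hour/h" -j LOG --log-level info --log-prefix "forward_state_v6 ungueltig "
   ip6tables -A INPUT -m state --state INVALID -j DROP
   ip6tables -A OUTPUT -m state --state INVALID -j DROP
   ip6tables -A FORWARD -m state --state INVALID -j DROP

  # Accept packets belonging to known connections from the state table
   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

   ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  ########
  ## INPUT - from here on incoming connections are allowed
  ## ICMP echo requests from outside, at most 5/s
    iptables -A INPUT -p icmp -d "$ipv4_venet0_0" --icmp-type "echo-request" -m limit --limit 5/s -m state --state NEW -j ACCEPT
    ip6tables -A INPUT -p ipv6-icmp -d "$ipv6_venet0" --icmpv6-type "echo-request" -m limit --limit 5/s -m state --state NEW -j ACCEPT

   # ssh - ipv4 & ipv6 - limited per source IP to 3 new connections/hour
   # with a burst of 6 (hashlimit); excess attempts fall through to the
   # default drop chain at the end of INPUT.
    iptables -A INPUT -p tcp -d "$ipv4_venet0_0" --dport 22 \
             -m hashlimit --hashlimit 3/hour --hashlimit-mode srcip --hashlimit-name sshv4 --hashlimit-burst 6 \
             -m state --state NEW -j default_accept_v4
    ip6tables -A INPUT -p tcp -d "$ipv6_venet0" --dport 22 \
              -m hashlimit --hashlimit 3/hour --hashlimit-mode srcip --hashlimit-name sshv6 --hashlimit-burst 6 \
              -m state --state NEW -j default_accept_v6

   ## local Bind9 - DNS queries from the Internet
   # iptables -A INPUT -d "$ipv4_venet0_0" -p udp --dport 53 -m state --state NEW -j ACCEPT
   # iptables -A INPUT -d "$ipv4_venet0_0" -p tcp --dport 53 -m state --state NEW -j ACCEPT
   # ip6tables -A INPUT -d "$ipv6_venet0" -p udp --dport 53 -m state --state NEW -j ACCEPT
   # ip6tables -A INPUT -d "$ipv6_venet0" -p tcp --dport 53 -m state --state NEW -j ACCEPT

   ## allow https and http from the Internet
   # iptables -A INPUT -d "$ipv4_venet0_0" -p tcp -m multiport --dport 80,443 -m state --state NEW -j ACCEPT
   # ip6tables -A INPUT -d "$ipv6_venet0" -p tcp -m multiport --dport 80,443 -m state --state NEW -j ACCEPT

   ## teamspeak3 server INPUT ...
   # iptables -A INPUT -d "$ipv4_venet0_0" -p tcp --dport 30033 --sport 1024:65535 -m state --state NEW -j ACCEPT
   # iptables -A INPUT -d "$ipv4_venet0_0" -p tcp --dport 41144 --sport 1024:65535 -m state --state NEW -j ACCEPT
   # iptables -A INPUT -d "$ipv4_venet0_0" -p udp --dport 9987 --sport 1024:65535 -m state --state NEW -j ACCEPT
   # iptables -A INPUT -d "$ipv4_venet0_0" -p udp --dport 9986 --sport 1024:65535 -m state --state NEW -j ACCEPT
   #
   # ip6tables -A INPUT -d "$ipv6_venet0" -p tcp --dport 30033 --sport 1024:65535 -m state --state NEW -j ACCEPT
   # ip6tables -A INPUT -d "$ipv6_venet0" -p tcp --dport 41144 --sport 1024:65535 -m state --state NEW -j ACCEPT
   # ip6tables -A INPUT -d "$ipv6_venet0" -p udp --dport 9987 --sport 1024:65535 -m state --state NEW -j ACCEPT
   # ip6tables -A INPUT -d "$ipv6_venet0" -p udp --dport 9986 --sport 1024:65535 -m state --state NEW -j ACCEPT

   ## we offer a Mumble server to the Internet
   # iptables -A INPUT -d "$ipv4_venet0_0" -p udp -m multiport --dport 64737,64738,64739 -m state --state NEW -j ACCEPT
   # iptables -A INPUT -d "$ipv4_venet0_0" -p tcp -m multiport --dport 64737,64738,64739 -m state --state NEW -j ACCEPT
   # ip6tables -A INPUT -d "$ipv6_venet0" -p udp -m multiport --dport 64737,64738,64739 -m state --state NEW -j ACCEPT
   # ip6tables -A INPUT -d "$ipv6_venet0" -p tcp -m multiport --dport 64737,64738,64739 -m state --state NEW -j ACCEPT

  #########
  ## OUTPUT - from here on outgoing connections are allowed - root first
  ## root may open anything towards the Internet (logged via default_accept).
  ## NOTE(review): -m owner only matches locally generated packets with a
  ## socket owner; kernel-generated IPv6 traffic (e.g. neighbour discovery)
  ## has none and ends in the reject chain - confirm this is fine on venet0.
    iptables -A OUTPUT -s "$ipv4_venet0_0" -m owner --uid-owner 0 -m state --state NEW -j default_accept_v4
    ip6tables -A OUTPUT -s "$ipv6_venet0" -m owner --uid-owner 0 -m state --state NEW -j default_accept_v6

   ## local Bind9 - queries to the Internet (uid 101 = bind, adjust to your system)
   # iptables -A OUTPUT -s "$ipv4_venet0_0" -p udp --dport 53 -m owner --uid-owner 101 -m state --state NEW -j ACCEPT
   # iptables -A OUTPUT -s "$ipv4_venet0_0" -p tcp --dport 53 -m owner --uid-owner 101 -m state --state NEW -j ACCEPT
   # ip6tables -A OUTPUT -s "$ipv6_venet0" -p udp --dport 53 -m owner --uid-owner 101 -m state --state NEW -j ACCEPT
   # ip6tables -A OUTPUT -s "$ipv6_venet0" -p tcp --dport 53 -m owner --uid-owner 101 -m state --state NEW -j ACCEPT

   ## teamspeak3 server OUTPUT ... (uid 10001 = teamspeak service user)
   # iptables -A OUTPUT -s "$ipv4_venet0_0" -p tcp --dport 2008 -m owner --uid-owner 10001 -m state --state NEW -j ACCEPT
   # iptables -A OUTPUT -s "$ipv4_venet0_0" -p tcp --dport 2010 -m owner --uid-owner 10001 -m state --state NEW -j ACCEPT
   # iptables -A OUTPUT -s "$ipv4_venet0_0" -p udp --dport 2010 -m owner --uid-owner 10001 -m state --state NEW -j ACCEPT
   #
   # ip6tables -A OUTPUT -s "$ipv6_venet0" -p tcp --dport 2008 -m owner --uid-owner 10001 -m state --state NEW -j ACCEPT
   # ip6tables -A OUTPUT -s "$ipv6_venet0" -p tcp --dport 2010 -m owner --uid-owner 10001 -m state --state NEW -j ACCEPT
   # ip6tables -A OUTPUT -s "$ipv6_venet0" -p udp --dport 2010 -m owner --uid-owner 10001 -m state --state NEW -j ACCEPT

  # Last rules: reject/drop everything else, with logging (klogd must run).
  # OUTPUT uses the reject chains so local processes fail fast; INPUT and
  # FORWARD drop silently towards the sender.
   iptables -A OUTPUT -j default_reject_v4
   iptables -A INPUT -j default_drop_v4
   iptables -A FORWARD -j default_drop_v4

   ip6tables -A OUTPUT -j default_reject_v6
   ip6tables -A INPUT -j default_drop_v6
   ip6tables -A FORWARD -j default_drop_v6

  echo "..."

 ;;

 stop)
  # CAUTION: "stop" removes all filtering and sets INPUT/OUTPUT to ACCEPT;
  # the host is fully exposed until "start" runs again. Only FORWARD
  # stays DROP.
  echo "Stoppe IP-Paketfilter (ACCEPT ALL - FORWARD bleibt DROP)"
   # Flush tables
    iptables -F
    iptables -t mangle -F
    iptables -X
    iptables -t mangle -X

    ip6tables -F
    ip6tables -t mangle -F
    ip6tables -X
    ip6tables -t mangle -X
    ip6tables -Z

   # Set default policies
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP

    ip6tables -P INPUT ACCEPT
    ip6tables -P OUTPUT ACCEPT
    ip6tables -P FORWARD DROP

   ## ipset destroy blacklist
   # ipset destroy blacklist

 ;;

 status)
   echo "#########################"
   echo "### Tabelle filter v4 ###"
   echo "#########################"
    iptables -L -vn
   echo "#########################"
   echo "### Tabelle filter v6 ###"
   echo "#########################"
    ip6tables -L -vn
   #echo "#########################"
   #echo "### Tabelle blacklist ###"
   #echo "#########################"
   # ipset -L blacklist
 ;;

 *)
  # Usage errors go to stderr so they are not mistaken for status output
  echo "Fehlerhafter Aufruf" >&2
  echo "Syntax: $0 {start|stop|status}" >&2
  exit 1
 ;;
esac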

