
Simple firewall with netfilter / iptables


Kita terkadang terkena attack / serangan dari pihak yang tidak bertanggung jawab, dan tidak hanya itu, mungkin saja data atau informasi kita diambil oleh orang tersebut. Sebagai seorang Network dan System engineer, di bawah ini saya berikan sedikit filtering dan blocking jaringan dari attack dan serangan yang tidak-tidak. Caranya cukup mudah; berikut saya berikan secara bertahap.

 

1. Buat file /etc/init.d/firewall (bisa pakai vim, nano, atau editor lainnya): vim /etc/init.d/firewall

Kemudian isi dengan shell script berikut:

#! /bin/bash
#
# /etc/init.d/firewall
#
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $network syslog
# Required-Stop:
# Should-Stop:
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
# Short-Description: Firewall configuration
### END INIT INFO

##############################################################################
# DEFAULT POLICY
SetDefaultPolicy() {
	# Default-deny on every built-in chain of the filter table; only the
	# explicit ACCEPT rules appended afterwards let any traffic through.
	local chain
	for chain in INPUT OUTPUT FORWARD; do
		iptables -P "$chain" DROP
	done
}

##############################################################################
# FLUSH TABLES
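FlushTables() {
	# Empty every rule in the nat, mangle and filter tables, then delete the
	# user-defined chains in each of them so a re-run starts from a clean
	# slate. A bare "iptables -X" only touches the filter table, which left
	# stale user chains behind in nat and mangle on every restart.
	local table
	for table in nat mangle filter; do
		iptables -F -t "$table"
	done
	for table in nat mangle filter; do
		iptables -X -t "$table"
	done
}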

##############################################################################
# ROUTING
EnableRouting() {
	# Switch on IPv4 forwarding in the kernel; without it the FORWARD chain
	# never sees a packet.
	local -r knob=/proc/sys/net/ipv4/ip_forward
	printf '1\n' > "$knob"
}

DisableRouting() {
	# Switch off IPv4 forwarding in the kernel, independently of whatever the
	# FORWARD chain policy is.
	local -r knob=/proc/sys/net/ipv4/ip_forward
	printf '0\n' > "$knob"
}

##############################################################################
# FORWARDING
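SetForwardingRules() {
	# Public -> private: only replies to flows the private side opened.
	# Private -> public: only packets that actually carry a source address in
	# $NET_PRV. Without that source check any address arriving on $IF_PRV
	# would be forwarded, and EnableSourceNAT (which does match on
	# $NET_PRV) would let such packets leave un-NATed with a bogus source.
	local -r pub=$IF_PUB prv=$IF_PRV prv_net=$NET_PRV
	iptables -A FORWARD -i "$pub" -o "$prv" -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A FORWARD -i "$prv" -o "$pub" -s "$prv_net" -j ACCEPT
}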

##############################################################################
# LOOPBACK
SetLoopbackRules() {
	# Local processes talking to each other over lo are unrestricted in both
	# directions.
	local -r lo_if=lo
	iptables -A INPUT  -i "$lo_if" -j ACCEPT
	iptables -A OUTPUT -o "$lo_if" -j ACCEPT
}

##############################################################################
# PRIVATE INTERFACES
SetPrivateInterfaceRules() {
	# Trust the private LAN in both directions, but only for addresses that
	# belong to $NET_PRV: a packet on $IF_PRV with a foreign source address
	# is not matched here and falls through to later rules.
	local -r prv_if=$IF_PRV prv_net=$NET_PRV
	iptables -A INPUT  -i "$prv_if" -s "$prv_net" -j ACCEPT
	iptables -A OUTPUT -o "$prv_if" -d "$prv_net" -j ACCEPT
}

#############################################################################
# PUBLIC INTERFACES
SetPublicInterfaceRules() {
	# Inbound on the public side only for replies to flows this host started;
	# the individual service openings are appended by other functions.
	# Outbound on the public side is unrestricted.
	local -r pub_if=$IF_PUB
	iptables -A INPUT  -i "$pub_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A OUTPUT -o "$pub_if" -j ACCEPT
}

##############################################################################
# SOURCE NAT
EnableSourceNAT() {
	# Hide the private LAN behind the public address when it leaves through
	# the public interface. Plain SNAT (rather than MASQUERADE) is enough
	# because $IP_PUB is a fixed constant in this script.
	local -r src_net=$NET_PRV out_if=$IF_PUB nat_ip=$IP_PUB
	iptables -t nat -A POSTROUTING -s "$src_net" -o "$out_if" -j SNAT --to "$nat_ip"
}

# Various ICMP
SetICMP_Open() {
	# Unconditionally accept the ICMP types a well-behaved host needs to
	# receive: 0 (echo reply), 3 (destination unreachable), 11 (time
	# exceeded).
	local icmp_type
	for icmp_type in 0 3 11; do
		iptables -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
	done
	# Echo request (8) is accepted too, but rate-limited so a ping flood
	# cannot keep the host busy answering.
	iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
}

# SSH (on a non-standard port)
SetSSH_Open() {
	# Accept SSH on the public interface, addressed to our own public IP only.
	# The daemon is expected on 2202 rather than the standard port 22.
	local -r ssh_port=2202
	iptables -A INPUT -i "$IF_PUB" -p tcp -d "$IP_PUB" --dport "$ssh_port" -j ACCEPT
}

##############################################################################
# Destination NAT

# smtp
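SetSMTP_DNAT() {
	# Publish the internal mail server on the public address: rewrite the
	# destination in PREROUTING, then accept the (already rewritten) flow in
	# FORWARD. The FORWARD rule is pinned to the DNAT target so the opening
	# does not also forward port-25 traffic to any other host behind the box.
	local -r target=192.168.1.254
	iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport smtp -j DNAT --to "$target"
	iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i "$IF_PUB" -d "$target" -p tcp --dport smtp -j ACCEPT
}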

# pop3
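SetPOP3_DNAT() {
	# Publish the internal POP3 server on the public address. The FORWARD
	# accept is pinned to the DNAT target so it does not forward port-110
	# traffic to arbitrary internal hosts.
	# NOTE(review): 192.168.10.254 lies outside NET_PRV (192.168.1.0/24) as
	# set in this script — confirm that is the intended target.
	local -r target=192.168.10.254
	iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport pop3 -j DNAT --to "$target"
	iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i "$IF_PUB" -d "$target" -p tcp --dport pop3 -j ACCEPT
}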

# Webmail (444->443)
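SetWebmail_DNAT() {
	# Webmail is published on public port 444 and lands on the internal
	# server's port 443. The FORWARD accept is pinned to that server so it
	# does not open HTTPS forwarding towards every host reachable via $IF_PRV.
	# NOTE(review): 192.168.10.254 lies outside NET_PRV (192.168.1.0/24) as
	# set in this script — confirm it is reachable over $IF_PRV.
	local -r target=192.168.10.254 public_port=444 target_port=443
	iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport "$public_port" -j DNAT --to "$target:$target_port"
	iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o "$IF_PRV" -d "$target" -p tcp --dport "$target_port" -j ACCEPT
}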

# http
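SetHTTP_DNAT() {
	# Publish the internal web server on the public address. The FORWARD
	# accept is pinned to the DNAT target so it does not forward port-80
	# traffic to arbitrary internal hosts.
	# NOTE(review): 192.168.10.253 lies outside NET_PRV (192.168.1.0/24) as
	# set in this script — confirm that is the intended target.
	local -r target=192.168.10.253
	iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport http -j DNAT --to "$target"
	iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i "$IF_PUB" -d "$target" -p tcp --dport http -j ACCEPT
}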

# Blocked protocols
SetBlockedProtocols() {
	# Drop the IRC service ports (plain, server-to-server and TLS) over both
	# TCP and UDP, since IRC is a common botnet command channel.
	local service proto
	for service in irc irc-serv ircs; do
		for proto in tcp udp; do
			iptables -A INPUT -p "$proto" --dport "$service" -j DROP
		done
	done
}

# Blocked hosts
SetBlockedHosts() {
	# Individual public-side sources refused outright, both for traffic to
	# this host and for traffic it would forward. REJECT with an ICMP error
	# rather than DROP so the peer sees the refusal at once.
	local -r banned_host=10.220.231.236
	local chain
	for chain in INPUT FORWARD; do
		iptables -A "$chain" -i "$IF_PUB" -s "$banned_host" -j REJECT --reject-with icmp-host-prohibited
	done
}

# Blocked networks
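SetBlockedNetworks() {
	# Whole networks refused on the public side, for this host and for
	# forwarded traffic alike. The FORWARD rule must not be restricted to
	# "-d $IP_PUB": by the time a packet reaches FORWARD, the DNAT rules in
	# PREROUTING have already rewritten its destination to the internal
	# server, so such a match never fires and the banned network could still
	# reach every DNAT-published service. Matching on source only, as
	# SetBlockedHosts does, closes that gap.
	local -r banned_net=10.220.232.0/24
	local chain
	for chain in INPUT FORWARD; do
		iptables -A "$chain" -i "$IF_PUB" -s "$banned_net" -j REJECT --reject-with icmp-net-prohibited
	done
}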

# Specify things to drop before logging
SetPrelogDropRules() {
	# Noise that is not worth a log line: DHCP server chatter (UDP source
	# port bootps) arriving on the public interface is dropped silently
	# before the logging rules run.
	local -r noisy_sport=bootps
	iptables -A INPUT -i "$IF_PUB" -p udp --sport "$noisy_sport" -j DROP
}

# Log those on the public interface
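SetLoggingRules() {
	# Log what is about to fall through to the DROP policy or the final
	# REJECT. Every LOG rule is rate-limited: an unlimited LOG target lets a
	# packet flood fill the syslog partition, which is a denial of service
	# in itself. Packets beyond the limit are not logged but still fall
	# through to the rules after this one exactly as before.
	# NOTE(review): SetPublicInterfaceRules appends an unconditional
	# "OUTPUT -o $IF_PUB -j ACCEPT"; when it runs before this function the
	# OUTPUT LOG rule below is never reached.
	local -r log_limit=5/min log_burst=10
	iptables -A INPUT -i "$IF_PUB" -m limit --limit "$log_limit" --limit-burst "$log_burst" -j LOG --log-prefix="INPUT   "
	iptables -A OUTPUT -o "$IF_PUB" -m limit --limit "$log_limit" --limit-burst "$log_burst" -j LOG --log-prefix="OUTPUT  "
	iptables -A FORWARD -m limit --limit "$log_limit" --limit-burst "$log_burst" -j LOG --log-prefix="FORWARD "
	# NAT-table tracing, kept for debugging only:
#	iptables -t nat -A PREROUTING -i $IF_PUB -j LOG --log-prefix="nPre    "
#	iptables -t nat -A POSTROUTING -o $IF_PUB -j LOG --log-prefix="nPost   "
#	iptables -t nat -A OUTPUT -o $IF_PUB -j LOG --log-prefix="NAT OUT "
}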

# Drop them all
SetDropRules() {
	# Any TCP segment that reaches this point is aimed at a closed port.
	# Answer with a RST, which is what a closed port normally does:
	# "stealthing" buys nothing once some ports on this host are open
	# anyway, so behave as a well-mannered TCP peer instead. Non-TCP
	# traffic is not matched here and ends at the chain's DROP policy.
	iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
}

##############################################################################
# SCRIPT ENTRY POINT

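# printf instead of "echo $1": an unquoted, echo-interpreted argument is the
# wrong tool for printing user-supplied text. Output is byte-identical to the
# former "echo -n ...; echo $1" pair.
printf 'Firewall configuration...%s\n' "$1"

##############################################################################
# ENVIRONMENT
#
# Interface and address constants read by the rule functions above. Only IPv4
# is filtered by this script (it drives iptables only); ip6tables is left
# untouched.

# Private interface
readonly IF_PRV=eth0
readonly IP_PRV=192.168.1.1
readonly NET_PRV=192.168.1.0/24

# Public interface
readonly IF_PUB=eth1
readonly IP_PUB=10.0.0.1
readonly NET_PUB=10.0.0.0/24

# Others
readonly ANYWHERE=0.0.0.0/0

# rc helpers: rc_reset clears the recorded status, rc_exit exits with it.
. /etc/rc.status
rc_reset

##############################################################################
# COMMAND LINE

case "$1" in
	start)
		# Close everything first so there is no open window while the rule
		# set is rebuilt.
		SetDefaultPolicy
		FlushTables

		EnableRouting

		# Explicit blocks are appended first so they take precedence over
		# every ACCEPT rule that follows.
		SetBlockedProtocols
		SetBlockedNetworks
		SetBlockedHosts

		SetForwardingRules

		SetLoopbackRules
		SetPrivateInterfaceRules
		SetPublicInterfaceRules

		EnableSourceNAT

		SetICMP_Open
		SetSSH_Open

		SetSMTP_DNAT
		SetPOP3_DNAT
		SetWebmail_DNAT
		SetHTTP_DNAT

		# Silent drops, then logging, then the final TCP reset.
		SetPrelogDropRules
		SetLoggingRules
		SetDropRules
		;;

	stop)
		# "Stopped" still means default-deny: only the private LAN and
		# replies on the public side stay open. Kernel forwarding is switched
		# off as well rather than relying on the FORWARD policy alone, which
		# the previous version left at 1 after a stop.
		SetDefaultPolicy
		FlushTables

		DisableRouting

		SetPrivateInterfaceRules
		SetPublicInterfaceRules
		;;

	restart)
		"$0" stop
		"$0" start
		;;

	*)
		# An unknown action used to be silently ignored with a success exit.
		printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
		exit 1
		;;
esac

rc_exit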

2. Berikan akses untuk menjalankan script:

chmod +x /etc/init.d/firewall

3. Masukkan ke chkconfig:

chkconfig --add firewall

Untuk melihat daftarnya:

chkconfig --list

Jika sudah, firewall siap dijalankan dan siap menangani serangan.

sekian
ini aja [dot] com
