IPTables Firewall Rule Generator

March 5, 2017 | Views: 16946


Operation of the firewall rule generator

The firewall rules are generated from the logged traffic: the connections that appear in the log while logging is switched on become ACCEPT rules, and everything else is dropped and logged.

Application of the firewall rule generator

1. Switch on traffic logging:

iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG

2. Start the required communications and wait until they have accumulated in the log.

3. Set the variables: log file path, excluded addresses, scanner hosts and scanned hosts.

4. Run the firewall rule generator and wait until the fwrules.sh file has been created.

5. Review the rules in fwrules.sh and edit them if necessary. Every connection that was logged becomes an ACCEPT rule, so anything that should not be permitted has to be removed here.

6. Run firewall.sh.

Source of the firewall rule generator

#!/bin/bash
# Builds fwrules.sh from the iptables LOG entries found in the kernel log.

logfwkernel="$(hostname) kernel"   # marks the kern.log lines written by this host's kernel
logfile=/var/log/kern.log
logtmp=/root/logtmp
fwtmp=/root/fwtmp
fwrules=/root/fwrules.sh
exclude=".255.255"                 # broadcast traffic is not turned into rules

# Own address, taken from /etc/hosts (the script expects exactly one matching line)
hostip=$(grep "$(hostname)" /etc/hosts | awk '{ print $1 }' | sort -u)

# Comma-separated address lists, passed to iptables --src/--dst as they are
scannerhosts="scanner_host_1,scanner_host_2"
scannedhosts="scanned_host_1,scanned_host_2"

rm -f "$logtmp" "$fwtmp" "$fwrules"

# Keep this host's LOG lines, minus own-to-own, loopback, 0.0.0.0 and excluded traffic
grep "$logfwkernel" "$logfile" | grep "IN=.*OUT=" \
  | grep -E -v "SRC=$hostip.*DST=$hostip|SRC=127.0.0.1.*DST=127.0.0.1" \
  | grep -v 0.0.0.0 | grep -v "$exclude" > "$logtmp"

# Is $1 one of the ports this host listens on? Whole-line match, so 80 does not also match 8080.
is_srvport() { [ -n "$1" ] && grep -qx -- "$1" <<< "$srvports"; }

if [ -s "$logtmp" ] ; then
  # TCP and UDP ports in LISTEN state, one per line
  srvports=$(netstat -lptun | grep -e '[1-9].*' | awk '{ print $4 }' | sed -e 's/^.*://g' | sort -u)

  while IFS=$'\n' read -r values ; do
    # Pick the fields out of the LOG line and turn them into iptables options
    inval=$(echo "$values" | gawk '{ if (match($0,/IN=(\S+)/,m)) print m[0] }' | sed 's/IN=/-i /g')
    outval=$(echo "$values" | gawk '{ if (match($0,/OUT=(\S+)/,m)) print m[0] }' | sed 's/OUT=/-o /g')
    protoval=$(echo "$values" | gawk '{ if (match($0,/PROTO=[A-Z](\S+)/,m)) print m[0] }' | sed 's/PROTO=/-p /g')
    typeval=$(echo "$values" | gawk '{ if (match($0,/TYPE=(\S+)/,m)) print m[0] }' | sed 's/TYPE=/--icmp-type /g')
    srcip=$(echo "$values" | gawk '{ if (match($0,/SRC=(\S+)/,m)) print m[1] }')
    srcval=${srcip:+--src $srcip}
    dstval=$(echo "$values" | gawk '{ if (match($0,/DST=(\S+)/,m)) print m[0] }' | sed 's/DST=/--dst /g')
    sptval=$(echo "$values" | gawk '{ if (match($0,/SPT=(\S+)/,m)) print m[1] }')
    dptval=$(echo "$values" | gawk '{ if (match($0,/DPT=(\S+)/,m)) print m[1] }')

    if [ -n "$inval" ] && [ -n "$outval" ] ; then
      # Forwarded traffic: keep both interfaces, both addresses and both ports
      direction="FORWARD"
      sptval=${sptval:+--sport $sptval}
      dptval=${dptval:+--dport $dptval}
    elif [ -n "$inval" ] ; then
      # Inbound: the destination is this host; pin only the port of the listening side
      direction="INPUT"
      dstval=""
      if is_srvport "$dptval" ; then
        sptval=""
        dptval="--dport $dptval"
      else
        dptval=""
        sptval=${sptval:+--sport $sptval}
      fi
    else
      # Outbound: the source is this host; mirror image of the inbound case
      direction="OUTPUT"
      srcval=""
      if is_srvport "$sptval" ; then
        dptval=""
        sptval="--sport $sptval"
      else
        sptval=""
        dptval=${dptval:+--dport $dptval}
      fi
    fi

    # Lines whose source is one of the scanned hosts are not turned into rules
    if [[ ",$scannedhosts," != *",$srcip,"* ]] ; then
      echo "iptables -A" $direction $inval $outval $srcval $dstval $protoval $typeval $sptval $dptval "-j ACCEPT" | tee -a "$fwtmp"
    fi

  done < "$logtmp"

  cat > "$fwrules" <<EOF
#!/bin/bash
#Reset firewall:
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Base rules:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo --src 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo --dst 127.0.0.1 -j ACCEPT
iptables -A INPUT --src $hostip -j ACCEPT
iptables -A OUTPUT --dst $hostip -j ACCEPT

#Enable scanner and scanned hosts:
EOF

  if [ -n "$scannerhosts" ] ; then
    echo "iptables -A INPUT --src $scannerhosts -j ACCEPT" >> "$fwrules"
  fi
  if [ -n "$scannedhosts" ] ; then
    echo "iptables -A OUTPUT --dst $scannedhosts -j ACCEPT" >> "$fwrules"
  fi
  if [ -n "$scannerhosts" ] && [ -n "$scannedhosts" ] ; then
    echo "iptables -A FORWARD --src $scannerhosts --dst $scannedhosts -j ACCEPT" >> "$fwrules"
  fi

  cat >> "$fwrules" <<EOF

#SMURF attack protection:
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

#Drop all invalid packets:
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

#Limit floods of RST packets (smurf attack rejection):
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

#Portscan protection - the scanning IP is blocked for 24 hours (3600 x 24 = 86400 seconds):
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

#Remove the blocked IP after 24 hours:
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

#These rules add scanners to the portscan list and log the attempt:
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

#Recognized communications:
EOF

  sort -u "$fwtmp" >> "$fwrules"

  cat >> "$fwrules" <<EOF

#Other communication (denied) to log:
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG
EOF
  chmod +x "$fwrules"

fi

rm -f "$logtmp" "$fwtmp"
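The rule-derivation step of the generator, reduced to a few shell functions and run over a constructed kern.log excerpt; this is an added example, not part of the original script. The helper names field, is_srvport, gen_rule and gen_rules are chosen here, SAMPLE_LOG and SRVPORTS are constructed sample data, and the listening-port test is a whole-line match rather than the original's substring match.

```shell
#!/bin/sh
# Constructed kern.log excerpt in the format "iptables -j LOG" writes (sample data, not real traffic).
SAMPLE_LOG='Mar  5 10:00:01 fw kernel: [100.1] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  5 10:00:02 fw kernel: [100.2] IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
Mar  5 10:00:03 fw kernel: [100.3] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.20 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  5 10:00:04 fw kernel: [100.4] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.40 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=50000 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  5 10:00:05 fw kernel: [100.5] IN=eth0 OUT=eth1 SRC=192.0.2.30 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=44444 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  5 10:00:06 fw kernel: [100.6] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'
# Ports this host listens on (constructed; the original script reads them with netstat -lptun).
SRVPORTS='22
80'
# field LINE KEY: the value of "KEY=" in LINE, empty if the key is absent or has no value.
field() { printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"; }
# is_srvport PORT: whole-line match, so DPT=8080 is not mistaken for the listener on 80
# (the original's substring test, [[ "$srvports" =~ "$dptval" ]], would accept it).
is_srvport() { [ -n "$1" ] && printf '%s\n' "$SRVPORTS" | grep -qx -- "$1"; }

# gen_rule LINE: one ACCEPT rule for one LOG line, following the generator's logic: the
# chain comes from which of IN=/OUT= is set, this host's own address is dropped, only the
# listening side's port is pinned; FORWARD keeps both interfaces, addresses and ports.
gen_rule() {
  inif=$(field "$1" IN);     outif=$(field "$1" OUT)
  src=$(field "$1" SRC);     dst=$(field "$1" DST)
  proto=$(field "$1" PROTO); type=$(field "$1" TYPE)
  spt=$(field "$1" SPT);     dpt=$(field "$1" DPT)
  ports=""
  if [ -n "$inif" ] && [ -n "$outif" ]; then
    rule="FORWARD -i $inif -o $outif --src $src --dst $dst"
    if [ -n "$spt" ]; then ports=" --sport $spt"; fi        # usually ephemeral: review in step 5
    if [ -n "$dpt" ]; then ports="$ports --dport $dpt"; fi
  elif [ -n "$inif" ]; then
    rule="INPUT -i $inif --src $src"
    if is_srvport "$dpt"; then ports=" --dport $dpt"; elif [ -n "$spt" ]; then ports=" --sport $spt"; fi
  else
    rule="OUTPUT -o $outif --dst $dst"
    if is_srvport "$spt"; then ports=" --sport $spt"; elif [ -n "$dpt" ]; then ports=" --dport $dpt"; fi
  fi
  if [ -n "$type" ]; then proto="$proto --icmp-type $type"; fi   # ICMP lines carry TYPE= instead of ports
  printf 'iptables -A %s -p %s%s -j ACCEPT\n' "$rule" "$proto" "$ports"
}

# gen_rules: every LOG line carrying both IN= and OUT=, duplicates collapsed with sort -u as the generator does.
gen_rules() {
  printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    case $line in *" IN="*" OUT="*) gen_rule "$line" ;; esac
  done | sort -u
}

gen_rules
```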

Backup/restore firewall rules

  • Debian-like system:
/etc/init.d/iptables-persistent save/reload
  • Ubuntu 16.04 system:
netfilter-persistent save/reload