Operation of the firewall rule generator
The base of the firewall rules are the logged traffic.
Application of the firewall rule generator
1. Setting the traffic logging: iptables -A INPUT -j LOGiptables -A OUTPUT -j LOGiptables -A FORWARD -j LOG
2. Start the required communications, and wait to accumulate in logging!
3. Configure the variable: logfile path, exclude addresses, scanned and scanner hosts!
4. Start the firewall rule generator, and wait until the establishment of the fwrules.sh file!
5. If necessary, edit the rules in fwrules.sh file!
6. Start the firewall.sh!
Source of the firewall rule generator
#!/bin/bashlogfwkernel=`hostname`" kernel"logfile=/var/log/kern.loglogtmp=/root/logtmpfwtmp=/root/fwtmpfwrules=/root/fwrules.shexclude=".255.255"hostip=$(cat /etc/hosts | grep `hostname` | awk '{ print $1 }' | sort -u)scannerhosts="scanner_host_1,scanner_host_2"scannedhosts="scanned_host_1,scanned_host_2"rm -f $logtmprm -f $fwtmprm -f $fwrulescat "$logfile" | grep "$logfwkernel" | grep -e ".*IN=.*OUT=.*" | egrep -v "SRC=$hostip.*DST=$hostip|SRC=127.0.0.1.*DST=127.0.0.1" | grep -v 0.0.0.0 | grep -v "$exclude" > $logtmpif [ -s $logtmp ] ; then srvports=`netstat -lptun | grep -e [1-9].* | awk '{ print $4 }' | sed -e 's/^.*://g' | sort -u` while IFS=$'n' read values ; do inval=`echo $values | gawk '{ if (match($0,/IN=(S+)/,m)) print m[0] }' | sed 's/IN=/-i /g'` outval=`echo $values | gawk '{ if (match($0,/OUT=(S+)/,m)) print m[0] }' | sed 's/OUT=/-o /g'` protoval=`echo $values | gawk '{ if (match($0,/PROTO=[A-Z](S+)/,m)) print m[0] }' | sed 's/PROTO=/-p /g'` typeval=`echo $values | gawk '{ if (match($0,/TYPE=(S+)/,m)) print m[0] }' | sed 's/TYPE=/--icmp-type /g'` srcval=`echo $values | gawk '{ if (match($0,/SRC=(S+)/,m)) print m[0] }' | sed 's/SRC=/--src /g'` dstval=`echo $values | gawk '{ if (match($0,/DST=(S+)/,m)) print m[0] }' | sed 's/DST=/--dst /g'` sptval=`echo $values | gawk '{ if (match($0,/SPT=(S+)/,m)) print m[0] }' | sed 's/SPT=//g'` dptval=`echo $values | gawk '{ if (match($0,/DPT=(S+)/,m)) print m[0] }' | sed 's/DPT=//g'` if [ -n "$inval" ] ; then direction="INPUT" dstval="" if [[ "${srvports[@]}" =~ "$dptval" ]] ; then sptval="" if [ -n "$dptval" ] ; then dptval="--dport "$dptval else dptval="" fi else dptval="" if [ -n "$sptval" ] ; then sptval="--sport "$sptval else sptval="" fi fi fi if [ -n "$outval" ] ; then direction="OUTPUT" srcval="" if [[ "${srvports[@]}" =~ "$sptval" ]] ; then dptval="" if [ -n "$sptval" ] ; then sptval="--sport "$sptval else sptval="" fi else sptval="" if [ -n "$dptval" ] ; then dptval="--dport "$dptval else dptval="" fi fi fi if [ -n "$inval" ] && [ -n "$outval" ] ; then direction="FORWARD" if [ -n "$sptval" ] ; then sptval="--sport "$sptval else sptval="" fi if [ -n "$dptval" ] ; then dptval="--dport "$dptval else dptval="" fi fi if [[ ! "${scannedhosts[@]}" =~ "$srcval" ]] ; then echo "iptables -A" $direction $inval $outval $srcval $dstval $protoval $typeval $sptval $dptval "-j ACCEPT" echo "iptables -A" $direction $inval $outval $srcval $dstval $protoval $typeval $sptval $dptval "-j ACCEPT" >> $fwtmp fi done < $logtmp echo "#!/bin/bash" > $fwrules echo "#Reset firewall:" >> $fwrules echo iptables -F >> $fwrules echo iptables -P INPUT DROP >> $fwrules echo iptables -P OUTPUT DROP >> $fwrules echo iptables -P FORWARD DROP >> $fwrules echo "#Base rules:" >> $fwrules echo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT >> $fwrules echo iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT >> $fwrules echo iptables -A INPUT -i lo --src 127.0.0.1 -j ACCEPT >> $fwrules echo iptables -A OUTPUT -o lo --dst 127.0.0.1 -j ACCEPT >> $fwrules echo iptables -A INPUT --src $hostip -j ACCEPT >> $fwrules echo iptables -A OUTPUT --dst $hostip -j ACCEPT >> $fwrules echo "#Enable scanner and scanned hosts:" >> $fwrules if [ -n "$scannerhosts" ] ; then echo iptables -A INPUT --src $scannerhosts -j ACCEPT >> $fwrules fi if [ -n "$scannedhosts" ] ; then echo iptables -A OUTPUT --dst $scannedhosts -j ACCEPT >> $fwrules fi if [ -n "$scannerhosts" ] && [ -n "$scannedhosts" ] ; then echo iptables -A FORWARD --src $scannerhosts --dst $scannedhosts -j ACCEPT >> $fwrules fi echo "#SMURF attack protection:" >> $fwrules echo iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP >> $fwrules echo iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP >> $fwrules echo iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT >> $fwrules echo "#Droping all invalid packets:" >> $fwrules echo iptables -A INPUT -m state --state INVALID -j DROP >> $fwrules echo iptables -A FORWARD -m state --state INVALID -j DROP >> $fwrules echo iptables -A OUTPUT -m state --state INVALID -j DROP >> $fwrules echo "#Flooding of RST packets, smurf attack Rejection:" >> $fwrules echo iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT >> $fwrules echo "#Protecting portscans - Attacking IP will be locked for 24 hours (3600 x 24 = 86400 Seconds):" >> $fwrules echo iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP >> $fwrules echo iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP >> $fwrules echo "#Remove attacking IP after 24 hours:" >> $fwrules echo iptables -A INPUT -m recent --name portscan --remove >> $fwrules echo iptables -A FORWARD -m recent --name portscan --remove >> $fwrules echo "#These rules add scanners to the portscan list, and log the attempt:" >> $fwrules echo iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:" >> $fwrules echo iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP >> $fwrules echo iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:" >> $fwrules echo iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP >> $fwrules echo "#Recognized communications:" >> $fwrules cat $fwtmp | sort -u >> $fwrules echo "#Other communication (denied) to log:" >> $fwrules echo iptables -A INPUT -j LOG >> $fwrules echo iptables -A OUTPUT -j LOG >> $fwrules echo iptables -A FORWARD -j LOG >> $fwrules chmod +x $fwrulesfirm -f $logtmprm -f $fwtmp
Backup/restore firewall rules
- Debian-like system: /etc/init.d/iptables-persistent save/reload
- Ubuntu 16.04 system: netfilter-persistent save/reload