1 #!/bin/bash
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2009 Michael Tremer & Christian Schmidt #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
#######################################
# Bring up the firewall: reset the iptables state, then install the two
# sanity chains (TCP flag validation and connection tracking).
# Globals:   none read or written directly
# Arguments: none
# Outputs:   progress message via decho
# Returns:   status of the last step run
#######################################
function firewall_init() {
	decho "Initializing firewall interface."

	# Order matters: iptables_init clears the tables the chains below are
	# appended to, so it must run first.
	local step
	for step in iptables_init firewall_tcp_state_flags firewall_connection_tracking; do
		"${step}"
	done
}
28
#######################################
# Install the BADTCP chain: TCP segments carrying flag combinations that
# never occur in a legitimate conversation are logged once and dropped.
# Globals:   BOLD, NORMAL (read, for the status message)
# Arguments: none
# Outputs:   status message via vecho
# Returns:   status of the last iptables call
#######################################
function firewall_tcp_state_flags() {
	vecho "Adding ${BOLD}TCP State Flags${NORMAL} chain..."

	# Logging target: log, then drop. iptables_LOG is defined elsewhere; the
	# expansion is left unquoted on purpose so its output is split into the
	# target name and its options — NOTE(review): confirm it tolerates the
	# spaces inside the prefix string.
	chain_create BADTCP_LOG
	iptables -A BADTCP_LOG -p tcp -j $(iptables_LOG "Illegal TCP state: ")
	iptables -A BADTCP_LOG -j DROP

	# Each entry is "<mask> <flags-that-must-be-set>" as taken by --tcp-flags:
	# no flags at all, mutually exclusive pairs, and FIN/PSH/URG without ACK.
	local -a illegal_flags=(
		"ALL NONE"
		"SYN,FIN SYN,FIN"
		"SYN,RST SYN,RST"
		"FIN,RST FIN,RST"
		"ACK,FIN FIN"
		"ACK,PSH PSH"
		"ACK,URG URG"
	)

	chain_create BADTCP
	local entry mask want
	for entry in "${illegal_flags[@]}"; do
		mask="${entry% *}"
		want="${entry#* }"
		iptables -A BADTCP -p tcp --tcp-flags "${mask}" "${want}" -j BADTCP_LOG
	done

	# Inspect TCP in every direction, including traffic this host originates.
	local chain
	for chain in INPUT OUTPUT FORWARD; do
		iptables -A "${chain}" -p tcp -j BADTCP
	done
}
48
#######################################
# Install the CONNTRACK chain: accept packets belonging to a tracked
# connection, log and drop packets conntrack marks INVALID.
# Globals:   BOLD, NORMAL (read, for the status message)
# Arguments: none
# Outputs:   status message via vecho
# Returns:   status of the last iptables call
#######################################
function firewall_connection_tracking() {
	vecho "Adding ${BOLD}Connection Tracking${NORMAL} chain..."

	chain_create CONNTRACK
	# Fast path: anything conntrack already knows about is accepted here.
	iptables -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT

	# INVALID packets cannot be associated with any connection; log, then drop.
	# iptables_LOG is defined elsewhere and its output is deliberately left
	# unquoted so the target and its options become separate arguments.
	local -a invalid=(-A CONNTRACK -m state --state INVALID)
	iptables "${invalid[@]}" -j $(iptables_LOG "INVALID packet: ")
	iptables "${invalid[@]}" -j DROP

	# Only TCP is sent through this chain. NOTE(review): UDP/ICMP reply
	# traffic and non-TCP INVALID packets are not handled here — confirm the
	# rest of the ruleset covers them.
	local chain
	for chain in INPUT OUTPUT FORWARD; do
		iptables -A "${chain}" -p tcp -j CONNTRACK
	done
}
59 }