1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2009 Michael Tremer & Christian Schmidt # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
function firewall_init() {
	# Entry point that builds the baseline filter rules.
	# Order matters: the two chain helpers below append (-A) their jump rules
	# to INPUT/OUTPUT/FORWARD, so the bad-TCP-flags check ends up ahead of
	# the conntrack ESTABLISHED,RELATED accept in every builtin chain.
	# iptables_init is defined elsewhere; presumably it prepares the base
	# tables/chains before anything is appended — confirm.
	decho "Initializing firewall interface."
	iptables_init
	firewall_tcp_state_flags
	firewall_connection_tracking
}
28 | ||
function firewall_tcp_state_flags() {
	# Rejects TCP segments carrying flag combinations that do not occur in
	# normal TCP (no flags at all, SYN+FIN, SYN+RST, FIN+RST, and FIN/PSH/URG
	# without ACK). Matches are sent to BADTCP_LOG, which logs and then drops.
	vecho "Adding ${BOLD}TCP State Flags${NORMAL} chain..."

	chain_create BADTCP_LOG
	# iptables_LOG (defined elsewhere) is expected to print the LOG target and
	# its options; the unquoted $(...) deliberately relies on word splitting to
	# turn that output into separate arguments.
	# NOTE(review): confirm iptables_LOG rate-limits (-m limit) so a stream of
	# malformed segments cannot fill the log, and that a prefix containing
	# spaces survives the word splitting.
	iptables -A BADTCP_LOG -p tcp -j $(iptables_LOG "Illegal TCP state: ")
	iptables -A BADTCP_LOG -j DROP

	chain_create BADTCP
	# Each entry is "<mask> <flags that must be set within the mask>", i.e. the
	# two arguments --tcp-flags takes. The order is the same as the original
	# rule list.
	# NOTE(review): "ALL ALL" and "ALL FIN,PSH,URG" are not in this list;
	# consider whether they should be.
	local flag_rule
	for flag_rule in \
		"ALL NONE" \
		"SYN,FIN SYN,FIN" \
		"SYN,RST SYN,RST" \
		"FIN,RST FIN,RST" \
		"ACK,FIN FIN" \
		"ACK,PSH PSH" \
		"ACK,URG URG"; do
		# shellcheck disable=SC2086 -- intentional split into mask and flags
		iptables -A BADTCP -p tcp --tcp-flags ${flag_rule} -j BADTCP_LOG
	done

	# Hook the check into every builtin chain. -A appends, so it sits after
	# whatever was already placed there.
	local builtin_chain
	for builtin_chain in INPUT OUTPUT FORWARD; do
		iptables -A ${builtin_chain} -p tcp -j BADTCP
	done
}
48 | ||
function firewall_connection_tracking() {
	# Stateful shortcut: packets that conntrack attributes to a known
	# connection (or one related to it) are accepted immediately; packets it
	# cannot classify are logged and dropped. The chain has no rule for NEW,
	# so such packets return to the caller and hit whatever follows the jump.
	vecho "Adding ${BOLD}Connection Tracking${NORMAL} chain..."

	chain_create CONNTRACK
	iptables -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT
	# The INVALID match appears twice on purpose: the LOG target does not
	# terminate rule traversal, so a separate DROP rule is required.
	# NOTE(review): confirm iptables_LOG (defined elsewhere) rate-limits,
	# otherwise INVALID packets can flood the log.
	iptables -A CONNTRACK -m state --state INVALID -j $(iptables_LOG "INVALID packet: ")
	iptables -A CONNTRACK -m state --state INVALID -j DROP

	# Only TCP is diverted into CONNTRACK, so UDP and ICMP never reach the
	# ESTABLISHED,RELATED accept above.
	# NOTE(review): confirm this is intentional; ICMP errors RELATED to TCP
	# flows are not accepted by this chain.
	local builtin_chain
	for builtin_chain in INPUT OUTPUT FORWARD; do
		iptables -A ${builtin_chain} -p tcp -j CONNTRACK
	done
}