Firewall script design

Step by step

To implement this case, follow the steps below.
Step 1: write a typical Linux gateway firewall script

1) write the script file /opt/ipfw-gw.sh

[root@gw1 ~]# vim /opt/ipfw-gw.sh
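#!/bin/bash
## 2015.05.20 TsengYia.
## Gateway firewall for the LAN: SNAT outbound LAN traffic, DNAT TCP/80 to the
## internal web server, default-deny on INPUT and FORWARD.
## Must run as root; intended to be called from /etc/rc.local at boot.
#### 1. Define environment variables for easy migration ####
INET_IF="eth1"             # Internet-facing interface
INET_IP="174.16.16.1"      # public address used for SNAT / DNAT
LAN_NET="192.168.4.0/24"   # internal network
LAN_WWW_IP="192.168.4.5"   # internal web server reached through DNAT
IPT="/sbin/iptables"
#### 2. Adjustment of kernel parameters and related modules ####
/sbin/modprobe nf_nat_ftp   # NAT helper so FTP data connections survive SNAT
/sbin/sysctl -w net.ipv4.ip_forward=1
/sbin/sysctl -w net.ipv4.ip_default_ttl=128
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_all=1   # the gateway itself will not answer ping
# "=1" was missing here: sysctl -w needs key=value, otherwise the setting is rejected.
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
/sbin/sysctl -w net.ipv4.tcp_syncookies=1
/sbin/sysctl -w net.ipv4.tcp_syn_retries=3
/sbin/sysctl -w net.ipv4.tcp_synack_retries=3
/sbin/sysctl -w net.ipv4.tcp_fin_timeout=60
/sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=3200
#### 3. Clear old rules and set default rules for each chain ####
#/etc/init.d/iptables stop
# Flush (-F) before deleting user-defined chains (-X): -X only removes chains
# that are already empty and unreferenced, so -X before -F leaves old chains behind.
for table in filter nat mangle raw; do
  "$IPT" -t "$table" -F
  "$IPT" -t "$table" -X
done
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT ACCEPT
#### 4. Custom rules .. ####
#### 4.1 detailed strategy of NAT table
# Outbound LAN traffic leaves with the public address.
"$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$INET_IF" -j SNAT --to-source "$INET_IP"
# Inbound TCP/80 on the public address is redirected to the internal web server.
"$IPT" -t nat -A PREROUTING -i "$INET_IF" -d "$INET_IP" -p tcp --dport 80 \
  -j DNAT --to-destination "$LAN_WWW_IP"
#### 4.2 detailed strategy of filter table
# Loopback must be allowed explicitly under a DROP policy, otherwise local
# services that talk to 127.0.0.1 (resolver, etc.) stop working.
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH is accepted on every interface; add -i/-s restrictions if the gateway
# should only be administered from the LAN or from a fixed set of addresses.
"$IPT" -A INPUT -p tcp --dport 22 -j ACCEPT
"$IPT" -A FORWARD -s "$LAN_NET" -o "$INET_IF" -p udp --dport 53 -j ACCEPT
"$IPT" -A FORWARD -s "$LAN_NET" -o "$INET_IF" -p tcp \
  -m multiport --dport 20:22,25,80,110,143,443,993,995 -j ACCEPT
"$IPT" -A FORWARD -d "$LAN_NET" -i "$INET_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNAT'd web traffic and its replies: the ESTABLISHED rule above only matches
# the inbound direction, so the reply path from the web server needs its own rule.
"$IPT" -A FORWARD -d "$LAN_WWW_IP" -p tcp --dport 80 -j ACCEPT
"$IPT" -A FORWARD -s "$LAN_WWW_IP" -p tcp --sport 80 -j ACCEPT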

[root@gw1 ~]# chmod  +x /opt/ipfw-gw.sh

2) set the ipfw-gw.sh script to run automatically at boot, as required

[root@gw1 ~]# vim /etc/rc.local 
#!/bin/sh
.. ..
touch /var/lock/subsys/local
# Apply the gateway firewall at boot (absolute path; the script was made executable above).
/opt/ipfw-gw.sh
Step 2: write network-type and host-type protection rules
1) Host script
The packets to be controlled concern access between the local machine and other hosts, so the iptables firewall rules are based mainly on the INPUT chain of the filter table, followed by the OUTPUT chain.
For example, write the firewall script for svr5:
[root@svr5 ~]# vim /opt/ipfw-host.sh
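#!/bin/bash
## 2015.05.20 TsengYia.
## Host firewall for svr5: default-deny INPUT, accept only the listed service
## ports plus established traffic. Must run as root; called from /etc/rc.local.
#### 1. Define environment variables for easy migration ####
# INET_IF / INET_IP are kept for consistency with the gateway script; the
# rules below do not reference them.
INET_IF="eth0"
INET_IP="192.168.4.5"
IPT="/sbin/iptables"
#### 2. Adjustment of kernel parameters and related modules ####
/sbin/sysctl -w net.ipv4.ip_forward=0   # a host, not a router
/sbin/sysctl -w net.ipv4.ip_default_ttl=128
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_all=1   # the host will not answer ping
# "=1" was missing here: sysctl -w needs key=value, otherwise the setting is rejected.
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
/sbin/sysctl -w net.ipv4.tcp_syncookies=1
/sbin/sysctl -w net.ipv4.tcp_syn_retries=3
/sbin/sysctl -w net.ipv4.tcp_synack_retries=3
/sbin/sysctl -w net.ipv4.tcp_fin_timeout=60
/sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=3200
#### 3. Clear old rules and set default rules for each chain ####
#/etc/init.d/iptables stop
# Flush (-F) before deleting user-defined chains (-X): -X only removes chains
# that are already empty and unreferenced, so -X before -F leaves old chains behind.
for table in filter nat mangle raw; do
  "$IPT" -t "$table" -F
  "$IPT" -t "$table" -X
done
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT ACCEPT
#### 4. Custom rules .. ####
# Loopback must be allowed explicitly under a DROP policy, otherwise local
# services that talk to 127.0.0.1 stop working.
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Service ports exposed by this host (SSH, SMTP, HTTP, POP3, IMAP, HTTPS,
# IMAPS, POP3S and the 2150:2750 range).
"$IPT" -A INPUT -p tcp -m multiport --dport 22,25,80,110,143,443,993,995,2150:2750 -j ACCEPT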

[root@svr5 ~]# chmod +x /opt/ipfw-host.sh   # add execute permission
[root@svr5 ~]# vim /etc/rc.local   # set to run automatically at boot
#!/bin/sh
.. ..
touch /var/lock/subsys/local
# Apply the host firewall at boot (absolute path; the script was made executable above).
/opt/ipfw-host.sh

2) Network script
The packets to be controlled concern access between the internal network and the external network, so the iptables firewall rules are based mainly on the FORWARD chain of the filter table; the nat table is also used when address translation is needed.
For example, the gateway firewall script ipfw-gw.sh in step 1:

[root@gw1 ~]# cat /opt/ipfw-gw.sh
.. ..
# Outbound LAN traffic leaves with the gateway's public address (SNAT).
$IPT  -t nat  -A  POSTROUTING  -s  $LAN_NET  -o  $INET_IF  -j  SNAT  --to-source  $INET_IP
# Inbound TCP/80 on the public address is redirected to the internal web server (DNAT).
$IPT  -t nat  -A  PREROUTING  -i  $INET_IF  -d  $INET_IP  -p tcp  --dport  80  -j DNAT  --to-destination  $LAN_WWW_IP
.. ..
# Replies arriving on the Internet interface for the LAN are forwarded only for existing connections.
$IPT  -A  FORWARD  -d  $LAN_NET  -i  $INET_IF  -m state  --state  ESTABLISHED,RELATED   -j  ACCEPT
.. ..

Step 3: use IP address blacklists / whitelists
1) prepare IP address blacklist and whitelist
Define a whitelist. Packets from these addresses (such as the remote administrator's station) will be accepted unconditionally:

[root@gw1 ~]# vim /opt/ipfw.wlist
## the SSH-Station for administrators
192.168.4.110
220.121.72.85
Define a blacklist. Packets from these addresses will be dropped unconditionally:
[root@gw1 ~]# cat  /opt/ipfw.blist
61.45.135.29
121.113.79.81
2) modify the ipfw-gw.sh gateway firewall script to enable the blacklist and whitelist
[root@gw1 ~]# vim /opt/ipfw-gw.sh
.. ..

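#### 5. White & Black List .. ####
#######################################
# Read one address per line from a list file (blank lines and '#' comments
# are ignored) and insert rules with the given target for traffic from and
# to each address. Rules are inserted at the top (-I) so they are evaluated
# before the generic rules of section 4.
# Globals:   IPT (read)
# Arguments: $1 - path of the list file
#            $2 - iptables target (ACCEPT for the whitelist, DROP for the blacklist)
# Returns:   0; a missing or unreadable list file is reported on stderr and skipped
#######################################
apply_ip_list() {
  local list_file=$1 target=$2 addr
  if [[ ! -r "$list_file" ]]; then
    printf 'warning: %s not readable, skipping\n' "$list_file" >&2
    return 0
  fi
  while IFS= read -r addr || [[ -n "$addr" ]]; do
    addr=${addr%%#*}              # drop trailing comments
    addr=${addr//[[:space:]]/}    # drop surrounding whitespace
    [[ -n "$addr" ]] || continue  # blank / comment-only line
    "$IPT" -I INPUT   -s "$addr" -j "$target"
    "$IPT" -I OUTPUT  -d "$addr" -j "$target"
    "$IPT" -I FORWARD -s "$addr" -j "$target"
    "$IPT" -I FORWARD -d "$addr" -j "$target"
  done < "$list_file"
}
WHITE_LIST="/opt/ipfw.wlist"
BLACK_LIST="/opt/ipfw.blist"
# The whitelist matches on source/destination address only; an address on the
# list is trusted on every interface, so keep the list short and review it.
apply_ip_list "$WHITE_LIST" ACCEPT
# Inserted after the whitelist, so blacklist rules sit above it in each chain:
# an address present on both lists is dropped, not accepted.
apply_ip_list "$BLACK_LIST" DROP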
3) run the ipfw-gw.sh script and confirm the firewall rules
[root@gw1 ~]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  218.29.30.131        0.0.0.0/0           
DROP       all  --  121.113.79.81        0.0.0.0/0           
DROP       all  --  61.45.135.29         0.0.0.0/0           
ACCEPT     all  --  220.121.72.85        0.0.0.0/0           
ACCEPT     all  --  192.168.4.110        0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            218.29.30.131       
DROP       all  --  218.29.30.131        0.0.0.0/0           
DROP       all  --  0.0.0.0/0            121.113.79.81       
DROP       all  --  121.113.79.81        0.0.0.0/0           
DROP       all  --  0.0.0.0/0            61.45.135.29        
DROP       all  --  61.45.135.29         0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            220.121.72.85       
ACCEPT     all  --  220.121.72.85        0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            192.168.4.110       
ACCEPT     all  --  192.168.4.110        0.0.0.0/0           
ACCEPT     udp  --  192.168.4.0/24       0.0.0.0/0           udp dpt:53 
ACCEPT     tcp  --  192.168.4.0/24       0.0.0.0/0           multiport dports 20:22,25,80,110,143,443,993,995 
ACCEPT     all  --  0.0.0.0/0            192.168.4.0/24      state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            192.168.4.5         tcp dpt:80 
ACCEPT     tcp  --  192.168.4.5          0.0.0.0/0           tcp spt:80 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            218.29.30.131       
DROP       all  --  0.0.0.0/0            121.113.79.81       
DROP       all  --  0.0.0.0/0            61.45.135.29        
ACCEPT     all  --  0.0.0.0/0            220.121.72.85       
ACCEPT     all  --  0.0.0.0/0            192.168.4.110

