iptables.basic-setup.local.example

#!/bin/sh

#################################################################################### 
# This file is outdated. It still here as an example. Use 'firewall.*.sh' instead! #
####################################################################################

# Name:    firewall/iptables-basic-setup.local{.example}
# Summary: Firewall setup
# Home:    https://github.com/metalevel-tech/wwwsas
# Author:  Spas Z. Spasov <spas.z.spasov@gmail.com> (C) 2021
#
# This program is free software; you can redistribute it and/or modify it under the terms of the
# GNU General Public License as published by the Free Software Foundation, version 3.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; See the GNU General Public License for more details.

# Call syntax: sudo sh 'iptables.basic-setup.local <iptables_add_rules | iptables_remove_rules | ufw_purge | ufw_install | ufw_disable | ufw_enable>'

# The following rules are stolen from these sources,
# where, of course, an additional information is provided:
# :: digital  index :: https://javapipe.com/ddos/blog/iptables-ddos-protection/
# :: alphabet index :: http://sharadchhetri.com/2013/06/15/how-to-protect-from-port-scanning-and-smurf-attack-in-linux-server-by-iptables/
# :: Port Scan Prt  :: https://unix.stackexchange.com/a/407904/201297

# Notes:
#
# Add the following job(s) in roots crontab (sudo crontab -e) as insurance
# in case you are locked out from the system during the tests (remove it later):
#    2 * * * * /sbin/iptables -P INPUT ACCEPT && /sbin/iptables -F
#    1 * * * * /usr/sbin/ufw disable
#
# Also you can temporary remove our iptables-restore script: rm -f /etc/network/if-pre-up.d/iptables-restore
#
# In addition UFW could be engaged - by default it will add more usefull rules.
# When you enable/disable UFW it changes the default policies, no matter our Iptables rules.
# UFW's default policies are: enable -> INPUT:DROP OUTPUT:ALLOW | disable -> INPUT:ALLOW OUTPUT:ALLOW
# But in case we have done 'iptables -F' these default policies are terminated.
#
# ATTENTION !!! THIS IS VERY DANGEROUS COMBINATION !!!
# :: ufw disable && iptables -F && ufw enable
# In this case better purge, reinstall, reconfigure UFW before 'enable' it!


# If you want you can flush all the iptables rules ---
# But in that case do not forgoto to add WWWSAS chain!
#iptables -F
#sudo iptables -N WWWSAS
#sudo iptables -I INPUT 3 -j WWWSAS

# Define the ports to be open in the INPUT chain
SSH='22'
SMTP='25'
HTTP='80'
HTTPS='443'
WWW_SAS_IPTBL_CHAIN="WWWSAS"

# -----------------------
# Functions section BEGIN

iptables_add_rules() {
	# -- A: Accept loopback input -- INPUT iptables Rules ---
	if iptables -C INPUT -i lo -p all -j ACCEPT >/dev/null 2>&1 || iptables -C INPUT -i lo -j ACCEPT  >/dev/null 2>&1;
	then 
		echo "This rule already exists."
	else 
		# The rule
		iptables -I INPUT 1 -i lo -p all -j ACCEPT
	fi

	# -- B: Allow 3 way handshake -- INPUT iptables Rules ---
	if iptables -C INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT >/dev/null 2>&1; 
	then 
		echo "This rule already exists."
	else
		# The rule 
		iptables -I INPUT 2 -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
	fi

	# -- Add WWWSAS chanin if doesn't exist ---
	if iptables -n --list "$WWW_SAS_IPTBL_CHAIN" >/dev/null 2>&1
	then
		echo "The chain $WWW_SAS_IPTBL_CHAIN exists."
	else
		iptables -N "$WWW_SAS_IPTBL_CHAIN"
		iptables -I INPUT 3 -j "$WWW_SAS_IPTBL_CHAIN"
	fi

	# -- C: Define the default Policy -- Without the above - This rule will lock the system! ---
	sudo iptables -P INPUT DROP
	sudo iptables -P FORWARD DROP
	sudo iptables -P OUTPUT ACCEPT

	# -- 1: SSH brute-force protection ---
	iptables -A INPUT -p tcp --dport "$SSH" -m conntrack --ctstate NEW -m recent --set
	iptables -A INPUT -p tcp --dport "$SSH" -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

	# -- D: Open the necessary ports ---
	iptables -A INPUT -p tcp -m tcp --dport "$SSH" -j ACCEPT
	#iptables -A INPUT -p tcp -m tcp --dport "$SMTP" -j ACCEPT
	iptables -A INPUT -p tcp -m tcp --dport "$HTTP" -j ACCEPT
	iptables -A INPUT -p tcp -m tcp --dport "$HTTPS" -j ACCEPT

	# -- 2: Drop invalid packets ---
	iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

	# -- 3: Drop TCP packets that are new and are not SYN ---
	iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

	# -- 4: Drop SYN packets with suspicious MSS value ---
	iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
	# :: Port by port
	#iptables -t mangle -A PREROUTING -p tcp -m tcp --dport "$SSH" -m state --state NEW -m tcpmss ! --mss 536:65535 -j DROP
	#iptables -t mangle -A PREROUTING -p tcp -m tcp --dport "$SMTP" -m state --state NEW -m tcpmss ! --mss 536:65535 -j DROP
	#iptables -t mangle -A PREROUTING -p tcp -m tcp --dport "$HTTP" -m state --state NEW -m tcpmss ! --mss 536:65535 -j DROP
	#iptables -t mangle -A PREROUTING -p tcp -m tcp --dport "$HTTPS" -m state --state NEW -m tcpmss ! --mss 536:65535 -j DROP

	# -- 5: Block packets with bogus TCP flags ---
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

	# -- 6: Block spoofed packets ---
	iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
	iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
	iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
	iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
	iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
	iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
	iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
	iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
	iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

	# -- 7: Drop ICMP (you usually don't need this protocol) ---
	# :: If you want to allow ICMP (ping) replace DROP with ACCEPT
	iptables -t mangle -A PREROUTING -p icmp -j DROP

	# -- E: Allow ping means ICMP port is open (If you do not want ping replace ACCEPT with REJECT) ---
	#iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

	# -- F: for SMURF attack protection
	#iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
	#iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
	#iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

	# -- 8: Drop fragments in all chains ---
	iptables -t mangle -A PREROUTING -f -j DROP

	# -- 9: Limit connections per source IP ---
	iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset

	# -- 10: Limit RST packets ---
	iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
	iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

	# -- G: flooding of RST packets, smurf attack Rejection
	#iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

	# -- 11: Limit new TCP connections per second per source IP ---
	iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
	iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

	# -- 12: Use SYNPROXY on all ports (disables connection limiting rule) ---
	# :: Hidden - unlock content above in "Mitigating SYN Floods With SYNPROXY" section
	# :: Available only for Linux kernel version 3.12 and above, and iptables 1.4.21
	#iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
	#iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
	#iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

	# -- 13: Protection against Port Scanning ---
	#iptables -N wwwsas_port_scanning
	#iptables -A wwwsas_port_scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
	#iptables -A wwwsas_port_scanning -j DROP

	# -- H: Protecting Port Scans ---
	# :: Attacking IP will be locked for 1 hour (24 hours - 3600 x 24 = 86400 Seconds)
	#iptables -A INPUT -m recent --name portscan --rcheck --seconds 3600 -j DROP
	#iptables -A FORWARD -m recent --name portscan --rcheck --seconds 3600 -j DROP
	# :: Remove attacking IP after 1 hour (24 hours)
	#iptables -A INPUT -m recent --name portscan --remove
	#iptables -A FORWARD -m recent --name portscan --remove
	# :: These rules add scanners to the portscan list, and log the attempt.
	#iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
	#iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
	#iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
	#iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

	# -- Real protection against Port Scanning ---
	# :: https://unix.stackexchange.com/a/407904/201297
	if [ -x '/sbin/ipset' ]
	then
		ipset create WWWSAS_PORT_SCANNERS hash:ip family inet hashsize 32768 maxelem 65536 timeout 600
		ipset create WWWSAS_SCANNED_PORTS hash:ip,port family inet hashsize 32768 maxelem 65536 timeout 60
		sleep 1
		iptables -A INPUT -m state --state INVALID -j DROP
		iptables -A INPUT -m state --state NEW -m set ! --match-set WWWSAS_SCANNED_PORTS src,dst -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name portscan --hashlimit-htable-expire 10000 -j SET --add-set WWWSAS_PORT_SCANNERS src --exist
		iptables -A INPUT -m state --state NEW -m set --match-set WWWSAS_PORT_SCANNERS src -j DROP
		iptables -A INPUT -m state --state NEW -j SET --add-set WWWSAS_SCANNED_PORTS src,dst
	else
		echo "'ipset' is not installed."
	fi
}

iptables_remove_rules() {
	# -- C:
	iptables -P INPUT ACCEPT
	iptables -P FORWARD ACCEPT
	iptables -P OUTPUT ACCEPT

	# -- A:
	iptables -D INPUT -i lo -p all -j ACCEPT

	# -- B:
	iptables -D INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

	# -- 12:
	iptables -D INPUT -p tcp --dport "$SSH" -m conntrack --ctstate NEW -m recent --set
	iptables -D INPUT -p tcp --dport "$SSH" -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

	# -- D:
	iptables -D INPUT -p tcp -m tcp --dport "$SSH" -j ACCEPT
	#iptables -D INPUT -p tcp -m tcp --dport "$SMTP" -j ACCEPT
	iptables -D INPUT -p tcp -m tcp --dport "$HTTP" -j ACCEPT
	iptables -D INPUT -p tcp -m tcp --dport "$HTTPS" -j ACCEPT

	# -- 2:
	iptables -t mangle -D PREROUTING -m conntrack --ctstate INVALID -j DROP

	# -- 3:
	iptables -t mangle -D PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

	# -- 4:
	iptables -t mangle -D PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

	# -- 5:
	iptables -t mangle -D PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
	iptables -t mangle -D PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
	iptables -t mangle -D PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
	iptables -t mangle -D PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
	iptables -t mangle -D PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
	iptables -t mangle -D PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
	iptables -t mangle -D PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
	iptables -t mangle -D PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
	iptables -t mangle -D PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
	iptables -t mangle -D PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
	iptables -t mangle -D PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
	iptables -t mangle -D PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
	iptables -t mangle -D PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

	# -- 6:
	iptables -t mangle -D PREROUTING -s 224.0.0.0/3 -j DROP
	iptables -t mangle -D PREROUTING -s 169.254.0.0/16 -j DROP
	iptables -t mangle -D PREROUTING -s 172.16.0.0/12 -j DROP
	iptables -t mangle -D PREROUTING -s 192.0.2.0/24 -j DROP
	iptables -t mangle -D PREROUTING -s 192.168.0.0/16 -j DROP
	iptables -t mangle -D PREROUTING -s 10.0.0.0/8 -j DROP
	iptables -t mangle -D PREROUTING -s 0.0.0.0/8 -j DROP
	iptables -t mangle -D PREROUTING -s 240.0.0.0/5 -j DROP
	iptables -t mangle -D PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

	# -- 7:
	iptables -t mangle -D PREROUTING -p icmp -j DROP

	# -- E:
	#iptables -D INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

	# -- F:
	#iptables -D INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
	#iptables -D INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
	#iptables -D INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

	# -- 8:
	iptables -t mangle -D PREROUTING -f -j DROP

	# -- 9:
	iptables -D INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset

	# -- 10:
	iptables -D INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
	iptables -D INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP

	# -- G:
	#iptables -D INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

	# -- 11:
	iptables -D INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
	iptables -D INPUT -p tcp -m conntrack --ctstate NEW -j DROP

	# -- 12:
	#iptables -t raw -D PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack
	#iptables -D INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
	#iptables -D INPUT -m conntrack --ctstate INVALID -j DROP

	# -- 13:
	#iptables -D wwwsas_port_scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
	#iptables -D wwwsas_port_scanning -j DROP
	#iptables --flush wwwsas_port_scanning
	#iptables -X wwwsas_port_scanning

	# -- H: Protecting portscans ---
	#iptables -D INPUT -m recent --name portscan --rcheck --seconds 3600 -j DROP
	#iptables -D FORWARD -m recent --name portscan --rcheck --seconds 3600 -j DROP
	#iptables -D INPUT -m recent --name portscan --remove
	#iptables -D FORWARD -m recent --name portscan --remove
	#iptables -D INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
	#iptables -D INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
	#iptables -D FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
	#iptables -D FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

	# -- According: Real protection against Port Scanning ---
	if [ -x '/sbin/ipset' ]
	then
		iptables -D INPUT -m state --state INVALID -j DROP
		iptables -D INPUT -m state --state NEW -m set ! --match-set WWWSAS_SCANNED_PORTS src,dst -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name portscan --hashlimit-htable-expire 10000 -j SET --add-set WWWSAS_PORT_SCANNERS src --exist
		iptables -D INPUT -m state --state NEW -m set --match-set WWWSAS_PORT_SCANNERS src -j DROP
		iptables -D INPUT -m state --state NEW -j SET --add-set WWWSAS_SCANNED_PORTS src,dst
	else
		echo "'ipset' is not installed."
	fi
}

ufw_enable() {
	if [ -x '/usr/sbin/ufw' ]
	then
		ufw limit "$SSH"/tcp comment 'SSH port'
		#ufw allow "$SMTP"/tcp comment 'SMTP port'
		ufw allow "$HTTP"/tcp comment 'HTTP port'
		ufw allow "$HTTPS"/tcp comment 'HTTPS port'
		ufw enable
		ufw status verbose
	else
		echo "'ufw' is not installed."
	fi
}

ufw_disable() {
	if [ -x '/usr/sbin/ufw' ]
	then
		ufw disable
		ufw status verbose
	else
		echo "'ufw' is not installed."
	fi
}

ufw_purge() {
	if [ -x '/usr/sbin/ufw' ]
	then
		apt purge ufw -y
	else
		echo "'ufw' is not installed."
	fi
}

ufw_install() {
	if [ -x '/usr/sbin/ufw' ]
	then
		apt install ufw -y
	else
		echo "'ufw' is not installed."
	fi
}
# Functions section END
# -----------------------

# ----------------------------------------------
# Main script - call the functions conditionally
# ----------------------------------------------

if   [ "${1}" = 'iptables_add_rules' ]
then
	iptables_add_rules
elif [ "${1}" = 'iptables_remove_rules' ]
then
	iptables_remove_rules
elif [ "${1}" = 'ufw_purge' ]
then
	ufw_purge
elif [ "${1}" = 'ufw_install' ]
then
	ufw_install
elif [ "${1}" = 'ufw_disable' ]
then
	ufw_disable
elif [ "${1}" = 'ufw_enable' ]
then
	ufw_enable
fi

# -------------
# Output Status
# -------------

#ufw status verbose
#iptables -S
#iptables -S -t mangle
#iptables -S -t raw
#iptables -L
#iptables -L -t mangle
#iptables -L -t raw
#ipset list


# ----------------------
# Save the current state
# ----------------------

cp iptables.current-state.conf iptables.current-state.conf.bak
./iptables-save.sh

# -- According: Real protection against Port Scanning ---
if [ -x '/sbin/ipset' ]
then
	cp ipset.current-state.conf ipset.current-state.conf.bak
	./ipset-save.sh
else
	echo "'ipset' is not installed."
fi