File: uruk.in

#!/bin/sh

# this file maintained using arch at http://arch.gna.org/uruk/

# Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport.org
# Copyright (C) 2003, 2004 Tilburg University http://www.uvt.nl/
# Copyright (C) 2003, 2004, 2005, 2007 Joost van Baal
#
# This file is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free
# Software Foundation, either version 3 of the License, or (at your option)
# any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE.  See the GNU GPL for more details.
#
# You should have received a copy of the GNU GPL along with this file, see
# e.g. the file named COPYING.  If not, see <http://www.gnu.org/licenses/>.


#
# peeksheet: iptables predefined chains:
#
#               - INPUT - - localhost - - OUTPUT -
#             /                                    \
# PREROUTING - - - - - - - - FORWARD  - - - - - - - - POSTROUTING
#

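# Path of the IPv4 iptables binary; override with URUK_IPTABLES.
iptables=${URUK_IPTABLES:-/sbin/iptables}

# By default, we don't do any /sbin/ip6tables calls.  This will change
# once Uruk's IPv6 support is blessed mature.  ":" is the shell no-op, so
# every $ip6tables invocation below does nothing unless this is overridden.
ip6tables=${URUK_IP6TABLES:-":"}
#
# Add
#
#  ip6tables=${URUK_IP6TABLES:-/sbin/ip6tables}
#
# to your rc file and
#
#  "enable_ipv6=true"
#
# to /etc/default/uruk if you'd like to play with IPv6 support in Uruk
#
# New variables used: ip6_<...>, sources6_<...>, ip6tables.

# Interfaces whose traffic is trusted unconditionally (whitespace separated
# list); override with URUK_INTERFACES_UNPROTECT.
interfaces_unprotect=${URUK_INTERFACES_UNPROTECT:-lo}

# The @...@ tokens are filled in by the build (this file is uruk.in).
etcdir="@SYSCONF_PATH@/@PACKAGE_TARNAME@"

# The rc file to load; override with URUK_CONFIG.
config=${URUK_CONFIG:-${etcdir}/rc}

# "$config" is quoted so a path containing whitespace or glob characters is
# tested as one word.  The diagnostic and the exit are separate statements,
# so the exit cannot be skipped if writing the message fails.
test -r "$config" || {
    echo >&2 "No readable rc file $config found.  Please create one."
    exit 1
}

# The rc file is executed as shell code in this process: it must be trusted
# (root-owned, not writable by anyone else), not merely readable.
. "$config"

# The rc file may set $version; an unset/empty $version is accepted, an
# explicit pre-20040210 value is refused.
if test -n "$version"
then
    if test "$version" -lt 20040210
    then
        cat >&2 <<EOT
 Uruk rc file $config claims to be pre-20040210 format.  That's likely not
 supported.  Please read the Uruk README file for upgrade instructions.
EOT
        exit 1
    fi
fi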

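# Append a LOG rule to the IPv4 INPUT chain.  Any arguments are appended as
# extra match options, e.g. `uruk_log -i eth0 --destination 10.0.0.1`.
# "$@" hands each argument through intact (no re-splitting, no globbing).
uruk_log () {
    $iptables -A INPUT -j LOG --log-level debug --log-prefix 'iptables: ' "$@"
}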

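# Append a LOG rule to the IPv6 INPUT chain; arguments are extra match
# options, as for uruk_log.  Does nothing while $ip6tables is ":" (default).
# "$@" hands each argument through intact (no re-splitting, no globbing).
uruk6_log () {
    $ip6tables -A INPUT -j LOG --log-level debug --log-prefix 'ip6tables: ' "$@"
}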

# Run a site hook: $1 names either a single file or a directory, in which
# case every readable "*.rc" file in it is used.  Hook files are sourced
# into this shell, so they run as the same (root) user with full access to
# the rc variables; they need to be trusted like the rc file itself.
# An unset or unreadable hook is silently skipped.
uruk_hook () {
    if test ! -d "$1"
    then
        test -r "$1" && . "$1"
        return
    fi
    for f in "$1"/*.rc
    do
        test -r "$f" && . "$f"
    done
}

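#
# bootstrap these rules
#

# Log verbosity, may be set by the rc file.  Band used at this point:
# 40 < 60 (         50) medium:  log denied non-broadcasts  (default)
test -z "$loglevel" && loglevel=50

#
# traffic on interfaces_unprotect (lo, per default) is trusted: everything
# in and out on those interfaces is accepted, for IPv4 and IPv6 alike.
# ${interfaces_unprotect} is deliberately unquoted (whitespace separated
# list); each resulting word is quoted so it is not glob-expanded.
for iface in ${interfaces_unprotect}
do
    $iptables -A INPUT  -i "$iface" -j ACCEPT
    $iptables -A OUTPUT -o "$iface" -j ACCEPT

    $ip6tables -A INPUT -i "$iface" -j ACCEPT
    $ip6tables -A OUTPUT -o "$iface" -j ACCEPT
done

# site hook rc_a (file, or directory of *.rc files)
uruk_hook "$rc_a"

if test "$loglevel" -ge 80
then
    # 80 < 99 (         90) fascist: log all packets
    uruk_log
    uruk6_log
fi

# replies to connections this host opened, and related traffic, are let in
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ip6tables has no connection tracking support, so the rule above is
# approximated statelessly: non-SYN TCP and any UDP to unprivileged ports
# (>= 1024) is accepted.  Note that this also admits unsolicited IPv6 UDP to
# those ports, which the IPv4 state match does not.
$ip6tables -A INPUT --protocol tcp ! --syn --destination-port 1024: -j ACCEPT
$ip6tables -A INPUT --protocol udp --destination-port 1024: -j ACCEPT


uruk_hook "$rc_b"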

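#
# protect interfaces_public against spoofing
#

# Walk every interface in $interfaces (rc file, whitespace separated).  An
# interface with ips_<iface> set expands to one instance "<iface>_<label>"
# per label; otherwise the bare interface name is the single instance.  The
# rc file supplies net_<instance> and ip_<instance>.  These names are looked
# up with eval, so rc file contents are treated as trusted shell here.
for iface in ${interfaces}
do
    #
    # don't allow anyone to spoof non-routeable addresses
    #

    eval is="\"\$ips_${iface}\""
    if test -n "$is"
    then
        interfaces_x=
        for i in $is
        do
            interfaces_x="$interfaces_x ${iface}_$i"
        done
    else
        interfaces_x=$iface
    fi

    for iface_x in $interfaces_x
    do
        eval net="\"\$net_${iface_x}\""
        # Drop loopback and RFC 1918 ranges as source or destination, in
        # both directions, skipping only the range equal to this instance's
        # own $net.
        for no_route_ip in 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
        do
            if test "$no_route_ip" != "$net"
            then
                # TODO: this behaves odd in multiple-IP cases.  Furthermore,
                # excluding one private network from being dropped works ugly.
                $iptables -A INPUT -i "$iface" --source "$no_route_ip" -j DROP
                $iptables -A INPUT -i "$iface" --destination "$no_route_ip" \
                  -j DROP

                $iptables -A OUTPUT -o "$iface" --source "$no_route_ip" -j DROP
                $iptables -A OUTPUT -o "$iface" --destination "$no_route_ip" \
                  -j DROP
            fi
        done

        # block outgoing packets that don't have our address as source,
        # they are either spoofed or something is misconfigured (NAT disabled,
        # for instance), we want to be nice and don't send out garbage.
        #
        # NOTE: this is stricter than above no_route_ip rule.
        if test -n "$is"
        then
            # this rule is only enabled in single-ip-per-nic situations.
            # in multiple ip mode, we'd have to drop only if source is
            # not _one_ of the nic's IPs

            # supporting this for multiple-ips would need multiple chains
            # or, perhaps, some iptables extension.
            :
        else
            eval ip="\"\$ip_${iface_x}\""
            # NOTE(review): "--source ! addr" is intrapositioned negation;
            # newer iptables releases deprecate that spelling in favour of
            # "! --source addr" -- confirm against the iptables version in use.
            $iptables -A OUTPUT -o "$iface" --source ! "$ip" -j DROP

            # drop all incoming packets which don't have us as destination
            $iptables -A INPUT -i "$iface" --destination ! "$ip" -j DROP
            # NOTE: this is stricter than above no_route_ip rule.  If this
            # rule is used, above rule ``$iptables -A INPUT -i $iface
            # --destination $no_route_ip -j DROP'' could get disabled. See
            # also the broadcast rule below.
        fi
    done

    # Always allow outgoing connections
    $iptables -A OUTPUT -m state --state NEW -o "$iface" -j ACCEPT
done

uruk_hook "$rc_c"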

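#
# allow traffic to offered services, from trusted sources
#

# For each interface instance (ips_<iface> expands to "<iface>_<label>"
# instances, as in the anti-spoofing loop), each protocol, each service
# group in services_<instance>_<proto>, each port in
# ports_<instance>_<proto>_<group> and each source in
# sources_<instance>_<proto>_<group> (sources6_... for IPv6): accept NEW
# connections to ip_<instance> (ip6_<instance>).  An empty sources list
# yields no rule at all, so nothing is opened to the world by default.
# All of these rc variables are read through eval.
for iface in $interfaces
do
    eval is="\"\$ips_${iface}\""
    if test -n "$is"
    then
        interfaces_x=
        for i in $is
        do
            interfaces_x="$interfaces_x ${iface}_$i"
        done
    else
        interfaces_x=$iface
    fi

    for iface_x in $interfaces_x
    do
        eval ip="\"\$ip_${iface_x}\""
        eval ip6="\"\$ip6_${iface_x}\""
        for proto in tcp udp
        do
            eval services="\"\$services_${iface_x}_${proto}\""
            if test -n "$services"
            then
                for service in $services
                do
                    # service is a servicegroupname, e.g. "local"
                    eval sources="\"\$sources_${iface_x}_${proto}_${service}\""
                    eval sources6="\"\$sources6_${iface_x}_${proto}_${service}\""
                    eval ports="\"\$ports_${iface_x}_${proto}_${service}\""
                    if test -n "$ports"
                    then
                        for port in $ports
                        do
                            # port is e.g. www or 1023
                            for source in $sources
                            do
                                # source is e.g. 10.56.0.10/32
                                $iptables -A INPUT -m state --state NEW \
                                  -i "$iface" --protocol "$proto" \
                                  --source "$source" --destination "$ip" \
                                  --destination-port "$port" -j ACCEPT
                            done
                            # no --state match on IPv6: see the stateless
                            # ip6tables rules near the top of this file
                            for source6 in $sources6
                            do
                                $ip6tables -A INPUT \
                                  -i "$iface" --protocol "$proto" \
                                  --source "$source6" --destination "$ip6" \
                                  --destination-port "$port" -j ACCEPT
                            done
                        done
                    fi
                done
            fi
        done
    done
done

uruk_hook "$rc_d"

#
# rc_e: backwards compatibility.  should be removed one day.
#
uruk_hook "$rc_e"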

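#
# Don't answer broadcast and multicast packets
#

# $interfaces_nocast lists the interfaces to silence.  bcasts_<iface> gives
# optional labels (instances "<iface>_<label>"), bcast_<instance> the
# broadcast address to drop; both come from the rc file via eval.  The
# limited broadcast address 255.255.255.255 is dropped on every listed
# interface regardless.  These DROPs sit before the logging rules, so
# dropped broadcasts are never logged.
for iface in $interfaces_nocast
do
    eval is="\"\$bcasts_${iface}\""
    if test -n "$is"
    then
        interfaces_x=
        for i in $is
        do
            interfaces_x="$interfaces_x ${iface}_$i"
        done
    else
        interfaces_x=$iface
    fi

    for iface_x in $interfaces_x
    do
        eval bcast="\"\$bcast_${iface_x}\""
        $iptables -A INPUT -i "$iface" --destination "$bcast" -j DROP
    done

    $iptables -A INPUT -i "$iface" --destination 255.255.255.255 -j DROP
done

uruk_hook "$rc_f"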

#
# icmp stuff. See RFC 1122 and also RFC 792, RFC 950, RFC 1812, RFC 1349,
# RFC 2474 and Stevens' TCP/IP Illustrated Chapter 6, p 69.
# The icmp types are even in %num2icmp_type in Lire::Firewall.
# Running "iptables -p icmp -h" gives iptables's idea of icmp types
#

#
# By default, we disallow
#
#  source-quench
#  redirect (
#   network-redirect
#   host-redirect
#   TOS-network-redirect
#   TOS-host-redirect
#  )
#  router-advertisement
#  router-solicitation
#
# You might want to allow just
#
#  echo-request echo-reply ttl-zero-during-transit \
#   ttl-zero-during-reassembly ip-header-bad required-option-missing
#
# This makes pings succeed, as well as traceroute.  However
# debugging network problems might be _much_ more difficult when disallowing
# lots of other icmp types.  If you really want to do this, use rc_g.
#

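# Accept exactly these ICMP types; anything not listed (source-quench, the
# redirect family, router-advertisement/-solicitation, ...) falls through to
# the logging and reject rules further down.  echo-request is in the list,
# so the host answers ping.
for type in \
  address-mask-reply \
  address-mask-request \
  destination-unreachable \
  echo-reply \
  echo-request \
  parameter-problem \
  timestamp-reply \
  timestamp-request \
  ttl-zero-during-reassembly \
  ttl-zero-during-transit
do
    $iptables -A INPUT --protocol icmp --icmp-type "$type" -j ACCEPT
done

# for now, we allow _all_ ICMPv6 packets.
$ip6tables -A INPUT --protocol icmpv6 -j ACCEPT

uruk_hook "$rc_g"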

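#
# log packets which make it till here: denied packets (not denied broadcasts
#     or spoofed stuff).  take loglevel into account.
#

# loglevel bands handled here (default is 50):
#   < 20   silent
#   < 40   log denied packets addressed to one of our own IPs only
#   < 60   log all denied packets
#   60-79  not implemented yet (see FIXME below)
#   >= 80  already covered by the "fascist" rule near the top
if test "$loglevel" -lt 20
then
    # be silent
    :
elif test "$loglevel" -lt 40
then
    # log denied packets, targetted at our IPs
    for iface in $interfaces
    do
        eval is="\"\$ips_${iface}\""
        if test -n "$is"
        then
            interfaces_x=
            for i in $is
            do
                interfaces_x="$interfaces_x ${iface}_$i"
            done
        else
            interfaces_x=$iface
        fi

        for iface_x in $interfaces_x
        do
            eval ip="\"\$ip_${iface_x}\""
            eval ip6="\"\$ip6_${iface_x}\""
            # instances without an address get no rule rather than a rule
            # with an empty --destination
            test -n "$ip" && uruk_log -i "$iface" --destination "$ip"
            test -n "$ip6" && uruk6_log -i "$iface" --destination "$ip6"
        done
    done
elif test "$loglevel" -lt 60
then
    # 40 < 60 (         50) medium:  log denied non-broadcasts  (default)
    uruk_log
    uruk6_log
fi

# FIXME : yet to implement:
# 60 < 80 (         70) high:    log denied packets

uruk_hook "$rc_h"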

#
# reject all others
#

# Default deny: whatever was not accepted above is rejected.  TCP gets a
# RST so clients fail fast; everything else gets REJECT's default reply.
$iptables -A INPUT --protocol tcp -j REJECT --reject-with tcp-reset
$iptables -A INPUT -j REJECT

# IPv6 is silently dropped instead (no-op while $ip6tables is ":").
$ip6tables -A INPUT -j DROP
# FIXME : these:
#  $ip6tables -A INPUT -j REJECT --reject-with tcp-reset --protocol tcp
#  $ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
# would be better but don't seem to be supported with stock linux kernel.

uruk_hook "$rc_i"

# make sure we exit 0, even if last test failed
exit 0