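#!/bin/sh
################################################################################
################################################################################
##                                                                            ##
## Copyright (C) 2003 Blueness                                                ##
##                                                                            ##
## This program is free software; you can redistribute it and/or             ##
## modify it under the terms of the GNU General Public License               ##
## as published by the Free Software Foundation; either version 2            ##
## of the License, or (at your option) any later version.                    ##
##                                                                            ##
## This program is distributed in the hope that it will be useful,           ##
## but WITHOUT ANY WARRANTY; without even the implied warranty of            ##
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the             ##
## GNU General Public License for more details.                              ##
##                                                                            ##
## You should have received a copy of the GNU General Public License         ##
## along with this program; if not, write to the Free Software               ##
## Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ##
##                                                                            ##
################################################################################
################################################################################
#
# Startup script to implement /etc/sysconfig/bluefire.conf rules.
#
# chkconfig: 2345 09 91
# description: packet filtering firewall with iptables
# config: /etc/sysconfig/bluefire.conf
#
# Usage: bluefire {start|stop|restart}
#
# The config file holds addresses to block, one or more per line, separated
# by whitespace; anything from '#' to end of line is a comment.  Each address
# is passed verbatim to iptables -s/-d, so IPv4/IPv6 literals, CIDR ranges
# and hostnames are all accepted.  Tokens that could be read as iptables
# options (leading '-') or that contain characters outside [A-Za-z0-9.:/_-]
# are rejected and reported on stderr instead of being handed to iptables.
#
# All rules are inserted at the head of their chain (-I) so that they take
# effect before any distribution-supplied rules; stop removes the same rules
# with -D.  Starting twice inserts the rules twice; use restart instead.

# Provides success/failure (status column helpers) used below.
. /etc/init.d/functions

BLUEFIRE_CONFIG=/etc/sysconfig/bluefire.conf
IPTABLES=/sbin/iptables

# Match arguments added to every LOG rule.  Without a limit a flood of
# crafted packets writes one log line each and can fill the log partition.
# NOTE: if an older version of this script inserted un-limited LOG rules,
# 'stop' cannot match them; flush the INPUT chain by hand once.
BLUEFIRE_LOG_LIMIT="-m limit --limit 5/min --limit-burst 10"

# Nothing to do on a host without iptables.
if [ ! -x "$IPTABLES" ]; then
    exit 0
fi

#######################################
# Run one iptables command.
# Arguments: the full iptables argument list, starting with -I or -D
# Outputs:   nothing; iptables output is discarded because 'stop' must
#            tolerate rules that are already gone
# Returns:   the iptables exit status
#######################################
rule() {
    "$IPTABLES" "$@" >/dev/null 2>&1
}

#######################################
# Log (rate-limited) and drop INPUT TCP packets whose flags match MASK/COMP.
# Arguments: $1 - -I (insert) or -D (delete)
#            $2 - --tcp-flags mask
#            $3 - --tcp-flags comp
#            $4 - --log-prefix text
# Returns:   number of failed iptables calls (0..2)
#######################################
scan_rule() {
    local action mask comp prefix errs
    action=$1; mask=$2; comp=$3; prefix=$4
    errs=0
    # Insert DROP first.  -I prepends, so the rule inserted last ends up on
    # top; inserting LOG last is what makes LOG run before DROP.  (Inserting
    # LOG first would leave DROP above it and the scan would never be logged.)
    rule "$action" INPUT -p tcp -m tcp --tcp-flags "$mask" "$comp" -j DROP \
        || errs=$((errs + 1))
    # $BLUEFIRE_LOG_LIMIT is deliberately unquoted: it holds several args.
    rule "$action" INPUT -p tcp -m tcp --tcp-flags "$mask" "$comp" \
        $BLUEFIRE_LOG_LIMIT -j LOG --log-prefix "$prefix" \
        || errs=$((errs + 1))
    return $errs
}

#######################################
# Catch stealth scans: TCP flag combinations no legitimate stack sends.
# Arguments: $1 - -I to install the rules, -D to remove them
# Outputs:   status line via success/failure
# Returns:   exits 2 on an unknown action
#######################################
scans() {
    local sret
    case "$1" in
        -I) echo -n "Starting up bluefire stealth scan detection:" ;;
        -D) echo -n "Stopping bluefire stealth scan detection:" ;;
        *)  echo "Error in scans()"; exit 2 ;;
    esac
    sret=0
    scan_rule "$1" ALL     NONE    "STEALTH SCAN: ALL:";      sret=$((sret + $?))
    scan_rule "$1" SYN,FIN SYN,FIN "STEALTH SCAN: SYN,FIN: "; sret=$((sret + $?))
    scan_rule "$1" SYN,RST SYN,RST "STEALTH SCAN: SYN,RST:";  sret=$((sret + $?))
    scan_rule "$1" FIN,RST FIN,RST "STEALTH SCAN: FIN,RST:";  sret=$((sret + $?))
    scan_rule "$1" ACK,FIN FIN     "STEALTH SCAN: FIN,ack:";  sret=$((sret + $?))
    scan_rule "$1" ACK,PSH PSH     "STEALTH SCAN: PSH,ack";   sret=$((sret + $?))
    scan_rule "$1" ACK,URG URG     "STEALTH SCAN: URG,ack";   sret=$((sret + $?))
    if [ "$sret" -eq 0 ]; then
        success
    else
        failure
    fi
    echo
}

#######################################
# Block one address: drop what it sends us or through us, reject what we or
# forwarded hosts send to it.
# Arguments: $1 - -I or -D
#            $2 - address, already validated by the caller
# Returns:   number of failed iptables calls (0..4)
#######################################
block_addr() {
    local errs
    errs=0
    rule "$1" INPUT   -s "$2" -j DROP   || errs=$((errs + 1))
    rule "$1" FORWARD -d "$2" -j REJECT || errs=$((errs + 1))
    rule "$1" FORWARD -s "$2" -j DROP   || errs=$((errs + 1))
    rule "$1" OUTPUT  -d "$2" -j REJECT || errs=$((errs + 1))
    return $errs
}

#######################################
# Install or remove the address filters listed in $BLUEFIRE_CONFIG.
# Arguments: $1 - -I to install the rules, -D to remove them
# Globals:   BLUEFIRE_CONFIG (read)
# Outputs:   status line via success/failure; invalid entries on stderr
# Returns:   exits 3 on an unknown action
#######################################
firewall() {
    local fret line addr
    case "$1" in
        -I) echo -n "Starting up bluefire filters:" ;;
        -D) echo -n "Stopping bluefire filters:" ;;
        *)  echo "Error in firewall()"; exit 3 ;;
    esac
    fret=0
    if [ ! -r "$BLUEFIRE_CONFIG" ]; then
        # Kept non-fatal: a host without a block list still gets scan rules.
        echo "bluefire: cannot read $BLUEFIRE_CONFIG; no address filters applied" >&2
    else
        # The '|| [ -n "$line" ]' keeps a last line without a newline.
        while IFS= read -r line || [ -n "$line" ]; do
            line=${line%%#*}
            # Word-splitting of $line is intentional (several addresses per
            # line); globbing is switched off so a stray '*' cannot expand.
            set -f
            for addr in $line; do
                case "$addr" in
                    -*|*[!A-Za-z0-9.:/_-]*)
                        echo "bluefire: ignoring invalid address '$addr' in $BLUEFIRE_CONFIG" >&2
                        fret=$((fret + 1))
                        continue
                        ;;
                esac
                block_addr "$1" "$addr"
                fret=$((fret + $?))
            done
            set +f
        done < "$BLUEFIRE_CONFIG"
    fi
    if [ "$fret" -eq 0 ]; then
        success
    else
        failure
    fi
    echo
}

# Filters go in first so the scan rules, inserted afterwards, sit above them.
start() {
    firewall -I
    scans -I
}

stop() {
    scans -D
    firewall -D
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
exit 0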