
Need help with Firewall Script

Discussion in 'Tomato Firmware' started by JodelJoe, Mar 22, 2011.

  JodelJoe (Networkin' Nut Member)

    Hello everybody. I have been using Tomato for 2 years now and it
    is really great firmware. A few days ago I read about the firewall
    script in Tomato and started to read about iptables. I am not sure
    if I have really understood everything (I think not :D), so I started to
    search for other firewall and iptables scripts on the internet and
    copied the things I needed. I think I am ready now, but
    I am not 100% sure this works the way it should. Could someone take
    a look at this and tell me about mistakes or make any suggestions?
    Maybe some tips or enhancements?
    Here is a list of what I wanted to do with that script:

    - A possibility to access my external modem over the WAN port
      (I want to activate this manually by removing the # if needed)
    - Drop private networks from Internet to LAN
    - Drop multicast addresses for Internet and LAN
    - Drop Smurf attacks from Internet to LAN
    - Drop fragmented ICMP packets from Internet to LAN
    - Access only for new connections with the SYN flag from Internet to LAN
    - Drop invalid packets (packet size) from Internet to LAN
    - Drop known port scan techniques / packets with bad TCP flags only at WANIN
    - Drop packets from Internet to LAN services
    - Drop packets from LAN services to Internet
    - I want to be able to log dropped packets with WallWatcher


    ### Firewall Script ###
    # Note: rules appended with -A are evaluated after whatever Tomato has
    # already placed in wanin/wanout; use -I instead if a rule must come first.
    # Add route to access the external modem over the WAN port: gives vlan1
    # (Tomato's WAN interface) a second address in the modem's subnet and
    # masquerades LAN traffic towards it
    #ip addr add 192.168.178.254/24 dev vlan1 brd +
    #iptables -A POSTROUTING -t nat -o vlan1 -d 192.168.178.0/24 -j MASQUERADE
    ### DROP wanin ###
    # drop packets arriving from the Internet with private, link-local or
    # loopback source addresses (nothing legitimate originates from these there)
    iptables -A wanin -s 169.254.0.0/16 -j DROP
    iptables -A wanin -s 192.168.0.0/16 -j DROP
    iptables -A wanin -s 172.16.0.0/12 -j DROP
    iptables -A wanin -s 10.0.0.0/8 -j DROP
    iptables -A wanin -s 127.0.0.0/8 -j DROP
    # drop multicast (224.0.0.0/4) and reserved addresses; note that 240.0.0.0/5
    # only covers 240-247.x.x.x, the whole reserved class E range is 240.0.0.0/4
    iptables -A wanin -s 224.0.0.0/4 -j DROP
    iptables -A wanin -d 224.0.0.0/4 -j DROP
    iptables -A wanin -s 240.0.0.0/5 -j DROP
    iptables -A wanin -d 240.0.0.0/5 -j DROP
    iptables -A wanin -s 0.0.0.0/8 -j DROP
    iptables -A wanin -d 0.0.0.0/8 -j DROP
    # 239.255.255.0/24 lies inside 224.0.0.0/4, which is already dropped above,
    # so this rule never matches anything
    iptables -A wanin -d 239.255.255.0/24 -j DROP
    iptables -A wanin -d 255.255.255.255 -j DROP
    # drop Smurf attack: ICMP to any address whose last octet is .255
    # (non-contiguous mask, only the last octet is compared)
    iptables -A wanin -p icmp -d 0.0.0.255/0.0.0.255 -j DROP
    # drop fragmented ICMP packets (--fragment matches the second and later
    # fragments only; the first fragment still carries the ICMP header)
    iptables -A wanin -p icmp --fragment -j DROP
    # drop new TCP connections that do not start with a SYN
    iptables -A wanin -p tcp ! --syn -m state --state NEW -j DROP
    # drop TCP packets carrying option kinds 128 and 64. This is what these
    # rules actually test; they are not a packet size check, despite the
    # "invalid packets" label they usually carry
    iptables -A wanin -p tcp --tcp-option 128 -j DROP
    iptables -A wanin -p tcp --tcp-option 64 -j DROP
    ### drop packets with bad TCP flag combinations (port scan signatures)
    # --tcp-flags MASK COMP: of the flags in MASK, exactly those in COMP must be set
    # FIN/URG/PSH - Stealth XMAS scan
    iptables -A wanin -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    # SYN/RST/ACK/FIN/URG - Stealth XMAS-PSH scan
    iptables -A wanin -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    # ALL/ALL - Stealth XMAS-ALL scan
    iptables -A wanin -p tcp --tcp-flags ALL ALL -j DROP
    # ALL/FIN - Stealth FIN scan
    iptables -A wanin -p tcp --tcp-flags ALL FIN -j DROP
    # SYN/RST - Stealth SYN/RST scan
    iptables -A wanin -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    # SYN/FIN - Stealth SYN/FIN scan
    iptables -A wanin -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    # Null scan - Stealth Null scan
    iptables -A wanin -p tcp --tcp-flags ALL NONE -j DROP
    # Furtive port scanner: matches every bare RST, which also drops legitimate
    # connection resets, so it is left disabled
    #iptables -A wanin -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
    ### wanin / wanout CHAINS: service ports ###
    # wanin: drop connections from the Internet to these service ports on the LAN.
    # wanout: drop packets leaving the LAN whose *source* port is one of them,
    # i.e. LAN services answering towards the Internet.
    # Caveat: Tomato accepts established connections earlier in FORWARD, so
    # wanin/wanout only see the first packet of new connections. Clients pick an
    # ephemeral source port for every new outgoing connection, and Windows XP
    # and older use 1025-5000 for that, so the wanout rules for 1080, 1433,
    # 1723, 1900, 2049, 2869, 3128, 3306, 3389, 4444 and 5000 will silently
    # drop a share of ordinary outgoing connections from such clients.
    # Port -> service:
    #   0 (reserved), 1:19 (low ports), 20 ftp-data, 21 ftp, 22 ssh, 23 telnet,
    #   67 dhcp, 69 tftp, 80 HTTP, 135 rpc, 137:139 netbios, 443 HTTPS,
    #   445 ms-ds, 514 syslog, 631 IPP, 901 SWAT, 1080 Socks 4/5 proxy,
    #   1433 Microsoft SQL Server, 1723 VPN (PPTP), 1900 SSDP, 2049 NFS,
    #   2869 ICSLAP, 3128 Squid proxy, 3306 MySQL, 3389 RDP, 4444 W32.Blaster worm,
    #   5000 UPnP, 5001 Playstation3 Media Server, 8080 alternate HTTP
    PORTS="0 1:19 20 21 22 23 67 69 80 135 137:139 443 445 514 631 901 1080 1433 1723 1900 2049 2869 3128 3306 3389 4444 5000 5001 8080"
    # one tcp and one udp rule per port, in the order listed above
    for port in $PORTS; do
        for proto in tcp udp; do
            iptables -A wanin  -p $proto --dport $port -j DROP
            iptables -A wanout -p $proto --sport $port -j DROP
        done
    done
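A rule set like this can be sanity-checked offline before it is pasted into the Firewall script box. The following Python model is an added example, not code from JodelJoe's post or from Tomato: it implements the iptables matches the script leans on (-s/-d CIDR, -p, --sport/--dport, --tcp-flags MASK COMP) and answers two questions about a chain, which rule a given packet hits first, and which rules can never fire because an earlier rule in the same chain already covers everything they match. The sample rules are copied from the script above; the packets, the 203.0.113.x/198.51.100.x test addresses and the 192.168.1.10 client are constructed test data, and the Windows XP 1025-5000 ephemeral port range is general knowledge about XP, not something the post states.

```python
"""Offline model of the iptables matches the Tomato wanin/wanout script relies on
(-s/-d CIDR, -p, --sport/--dport, --tcp-flags MASK COMP). Added example, not code
from the post or from Tomato; -m state, --fragment, --tcp-option and
non-contiguous masks such as 0.0.0.255/0.0.0.255 are not modelled."""
import ipaddress
import shlex
from collections import namedtuple
from dataclasses import dataclass

TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}
ANY_NET, ANY_PORT = ipaddress.ip_network("0.0.0.0/0"), (0, 65535)
ATTR = {"-s": "src", "-d": "dst", "-p": "proto", "-j": "target", "--sport": "sport", "--dport": "dport"}

# Constructed packet: defaults are a plain SYN from an ephemeral port to port 80.
Packet = namedtuple("Packet", "src dst proto sport dport flags", defaults=("tcp", 40000, 80, TCP_FLAGS["SYN"]))


@dataclass
class Rule:
    chain: str
    target: str = ""
    src: ipaddress.IPv4Network = ANY_NET
    dst: ipaddress.IPv4Network = ANY_NET
    proto: str = None                  # None: any protocol
    sport: tuple = ANY_PORT
    dport: tuple = ANY_PORT
    flags_mask: int = 0                # 0: rule has no --tcp-flags match
    flags_comp: int = 0
    text: str = ""


def flag_bits(spec):
    """'SYN,RST' -> 6, 'ALL' -> 63, 'NONE' -> 0 (the spellings iptables accepts)."""
    if spec in ("ALL", "NONE"):
        return 63 if spec == "ALL" else 0
    return sum(TCP_FLAGS[f] for f in spec.split(","))


def parse_port(spec):
    """'22' -> (22, 22); '137:139' -> (137, 139)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_rule(line):
    """Parse one 'iptables -A CHAIN <matches> -j TARGET' line into a Rule."""
    toks = shlex.split(line)
    rule, i = Rule(chain=toks[2], text=line), 3
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt in ("-s", "-d"):
            setattr(rule, ATTR[opt], ipaddress.ip_network(arg, strict=False))
        elif opt in ("--sport", "--dport"):
            setattr(rule, ATTR[opt], parse_port(arg))
        elif opt in ("-p", "-j"):
            setattr(rule, ATTR[opt], arg)
        elif opt == "--tcp-flags":     # takes two arguments: MASK COMP
            rule.flags_mask, rule.flags_comp = flag_bits(arg), flag_bits(toks[i + 2])
            i += 1
        else:
            raise ValueError("unsupported option %r in: %s" % (opt, line))
        i += 2
    return rule


def matches(rule, pkt):
    """Kernel semantics: every match present in the rule must hold."""
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.proto in (None, pkt.proto)
            and rule.sport[0] <= pkt.sport <= rule.sport[1]
            and rule.dport[0] <= pkt.dport <= rule.dport[1]
            and (rule.flags_mask == 0 or (pkt.flags & rule.flags_mask) == rule.flags_comp))


def first_match(rules, chain, pkt):
    """First rule of `chain` that matches, or None if the packet falls through."""
    return next((r for r in rules if r.chain == chain and matches(r, pkt)), None)


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    flags_ok = outer.flags_mask == 0 or (
        (inner.flags_mask & outer.flags_mask) == outer.flags_mask
        and (inner.flags_comp & outer.flags_mask) == outer.flags_comp)
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.proto in (None, inner.proto)
            and outer.sport[0] <= inner.sport[0] <= inner.sport[1] <= outer.sport[1]
            and outer.dport[0] <= inner.dport[0] <= inner.dport[1] <= outer.dport[1]
            and flags_ok)


def shadowed_rules(rules):
    """(rule, earlier) pairs: `earlier` precedes `rule` in the same chain and
    already matches everything `rule` matches, so `rule` can never fire."""
    found = []
    for i, rule in enumerate(rules):
        earlier = next((e for e in rules[:i] if e.chain == rule.chain and covers(e, rule)), None)
        if earlier is not None:
            found.append((rule, earlier))
    return found


# A representative subset of the rules from the script above.
SAMPLE_RULES = [parse_rule(l) for l in """
iptables -A wanin -s 192.168.0.0/16 -j DROP
iptables -A wanin -d 224.0.0.0/4 -j DROP
iptables -A wanin -d 239.255.255.0/24 -j DROP
iptables -A wanin -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A wanin -p tcp --tcp-flags ALL NONE -j DROP
iptables -A wanin -p tcp --dport 22 -j DROP
iptables -A wanout -p tcp --sport 3389 -j DROP
""".splitlines() if l.strip()]

if __name__ == "__main__":
    for rule, earlier in shadowed_rules(SAMPLE_RULES):
        print("never fires:", rule.text, "| covered by:", earlier.text)
    # A null scan (no flags) is caught by the flags rule before any port rule.
    print(first_match(SAMPLE_RULES, "wanin", Packet("203.0.113.5", "198.51.100.7", dport=22, flags=0)).text)
    # Windows XP picks ephemeral source ports in 1025-5000, so an ordinary
    # outgoing HTTP request can leave with source port 3389 and hit the wanout drop.
    print(first_match(SAMPLE_RULES, "wanout", Packet("192.168.1.10", "198.51.100.7", sport=3389)).text)
```

Running it reports the 239.255.255.0/24 rule as dead (224.0.0.0/4 above it already covers it), shows the null-scan packet being dropped by the `--tcp-flags ALL NONE` rule before the port rules are reached, and shows an XP-style client whose random source port happens to be 3389 losing its outgoing HTTP connection to the wanout rule. To audit the full script, feed it every line that uses only the modelled matches; lines with `-m state`, `--fragment`, `--tcp-option` or the non-contiguous Smurf mask raise ValueError and have to be checked by hand.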
     
