-
Notifications
You must be signed in to change notification settings - Fork 1
/
Int-FW.startup
281 lines (149 loc) · 14 KB
/
Int-FW.startup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
# Internal Firewall with Squid Proxy capabilities is responsible to filter all
# inside traffic towards internal servers, allow internet and DMZ access.
# Its primary goal is to act as as a protection shield between the DMZ and
# the enterprise internal network.
ifconfig eth0 10.0.3.1/30
ifconfig eth1 10.0.1.1/30
ifconfig eth2 10.0.0.2/30
ifconfig eth3 10.0.2.1/30
ifconfig eth4 10.0.10.1/30
ifconfig eth5 10.0.8.1/30
ifconfig eth6 10.0.12.1/30
# Adding networks that are accessible through
# directly connected gateways.
# OpenVPN Server accessible through the DMZ Gateway VPN.
route add -net 172.16.1.0/30 gw 10.0.1.2
# Mail Server accessible through the DMZ Gateway Mail.
route add -net 192.168.1.0/30 gw 10.0.2.2
# Attaches GW-Dep-A.
route add -net 10.0.4.0/30 gw 10.0.3.2
# Attaches GW-Dep-B.
route add -net 10.0.6.0/30 gw 10.0.3.2
# Attaches Dep-A LAN.
route add -net 10.0.5.0/24 gw 10.0.3.2
# Attaches Dep-B LAN.
route add -net 10.0.7.0/24 gw 10.0.3.2
# Attaches Internal Servers LAN.
route add -net 10.0.9.0/29 gw 10.0.8.2
# Attaches LDAP LAN.
route add -net 10.0.11.0/30 gw 10.0.10.2
# Attaches Admin LAN.
route add -net 10.0.13.0/30 gw 10.0.12.2
# External Firewall as Default for the rest.
route add default gw 10.0.0.1
# Firewall Rules for the Internal Firewall
# DISABLES IP6 Traffic which is accepted by default.
ip6tables -t filter -P INPUT DROP
ip6tables -t filter -P OUTPUT DROP
ip6tables -t filter -P FORWARD DROP
# DEFAULT Policies are set to DROP towards whitelisting.
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
# LOGs of dropped packets matching XMAS scans and other malicious methodologies (Biswas, 2019).
# -sX flag from nmap (nmap.org, 2019).
# The field "--log-prefix=iptables:" makes log inspection much easier using
# cat /var/log/syslog | grep iptables
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL FIN,PSH,URG -m comment --comment "Logs Nmap Scan Type 1" -j LOG --log-prefix=iptables:
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -m comment --comment "Logs Nmap Scan Type 2" -j LOG --log-prefix=iptables:
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "Logs Nmap Scan Type 3" -j LOG --log-prefix=iptables:
# ESTABLISHED, RELATED are placed high in order inside chains to boost performance.
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Incoming Internal VPN connection" -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Outgoing Internal VPN connection" -j ACCEPT
iptables -A FORWARD -i eth0 -o eth3 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Incoming Internal Mail connection" -j ACCEPT
iptables -A FORWARD -i eth3 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Outgoing Internal Mail connection" -j ACCEPT
iptables -A FORWARD -i eth0 -o eth4 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Incoming Internal LDAP connection" -j ACCEPT
iptables -A FORWARD -i eth4 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Outgoing Internal LDAP connection" -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Incoming External WWW Connection" -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Outgoing External WWW Connection" -j ACCEPT
iptables -A FORWARD -i eth0 -o eth5 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Incoming Internal WWW Connection" -j ACCEPT
iptables -A FORWARD -i eth5 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Outgoing Internal WWW Connection" -j ACCEPT
iptables -A FORWARD -i eth6 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Incoming SSH from Admin to VPN" -j ACCEPT
iptables -A FORWARD -i eth1 -o eth6 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Outgoing SSH from Admin to VPN" -j ACCEPT
iptables -A FORWARD -i eth6 -o eth3 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Incoming SSH from Admin to Mail" -j ACCEPT
iptables -A FORWARD -i eth3 -o eth6 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Outgoing SSH from Admin to Mail" -j ACCEPT
iptables -A FORWARD -i eth6 -o eth5 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Incoming SSH from Admin to Internal Servers" -j ACCEPT
iptables -A FORWARD -i eth5 -o eth6 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Outgoing SSH from Admin to Internal Servers" -j ACCEPT
iptables -A FORWARD -i eth6 -o eth4 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Incoming SSH from Admin to LDAP" -j ACCEPT
iptables -A FORWARD -i eth4 -o eth6 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Outgoing SSH from Admin to LDAP" -j ACCEPT
# Forward chain logs of dropped packets matching malicious scans are placed after RELATED and
# ESTABLISHED for performance purposes.
iptables -A FORWARD -p tcp -m tcp --tcp-flags ALL FIN,PSH,URG -m comment --comment "Logs Nmap Scan Type 1" -j LOG --log-prefix=iptables:
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -m comment --comment "Logs Nmap Scan Type 2" -j LOG --log-prefix=iptables:
iptables -A FORWARD -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "Logs Nmap Scan Type 3" -j LOG --log-prefix=iptables:
# RULE 1 -- DNAT for DMZ's OpenVPN Server alongside FORWARD chain stateful rules.
# Only accepts connections from Dep-A and Dep-B IP range to follow the Least Privilege Principle.
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn --dport 1194 -m comment --comment "Routes incoming packets addressed to the VPN" -j DNAT --to-destination 172.16.1.2
iptables -A FORWARD -i eth0 -o eth1 -s 10.0.5.0/24 -d 172.16.1.2 -p tcp --syn --dport 1194 -m conntrack --ctstate NEW -m comment --comment "Only accept VPN connection initiations from the Dep-A LAN" -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 10.0.7.0/24 -d 172.16.1.2 -p tcp --syn --dport 1194 -m conntrack --ctstate NEW -m comment --comment "Only accept VPN connection initiations from the Dep-B LAN" -j ACCEPT
# RULE 2 -- DNAT for DMZ's Mail Server alongside FORWARD chain stateful rules.
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn --match multiport --dports 25,587,993 -m comment --comment "Routes incoming packets addressed to the Mail Server" -j DNAT --to-destination 192.168.1.2
iptables -A FORWARD -i eth0 -o eth3 -s 10.0.5.0/24 -d 192.168.1.2 -p tcp --syn --match multiport --dports 25,587,993 -m conntrack --ctstate NEW -m comment --comment "Accept new Mail connection initiation from Dep-A LAN" -j ACCEPT
iptables -A FORWARD -i eth0 -o eth3 -s 10.0.7.0/24 -d 192.168.1.2 -p tcp --syn --match multiport --dports 25,587,993 -m conntrack --ctstate NEW -m comment --comment "Accept new Mail connection initiation from Dep-B LAN" -j ACCEPT
# RULE 3 -- DNAT for Internal LDAP Server alongside FORWARD chain stateful rules for both UDP and TCP.
# UDP is implemented in a bidirectional manner due to the nature of LDAP (Reference: https://serverfault.com/questions/828769/need-iptables-port-forwarding-for-bidirectional-udp)
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 389 -m comment --comment "Makes a UDP connection behave like a TCP with bidirectional capabilities" -j MARK --set-mark 0x1
iptables -t nat -A PREROUTING -p udp -m mark --mark 0x1 -m comment --comment "Routes incoming UDP packets addressed to the internal LDAP Server" -j DNAT --to-destination 10.0.11.2:389
iptables -A FORWARD -i eth0 -o eth4 -s 10.0.5.0/24 -d 10.0.11.2 -p udp --dport 389 -m comment --comment "Accept new UDP LDAP connection from WMB LAN" -j ACCEPT
iptables -A FORWARD -i eth0 -o eth4 -s 10.0.7.0/24 -d 10.0.11.2 -p udp --dport 389 -m comment --comment "Accept new UDP LDAP connection from Dep-B LAN" -j ACCEPT
# TCP follows.
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn --dport 389 -m comment --comment "Routes incoming TCP packets addressed to the internal LDAP Server" -j DNAT --to-destination 10.0.11.2
iptables -A FORWARD -i eth0 -o eth4 -s 10.0.5.0/24 -d 10.0.11.2 -p tcp --syn --dport 389 -m conntrack --ctstate NEW -m comment --comment "Accept new TCP LDAP connection initiations from Dep-A LAN" -j ACCEPT
iptables -A FORWARD -i eth0 -o eth4 -s 10.0.7.0/24 -d 10.0.11.2 -p tcp --syn --dport 389 -m conntrack --ctstate NEW -m comment --comment "Accept new TCP LDAP connection initiations from Dep-B LAN" -j ACCEPT
# RULE 4 -- Internal users should connect to Ext-WWW and Int-WWW, look RULE 10 due to SQUID.
# Achieved above using the ESTABLISHED,RELATED. This is because it was done by forwarding
# port 80 and 443 packets towards the external firewall. The destination IP address is not
# specified assuming that websites in the public Internet can reside in any IP address and
# connection is achieved via the squid proxy therefore firewall's INPUT and OUTPUT chains.
# RULE 5 -- Internal users should connect to External DNS that resides in the public Internet (Ext-DNS).
# The destination address is specified to prevent attacks such as DNS poisoning.
iptables -A FORWARD -i eth0 -o eth2 -s 10.0.5.0/24 -d 8.8.8.8 -p udp --dport 53 -m comment --comment "External DNS Access from Dep-A LAN" -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -s 10.0.7.0/24 -d 8.8.8.8 -p udp --dport 53 -m comment --comment "External DNS Access from Dep-B LAN" -j ACCEPT
# RULE 6 -- Internal users should connect to Internal DNS (Int-DNS).
iptables -A FORWARD -i eth0 -o eth5 -s 10.0.5.0/24 -d 10.0.9.2 -p udp --dport 53 -m comment --comment "Internal DNS Access from Dep-A LAN" -j ACCEPT
iptables -A FORWARD -i eth0 -o eth5 -s 10.0.7.0/24 -d 10.0.9.2 -p udp --dport 53 -m comment --comment "Internal DNS Access from Dep-B LAN" -j ACCEPT
# RULE 7 -- Internal users should be able to ping the DMZ and internal servers (never the other way around) and never the admin LAN.
iptables -A FORWARD -i eth0 ! -o eth6 -p icmp --icmp-type echo-request -m comment --comment "Internal clients to Ping internal and DMZ servers" -j ACCEPT
iptables -A FORWARD ! -i eth0 -p icmp --icmp-type echo-reply -m comment --comment "Pong response from internal clients and DMZ servers to internal clients" -j ACCEPT
# RULE 8 -- Admins should be able to ping the DMZ and internal servers and not the other way around.
iptables -A FORWARD -i eth6 -p icmp --icmp-type echo-request -m comment --comment "Admin clients to Ping internal and DMZ servers" -j ACCEPT
iptables -A FORWARD ! -i eth6 -p icmp --icmp-type echo-reply -m comment --comment "Pong response from internal clients and DMZ servers to Admin clients" -j ACCEPT
# RULE 9 -- Internal Firewall receives and replies to pings.
iptables -A INPUT -p icmp --icmp-type echo-request -m comment --comment "Ping to Int-FW" -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -m comment --comment "Pong from Int-FW" -j ACCEPT
# RULE 10 -- SQUID PROXY for Logging, Caching and Filtering for both external and internal servers
# and this is why this is placed in the internal firewall and not in the external.
# Squid Proxy
# Redirection to transparent proxy. Transparent is chosen to prevent installing corresponding
# settings to all client machines (I.T Consulting, 2019), (TechMint-a, 2014).
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn --dport 80 -m comment --comment "Redirection to transparent proxy" -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn --dport 443 -m comment --comment "Redirection to transparent proxy" -j REDIRECT --to-port 3129
# Internal machines from Dep-B and Dep-A LAN connect to the external and internal internet without
# any impact on user experience, caching makes responses much faster for all users and does not
# depend on department since it is placed in the internal firewall.
iptables -A INPUT -i eth0 -s 10.0.5.0/24 -p tcp --match multiport --dports 3128,3129 -m comment --comment "Dep-A LAN external/internal internet access" -j ACCEPT
iptables -A INPUT -i eth0 -s 10.0.7.0/24 -p tcp --match multiport --dports 3128,3129 -m comment --comment "Dep-B LAN external/internal internet access" -j ACCEPT
iptables -A INPUT -i eth2 -s 201.224.0.0/16 -p tcp -m comment --comment "Response from Ext-WWW to transparent proxy" -j ACCEPT
# Allows internal WWW (Int-WWW) connections to be cached as well.
iptables -A INPUT -i eth5 -s 10.0.9.3 -p tcp -m comment --comment "Response from Int-WWW to transparent proxy" -j ACCEPT
# The output of the internal firewall after proxying is then forwarded, "! - o" is necessary
# to avoid remote logging confusion.
iptables -A OUTPUT ! -o eth4 -p tcp -m comment --comment "Squid proxy redirection forward continues" -j ACCEPT
# SQUID LOG
touch /var/log/squid/access.log
chmod 777 /var/log/squid/access.log
mkdir /var/cache/squid
service squid start
# RULE 11 -- SSH forwarding including misdirection ports and port knocking legit ports.
# Misdirection ports.
iptables -A FORWARD -s 10.0.13.0/30 -i eth6 -p tcp --syn --dport 22456 -m conntrack --ctstate NEW -m comment --comment "Misdirection Port Allowance" -j ACCEPT
iptables -A FORWARD -s 10.0.13.0/30 -i eth6 -p tcp --syn --dport 38964 -m conntrack --ctstate NEW -m comment --comment "Misdirection Port Allowance" -j ACCEPT
# The actual sequence port is 1887.
iptables -A FORWARD -s 10.0.13.0/30 -i eth6 -p tcp --syn --dport 1887 -m conntrack --ctstate NEW -m comment --comment "Port Knock Allowance" -j ACCEPT
# SSH Port is 36747 and not 22.
iptables -A FORWARD -s 10.0.13.0/30 -i eth6 -p tcp --syn --dport 36747 -m conntrack --ctstate NEW -j ACCEPT
# REMOTE Logs (TechMint-b, 2018)
service rsyslog restart
# RULE 12 -- REMOTE LOGGING performed in the LDAP server.
iptables -A INPUT -i eth4 -s 10.0.11.2 -p tcp -j ACCEPT
iptables -A OUTPUT -d 10.0.11.2 -p tcp --dport 514 -j ACCEPT