From 27cb9e1c6ffc78b079ab6d3db91c2fea70d962b6 Mon Sep 17 00:00:00 2001 From: Vopic Date: Tue, 31 Oct 2017 11:44:14 +0000 Subject: [PATCH] Added Firewall --- Firewall/Docs/README.md | 203 +++++++ Firewall/LICENSE | 21 + Firewall/Modules/DropModule/Makefile | 10 + Firewall/Modules/DropModule/deleteFiles.sh | 6 + Firewall/Modules/DropModule/drop.c | 37 ++ Firewall/Modules/DropModule/insertModule.sh | 11 + Firewall/Modules/NetfilterModule/Makefile | 9 + .../Modules/NetfilterModule/deleteFiles.sh | 6 + .../Modules/NetfilterModule/insertModule.sh | 11 + .../Modules/NetfilterModule/netfilterModule.c | 520 ++++++++++++++++++ Firewall/Modules/StarterModule/Makefile | 18 + Firewall/Modules/StarterModule/headers.sh | 8 + .../Modules/StarterModule/insertModule.sh | 11 + .../Modules/StarterModule/starterModule.c | 24 + Firewall/README.md | 110 ++++ Firewall/Scripts/monitor.pl | 27 + Firewall/Scripts/setPolicy_accept.sh | 15 + Firewall/Scripts/setPolicy_drop.sh | 15 + Firewall/Scripts/setRules.sh | 63 +++ Firewall/Scripts/setRulesDrop.sh | 36 ++ 20 files changed, 1161 insertions(+) create mode 100755 Firewall/Docs/README.md create mode 100755 Firewall/LICENSE create mode 100755 Firewall/Modules/DropModule/Makefile create mode 100755 Firewall/Modules/DropModule/deleteFiles.sh create mode 100755 Firewall/Modules/DropModule/drop.c create mode 100755 Firewall/Modules/DropModule/insertModule.sh create mode 100755 Firewall/Modules/NetfilterModule/Makefile create mode 100755 Firewall/Modules/NetfilterModule/deleteFiles.sh create mode 100755 Firewall/Modules/NetfilterModule/insertModule.sh create mode 100755 Firewall/Modules/NetfilterModule/netfilterModule.c create mode 100755 Firewall/Modules/StarterModule/Makefile create mode 100755 Firewall/Modules/StarterModule/headers.sh create mode 100755 Firewall/Modules/StarterModule/insertModule.sh create mode 100755 Firewall/Modules/StarterModule/starterModule.c create mode 100755 Firewall/README.md create mode 100755 Firewall/Scripts/monitor.pl create mode 100755 Firewall/Scripts/setPolicy_accept.sh create mode 100755 Firewall/Scripts/setPolicy_drop.sh create mode 100755 Firewall/Scripts/setRules.sh create mode 100755 Firewall/Scripts/setRulesDrop.sh diff --git a/Firewall/Docs/README.md b/Firewall/Docs/README.md new file mode 100755 index 0000000..640099f --- /dev/null +++ b/Firewall/Docs/README.md @@ -0,0 +1,203 @@ +# Firewall Guide + +## Table Of Contents + +* Installation +* Commands + * List + * Accept + * Drop + * Save + * Flush +* Kernel + * Commands +* Netfilter + * Netfilter Hooks + * Netfilter Modules +* Resources + + + + +## Installation +IP Tables almost always comes pre-installed on linux, if that is not the case then it can be installed using: + +```command line +sudo apt-get install iptables +``` + + +## Commands + + +#### List +To see what your policy chains are currently configured to do with unmatched traffic. + +```cmd +iptables -L +``` + +To display detailed information (show the interface name, the rule options, the TOS masks and the packet and byte counters) **-v** can be added.
+To display IP address and port in numeric format. Do not use DNS to resolve names. This will speed up listing. Use **-n**. + +```cmd +iptables -L -v -n --line-numbers +``` + +To display incomming and outgoing connection rules. + +```cmd +# iptables -L INPUT -n -v +# iptables -L OUTPUT -n -v --line-numbers +``` + + + +#### Accept +The command to accept connections by default. + +```cmd +iptables --policy INPUT ACCEPT +iptables --policy OUTPUT ACCEPT +iptables --policy FORWARD ACCEPT +``` + +SSH connections FROM 10.10.10.10 are permitted, but SSH connections TO 10.10.10.10 are not. However, the system is permitted to send back information over SSH as long as the session has already been established, which makes SSH communication possible between these two hosts. + +``` +iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT +iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT +``` + + +#### Drop +The command to drop connections by default. + +```cmd +iptables --policy INPUT DROP +iptables --policy OUTPUT DROP +iptables --policy FORWARD DROP +``` + +Example of dropping a connection: + +```cmd +iptables -A INPUT -s 10.10.10.10 -j DROP // SINGLE IP +iptables -A INPUT -s 10.10.10.0/24 -j DROP // RANGE OF IPS +``` + +Example for dropping specific port: + +```cmd +iptables -A INPUT -p tcp --dport ssh -j DROP // DROPS ANY SSH CONNECTION +iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP // DROPS SSH CONNECITON FROM SPECIFIED IP +``` + + +#### Save +To save on ubuntu: + +```cmd +sudo /sbin/iptables-save +``` + + +#### Flush +To clear the current rules, flush command can be used. + +```cmd +iptables -F +``` + + +## Kernel Module + + +### Utilities to Manipulate Kernel Modules + +#### lsmod +Lsmod will show currentely loaded modules into the kernel. + +```cmd +# lsmod +Module Size Used by +dm_crypt 24803 1 +hid_generic 16545 0 +usb_hid 24265 1 +.. +``` + +#### insmod +Insmod inserts new module into the Kernel Modules. + +```cmd +# insmod /lib/modules/3.5.0-19-generic/kernel/fs/squashfs/squashfs.ko + +# lsmod | grep "squash" +squashfs 24214 1 +``` + +#### modinfo +Modinfo will display information about the module. + +```cmd +# modinfo /lib/modules/3.5.0-19-generic/kernel/drivers/net/fjes/fjes.ko + +filename: /lib/modules/3.5.0-19-generic/kernel/drivers/net/fjes/fjes.ko +version: 1.1 +license: GPL +author: Taku Izumi +description: Socket Network Device Driver +srcversion: 3411C5E01C7BDA50105EEE7 +depends: +intree: Y +vermagic: 3.5.0-19-generic SMP mod_unload modversions 686 +``` + +#### rmmod +Removes module from the kernel + +```cmd +rmmod fjes.ko +``` + + +## Netfilter + + +### Netfilter hooks + +1. NF_IP_PRE_ROUTING - where packets come in: having passed the simple sanity checks (i.e., not truncated, IP checksum OK, not a promiscuous receive) + +2. NF_IP_LOCAL_IN - the routing code, which decides whether the packet is destined for another interface, or a local process. The routing code may drop packets that are unroutable. + +3. NF_IP_FORWARD - called when packed is destined to pass to another interface instead. + +4. NF_IP_POST_ROUTING - The final netfilter hook where the packet passes before being put on the wire again. + +5. NF_IP_LOCAL_OUT - called for packets that are created locally. Here you can see that routing occurs after this hook is called: in fact, the routing code is called first (to figure out the source IP address and some IP options): if you want to alter the routing, you must alter the 'skb->dst' field yourself, as is done in the NAT code. + + +### Netfilter modules + +Kernel modules can register to listen at any of these hooks. A module that registers a function must specify the priority of the function within the hook; then when that netfilter hook is called from the core networking code, each module registered at that point is called in the order of priorites, and is free to manipulate the packet. The module can then tell netfilter to do one of five things: + + 1. NF_ACCEPT: continue traversal as normal. + + 2. NF_DROP: drop the packet; don't continue traversal. + + 3. NF_STOLEN: I've taken over the packet; don't continue traversal. + + 4. NF_QUEUE: queue the packet (usually for userspace handling). + + 5. NF_REPEAT: call this hook again. + + +## Resources + +### The Beginner’s Guide to iptables, the Linux Firewall + +### Linux: 20 Iptables Examples For New SysAdmins + +### Iptables Essentials: Common Firewall Rules and Commands + diff --git a/Firewall/LICENSE b/Firewall/LICENSE new file mode 100755 index 0000000..8864d4a --- /dev/null +++ b/Firewall/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2017 + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/Firewall/Modules/DropModule/Makefile b/Firewall/Modules/DropModule/Makefile new file mode 100755 index 0000000..bca130b --- /dev/null +++ b/Firewall/Modules/DropModule/Makefile @@ -0,0 +1,10 @@ +CONFIG_MODULE_SIG=n +CONFIG_MODULE_SIG_ALL=n + +obj-m += drop.o + +all: + make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules + +clean: + make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean diff --git a/Firewall/Modules/DropModule/deleteFiles.sh b/Firewall/Modules/DropModule/deleteFiles.sh new file mode 100755 index 0000000..02b1471 --- /dev/null +++ b/Firewall/Modules/DropModule/deleteFiles.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +# Remove the kernel files +rm .* +rm modules.order Module.symvers *.ko *.mod.c *.o +rm -r .tmp_versions diff --git a/Firewall/Modules/DropModule/drop.c b/Firewall/Modules/DropModule/drop.c new file mode 100755 index 0000000..7182e0f --- /dev/null +++ b/Firewall/Modules/DropModule/drop.c @@ -0,0 +1,37 @@ +#include +#include +#include +#include + +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("PAMELA SABIO, ERYK SZLACHETKA"); +MODULE_DESCRIPTION("A kernel module to drop packets"); + +static struct nf_hook_ops netfilter_ops_in; // NF_IP_PRE_ROUTING +static struct nf_hook_ops netfilter_ops_out; // NF_IP_POST_ROUTING + +// Function prototype in +unsigned int hook_func(void *priv, struct sk_buff *skb, const struct nf_hook_state *state) +{ + return NF_DROP; //Drop ALL Packets +} +int init_module() +{ + netfilter_ops_in.hook = hook_func; + netfilter_ops_in.pf = PF_INET; + netfilter_ops_in.hooknum = NF_INET_PRE_ROUTING; + netfilter_ops_in.priority = NF_IP_PRI_FIRST; + //netfilter_ops_out.hook = hook_func; + //netfilter_ops_out.pf = PF_INET; + //netfilter_ops_out.hooknum = NF_INET_POST_ROUTING; + //netfilter_ops_out.priority = NF_IP_PRI_FIRST; + nf_register_hook(&netfilter_ops_in); // register NF_IP_PRE_ROUTING hook */ + //nf_register_hook(&netfilter_ops_out); // register NF_IP_POST_ROUTING hook */ + return 0; +} + +void cleanup_module() +{ + nf_unregister_hook(&netfilter_ops_in); //unregister NF_IP_PRE_ROUTING hook + nf_unregister_hook(&netfilter_ops_out); //unregister NF_IP_POST_ROUTING hook +} diff --git a/Firewall/Modules/DropModule/insertModule.sh b/Firewall/Modules/DropModule/insertModule.sh new file mode 100755 index 0000000..19793c8 --- /dev/null +++ b/Firewall/Modules/DropModule/insertModule.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +# Inserts module to the kernel +insmod drop.ko +# Will display init function +dmesg | tail -1 + +# Removes the module from the kernel +#rmmod drop.ko +# Will display exit function +#dmesg | tail -1 diff --git a/Firewall/Modules/NetfilterModule/Makefile b/Firewall/Modules/NetfilterModule/Makefile new file mode 100755 index 0000000..bb9e718 --- /dev/null +++ b/Firewall/Modules/NetfilterModule/Makefile @@ -0,0 +1,9 @@ +CONFIG_MODULE_SIG=n + +obj-m += netfilterModule.o + +all: + make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules + +clean: + make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean diff --git a/Firewall/Modules/NetfilterModule/deleteFiles.sh b/Firewall/Modules/NetfilterModule/deleteFiles.sh new file mode 100755 index 0000000..02b1471 --- /dev/null +++ b/Firewall/Modules/NetfilterModule/deleteFiles.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +# Remove the kernel files +rm .* +rm modules.order Module.symvers *.ko *.mod.c *.o +rm -r .tmp_versions diff --git a/Firewall/Modules/NetfilterModule/insertModule.sh b/Firewall/Modules/NetfilterModule/insertModule.sh new file mode 100755 index 0000000..f384adb --- /dev/null +++ b/Firewall/Modules/NetfilterModule/insertModule.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +# Inserts module to the kernel +insmod netfilterModule.ko +# Will display init function +dmesg | tail -10 + +# Removes the module from the kernel +# rmmod netfilterModule.ko +# Will display exit function +# dmesg | tail -1 diff --git a/Firewall/Modules/NetfilterModule/netfilterModule.c b/Firewall/Modules/NetfilterModule/netfilterModule.c new file mode 100755 index 0000000..3edd49d --- /dev/null +++ b/Firewall/Modules/NetfilterModule/netfilterModule.c @@ -0,0 +1,520 @@ +#define PROTOCOL_TCP 6 +#define PROTOCOL_UDP 17 +#define PROTOCOL_SMTP 25 +#define PROTOCOL_HTTP 80 +#define PROTOCOL_HTTPS 443 +#define ONE 1 +#define ZERO 0 + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +MODULE_LICENSE("GPL"); // Set the license +MODULE_AUTHOR("Eryk Szlachetka, Pamela Sabio"); // Set the Authors +MODULE_DESCRIPTION("Kernel module to replace functionality of IPTables, allow the user to access TCP/UDP protocols with specific ports only."); // Set the description + +void drop_all_packets(void); +unsigned int port_str_to_int(char *port_str); +unsigned int ip_str_to_hl(char *ip_str); + +/* Firewall policy struct */ +struct mf_rule_desp { + unsigned char in_out; + char *src_ip, *src_netmask, *dest_ip, *dest_netmask;//, *destination_port, *source_port; + unsigned int destination_port, source_port; + unsigned char proto; + unsigned char action; +}; + +/* Firewall policy struct */ + +struct mf_rule { + unsigned char in_out; // 0 = Neither IN nor OUT, 1 = IN, 2 = OUT + unsigned int src_ip; + unsigned int src_netmask; + unsigned int source_port; + unsigned int dest_ip; + + unsigned int dest_netmask; + unsigned int destination_port; + unsigned char proto; // 0 = all, 1 = TCP, 2 = UDP + unsigned char action; // 0 = BLOCK, 1 = UNBLOCK + struct list_head list; +}; + +static struct mf_rule policy_list; +static struct nf_hook_ops nfho_in; +static struct nf_hook_ops nfho_out; +unsigned char *telnet_port = "x00\x17"; // The telnet port +struct udphdr *udp_header, *udp_header_out; +struct sk_buff *sk_buffer_in, *sk_buffer_out; +struct iphdr *ip_header, *ip_header_out; +struct tcphdr *tcp_header, *tcp_header_out; + + +unsigned int port_str_to_int(char *port_str) { + unsigned int port = 0; + int i = 0; + + if (port_str==NULL) { + return 0; + } + + while (port_str[i]!=' ') { + port = port*10 + (port_str[i]-'0'); + ++i; + } + + return port; +} + +unsigned int ip_str_to_hl(char *ip_str) { + + /* Convert the STRING to BYTE ARRAY first, e.g.: from "122.111.195.3" to [122][111][195][3]*/ + unsigned char ip_array[4]; + int i = 0; + unsigned int ip = 0; + + if (ip_str==NULL) { + return 0; + } + + memset(ip_array, 0, 4); + + while (ip_str[i]!='.') { + ip_array[0] = ip_array[0]*10 + (ip_str[i++]-'0'); + } + + ++i; + + while (ip_str[i]!='.') { + ip_array[1] = ip_array[1]*10 + (ip_str[i++]-'0'); + } + + ++i; + + while (ip_str[i]!='.') { + ip_array[2] = ip_array[2]*10 + (ip_str[i++]-'0'); + } + + ++i; + + while (ip_str[i]!=' ') { + ip_array[3] = ip_array[3]*10 + (ip_str[i++]-'0'); + } + + /* Convert from BYTE ARRAY to HOST LONG INT format */ + ip = (ip_array[0] << 24); + ip = (ip | (ip_array[1] << 16)); + ip = (ip | (ip_array[2] << 8)); + ip = (ip | ip_array[3]); + return ip; + +} + +// Hook for outgoing packets. +unsigned int hook_func_out(void *priv, struct sk_buff *skb, const struct nf_hook_state *state){ + struct list_head *lh; + struct mf_rule *rule; + // Local variables for ip addresses, ports and data. + unsigned int destination_ip; + unsigned int source_ip; + unsigned int destination_port, source_port = 0; + int i = 0; + + ip_header_out = (struct iphdr *)skb_network_header(skb); // Assign$ + + // Initialize ips + destination_ip = (unsigned int) ip_header_out -> daddr; + source_ip = (unsigned int) ip_header_out -> saddr; + + printk(KERN_INFO "Outgoing packet."); + + // Check if we are dealing with UDP PACKET + if (ip_header_out->protocol == PROTOCOL_UDP){ + printk(KERN_INFO "UDP Packet Out\n"); + udp_header_out = (struct udphdr *)(skb_transport_header(skb)); + source_port = (unsigned int)ntohs(udp_header_out->source); + destination_port = (unsigned int)ntohs(udp_header_out ->dest); + }else if (ip_header_out->protocol == PROTOCOL_TCP) // Check if we are dealing with TCP PACKET + { + printk(KERN_INFO "TCP Packet Out\n"); + tcp_header_out = (struct tcphdr *)(skb_transport_header(skb)); + //tcp_header_out = + source_port = (unsigned int)ntohs(tcp_header_out->source); + destination_port = (unsigned int)ntohs(tcp_header_out ->dest); + }else{ + return NF_STOLEN; + } + + /*printk(KERN_INFO "OUT / DEST IP: %u Ip_str: %u", destination_ip, ip_str_to_hl("223.202.132.112")); + if(destination_ip == 2551672010 || source_ip == 2551672010){ + printk(KERN_INFO "Test Blocked BLOCKED!"); + return NF_STOLEN; + }*/ + // bing = 847278282 + + list_for_each(lh,&policy_list.list){ + i++; + rule = list_entry(lh, struct mf_rule, list); + // Check if we are not working with "in" packet + if(rule -> in_out != 2){ + continue; // Skip it + }else{ + printk(KERN_INFO "In OUT Packet"); + // Compare rule and the ip_header + if(((rule -> proto == ONE) && ((ip_header_out->protocol != PROTOCOL_TCP) && (ip_header_out->protocol != PROTOCOL_UDP)))){ + printk(KERN_INFO "Skipping TCP / OUT"); + continue; + } + printk(KERN_INFO "After TCP/UDPs Dest_Rule: %u Dest: %u / OUT", ((unsigned int)rule->destination_port), ((unsigned int)destination_port)); + + if( (destination_port == ((unsigned int)rule->destination_port)) || (source_port == ((unsigned int)rule->destination_port)) ){ + printk(KERN_INFO "After comparing the ports / OUT"); + + //a match is found: take action + if (rule->action == 0) { + printk(KERN_INFO "DROPPING PACKET OUT!"); + return NF_STOLEN; + } else { + printk(KERN_INFO "ALLOWING PACKET OUT!"); + return NF_ACCEPT; + } + }else{ + continue; + } + } + continue; + } + + + printk(KERN_INFO "Returning stolen. / OUT"); + return NF_STOLEN; // If packets weren't accept so far, that means we can drop it.*/ + +} + +// Hook function for incoming packets. +unsigned int hook_func_in(void *priv, struct sk_buff *skb, const struct nf_hook_state *state){ + struct list_head *lh; + struct mf_rule *rule; + unsigned int source_ip; + unsigned int destination_ip; + unsigned int source_port, destination_port = 0; + int i = 0; + + ip_header= (struct iphdr *)skb_network_header(skb); // Assign the ip_header + + //Initialize variables + source_ip = (unsigned int)ip_header->saddr; + destination_ip = (unsigned int)ip_header->daddr; + + if (ip_header->protocol == PROTOCOL_UDP){ + printk(KERN_INFO "UDP Packet\n"); + udp_header = (struct udphdr *)(skb_transport_header(skb)); // Assign header + // Assign ports + source_port = (unsigned int)ntohs(udp_header->source); + destination_port = (unsigned int)ntohs(udp_header->dest); + }else if (ip_header->protocol == PROTOCOL_TCP) // Check if it is TCP protocol + { + printk(KERN_INFO "TCP Packet\n"); + tcp_header = (struct tcphdr *)(skb_transport_header(skb)+20); // Assign header + // Assign ports + source_port = (unsigned int)ntohs(tcp_header->source); + destination_port = (unsigned int)ntohs(tcp_header->dest); + }else{ + return NF_STOLEN; + } + /* + printk(KERN_INFO "IN / DEST IP: %u Ip_str: %u", destination_ip, ip_str_to_hl("223.202.132.112")); + if(destination_ip == 2551672010 || source_ip == 2551672010){ + printk(KERN_INFO "Test BLOCKED!"); + return NF_STOLEN; + }*/ + //chinesetest.cn = 223.202.132.112 + + list_for_each(lh,&policy_list.list){ + printk(KERN_INFO "List For Each / IN"); + i++; + rule = list_entry(lh, struct mf_rule, list); + // Check if we are not working with "in" packet + if(rule -> in_out != 1){ + continue; // Skip it + }else{ + printk(KERN_INFO "In Packet / IN"); + // Compare rule and the ip_header + if(((rule -> proto == ONE) && ((ip_header->protocol != PROTOCOL_TCP) && (ip_header->protocol != PROTOCOL_UDP)))){ + printk(KERN_INFO "Skipping TCP/UDP / IN"); + continue; + } + + printk(KERN_INFO "After TCP/UDPs Dest_Rule: %u Source: %u Dest: %u/ IN", ((unsigned int)rule->destination_port), ((unsigned int)source_port), ((unsigned int)destination_port)); + + + if( (destination_port == ((unsigned int)rule->destination_port)) || (source_port == ((unsigned int)rule->destination_port))){ + //a match is found: take action + if (rule->action == 0) { + printk(KERN_INFO "DROPPING PACKET IN!"); + return NF_STOLEN; + } else { + printk(KERN_INFO "ALLOWING PACKET IN!"); + return NF_ACCEPT; + } + }else{ + return NF_ACCEPT; + } + } + continue; + } + printk(KERN_INFO "Returning STOLEN %d / IN", ip_header->protocol); + return NF_STOLEN; + +} + +void add_rule(struct mf_rule_desp * rule_desp_struct, int n){ + struct mf_rule *rule; + rule = kmalloc(sizeof(*rule), GFP_KERNEL); + + if (rule == NULL) { + printk(KERN_INFO "ERROR ! MEMORY ALLOCATION FAILED !"); + return; + } + + printk(KERN_INFO "Adding rule."); + rule->in_out = rule_desp_struct->in_out; + rule->src_ip = ip_str_to_hl(rule_desp_struct->src_ip); + rule->src_netmask = ip_str_to_hl(rule_desp_struct->src_netmask); + //rule->source_port = port_str_to_int(rule_desp_struct->source_port); + rule->source_port = rule_desp_struct->source_port; + rule->dest_ip = ip_str_to_hl(rule_desp_struct->dest_ip); + rule->dest_netmask = ip_str_to_hl(rule_desp_struct->dest_netmask); + //rule->destination_port = port_str_to_int(rule_desp_struct->destination_port); + rule->destination_port = rule_desp_struct->destination_port; + rule->proto = rule_desp_struct->proto; + rule->action = rule_desp_struct->action; + printk(KERN_INFO "Finished adding.\n"); + + INIT_LIST_HEAD(&(rule->list)); + list_add_tail(&(rule->list), &(policy_list.list)); +} + +// Function to drop all the packets +void set_all_packets(void){ + struct mf_rule_desp rule_allow_tcp_ssh_incoming, rule_allow_tcp_ssh_outgoing; + struct mf_rule_desp rule_allow_http_incoming, rule_allow_http_outgoing; + struct mf_rule_desp rule_allow_https_incoming, rule_allow_https_outgoing; + struct mf_rule_desp rule_allow_dns_in, rule_allow_dns_out; + struct mf_rule_desp rule_allow_ipc_in, rule_allow_ipc_out; + + printk(KERN_INFO "\n\nSetting the rules.\n\n"); + + printk(KERN_INFO "Allowing SSH INPUT.\n"); + rule_allow_tcp_ssh_incoming.in_out = 1; // 0 = neither in or out, 1 = in, 2 = out + rule_allow_tcp_ssh_incoming.src_ip = (char *)kmalloc(16, GFP_KERNEL); + strcpy(rule_allow_tcp_ssh_incoming.src_ip, "10.0.2.15"); // TODO: CHANGE THE IP + rule_allow_tcp_ssh_incoming.src_netmask = (char *)kmalloc(16, GFP_KERNEL); + strcpy(rule_allow_tcp_ssh_incoming.src_netmask, "255.255.255.255"); + rule_allow_tcp_ssh_incoming.source_port = 0; + rule_allow_tcp_ssh_incoming.dest_ip = NULL; + rule_allow_tcp_ssh_incoming.dest_netmask = NULL; + //rule_allow_tcp_ssh_incoming.destination_port = (char *)kmalloc(16, GFP_KERNEL); + //strcpy(rule_allow_tcp_ssh_incoming.destination_port, "22"); + rule_allow_tcp_ssh_incoming.destination_port = 22; + rule_allow_tcp_ssh_incoming.proto = 1; // TCP + rule_allow_tcp_ssh_incoming.action = 1; // BLOCK ACTION (DROP) + add_rule(&rule_allow_tcp_ssh_incoming, 0); + + printk(KERN_INFO "Allowing SSH OUTPUT\n"); + rule_allow_tcp_ssh_outgoing.in_out = 2; // 0 = neither in or out, 1 = in, 2 = out + rule_allow_tcp_ssh_outgoing.src_ip = (char *)kmalloc(16, GFP_KERNEL); + strcpy(rule_allow_tcp_ssh_outgoing.src_ip, "10.0.2.15"); // TODO: CHANGE THE IP + rule_allow_tcp_ssh_outgoing.src_netmask = (char *)kmalloc(16, GFP_KERNEL); + strcpy(rule_allow_tcp_ssh_outgoing.src_netmask, "255.255.255.255"); + //rule_allow_tcp_ssh_outgoing.source_port = (char *)kmalloc(16, GFP_KERNEL); + //strcpy(rule_allow_tcp_ssh_outgoing.source_port, "22"); + rule_allow_tcp_ssh_outgoing.source_port = 0; + rule_allow_tcp_ssh_outgoing.dest_ip = NULL; + rule_allow_tcp_ssh_outgoing.dest_netmask = NULL; + rule_allow_tcp_ssh_outgoing.destination_port = 22; + rule_allow_tcp_ssh_outgoing.proto = 1; // 0 all, 1 tcp, 2 udp + rule_allow_tcp_ssh_outgoing.action = 1; // 0 for block, 1 for unblock + add_rule(&rule_allow_tcp_ssh_outgoing,1); + + printk(KERN_INFO "Allowing HTTP INPUT\n"); + rule_allow_http_incoming.in_out = 1; + rule_allow_http_incoming.src_ip = (char *)kmalloc(16, GFP_KERNEL); + strcpy(rule_allow_http_incoming.src_ip, "10.0.2.15"); + rule_allow_http_incoming.src_netmask = (char *)kmalloc(16,GFP_KERNEL); + strcpy(rule_allow_http_incoming.src_netmask, "255.255.255.255"); + rule_allow_http_incoming.source_port = 0; + rule_allow_http_incoming.dest_ip = NULL; + rule_allow_http_incoming.dest_netmask = NULL; + //rule_allow_http_incoming.destination_port = (char *)kmalloc(16,GFP_KERNEL); + //strcpy(rule_allow_http_incoming.destination_port, "80"); + rule_allow_http_incoming.destination_port = 80; + rule_allow_http_incoming.proto = 1; + rule_allow_http_incoming.action = 1; + add_rule(&rule_allow_http_incoming,2); + + printk(KERN_INFO "Allowing HTTP OUTPUT\n"); + rule_allow_http_outgoing.in_out = 2; + rule_allow_http_outgoing.src_ip = (char *)kmalloc(16, GFP_KERNEL); + strcpy(rule_allow_http_outgoing.src_ip, "10.0.2.15"); + rule_allow_http_outgoing.src_netmask = (char *)kmalloc(16,GFP_KERNEL); + strcpy(rule_allow_http_outgoing.src_netmask, "255.255.255.255"); + //rule_allow_http_outgoing.source_port = (char *)kmalloc(16,GFP_KERNEL); + //strcpy(rule_allow_http_outgoing.source_port, "80"); + rule_allow_http_outgoing.source_port = 0; + rule_allow_http_outgoing.dest_ip = NULL; + rule_allow_http_outgoing.dest_netmask = NULL; + rule_allow_http_outgoing.destination_port = 80; + rule_allow_http_outgoing.proto = 1; + rule_allow_http_outgoing.action = 1; + add_rule(&rule_allow_http_outgoing,3); + + + printk(KERN_INFO "Allowing HTTPS INPUT\n"); + rule_allow_https_incoming.in_out = 1; + rule_allow_https_incoming.src_ip = (char *)kmalloc(16, GFP_KERNEL); + strcpy(rule_allow_https_incoming.src_ip, "10.0.2.15"); + rule_allow_https_incoming.src_netmask = (char *)kmalloc(16,GFP_KERNEL); + strcpy(rule_allow_https_incoming.src_netmask, "255.255.255.255"); + rule_allow_https_incoming.source_port = 0; + rule_allow_https_incoming.dest_ip = NULL; + rule_allow_https_incoming.dest_netmask = NULL; + //rule_allow_https_incoming.destination_port = (char *)kmalloc(16,GFP_KERNEL); + //strcpy(rule_allow_https_incoming.destination_port, "443"); + rule_allow_https_incoming.destination_port = 443; + rule_allow_https_incoming.proto = 1; + rule_allow_https_incoming.action = 1; + add_rule(&rule_allow_https_incoming,4); + + printk(KERN_INFO "Allowing HTTPS OUTPUT\n"); + rule_allow_https_outgoing.in_out = 2; + rule_allow_https_outgoing.src_ip = (char *)kmalloc(16, GFP_KERNEL); + strcpy(rule_allow_https_outgoing.src_ip, "10.0.2.15"); + rule_allow_https_outgoing.src_netmask = (char *)kmalloc(16,GFP_KERNEL); + strcpy(rule_allow_https_outgoing.src_netmask, "255.255.255.255"); + //rule_allow_https_outgoing.source_port = (char *)kmalloc(16,GFP_KERNEL); + //strcpy(rule_allow_https_outgoing.source_port, "443"); + rule_allow_https_outgoing.source_port = 0; + rule_allow_https_outgoing.dest_ip = NULL; + rule_allow_https_outgoing.dest_netmask = NULL; + rule_allow_https_outgoing.destination_port = 443; + rule_allow_https_outgoing.proto = 1; + rule_allow_https_outgoing.action = 1; + add_rule(&rule_allow_https_outgoing,5); + + printk(KERN_INFO "Allowing DNS INPUT\n"); + rule_allow_dns_in.in_out = 1; + rule_allow_dns_in.src_ip = (char *)kmalloc(16, GFP_KERNEL); + strcpy(rule_allow_dns_in.src_ip, "10.0.2.15"); + rule_allow_dns_in.src_netmask = (char *)kmalloc(16,GFP_KERNEL); + strcpy(rule_allow_dns_in.src_netmask, "255.255.255.255"); + rule_allow_dns_in.source_port = 0; + rule_allow_dns_in.dest_ip = NULL; + rule_allow_dns_in.dest_netmask = NULL; + //rule_allow_dns_in.destination_port = (char *)kmalloc(16,GFP_KERNEL); + //strcpy(rule_allow_dns_in.destination_port, "53"); + rule_allow_dns_in.destination_port = 53; + rule_allow_dns_in.proto = 1; + rule_allow_dns_in.action = 1; + add_rule(&rule_allow_dns_in,6); + + printk(KERN_INFO "Allowing DNS OUTPUT\n"); + rule_allow_dns_out.in_out = 2; + rule_allow_dns_out.src_ip = (char *)kmalloc(16, GFP_KERNEL); + strcpy(rule_allow_dns_out.src_ip, "10.0.2.15"); + rule_allow_dns_out.src_netmask = (char *)kmalloc(16,GFP_KERNEL); + strcpy(rule_allow_dns_out.src_netmask, "255.255.255.255"); + //rule_allow_dns_out.source_port = (char *)kmalloc(16,GFP_KERNEL); + //strcpy(rule_allow_dns_out.source_port, "53"); + rule_allow_dns_out.source_port = 0; + rule_allow_dns_out.dest_ip = NULL; + rule_allow_dns_out.dest_netmask = NULL; + rule_allow_dns_out.destination_port = 53; + rule_allow_dns_out.proto = 1; + rule_allow_dns_out.action = 1; + add_rule(&rule_allow_dns_out,7); + + printk(KERN_INFO "Allowing IPC INPUT\n"); + rule_allow_ipc_in.in_out = 1; + rule_allow_ipc_in.src_ip = (char *)kmalloc(16, GFP_KERNEL); + strcpy(rule_allow_ipc_in.src_ip, "10.0.2.15"); + rule_allow_ipc_in.src_netmask = (char *)kmalloc(16,GFP_KERNEL); + strcpy(rule_allow_ipc_in.src_netmask, "255.255.255.255"); + rule_allow_ipc_in.source_port = 0; + rule_allow_ipc_in.dest_ip = NULL; + rule_allow_ipc_in.dest_netmask = NULL; + //rule_allow_dns_in.destination_port = (char *)kmalloc(16,GFP_KERNEL); + //strcpy(rule_allow_dns_in.destination_port, "53"); + rule_allow_ipc_in.destination_port = 768; + rule_allow_ipc_in.proto = 1; + rule_allow_ipc_in.action = 1; + add_rule(&rule_allow_ipc_in,8); + + printk(KERN_INFO "Allowing IPC OUTPUT\n"); + rule_allow_ipc_out.in_out = 2; + rule_allow_ipc_out.src_ip = (char *)kmalloc(16, GFP_KERNEL); + strcpy(rule_allow_ipc_out.src_ip, "10.0.2.15"); + rule_allow_ipc_out.src_netmask = (char *)kmalloc(16,GFP_KERNEL); + strcpy(rule_allow_ipc_out.src_netmask, "255.255.255.255"); + //rule_allow_dns_out.source_port = (char *)kmalloc(16,GFP_KERNEL); + //strcpy(rule_allow_dns_out.source_port, "53"); + rule_allow_ipc_out.source_port = 0; + rule_allow_ipc_out.dest_ip = NULL; + rule_allow_ipc_out.dest_netmask = NULL; + rule_allow_ipc_out.destination_port = 768; + rule_allow_ipc_out.proto = 1; + rule_allow_ipc_out.action = 1; + add_rule(&rule_allow_ipc_out,9); +} + +//Called when module loaded using 'insmod' +int init_module() +{ + INIT_LIST_HEAD(&(policy_list.list)); + set_all_packets(); + nfho_in.hook = hook_func_in; //function to call when conditions below met + nfho_in.hooknum = NF_INET_PRE_ROUTING; + //nfho_in.hooknum = NF_INET_LOCAL_IN; //called right after packet recieved, first hook in Netfilter + nfho_in.pf = PF_INET; //IPV4 packets + nfho_in.priority = NF_IP_PRI_FIRST; //set to highest priority over all other hook functions + nf_register_hook(&nfho_in); // Register the hook + + nfho_out.hook = hook_func_out; + nfho_out.hooknum = NF_INET_POST_ROUTING; + //nfho_out.hooknum = NF_INET_LOCAL_OUT; + nfho_out.pf = PF_INET; + nfho_out.priority = NF_IP_PRI_FIRST; + nf_register_hook(&nfho_out); + + return 0; +} + +//Called when module unloaded using 'rmmod' +void cleanup_module() +{ + struct list_head *p, *q; + struct mf_rule *a_rule; + + nf_unregister_hook(&nfho_in); + nf_unregister_hook(&nfho_out); + + list_for_each_safe(p, q, &policy_list.list) { + a_rule = list_entry(p, struct mf_rule, list); + list_del(p); + kfree(a_rule); + } +} diff --git a/Firewall/Modules/StarterModule/Makefile b/Firewall/Modules/StarterModule/Makefile new file mode 100755 index 0000000..bf84a20 --- /dev/null +++ b/Firewall/Modules/StarterModule/Makefile @@ -0,0 +1,18 @@ +obj-m += starterModule.o + +all: + make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules + +clean: + make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean + +# Make file + +#make -C /lib/modules/3.5.0-19-generic/build M=/Home/Desktop/Beihang/Security/Modules/StarterModule #removed modules +#make[1]: Entering directory `/usr/src/linux-headers-3.5.0-19-generic' +# CC [M] /home/Desktop/Beihang/Security/Modules/StarterModule/starterModule.o +# Building modules, stage 2. +# MODPOST 1 modules +# CC /home/Desktop/Beihang/Security/Modules/StarterModule/starterModule.mod.o +# LD [M] /home/Desktop/Beihang/Security/Modules/StarterModule/starterModule.ko +#make[1]: Leaving directory `/usr/src/linux-headers-3.5.0-19-generic' diff --git a/Firewall/Modules/StarterModule/headers.sh b/Firewall/Modules/StarterModule/headers.sh new file mode 100755 index 0000000..e4be9ac --- /dev/null +++ b/Firewall/Modules/StarterModule/headers.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# This is necessary (Only needs to be done once.) +# If cannot execute, then set privilages e.g. chmod 777 headers.sh + + +echo Installing Headers.. +apt-get install build-essential linux-headers-$(uname -r) + diff --git a/Firewall/Modules/StarterModule/insertModule.sh b/Firewall/Modules/StarterModule/insertModule.sh new file mode 100755 index 0000000..3635baf --- /dev/null +++ b/Firewall/Modules/StarterModule/insertModule.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +# Inserts module to the kernel +insmod starterModule.ko +# Will display init function +dmesg | tail -1 + +# Removes the module from the kernel +rmmod starterModule.ko +# Will display exit function +dmesg | tail -1 diff --git a/Firewall/Modules/StarterModule/starterModule.c b/Firewall/Modules/StarterModule/starterModule.c new file mode 100755 index 0000000..6d941f3 --- /dev/null +++ b/Firewall/Modules/StarterModule/starterModule.c @@ -0,0 +1,24 @@ +#include // included for all kernel modules +#include // for kernel info +#include // for _init and _exit + + +MODULE_LICENSE("GPL"); // Set the module licence +MODULE_AUTHOR("Eryk Szlachetka"); // Set the module Author +MODULE_DESCRIPTION("A simple program to illustrate how to develop kernel modules"); + +// Initialize function +static int __init initFunction(void) +{ + printk(KERN_INFO "Hello ! Initialized.\n"); // Print the message. + return 0; // If non-zero means failure to load module. +} + +// Exit function +static void __exit cleanFxn(void) +{ + printk(KERN_INFO "Exit fucntion, cleaning up!\n"); // Print the message. +} + +module_init(initFunction); +module_exit(cleanFxn); diff --git a/Firewall/README.md b/Firewall/README.md new file mode 100755 index 0000000..48be8a7 --- /dev/null +++ b/Firewall/README.md @@ -0,0 +1,110 @@ +# Firewall for an Enterprise System +Copyright © 2017 [Eryk Szlachetka](https://www.github.com/EricSzla/) + +Roles: + +- Eryk Szlachetka: Research, IpTables, Scripts, Kernel Module +- Pamela Sabio: Research, IpTables, Scripts, Kernel Module +- Caoimhe Harvey: Research, IpTables. + +## 1. Introduction + +Setting up a firewall in the system is a very important security task, if the firewall is not set up correctly the whole enterprise can be compromised, if the system is compromised this could allow potential hacker to threaten the Confidentiality, Integrity and Availability of the system information.
+This would allow the attacker for various threats such as information surveillance, data alteration or unavailability of the system. +Here I am focusing on enterprise that only needs access to Internet and Email using +- Transmission Control Protocol (**TCP**) +- Simple Mail Transport Protocol (**SMTP**)
+
+ +The communication can happen only on specific ports such as +- Hypertext Transfer Protocol over Transport Layer Security (HTTPS) +- Secure Shell (SSH) +- Domain Name Server (DNS) +
+ +![figure1](https://user-images.githubusercontent.com/15609881/27061070-d54bc9c8-5013-11e7-95a9-824bbca453c7.png)
+Figure 1: Enterprise Environment Design Figure, only Mail/Website specified protocols and ports are allowed to communicate through the firewall. + +There are two methods that can be used to implement the solution: +1) Use IpTables that allows system administrator to specify the rules that each packet has to go through before allowing it in the Enterprise System. + +2) Write Kernel Module to replace the IpTables and load the code that specifies the rules into the Kernel. +In this project both solutions are explained and implemented using Ubuntu 16.04, Linux. + +## 2. IpTables + +IPTables are used to implement the rules specified for the enterprise environment. + +### 2.1. Types of packets + +There are two types of packets that are considered: +- Input Packet – an external packet that arrives at the system designated for a client within the enterprise. +- Output Packet – an internal packet that is designated for the web. + +### 2.2. Policy + +IPTables policy decides what do with packets that do not match the rules specified.
+In order to improve overall security of the system by only allowing specific protocols and ports to communicate, the policy of IPTables is set to **STOLEN** for both the input and the output packets. + +### 2.3. Packet Processing + +When the packet first goes into/outside the system, it has to follow specific path (see Figure 2), it has to be checked for the protocol, if it matches protocol **TCP (6)** or protocol **UDP (17)** then it can be accepted. +
Afterwards it has to be checked what port is the packet coming from, the only ports that are accepted are: + +- SSH (22), +- DNS (53), +- HTTP (80), +- HTTPS (443), +- SMTP (25). + +All the other packets will be **STOLEN**, which means that there is no indication of what is happening with the packet, this approach is used instead of DROP in order to improve the security of the enterprise by avoiding giving clues to potential attacker what happened with the packet which could allow to discover out the rules set up. +
After the port validation, packet is checked for forbidden destinations. + +![Figure 2](https://user-images.githubusercontent.com/15609881/27061626-1bf5e3fa-5018-11e7-9767-e55055c310e6.png) + +## 3. Kernel Module +The code inserted into the Kernel Module has an objective to replace the IPTables. The rules are the same as the one for IPTables (see Section 2.3). + +### 3.1 Code structure + +The code inserted into **Kernel** as a **Module** consists of the functions that are called depending on the action.
+The function called for the **kernel functionality** are: +- ``init_module`` – called when ``insmod`` is used i.e. when the module is inserted into the kernel. +- ``cleanup_module`` – called when ``rmmod`` is used i.e. when module is removed from the kernel . + +**Note this functions are called only once.** + +![Figure 3](https://user-images.githubusercontent.com/15609881/27061794-53012c28-5019-11e7-9a26-a142eece42ca.png) + +All the rules that have been set are set in linked list that all functions have access to. +
The functions that are called for setting the packet processing rules functionality are: +- ``set_all_packets`` – this is a function which is called from init_module, it sets the packet rules and calls add_rule for each packet rule that have been set. +- ``add_rule`` – function called by set_all_packets, it adds the rule to the actual rule linked list (see Figure 4). + +![Figure 4](https://user-images.githubusercontent.com/15609881/27061851-adf677dc-5019-11e7-972a-143da50de506.png) + +There are two hook ops to which parameters are set in ``init_mod`` function: +- ``nfho_in`` – used for the incoming packet. +- ``nfho_out`` – used for the outgoing packet. + +These hook ops are both set to **highest priority**, and are both set to **support IPV4 packets**.
+The two hook ops have different parameters set for the **hooknum** (specifies when the hook is called e.g. straight after packet is received): +- ``NF_INET_PRE_ROUTING`` for ``nfho_in``, +- ``NF_INET_POST_ROUTING`` for ``nfho_out``. + +and the **hook** (function which is called when the packet is received)
+- ``hook_func_in`` for ``nfho_in``, +- ``hook_func_out`` for ``nfho_out``. + +The two functions can be configured differently to do different task, in this case the two functions are configured to achieve the same functionality.
+The incoming packet is compared to known protocols such as **TCP/UDP**, if the packet uses a known, allowed protocol then the headers and ports are extracted and assigned to variables, otherwise the packet is **STOLEN**.
+If the packet gets through the protocol comparison, the iteration through the rules stored in the linked list (see Figure 5), first thing in the loop is to check if the rule is designated to deal with out or in packet, depending on the function call, action will be taken.
+**i.e.** If dealing with outgoing function and the rule is incoming then continue on to next rule, second thing to compare in the loop is the IP address to check if its not forbidden, third thing in the loop is to check if the destination port and source port of the packet matches the ports in the rule, if so then the rule is checked to decide on the action.
+**e.g.** if the rule specifies that HTTP port has to be accepted and the packet is from/to HTTP port then its accepted, if it specifies that HTTP port has to be stolen then it is stolen (see Figure 6). + +![figure 5](https://user-images.githubusercontent.com/15609881/27061719-c7c7c6bc-5018-11e7-8d72-0ef9731e3aca.png) +
+![f6-1](https://user-images.githubusercontent.com/15609881/27062092-314e1cd8-501b-11e7-8d2d-a4cf8103c372.png)
+![f6-2](https://user-images.githubusercontent.com/15609881/27062090-313303c6-501b-11e7-92b9-3e190ffd50ed.png)
+![f6-3](https://user-images.githubusercontent.com/15609881/27062091-3147e3c2-501b-11e7-9f8f-fa9f8ab3a3ee.png)
+ diff --git a/Firewall/Scripts/monitor.pl b/Firewall/Scripts/monitor.pl new file mode 100755 index 0000000..0482e23 --- /dev/null +++ b/Firewall/Scripts/monitor.pl @@ -0,0 +1,27 @@ +ct; +use warnings; +my @types = qw/nat mangle filter/; +$SIG{INT} = sub{print "\e[?25h\e[u"; exit}; +print "\e[40;37m\e[2J\e[?25l"; +while (1) { + print "\e[0;0H"; + my %output = map {$_ => scalar `iptables -t $_ -L -v -Z`} @types; + foreach my $type (@types) { + print "\e[01;34m------", uc($type), '-' x (73 - length($type)), "\ ++n"; + $output{$type} =~ s/ pkts[^\n]*\n(\n|Zeroing)/$1/gs; + foreach my $line (split /\n/, $output{$type}) { + next if $line =~ m/^Zeroing/ || $line eq ''; + print $line =~ m/^\s*(\d+)/ || $line =~ m/(\d+) packets/ + ? ($1 > 0 + ? ($line =~ m/DROP|DENY|REJECT/ + ? "\e[01;40;31m" + : "\e[01;40;32m") + : "\e[00;40;37m") + : "\e[00;40;33m"; + print "\e[K$line\e[01;40;37m\n" + } + } + print "\e[s"; + sleep 1 +} diff --git a/Firewall/Scripts/setPolicy_accept.sh b/Firewall/Scripts/setPolicy_accept.sh new file mode 100755 index 0000000..5b1781e --- /dev/null +++ b/Firewall/Scripts/setPolicy_accept.sh @@ -0,0 +1,15 @@ +#!/bin/bash +#Script to set up ip tables policy to drop. +#Eryk Szlachetka 18/04/17 + +echo Setting INPUT to ACCEPT. +iptables --policy INPUT ACCEPT +echo Setting OUTPUT to ACCEPT. +iptables --policy OUTPUT ACCEPT +echo Setting FORWARD to ACCEPT. +iptables --policy FORWARD ACCEPT +echo +echo DONE. +echo +echo New rules: +iptables -S diff --git a/Firewall/Scripts/setPolicy_drop.sh b/Firewall/Scripts/setPolicy_drop.sh new file mode 100755 index 0000000..963aca9 --- /dev/null +++ b/Firewall/Scripts/setPolicy_drop.sh @@ -0,0 +1,15 @@ +#!/bin/bash +#Script to set up ip tables policy to drop. +#Eryk Szlachetka 18/04/17 + +echo Setting INPUT to drop. +iptables --policy INPUT DROP +echo Setting OUTPUT to drop. +iptables --policy OUTPUT DROP +echo Setting FORWARD to drop. +iptables --policy FORWARD DROP +echo +echo DONE. +echo +echo New rules: +iptables -S diff --git a/Firewall/Scripts/setRules.sh b/Firewall/Scripts/setRules.sh new file mode 100755 index 0000000..675d7a7 --- /dev/null +++ b/Firewall/Scripts/setRules.sh @@ -0,0 +1,63 @@ +#!/bin/bash +#Script to set up ip tables rules. +#Eryk Szlachetka & Caoimhe Harvey 18/04/17 + +echo Setting SSH INPUT.. +#Allow established input SSH connection +iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + +echo Setting SSH OUTPUT.. +#Allow NEW,ESTABLISHED output SSH connection +iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT + +echo Setting HTTP/S INPUT.. +#Allow NEW,ESTABLISHED,RELATED http and https output connections +iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT +iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + +echo Setting HTTP/S OUTPUT.. +#Allow ESTABLISHED,RELATED http and https input connections +iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT +iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT + +echo Setting UDP/TCP OUTPUT.. +#Allow NEW udp/tcp output connections +iptables -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT +iptables -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT + +echo Setting UDP/TCP INPUT.. +#Allow ESTABLISHED udp/tcp input connections +iptables -A INPUT -m state --state ESTABLISHED -p udp --sport 53 -j ACCEPT +iptables -A INPUT -m state --state ESTABLISHED -p tcp --sport 53 -j ACCEPT + +echo Setting SMTP INPUT.. +#Allow SMTP connections INPUT +iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + +echo Setting SMTP OUTPUT.. +#Allow SMTP connection OUTPUT +iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT + +echo Setting Forwarding.. +#setting IP Forwarding for internal network +iptables -A FORWARD -i eth1 -j ACCEPT +iptables -A FORWARD -o eth1 -j ACCEPT + +#enabling forwarding on this machine +echo Enabling Forwarding on this machine.. +sysctl net.ipv4.ip_forward=1 + +# +echo Setting Masquerade .. +iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE + +echo Setting PREROUTING details.. +iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.12.77:80 + +echo Done +echo +echo New Rules: +iptables -L + +#Flushing the rules for testing purposes +iptables -F diff --git a/Firewall/Scripts/setRulesDrop.sh b/Firewall/Scripts/setRulesDrop.sh new file mode 100755 index 0000000..e9718b2 --- /dev/null +++ b/Firewall/Scripts/setRulesDrop.sh @@ -0,0 +1,36 @@ +#!/bin/bash +#Script to set up ip tables rules. +#Eryk Szlachetka 18/04/17 + +interface=$1 +echo Interface: $interface. +echo Setting SSH INPUT.. + +#Allow established input SSH connection +iptables -A INPUT -i $interface -p tcp --sport 22 -m state --state ESTABLISHED -j DROP + +echo Setting SSH OUTPUT.. + +#Allow NEW,ESTABLISHED output SSH connection +iptables -A OUTPUT -o $interface -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j DROP + +echo Setting HTTP/S OUTPUT +#Allow NEW,ESTABLISHED,RELATED http and https output connections +iptables -A OUTPUT -j DROP -m state --state NEW,ESTABLISHED,RELATED -o $interface -p tcp -m multiport --dports 80,443 + +echo Setting HTTP/S INPUT +#Allow ESTABLISHED,RELATED http and https input connections +iptables -A INPUT -j DROP -m state --state ESTABLISHED,RELATED -i $interface -p tcp -m multiport --sports 80,443 + +echo Setting UDP/TCP OUTPUT +#Allow NEW udp/tcp output connections +iptables -A OUTPUT -m state --state NEW -p udp --dport 53 -j DROP +iptables -A OUTPUT -m state --state NEW -p tcp --dport 53 -j DROP + +#Allow ESTABLISHED udp/tcp input connections +iptables -A INPUT -m state --state ESTABLISHED -p udp --sport 53 -j DROP +iptables -A INPUT -m state --state ESTABLISHED -p tcp --sport 53 -j DROP +echo Done +echo +echo New Rules: +iptables -L