Tuesday, January 8, 2013

A basic IPTables (firewall) for just about anyone using Asterisk and FreePBX

Hi guys, I developed this simple bash script that enables and disables an IPTABLES-based firewall, targeted mainly at Asterisk with FreePBX users.
NOTE:
  • This is a basic firewall, feel free to fine tune as much as you want.
  • It may erase existing FW/IPTABLES rules you have, but it backs them up to /root first
  • It does not interfere with fail2ban if you are using fail2ban
  • You can add this to startup if you like, but it is not formatted to the init format; you need to set that up yourself or include this script in an existing init.d script you may have
  • Only SSH is allowed from anywhere; the rest are allowed from the internal network only
  • You can edit the file to set to allow anywhere access to other common protocols if you want
  • Make sure you define your internal network range, by default it will allow RFC1918 …
What are the default rules
  • SSH allow from any
  • HTTP/HTTPS, SIP(and RTP), IAX2, NTP, SSH, TFTP and DHCP (tftp and dhcp accepts both server mode and client mode)
  • For HTTP(insecure http) you need to uncomment inside the script to allow port 80
  • Outbound is unrestricted
  • Uses default ports as defined by standards
  1. # nano astfw.sh
  2. Copy the script as below and paste into the file you just opened/created, save and exit
  3. # chmod +x astfw.sh
  4. # mv astfw.sh /bin/
  5. Try starting and stopping (MAKE SURE YOU CAN ACCESS CONSOLE IF SOMETHING BREAKS!!!!!!)
    /bin/astfw.sh start
    /bin/astfw.sh stop
  6. Add to an init.d script or edit the rc.local to start this automatically when booting


Copy these below…
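#!/bin/bash
# sanjayws@gmail.com
# V.1.1 - Modded for our Asterisk installs, reldate 08-01-2013
# V.1.2 - Added enable disable functionality just in case
# iptables Asterisk related to stop start
# usage ./astfw.sh start|stop
#
# IMPORTANT READ THIS NOW
# =======================
# ---BE SURE TO DEFINE WHAT IS YOUR INTERNAL NETWORK, BY DEFAULT ALL RFC1918 IPs ARE ALLOWED
# ---DO NOT USE OTHER 3RD PARTY IPTABLES MANAGEMENT SYSTEM WHEN USING THIS, E.G. WEBMIN
# ---There is a section below to define custom ports/rules for incoming, use that
# ---YOU CAN DISABLE ENABLE SCRIPT COMPLETELY NOW
#
# ---DEFAULT SERVICES INBOUND ALLOWED FROM ANYWHERE
# ++++SSH
#
# ---DEFAULT SERVICES INBOUND ALLOWED INTERNAL ONLY
# ++++HTTPS,IAX2,NTP,SSH,SIP(WITH RTP),TFTP (SERVER AND CLIENT MODE), DHCP(SERVER AND CLIENT MODE)
#
# ---DEFAULT SERVICES ALLOWED OUTBOUND
# ++++ANY
#
# ---DEFAULT SERVICES ALLOWED LOCALHOST
# ++++ANY
#
# --- EXISTING RULES WILL ALWAYS BE BACKED UP IN /root/fwrulesbackup.<datetime>
#
# USER DEFINITION
# ENABLE OR DISABLE, IF DISABLED, ONLY FAIL2BAN WILL RUN, YES[NO]
ENABLE=YES
#
# INTERNAL BY DEFAULT ACCEPTS RFC1918 IP RANGES. ADD NEW OR MODIFY NEW ONES BY ADDING COMMAS. DEFINE BY MASK BITS LIKE 192.168.100.0/24
INTERNALNETWORK="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
#
# BY DEFAULT ONLY SSH IS ALLOWED FROM ANYWHERE, REST RESTRICTED INTERNAL ONLY, ACCEPTS 0 OR 1
allowextsip=0
allowextntp=0
allowextssh=1
allowextdhcp=0
allowexttftp=0
allowextiax=0
allowextweb=0

# Directory that receives one fwrulesbackup.<datetime> file per run.
readonly BACKUP_DIR=/root

# set -e is deliberately NOT used: clear/tput fail when there is no TTY
# (e.g. run from rc.local) and must not abort the script after rules are live.
# Critical steps are checked explicitly instead.
set -u

# Global failure counter for add_rule; reset at the start of start_firewall.
failures=0

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Resolve the iptables binaries into the globals fw / fwsave.
# Aborts when either is missing so that an empty "$fw" is never executed
# as a command (the old `which` lookup silently yielded "").
# Globals: fw, fwsave (written)
#######################################
locate_tools() {
  fw=$(command -v iptables) || die "iptables not found in PATH, quitting"
  fwsave=$(command -v iptables-save) || die "iptables-save not found in PATH, quitting"
}

#######################################
# Save the current ruleset to $BACKUP_DIR/fwrulesbackup.<datetime>.
# The file is created 0600 (umask 077): a ruleset describes the host's
# exposure and should not be readable by other local users.
# Globals: fwsave, BACKUP_DIR (read)
# Returns: exits via die if the backup cannot be written
#######################################
backup_rules() {
  local stamp backup
  stamp=$(date +%d%m%y-%H%M%S)
  backup="${BACKUP_DIR}/fwrulesbackup.${stamp}"
  printf 'Backing up current rules to %s\n' "$backup"
  ( umask 077; "$fwsave" > "$backup" ) || die "could not write backup to ${backup}, quitting"
}

#######################################
# Flush INPUT/OUTPUT/FORWARD and set all three policies to ACCEPT.
# NOTE: -F INPUT also removes jump rules that other tools (fail2ban, for
# example) inserted into INPUT. Run this before fail2ban starts, or restart
# fail2ban afterwards so its chains are re-hooked.
# Globals: fw (read)
#######################################
open_all() {
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    "$fw" -F "$chain"
    "$fw" -P "$chain" ACCEPT
  done
}

#######################################
# Run one iptables command and count (rather than ignore) a failure.
# A failed ACCEPT rule followed by the DROP policy below would lock the
# host out, so start_firewall refuses to set DROP when failures > 0.
# Arguments: iptables arguments, e.g. -A INPUT -p tcp --dport 22 -j ACCEPT
# Globals: fw (read), failures (written)
#######################################
add_rule() {
  if ! "$fw" "$@"; then
    printf 'warn: rule failed: iptables %s\n' "$*" >&2
    failures=$((failures + 1))
  fi
}

#######################################
# Append an INPUT ACCEPT rule for one service.
# Arguments:
#   $1 - protocol (tcp|udp); also used as the match module name
#   $2 - destination port or range, e.g. 22 or 5060:5062
#   $3 - 1 to accept from anywhere, anything else -> INTERNALNETWORK only
# Globals: INTERNALNETWORK (read)
#######################################
allow_inbound() {
  local proto=$1 port=$2 external=$3
  if [[ "$external" == "1" ]]; then
    add_rule -A INPUT -p "$proto" -m "$proto" --dport "$port" -j ACCEPT
  else
    add_rule -A INPUT -s "$INTERNALNETWORK" -p "$proto" -m "$proto" --dport "$port" -j ACCEPT
  fi
}

#######################################
# Back up, flush, load the Asterisk/FreePBX rule set and switch to DROP.
# Globals: allowext* flags, INTERNALNETWORK (read); failures (written)
#######################################
start_firewall() {
  echo "Starting firewall rules"
  backup_rules
  echo "Setting up defaults, clearing other rules"
  open_all
  echo "Done sweeping"
  echo "Setting specific rules"
  failures=0

  #####INBOUND RULES#####
  # DEFAULT ALLOWED
  add_rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  add_rule -A INPUT -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  #
  # One line per service; the third argument is the user flag from the top.
  # (The old script had a second NTP block with a typo'd test that always
  # opened 123 to the world; there is a single NTP rule now.)
  allow_inbound udp 5060:5062   "$allowextsip"   # SIP signalling
  allow_inbound udp 10000:20000 "$allowextsip"   # RTP media, follows the SIP flag
  allow_inbound udp 4569        "$allowextiax"   # IAX2
  allow_inbound tcp 443         "$allowextweb"   # HTTPS (FreePBX GUI)
  # allow_inbound tcp 80        "$allowextweb"   # plain HTTP, uncomment only if you need it
  allow_inbound tcp 22          "$allowextssh"   # SSH
  allow_inbound udp 123         "$allowextntp"   # NTP
  allow_inbound udp 67:68       "$allowextdhcp"  # DHCP server and client mode
  allow_inbound udp 69          "$allowexttftp"  # TFTP server and client mode
  #
  ###ADD YOUR CUSTOM INBOUND PORTS HERE
  # E.G. MYSQL, INTERNAL ONLY
  # allow_inbound tcp 3306 0
  # E.G. MYSQL EXTERNAL AND INTERNAL
  # allow_inbound tcp 3306 1

  #####OUTRULES#####
  #out stuff, currently none only defaults
  add_rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  add_rule -A OUTPUT -j ACCEPT

  #loopallow, dont mess with this
  add_rule -A INPUT -i lo -j ACCEPT
  add_rule -A OUTPUT -s 127.0.0.1 -j ACCEPT

  # Only move to DROP once every ACCEPT rule above is actually in place.
  if (( failures > 0 )); then
    die "${failures} rule(s) failed to load; policies left at ACCEPT, NOT enabling DROP"
  fi

  #policy
  "$fw" -P INPUT DROP
  "$fw" -P OUTPUT DROP
  "$fw" -P FORWARD DROP
  clear
  tput bel
  echo "Done - FIREWALL RUNNING - SECURED"
}

#######################################
# Back up and remove all rules, leaving every policy at ACCEPT.
#######################################
stop_firewall() {
  echo "Stopping firewall rules"
  backup_rules
  open_all
  tput bel
  clear
  echo "Done - FIREWALL NOT RUNNING - INSECURE"
}

#######################################
# Entry point.
# Arguments: $1 - start|stop
# Returns: 0 on success or when ENABLE != YES; 1 on usage error or
#          when a required tool / the backup / a rule fails.
#######################################
main() {
  local opt=${1-}
  if [[ "$ENABLE" != "YES" ]]; then
    echo "Bypassing since flag set to ENABLE=$ENABLE"
    exit 0
  fi
  # A missing command is a usage error and now exits 1 (was a silent exit 0).
  [[ -n "$opt" ]] || die "Command not specified, quitting"
  (( EUID == 0 )) || die "must be run as root, quitting"
  locate_tools
  case "$opt" in
    start) start_firewall ;;
    stop) stop_firewall ;;
    *) die "Option not found, quitting" ;;
  esac
  exit 0
}

main "$@"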
