ejbca_3_5_3(1).zip ejbcafirewall.sh

www.pudn.com > ejbca_3_5_3(1).zip > ejbcafirewall.sh

#!/bin/sh

######## IPtables Firewall script for EJBCA. ######
######## Made by Thomas Karlsson 2002 #############
######## This script has taken some functions from another script made by Henrik Andreasson
# What this script does:
# It blocks ALL incoming ports except for WEBServer, SSLWebserver and SSH from ONE ip.
# It blocks ALL outgoing ports except for SMTP(25) and DNS requests to your own trusted dns servers.
######## How to install ###########################
# 1. Preferly copy this script to /etc/init.d
# 2. Make a softlink from your runleveldirectory to this script
# cp this.script.sh /etc/init.d
# cd /etc/rc2.d (or the preferred runlevel (in redhat its rc3.d)
# ln -s ../init.d/this.script.sh .
# 3. Now the script will automatically be run everytime the server is rebooted
# 4. Edit the script so it matches your environment. The variables speaks for them selves
# 5. If you do not plan to reboot now, please just run this once.

######## Userchangable variables ##################
######## Add trusted sites here ###################

USE_EXTERNAL_LDAPSERVER="yes"
USE_LOCAL_LDAPSERVER="no"
TRUSTEDSSH="10.1.1.110";
EJBCAWEBSERVERPORT="8080";
EJBCASSLWEBSERVERPORT1="8442";
EJBCASSLWEBSERVERPORT2="8443";
LDAPPORT="389";
LDAPSSLPORT="636";

######## config ###############
#point to iptables binary
IPTABLES=/sbin/iptables
ROUTE=/sbin/route
IFCONFIG=/sbin/ifconfig

######## End Userchangable variables ####

logger $0 "Securing EJBCA with iptables firewall"
echo "Securing EJBCA with iptables firewall"

###################
# peers definitions
WORLD=0.0.0.0/0
BROADCAST="255.255.255.255"

###### end config ###########

###### get ip addresses from ifconfig ####
# inside of fw (3c59x)
INET_IFACE="eth0"
INET_IP=`$IFCONFIG $INET_IFACE | awk '/inet addr/ { gsub(".*:", "", $2) ; print $2 }'`
INETNET=`$ROUTE |grep $INET_IFACE |grep -v UG |cut -f1 -d\ `

#loopback if
LO_IFACE="lo"
LO_IP=`$IFCONFIG $LO_IFACE | awk '/inet addr/ { gsub(".*:", "", $2) ; print $2 }'`
LO_NET=`$ROUTE |grep $LO_IFACE |grep -v UG |cut -f1 -d\ `

###############################

echo "INET IF: $INET_IFACE"
echo "INET IP: $INET_IP"

#####################################
echo -n "Removing old firewall rules... "
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F # Flush all rules
$IPTABLES -X # Delete all usermade chains

echo "done"

################ DEFAULT POLICES ###############################
echo -n "Setting default polices to DROP... "

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
echo "done"

############ LOOPBACK access rules ###########################
echo -n "Setting LOOPBACK access rules... "

# local loop back interface allow all
$IPTABLES -A INPUT -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -i $LO_IFACE -s $INET_IP -j ACCEPT
echo "done"

############ INPUT access rules ###########################
echo -n "Setting INPUT access rules... "

$IPTABLES -A INPUT -m state --state INVALID -j DROP # Drop evil invalid packets from the start
$IPTABLES -A INPUT -i $INET_IFACE -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT # Use the statefulfiltering capability
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -s $WORLD -d $INET_IP --dport $EJBCAWEBSERVERPORT -m state --state NEW -j ACCEPT # Open webserverport
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -s $WORLD -d $INET_IP --dport $EJBCASSLWEBSERVERPORT1 -m state --state NEW -j ACCEPT # Open sslwebserverport
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -s $WORLD -d $INET_IP --dport $EJBCASSLWEBSERVERPORT2 -m state --state NEW -j ACCEPT # Open sslwebserverport
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -s $TRUSTEDSSH -d $INET_IP --dport 22 -m state --state NEW -j ACCEPT # Open SSH for one ip
if [ "$USE_LOCAL_LDAPSERVER" = yes ]
then
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport $LDAPPORT -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -d $INET_IP --dport $LDAPSSLPORT -m state --state NEW -j ACCEPT
fi
$IPTABLES -A INPUT -j LOG --log-level info --log-prefix="FW-DROP: " # Log every DROP
$IPTABLES -A INPUT -j DROP # Drop them

echo "done"
############ OUTPUT access rules ##########################
echo -n "Setting OUTPUT access rules... "

$IPTABLES -A OUTPUT -o $INET_IFACE -m state --state ESTABLISHED -j ACCEPT # Use the statefulfiltering capability
### Add dns servers, this loop grabs all dns server you have in your /etc/resolv.conf and allows dns traffic to them
for dnsserv in `cat /etc/resolv.conf | awk '/nameserver/ { print $2 }'` ; do $IPTABLES -A OUTPUT -p udp -o $INET_IFACE -d $dnsserv --dport 53 -m state --state NEW -j ACCEPT ; done
### END adding local dns servers
if [ "$USE_EXTERNAL_LDAPSERVER" = yes ]
then
$IPTABLES -A OUTPUT -p tcp -o $INET_IFACE --dport $LDAPPORT -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $INET_IFACE --dport $LDAPSSLPORT -m state --state NEW -j ACCEPT

fi
$IPTABLES -A OUTPUT -j LOG --log-level info --log-prefix="FW OUT: "
$IPTABLES -A OUTPUT -j DROP

echo "done"