[alff.git] / share / plugins / plugin.d / create_chain_tcp_scan_handling

#!/bin/bash -e
#
# create_chain_tcp_scan_handling
#
# These rules are mainly copied from "Arno's IPTABLES firewall script"
# by Arno van Amersfoort. See http://rocky.eld.leidenuniv.nl/ for details
#
# Maximilian Wilhelm <max@rfc2324.org>
#  -- Mon, 24 Apr 2006 20:05:49 +0200
# 

. /usr/share/alff/lib/plugin-routines

loglevel="info"
log_scans="1"
drop_scans="1"

##
# Make sure there is (an empty) chain tcp_scan_handling
createChain tcp_scan_handling

##
# Log scanning of nmap etc.
if [ "${log_scans}" != "0" ]; then
        echo " * Logging of stealth scans (nmap probes etc.) enabled."

cat <<- EOF >&3
        # (NMAP) FIN/URG/PSH
        iptables -A tcp_scan_handling -p tcp --tcp-flags ALL FIN,URG,PSH \
          -m limit --limit 3/m --limit-burst 5 -j LOG --log-level ${loglevel} --log-prefix "Stealth XMAS scan: "
        
        # SYN/RST/ACK/FIN/URG
        iptables -A tcp_scan_handling -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
          -m limit --limit 3/m --limit-burst 5 -j LOG --log-level ${loglevel} --log-prefix "Stealth XMAS-PSH scan: "
        
        # ALL/ALL
        iptables -A tcp_scan_handling -p tcp --tcp-flags ALL ALL \
          -m limit --limit 3/m --limit-burst 5 -j LOG --log-level ${loglevel} --log-prefix "Stealth XMAS-ALL scan: "
        
        # NMAP FIN Stealth
        iptables -A tcp_scan_handling -p tcp --tcp-flags ALL FIN \
          -m limit --limit 3/m --limit-burst 5 -j LOG --log-level ${loglevel} --log-prefix "Stealth FIN scan: "
        
        # SYN/RST
        iptables -A tcp_scan_handling -p tcp --tcp-flags SYN,RST SYN,RST \
          -m limit --limit 3/m --limit-burst 5 -j LOG --log-level ${loglevel} --log-prefix "Stealth SYN/RST scan: "
        
        # SYN/FIN (probably)
        iptables -A tcp_scan_handling -p tcp --tcp-flags SYN,FIN SYN,FIN \
          -m limit --limit 3/m --limit-burst 5 -j LOG --log-level ${loglevel} --log-prefix "Stealth SYN/FIN scan(?): "
        
        # Null scan
        iptables -A tcp_scan_handling -p tcp --tcp-flags ALL NONE \
          -m limit --limit 3/m --limit-burst 5 -j LOG --log-level ${loglevel} --log-prefix "Stealth Null scan: "

        # ipv6
        # (NMAP) FIN/URG/PSH
        ip6tables -A tcp_scan_handling -p tcp --tcp-flags ALL FIN,URG,PSH \
          -m limit --limit 3/m --limit-burst 5 -j LOG --log-level ${loglevel} --log-prefix "Stealth XMAS scan: "
        
        # SYN/RST/ACK/FIN/URG
        ip6tables -A tcp_scan_handling -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
          -m limit --limit 3/m --limit-burst 5 -j LOG --log-level ${loglevel} --log-prefix "Stealth XMAS-PSH scan: "
        
        # ALL/ALL
        ip6tables -A tcp_scan_handling -p tcp --tcp-flags ALL ALL \
          -m limit --limit 3/m --limit-burst 5 -j LOG --log-level ${loglevel} --log-prefix "Stealth XMAS-ALL scan: "
        
        # NMAP FIN Stealth
        ip6tables -A tcp_scan_handling -p tcp --tcp-flags ALL FIN \
          -m limit --limit 3/m --limit-burst 5 -j LOG --log-level ${loglevel} --log-prefix "Stealth FIN scan: "
        
        # SYN/RST
        ip6tables -A tcp_scan_handling -p tcp --tcp-flags SYN,RST SYN,RST \
          -m limit --limit 3/m --limit-burst 5 -j LOG --log-level ${loglevel} --log-prefix "Stealth SYN/RST scan: "
        
        # SYN/FIN (probably)
        ip6tables -A tcp_scan_handling -p tcp --tcp-flags SYN,FIN SYN,FIN \
          -m limit --limit 3/m --limit-burst 5 -j LOG --log-level ${loglevel} --log-prefix "Stealth SYN/FIN scan(?): "
        
        # Null scan
        ip6tables -A tcp_scan_handling -p tcp --tcp-flags ALL NONE \
          -m limit --limit 3/m --limit-burst 5 -j LOG --log-level ${loglevel} --log-prefix "Stealth Null scan: "


EOF

else
        echo " * Logging of stealth scans (nmap probes etc.) disabled."
fi

##
# Drop (NMAP) scan packets:
if [ "${drop_scans}" != '0' ]; then
        echo " * stealth scans (nmap probes etc.) will be DROPed."

cat <<- EOF >&3
        # NMAP FIN/URG/PSH
        ##################
        iptables -A tcp_scan_handling -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

        # SYN/RST/ACK/FIN/URG
        #####################
        iptables -A tcp_scan_handling -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

        # ALL/ALL Scan
        ##############
        iptables -A tcp_scan_handling -p tcp --tcp-flags ALL ALL -j DROP

        # NMAP FIN Stealth
        ##################
        iptables -A tcp_scan_handling -p tcp --tcp-flags ALL FIN -j DROP

        # SYN/RST
        #########
        iptables -A tcp_scan_handling -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

        # SYN/FIN -- Scan(probably)
        ###########################
        iptables -A tcp_scan_handling -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

        # NMAP Null Scan
        ################
        iptables -A tcp_scan_handling -p tcp --tcp-flags ALL NONE -j DROP

        # IPv6
        # NMAP FIN/URG/PSH
        ##################
        ip6tables -A tcp_scan_handling -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

        # SYN/RST/ACK/FIN/URG
        #####################
        ip6tables -A tcp_scan_handling -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

        # ALL/ALL Scan
        ##############
        ip6tables -A tcp_scan_handling -p tcp --tcp-flags ALL ALL -j DROP

        # NMAP FIN Stealth
        ##################
        ip6tables -A tcp_scan_handling -p tcp --tcp-flags ALL FIN -j DROP

        # SYN/RST
        #########
        ip6tables -A tcp_scan_handling -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

        # SYN/FIN -- Scan(probably)
        ###########################
        ip6tables -A tcp_scan_handling -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

        # NMAP Null Scan
        ################
        ip6tables -A tcp_scan_handling -p tcp --tcp-flags ALL NONE -j DROP


EOF

else
        echo " * stealth scans (nmap probes etc.) will *not* be DROPed."
fi