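#!/bin/bash
###########################
##Netfilter Config Script##
##By xispirito -- 12/2011##
###########################
#
# Builds an iptables ruleset (filter table only) from the settings below.
# Every iptables call needs root.  The default policies are DROP on all
# three chains, so once "start" has run, anything not opened explicitly
# below -- including SSH -- is unreachable.  Review the *IPORTS/SOURCE
# settings before running this on a remote host.
################
#Set Confs Here#
################
#Policies (chain default targets applied by BASE)
#Input
INPUTP="DROP"
#Output
OUTPUTP="DROP"
#Forward
FORWARDP="DROP"
#Load Modules ( options are: yes or no )
MLOAD="yes"
#Modules To Load ( case MLOAD = yes ) -- space separated list
# NOTE(review): ip_conntrack_ftp is the legacy module name; newer kernels
# ship it as nf_conntrack_ftp, and modprobe reports an error when the name
# is unknown -- confirm against the target kernel.
MODULES="ip_conntrack_ftp"
#Outputs (only used when output is "filtered")
#Tcp Output Ports -- space separated destination ports
TCPOPORTS="53 80"
#Udp Output Ports -- space separated destination ports
# NOTE: DNS normally uses UDP/53; while this is empty only TCP DNS works.
UDPOPORTS=""
#Inputs
#Tcp Input Ports -- space separated, reachable only from $SOURCE
TCPIPORTS=""
#Udp Input Ports -- space separated, reachable only from $SOURCE
UDPIPORTS=""
#Source Ip's Authorized To Connect On those Ports Above
# An address or network in a form "iptables -s" accepts (10.0.0.5 or
# 10.0.0.0/24).  Must be set when INPUTOP is auth/all, otherwise the
# authorized-source rules cannot be built.
SOURCE=""
#Tcp Input Ports -- Any Source (space separated)
TCPIAPORTS=""
#Udp Input Ports -- Any Source (space separated)
UDPIAPORTS=""
#Icmp (types as accepted by "iptables --icmp-type", e.g. echo-request)
#Icmp Output Type -- required when ICMPOP is out/any
ICMPOTY=""
#Icmp Reply Type for Output Above
ICMPRTY=""
#Icmp Input type -- required when ICMPOP is in/any
ICMPITY=""
#Icmp Reply Type for Input Above
ICMPIRTY=""
#Icmp Input authorized source ( blank to all )
ICMPIS=""
#Defaults (used by "start" / DEFAULT)
#Output ( options are: free, filtered )
OUTPUTOP="filtered"
#Allow Input ( options are: auth, any, all or no )
INPUTOP="no"
#Allow ICMP Output ( options are: in, out, any or no )
ICMPOP="no"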
- ###########
- #Functions#
- ###########
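#######################################
# Load or unload the kernel modules listed in $MODULES.
# Arguments: $1 - "load" or "unload"
# Globals:   MODULES (read) - space separated module names
# Returns:   0 on success, 1 on a bad argument or when any modprobe failed
#######################################
LMODULES()
{
  local action="$1" mod rc=0
  case "$action" in
    load)
      echo -e "[\e[32m*\e[0m] Loading modules"
      echo -e "\tModules:$MODULES"
      # One modprobe per name: without -a, modprobe treats every word after
      # the first as a *parameter* of that module, so "modprobe $MODULES"
      # silently loaded only the first entry of a multi-module list.
      for mod in $MODULES; do
        modprobe "$mod" || rc=1
      done
      ;;
    unload)
      echo -e "[\e[33m*\e[0m] Unloading modules"
      for mod in $MODULES; do
        modprobe -r "$mod" || rc=1
      done
      ;;
    *)
      echo "Bad Argument for MODULES() : $action" >&2
      rc=1
      ;;
  esac
  return $rc
}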
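#######################################
# Reset the filter table to a known state: apply the default policies from
# $INPUTP/$OUTPUTP/$FORWARDP, flush every rule and user chain, allow
# loopback, then load the modules when $MLOAD is "yes".
# Only the filter table is touched; nat/mangle/raw are left untouched.
# Globals: INPUTP, OUTPUTP, FORWARDP, MLOAD (read)
#######################################
BASE()
{
  echo -e "[\e[32m*\e[0m] Load basic rules"
  # Policies are set *before* the flush so there is never a window in which
  # a previous ACCEPT policy stands with no rules in front of it.
  iptables -P INPUT "$INPUTP"
  iptables -P FORWARD "$FORWARDP"
  iptables -P OUTPUT "$OUTPUTP"
  echo -e "\tSet Politcs"
  iptables -F
  iptables -X
  echo -e "\tCleaning Rules"
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  echo -e "\tSet loopback"
  if [ "$MLOAD" = yes ]; then
    LMODULES load
  fi
}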
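#######################################
# Apply the OUTPUT policy chosen by $1 on top of a freshly reset table.
# Arguments: $1 - "filtered": allow only RELATED/ESTABLISHED traffic plus
#                 new connections to the TCP/UDP ports in $TCPOPORTS/$UDPOPORTS
#                 "free":     allow all outbound traffic (NEW included)
# Globals:   TCPOPORTS, UDPOPORTS (read)
# Returns:   1 on a bad argument (the table has still been reset by BASE)
# NOTE: calls BASE first, and BASE flushes the whole filter table, so any
# INPUT/ICMP rules added *before* OUT are discarded.  Callers must run OUT
# before INPUT and ICMP.
#######################################
OUT()
{
  local mode="$1" port
  BASE
  case "$mode" in
    filtered)
      echo -e "[\e[32m*\e[0m] Filtering Output"
      iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      #TCP
      for port in $TCPOPORTS; do
        iptables -A OUTPUT -p tcp --dport "$port" -j ACCEPT
      done
      echo -e "\tTCP Output ports:$TCPOPORTS"
      #UDP
      for port in $UDPOPORTS; do
        iptables -A OUTPUT -p udp --dport "$port" -j ACCEPT
      done
      echo -e "\tUDP Output ports:$UDPOPORTS"
      ;;
    free)
      echo -e "[\e[33m*\e[0m] Filtering Input only"
      iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
      ;;
    *)
      echo "Bad argument for OUTPUT : $mode" >&2
      return 1
      ;;
  esac
}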
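#######################################
# Append INPUT accept rules.
# Arguments: $1 - "auth": open $TCPIPORTS/$UDPIPORTS only to the address(es)
#                         in $SOURCE (space separated; one rule per source)
#                 "any":  open $TCPIAPORTS/$UDPIAPORTS to every source
# Globals:   TCPIPORTS, UDPIPORTS, SOURCE, TCPIAPORTS, UDPIAPORTS (read)
# Returns:   1 on a bad argument, or when "auth" is requested with an empty
#            $SOURCE -- nothing is opened in that case (fail closed).
# NOTE: rules are appended, so this must run *after* OUT (whose BASE call
# flushes the table).
#######################################
INPUT()
{
  local mode="$1" port src
  case "$mode" in
    auth)
      # An empty $SOURCE would turn "-s" into a malformed iptables call;
      # refuse explicitly instead of relying on iptables to reject it.
      if [ -z "$SOURCE" ]; then
        echo "INPUT auth requested but SOURCE is empty; no input rules added" >&2
        return 1
      fi
      echo -e "[\e[32m*\e[0m] Set Iputs for authorized sources"
      #TCP
      for src in $SOURCE; do
        for port in $TCPIPORTS; do
          iptables -A INPUT -p tcp --dport "$port" -s "$src" -j ACCEPT
        done
      done
      echo -e "\tTCP Input ports:$TCPIPORTS"
      #UDP
      for src in $SOURCE; do
        for port in $UDPIPORTS; do
          iptables -A INPUT -p udp --dport "$port" -s "$src" -j ACCEPT
        done
      done
      echo -e "\tUDP Input ports:$UDPIPORTS"
      echo -e "\tSource Allowed:$SOURCE"
      ;;
    any)
      echo -e "[\e[32m*\e[0m] Set Iputs for any"
      #TCP -- the config variable is TCPIAPORTS; the original read the
      # misspelled TCPAIPORTS, which is never set, so no TCP port was
      # ever opened to "any" sources.
      for port in $TCPIAPORTS; do
        iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
      done
      echo -e "TCP Input ports ( all sources ):$TCPIAPORTS"
      #UDP
      for port in $UDPIAPORTS; do
        iptables -A INPUT -p udp --dport "$port" -j ACCEPT
      done
      echo -e "\tUDP Input ports ( all sources ):$UDPIAPORTS"
      ;;
    *)
      echo "Bad argument for INPUT : $mode" >&2
      return 1
      ;;
  esac
}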
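#######################################
# Append ICMP rules.
# Arguments: $1 - "out": allow outbound $ICMPOTY and the inbound $ICMPRTY
#                        replies to it
#                 "in":  allow inbound $ICMPITY and the outbound $ICMPIRTY
#                        replies; restricted to the address(es) in $ICMPIS
#                        when it is set, open to any source when it is blank
# Globals:   ICMPOTY, ICMPRTY, ICMPITY, ICMPIRTY, ICMPIS (read)
# Returns:   1 on a bad argument or when a required ICMP type is empty
#            (no rule is added in that case)
# NOTE: must run after OUT, because BASE (called by OUT) flushes the table.
#######################################
ICMP()
{
  local mode="$1" src
  case "$mode" in
    out)
      if [ -z "$ICMPOTY" ] || [ -z "$ICMPRTY" ]; then
        echo "ICMP out requested but ICMPOTY/ICMPRTY are not both set; no rules added" >&2
        return 1
      fi
      echo -e "[\e[32m*\e[0m] Set out ICMP rules"
      iptables -A OUTPUT -p icmp --icmp-type "$ICMPOTY" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      iptables -A INPUT -p icmp --icmp-type "$ICMPRTY" -m state --state ESTABLISHED,RELATED -j ACCEPT
      echo -e "\tICMP Output type:$ICMPOTY, reply type:$ICMPRTY"
      ;;
    in)
      if [ -z "$ICMPITY" ] || [ -z "$ICMPIRTY" ]; then
        echo "ICMP in requested but ICMPITY/ICMPIRTY are not both set; no rules added" >&2
        return 1
      fi
      # The original tested "[ ! $ICMPIS ]", which is true when ICMPIS is
      # EMPTY: a configured source list therefore fell into the unrestricted
      # branch and ICMP was accepted from everywhere, while a blank ICMPIS
      # produced a malformed "-s" call.  -n is the intended test.
      if [ -n "$ICMPIS" ]; then
        echo -e "[\e[32m*\e[0m] Set Input ICMP rules"
        # Replies to an inbound request leave the host, so the reply rule
        # sits on OUTPUT (mirroring the "out" branch), matched on -d.
        for src in $ICMPIS; do
          iptables -A INPUT -p icmp --icmp-type "$ICMPITY" -s "$src" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
          iptables -A OUTPUT -p icmp --icmp-type "$ICMPIRTY" -d "$src" -m state --state ESTABLISHED,RELATED -j ACCEPT
        done
        echo -e "\tICMP input allowed sources:$ICMPIS"
      else
        iptables -A INPUT -p icmp --icmp-type "$ICMPITY" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        iptables -A OUTPUT -p icmp --icmp-type "$ICMPIRTY" -m state --state ESTABLISHED,RELATED -j ACCEPT
        echo -e "\tICMP Input type:$ICMPITY, reply type:$ICMPIRTY"
      fi
      ;;
    *)
      echo "Bad argument for ICMP : $mode" >&2
      return 1
      ;;
  esac
}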
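#######################################
# Tear the firewall down: flush and zero the filter table, set every chain
# policy to ACCEPT (what the HELP text promises), add explicit allow-all
# rules, and unload the modules.
# NOTE: after this the host accepts everything.
#######################################
STOP()
{
  echo -e "[\e[31m*\e[0m] Cleaning rules"
  iptables -F
  iptables -X
  iptables -Z
  echo -e "\tFlush'em all"
  # The original never reset the policies, so a previous "start" left them
  # at DROP (anything conntrack marks INVALID stayed dropped), and its
  # loopback rule used "-i o" instead of "-i lo".
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A INPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
  echo -e "\tSet all to ACCEPT"
  LMODULES unload
}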
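#######################################
# Print usage to stdout.  The descriptions follow what the option parsing
# at the bottom of the file actually does ("any" means any source, not
# "external" sources -- the original text misdescribed -i any / -a exin).
#######################################
HELP()
{
  printf '\n'
  printf 'Usage:\n'
  printf '\t-s or start Start the Netfilter Script\n'
  printf '\t-t or stop Stop, unload Modules and set all to ACCEPT\n'
  printf '\t-r or restart\t Restart( using start rules )\n'
  printf '\n'
  printf '[-a]\n'
  printf 'Arguments:\n'
  printf '\tdefault: Same as start\n'
  printf '\tauthin\t Output filtered, Input from authorized sources\n'
  printf '\tallin\t Output filtered, Input from authorized sources plus the any-source ports\n'
  printf '\texin Output filtered, Input on the any-source ports only\n'
  printf '\tfout Free Output, no Input\n'
  printf '\tfout_authin Free Output, Input from authorized sources\n'
  printf '\tfout_exin Free Output, Input on the any-source ports only\n'
  printf '\tfout_allin Free Output, Input from authorized sources plus the any-source ports\n'
  printf '\n'
  printf '[-i]\n'
  printf 'Arguments:\n'
  printf '\tauth Input Allowed for authorized Sources\n'
  printf '\tany Input Allowed from any source on the any-source ports\n'
  printf '\n'
  printf '[-o]\n'
  printf 'Arguments:\n'
  printf '\tfree Free Output\n'
  printf '\tfiltered Filtered Output\n'
  printf '\n'
  printf '[-p]\n'
  printf 'Arguments:\n'
  printf '\tout Allow ICMP Output\n'
  printf '\tin Allow ICMP Input\n'
  printf '\tall Allow ICMP Input and Output\n'
  printf '\n'
}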
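#######################################
# Apply the ruleset described by the config defaults INPUTOP, ICMPOP and
# OUTPUTOP.
# OUT is applied FIRST: it calls BASE, which flushes the filter table, so
# the original order (INPUT, ICMP, then OUT) silently threw away every
# input and ICMP rule it had just appended -- "start" never actually
# opened the configured input ports.
# Globals: INPUTOP, ICMPOP, OUTPUTOP (read)
#######################################
DEFAULT()
{
  if [ "$OUTPUTOP" = free ]; then
    OUT free
  else
    OUT filtered
  fi
  case "$INPUTOP" in
    auth) INPUT auth ;;
    any)  INPUT any ;;
    all)  INPUT auth; INPUT any ;;
  esac
  case "$ICMPOP" in
    in)  ICMP in ;;
    out) ICMP out ;;
    any) ICMP in; ICMP out ;;
  esac
}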
- ##########
- #Starting#
- ##########
- #Get Options
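# Every iptables call below needs root; fail early with a clear message
# instead of a trail of permission errors (help is still readable by anyone).
if [ "${1-}" != "-h" ] && [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root" >&2
  exit 1
fi

# Positional form: (nothing) | start | stop | restart
case "${1-}" in
  ""|start|restart)
    DEFAULT
    exit
    ;;
  stop)
    STOP
    exit
    ;;
esac

# Flag form.  Requests are collected while parsing and applied afterwards
# in a fixed order: OUT first, then INPUT, then ICMP.  OUT calls BASE,
# which flushes the filter table, so applying in command-line order
# ("-i auth -o filtered", or the original "-a authin" arm) discarded the
# input rules immediately after adding them.
want_out=""
want_in=""
want_icmp=""
while getopts sa:o:p:i:rth ARGM; do
  case "$ARGM" in
    i)
      case "$OPTARG" in
        auth|any) want_in="$want_in $OPTARG" ;;
        *) echo "Bad argument for -i : $OPTARG" >&2 ;;
      esac
      ;;
    o)
      case "$OPTARG" in
        filtered|free) want_out="$OPTARG" ;;
        *) echo "Bad argument for -o : $OPTARG" >&2 ;;
      esac
      ;;
    a)
      case "$OPTARG" in
        default)     DEFAULT ;;
        authin)      want_out=filtered; want_in="$want_in auth" ;;
        allin)       want_out=filtered; want_in="$want_in auth any" ;;
        exin)        want_out=filtered; want_in="$want_in any" ;;
        fout)        want_out=free ;;
        fout_authin) want_out=free; want_in="$want_in auth" ;;
        fout_allin)  want_out=free; want_in="$want_in auth any" ;;
        fout_exin)   want_out=free; want_in="$want_in any" ;;
        # The original message named "-o" here, pointing users at the wrong flag.
        *) echo "Bad Argument for -a : $OPTARG" >&2 ;;
      esac
      ;;
    p)
      case "$OPTARG" in
        out|in) want_icmp="$want_icmp $OPTARG" ;;
        all)    want_icmp="$want_icmp in out" ;;
        *) echo "Bad argument for -p : $OPTARG" >&2 ;;
      esac
      ;;
    r)
      DEFAULT
      exit
      ;;
    s)
      DEFAULT
      ;;
    t)
      STOP
      exit
      ;;
    h)
      HELP
      exit
      ;;
    \?)
      echo -e "[\e[31m*\e[0m] Bad Argument"
      HELP
      exit
      ;;
  esac
done
shift $((OPTIND-1))

# Apply the collected requests in dependency order (see above).
if [ -n "$want_out" ]; then
  OUT "$want_out"
fi
for req in $want_in; do
  INPUT "$req"
done
for req in $want_icmp; do
  ICMP "$req"
done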