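#!/bin/sh
# Gateway packet filter for a three-legged host:
#   eth0 = Internet, eth1 = local/server LAN, eth2 = client LAN.
#
# Usage:  rc.firewall            build the ruleset from scratch
#         rc.firewall save       dump the live ruleset to $IPT_SAVE_FILE
#         rc.firewall restore    load the ruleset from $IPT_SAVE_FILE
#         rc.firewall stop       flush everything and open all policies
#
# Written for POSIX sh (printf instead of "echo -n", no bashisms) because
# /bin/sh is not guaranteed to be bash on the target box.

SYSCTL="/sbin/sysctl -w"
IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"

# Where "save" writes and "restore" reads the ruleset.
IPT_SAVE_FILE="/etc/sysconfig/iptables"

# Internet-facing interface and its public address (also the SNAT source).
INET_IFACE="eth0"
INET_ADDRESS="109.121.200.222"

# Local (server) LAN behind eth1.
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.0.1"
LOCAL_NET="192.168.0.0/24"
LOCAL_BCAST="192.168.0.255"

# Client LAN behind eth2.
CLIENT_IFACE="eth2"
CLIENT_IP="192.168.142.1"
CLIENT_NET="192.168.142.0/24"
CLIENT_BCAST="192.168.142.255"

# Loopback.
LO_IFACE="lo"
LO_IP="127.0.0.1"

case "$1" in
save)
    printf 'Saving firewall to %s ... ' "$IPT_SAVE_FILE"
    # Write to a temp file and rename into place: a plain "> file" truncates
    # the previous good ruleset before iptables-save runs, so a failed save
    # would leave an empty file that a later "restore" happily loads.
    tmp=$(mktemp "$IPT_SAVE_FILE.XXXXXX" 2>/dev/null) || tmp="$IPT_SAVE_FILE.tmp.$$"
    if $IPTS > "$tmp"; then
        mv -f "$tmp" "$IPT_SAVE_FILE"
        echo "done"
        exit 0
    fi
    rm -f "$tmp"
    echo "FAILED" >&2
    exit 1
    ;;
restore)
    printf 'Restoring firewall from %s ... ' "$IPT_SAVE_FILE"
    if $IPTR < "$IPT_SAVE_FILE"; then
        echo "done"
        exit 0
    fi
    # A partial restore leaves the tables in an undefined state; do not
    # report "done" and do not exit 0 in that case.
    echo "FAILED" >&2
    exit 1
    ;;
esac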
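echo "Loading kernel modules ..."
# Core netfilter plus the FTP/IRC connection-tracking helpers that the
# RELATED state matches further down depend on.  These are the legacy
# module names (ip_conntrack*); on current kernels the equivalents are
# nf_conntrack* and usually autoload, so a failed modprobe here is not
# necessarily fatal.
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

# sysctl_proc_path KEY -> print the /proc/sys path for a dotted sysctl key.
sysctl_proc_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# set_sysctl KEY VALUE -> set a kernel parameter through $SYSCTL, or by
# writing /proc/sys directly when SYSCTL is empty (no sysctl binary).
# Replaces seven copies of the same if/else block.
set_sysctl() {
    if [ -z "$SYSCTL" ]; then
        echo "$2" > "$(sysctl_proc_path "$1")"
    else
        $SYSCTL "$1=$2"
    fi
}

# This host routes between eth0, eth1 and eth2.
set_sysctl net.ipv4.ip_forward 1
# SYN cookies: keep the public services below reachable under a SYN flood.
set_sysctl net.ipv4.tcp_syncookies 1
# Reverse-path filtering: drop packets whose source address would not be
# routed back out the interface they arrived on (complements bad_packets).
set_sysctl net.ipv4.conf.all.rp_filter 1
# Do not answer broadcast pings (smurf amplification).
set_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1
# Source-routed packets are never legitimate here.
set_sysctl net.ipv4.conf.all.accept_source_route 0
# Only honour ICMP redirects that come from a configured gateway.
# NOTE(review): accept_redirects itself is left at the kernel default; a
# router normally wants net.ipv4.conf.all.accept_redirects=0 as well --
# confirm on the target kernel before adding it.
set_sysctl net.ipv4.conf.all.secure_redirects 1
# Martian logging is deliberately off (value kept as in the original).
# NOTE(review): setting this to 1 is what makes rp_filter drops visible in
# the log; consider enabling once the log volume is known to be acceptable.
set_sysctl net.ipv4.conf.all.log_martians 0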
echo "Flushing Tables ..."
# Open the built-in chains first so nothing gets locked out while the
# old rules are torn down and the new ones are being appended.
for chain in INPUT FORWARD OUTPUT; do
    $IPT -P "$chain" ACCEPT
done
for chain in PREROUTING POSTROUTING OUTPUT; do
    $IPT -t nat -P "$chain" ACCEPT
done
# As in the original, only PREROUTING and OUTPUT are reset in mangle;
# any other mangle chains the kernel provides are left untouched.
for chain in PREROUTING OUTPUT; do
    $IPT -t mangle -P "$chain" ACCEPT
done
# Flush every rule in the tables we use, then delete the user chains.
for table in filter nat mangle; do
    $IPT -t "$table" -F
done
for table in filter nat mangle; do
    $IPT -t "$table" -X
done

# "stop" ends here: empty tables, ACCEPT policies.
# NOTE(review): net.ipv4.ip_forward was already switched on above and the
# SNAT rule is gone, so after "stop" this host is an unfiltered router
# between eth0, eth1 and eth2 that forwards LAN sources unmasqueraded.
# Consider turning forwarding off in this branch if "stop" is ever used
# on a live gateway.
if [ "$1" = "stop" ]; then
    echo "Firewall completely flushed! Now running with no firewall."
    exit 0
fi
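# Default-deny on all three filter chains; everything below is an
# explicit allow.
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

echo "set traffic control"
# Traffic shaping lives in a separate script.  It is not part of the
# packet filter, so a missing script is reported instead of producing an
# unexplained "not found" from the shell.
if [ -x /etc/rc.d/rc.ipclient ]; then
    /etc/rc.d/rc.ipclient
else
    echo "warning: /etc/rc.d/rc.ipclient missing or not executable, skipping traffic control" >&2
fi

echo "Create and populate custom rule chains ..."
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound

# log_drop CHAIN PREFIX MATCH... -> append a LOG rule and then an identical
# DROP rule, so every drop in the custom chains leaves a trace.  Keeping
# the match in one place prevents the LOG and DROP lines from drifting
# apart when a rule is edited.
log_drop() {
    _chain=$1
    _prefix=$2
    shift 2
    $IPT -A "$_chain" "$@" -j LOG --log-prefix "$_prefix"
    $IPT -A "$_chain" "$@" -j DROP
}

# bad_packets: anti-spoofing and sanity checks, consulted first by both
# INPUT and FORWARD.  Packets arriving from the Internet that claim one
# of our private networks as source are spoofed.
log_drop bad_packets "Illegal source: " -p ALL -i "$INET_IFACE" -s "$LOCAL_NET"
log_drop bad_packets "Illegal source: " -p ALL -i "$INET_IFACE" -s "$CLIENT_NET"
# Anything conntrack cannot classify.
log_drop bad_packets "Invalid packet: " -p ALL -m state --state INVALID
$IPT -A bad_packets -p tcp -j bad_tcp_packets
# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets: TCP flag sanity.  Traffic from the two LANs is trusted
# and skips these checks.
$IPT -A bad_tcp_packets -p tcp -i "$LOCAL_IFACE" -j RETURN
$IPT -A bad_tcp_packets -p tcp -i "$CLIENT_IFACE" -j RETURN
# A NEW connection must start with a bare SYN.
log_drop bad_tcp_packets "New not syn: " -p tcp ! --syn -m state --state NEW
# Flag combinations that do not occur in legitimate traffic (scanner probes).
log_drop bad_tcp_packets "Stealth scan: " -p tcp --tcp-flags ALL NONE
log_drop bad_tcp_packets "Stealth scan: " -p tcp --tcp-flags ALL ALL
log_drop bad_tcp_packets "Stealth scan: " -p tcp --tcp-flags ALL FIN,URG,PSH
log_drop bad_tcp_packets "Stealth scan: " -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG
log_drop bad_tcp_packets "Stealth scan: " -p tcp --tcp-flags SYN,RST SYN,RST
log_drop bad_tcp_packets "Stealth scan: " -p tcp --tcp-flags SYN,FIN SYN,FIN
$IPT -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets: ICMP arriving on the Internet interface.
log_drop icmp_packets "ICMP Fragment: " --fragment -p ICMP
# Echo requests from outside are dropped; time-exceeded (traceroute) is accepted.
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN

# udp_inbound: NetBIOS noise is dropped without logging.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN

# udp_outbound: no egress filtering for UDP coming from the LANs.
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT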
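# add_allowed_ip_filter_rules FILE -> for every address in FILE (one per
# line; blank lines and '#' comments are skipped) open the management
# services on this host and the forwarded services on the server LAN to
# that source only.
add_allowed_ip_filter_rules() {
    # IFS= and -r keep each line verbatim.  The "|| [ -n "$IP" ]" clause
    # makes a last line without a trailing newline count; plain
    # "while read" silently drops it.  Blank or comment lines used to
    # produce an empty "-s" argument, which iptables rejects, so the rule
    # was skipped with only an error on the console.
    while IFS= read -r IP || [ -n "$IP" ]; do
        case "$IP" in
            ''|'#'*) continue ;;
        esac
        #WEBMIN
        $IPT -A tcp_inbound -p TCP -s "$IP" --destination-port 10000 -j ACCEPT
        #SNORT
        $IPT -A tcp_inbound -p TCP -s "$IP" --destination-port 3000 -j ACCEPT
        #MYSQL (external port 9913 is DNATed to 192.168.0.3:1020 in the nat section)
        $IPT -A FORWARD -p tcp -i "$INET_IFACE" -s "$IP" --destination-port 1020 --destination 192.168.0.3 -j ACCEPT
        # SSH to 192.168.0.3 (external port 22 is DNATed to .3:22)
        $IPT -A FORWARD -p tcp -i "$INET_IFACE" -s "$IP" --destination-port 22 --destination 192.168.0.3 -j ACCEPT
        # SSH to 192.168.0.7: external port 2222 is DNATed to .7:22, and
        # FORWARD sees the packet after translation, so the match here must
        # be port 22.  The original matched 2222, which never fires
        # post-DNAT and left the connection to die in FORWARD.
        $IPT -A FORWARD -p tcp -i "$INET_IFACE" -s "$IP" --destination-port 22 --destination 192.168.0.7 -j ACCEPT
    done < "$1"
}

# NOTE(review): these FORWARD rules are appended before the bad_packets
# jump that the FORWARD chain proper starts with, so listed sources skip
# the spoofing and TCP-flag checks.  Order kept as in the original.
add_allowed_ip_filter_rules /etc/rc.d/allowed_ips.conf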
# Public services on this host, reachable from any Internet source:
#   80 HTTP, 25 SMTP, 110 POP3, 143 IMAP4, 1723 PPTP control channel.
# NOTE(review): 25/110/143 carry credentials in the clear unless the
# daemons enforce STARTTLS; 993/995 are not opened here.  PPTP's data
# channel is GRE (IP protocol 47) and no GRE rule is visible in this
# script, so the tunnel presumably relies on a conntrack helper that is
# not among the modules loaded above -- worth confirming.
for port in 80 25 110 143 1723; do
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port "$port" -j ACCEPT
done

# ECHOLINK: forwarded to the LAN host 192.168.0.200 (DNAT in the nat section).
for port in 5198 5199; do
    $IPT -A FORWARD -p udp -i "$INET_IFACE" --destination-port "$port" --destination 192.168.0.200 -j ACCEPT
done
$IPT -A FORWARD -p tcp -i "$INET_IFACE" --destination-port 5200 --destination 192.168.0.200 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN

# tcp_outbound: no egress filtering for TCP coming from the LANs.
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
echo "Process INPUT chain ..."
# Loopback is always trusted.
$IPT -A INPUT -p ALL -i "$LO_IFACE" -j ACCEPT
# Spoofing and sanity checks first (see bad_packets).
$IPT -A INPUT -p ALL -j bad_packets
# Silently drop all-hosts multicast.
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP

# accept_lan_input IFACE NET BCAST -> let hosts on an internal interface
# reach the gateway itself, and accept that segment's broadcasts.
accept_lan_input() {
    $IPT -A INPUT -p ALL -i "$1" -s "$2" -j ACCEPT
    $IPT -A INPUT -p ALL -i "$1" -d "$3" -j ACCEPT
}
accept_lan_input "$LOCAL_IFACE" "$LOCAL_NET" "$LOCAL_BCAST"
accept_lan_input "$CLIENT_IFACE" "$CLIENT_NET" "$CLIENT_BCAST"
# PPP peers are treated as members of the local LAN.
accept_lan_input ppp+ "$LOCAL_NET" "$LOCAL_BCAST"

# DHCP client -> server on either LAN (kept separate from the net match
# above because the client typically has no address yet).
for iface in "$LOCAL_IFACE" "$CLIENT_IFACE"; do
    $IPT -A INPUT -p UDP -i "$iface" --source-port 68 --destination-port 67 -j ACCEPT
done

# Replies to connections the gateway itself opened towards the Internet.
$IPT -A INPUT -p ALL -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i "$INET_IFACE" -j tcp_inbound
$IPT -A INPUT -p UDP -i "$INET_IFACE" -j udp_inbound
$IPT -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets
# Drop without logging broadcasts that get this far.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
# Log (rate limited) whatever is left; the DROP policy then discards it.
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
echo "Process FORWARD chain ..."
# Spoofing and sanity checks first (see bad_packets).
$IPT -A FORWARD -p ALL -j bad_packets

# Traffic originating on the internal side: TCP and UDP go through the
# outbound chains (which accept everything), anything else is accepted
# directly.
# NOTE(review): there is no -o restriction on any of these, so the client
# LAN (eth2) can reach the server LAN (eth1) unfiltered, not only the
# Internet; add "-o $INET_IFACE" (or explicit inter-LAN rules) if that
# segmentation is intended.
for iface in "$LOCAL_IFACE" "$CLIENT_IFACE" ppp+; do
    $IPT -A FORWARD -p tcp -i "$iface" -j tcp_outbound
done
for iface in "$LOCAL_IFACE" "$CLIENT_IFACE" ppp+; do
    $IPT -A FORWARD -p udp -i "$iface" -j udp_outbound
done
for iface in "$LOCAL_IFACE" "$CLIENT_IFACE" ppp+; do
    $IPT -A FORWARD -p ALL -i "$iface" -j ACCEPT
done

# Replies from the Internet to connections opened from inside.
$IPT -A FORWARD -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log (rate limited) whatever is left; the DROP policy then discards it.
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
echo "Process OUTPUT chain ..."
# Drop outgoing ICMP that conntrack cannot classify.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# accept_output SRC IFACE -> allow locally generated traffic either by its
# source address or by the interface it leaves on.
accept_output() {
    $IPT -A OUTPUT -p ALL -s "$1" -j ACCEPT
    $IPT -A OUTPUT -p ALL -o "$2" -j ACCEPT
}
# Localhost
accept_output "$LO_IP" "$LO_IFACE"
# To internal network
accept_output "$LOCAL_IP" "$LOCAL_IFACE"
accept_output "$CLIENT_IP" "$CLIENT_IFACE"
$IPT -A OUTPUT -p ALL -o ppp+ -j ACCEPT
# To internet: the gateway itself has no egress restrictions.
$IPT -A OUTPUT -p ALL -o "$INET_IFACE" -j ACCEPT
# Log (rate limited) whatever is left; the DROP policy then discards it.
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
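echo "Load rules for nat table ..."
# Transparent mail relay: SMTP/submission from the local LAN is redirected
# to this host whatever server address the client used.
$IPT -t nat -A PREROUTING -i "$LOCAL_IFACE" -p tcp -s "$LOCAL_NET" --dport 25 -j DNAT --to-destination "$LOCAL_IP:25"
$IPT -t nat -A PREROUTING -i "$LOCAL_IFACE" -p tcp -s "$LOCAL_NET" --dport 587 -j DNAT --to-destination "$LOCAL_IP:587"

#NAT ECHOLINK -> 192.168.0.200 (the matching FORWARD accepts are in the
# filter section above).
for port in 5198 5199; do
    $IPT -t nat -A PREROUTING -p udp -i "$INET_IFACE" --destination-port "$port" -j DNAT --to-destination 192.168.0.200
done
$IPT -t nat -A PREROUTING -p tcp -i "$INET_IFACE" --destination-port 5200 -j DNAT --to-destination 192.168.0.200
# Kept from the original.  It is appended after the FORWARD LOG rule, and
# tcp/5200 to .200 is already accepted earlier in FORWARD, so this line is
# believed to be redundant -- left in rather than silently removed.
$IPT -A FORWARD -i "$INET_IFACE" -d 192.168.0.200 -p tcp --dport 5200 -j tcp_inbound

# add_allowed_ip_nat_rules FILE -> one set of DNAT rules per address in
# FILE (blank lines and '#' comments skipped), restricted to that source.
# The original loop never used $IP: it appended the same unrestricted
# DNAT rules once per line of the file.  Restricting them to -s "$IP"
# matches the "allowed IPs" intent and means an unlisted source is not
# translated at all; the -s rules in FORWARD remain as a second layer.
add_allowed_ip_nat_rules() {
    # IFS= / -r keep the line verbatim; the "|| [ -n "$IP" ]" clause makes a
    # last line without a trailing newline count.
    while IFS= read -r IP || [ -n "$IP" ]; do
        case "$IP" in
            ''|'#'*) continue ;;
        esac
        # External 9913 -> port 1020 (MySQL side) on 192.168.0.3
        $IPT -t nat -A PREROUTING -p tcp -i "$INET_IFACE" -s "$IP" --destination-port 9913 -j DNAT --to-destination 192.168.0.3:1020
        # External 22 -> SSH on 192.168.0.3
        $IPT -t nat -A PREROUTING -p tcp -i "$INET_IFACE" -s "$IP" --destination-port 22 -j DNAT --to-destination 192.168.0.3:22
        # External 2222 -> SSH on 192.168.0.7.  NOTE(review): after this
        # translation FORWARD sees dport 22, so a FORWARD rule that matches
        # dport 2222 for 192.168.0.7 never fires; the filter side must
        # match port 22 for this host.
        $IPT -t nat -A PREROUTING -p tcp -i "$INET_IFACE" -s "$IP" --destination-port 2222 -j DNAT --to-destination 192.168.0.7:22
    done < "$1"
}
add_allowed_ip_nat_rules /etc/rc.d/allowed_ips.conf

# Masquerade everything leaving on the Internet interface behind the
# static public address.
$IPT -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_ADDRESS"
echo "Load rules for mangle table ..."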