  1. #!/bin/sh
  2.  
  3. SYSCTL="/sbin/sysctl -w"
  4.  
  5. IPT="/usr/sbin/iptables"
  6. IPTS="/usr/sbin/iptables-save"
  7. IPTR="/usr/sbin/iptables-restore"
  8.  
  9. # Internet Interface
  10. INET_IFACE="eth0"
  11. INET_ADDRESS="109.121.200.222"
  12.  
  13. # Local Interface Information
  14. LOCAL_IFACE="eth1"
  15. LOCAL_IP="192.168.0.1"
  16. LOCAL_NET="192.168.0.0/24"
  17. LOCAL_BCAST="192.168.0.255"
  18.  
  19. #Clients Interface Information
  20. CLIENT_IFACE="eth2"
  21. CLIENT_IP="192.168.142.1"
  22. CLIENT_NET="192.168.142.0/24"
  23. CLIENT_BCAST="192.168.142.255"
  24.  
  25.  
  26. # Localhost Interface
  27. LO_IFACE="lo"
  28. LO_IP="127.0.0.1"
  29.  
  30. if [ "$1" = "save" ]
  31. then
  32. echo -n "Saving firewall to /etc/sysconfig/iptables ... "
  33. $IPTS > /etc/sysconfig/iptables
  34. echo "done"
  35. exit 0
  36. elif [ "$1" = "restore" ]
  37. then
  38. echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
  39. $IPTR < /etc/sysconfig/iptables
  40. echo "done"
  41. exit 0
  42. fi
  43.  
  44. echo "Loading kernel modules ..."
  45.  
  46. # core netfilter module
  47. /sbin/modprobe ip_tables
  48. /sbin/modprobe ip_conntrack
  49. /sbin/modprobe ip_nat_ftp
  50. /sbin/modprobe ip_conntrack_ftp
  51. /sbin/modprobe ip_conntrack_irc
  52.  
  53. if [ "$SYSCTL" = "" ]
  54. then
  55. echo "1" > /proc/sys/net/ipv4/ip_forward
  56. else
  57. $SYSCTL net.ipv4.ip_forward="1"
  58. fi
  59.  
  60. if [ "$SYSCTL" = "" ]
  61. then
  62. echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  63. else
  64. $SYSCTL net.ipv4.tcp_syncookies="1"
  65. fi
  66.  
  67. if [ "$SYSCTL" = "" ]
  68. then
  69. echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
  70. else
  71. $SYSCTL net.ipv4.conf.all.rp_filter="1"
  72. fi
  73.  
  74. if [ "$SYSCTL" = "" ]
  75. then
  76. echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  77. else
  78. $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
  79. fi
  80.  
  81. if [ "$SYSCTL" = "" ]
  82. then
  83. echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
  84. else
  85. $SYSCTL net.ipv4.conf.all.accept_source_route="0"
  86. fi
  87.  
  88. if [ "$SYSCTL" = "" ]
  89. then
  90. echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
  91. else
  92. $SYSCTL net.ipv4.conf.all.secure_redirects="1"
  93. fi
  94.  
  95. if [ "$SYSCTL" = "" ]
  96. then
  97. echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
  98. else
  99. $SYSCTL net.ipv4.conf.all.log_martians="0"
  100. fi
  101.  
  102.  
  103. echo "Flushing Tables ..."
  104. $IPT -P INPUT ACCEPT
  105. $IPT -P FORWARD ACCEPT
  106. $IPT -P OUTPUT ACCEPT
  107. $IPT -t nat -P PREROUTING ACCEPT
  108. $IPT -t nat -P POSTROUTING ACCEPT
  109. $IPT -t nat -P OUTPUT ACCEPT
  110. $IPT -t mangle -P PREROUTING ACCEPT
  111. $IPT -t mangle -P OUTPUT ACCEPT
  112.  
  113. # Flush all rules
  114. $IPT -F
  115. $IPT -t nat -F
  116. $IPT -t mangle -F
  117.  
  118. # Erase all non-default chains
  119. $IPT -X
  120. $IPT -t nat -X
  121. $IPT -t mangle -X
  122.  
  123. if [ "$1" = "stop" ]
  124. then
  125. echo "Firewall completely flushed! Now running with no firewall."
  126. exit 0
  127. fi
  128.  
  129. # Set Policies
  130. $IPT -P INPUT DROP
  131. $IPT -P OUTPUT DROP
  132. $IPT -P FORWARD DROP
  133.  
  134.  
  135. echo "set traffic control"
  136. /etc/rc.d/rc.ipclient
  137.  
  138. echo "Create and populate custom rule chains ..."
  139. $IPT -N bad_packets
  140. $IPT -N bad_tcp_packets
  141. $IPT -N icmp_packets
  142. $IPT -N udp_inbound
  143. $IPT -N udp_outbound
  144. $IPT -N tcp_inbound
  145. $IPT -N tcp_outbound
  146.  
  147. $IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG --log-prefix "Illegal source: "
  148. $IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
  149. $IPT -A bad_packets -p ALL -i $INET_IFACE -s $CLIENT_NET -j LOG --log-prefix "Illegal source: "
  150. $IPT -A bad_packets -p ALL -i $INET_IFACE -s $CLIENT_NET -j DROP
  151.  
  152. $IPT -A bad_packets -p ALL -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
  153. $IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
  154.  
  155. $IPT -A bad_packets -p tcp -j bad_tcp_packets
  156.  
  157. # All good, so return
  158. $IPT -A bad_packets -p ALL -j RETURN
  159.  
  160. $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
  161. $IPT -A bad_tcp_packets -p tcp -i $CLIENT_IFACE -j RETURN
  162.  
  163. $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn: "
  164. $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
  165. $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "Stealth scan: "
  166. $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
  167. $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "Stealth scan: "
  168. $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
  169. $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "Stealth scan: "
  170. $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  171. $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "Stealth scan: "
  172. $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  173.  
  174. $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
  175. $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  176. $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "Stealth scan: "
  177. $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  178.  
  179. $IPT -A bad_tcp_packets -p tcp -j RETURN
  180.  
  181. $IPT -A icmp_packets --fragment -p ICMP -j LOG --log-prefix "ICMP Fragment: "
  182. $IPT -A icmp_packets --fragment -p ICMP -j DROP
  183.  
  184. $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
  185.  
  186. $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
  187.  
  188. # Not matched, so return so it will be logged
  189. $IPT -A icmp_packets -p ICMP -j RETURN
  190.  
  191. $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
  192. $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
  193.  
  194. # Not matched, so return for logging
  195. $IPT -A udp_inbound -p UDP -j RETURN
  196.  
  197. # No match, so ACCEPT
  198. $IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
  199.  
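# Per-host access for the administrative addresses listed one per line in
# allowed_ips.conf. read -r keeps backslashes literal, the "|| [ -n ]"
# clause still processes a final line without a newline, and blank or '#'
# lines are skipped so an empty $IP never reaches iptables as a dangling
# "-s" (the original passed it through and iptables rejected the rule).
ALLOWED_IPS="/etc/rc.d/allowed_ips.conf"
while read -r IP || [ -n "$IP" ]; do
  case "$IP" in
    ''|'#'*) continue ;;
  esac
  # Webmin (10000) and Snort console (3000) on the gateway itself.
  "$IPT" -A tcp_inbound -p TCP -s "$IP" --destination-port 10000 -j ACCEPT
  "$IPT" -A tcp_inbound -p TCP -s "$IP" --destination-port 3000 -j ACCEPT
  # Port-forwards to internal hosts. FORWARD sees the packet after the nat
  # PREROUTING DNAT further down has rewritten it, so the ports here are the
  # internal ones: 9913 -> 192.168.0.3:1020, 22 -> 192.168.0.3:22 and
  # 2222 -> 192.168.0.7:22. The original matched 2222 on the last rule,
  # which can never be true post-DNAT, so SSH to 192.168.0.7 was logged and
  # dropped; it has to match the translated port 22.
  "$IPT" -A FORWARD -p tcp -i "$INET_IFACE" -s "$IP" --destination-port 1020 --destination 192.168.0.3 -j ACCEPT
  "$IPT" -A FORWARD -p tcp -i "$INET_IFACE" -s "$IP" --destination-port 22 --destination 192.168.0.3 -j ACCEPT
  "$IPT" -A FORWARD -p tcp -i "$INET_IFACE" -s "$IP" --destination-port 22 --destination 192.168.0.7 -j ACCEPT
done < "$ALLOWED_IPS"

# Services on the gateway itself, reachable from any Internet address.
"$IPT" -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT    # HTTP
"$IPT" -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT    # SMTP
"$IPT" -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT   # POP3
"$IPT" -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT   # IMAP4
# PPTP control channel. NOTE(review): nothing in this script accepts GRE
# (protocol 47) on $INET_IFACE and no PPTP conntrack helper is loaded above,
# so the tunnel's data channel must be handled elsewhere - confirm.
"$IPT" -A tcp_inbound -p TCP -s 0/0 --destination-port 1723 -j ACCEPT

# ECHOLINK: forwarded to 192.168.0.200 from any source (the matching DNAT
# rules are in the nat section below).
"$IPT" -A FORWARD -p udp -i "$INET_IFACE" --destination-port 5198 --destination 192.168.0.200 -j ACCEPT
"$IPT" -A FORWARD -p udp -i "$INET_IFACE" --destination-port 5199 --destination 192.168.0.200 -j ACCEPT
"$IPT" -A FORWARD -p tcp -i "$INET_IFACE" --destination-port 5200 --destination 192.168.0.200 -j ACCEPT

# Not matched, so return so it will be logged by INPUT.
"$IPT" -A tcp_inbound -p TCP -j RETURN

# tcp_outbound: everything from the inside is allowed out.
"$IPT" -A tcp_outbound -p TCP -s 0/0 -j ACCEPT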
  233. echo "Process INPUT chain ..."
  234.  
  235. $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
  236.  
  237. # Drop bad packets
  238. $IPT -A INPUT -p ALL -j bad_packets
  239. $IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
  240.  
  241. # Rules for the private network (accessing gateway system itself)
  242. $IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
  243. $IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
  244. $IPT -A INPUT -p ALL -i $CLIENT_IFACE -s $CLIENT_NET -j ACCEPT
  245. $IPT -A INPUT -p ALL -i $CLIENT_IFACE -d $CLIENT_BCAST -j ACCEPT
  246. $IPT -A INPUT -p ALL -i ppp+ -s $LOCAL_NET -j ACCEPT
  247. $IPT -A INPUT -p ALL -i ppp+ -d $LOCAL_BCAST -j ACCEPT
  248.  
  249. $IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 -j ACCEPT
  250. $IPT -A INPUT -p UDP -i $CLIENT_IFACE --source-port 68 --destination-port 67 -j ACCEPT
  251. # Accept Established Connections
  252. $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
  253.  
  254. # Route the rest to the appropriate user chain
  255. $IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
  256. $IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
  257. $IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
  258.  
  259. # Drop without logging broadcasts that get this far.
  260. $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
  261.  
  262. # Log packets that still don't match
  263. $IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
  264.  
  265.  
  266. echo "Process FORWARD chain ..."
  267.  
  268. # Drop bad packets
  269. $IPT -A FORWARD -p ALL -j bad_packets
  270.  
  271. # Accept TCP packets we want to forward from internal sources
  272. $IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
  273. $IPT -A FORWARD -p tcp -i $CLIENT_IFACE -j tcp_outbound
  274. $IPT -A FORWARD -p tcp -i ppp+ -j tcp_outbound
  275.  
  276. # Accept UDP packets we want to forward from internal sources
  277. $IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
  278. $IPT -A FORWARD -p udp -i $CLIENT_IFACE -j udp_outbound
  279. $IPT -A FORWARD -p udp -i ppp+ -j udp_outbound
  280.  
  281. # If not blocked, accept any other packets from the internal interface
  282. $IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
  283. $IPT -A FORWARD -p ALL -i $CLIENT_IFACE -j ACCEPT
  284. $IPT -A FORWARD -p ALL -i ppp+ -j ACCEPT
  285.  
  286. # Deal with responses from the internet
  287. $IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
  288.  
  289. # Log packets that still don't match
  290. $IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
  291.  
  292. echo "Process OUTPUT chain ..."
  293. $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
  294.  
  295. # Localhost
  296. $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
  297. $IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
  298.  
  299. # To internal network
  300. $IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
  301. $IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
  302. $IPT -A OUTPUT -p ALL -s $CLIENT_IP -j ACCEPT
  303. $IPT -A OUTPUT -p ALL -o $CLIENT_IFACE -j ACCEPT
  304. $IPT -A OUTPUT -p ALL -o ppp+ -j ACCEPT
  305.  
  306. # To internet
  307. $IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
  308.  
  309. # Log packets that still don't match
  310. $IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
  311.  
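echo "Load rules for nat table ..."

# LAN hosts sending mail through this gateway are redirected to its own MTA
# (25 and submission 587).
"$IPT" -t nat -A PREROUTING -i "$LOCAL_IFACE" -p tcp -s "$LOCAL_NET" --dport 25 -j DNAT --to-destination "$LOCAL_IP:25"
"$IPT" -t nat -A PREROUTING -i "$LOCAL_IFACE" -p tcp -s "$LOCAL_NET" --dport 587 -j DNAT --to-destination "$LOCAL_IP:587"

# NAT ECHOLINK: 5198/5199 udp and 5200 tcp from the Internet go to 192.168.0.200.
"$IPT" -t nat -A PREROUTING -p udp -i "$INET_IFACE" --destination-port 5198 -j DNAT --to-destination 192.168.0.200
"$IPT" -t nat -A PREROUTING -p udp -i "$INET_IFACE" --destination-port 5199 -j DNAT --to-destination 192.168.0.200
"$IPT" -t nat -A PREROUTING -p tcp -i "$INET_IFACE" --destination-port 5200 -j DNAT --to-destination 192.168.0.200
# Kept from the original. tcp_inbound has no rule for 5200 and ends in
# RETURN, and FORWARD already ACCEPTs 5200 to 192.168.0.200 earlier, so this
# jump appears to be a no-op.
"$IPT" -A FORWARD -i "$INET_IFACE" -d 192.168.0.200 -p tcp --dport 5200 -j tcp_inbound

# NAT ALLOWED IPS: port-forwards for the administrative hosts. The original
# loop never used $IP, so it appended one identical, source-unrestricted
# DNAT rule per line of the file; each rule is now limited to the listed
# address, which is what the matching "-s $IP" FORWARD rules assume. Same
# reading rules as the earlier loop: read -r, last line without newline,
# blank and '#' lines skipped.
ALLOWED_IPS="/etc/rc.d/allowed_ips.conf"
while read -r IP || [ -n "$IP" ]; do
  case "$IP" in
    ''|'#'*) continue ;;
  esac
  "$IPT" -t nat -A PREROUTING -p tcp -i "$INET_IFACE" -s "$IP" --destination-port 9913 -j DNAT --to-destination 192.168.0.3:1020
  "$IPT" -t nat -A PREROUTING -p tcp -i "$INET_IFACE" -s "$IP" --destination-port 22 -j DNAT --to-destination 192.168.0.3:22
  "$IPT" -t nat -A PREROUTING -p tcp -i "$INET_IFACE" -s "$IP" --destination-port 2222 -j DNAT --to-destination 192.168.0.7:22
done < "$ALLOWED_IPS"

# Everything leaving on the Internet interface is rewritten to the static address.
"$IPT" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_ADDRESS"

echo "Load rules for mangle table ..."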