  1. create firewall script:
  2. nano /root/fwrules.sh
  3.  
  4. add below:
  5.  
  6. ------------------------------------------------------------------------------------------------
  7. #!/bin/sh
  8. #server IP
  9. SERVERPRIV_IP="192.168.0.1"
  10. SERVERPUB_IP="10.10.10.1"
  11.  
  12. # Interface connected to Internet
  13. INTERNET="eth0"
  14.  
  15. # Interface connected to LAN
  16. LAN_IN="eth1"
  17.  
  18. #network ip
  19. NETWORKIP="192.168.0.0/24"
  20.  
  21. #remote desktop pc ip
  22. RDPCLIENTIP="192.168.0.200"
  23.  
  24. # flush existing firewall rules
  25. iptables -F
  26. iptables -F -t nat
  27.  
  28. # Load IPTABLES modules for NAT and IP conntrack support
  29. modprobe ip_conntrack
  30. modprobe ip_conntrack_ftp
  31.  
  32. # For win xp ftp client
  33. #modprobe ip_nat_ftp
  34. echo 1 > /proc/sys/net/ipv4/ip_forward
  35.  
  36. #policies
  37. iptables -P OUTPUT ACCEPT
  38. iptables -P INPUT DROP
  39. iptables -P FORWARD ACCEPT
  40. iptables -t nat -P OUTPUT ACCEPT
  41. iptables -t nat -P PREROUTING ACCEPT
  42. iptables -t nat -P POSTROUTING ACCEPT
  43.  
  44. #masquerade
  45. iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
  46. iptables -A FORWARD -i $LAN_IN -o $INTERNET -j ACCEPT
  47.  
  48. #drop spoofed packets
  49. iptables -A INPUT --source 127.0.0.0/8 ! --in-interface lo -j DROP
  50.  
  51. #limit ping requests
  52. iptables -A INPUT -p icmp -m limit --limit 1/second -j ACCEPT
  53.  
  54. #drop bogus packets
  55. iptables -A INPUT -m state --state INVALID -j DROP
  56. iptables -A FORWARD -m state --state INVALID -j DROP
  57. iptables -A OUTPUT -m state --state INVALID -j DROP
  58. iptables -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
  59. iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
  60. iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
  61. iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  62. iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  63. iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  64. iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
  65.  
  66. #allow responses
  67. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  68.  
  69. #allow loopback
  70. iptables -A INPUT --in-interface lo -j ACCEPT
  71.  
  72. #allow SSH
  73. iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  74.  
  75. #allow http and https
  76. iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  77. iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  78.  
  79. #allow samba share
  80. iptables -A INPUT -p udp -m udp -s $NETWORKIP --dport 137 -j ACCEPT
  81. iptables -A INPUT -p udp -m udp -s $NETWORKIP --dport 138 -j ACCEPT
  82. iptables -A INPUT -m state --state NEW -m tcp -p tcp -s $NETWORKIP --dport 139 -j ACCEPT
  83. iptables -A INPUT -m state --state NEW -m tcp -p tcp -s $NETWORKIP --dport 445 -j ACCEPT
  84.  
  85. #allow pptpd
  86. iptables -A INPUT -p gre -j ACCEPT
  87. iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
  88.  
  89. #port forward remote desktop from public ip to private client ip inside the network
  90. iptables -t nat -A PREROUTING -i eth0 -d $SERVERPUB_IP -p tcp --dport 3390 -j DNAT --to $RDPCLIENTIP:3389
  91. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3390 -j REDIRECT --to-port 3389
  92. iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
  93. iptables -A FORWARD -d $RDPCLIENTIP -p tcp --dport 3389 -j ACCEPT
  94.  
  95. ------------------------------------------------------------------------------------------------
  96.  
  97.  
  98.  
  99. run script on boot:
  100. nano /etc/rc.local
  101.  
  102. add below:
  103. ------------------------------------------------------------------------------------------------
  104. sh /root/fwrules.sh
  105. ------------------------------------------------------------------------------------------------