#! /bin/sh
### BEGIN INIT INFO
# Provides: rc.firewall
# Required-Start: $remote_fs $syslog $network
# Required-Stop: $remote_fs $syslog $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Run /etc/init.d/rc.firewall if it exists
### END INIT INFO
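#######################################
# Append a rate-limited LOG rule.
# Arguments: $1 - chain, $2 - log prefix, remaining args - match expression
# The limit keeps an unsolicited packet flood from filling the system log;
# the ACCEPT/DROP rule that follows each LOG rule is not limited.
# Globals:   writes _fw_chain, _fw_prefix (no "local" under /bin/sh)
#######################################
fw_log() {
  _fw_chain=$1
  _fw_prefix=$2
  shift 2
  iptables -A "$_fw_chain" "$@" -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "$_fw_prefix"
}

# Create the user-defined chains the rest of the ruleset jumps to.
fw_create_chains() {
  # Per-protocol chains holding the "open port" rules for this host.
  iptables -N TCP
  iptables -N UDP
  # Throttle for new SSH connections (see fw_ssh_rules).
  iptables -N IN_SSH
  # Forwarding policy: trusted interfaces and DNAT'd ports allowed through.
  iptables -N fw-interfaces
  iptables -N fw-ports-open
}

# Policies and INPUT chain for traffic addressed to this machine
# (layout after https://wiki.archlinux.org/index.php/simple_stateful_firewall).
fw_input_rules() {
  # Outgoing traffic is not filtered; incoming is default-deny.
  iptables -P OUTPUT ACCEPT
  iptables -P INPUT DROP
  # Packets of established connections, or new traffic related to them.
  iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Loopback is needed by many local services.
  iptables -A INPUT -i lo -j ACCEPT
  # NOTE(review): "-p 41" matches IPv4 protocol 41 (IPv6-in-IPv4 / 6in4
  # encapsulation), not ICMPv6 Neighbor Discovery (ICMPv6 only exists in
  # ip6tables). As written this accepts tunnelled IPv6 from any source ahead
  # of the INVALID drop below. TODO: add "-s <tunnel-peer-ip>" or remove the
  # rule if this host has no 6in4 tunnel.
  iptables -A INPUT -p 41 -j ACCEPT
  # Invalid headers/checksums, bad TCP flags, unsolicited ICMP errors and
  # out-of-sequence packets are dropped silently: there is no proper REJECT
  # response for INVALID and we do not want to acknowledge receipt.
  iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  # New ICMP echo requests are logged (rate-limited) and accepted.
  fw_log INPUT "IPTABLES: Ping detected: " -p icmp --icmp-type 8 -m conntrack --ctstate NEW
  iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
  # New SSH connections go through the throttle chain.
  iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH
  # All other new connections are decided by the TCP / UDP chains. New TCP
  # connections must start with SYN; NEW-but-not-SYN is the one bad flag
  # combination INVALID does not cover, so those fall through to the RST
  # reject below instead of being dropped.
  iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
  iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
  # Closed ports: TCP RST / ICMP port-unreachable, as stock Linux would
  # answer, so the peer can give up quickly.
  iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst
  # Any other protocol: ICMP protocol-unreachable, again like stock Linux.
  iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
}

# Throttle new SSH connections per source address with the "recent" match.
# iptables counts NEW connections, not failed logins: the last rule records
# every accepted attempt, and the --rcheck rules drop a source that already
# has 3 recorded attempts in the last 10 s or 4 in the last 30 min. Dropped
# attempts are not recorded (--rcheck does not update the entry), so a drop
# does not extend the ban. Sources in 192.168.0.0/20 are never throttled.
# Logs carry the "IPTABLES:" prefix, e.g.: grep IPTABLES /var/log/messages
fw_ssh_rules() {
  fw_log IN_SSH "IPTABLES: [INFO] SSH FROM LOCALNET: " -s 192.168.0.0/20
  iptables -A IN_SSH -s 192.168.0.0/20 -j ACCEPT
  fw_log IN_SSH "IPTABLES: [ALARM] SSH POSSIBLE BRUTFORCE: " \
    -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10
  iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
  fw_log IN_SSH "IPTABLES: [ALARM] SSH 30 MIN COOLDOWN: " \
    -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800
  iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
  # --rttl on the checks above: an entry only matches when the packet's TTL
  # equals the one recorded here, which makes it harder to lock a host out by
  # spoofing its address.
  iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT
}

# Forwarding policy for the router role: established flows pass, new flows
# must enter on a trusted interface (fw-interfaces) or match a DNAT'd port
# (fw-ports-open); the rest is rejected and the chain policy is DROP.
fw_forward_rules() {
  iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -j fw-interfaces
  iptables -A FORWARD -j fw-ports-open
  iptables -A FORWARD -j REJECT --reject-with icmp-host-unreach
  iptables -P FORWARD DROP
  # Interfaces whose clients may reach the internet; the eth1.* entries are
  # VLAN sub-interfaces created with vconfig.
  iptables -A fw-interfaces -i eth1.100 -j ACCEPT
  iptables -A fw-interfaces -i eth1.101 -j ACCEPT
  iptables -A fw-interfaces -i eth1.2 -j ACCEPT
  iptables -A fw-interfaces -i eth1.3 -j ACCEPT
  # NOTE(review): eth0 is trusted for forwarding as well; confirm it is a LAN
  # interface and not the physical uplink.
  iptables -A fw-interfaces -i eth0 -j ACCEPT
  #iptables -A fw-interfaces -i eth1.6 -j ACCEPT
}

# Masquerade everything leaving on the external interface.
# TODO: needs adjusting when a second external interface is added.
fw_nat_rules() {
  iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
}

### OPEN PORTS HERE
# Ports this host itself serves, plus port-forwards through the NAT.
fw_open_ports() {
  # dnsmasq, reachable from the LAN only.
  iptables -A TCP -p tcp --dport 53 -s 192.168.0.0/20 -j ACCEPT
  iptables -A UDP -p udp --dport 53 -s 192.168.0.0/20 -j ACCEPT
  # Port-forwarding example: send external port 8000 to a web server on
  # 192.168.0.6 port 80 (both lines are needed):
  #   iptables -A fw-ports-open -d 192.168.0.6 -p tcp --dport 80 -j ACCEPT
  #   iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to 192.168.0.6:80
}

#######################################
# Write one kernel knob, skipping it with a warning when the file is not
# present/writable (nf_conntrack not loaded, not running as root).
# Arguments: $1 - sysfs/procfs path, $2 - value
#######################################
fw_write_knob() {
  if [ -w "$1" ]; then
    printf '%s\n' "$2" > "$1" || printf 'warning: could not set %s\n' "$1" >&2
  else
    printf 'warning: %s not writable, skipped\n' "$1" >&2
  fi
}

### WARNING!!! THIS IS FULLY EXPERIMETNAL
### TCP/UDP TIMEOUT TUNING
# Conntrack table sizing and timeouts; values are the author's, untested
# beyond this setup.
fw_tune_conntrack() {
  fw_write_knob /sys/module/nf_conntrack/parameters/hashsize 65536
  fw_write_knob /proc/sys/net/netfilter/nf_conntrack_max 524288
  fw_write_knob /proc/sys/net/netfilter/nf_conntrack_generic_timeout 120
  fw_write_knob /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established 7440
}

#######################################
# Build the stateful firewall: default-deny INPUT and FORWARD, a rate-limited
# SSH connection throttle, NAT for the LAN VLANs and (experimental) conntrack
# tuning. Expects to run as root on a clean ruleset (see flush_fw): if the
# chains already exist, "iptables -N" fails and the rules are appended a
# second time, because no command here is checked.
# Globals:   writes _fw_chain, _fw_prefix via fw_log
# Arguments: none
# Outputs:   progress messages on stdout, warnings on stderr
# Returns:   status of the last helper; iptables errors are not fatal
#######################################
start_fw() {
  printf '\n'
  fw_create_chains
  fw_input_rules
  printf 'Blocking SSH brutforce attacks...\n'
  fw_ssh_rules
  printf 'Setting router-specific rules...\n'
  fw_forward_rules
  printf 'Enabling NAT...\n'
  fw_nat_rules
  fw_open_ports
  printf 'Setting NAT-specific options...\n'
  fw_tune_conntrack
}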
#######################################
# Return iptables to its stock state: every policy back to ACCEPT, every
# rule flushed and every user-defined chain deleted in the filter, nat and
# mangle tables. Note this leaves the host and the forwarding path wide
# open until start_fw runs again.
# Globals:   writes "chain" (loop variable; no "local" under /bin/sh)
# Arguments: none
# Returns:   status of the last iptables call
#######################################
flush_fw() {
  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT; do
    iptables -t nat -P "$chain" ACCEPT
  done
  for chain in PREROUTING OUTPUT; do
    iptables -t mangle -P "$chain" ACCEPT
  done
  # -F empties built-in and user chains in each table; -X can only delete
  # user chains once they are empty, so all flushes come before all deletes.
  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
  iptables -X
  iptables -t nat -X
  iptables -t mangle -X
}
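# Init-script entry point: dispatch on the action word in $1.
# printf replaces "echo -n", whose behaviour is unspecified under /bin/sh.
# The "save" action only reports success when iptables-save actually wrote
# the file; usage errors go to stderr.
case "$1" in
  start)
    printf 'Starting firewall: iptables'
    start_fw
    printf '\nStarting firewall Ok!\n'
    ;;
  stop)
    printf 'Stopping firewall: iptables'
    flush_fw
    printf '\nStopping firewall Ok!\n'
    ;;
  save)
    printf 'Saving firewall: iptables'
    if iptables-save > /etc/rules-save; then
      printf '\nStatus save Ok!.\n'
    else
      printf '\nStatus save FAILED\n' >&2
      exit 1
    fi
    ;;
  restart)
    printf 'Restarting firewall: iptables'
    flush_fw
    start_fw
    printf '\nStatus restart Ok!\n'
    ;;
  *)
    printf 'Usage: /etc/init.d/rc.firewall start|stop|save|restart\n' >&2
    exit 1
    ;;
esac
exit 0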