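#!/bin/bash
# ---------------------------------------------------------------------
# Linux-iptables-Firewallskript, Copyright (c) 2010 under the GPL
# Autogenerated by iptables Generator v1.22 (c) 2002-2010 by Harald Bertram
# Please visit http://harry.homelinux.org for new versions of
# the iptables Generator (c).
#
#
# If you have questions about the iptables Generator or about
# your Firewall-Skript feel free to take a look at out website or
# send me an E-Mail to webmaster@harry.homelinux.org.
#
# My special thanks are going to Lutz Heinrich (trinitywork at hotmail dot com)
# who made lots of Beta-Testing and gave me lots of well qualified
# Feedback that made me able to improve the iptables Generator.
# --------------------------------------------------------------------
# Notes for users of Debian or a Debian derivative (Ubuntu, Knoppix, Kanotix, ...):
# run the following commands after the "firewall" script has been copied to /etc/init.d:
#   chmod 755 /etc/init.d/firewall
#   update-rc.d firewall defaults
#   /etc/init.d/firewall start
# --------------------------------------------------------------------
# Usage: firewall {start|stop|status}
#   start  - install the packet filter: default policy DROP on INPUT, OUTPUT
#            and FORWARD; loopback, established/related traffic and the
#            inbound services listed below are accepted; a few /proc/sys
#            network knobs are tuned.
#   stop   - flush every table and set all policies to ACCEPT, i.e. the host
#            is left completely open (there is no "safe" stopped state).
#   status - list the filter, nat and mangle tables with counters.
# Must be run as root (iptables, modprobe and the /proc/sys writes).
#
# Rule order fix relative to the generated original: the loopback ACCEPT
# rules are installed before the anti-spoofing DROPs. In the original order
# "iptables -A INPUT -s 127.0.0.0/8 -j DROP" preceded "-i lo -j ACCEPT", so
# legitimate local traffic (source 127.x on lo) was dropped before the
# loopback rule could match.
# --------------------------------------------------------------------
case "$1" in
  start)
    echo "Starte IP-Paketfilter"
    # iptables module
    modprobe ip_tables
    # connection-tracking modules
    modprobe ip_conntrack
    # ip_conntrack_irc is only available on kernels >= 2.4.19; a failed
    # modprobe here is non-fatal and intentionally not checked
    modprobe ip_conntrack_irc
    modprobe ip_conntrack_ftp

    # flush all rules and delete all user chains in every table
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    iptables -t nat -X
    iptables -t mangle -X

    # default policies: anything not explicitly accepted below is dropped
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # MY_REJECT chain: protocol-appropriate rejection instead of a silent drop
    iptables -N MY_REJECT
    iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
    iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
    iptables -A MY_REJECT -p icmp -j DROP
    iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable

    # MY_DROP chain
    iptables -N MY_DROP
    iptables -A MY_DROP -j DROP

    # allow loopback traffic -- must precede the anti-spoofing block below,
    # otherwise the 127.0.0.0/8 DROP matches local traffic on lo first
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # drop packets with private/reserved source or destination addresses
    # (spoofed). These rules are not bound to an interface: a host that sits
    # on a 10.0.0.0/8 or 172.16.0.0/12 LAN must remove the matching rule or it
    # will lose all LAN traffic. 192.168.0.0/16 is not part of this list.
    iptables -A INPUT -s 10.0.0.0/8 -j DROP
    iptables -A INPUT -s 169.254.0.0/16 -j DROP
    iptables -A INPUT -s 172.16.0.0/12 -j DROP
    iptables -A INPUT -s 127.0.0.0/8 -j DROP
    iptables -A INPUT -s 224.0.0.0/4 -j DROP
    iptables -A INPUT -d 224.0.0.0/4 -j DROP
    iptables -A INPUT -s 240.0.0.0/5 -j DROP
    iptables -A INPUT -d 240.0.0.0/5 -j DROP
    iptables -A INPUT -s 0.0.0.0/8 -j DROP
    iptables -A INPUT -d 0.0.0.0/8 -j DROP
    iptables -A INPUT -d 239.255.255.0/24 -j DROP
    iptables -A INPUT -d 255.255.255.255 -j DROP

    # drop packets the connection tracker considers invalid
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP

    # drop TCP packets with flag combinations used by stealth scans
    # no flags set
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
    # SYN and FIN set
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
    # SYN and RST set at the same time
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
    # FIN and RST set at the same time
    iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
    # FIN without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
    # PSH without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
    # URG without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP

    # connection tracking: any outbound connection may be opened, inbound only
    # replies to existing connections are accepted here
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # inbound services on eth0 (new connections only)
    # DNS
    iptables -A INPUT -i eth0 -m state --state NEW -p tcp --dport 53 -j ACCEPT
    iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 53 -j ACCEPT
    # FTP
    iptables -A INPUT -i eth0 -m state --state NEW -p tcp --dport 21 -j ACCEPT
    # SSH
    iptables -A INPUT -i eth0 -m state --state NEW -p tcp --dport 22 -j ACCEPT
    # SMTP (outbound only)
    iptables -A OUTPUT -o eth0 -m state --state NEW -p tcp --dport 25 -j ACCEPT
    # Webmin -- restricted to NEW like the other service rules; ESTABLISHED
    # traffic is already accepted above, so this does not change what gets in
    iptables -A INPUT -i eth0 -m state --state NEW -p tcp --dport 10000 -j ACCEPT
    # web server plus two further TCP services. Unlike the rules above these
    # are not bound to eth0 and therefore match on every interface.
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 667 -j ACCEPT
    iptables -A INPUT -p tcp --dport 9000 -j ACCEPT

    # everything else is rejected via MY_REJECT (the chain policies remain DROP)
    iptables -A INPUT -j MY_REJECT
    iptables -A OUTPUT -j MY_REJECT

    # generator's note: "max. 500/second (5 per jiffie)". On current kernels
    # icmp_ratelimit is the minimum spacing in milliseconds -- verify the unit
    # against your kernel's ip-sysctl documentation before relying on the rate.
    echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
    # memory allocation and timing for IP de-/fragmentation
    echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
    echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
    echo 30 > /proc/sys/net/ipv4/ipfrag_time
    # shorter TCP FIN timeout as DoS mitigation
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    # generator's note: "at most 3 answers to a TCP SYN" (tcp_retries1 governs
    # retransmissions before the route is re-checked; confirm this is what is
    # intended -- tcp_syn_retries is the SYN-specific knob)
    echo 3 > /proc/sys/net/ipv4/tcp_retries1
    # retransmit TCP segments at most 15 times
    echo 15 > /proc/sys/net/ipv4/tcp_retries2
    ;;
  stop)
    echo "Stoppe IP-Paketfilter"
    # flush all rules and delete all user chains in every table
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    iptables -t nat -X
    iptables -t mangle -X
    # default policies: ACCEPT everything -- the host is unfiltered after stop
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    ;;
  status)
    echo "Tabelle filter"
    iptables -L -vn
    echo "Tabelle nat"
    iptables -t nat -L -vn
    echo "Tabelle mangle"
    iptables -t mangle -L -vn
    ;;
  *)
    # usage error: diagnostics go to stderr
    echo "Fehlerhafter Aufruf" >&2
    echo "Syntax: $0 {start|stop|status}" >&2
    exit 1
    ;;
esac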