#!/bin/sh
#######################################
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $local_fs $network $named $time $syslog $remote_fs
# Required-Stop: $local_fs $network $named $time $syslog $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Description: Personal Firewall - Preventing attacks/open common ports
### END INIT INFO
#
# Usage: firewall.sh {start|stop|restart|status}
# Intended to run as root: it loads kernel modules, writes under /proc/sys
# and edits iptables rules. There is no `set -e`; nothing below checks the
# status of depmod or modprobe, so a failure is printed and skipped.
#
### Module loading ###
# Rebuild the module dependency list before loading anything.
/sbin/depmod -a
### Required modules ###
# Loaded one by one, in this order.
for mod in ip_tables iptable_filter ipt_REJECT iptable_nat ipt_LOG ipt_limit; do
  /sbin/modprobe "$mod"
done
### Non-Required modules ###
# Add any of these to the list above if the features are wanted:
#   ipt_owner iptable_mangle ip_conntrack ip_conntrack_ftp ip_conntrack_irc
#   ip_nat_ftp ip_nat_irc ipt_MASQUERADE
# To start the firewall
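#######################################
# Install the filter and nat rule sets and print a status banner.
# Globals:   EXT (written, set to 0 when the function finishes)
# Arguments: none
# Outputs:   banner and `netstat -tuanp` on stdout
# Returns:   0; individual iptables failures are not checked, as before
#
# The per-rule comments used to be written as `//text` after each command.
# Under sh those words are passed to iptables as extra arguments, iptables
# rejects the whole command, and the rule is never installed. They are real
# `#` comments now.
#######################################
start()
{
  ### Allow Forward ip ###
  # Forwarding is switched on, but no FORWARD rules are added below, so the
  # FORWARD chain keeps whatever default policy it already has.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  ### Flush any Existing iptable Rules and start afresh ###
  # -F removes rules only; chain policies and user-defined chains are kept.
  iptables -F INPUT
  iptables -F OUTPUT
  iptables -F FORWARD
  iptables -F POSTROUTING -t nat
  iptables -F PREROUTING -t nat
  ### Setting up Port Services ###
  iptables -A INPUT -p tcp --dport 25 -j ACCEPT    # incoming mail
  iptables -A INPUT -p tcp --dport 53 -j ACCEPT    # dns - tcp for large queries
  iptables -A INPUT -p udp --dport 53 -j ACCEPT    # dns - udp for small queries
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT    # apache
  iptables -A INPUT -p tcp --dport 443 -j ACCEPT   # apache ssl
  iptables -A INPUT -p udp --dport 161 -j ACCEPT   # snmpd
  iptables -A INPUT -p tcp --dport 953 -j ACCEPT   # dns internal
  iptables -A INPUT -p tcp --dport 1080 -j ACCEPT  # dante socks server
  # `--dport` is only valid with a tcp/udp protocol, so the former
  # `-p all --dport 3020` rule (rejected by iptables) is now one rule each.
  iptables -A INPUT -p tcp --dport 3020 -j ACCEPT  # cifs-smb
  iptables -A INPUT -p udp --dport 3020 -j ACCEPT  # cifs-smb
  iptables -A INPUT -p tcp --dport 3128 -j ACCEPT  # squid
  iptables -A INPUT -p tcp --dport 4949 -j ACCEPT  # munin stats
  ### Setting up Local Ports ###
  iptables -A INPUT -d 192.168.1.120 -p udp --dport 9 -j ACCEPT      # WOL (wake on lan)
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 20:21 -j ACCEPT  # ftp
  ### PERSONALIZED RULES 22 PORT ###
  # These used to sit after the unconditional port-22 ACCEPT and so never
  # matched. Placed first, a source that reaches 3 hits within 30 s is
  # logged and its port-22 packets rejected with a TCP reset; anything
  # under the limit falls through to the ACCEPT that follows.
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m state --state NEW -m recent --set --name SSH --rsource
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m recent --rcheck --seconds 30 --hitcount 4 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset  # Protection bruteforce SSH
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m recent --rcheck --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j LOG --log-prefix "SSH brute force "
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m recent --update --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -j ACCEPT     # sshd
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 139 -j ACCEPT    # samba
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 993 -j ACCEPT    # imaps
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 3306 -j ACCEPT   # mysql
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 8000 -j ACCEPT   # apache on phi
  iptables -A INPUT -s 192.168.1.120 -p tcp --dport 8080 -j ACCEPT   # tomcat
  # There is no blanket `-i lo` accept: new connections from 127.0.0.1 are
  # only allowed on the ports listed here and in the general rules above.
  iptables -A INPUT -s 127.0.0.1 -p tcp --dport 111 -j ACCEPT  # to speed up mail via courier. Identified via logging
  iptables -A INPUT -s 127.0.0.1 -p tcp --dport 143 -j ACCEPT  # squirrelmail
  ### Preventing Attacks ###
  iptables -A INPUT -p icmp -j ACCEPT  # Allow ICMP Ping packets.
  # Every packet carrying ACK is accepted here, ahead of the flag checks and
  # of the rate-limited ESTABLISHED/RELATED rules further down.
  iptables -A INPUT -p tcp --tcp-flags ACK ACK -j ACCEPT  # Accept traffic with the ACK flag set
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP  # Deny all null packets
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP  # Deny all recon packets
  iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP  # nmap FIN stealth scan
  iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP  # SYN + FIN
  iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP  # SYN + RST
  iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP  # FIN + RST
  iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP  # FIN + URG + PSH
  iptables -A INPUT -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j DROP  # XMAS
  iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP  # FIN without ACK
  iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP  # PSH without ACK
  iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP  # URG without ACK
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP  # Deny SYN flood attack
  # Beyond 50 packets/s, ESTABLISHED/RELATED traffic that the ACK rule did
  # not already accept falls through to the final REJECT below.
  iptables -A INPUT -m state --state ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT  # Accept traffic with ESTABLISHED flag set (limit - DDoS prevent)
  iptables -A INPUT -m state --state RELATED -m limit --limit 50/second --limit-burst 50 -j ACCEPT  # Accept traffic with RELATED flag set (limit - DDoS prevent)
  iptables -A INPUT -m state --state INVALID -j DROP  # Deny traffic with the INVALID flag set
  #################################
  ### PERSONALIZED RULES 80 PORT ###
  # Shadowed: the unconditional port-80 ACCEPT above has already matched,
  # so this limit never takes effect. To enforce it, replace that ACCEPT
  # with this rule followed by a DROP for the same traffic.
  iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT  # Protection DDoS attacks
  ########### CLOSE ALL ############
  iptables -A INPUT -j REJECT  # Close up firewall. All else blocked.
  ######### PORT FORWARDING #######
  iptables -t nat -A PREROUTING -p tcp -d 192.168.1.120 --dport 8000 -j DNAT --to 1.2.3.4:80
  iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4  # for static ip
  #iptables -t nat -A POSTROUTING -d 1.2.3.4 -j MASQUERADE  # for dynamic ip
  #################################
  printf '%s\n' \
    "--------------------------------------------------" \
    "Firewall Loaded" \
    "--------------------------------------------------" \
    "Netstat output:" \
    ""
  netstat -tuanp
  printf '%s\n' \
    "Verify enabled rules with:" \
    "filter) iptables -L -nvx" \
    "nat) iptables -t nat -L -nvx" \
    "script) firewall.sh status"
  EXT=0
}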
### To stop the firewall ###
#######################################
# Turn IPv4 forwarding off and print a "stopped" banner.
# Rule flushing is not done here; the dispatcher calls clear() first, and
# chain policies are never touched.
# Globals:   EXT (written, set to 0)
# Arguments: none
# Outputs:   banner on stdout
#######################################
stop()
{
  ### Deny Forward ip ###
  echo 0 > /proc/sys/net/ipv4/ip_forward
  printf '%s\n' \
    "--------------------------------------------------" \
    "Firewall Stopped" \
    "--------------------------------------------------"
  EXT=0
}
### To clear rules ###
#######################################
# Flush every rule from the three filter chains and from the nat
# POSTROUTING/PREROUTING chains.
# Only rules are removed: chain policies and user-defined chains stay, so
# what passes afterwards is whatever those policies allow.
# Globals:   EXT (written, set to 0)
# Arguments: none
#######################################
clear()
{
  for chain in INPUT OUTPUT FORWARD; do
    iptables -F "$chain"
  done
  for chain in POSTROUTING PREROUTING; do
    iptables -t nat -F "$chain"
  done
  EXT=0
}
# Dispatch on the init action. Every arm sets EXT, which becomes the
# script's exit status; an unknown or missing action prints usage and
# exits 1.
case "$1" in
  start)
    clear
    start
    ;;
  stop)
    clear
    stop
    ;;
  restart)
    # Flush, pause, reload; stop() is not called on this path.
    clear
    sleep 2
    start
    ;;
  status)
    printf '%s\n' \
      "--------------------------------------------------" \
      "--------------------------------------------------" \
      "Status Firewall" \
      "--------------------------------------------------"
    #iptables -L -n
    printf '%s\n' \
      "--------------------------------------------------" \
      "FILTER" \
      "--------------------------------------------------"
    iptables -L -nvx
    printf '%s\n' \
      "--------------------------------------------------" \
      "NAT" \
      "--------------------------------------------------"
    iptables -t nat -L -nvx
    EXT=0
    ;;
  *)
    printf '%s\n' "Usage: firewall.sh {start|stop|restart|status}"
    EXT=1
    ;;
esac
exit "$EXT"