Posted by Jack Wallen on Sat 3 Oct 20:53

  1. #!/bin/bash
  2. # This iptables shell script was based upon the nixCraft project script from
  3. # http://cyberciti.biz/fb/
  4. # A Linux Shell Script with common rules for IPTABLES Firewall.
  5. # By default this script only open port 80, 22, 25, 143, and 53 (input)
  6. # All outgoing traffic is allowed (default - output)
  7.  
  8. SCRIPT_DIR="/PATH/TO/DIRECTORY"
  9. IPT="/sbin/iptables"
  10. SPAMLIST="blockedip"
  11. SPAMDROPMSG="BLOCKED IP DROP"
  12.  
  13. echo "Starting IPv4 Wall..."
  14. $IPT -F
  15. $IPT -X
  16. $IPT -t nat -F
  17. $IPT -t nat -X
  18. $IPT -t mangle -F
  19. $IPT -t mangle -X
  20. modprobe ip_conntrack
  21.  
  22. [ -f /$SCRIPT_DIR/blocked.ips.txt ] && BADIPS=$(egrep -v -E "^#|^$" /$SCRIPT_DIR/blocked.ips.txt)
  23.  
  24. PUB_IF="eth0"
  25.  
  26. #unlimited
  27. $IPT -A INPUT -i lo -j ACCEPT
  28. $IPT -A OUTPUT -o lo -j ACCEPT
  29.  
  30. # DROP all incomming traffic
  31. $IPT -P INPUT DROP
  32. $IPT -P OUTPUT DROP
  33. $IPT -P FORWARD DROP
  34.  
  35. if [ -f /$SCRIPT_DIR/blocked.ips.txt ];
  36. then
  37. # create a new iptables list
  38. $IPT -N $SPAMLIST
  39.  
  40. for ipblock in $BADIPS
  41. do
  42.    $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
  43.    $IPT -A $SPAMLIST -s $ipblock -j DROP
  44. done
  45.  
  46. $IPT -I INPUT -j $SPAMLIST
  47. $IPT -I OUTPUT -j $SPAMLIST
  48. $IPT -I FORWARD -j $SPAMLIST
  49. fi
  50.  
  51. # Block sync
  52. $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
  53. $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
  54.  
  55. # Block Fragments
  56. $IPT -A INPUT -i ${PUB_IF} -f  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
  57. $IPT -A INPUT -i ${PUB_IF} -f -j DROP
  58.  
  59. # Block bad stuff
  60. $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  61. $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
  62.  
  63. $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
  64. $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
  65.  
  66. $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  67.  
  68. $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
  69. $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
  70.  
  71. $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
  72. $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
  73.  
  74. $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  75.  
  76. # Allow full outgoing connection but no incoming stuff
  77. $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  78. $IPT -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  79.  
  80. # Allow ssh
  81. $IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT
  82.  
  83. # allow incomming ICMP ping pong stuff
  84. $IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  85. $IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  86.  
  87. # Allow port 53 tcp/udp (DNS Server)
  88. $IPT -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  89. $IPT -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
  90.  
  91. $IPT -A INPUT -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED  -j ACCEPT
  92. $IPT -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
  93.  
  94. # Open port 22 for ssh
  95. $IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT
  96.  
  97. # Open port 25 for SMTP
  98. $IPT -A INPUT -p tcp --destination-port 25 -j ACCEPT
  99.  
  100. # Open port 80
  101. $IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT
  102.  
  103. # Open port 143 for IMAP
  104. $IPT -A INPUT -p tcp --destination-port 143 -j ACCEPT
  105.  
  106. ##### Add your rules below ######
  107.  
  108. ##### END your rules ############
  109.  
  110. # Do not log smb/windows sharing packets - too much logging
  111. $IPT -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
  112. $IPT -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT
  113.  
  114. # log everything else and drop
  115. $IPT -A INPUT -j LOG
  116. $IPT -A FORWARD -j LOG
  117. $IPT -A INPUT -j DROP
  118.  
  119. exit 0
