firewall

By: a guest on Sep 24th, 2012  |  syntax: None  |  size: 4.26 KB  |  hits: 24  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. #!/bin/sh
# firewall.sh - Configurable per-host firewall for workstations and
# servers. (c) 2003 Tero Karvinen - tero karvinen at iki fi - GPL
  4.  
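#######################################
# Open the firewall: flush every rule in the filter table, delete any
# user-defined chains and reset the built-in policies to ACCEPT.
# Only the filter table is touched; nat/mangle rules, if any, survive.
# Globals:   none
# Arguments: none
# Outputs:   progress message on stdout (iptables errors go to stderr)
# Returns:   0
#######################################
stop_fw()
{
    # printf instead of "echo -n": under #!/bin/sh (e.g. dash) "echo -n"
    # is not guaranteed to suppress the newline and may print "-n".
    # ${0##*/} is a fork-free basename.
    printf '%s' "stopping ${0##*/}..."
    # Rules are removed while the policies are still whatever start_fw
    # left (DROP), so the host is never half-open; policies are reset last.
    iptables --flush
    iptables --delete-chain
    iptables -P FORWARD ACCEPT
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    echo "done."
}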
  15.  
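#######################################
# Append one per-source INPUT rule.
# Arguments: $1 - target (ACCEPT or DROP)
#            $2 - source address or CIDR
#######################################
_fw_src()
{
    iptables -A INPUT -s "$2" -j "$1"
}

#######################################
# Phase 1: close the host before touching the rules. The DROP policies are
# set first so there is no window in which a freshly flushed chain accepts
# everything; --flush and --delete-chain keep the policies, so setting them
# again afterwards (as the original did) is unnecessary.
# Only the filter table is touched; OUTPUT keeps its current policy.
#######################################
_fw_reset_closed()
{
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables --flush
    iptables --delete-chain
}

#######################################
# Phase 2: per-source rules. They sit ahead of the state and port rules,
# so an ACCEPTed source reaches every local port and a DROPped source
# reaches none. The DROP entries are a blocklist and must stay ahead of the
# service holes below, which would otherwise admit those hosts to the open
# ports. iptables matches the claimed source address only; nothing here
# verifies it.
#######################################
_fw_host_rules()
{
    iptables -A INPUT -i lo -j ACCEPT
    # Apparently the netblock holding this host's own addresses
    # (212.117.63.66 is used as -d below): every port, every host in it.
    _fw_src ACCEPT 212.117.63.0/24
    _fw_src ACCEPT 212.117.49.236/32    # Kiryakov home
    _fw_src ACCEPT 213.226.29.178/32    # Kiryakov work
    _fw_src ACCEPT 89.215.140.180/32
    _fw_src DROP   200.43.193.212/32
    _fw_src DROP   200.43.193.180/32
    _fw_src DROP   91.206.202.23/32
    _fw_src DROP   89.190.64.47/32
    _fw_src DROP   190.210.176.44/32
    _fw_src DROP   212.80.69.60/32
    _fw_src DROP   200.43.192.246/32
    _fw_src DROP   89.190.196.252/32
    _fw_src DROP   89.190.196.51/32
    _fw_src DROP   89.190.196.55/32
    _fw_src DROP   89.190.196.52/32
    _fw_src DROP   200.82.77.144/32
    _fw_src DROP   199.15.234.159/32
    _fw_src ACCEPT 212.117.49.235/32    # Svetlana home
    _fw_src ACCEPT 79.100.171.74/32     # Svetlin home
    _fw_src ACCEPT 88.213.199.34/32     # Svetlin work
    #ircN
    #_fw_src ACCEPT 46.47.97.98/32
    #_fw_src ACCEPT 83.228.2.18/32
    _fw_src ACCEPT 62.182.112.97/32
    _fw_src ACCEPT 94.26.69.137/32
    _fw_src ACCEPT 78.90.162.209/32     # ivo-niki
    _fw_src ACCEPT 85.130.29.167/32
    #_fw_src ACCEPT 212.104.115.143
}

#######################################
# Phase 3: default settings. Accept replies to traffic this host started,
# and the ICMP types needed for error reporting (unreachable / TTL
# exceeded). Incoming echo-request is dropped, i.e. the host does not
# answer ping; echo-reply is accepted so outgoing pings still work.
#######################################
_fw_base_rules()
{
    iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
    iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
}

#######################################
# Phase 4: HOLES. Edit the holes here, then run this script again.
# Services open to every source. NB: the original note mentioned
# openssh(2266) and unknown(4444), but the rule opens only the ports
# listed below, so ssh is reachable only from the ACCEPTed sources in
# _fw_host_rules. Port 53 is opened for TCP only; there is no UDP rule.
#######################################
_fw_holes()
{
    #* time(37), bind(53), apache2(80), ... on all ips
    iptables -A INPUT -p tcp -m multiport --dports 20,21,25,37,53,80,113 -j ACCEPT
    #* Ventrilo Server
    #iptables -A INPUT -d 212.117.63.66 -p tcp -m multiport --dports 3784 -j ACCEPT
    #iptables -A INPUT -d 212.117.63.66 -p udp -m multiport --dports 3784 -j ACCEPT

    #* standard ircd ports & qwebirc on 212.117.63.66 only
    iptables -A INPUT -d 212.117.63.66 -p tcp -m multiport --dports 6665:6669,7000,7777,9000,9090 -j ACCEPT
    #iptables -A INPUT -d 212.117.63.67 -p tcp -m multiport --dports 3333,4141,8033 -j ACCEPT
    #iptables -A INPUT -d 212.117.63.68 -p tcp -m multiport --dports 5000,6665:6669,7000,7777,9000 -j ACCEPT
    #* counter strike on all ips: dropped explicitly. Redundant with the
    #  final DROP, but it keeps the intent visible and skips the LOG rule.
    iptables -A INPUT -p tcp -m multiport --dports 27000:27050 -j DROP
    iptables -A INPUT -p udp -m multiport --dports 27000:27050 -j DROP
    #iptables -A INPUT -p udp -m udp --dport 27000:27050 -m string --hex-string "|07000080050000003b7464043d657c2e617c216f7026792b237127697b344307302c79612b71682771617c616c6f3e22791b40237321366b2c3820223e6c362b707635615e587466|" --algo kmp --to 65535 -j DROP
}

#######################################
# Phase 5: persist the ruleset (distributions that restore
# /etc/sysconfig/iptables at boot pick it up). A failed save is reported
# on stderr but does not undo the running ruleset.
# Globals:   FW_SAVE_FILE - destination file; defaults to the historical
#                           /etc/sysconfig/iptables
# Returns:   0 on success, 1 if the save failed
#######################################
_fw_save()
{
    if ! iptables-save > "${FW_SAVE_FILE:-/etc/sysconfig/iptables}"; then
        printf '%s\n' "warning: could not save rules to ${FW_SAVE_FILE:-/etc/sysconfig/iptables}" >&2
        return 1
    fi
    return 0
}

#######################################
# Close the host, load the per-source rules, defaults and holes in that
# order, log-and-drop the rest, then save. FORWARD is dropped outright;
# OUTPUT is never set here and keeps whatever policy it already has.
# Globals:   FW_SAVE_FILE (read, see _fw_save)
# Arguments: none
# Outputs:   progress message on stdout; save warning on stderr
# Returns:   0 ("done." is printed even if the save failed, as before)
#######################################
start_fw()
{
    # printf instead of "echo -n": not portable under #!/bin/sh.
    printf '%s' "starting ${0##*/}..."
    _fw_reset_closed
    _fw_host_rules
    _fw_base_rules
    _fw_holes
    # Everything else is logged (rate-limited; no --log-prefix, so the
    # lines carry no marker in the kernel log) and dropped. The INPUT
    # policy is already DROP; the final rule only makes it explicit.
    iptables -A INPUT -j LOG -m limit --limit 40/minute
    iptables -A INPUT -j DROP
    _fw_save
    echo "done."
}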
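#######################################
# List the current filter-table rules. -n avoids a reverse-DNS lookup for
# every address in the ruleset (slow, and one DNS query per listed host);
# -v adds interfaces and counters so the "-i lo" rule is visible.
# Outputs:   rule listing on stdout
# Returns:   iptables' exit status
#######################################
fw_status()
{
    iptables -L -n -v
}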
  95.  
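# Init-script style dispatch on the first argument.
case "$1" in
    start)
        start_fw
        ;;
    stop)
        stop_fw
        ;;
    status)
        fw_status
        ;;
    *)
        # Usage is a diagnostic: send it to stderr, and quote "$0" so a
        # path containing spaces is printed intact.
        printf 'Usage: %s {start|stop|status}\n' "$0" >&2
        exit 1
        ;;
esac

exit 0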