  1. #!/bin/bash
  2.  
  3.  
  4. #### Clear ####
  5.  
  6. iptables -F
  7. iptables -X
  8.  
  9. #++++++++++++++
  10.  
  11.  
  12. #### Policy ####################
  13.  
  14. iptables -P INPUT DROP
  15. iptables -P FORWARD DROP
  16. iptables -P OUTPUT DROP
  17.  
  18. #+++++++++++++++++++++++++++++++
  19.  
  20.  
  21. ##### CUSTOM CHAINS ####################################################################
  22.  
  23. echo icmp
  24. # Icmp
  25. iptables -N ICMP
  26. iptables -A ICMP -m limit --limit 15/minute -j LOG --log-prefix "Icmp: "
  27. iptables -A ICMP -j DROP
  28.  
  29. echo bad flags
  30. # Bad Flags, Bogus etc.
  31. iptables -N BOGUS
  32. iptables -A BOGUS -m limit --limit 15/minute -j LOG --log-prefix "Bogus: "
  33. iptables -A BOGUS -j DROP
  34.  
  35. echo lan spoof
  36. # Lan Spoof
  37. iptables -N LANSPOOF
  38. iptables -A LANSPOOF -m limit --limit 15/minute -j LOG --log-prefix "LanSpoof: "
  39. iptables -A LANSPOOF -j DROP
  40.  
  41. echo loopback spoof
  42. # Loopback Spoof
  43. iptables -N LOOPSPOOF
  44. iptables -A LOOPSPOOF -m limit --limit 15/minute -j LOG --log-prefix "LoopSpoof: "
  45. iptables -A LOOPSPOOF -j DROP
  46.  
  47. echo final firewall
  48. # Finall Firewall
  49. iptables -N FIREWALL
  50. iptables -A FIREWALL -m limit --limit 15/minute -j LOG --log-prefix "Firewall: "
  51. iptables -A FIREWALL -j DROP
  52.  
  53. #+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  54.  
  55.  
  56. ##### INPUT BLOCK ##############################################################################
  57.  
  58. # Drop all ICMP
  59. iptables -A INPUT -p icmp -j ICMP
  60.  
  61. # LAN Spoof
  62. iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j LANSPOOF
  63. iptables -A INPUT -i wlan0 -s 192.168.1.0/24 -j LANSPOOF
  64.  
  65. # Loopback Spoof
  66. iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j LOOPSPOOF
  67.  
  68. # Fragments
  69. iptables -A INPUT -f -j BOGUS
  70.  
  71. # Bogus packets
  72. iptables -A INPUT -m conntrack --ctstate INVALID -j BOGUS
  73. iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j BOGUS
  74. iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j BOGUS
  75. iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j BOGUS
  76. iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j BOGUS
  77. iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j BOGUS
  78. iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j BOGUS
  79. iptables -A INPUT -p tcp --tcp-flags ALL ALL -j BOGUS
  80. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j BOGUS
  81. iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j BOGUS
  82. iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j BOGUS
  83. iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j BOGUS
  84. iptables -A INPUT -m conntrack --ctstate NEW,RELATED -p tcp ! --tcp-flags ALL SYN -j BOGUS
  85.  
  86.  
  87. #----- INPUT ACCEPT ----------------------------------------------------------------------------
  88.  
  89. # Already established and related
  90. iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  91.  
  92. # Loopback
  93. iptables -A INPUT -i lo -j ACCEPT
  94.  
  95. # allow sshing
  96. iptables -A INPUT -p tcp --dport ssh -j ACCEPT
  97.  
  98. #+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  99.  
  100.  
  101.  
  102. ##### OUTPUT BLOCK #####################################################################
  103.  
  104. # Drop all ICMP
  105. iptables -A OUTPUT -p icmp -j ICMP
  106.  
  107. # Bogus packets
  108. iptables -A OUTPUT -m conntrack --ctstate INVALID -j BOGUS
  109.  
  110. #---- OUTPUT ACCEPT --------------------------------------------------------------------
  111.  
  112. # Loopback
  113. iptables -A OUTPUT -o lo -j ACCEPT
  114.  
  115. # Dns
  116. iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
  117. iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
  118.  
  119. # Services
  120. iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
  121. iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
  122. iptables -A OUTPUT -p tcp --dport 873 -j ACCEPT
  123. iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT
  124. iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
  125. iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
  126. # ssh
  127. #iptables -A OUTPUT -p tcp --dport ssh -j ACCEPT
  128. iptables -A OUTPUT -p tcp --sport ssh -j ACCEPT
  129.  
  130. #+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  131.  
  132.  
  133.  
  134. ##### FORWARD BLOCK ####################################################################
  135.  
  136. # Bogus Packets
  137. iptables -A FORWARD -m conntrack --ctstate INVALID -j BOGUS
  138.  
  139. #+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  140.  
  141.  
  142.  
  143. ##### FINAL CATCH ALL ##########
  144.  
  145. iptables -A INPUT -j FIREWALL
  146. iptables -A OUTPUT -j FIREWALL
  147.  
  148. #+++++++++++++++++++++++++