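#!/bin/sh
#
# Simple stateful host firewall (IPv4 only).
#
# Usage: $0 {start|stop|restart}
#
# Policy after "start":
#   INPUT   : default DROP. Only the services listed under "Port configuration"
#             are reachable; everything else is logged (rate limited) and dropped.
#   FORWARD : default DROP (this host does not route).
#   OUTPUT  : default ACCEPT.
#
# Caveats:
#   * Only the IPv4 tables are programmed. If the host has IPv6 connectivity,
#     ip6tables is untouched and every IPv6 port stays reachable.
#   * Rules live in the kernel only; nothing here persists across a reboot.
#   * Must run as root (iptables needs CAP_NET_ADMIN).
#
# Changes relative to the first version of this script:
#   * The built-in chains were flushed unconditionally at the top, i.e. also for
#     an unknown/missing argument. With the policy still at DROP that emptied
#     the rule set and cut off every connection, including the admin's SSH
#     session. Flushing now only happens inside start/stop.
#   * The LIMIT jump for port 80 was appended AFTER the final "-j NIRVANA"
#     (and after the port-80 ACCEPT), so it was never reached. It now sits
#     in front of the port-80 ACCEPT.
#   * A repeated "start" appended a second copy of every rule to NIRVANA and
#     LIMIT (iptables -N fails on an existing chain, the script kept going).
#     User chains are now created-or-flushed.
#   * LOG rules are rate limited so a port scan cannot fill the syslog.
#   * The TCP log prefix was missing its trailing blank ("iptables: TCPIN=...").

set -u

# Empty the three built-in chains. Only called from start/stop (see header).
flush_builtin_chains() {
    iptables -F INPUT
    iptables -F FORWARD
    iptables -F OUTPUT
}

# Create user chain $1, or empty it if it already exists, so that a repeated
# "start" does not duplicate rules. The -N error is deliberately silenced:
# "chain already exists" is the expected failure and is handled by -F.
fresh_chain() {
    iptables -N "$1" 2>/dev/null || iptables -F "$1"
}

case "${1-}" in
start)
    flush_builtin_chains

    # Default policies. DROP is set before any rule exists, so for a moment
    # nothing (not even established sessions) gets in; the RELATED,ESTABLISHED
    # rule below closes that window right away.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    #-> NIRVANA: log, then drop. Each LOG rule is rate limited so that an
    #   attacker cannot flood the log just by scanning the host.
    fresh_chain NIRVANA

    #-> log prefix for dropped TCP packets
    iptables -A NIRVANA -p tcp -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level debug --log-prefix "iptables: TCP "

    #-> log prefix for dropped UDP packets
    iptables -A NIRVANA -p udp -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level debug --log-prefix "iptables: UDP "

    #-> log prefix for dropped ICMP packets - sets the logfile on fire, kept disabled
    #iptables -A NIRVANA -p icmp -m limit --limit 5/min --limit-burst 10 \
    #    -j LOG --log-level debug --log-prefix "iptables: ICMP "

    #-> last rule in the NIRVANA chain: discard everything
    iptables -A NIRVANA -j DROP

    #-> LIMIT: at most 15 concurrent HTTP connections per source address
    #   (connlimit default mask is /32). The chain only acts on new SYNs to
    #   port 80 above the limit; every other packet falls through (RETURN)
    #   to the rule after the jump.
    fresh_chain LIMIT
    iptables -A LIMIT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 \
        -j REJECT --reject-with tcp-reset

    # Stateful base rules. The tcp-flags rule rejects TCP packets that are
    # neither part of a known connection (handled one line above) nor a pure
    # SYN, e.g. stray ACKs from a scan; INVALID catches what conntrack cannot
    # classify at all.
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
    iptables -A INPUT -m state --state INVALID -j DROP

    # Everything from localhost is fine
    iptables -A INPUT -i lo -j ACCEPT

    # Port configuration
    #   -j ACCEPT  = allow
    #   -j DROP    = discard silently
    #   -j NIRVANA = log, then discard
    #
    # Rules are evaluated top to bottom: a jump that should act on a port
    # (like LIMIT for 80) must precede the ACCEPT for that port.

    #iptables -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT # FTP data
    #iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT # FTP control
    iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT  # SSH
    iptables -A INPUT -p tcp -m tcp --dport 23 -j NIRVANA # Telnet: log the probes
    iptables -A INPUT -p tcp -m tcp --dport 80 -j LIMIT   # HTTP: per-IP connection cap first ...
    iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT  # ... then allow

    # Mail
    iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT # SMTP
    #iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT # POP3
    #iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT # IMAP
    #iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT # SMTP TLS/SSL
    #iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT # IMAP TLS/SSL
    #iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT # POP3 TLS/SSL

    #iptables -A INPUT -p tcp -m tcp --dport 443 -j DROP # HTTPS
    #iptables -A INPUT -p tcp -m tcp --dport 8443 -j DROP # HTTPS

    # VPN
    #iptables -A INPUT -p udp -m udp --dport 500 -j DROP # isakmp
    #iptables -A INPUT -p udp -m udp --dport 1194 -j DROP # OpenVPN

    # "Interesting services worth watching" - switch -j DROP to -j NIRVANA to log them
    #iptables -A INPUT -p udp -m udp --dport 53 -j DROP # DNS
    #iptables -A INPUT -p tcp -m tcp --dport 53 -j DROP # DNS
    #iptables -A INPUT -p tcp -m tcp --dport 137 -j DROP # NETBIOS Name Service
    #iptables -A INPUT -p udp -m udp --dport 137 -j DROP # NETBIOS Name Service
    #iptables -A INPUT -p tcp -m tcp --dport 138 -j DROP # NETBIOS Datagram Service
    #iptables -A INPUT -p udp -m udp --dport 138 -j DROP # NETBIOS Datagram Service
    #iptables -A INPUT -p tcp -m tcp --dport 139 -j DROP # NETBIOS Session Service
    #iptables -A INPUT -p udp -m udp --dport 139 -j DROP # NETBIOS Session Service
    #iptables -A INPUT -p tcp -m tcp --dport 445 -j DROP # Microsoft-DS SMB over TCP
    #iptables -A INPUT -p udp -m udp --dport 445 -j DROP # Microsoft-DS SMB over TCP
    #iptables -A INPUT -p tcp -m tcp --dport 3306 -j DROP # MySQL
    #iptables -A INPUT -p tcp -m tcp --dport 5432 -j DROP # PostgreSQL

    # ICMP: only echo-request (ping) is accepted here. ICMP errors that belong
    # to an existing connection are already accepted by the RELATED rule above.
    iptables -A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT

    # Everything else goes to the NIRVANA chain (log + drop)
    iptables -A INPUT -j NIRVANA

    # Forwarding chain: the host does not route, so apart from the stateful
    # base rules everything is dropped. The LIMIT jump only becomes relevant
    # once an ACCEPT for forwarded HTTP is added after it.
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
    iptables -A FORWARD -m state --state INVALID -j DROP
    iptables -A FORWARD -i lo -o lo -j ACCEPT
    iptables -A FORWARD -p tcp --dport 80 -j LIMIT
    iptables -A FORWARD -j DROP

    # Outgoing: allow everything. The tcp-flags REJECT here acts on locally
    # generated packets that conntrack does not know (e.g. after the
    # conntrack table was flushed); kept from the original rule set.
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -j ACCEPT
    ;;

stop)
    # Built-in chains first: user chains can only be deleted once nothing
    # jumps to them any more.
    flush_builtin_chains

    # Set all policies to ACCEPT (the host is now unfiltered)
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    # Flush and delete the user-defined chains; a chain that does not exist
    # (stop after stop) is simply skipped.
    for chain in NIRVANA LIMIT; do
        iptables -F "$chain" 2>/dev/null && iptables -X "$chain"
    done
    ;;

restart)
    "$0" stop
    sleep 1
    "$0" start
    ;;

*)
    echo "Usage:" >&2
    echo "$0 start : startet die firewall" >&2
    echo "$0 stop : stoppt die firewall" >&2
    echo "$0 restart : startet die firewall neu" >&2
    exit 1
    ;;

esac

exit 0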