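#!/bin/sh
#
# Simple stateful iptables host firewall (filter table only).
#
# Usage:  firewall.sh start|stop|restart
#
#   start   - reset the filter table and install the rules below
#             (INPUT/FORWARD policy DROP, OUTPUT policy ACCEPT); packets that
#             match no rule are logged and dropped via the NIRVANA chain.
#   stop    - reset the filter table and set every policy to ACCEPT
#             (the host is completely open afterwards).
#   restart - stop followed by start, in the same process.
#
# Must be run as root.  Every iptables invocation is one rule; on an error
# iptables prints its own diagnostic and the script carries on, as before.

set -u

# User-defined chains owned by this script.
LOG_CHAIN=NIRVANA   # log, then drop
LIMIT_CHAIN=LIMIT   # per-source connection limit for HTTP

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Empty the builtin chains and remove the chains this script creates, so both
# start and stop begin from a known-empty filter table.  Flushing/deleting a
# chain that does not exist is normal (first run, or after stop), so those two
# errors are deliberately silenced.  Previously the flush ran before argument
# parsing, i.e. even an invalid argument wiped all rules while leaving the
# DROP policies in place - a lockout of every connection including SSH.
reset_rules() {
  iptables -F INPUT
  iptables -F FORWARD
  iptables -F OUTPUT
  for chain in "$LOG_CHAIN" "$LIMIT_CHAIN"; do
    iptables -F "$chain" 2>/dev/null
    iptables -X "$chain" 2>/dev/null
  done
}

do_start() {
  reset_rules

  # Default policies: drop inbound and forwarded traffic, allow outbound.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT

  # Logging chain: log TCP and UDP at level debug (same prefix layout for
  # both, so log parsers see one format), then drop.
  iptables -N "$LOG_CHAIN"
  iptables -A "$LOG_CHAIN" -p tcp -j LOG --log-level debug --log-prefix "iptables: TCP "
  iptables -A "$LOG_CHAIN" -p udp -j LOG --log-level debug --log-prefix "iptables: UDP "
  # ICMP logging is disabled on purpose - it floods the log file.
  #iptables -A "$LOG_CHAIN" -p icmp -j LOG --log-level debug --log-prefix "iptables: ICMP "
  # Last rule of the logging chain: discard everything.
  iptables -A "$LOG_CHAIN" -j DROP

  # Connection-limit chain: reject a new HTTP connection when the source
  # address already holds more than 15.  It has to be consulted BEFORE the
  # port 80 ACCEPT rule in INPUT and BEFORE the final DROP in FORWARD;
  # appending it at the very end (as before) made it unreachable.
  iptables -N "$LIMIT_CHAIN"
  iptables -A "$LIMIT_CHAIN" -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 -j REJECT --reject-with tcp-reset

  # --- INPUT ---
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # A new TCP connection must start with a bare SYN; anything else is reset.
  iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
  iptables -A INPUT -m state --state INVALID -j DROP
  # Everything from localhost is fine.
  iptables -A INPUT -i lo -j ACCEPT

  # Port configuration
  #   -j ACCEPT      allow
  #   -j DROP        discard silently
  #   -j NIRVANA     log, then discard
  #iptables -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT # FTP data
  #iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT # FTP control
  iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT # SSH
  iptables -A INPUT -p tcp -m tcp --dport 23 -j "$LOG_CHAIN" # Telnet: log and drop
  iptables -A INPUT -p tcp -m tcp --dport 80 -j "$LIMIT_CHAIN" # HTTP: connection limit first
  iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # HTTP
  # Mail
  iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT # SMTP
  #iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT # POP3
  #iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT # IMAP
  #iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT # SMTP TLS/SSL
  #iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT # IMAP TLS/SSL
  #iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT # POP3 TLS/SSL
  #iptables -A INPUT -p tcp -m tcp --dport 443 -j DROP # HTTPS
  #iptables -A INPUT -p tcp -m tcp --dport 8443 -j DROP # HTTPS
  # VPN
  #iptables -A INPUT -p udp -m udp --dport 500 -j DROP # isakmp
  #iptables -A INPUT -p udp -m udp --dport 1194 -j DROP # OpenVPN
  # Services worth watching
  #iptables -A INPUT -p udp -m udp --dport 53 -j DROP # DNS
  #iptables -A INPUT -p tcp -m tcp --dport 53 -j DROP # DNS
  #iptables -A INPUT -p tcp -m tcp --dport 137 -j DROP # NETBIOS Name Service
  #iptables -A INPUT -p udp -m udp --dport 137 -j DROP # NETBIOS Name Service
  #iptables -A INPUT -p tcp -m tcp --dport 138 -j DROP # NETBIOS Datagram Service
  #iptables -A INPUT -p udp -m udp --dport 138 -j DROP # NETBIOS Datagram Service
  #iptables -A INPUT -p tcp -m tcp --dport 139 -j DROP # NETBIOS Session Service
  #iptables -A INPUT -p udp -m udp --dport 139 -j DROP # NETBIOS Session Service
  #iptables -A INPUT -p tcp -m tcp --dport 445 -j DROP # Microsoft-DS SMB over TCP
  #iptables -A INPUT -p udp -m udp --dport 445 -j DROP # Microsoft-DS SMB over TCP
  #iptables -A INPUT -p tcp -m tcp --dport 3306 -j DROP # MySQL
  #iptables -A INPUT -p tcp -m tcp --dport 5432 -j DROP # PostgreSQL
  # ICMP: only echo-request (ping) is accepted, not all of ICMP.
  iptables -A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
  # Everything else is logged and dropped.
  iptables -A INPUT -j "$LOG_CHAIN"

  # --- FORWARD ---
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
  iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A FORWARD -i lo -o lo -j ACCEPT
  iptables -A FORWARD -p tcp --dport 80 -j "$LIMIT_CHAIN"
  iptables -A FORWARD -j DROP

  # --- OUTPUT: allow everything ---
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
  iptables -A OUTPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A OUTPUT -j ACCEPT
}

do_stop() {
  reset_rules
  # Open the firewall completely.
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
}

# Print usage and exit 1.  The stop/restart lines used to repeat the
# "startet" text of the start line.
usage() {
  printf 'Usage:\n' >&2
  printf '  %s start   : startet die firewall\n' "$0" >&2
  printf '  %s stop    : stoppt die firewall\n' "$0" >&2
  printf '  %s restart : startet die firewall neu\n' "$0" >&2
  exit 1
}

main() {
  # iptables needs CAP_NET_ADMIN; fail early with one clear message instead
  # of one error per rule.
  [ "$(id -u)" -eq 0 ] || die "this script must be run as root"

  case "${1:-}" in
    start)
      do_start
      ;;
    stop)
      do_stop
      ;;
    restart)
      # Both steps run in this process: no re-exec of $0 (which breaks when
      # the script is started as "sh firewall.sh"), and no sleep in between -
      # start re-creates every rule from scratch anyway, so the former one
      # second window with every policy at ACCEPT is gone.
      do_stop
      do_start
      ;;
    *)
      usage
      ;;
  esac
}

main "$@"
exit 0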