  1. #!/bin/sh
  2.  
  3. #
  4. #                                XXXXXXXXXXXXXXXXX
  5. #                                XXXX Network XXXX
  6. #                                XXXXXXXXXXXXXXXXX
  7. #                                        +
  8. #                                        |
  9. #                                        v
  10. #  +-------------+              +------------------+
  11. #  |table: filter| <---+        | table: nat       |
  12. #  |chain: INPUT |     |        | chain: PREROUTING|
  13. #  +-----+-------+     |        +--------+---------+
  14. #        |             |                 |
  15. #        v             |                 v
  16. #  [local process]     |           ****************          +--------------+
  17. #        |             +---------+ Routing decision +------> |table: filter |
  18. #        v                         ****************          |chain: FORWARD|
  19. # ****************                                           +------+-------+
  20. # Routing decision                                                  |
  21. # ****************                                                  |
  22. #        |                                                          |
  23. #        v                        ****************                  |
  24. # +-------------+       +------>  Routing decision  <---------------+
  25. # |table: nat   |       |         ****************
  26. # |chain: OUTPUT|       |               +
  27. # +-----+-------+       |               |
  28. #       |               |               v
  29. #       v               |      +-------------------+
  30. # +--------------+      |      | table: nat        |
  31. # |table: filter | +----+      | chain: POSTROUTING|
  32. # |chain: OUTPUT |             +--------+----------+
  33. # +--------------+                      |
  34. #                                       v
  35. #                               XXXXXXXXXXXXXXXXX
  36. #                               XXXX Network XXXX
  37. #                               XXXXXXXXXXXXXXXXX
  38. #
  39. # iptables [-t table] {-A|-C|-D} chain rule-specification
  40. #
  41. # iptables [-t table] {-A|-C|-D} chain  rule-specification
  42. #
  43. # iptables  [-t table] -I chain [rulenum] rule-specification
  44. #
  45. # iptables [-t table] -R chain rulenum  rule-specification
  46. #
  47. # iptables [-t table] -D chain rulenum
  48. #
  49. # iptables [-t table] -S [chain [rulenum]]
  50. #
  51. # iptables  [-t  table]  {-F|-L|-Z} [chain [rulenum]] [options...]
  52. #
  53. # iptables [-t table] -N chain
  54. #
  55. # iptables [-t table] -X [chain]
  56. #
  57. # iptables [-t table] -P chain target
  58. #
  59. # iptables [-t table]  -E  old-chain-name  new-chain-name
  60. #
  61. # rule-specification = [matches...] [target]
  62. #
  63. # match = -m matchname [per-match-options]
  64. #
  65. #
  66. # Targets
  67. #
  68. # can be a user defined chain
  69. #
  70. # ACCEPT - accepts the packet
  71. # DROP   - drop the packet on the floor
  72. # QUEUE  - packet will be stent to queue
  73. # RETURN - stop traversing this chain and
  74. #          resume ate the next rule in the
  75. #          previeus (calling) chain.
  76. #
  77. # if packet reach the end of the chain or
  78. # a target RETURN, default policy for that
  79. # chain is applayed.
  80. #
  81. # Target Extensions
  82. #
  83. # AUDIT
  84. # CHECKSUM
  85. # CLASSIFY
  86. # DNAT
  87. # DSCP
  88. # LOG
  89. #     Torn on kernel logging, will print some
  90. #     some information on all matching packets.
  91. #     Log data can be read with dmesg or syslogd.
  92. #     This is a non-terminating target and a rule
  93. #     should be created with matching criteria.
  94. #
  95. #     --log-level level
  96. #           Level of logging (numeric or see sys-
  97. #           log.conf(5)
  98. #
  99. #     --log-prefix prefix
  100. #           Prefix log messages with specified prefix
  101. #           up to 29 chars log
  102. #
  103. #     --log-uid
  104. #           Log the userid of the process with gener-
  105. #           ated the packet
  106. # NFLOG
  107. #     This target pass the packet to loaded logging
  108. #     backend to log the packet. One or more userspace
  109. #     processes may subscribe to the group to receive
  110. #     the packets.
  111. #
  112. # ULOG
  113. #     This target provides userspace logging of maching
  114. #     packets. One or more userspace processes may then
  115. #     then subscribe to various multicast groups and
  116. #     then receive the packets.
  117. #
  118. #
  119. # Commands
  120. #
  121. # -A, --append chain rule-specification
  122. # -C, --check chain rule-specification
  123. # -D, --delete chain rule-specification
  124. # -D, --delete chain rulenum
  125. # -I, --insert chain [rulenum] rule-specification
  126. # -R, --replace chain rulenum rule-specification
  127. # -L, --list [chain]
  128. # -P, --policy chain target
  129. #
  130. # Parameters
  131. #
  132. # -p, --protocol protocol
  133. #       tcp, udp, udplite, icmp, esp, ah, sctp, all
  134. # -s, --source address[/mask][,...]
  135. # -d, --destination address[/mask][,...]
  136. # -j, --jump target
  137. # -g, --goto chain
  138. # -i, --in-interface name
  139. # -o, --out-interface name
  140. # -f, --fragment
  141. # -m, --match options module-name
  142. #       iptables can use extended packet matching
  143. #       modules.
  144. # -c, --set-counters packets bytes
  145.  
  146. IPT="/usr/sbin/iptables"
  147. SPAMLIST="blockedip"
  148. SPAMDROPMSG="BLOCKED IP DROP"
  149. # public interface to network/internet
  150. PUB_IF="wlp7s0"
  151. DHCP_SERV="192.168.1.1"
  152. PUB_IP="192.168.1.33"
  153. NET_ADDR="192.168.0.0/24"
  154. # private interface for virtual/internal
  155. PRIV_IF="br0"
  156. PRIV_IP="10.0.0.1"
  157.  
  158. modprobe ip_conntrack
  159. modprobe ip_conntrack_ftp
  160.  
  161. echo "Stopping ipv4 firewall and deny everyone..."
  162.  
  163. iptables -F
  164. iptables -X
  165. iptables -t nat -F
  166. iptables -t nat -X
  167. iptables -t mangle -F
  168. iptables -t mangle -X
  169. iptables -t raw -F
  170. iptables -t raw -X
  171. iptables -t security -F
  172. iptables -t security -X
  173.  
  174.  
  175. echo "Starting ipv4 firewall filter table..."
  176.  
  177. # Set Default Rules
  178. iptables -P INPUT DROP
  179. iptables -P FORWARD DROP
  180. iptables -P OUTPUT DROP
  181.  
  182. ###### AP rules  ######
  183. echo 1 > /proc/sys/net/ipv4/ip_forward
  184. $IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT
  185. $IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT
  186.  
  187.  
  188. # Block sync
  189. $IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
  190. $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  191.  
  192. # Block Fragments
  193. $IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
  194. $IPT -A INPUT -f -j DROP
  195.  
  196. # Block bad stuff
  197. $IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  198. $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  199.  
  200. $IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
  201. $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
  202.  
  203. $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
  204. $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  205.  
  206. $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
  207. $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
  208.  
  209. $IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
  210. $IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
  211.  
  212. $IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  213.  
  214. $IPT -A INPUT -i ${PRIV_IF} -j ACCEPT
  215. $IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT
  216.  
  217. $IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP}
  218.  
  219. ###### Input Chain ######
  220.  
  221. # Unlimited on local
  222. $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
  223. #$IPT -A INPUT -i lo -s ${PRIV_IP} -j ACCEPT
  224.  
  225. echo "Drop RIP protocol"
  226. $IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s $NET_ADDR -j DROP
  227.  
  228. echo "Allow input from IRC server"
  229. $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 1024:65535 --sport 6667 -m state --state ESTABLISHED -j ACCEPT
  230.  
  231. echo "Allow input from FTP server"
  232. $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 1024:65535 --sport 21 -m state --state ESTABLISHED -j ACCEPT
  233.  
  234. echo "Allow input to HTTPS Server"
  235. $IPT -A INPUT -i ${PRIV_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
  236. $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
  237.  
  238. #echo "Allow input to HTTP Server"
  239. #$IPT -A INPUT -i ${PRIV_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  240.  
  241. echo "Allow input from HTTP Server"
  242. $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
  243.  
  244. echo "Allow input from git server"
  245. $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
  246.  
  247. echo "Allow input from POP3S server"
  248. $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
  249.  
  250. echo "Allow input from SMTPS server"
  251. $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
  252.  
  253. echo "Allow input from Https server"
  254. $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
  255. $IPT -A INPUT -i ${PUB_IF} -p udp --sport 443 --dport 1024:65535 -j ACCEPT
  256.  
  257. #echo "Allow input to DNS Server"
  258. #$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53  -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
  259.  
  260. echo "Allow input from DNS Server"
  261. $IPT -A INPUT -i ${PUB_IF} -p udp --dport 1024:65535 --sport 53  -j ACCEPT
  262.  
  263. echo "Allow input to SSH server"
  264. $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
  265.  
  266.  
  267. ###### Output Chain ######
  268.  
  269. # Unlimited on local
  270. $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
  271. #$IPT -A OUTPUT -o lo -d ${PRIV_IP} -j ACCEPT
  272.  
  273. echo "Allow output from https server"
  274. $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
  275.  
  276. #echo "Allow output from http server"
  277. #$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
  278.  
  279. echo "Allow output to https server"
  280. $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
  281. $IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 443  -j ACCEPT
  282.  
  283. #echo "Allow to HTTP server"
  284. #$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  285.  
  286. echo "Allow output to SSH server"
  287. $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
  288.  
  289. echo "Allow output to DNS server"
  290. $IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
  291.  
  292. echo "Allow output to ftp server"
  293. $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
  294.  
  295. echo "Allow output to git server"
  296. $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
  297.  
  298. echo "Allow output to IRC  server"
  299. $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
  300.  
  301. echo "Allow output to SMTPS server"
  302. $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
  303.  
  304. echo "Allow output to POP3S server"
  305. $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
  306.  
  307. ## DHCP
  308.  
  309. ## less logs
  310. #$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -j DROP
  311. #$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 80 -j DROP
  312. $IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT
  313.  
  314. ## log everything else and drop
  315. $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
  316. $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
  317. $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
  318. #
  319. exit 0