Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/sh
- #
- # XXXXXXXXXXXXXXXXX
- # XXXX Network XXXX
- # XXXXXXXXXXXXXXXXX
- # +
- # |
- # v
- # +-------------+ +------------------+
- # |table: filter| <---+ | table: nat |
- # |chain: INPUT | | | chain: PREROUTING|
- # +-----+-------+ | +--------+---------+
- # | | |
- # v | v
- # [local process] | **************** +--------------+
- # | +---------+ Routing decision +------> |table: filter |
- # v **************** |chain: FORWARD|
- # **************** +------+-------+
- # Routing decision |
- # **************** |
- # | |
- # v **************** |
- # +-------------+ +------> Routing decision <---------------+
- # |table: nat | | ****************
- # |chain: OUTPUT| | +
- # +-----+-------+ | |
- # | | v
- # v | +-------------------+
- # +--------------+ | | table: nat |
- # |table: filter | +----+ | chain: POSTROUTING|
- # |chain: OUTPUT | +--------+----------+
- # +--------------+ |
- # v
- # XXXXXXXXXXXXXXXXX
- # XXXX Network XXXX
- # XXXXXXXXXXXXXXXXX
- #
- # iptables [-t table] {-A|-C|-D} chain rule-specification
- #
- # iptables [-t table] {-A|-C|-D} chain rule-specification
- #
- # iptables [-t table] -I chain [rulenum] rule-specification
- #
- # iptables [-t table] -R chain rulenum rule-specification
- #
- # iptables [-t table] -D chain rulenum
- #
- # iptables [-t table] -S [chain [rulenum]]
- #
- # iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
- #
- # iptables [-t table] -N chain
- #
- # iptables [-t table] -X [chain]
- #
- # iptables [-t table] -P chain target
- #
- # iptables [-t table] -E old-chain-name new-chain-name
- #
- # rule-specification = [matches...] [target]
- #
- # match = -m matchname [per-match-options]
- #
- #
- # Targets
- #
- # can be a user defined chain
- #
- # ACCEPT - accepts the packet
- # DROP - drop the packet on the floor
- # QUEUE - packet will be stent to queue
- # RETURN - stop traversing this chain and
- # resume ate the next rule in the
- # previeus (calling) chain.
- #
- # if packet reach the end of the chain or
- # a target RETURN, default policy for that
- # chain is applayed.
- #
- # Target Extensions
- #
- # AUDIT
- # CHECKSUM
- # CLASSIFY
- # DNAT
- # DSCP
- # LOG
- # Torn on kernel logging, will print some
- # some information on all matching packets.
- # Log data can be read with dmesg or syslogd.
- # This is a non-terminating target and a rule
- # should be created with matching criteria.
- #
- # --log-level level
- # Level of logging (numeric or see sys-
- # log.conf(5)
- #
- # --log-prefix prefix
- # Prefix log messages with specified prefix
- # up to 29 chars log
- #
- # --log-uid
- # Log the userid of the process with gener-
- # ated the packet
- # NFLOG
- # This target pass the packet to loaded logging
- # backend to log the packet. One or more userspace
- # processes may subscribe to the group to receive
- # the packets.
- #
- # ULOG
- # This target provides userspace logging of maching
- # packets. One or more userspace processes may then
- # then subscribe to various multicast groups and
- # then receive the packets.
- #
- #
- # Commands
- #
- # -A, --append chain rule-specification
- # -C, --check chain rule-specification
- # -D, --delete chain rule-specification
- # -D, --delete chain rulenum
- # -I, --insert chain [rulenum] rule-specification
- # -R, --replace chain rulenum rule-specification
- # -L, --list [chain]
- # -P, --policy chain target
- #
- # Parameters
- #
- # -p, --protocol protocol
- # tcp, udp, udplite, icmp, esp, ah, sctp, all
- # -s, --source address[/mask][,...]
- # -d, --destination address[/mask][,...]
- # -j, --jump target
- # -g, --goto chain
- # -i, --in-interface name
- # -o, --out-interface name
- # -f, --fragment
- # -m, --match options module-name
- # iptables can use extended packet matching
- # modules.
- # -c, --set-counters packets bytes
- IPT="/usr/sbin/iptables"
- SPAMLIST="blockedip"
- SPAMDROPMSG="BLOCKED IP DROP"
- # public interface to network/internet
- PUB_IF="wlp7s0"
- DHCP_SERV="192.168.1.1"
- PUB_IP="192.168.1.33"
- NET_ADDR="192.168.0.0/24"
- # private interface for virtual/internal
- PRIV_IF="br0"
- PRIV_IP="10.0.0.1"
- modprobe ip_conntrack
- modprobe ip_conntrack_ftp
- echo "Stopping ipv4 firewall and deny everyone..."
- iptables -F
- iptables -X
- iptables -t nat -F
- iptables -t nat -X
- iptables -t mangle -F
- iptables -t mangle -X
- iptables -t raw -F
- iptables -t raw -X
- iptables -t security -F
- iptables -t security -X
- echo "Starting ipv4 firewall filter table..."
- # Set Default Rules
- iptables -P INPUT DROP
- iptables -P FORWARD DROP
- iptables -P OUTPUT DROP
- ###### AP rules ######
- echo 1 > /proc/sys/net/ipv4/ip_forward
- $IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT
- $IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT
- # Block sync
- $IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
- $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
- # Block Fragments
- $IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
- $IPT -A INPUT -f -j DROP
- # Block bad stuff
- $IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
- $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
- $IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
- $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
- $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
- $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
- $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
- $IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
- $IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
- $IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
- $IPT -A INPUT -i ${PRIV_IF} -j ACCEPT
- $IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT
- $IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP}
- ###### Input Chain ######
- # Unlimited on local
- $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
- #$IPT -A INPUT -i lo -s ${PRIV_IP} -j ACCEPT
- echo "Drop RIP protocol"
- $IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s $NET_ADDR -j DROP
- echo "Allow input from IRC server"
- $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 1024:65535 --sport 6667 -m state --state ESTABLISHED -j ACCEPT
- echo "Allow input from FTP server"
- $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 1024:65535 --sport 21 -m state --state ESTABLISHED -j ACCEPT
- echo "Allow input to HTTPS Server"
- $IPT -A INPUT -i ${PRIV_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
- #echo "Allow input to HTTP Server"
- #$IPT -A INPUT -i ${PRIV_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
- echo "Allow input from HTTP Server"
- $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- echo "Allow input from git server"
- $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- echo "Allow input from POP3S server"
- $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- echo "Allow input from SMTPS server"
- $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- echo "Allow input from Https server"
- $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A INPUT -i ${PUB_IF} -p udp --sport 443 --dport 1024:65535 -j ACCEPT
- #echo "Allow input to DNS Server"
- #$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
- echo "Allow input from DNS Server"
- $IPT -A INPUT -i ${PUB_IF} -p udp --dport 1024:65535 --sport 53 -j ACCEPT
- echo "Allow input to SSH server"
- $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- ###### Output Chain ######
- # Unlimited on local
- $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
- #$IPT -A OUTPUT -o lo -d ${PRIV_IP} -j ACCEPT
- echo "Allow output from https server"
- $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
- #echo "Allow output from http server"
- #$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
- echo "Allow output to https server"
- $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 443 -j ACCEPT
- #echo "Allow to HTTP server"
- #$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
- echo "Allow output to SSH server"
- $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
- echo "Allow output to DNS server"
- $IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
- echo "Allow output to ftp server"
- $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
- echo "Allow output to git server"
- $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
- echo "Allow output to IRC server"
- $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
- echo "Allow output to SMTPS server"
- $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- echo "Allow output to POP3S server"
- $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- ## DHCP
- ## less logs
- #$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -j DROP
- #$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 80 -j DROP
- $IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT
- ## log everything else and drop
- $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
- $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
- $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
- #
- exit 0
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement