Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/bash
- IPT="/sbin/iptables"
- echo "Starting IPv4 Wall..."
- $IPT -F
- $IPT -X
- $IPT -t nat -F
- $IPT -t nat -X
- $IPT -t mangle -F
- $IPT -t mangle -X
- modprobe ip_conntrack
- modprobe ip_conntrack_ftp
- modprobe nf_conntrack_ftp
- BADIPS=$(egrep -v -E "^#|^$" /root/scripts/blocked.fw)
- PUB_IF="eth0"
- SSH_PORT="22"
- #unlimited
- $IPT -A INPUT -i lo -j ACCEPT
- $IPT -A OUTPUT -o lo -j ACCEPT
- # DROP all inc
- $IPT -P INPUT DROP
- $IPT -P OUTPUT DROP
- $IPT -P FORWARD DROP
- # block all bad ip
- for ip in $BADIPS
- do
- $IPT -A INPUT -s $ip -j DROP
- $IPT -A OUTPUT -d $ip -j DROP
- done
- # sync
- $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Syn"
- $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
- # Fragments
- $IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
- $IPT -A INPUT -i ${PUB_IF} -f -j DROP
- # bad stuff
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
- # full outgoing connection
- $IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- # ssh
- $IPT -A INPUT -i ${PUB_IF} -p tcp --dport ${ssh_port} -j ACCEPT
- $IPT -A OUTPUT -i ${PUB_IF} -p tcp --sport ${ssh_port} -j ACCEPT
- $IPT -I INPUT -i ${PUB_IF} -p tcp --dport ${ssh_port} -m state --state NEW -m recent --set
- $IPT -I INPUT -i ${PUB_IF} -p tcp --dport ${ssh_port} -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
- # http
- $IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 80 -j ACCEPT
- $IPT -A OUTPUT -i ${PUB_IF} -p tcp --sport 80 -j ACCEPT
- #dns
- $IPT -A OUTPUT -i ${PUB_IF} -p udp –dport 53 -j ACCEPT
- # ping pong stuff
- $IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- $IPT -A OUTPUT -i ${PUB_IF} -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
- #NTP
- $IPT -A OUTPUT -i ${PUB_IF} -p udp –dport 123 -j ACCEPT
- $IPT -A INPUT -i ${PUB_IF} -p udp –dport 123 -j ACCEPT
- # smb/windows
- $IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT
- $IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT
- # Log
- $IPT -A INPUT -j LOG
- $IPT -A FORWARD -j LOG
- $IPT -A INPUT -j DROP
- # Start ipv6 firewall
- #echo "Starting IPv6 Wall..."
- #/root/scripts/start6.fw
- exit 0
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement