  1. root@debian:~# cat /etc/firewall
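#!/bin/bash
#
# /etc/firewall -- host firewall for IPv4 (iptables) and IPv6 (ip6tables).
#
# Usage:
#   firewall         load the ruleset: default-deny INPUT and FORWARD,
#                    OUTPUT left open, a short list of TCP ports accepted
#   firewall stop    flush every rule and leave all chains at ACCEPT
#
# Must run as root. A failing iptables command is reported on stderr and
# recorded; the script keeps going so that the remaining rules (notably
# the SSH allow rules) are still installed, and exits non-zero at the end
# so an init system can tell that the ruleset is incomplete.

ipts_cmds=(iptables ip6tables)
action="${1:-start}"
rc=0

# fw ARGS... -- run the current ${ipt_cmd} with ARGS. On failure print the
# command and remember the error instead of aborting (see header).
fw() {
  if ! "${ipt_cmd}" "$@"; then
    printf 'firewall: %s %s failed\n' "${ipt_cmd}" "$*" >&2
    rc=1
  fi
}

for ipt_cmd in "${ipts_cmds[@]}"; do
  if ! command -v "${ipt_cmd}" >/dev/null 2>&1; then
    # A missing ip6tables means IPv6 is not filtered at all -- worth a
    # non-zero exit, not just a warning.
    printf 'firewall: %s not found, skipping\n' "${ipt_cmd}" >&2
    rc=1
    continue
  fi

  if [[ "${action}" == stop ]]; then
    filter_policy=ACCEPT
  else
    printf '### Loading %s firewall ###\n' "${ipt_cmd}"
    filter_policy=DROP
  fi

  ###############################################################
  ### Reset: set policies, then delete every rule and user chain ###
  # The INPUT/FORWARD policy is set *before* the flush. Flushing first with
  # an ACCEPT policy opens every port for the moment between the flush and
  # the re-load on each restart. Conntrack state survives a flush, so
  # established sessions (including the SSH session running this script)
  # resume as soon as the ESTABLISHED rule below is back.
  fw -P INPUT   "${filter_policy}"
  fw -P FORWARD "${filter_policy}"
  fw -P OUTPUT  ACCEPT
  fw -t mangle -P PREROUTING ACCEPT
  fw -t mangle -P OUTPUT ACCEPT
  # -F before -X: -X only removes *empty* user chains and fails while
  # rules in the built-in chains still jump to them.
  fw -F
  fw -X
  fw -t mangle -F
  fw -t mangle -X

  # NOTE(review): the nat table is only reset for IPv4, as before; the IPv6
  # nat table (if the kernel has one) is left untouched.
  if [[ "${ipt_cmd}" == iptables ]]; then
    fw -t nat -P PREROUTING ACCEPT
    fw -t nat -P POSTROUTING ACCEPT
    fw -t nat -P OUTPUT ACCEPT
    fw -t nat -F
    fw -t nat -X
  fi

  if [[ "${action}" == stop ]]; then
    printf '### Firewall %s flushed ###\n' "${ipt_cmd}"
    continue
  fi

  ###############################################################
  ### Stateful baseline: replies to tracked flows, and loopback ###
  # -m conntrack --ctstate is the current spelling of -m state --state;
  # the match is identical.
  fw -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  fw -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  fw -A INPUT  -i lo -j ACCEPT

  if [[ "${ipt_cmd}" == ip6tables ]]; then
    ###############################################################
    ### ICMPv6 Neighbor Discovery (RFC 4861) ###
    # With an INPUT DROP policy and no ICMPv6 rule, neighbor/router
    # solicitations and advertisements are dropped and IPv6 stops working
    # entirely. Legitimate NDP is link-local and always carries hop limit
    # 255 (RFC 4890 sect. 4.4.1), which keeps off-link forgeries out.
    # Redirect (137) is deliberately not accepted.
    for icmp6_type in 133 134 135 136; do
      fw -A INPUT -p ipv6-icmp --icmpv6-type "${icmp6_type}" -m hl --hl-eq 255 -j ACCEPT
    done
  fi

  ###############################################################
  ### INBOUND Rules: Allow ONLY NEW packets on these ports ###
  # NOTE(review): three ports are labelled SSH -- confirm sshd really
  # listens on all of them; every open port that nothing listens on is
  # just extra attack surface once a daemon lands there.
  #fw -A INPUT -p tcp --dport 22    -m conntrack --ctstate NEW -j ACCEPT ## SSH ##
  fw -A INPUT -p tcp --dport 51238 -m conntrack --ctstate NEW -j ACCEPT ## SSH ##
  fw -A INPUT -p tcp --dport 51239 -m conntrack --ctstate NEW -j ACCEPT ## SSH M2G ##
  fw -A INPUT -p tcp --dport 23432 -m conntrack --ctstate NEW -j ACCEPT ## SSH ##
  fw -A INPUT -p tcp --dport 38000 -m conntrack --ctstate NEW -j ACCEPT ## DARKICE ##
  fw -A INPUT -p tcp --dport 80    -m conntrack --ctstate NEW -j ACCEPT ## HTTP ##
  fw -A INPUT -p tcp --dport 443   -m conntrack --ctstate NEW -j ACCEPT ## HTTPS ##
  #fw -A INPUT -p tcp --dport 51236 -m conntrack --ctstate NEW -j ACCEPT ## SQUID ##
  # Everything that reaches this point falls through to the DROP policy;
  # log it first, rate-limited so a port scan cannot flood the log.
  fw -A INPUT -m limit --limit 3/second --limit-burst 3 -j LOG --log-prefix "FW_INPUT: "

  ###############################################################
  ### FORWARD Rules: none -- the DROP policy applies ###

  ###############################################################
  ### OUTBOUND Rules ###
  # OUTPUT policy is ACCEPT, so these are no-ops unless the policy above is
  # changed to DROP; they are kept on record for that case.
  #fw -A OUTPUT -p tcp --dport 80  -m conntrack --ctstate NEW -j ACCEPT ## HTTP & Shell ##
  #fw -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT ## HTTPS ##
  #fw -A OUTPUT -p udp --dport 53  -m conntrack --ctstate NEW -j ACCEPT ## DNS ##
  #fw -A OUTPUT -p udp --dport 67  -m conntrack --ctstate NEW -j ACCEPT ## DHCP ##
  #fw -A OUTPUT -p tcp --dport 631 -m conntrack --ctstate NEW -j ACCEPT ## CUPS ##
  #fw -A OUTPUT -p tcp --dport 587 -m conntrack --ctstate NEW -j ACCEPT ## EXIM4 ##

  ###############################################################
  ### Drop IPv4 ICMP that is not RELATED to a tracked flow (optional) ###
  # ICMP errors belonging to an existing connection (e.g. fragmentation
  # needed, which PMTUD depends on) are already accepted as RELATED above;
  # this only silences echo requests and unsolicited errors. Not applied to
  # ip6tables: ICMPv6 is required for NDP (see above).
  if [[ "${ipt_cmd}" == iptables ]]; then
    fw -A INPUT   -p icmp -j DROP
    fw -A FORWARD -p icmp -j DROP
    fw -A OUTPUT  -p icmp -j DROP
  fi

  ###############################################################
  printf '### Firewall %s Loaded ###\n' "${ipt_cmd}"
done

exit "${rc}"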
  97. root@debian:~#