finish_iptables_firewall

#!/bin/bash

#my iptables Firewall with Portscan Blocking and Redjuce of DDos.

PATH=$PATH:/usr/sbin:/sbin:/usr/bin:/bin

#config
interface='br0'
ping='0'
trace='0'
gateway='0'


# iptables suchen
iptables=`which iptables`

# wenn iptables nicht installiert abbrechen
test -f $iptables || exit 0

case "$1" in
   start)
echo "Starte Firewall..."
# alle Regeln löschen
$iptables -F
$iptables -X
$iptables -t nat -F
$iptables -t nat -X
$iptables -t mangle -F
$iptables -t mangle -X


$iptables -P INPUT DROP
$iptables -P FORWARD ACCEPT
$iptables -P OUTPUT ACCEPT


# über Loopback alles erlauben
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

# chains für kvm
$iptables -N 'LIBVIRT_FWI'
$iptables -N 'LIBVIRT_FWO'
$iptables -N 'LIBVIRT_FWX'
$iptables -N 'LIBVIRT_INP'
$iptables -N 'LIBVIRT_OUT'


# bestehende Verbindungen akzeptieren
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#finger
#$iptables -A INPUT -p tcp --dport 79 -j ACCEPT

#pptp GRE
#$iptables -A INPUT -p gre -j ACCEPT

$iptables -A INPUT -m state --state NEW -s 0.0.0.0/0 -m recent --set
$iptables -A INPUT -m state --state NEW -s 0.0.0.0/0 -m recent --update --seconds 15 --hitcount 5 -j DROP


if [ -f "/root/ports.conf" ]; then

cat "/root/ports.conf" | while read line; do
echo "Open Port $line"


$iptables -A INPUT -p tcp --dport "$line" -m state --state NEW -m recent --set
$iptables -A INPUT -p tcp --dport "$line" -m state --state NEW -m recent --update --seconds 15 --hitcount 5 -j DROP
$iptables -A INPUT -p tcp --dport "$line" -j ACCEPT
$iptables -A INPUT -p tcp --sport "$line" -j ACCEPT

$iptables -A INPUT -p udp --dport "$line" -m state --state NEW -m recent --set
$iptables -A INPUT -p udp --dport "$line" -m state --state NEW -m recent --update --seconds 15 --hitcount 5 -j DROP
$iptables -A INPUT -p udp --dport "$line" -j ACCEPT
$iptables -A INPUT -p udp --sport "$line" -j ACCEPT


done

fi


#anti PortScan
$iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

#anti smurf
$iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Ping-of-Death
$iptables -A FORWARD -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT

# SYN-Flood-Schutz
$iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# SYN und RST gleichzeitig gesetzt
$iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# SYN und FIN gesetzt
$iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#fin und urg und psh gesetzt
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

#all syn
$iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

#all
$iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP

#Keine Flags gesetzt nmap 0 scan
$iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

#nmap fin stealth scan
$iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ALL FIN -j DROP

#xmas
$iptables -A INPUT -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j DROP

# FIN und RST gleichzeitig gesetzt
$iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

# FIN ohne ACK
$iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP

# PSH ohne ACK
$iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP

# URG ohne ACK
$iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP

# All TCP sessions should begin with SYN
$iptables -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP


#traceroute erlauben
if [ $trace -eq "1" ]; then

echo "accept trace"
$iptables -A INPUT -p ICMP --icmp-type 11 -s 0.0.0.0/0 -j ACCEPT

fi


#Limiting the incoming icmp ping request:
if [ $ping -eq "1" ]; then

echo "accept icmp ping"

$iptables -A INPUT -p icmp --icmp-type echo-request -m recent --set
$iptables -A INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 3 --hitcount 20 -j DROP
$iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

fi


#####################################################

# Forwarding/Routing
echo 0 > /proc/sys/net/ipv4/ip_forward 2> /dev/null

#Activate Gateway Mode:
if [ $gateway -eq "1" ]; then

echo "activate gateway"

echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
$iptables -A FORWARD -p tcp --syn -s 10.0.0.0/24 -j TCPMSS --set-mss 1356
$iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE

fi


#SYN-Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null

#Stop Source-Routing
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done

#Stop Redirecting
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done

#Reverse-Path-Filter
for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done

#Log Martians
for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done

#BOOTP-Relaying ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done

#Proxy-ARP ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done

#Ungültige ICMP-Antworten ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null

#ICMP Echo-Broadcasts ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null

#Max. 500/Sekunde (5/Jiffie) senden
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit

#Speicherallozierung und -timing für IP-De/-Fragmentierung
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 30 > /proc/sys/net/ipv4/ipfrag_time

#TCP-FIN-Timeout zum Schutz vor DoS-Attacken setzen
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

#Maximal 3 Antworten auf ein TCP-SYN
echo 3 > /proc/sys/net/ipv4/tcp_retries1

#TCP-Pakete maximal 15x wiederholen
echo 15 > /proc/sys/net/ipv4/tcp_retries2


;;
   stop)
echo "Stoppe Firewall..."
# alle Regeln löschen
$iptables -F
$iptables -X
$iptables -t nat -F
$iptables -t nat -X
$iptables -t mangle -F
$iptables -t mangle -X
$iptables -P INPUT ACCEPT
$iptables -P FORWARD ACCEPT
$iptables -P OUTPUT ACCEPT

;;
   test)
   $0 start
sleep 2m
   $0 stop

;;
   *)
echo "Usage: /etc/init.d/firewall (start|stop|test)"
exit 1
;;
esac
exit 0