  1. #!/bin/bash
  2. #
  3. # firewall Startup script for the firewall
  4. #
  5. # chkconfig: - 85 15
  6. # description: iptables firewall
  7. #
  8. # processname: firewall
  9. #
  10.  
  11. IPTABLES=/sbin/iptables
  12. #IP6TABLES=/sbin/ip6tables
  13. BLOCK_LIST=/var/log/blocked_ips
  14.  
  15. LOGOPTS="-m limit --limit 5/second --limit-burst 20"
  16.  
  17. # 21 FTP "I recommend closing it, and using a tunnel to access FTP if needed"
  18. # 25 SMTP
  19. # 53 DNS
  20. # 80 HTTP
  21. # 443 HTTPS
  22. # 143 IMAP
  23. # 110 POP3
  24. # 587 SMTP
  25. # 7628 Directadmin
  26. # 5278 SSHD
  27.  
  28. ALLOWPORTS="21 25 53 80 443 143 110 587 7628 5278"
  29. UDP_ALLOWPORTS=""
  30.  
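# Print the accepted sub-commands on stderr and abort with status 1.
# Arguments: none ($0 supplies the program name)
usage() {
  # >&2 instead of > /dev/stderr: the fd duplication works even where
  # /dev/stderr cannot be opened (restricted init/chroot environments).
  printf '%s {start|stop|reload|force-reload|restart}\n' "$0" >&2
  exit 1
}
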
# Empty the filter table: delete all rules (-F) and user-defined chains (-X)
# and zero the packet/byte counters (-Z). IPv6 handling stays commented out.
firewall_flush() {
  # $IP6TABLES -F
  local op
  for op in -F -X -Z; do
    "$IPTABLES" "$op"
  done
}

# Default-deny policies for inbound and forwarded traffic; outbound stays open.
# Anything not matched by a rule added in firewall_create_rules is dropped.
firewall_set_policy() {
  local entry
  # chain:policy pairs, split at the colon below
  for entry in INPUT:DROP OUTPUT:ACCEPT FORWARD:DROP; do
    "$IPTABLES" -P "${entry%%:*}" "${entry##*:}"
  done
  # $IP6TABLES -P INPUT DROP
  # $IP6TABLES -P OUTPUT ACCEPT
  # $IP6TABLES -P FORWARD DROP
}

# Set all three filter chains to policy ACCEPT. Combined with firewall_flush
# this leaves the host without any packet filtering. Takes no arguments.
firewall_rem_policy() {
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    "$IPTABLES" -P "$chain" ACCEPT
  done
  # $IP6TABLES -P INPUT ACCEPT
  # $IP6TABLES -P OUTPUT ACCEPT
  # $IP6TABLES -P FORWARD ACCEPT
}

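# Populate the INPUT chain. iptables evaluates rules top-down and the first
# match wins, so the specific DROPs are appended before the broad per-port
# ACCEPTs. Reads IPTABLES, ALLOWPORTS, UDP_ALLOWPORTS, BLOCK_LIST and LOGOPTS;
# assigns the global ALLOWIPS_DA.
firewall_create_rules() {
  local pt ip
  # IPv4 address with an optional /prefix; the only form handed to iptables -s.
  local ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'

  # Traffic belonging to connections that were already accepted, plus ICMP.
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A INPUT -p icmp -j ACCEPT

  # Invalid TCP flag combinations ("stealth scans"). These used to sit below
  # the per-port ACCEPTs, so such a packet aimed at an allowed port was
  # accepted before these rules were consulted. Only new connections get this
  # far (ESTABLISHED,RELATED is accepted above) and a legitimate new connection
  # opens with SYN alone, so none of these patterns match wanted traffic.
  "$IPTABLES" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  # syn & fin
  "$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  # syn & rst
  "$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  # fin & rst
  "$IPTABLES" -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  # fin without ack
  "$IPTABLES" -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
  # psh without ack
  "$IPTABLES" -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP

  # World-reachable services. ALLOWPORTS / UDP_ALLOWPORTS are deliberately
  # unquoted: they are whitespace-separated lists of port numbers.
  for pt in $ALLOWPORTS; do
    "$IPTABLES" -A INPUT -p tcp --dport "$pt" -j ACCEPT
  done
  for pt in $UDP_ALLOWPORTS; do
    "$IPTABLES" -A INPUT -p udp --dport "$pt" -j ACCEPT
  done

  # allow access to ports via specific ips, add more ips with space separator
  # NOTE(review): 7862 does not appear in the port table at the top of the
  # file (Directadmin is listed there as 7628, which ALLOWPORTS already opens
  # to every source) — confirm which port was meant. Port 21 is also already
  # in ALLOWPORTS, so the per-IP rule for it adds no restriction.
  ALLOWIPS_DA="127.0.0.1 46.102.241.140 46.102.245.170"
  for ip in $ALLOWIPS_DA; do
    "$IPTABLES" -A INPUT -p tcp --dport 7862 -s "$ip" -j ACCEPT
    "$IPTABLES" -A INPUT -p tcp --dport 21 -s "$ip" -j ACCEPT
  done

  # ban ips in BLOCK_LIST. Inserted at the head of the chain (-I) so they win
  # over every ACCEPT above. Entries are whitespace-separated; a token that is
  # not an IPv4 address/prefix is reported and skipped rather than passed to
  # iptables as an argument, and a missing file is reported instead of being
  # silently treated as empty.
  if [[ -r "$BLOCK_LIST" ]]; then
    for ip in $(< "$BLOCK_LIST"); do
      if [[ "$ip" =~ $ipv4_re ]]; then
        "$IPTABLES" -I INPUT -s "$ip" -j DROP
      else
        printf '%s: ignoring malformed entry in %s: %q\n' "$0" "$BLOCK_LIST" "$ip" >&2
      fi
    done
  else
    printf '%s: block list %s is missing or unreadable, no addresses banned\n' \
      "$0" "$BLOCK_LIST" >&2
  fi

  # log everything else (rate-limited through LOGOPTS); the INPUT policy set by
  # firewall_set_policy then discards it. LOGOPTS is deliberately unquoted:
  # it holds several options that must be split into separate arguments.
  "$IPTABLES" -A INPUT $LOGOPTS -j LOG
}
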
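############################################################
# Main script
############################################################

# Dispatch on the sub-command. restart/reload/force-reload deliberately do
# not run "stop" first: stop flushes the rules and sets every policy to
# ACCEPT, so re-executing "$0 stop; sleep 1; $0 start" left the host without
# any filtering for the duration of the pause. "start" already flushes the
# table before setting the DROP policy, so re-running it is sufficient.
case "${1:-}" in
  start)
    firewall_flush
    firewall_set_policy
    firewall_create_rules
    ;;
  stop)
    firewall_flush
    firewall_rem_policy
    ;;
  restart|reload|force-reload)
    firewall_flush
    firewall_set_policy
    firewall_create_rules
    ;;
  *)
    # a missing sub-command ends up here as well as an unknown one
    usage
    ;;
esac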