#!/bin/bash
#
# firewall Startup script for the firewall
#
# chkconfig: - 85 15
# description: iptables firewall
#
# processname: firewall
#
# --- binaries and inputs -------------------------------------------------
IPTABLES=/sbin/iptables
#IP6TABLES=/sbin/ip6tables        # IPv6 is not managed by this script
BLOCK_LIST=/var/log/blocked_ips   # source IPs to DROP on INPUT, whitespace separated
# rate limit applied to the catch-all LOG rule (word-split where it is used)
LOGOPTS="-m limit --limit 5/second --limit-burst 20"

# --- TCP ports open to every source, space separated -----------------------
#   21    FTP   "I recommend closing it, and using a tunnel to access FTP if needed"
#   25    SMTP
#   53    DNS
#   80    HTTP
#   443   HTTPS
#   143   IMAP
#   110   POP3
#   587   SMTP
#   7628  Directadmin
#   5278  SSHD
# NOTE(review): the per-IP rule further down opens 7862, not 7628 - confirm
# which port DirectAdmin actually listens on.
ALLOWPORTS="21 25 53 80 443 143 110 587 7628 5278"
# --- UDP ports open to every source (none by default) -----------------------
UDP_ALLOWPORTS=""
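#######################################
# Print the accepted actions and exit with status 1.
# Arguments: none
# Outputs:   usage line on stderr
# Returns:   never returns (exit 1)
#######################################
usage() {
  # >&2 duplicates the inherited stderr fd; the previous "> /dev/stderr" reopens
  # the device node, which fails when it is not openable (e.g. a socket or pipe
  # with restricted permissions).
  printf '%s {start|stop|reload|force-reload|restart}\n' "$0" >&2
  exit 1
}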
#######################################
# Remove every rule, delete user-defined chains and zero the counters.
# IPv4 only: the ip6tables call stays commented out.
# Globals:   IPTABLES (read)
# Arguments: none
#######################################
function firewall_flush() {
  # $IP6TABLES -F
  local flag
  for flag in -F -X -Z; do
    $IPTABLES "$flag"
  done
}
#######################################
# Install the default-deny policies: INPUT and FORWARD drop, OUTPUT accepts.
# IPv4 only: the ip6tables lines stay commented out.
# Globals:   IPTABLES (read)
# Arguments: none
#######################################
function firewall_set_policy() {
  local chain policy
  while read -r chain policy; do
    $IPTABLES -P "$chain" "$policy"
  done <<'EOF'
INPUT DROP
OUTPUT ACCEPT
FORWARD DROP
EOF
  # $IP6TABLES -P INPUT DROP
  # $IP6TABLES -P OUTPUT ACCEPT
  # $IP6TABLES -P FORWARD DROP
}
#######################################
# Open the default policies (ACCEPT on every chain); used by "stop".
# Any positional arguments are ignored.
# IPv4 only: the ip6tables lines stay commented out.
# Globals:   IPTABLES (read)
#######################################
function firewall_rem_policy() {
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    $IPTABLES -P "$chain" ACCEPT
  done
  # $IP6TABLES -P INPUT ACCEPT
  # $IP6TABLES -P OUTPUT ACCEPT
  # $IP6TABLES -P FORWARD ACCEPT
}
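#######################################
# Populate the INPUT chain (IPv4 only).
# Globals:   IPTABLES, ALLOWPORTS, UDP_ALLOWPORTS, BLOCK_LIST, LOGOPTS (read)
#            ALLOWIPS_DA (written)
# Arguments: none
# Outputs:   a warning on stderr when BLOCK_LIST cannot be read
# Returns:   status of the last iptables invocation
#######################################
function firewall_create_rules() {
  local pt ip line

  $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A INPUT -p icmp -j ACCEPT

  # Invalid flag combinations are dropped BEFORE the per-port ACCEPT rules.
  # Appended after them (as they were), a segment aimed at an allowed port
  # matched the ACCEPT first and these rules were never reached.
  # stealth scans
  $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  # syn & fin
  $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  # syn & rst
  $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  # fin & rst
  $IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  # fin without ack
  $IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
  # psh without ack
  $IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP

  # ALLOWPORTS / UDP_ALLOWPORTS are space-separated lists: left unquoted on purpose.
  for pt in $ALLOWPORTS; do
    $IPTABLES -A INPUT -p tcp --dport "$pt" -j ACCEPT
  done
  for pt in $UDP_ALLOWPORTS; do
    $IPTABLES -A INPUT -p udp --dport "$pt" -j ACCEPT
  done

  # allow access to ports via specific ips, add more ips with space separator
  # NOTE(review): the port table in the header lists 7628 for DirectAdmin but
  # this rule opens 7862 - confirm which one is intended.
  ALLOWIPS_DA="127.0.0.1 46.102.241.140 46.102.245.170"
  for ip in $ALLOWIPS_DA; do
    $IPTABLES -A INPUT -p tcp --dport 7862 -s "$ip" -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 21 -s "$ip" -j ACCEPT
  done

  # ban ips in BLOCK_LIST. Addresses are whitespace separated (several per
  # line allowed, as before); blank lines and '#' comments are ignored so a
  # stray entry no longer produces a failing iptables call. -I puts them at
  # the top of the chain, ahead of the ESTABLISHED,RELATED accept.
  if [[ -r "$BLOCK_LIST" ]]; then
    while IFS= read -r line || [[ -n "$line" ]]; do
      line=${line%%#*}
      for ip in $line; do
        $IPTABLES -I INPUT -s "$ip" -j DROP
      done
    done < "$BLOCK_LIST"
  else
    # best effort, as in the original: rule creation carries on without the list
    printf 'firewall: block list %s is not readable, no addresses banned\n' "$BLOCK_LIST" >&2
  fi

  # log everything else; the INPUT policy (DROP) discards it afterwards.
  # LOGOPTS holds several options and is word-split on purpose.
  # shellcheck disable=SC2086
  $IPTABLES -A INPUT $LOGOPTS -j LOG
}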
############################################################
# Main script
############################################################
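# Dispatch on the requested action; any unknown or missing action prints usage.
if [[ -z "${1:-}" ]]; then usage; fi
case "$1" in
  # restart/reload used to re-execute "$0 stop; sleep 1; $0 start", which left
  # the host with ACCEPT-all policies and no rules for a second (and depended
  # on $0 being re-invocable). Rebuilding in-process has no such window:
  # flush, then policies, then rules, exactly like "start".
  start|restart|reload|force-reload)
    firewall_flush
    firewall_set_policy
    firewall_create_rules
    ;;
  stop)
    firewall_flush
    firewall_rem_policy   # took no arguments; the stray ACCEPT operand is gone
    ;;
  *)
    usage
    ;;
esac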