- #!/bin/sh
- #
- # Modified firewall
- #
- ### BEGIN INIT INFO
- # Provides: firewall
- # Required-Start: $remote_fs $local_fs $syslog
- # Required-Stop: umountfs
- # Default-Start: 2 3 4 5
- # Default-Stop:
- # Short-Description: firewall initialization
- # Description: System firewall
- ### END INIT INFO
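reset_firewall() {
  # Tear down every rule and user-defined chain and leave the host OPEN
  # (policy ACCEPT on INPUT and OUTPUT).  This is what "stop" does: it removes
  # protection rather than failing closed, so do not stop the firewall on an
  # exposed host unless that is the intent.  FORWARD stays DROP: this machine
  # is never meant to route.
  #
  # The policies are set *before* the flush.  If a DROP policy is in place
  # (start_firewall sets one), flushing first would drop every packet --
  # including the admin's own SSH session -- in the instant between the flush
  # and the policy change.
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP
  # Flush rules and delete user chains in the tables this script touches.
  iptables -t filter -F
  iptables -t filter -X
  iptables -t nat -F
  iptables -t nat -X
  iptables -t mangle -F
  iptables -t mangle -X
}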
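start_firewall() {
  # Build the INPUT and OUTPUT rule sets.  Rules are appended in order, so the
  # early DROPs and the RELATED,ESTABLISHED accept shadow everything after
  # them; the last rule of each chain drops whatever was not explicitly
  # allowed.
  #
  # Fail closed while the rules are being built: between reset_firewall and
  # the final DROP rules below the host would otherwise be wide open.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  ##############################################
  # INPUT RULES
  ##############################################
  # loopback adapter
  iptables -A INPUT -i lo -j ACCEPT
  # anti-spoofing: a 127/8 source is only legitimate on the loopback device
  iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
  # drop private / reserved source networks.
  # RFC 1918 192.168/16 (not /24, which only covered one subnet) and
  # 172.16/12; 10/8 is deliberately not dropped because the LAN rules below
  # live in 10.0.1.0/24.  Class E is 240/4 (the old /5 missed 248-255).
  iptables -A INPUT -s 192.168.0.0/16 -j DROP # (C)
  iptables -A INPUT -s 172.16.0.0/12 -j DROP # (B)
  iptables -A INPUT -s 224.0.0.0/4 -j DROP # (MULTICAST D)
  iptables -A INPUT -s 240.0.0.0/4 -j DROP # (E, reserved)
  # NOTE: dropping the gateway as a source also discards ICMP errors it
  # originates (unreachable, fragmentation-needed).  Kept from the original
  # policy; revisit if path-MTU problems show up.
  iptables -A INPUT -s 10.0.1.1 -j DROP # router
  iptables -A INPUT -d 10.0.1.255 -j DROP # broadcast
  iptables -A INPUT -d 255.255.255.255 -j DROP # broadcast
  # related/established
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # invalid
  iptables -A INPUT -m state --state INVALID -j DROP
  # syn-flood protection
  # The rate limit lives in its own chain: SYNs within the limit RETURN to
  # INPUT and are then judged by the per-port rules below; SYNs above it are
  # dropped.  The previous form (-j ACCEPT on the limit match) admitted up to
  # 1 SYN/s to *any* listening port, silently bypassing the LAN-only SSH rule.
  # The limit is aggregate, not per source, and 1/s is tight for a public
  # HTTP service -- tune the numbers to the expected connection rate.
  # If the chain already exists (start without stop) just empty it so rules
  # are not duplicated.
  iptables -N SYN_FLOOD 2>/dev/null || iptables -F SYN_FLOOD
  iptables -A SYN_FLOOD -m limit --limit 1/s --limit-burst 3 -j RETURN
  iptables -A SYN_FLOOD -j DROP
  iptables -A INPUT -p tcp --syn -j SYN_FLOOD
  # allow http
  iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
  # allow ssh only from LAN (sshd is expected on the non-standard port 65212)
  iptables -A INPUT -s 10.0.1.0/24 -m state --state NEW -p tcp --dport 65212 -j ACCEPT
  # allow ping only from LAN, rate limited
  iptables -A INPUT -s 10.0.1.0/24 -m state --state NEW -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
  # log the rest (rate limited so a flood cannot fill the log)
  iptables -A INPUT -m limit --limit 2/min --limit-burst 2 -j LOG --log-prefix "INPUT DROP: "
  # block everything else
  iptables -A INPUT -j DROP
  ##############################################
  # OUTPUT RULES
  ##############################################
  # loopback adapter
  iptables -A OUTPUT -o lo -j ACCEPT
  # related/established
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # allow dns queries (UDP only: answers that are truncated and must be
  # retried over TCP/53 will fail under this policy)
  iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
  # allow http/https queries
  iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
  iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
  # log the rest
  iptables -A OUTPUT -m limit --limit 2/min --limit-burst 2 -j LOG --log-prefix "OUTPUT DROP: "
  # block everything else
  iptables -A OUTPUT -j DROP
}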
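# Dispatch on the init action.  Diagnostics go to stderr; the exit status
# reports success (0) or failure (1) so init / service wrappers can rely on it.
case "$1" in
  start)
    start_firewall
    ;;
  stop)
    reset_firewall
    ;;
  reload)
    # LSB "reload" is not supported: rules are only rebuilt by a full restart.
    echo 'Only restart is accepted!' >&2
    exit 1
    ;;
  status)
    # Only clear the screen when stdout is a terminal, so piped or logged
    # status output is not polluted with escape sequences.
    [ -t 1 ] && clear
    iptables -L -nv --line-numbers
    ;;
  force-reload|restart)
    # A successful restart must exit 0; the old "exit 1" here made every
    # restart look like a failure to the init system.
    reset_firewall
    start_firewall
    ;;
  live)
    # Re-run status once a second; quote $0 in case the script path has spaces.
    while true; do "$0" status; sleep 1; done
    ;;
  active_connections)
    watch netstat -anlp
    ;;
  *)
    echo "Usage: /etc/init.d/firewall {start|stop|restart|status|live|active_connections}" >&2
    exit 1
    ;;
esac
exit 0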