Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/bash
- # A Linux Shell Script with common rules for IPTABLES Firewall.
- # By default this script only open port 80, 22, 53 (input)
- # All outgoing traffic is allowed (default - output)
- # -------------------------------------------------------------------------
- # Copyright (c) 2004 nixCraft project <http://cyberciti.biz/fb/>
- # This script is licensed under GNU GPL version 2.0 or above
- # -------------------------------------------------------------------------
- # This script is part of nixCraft shell script collection (NSSC)
- # Visit http://bash.cyberciti.biz/ for more information.
- # -------------------------------------------------------------------------
- IPT="/sbin/iptables"
- SPAMLIST="blockedip"
- SPAMDROPMSG="BLOCKED IP DROP"
- SQUID_PORT="3128"
- echo "Starting IPv4 Wall..."
- $IPT -F
- $IPT -X
- $IPT -t nat -F
- $IPT -t nat -X
- $IPT -t mangle -F
- $IPT -t mangle -X
- modprobe ip_conntrack
- [ -f /root/fwscripts/blocked.ips.txt ] && BADIPS=$(egrep -v -E "^#|^$" /root/fwscripts/blocked.ips.txt)
- PUB_IF="eth0"
- #unlimited
- $IPT -A INPUT -i lo -j ACCEPT
- $IPT -A OUTPUT -o lo -j ACCEPT
- # DROP all incomming traffic
- $IPT -P INPUT DROP
- $IPT -P OUTPUT DROP
- $IPT -P FORWARD DROP
- if [ -f /root/fwscripts/blocked.ips.txt ];
- then
- # create a new iptables list
- $IPT -N $SPAMLIST
- for ipblock in $BADIPS
- do
- $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
- $IPT -A $SPAMLIST -s $ipblock -j DROP
- done
- $IPT -I INPUT -j $SPAMLIST
- $IPT -I OUTPUT -j $SPAMLIST
- $IPT -I FORWARD -j $SPAMLIST
- fi
- # Block sync
- $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
- $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
- # Block Fragments
- $IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
- $IPT -A INPUT -i ${PUB_IF} -f -j DROP
- # Block bad stuff
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
- $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
- # Allow full outgoing connection but no incomming stuff
- $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPT -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- # Allow ssh
- #$IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT
- # allow incomming ICMP ping pong stuff
- $IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- $IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
- # Allow port 53 tcp/udp (DNS Server)
- $IPT -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- $IPT -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPT -A INPUT -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- $IPT -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
- # Open port 80
- $IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT
- ##### Add your rules below ######
- $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
- $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- ##### END your rules ############
- # Do not log smb/windows sharing packets - too much logging
- $IPT -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
- $IPT -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT
- # log everything else and drop
- $IPT -A INPUT -j LOG
- $IPT -A FORWARD -j LOG
- $IPT -A INPUT -j DROP
- exit 0
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement