  1. #!/bin/bash
  2. # A Linux Shell Script with common rules for IPTABLES Firewall.
  3. # By default this script only open port 80, 22, 53 (input)
  4. # All outgoing traffic is allowed (default - output)
  5. # -------------------------------------------------------------------------
  6. # Copyright (c) 2004 nixCraft project <http://cyberciti.biz/fb/>
  7. # This script is licensed under GNU GPL version 2.0 or above
  8. # -------------------------------------------------------------------------
  9. # This script is part of nixCraft shell script collection (NSSC)
  10. # Visit http://bash.cyberciti.biz/ for more information.
  11. # -------------------------------------------------------------------------
  12.  
  13. IPT="/sbin/iptables"
  14. SPAMLIST="blockedip"
  15. SPAMDROPMSG="BLOCKED IP DROP"
  16. SQUID_PORT="3128"
  17.  
  18. echo "Starting IPv4 Wall..."
  19. $IPT -F
  20. $IPT -X
  21. $IPT -t nat -F
  22. $IPT -t nat -X
  23. $IPT -t mangle -F
  24. $IPT -t mangle -X
  25. modprobe ip_conntrack
  26.  
  27. [ -f /root/fwscripts/blocked.ips.txt ] && BADIPS=$(egrep -v -E "^#|^$" /root/fwscripts/blocked.ips.txt)
  28.  
  29. PUB_IF="eth0"
  30.  
  31. #unlimited
  32. $IPT -A INPUT -i lo -j ACCEPT
  33. $IPT -A OUTPUT -o lo -j ACCEPT
  34.  
  35. # DROP all incomming traffic
  36. $IPT -P INPUT DROP
  37. $IPT -P OUTPUT DROP
  38. $IPT -P FORWARD DROP
  39.  
  40. if [ -f /root/fwscripts/blocked.ips.txt ];
  41. then
  42. # create a new iptables list
  43. $IPT -N $SPAMLIST
  44.  
  45. for ipblock in $BADIPS
  46. do
  47. $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
  48. $IPT -A $SPAMLIST -s $ipblock -j DROP
  49. done
  50.  
  51. $IPT -I INPUT -j $SPAMLIST
  52. $IPT -I OUTPUT -j $SPAMLIST
  53. $IPT -I FORWARD -j $SPAMLIST
  54. fi
  55.  
  56. # Block sync
  57. $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
  58. $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
  59.  
  60. # Block Fragments
  61. $IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
  62. $IPT -A INPUT -i ${PUB_IF} -f -j DROP
  63.  
  64. # Block bad stuff
  65. $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  66. $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
  67.  
  68. $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
  69. $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
  70.  
  71. $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  72.  
  73. $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
  74. $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
  75.  
  76. $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
  77. $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
  78.  
  79. $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  80.  
  81. # Allow full outgoing connection but no incomming stuff
  82. $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  83. $IPT -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  84.  
  85. # Allow ssh
  86. #$IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT
  87.  
  88. # allow incomming ICMP ping pong stuff
  89. $IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  90. $IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  91.  
  92. # Allow port 53 tcp/udp (DNS Server)
  93. $IPT -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  94. $IPT -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
  95.  
  96. $IPT -A INPUT -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  97. $IPT -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
  98.  
  99. # Open port 80
  100. $IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT
  101.  
  102. ##### Add your rules below ######
  103. $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
  104. $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  105.  
  106.  
  107. ##### END your rules ############
  108.  
  109. # Do not log smb/windows sharing packets - too much logging
  110. $IPT -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
  111. $IPT -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT
  112.  
  113. # log everything else and drop
  114. $IPT -A INPUT -j LOG
  115. $IPT -A FORWARD -j LOG
  116. $IPT -A INPUT -j DROP
  117.  
  118. exit 0