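#!/bin/bash
# fw_rules.sh - host iptables (IPv4) firewall for a single-interface box.
#
# Requires iptables and a kernel with netfilter support (2.4.x or newer;
# standard on most distributions). Edit the variables below (interface,
# local network, optional work network), then as root:
#
#   chmod 700 fw_rules.sh
#   ./fw_rules.sh
#
# Inspect the result with `iptables -L -n -v`. To take the firewall down
# run `iptables -F`; because this script sets the INPUT policy to DROP you
# also need `iptables -P INPUT ACCEPT` or nothing will get in. To start it
# at boot, add the script path (e.g. /root/bin/fw_rules.sh) to the bottom
# of /etc/rc.d/rc.local. See `man iptables` for anything unclear.
#
# NOTE: only IPv4 is configured here. ip6tables is never touched, so IPv6
# traffic keeps whatever policy the box already has.
#
# This is an enhanced/modified version of the iptables-script written by
# Davion (www.linuxhelp.net, #Linuxhelp.net on DALnet).

# An unset $IPT or $INT would expand to nothing and either run the wrong
# command or produce rules that match every interface; fail loudly instead.
set -u

# Location of the iptables binary.
IPT="/sbin/iptables"

# The interface being protected. ppp0 for ADSL/dialup; eth0 for cable or a
# LAN connection.
#INT="ppp0"
INT="eth0"

# The trusted local network. The 'wrt54gl' router lives on this block too.
LOCAL_NET="192.168.8.0/24"

# Optional: a remote network block (e.g. the office) that may open SSH
# sessions. Leave empty to skip the rule. Must be a real CIDR block: the
# earlier placeholder "123.456.12.0/28" is not an IP address and made
# iptables reject the rule while the rest of the script carried on.
WORK_NET=""   # e.g. "<work-public-block>/28"

die() { printf 'fw_rules: %s\n' "$*" >&2; exit 1; }

# Refuse to run half-way: a non-root user or a missing binary would
# otherwise leave a partially applied ruleset behind.
(( EUID == 0 )) || die "must be run as root"
[[ -x "$IPT" ]] || die "iptables not found at $IPT"

# Clear every existing rule and user-defined chain. `-F` with no chain
# flushes the whole filter table, so INPUT/OUTPUT/FORWARD need no separate
# flush; mangle and nat are flushed explicitly.
"$IPT" -F
"$IPT" -F -t mangle
"$IPT" -F -t nat
"$IPT" -X

# Default policies. Everything inbound is dropped unless a rule below
# accepts it. This box does not route, so FORWARD is dropped as well; set
# it to ACCEPT (and add matching FORWARD rules) if you enable NAT below.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT ACCEPT
"$IPT" -P FORWARD DROP

# --- NAT / routing (disabled: this box is not acting as a router) ---
# Enable IP forwarding only if you are doing NAT or masquerading:
#   echo 1 > /proc/sys/net/ipv4/ip_forward
# Source NAT everything leaving $INT. Use the SNAT line for a static IP,
# the MASQUERADE line for a dynamic/DHCP address:
#   $IPT -t nat -A POSTROUTING -o "$INT" -j SNAT --to 192.168.8.100
#   $IPT -t nat -A POSTROUTING -o "$INT" -j MASQUERADE
# Protect the forwarding rule from new/invalid connections arriving on $INT:
#   $IPT -A FORWARD -i "$INT" -m state --state NEW,INVALID -j DROP
# Port forwarding examples (mail/DNS to 10.1.1.51, SSH/VNC/Samba to
# 192.168.8.100, a port block to 10.1.1.50):
#   $IPT -t nat -A PREROUTING -i "$INT" -p tcp --dport 25 -j DNAT --to 10.1.1.51:25
#   $IPT -t nat -A PREROUTING -i "$INT" -p tcp --dport 53 -j DNAT --to 10.1.1.51:53
#   $IPT -t nat -A PREROUTING -i "$INT" -p udp --dport 53 -j DNAT --to 10.1.1.51:53
#   $IPT -t nat -A PREROUTING -i "$INT" -p tcp --dport 22 -j DNAT --to 192.168.8.100
#   $IPT -t nat -A PREROUTING -i "$INT" -p tcp --dport 5900:5901 -j DNAT --to 192.168.8.100
#   $IPT -t nat -A PREROUTING -i "$INT" -p tcp --dport 2300:2400 -j DNAT --to 10.1.1.50
#   $IPT -t nat -A PREROUTING -i "$INT" -p udp --dport 2300:2400 -j DNAT --to 10.1.1.50

# --- Logging chains ---
# Each chain logs at most 15 messages per minute and then drops. The limit
# keeps a flood from filling the log while still recording the pattern.

# General catch chain (used for unwanted ICMP).
"$IPT" -N firewall
"$IPT" -A firewall -m limit --limit 15/minute -j LOG --log-prefix "Firewall: "
"$IPT" -A firewall -j DROP

# Final catch-all so nothing is dropped silently.
"$IPT" -N dropwall
"$IPT" -A dropwall -m limit --limit 15/minute -j LOG --log-prefix "Dropwall: "
"$IPT" -A dropwall -j DROP

# Illegal TCP flag combinations.
"$IPT" -N badflags
"$IPT" -A badflags -m limit --limit 15/minute -j LOG --log-prefix "Badflags: "
"$IPT" -A badflags -j DROP

# --- INPUT rules (order matters: first match wins) ---

# Loopback and the local network are fully trusted. The local-network rule
# is not bound to $INT; on a box with only eth0 and lo that is equivalent,
# but if a second interface is ever added, bind it with `-i "$INT"` so a
# spoofed local source on the other interface is not accepted.
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A INPUT -s "$LOCAL_NET" -j ACCEPT

# TCP flag combinations that never occur legitimately (xmas, null and
# similar scans). Log and drop them before anything else is evaluated.
# `--tcp-flags` takes exactly two arguments, a mask and the flags that
# must be set within it; the earlier "ALL SYN,RST SYN,RST" form failed
# because it passed three.
"$IPT" -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
"$IPT" -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
"$IPT" -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
"$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
"$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
"$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Replies to connections this box opened, plus related traffic (ftp data,
# ICMP errors). Placed early because it matches the bulk of inbound
# packets; everything below only has to deal with NEW connections.
"$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ICMP: allow echo-reply, destination-unreachable and time-exceeded, rate
# limit echo-request to one per second, and log/drop the rest. The
# 'wrt54gl' router answers public pings in front of this box, so from the
# outside this only matters if ICMP is forwarded to it.
"$IPT" -A INPUT -p icmp --icmp-type 0 -j ACCEPT
"$IPT" -A INPUT -p icmp --icmp-type 3 -j ACCEPT
"$IPT" -A INPUT -p icmp --icmp-type 11 -j ACCEPT
"$IPT" -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
"$IPT" -A INPUT -p icmp -j firewall

# --- SSH (port 22) ---
# Whitelisted networks may open new sessions freely. The local-network
# rule is already covered by the blanket accept above and is kept only as
# an example; the work-network rule is added only when WORK_NET is set.
"$IPT" -A INPUT -s "$LOCAL_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
if [[ -n "$WORK_NET" ]]; then
  "$IPT" -A INPUT -s "$WORK_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
fi

# Everyone else is rate limited with the 'recent' match: the first two
# NEW connections from a source within 60 seconds are accepted and
# recorded; once the list holds two hits in that window, further NEW
# connections are logged and dropped. To block a single address outright,
# add `$IPT -A INPUT -s <bad-ip> -j DROP` above this block.
"$IPT" -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
  --name NEW_SSH_ATTEMPT --update --seconds 60 --hitcount 2 \
  -j LOG --log-prefix " NEW_SSH_ATTEMPT DROP "
"$IPT" -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
  --name NEW_SSH_ATTEMPT --update --seconds 60 --hitcount 2 -j DROP
"$IPT" -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
  --name NEW_SSH_ATTEMPT --set -j ACCEPT

# --- Samba for local computers ---
# The original rules used `-s 0/0`, which exposed NetBIOS to every host
# reaching $INT despite the "local computers" intent. Restricting them to
# LOCAL_NET makes them redundant with the blanket local accept above, but
# they stay explicit so the exposure is visible if that rule is tightened.
"$IPT" -A INPUT -i "$INT" -s "$LOCAL_NET" -p udp --dport 137:139 -j ACCEPT
"$IPT" -A INPUT -i "$INT" -s "$LOCAL_NET" -p udp --dport 445 -j ACCEPT

# Web server: uncomment to open port 80 to everyone.
#"$IPT" -A INPUT -i "$INT" -p tcp --dport 80 -j ACCEPT

# NetBIOS name-service chatter from Windows boxes is spammy; uncomment to
# drop it without logging instead of letting it reach the dropwall.
#"$IPT" -A INPUT -p udp --sport 137 --dport 137 -j DROP

# Final trap: everything else on INPUT is logged and dropped.
"$IPT" -A INPUT -j dropwall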