tedeansiii

Jun 7th, 2011
  1. #!/bin/bash
  2. # In order to use this iptables firewall script you
  3. # must have iptables installed. You also must be using
  4. # a 2.4.x series Kernel, with iptables suppport compiled
  5. # into it, which is standard for most newer linux distributions.
  6. #
  7. # If you need help compiling iptables into your kernel, please
  8. # see our kernel Compile/Upgrade Guide located at
  9. # www.linuxhelp.net/guides/
  10. #
  11. # Once the script has been edited with all your relevant
  12. # information (IP's Network Interfaces, etc..) simply
  13. # make the script executable and run it as root.
  14. #
  15. # chmod 700 fw_rules.sh
  16. # ./fw_rules.sh
  17. #
  18. # If you would like to see what rules are currently set, as
  19. # root run iptables -L
  20. #
  21. # If you've messed up and need to bring down the firewall
  22. # for whatever reason, run iptables -F
  23. #
  24. # If you would like to have the firewall automatically
  25. # come up at boot time, add the path to the script to
  26. # the bottom of your /etc/rc.d/rc.local file. For instance
  27. # /root/bin/fw_rules.sh
  28. #
  29. # If you're not sure about something, check out the iptables
  30. # man page by typing 'man iptables' (without the ''s) at the
  31. # command prompt.
  32. #
  33. # This script is an enhanced/modified version of the
  34. # iptables-script written by Davion
  35. #
  36. # If you have any questions, please come to us in #Linuxhelp.net
  37. # on the DALnet IRC network. (www.linuxhelp.net/ircinfo.shtml)
  38.  
  39. # The location of the iptables binary on your system.
  40. IPT="/sbin/iptables"
  41.  
  42. # The network interface you will be protecting. For ADSL/dialup users,
  43. # ppp0 should be fine. If you are using a cable internet connection or
  44. # are connected to a LAN, you will have to change this to "eth0".
  45. #INT="ppp0"
  46.  
  47. ## assuming 'eth0' is appropriate interface
  48. INT="eth0"
  49.  
  50. # The following rules will clear out any existing firewall rules,
  51. # and any chains that might have been created.
  52. $IPT -F
  53. $IPT -F INPUT
  54. $IPT -F OUTPUT
  55. $IPT -F FORWARD
  56. $IPT -F -t mangle
  57. $IPT -F -t nat
  58. $IPT -X
  59.  
  60. # These will setup our policies.
  61. $IPT -P INPUT DROP
  62. $IPT -P OUTPUT ACCEPT
  63. $IPT -P FORWARD ACCEPT
  64.  
  65. # The following line below enables IP forwarding and thus
  66. # by extension, NAT. Turn this on if you're going to be doing NAT or IP masquerading.
  67.  
  68. ## not needed if not acting as router
  69. ## #echo 1 > /proc/sys/net/ipv4/ip_forward
  70.  
  71. # Source NAT everything heading out the $INT (external)
  72. # interface to be the given IP. If you have a dynamic IP
  73. # address or a DHCP IP that changes semi-regularly, comment out
  74. # the first line and uncomment the second line.
  75. #
  76. # Remember to change the ip address below to your static ip.
  77. #
  78. #$IPT -t nat -A POSTROUTING -o $INT -j SNAT --to 192.168.8.100
  79.  
  80. ## not acting as router SNAT/MASQ not necessary
  81. ## #$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE
  82.  
  83. # This rule protects your forwarding rule.
  84. ## not acting as router
  85. ## #$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP
  86.  
  87. # If you would like to forward specific ports to other machines
  88. # on your home network, edit and uncomment the rules below. They are
  89. # currently set up to forward port 25 & 53 (Mail & DNS) to 10.1.1.51.
  90. # Anything incoming over your $INT through your gateway will
  91. # be automatically redirected invisibly to port 25 & 53 on 10.1.1.51
  92. # Mail Traffic
  93. #$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 25 -j DNAT --to 10.1.1.51:25
  94. # DNS Traffic
  95. #$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 53 -j DNAT --to 10.1.1.51:53
  96. #$IPT -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to 10.1.1.51:53
  97. # SSH Traffic
  98. ## #$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 22 -j DNAT --to 192.168.8.100
  99. # VNC Traffic
  100. ## #$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 5900 -j DNAT --to 192.168.8.100
  101. ## #$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 5901 -j DNAT --to 192.168.8.100
  102. # NetBios-Ns Name Service Traffic (Samba)
  103. ## #$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 137 -j DNAT --to 192.168.8.100
  104. ## #$IPT -t nat -A PREROUTING -i $INT -p udp --dport 137 -j DNAT --to 192.168.8.100
  105.  
  106. # NetBios-Dgm Datagram Service Traffic (Samba)
  107. ## #$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 138 -j DNAT --to 192.168.8.100
  108. ## #$IPT -t nat -A PREROUTING -i $INT -p udp --dport 138 -j DNAT --to 192.168.8.100
  109.  
  110. # NetBios-Ssn Session Service Traffic (Samba)
  111. ## #$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 139 -j DNAT --to 192.168.8.100
  112. ## #$IPT -t nat -A PREROUTING -i $INT -p udp --dport 139 -j DNAT --to 192.168.8.100
  113.  
  114. # Microsoft-ds Domain Service Traffic (Samba)
  115. ## #$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 445 -j DNAT --to 192.168.8.100
  116. ## #$IPT -t nat -A PREROUTING -i $INT -p udp --dport 445 -j DNAT --to 192.168.8.100
  117.  
  118. # These two redirect a block of ports, in both udp and tcp.
  119. #$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 2300:2400 -j DNAT --to 10.1.1.50
  120. #$IPT -t nat -A PREROUTING -i $INT -p udp --dport 2300:2400 -j DNAT --to 10.1.1.50
  121.  
  122. # Now, our SSH_WHITELIST chain.
  123. ## #$IPT -N SSH_WHITELIST
  124.  
  125. # Now, our firewall chain. We use the limit commands to
  126. # cap the rate at which it alerts to 15 log messages per minute.
  127. $IPT -N firewall
  128. $IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
  129. $IPT -A firewall -j DROP
  130.  
  131. # Now our dropwall chain, for the final catchall filter.
  132. $IPT -N dropwall
  133. $IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
  134. $IPT -A dropwall -j DROP
  135.  
  136. # Our "Hey, them's some bad tcp flags!" chain.
  137. $IPT -N badflags
  138. $IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
  139. $IPT -A badflags -j DROP
  140.  
  141. # And our silent logging chain.
  142. ## #$IPT -N silent
  143. ## #$IPT -A silent -j DROP
  144.  
  145. # This rule will accept connections from local machines. If you have
  146. # a home network, enter in the IP's of the machines on the
  147. # network below.
  148. $IPT -A INPUT -i lo -j ACCEPT
  149. ## consider that 'wrt54gl' is also on this network
  150. $IPT -A INPUT -s 192.168.8.0/24 -d 0/0 -p all -j ACCEPT
  151. #$IPT -A INPUT -s 10.1.1.51 -d 0/0 -p all -j ACCEPT
  152. #$IPT -A INPUT -s 10.1.1.52 -d 0/0 -p all -j ACCEPT
  153.  
  154. # Drop these nasty packets! These are all TCP flag
  155. # combinations that should never, ever occur in the
  156. # wild. All of these are illegal combinations that
  157. # are used to attack a box in various ways, so we
  158. # just drop them and log them here.
  159. $IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
  160. $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
  161. $IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
  162. $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
  163. #$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST SYN,RST -j badflags #Commented out because my box tells me SYN,RST are invalid commands
  164. #$IPT -A INPUT -p tcp --tcp-flags ALL SYN,FIN SYN,FIN -j badflags #Commented out because my box tells me SYN,FIN are invalid commands
  165.  
  166. #NOT SURE HERE I want pinging to return no response as if the box didn't exist
  167. # Drop icmp, but only after letting certain types through.
  168. ## unless you forward icmp from 'wrt54gl' to 'server', \
  169. ## 'wrt54gl' is handling public icmp requests negating this for all but \
  170. ## local network
  171. $IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
  172. $IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
  173. $IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
  174. $IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
  175. $IPT -A INPUT -p icmp -j firewall
  176.  
  177. # If you would like to open up port 22 (SSH Access) to various IP's
  178. # simply edit the IP's below and uncomment the line. If you wish to
  179. # enable SSH access from anywhere, uncomment the second line only.
  180. #$IPT -A INPUT -i $INT -s 10.1.1.1 -d 0/0 -p tcp --dport 22 -j ACCEPT
  181. #$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT
  182. ## #$IPT -A SSH_WHITELIST -s "my work IP without quotes" -m recent --remove --name SSH -j ACCEPT
  183. ## #$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
  184. ## #$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
  185. ## #$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_BRUTE_FORCE
  186. ## #$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
  187. ## # #$IPT -A INPUT -s BAD_GUY_IP -j DROP
  188.  
  189. ##
  190. ## whitelist known (?trusted?) network block
  191. ## local network is already addressed above in 'global' localnet ACCEPT
  192. ## example for completeness
  193. $IPT -A INPUT -s 192.168.8.0/24 -p tcp --dport 22 \
  194. -m state --state NEW -j ACCEPT
  195.  
  196. ## change this to 'work' public network block
  197. ## as written, it _will_ fail because it is not a valid IP
  198. $IPT -A INPUT -s 123.456.12.0/28 -p tcp --dport 22 \
  199. -m state --state NEW -j ACCEPT
  200.  
  201. ## limit scanned brute-force/dictionary login attempts
  202. $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
  203. --name NEW_SSH_ATTEMPT --update --seconds 60 --hitcount 2 \
  204. -j LOG --log-prefix " NEW_SSH_ATTEMPT DROP "
  205.  
  206. $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
  207. --name NEW_SSH_ATTEMPT --update --seconds 60 --hitcount 2 -j DROP
  208.  
  209. $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
  210. --name NEW_SSH_ATTEMPT --set -j ACCEPT
  211.  
  212.  
  213. # Open Samba for Local Computers
  214. $IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p udp --dport 137:139 -j ACCEPT
  215. $IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p udp --dport 445 -j ACCEPT
  216.  
  217. # If you are running a web server, uncomment the next line to open
  218. # up port 80 on your machine.
  219. #$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT
  220.  
  221. # Lets do some basic state-matching. This allows us
  222. # to accept related and established connections, so
  223. # client-side things like ftp work properly, for example.
  224. ## ideally this would be fairly early on in the chain since it should \
  225. ## match most often
  226. $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  227.  
  228. # Uncomment to drop port 137 netbiso packets silently.
  229. # We don't like that netbios stuff, and it's way too
  230. # spammy with windows machines on the network.
  231. #$IPT -A INPUT -p udp --sport 137 --dport 137 -j silent
  232.  
  233. # Our final trap. Everything on INPUT goes to the dropwall
  234. # so we don't get silent drops.
  235. $IPT -A INPUT -j dropwall