Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/bash
- #
- # modifikovano: 12.05.2011 16:53:33
- #
- # port app
- #------------------------
- # 21 = FTP
- # 22 = SSH (može da se menja)
- # 25 = SMTP
- # 53 = DNS
- # 80 = HTTP
- # 110 = POP3
- # 143 = IMAP
- # 443 = HTTPS
- # 465 = GMail SMTP (SSL)
- # 587 = GMail SMTP (TLS)
- # 993 = IMAP encrypted
- # 6667/8 = IRC
- # 7000 = IRC (SSL)
- # 9418 = GIT (default)
- #
- firewall="/usr/sbin/iptables"
- iptables_rules () {
- #notifier
- echo 'Configuring iptables ports and services...'
- # flaš starih pravila ("flush the toilet" analogija :>)
- echo ' * Flushing old rules...'
- flush_rules
- # definisanje polisa koje ćemo kasnije da koristimo
- $firewall -P INPUT ACCEPT
- $firewall -P OUTPUT ACCEPT
- # rutiranje ukoliko vaša linuks mašina služi kao ruter?
- $firewall -P FORWARD DROP
- # dozvole za ostvarivanje veze koje iniciraju paketi sa mog računara
- # dolazece
- $firewall -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- # odlazece
- $firewall -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- # dozvole za sve što se odvija na "localhost"-u (apache, ftp etc.)
- $firewall -A INPUT -i lo -j ACCEPT
- $firewall -A OUTPUT -o lo -j ACCEPT
- #regulisanje "loših" TCP paketa
- #$firewall -A OUTPUT -p tcp -j bad_tcp_packets
- ############################### Korisnikova pravila za odredjene portove
- echo ' * Applying specific rules for separated services...'
- #dns upiti i sl.
- #echo ' - dns'
- #$firewall -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
- #$firewall -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
- #http (mislim dooh)
- #echo ' - http'
- #$firewall -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
- #https zahtevi
- #echo ' - https'
- #$firewall -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
- #imap (encrypted)
- #echo ' - imap (encrypted)'
- #$firewall -A OUTPUT -m state --state NEW -p tcp --dport 993 -j ACCEPT
- #gmail smtp (TLS)
- #echo ' - GMail SMTP (tls)'
- #$firewall -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT
- #IRC (freenode + oftc ssl)
- echo ' - IRC (ssl)'
- $firewall -A OUTPUT -m state --state NEW -p tcp --dport 6697 -j ACCEPT
- $firewall -A OUTPUT -m state --state NEW -p tcp --dport 7000 -j ACCEPT
- #GIT
- #echo ' - git'
- #$firewall -A OUTPUT -m state --state NEW -p tcp --dport 9418 -j ACCEPT
- ## Nesigurne i debilne stvari
- #ftp (koristi se i za pristup FTP serverima iz veb pregledaca)
- #echo ' - ftp'
- #$firewall -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
- #echo ' - ftp kernel module' #ftp modul u kernelu
- #modprobe ip_conntrack_ftp
- #torrent
- echo ' - torrent (sharing)'
- $firewall -A OUTPUT -m state --state NEW -p tcp --dport 32120 -j ACCEPT
- $firewall -A INPUT -m state --state NEW -p tcp --dport 32120 -j ACCEPT
- ########################################################################
- # blokiranje ICMP pinga
- echo ' * Blocking ICMP ping'
- # !Note: Kažu da ovo nije dobra stvar pa nije loše koristiti neko drugo pravilo
- $firewall -A OUTPUT -p icmp --icmp-type echo-request -j DROP
- # blokiranje svega ostalog
- echo ' * Blocking everything else...'
- $firewall -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
- $firewall -A INPUT -i eth+ -p udp -j DROP
- $firewall -A INPUT -i eth+ -p tcp -m tcp --syn -j DROP
- #imcp blok
- $firewall -A INPUT -p icmp -j DROP
- $firewall -A OUTPUT -p icmp -j DROP
- $firewall -A FORWARD -p icmp -j DROP
- # blokiranje **svega** ostalog
- $firewall -A INPUT -j DROP
- #$firewall -A OUTPUT -j DROP
- $firewall -A FORWARD -j DROP
- }
- flush_rules () {
- echo ' * Flushing all iptables rules...'
- $firewall -F
- $firewall -X
- $firewall -Z
- $firewall -t nat -F
- $firewall -t mangle -F
- $firewall -t nat -X
- $firewall -t mangle -X
- }
- help () {
- echo "$0 - manage iptables rules
- usage: $0 action
- Actions:
- start - use defined iptables rules
- stop - flush iptables rules
- * - displays this help"
- }
- case $@ in
- start ) iptables_rules ;;
- stop ) flush_rules ;;
- * ) help ;;
- esac
- exit 0
Add Comment
Please, Sign In to add comment