22
June

chmod +x iptables.sh
# chkconfig --list iptables
iptables           0:off    1:off    2:on    3:on    4:on    5:on    6:off
# service iptables save
#!/bin/bash
#
# iptables.sh - packet filter for a two-NIC gateway: eth0 faces the ISP,
# eth1 the internal network. The rest of the script sets DROP policies,
# flushes everything, detects the interface addresses and then appends
# the rules. Only the knobs below are meant to be edited by hand.

# External (ISP-facing) interface
readonly EXTIF=eth0

# Internal (LAN-facing) interface
readonly INTIF=eth1

# Loopback device, its address and netmask; LPDNET is the
# "address/mask" form that iptables takes for -s/-d.
readonly LPDIF=lo
readonly LPDIP=127.0.0.1
readonly LPDMSK=255.0.0.0
readonly LPDNET="${LPDIP}/${LPDMSK}"

# Absolute paths of the tools used below, so no PATH lookup is needed
# when the script is started from an init script.
readonly IPT=/sbin/iptables
readonly IFC=/sbin/ifconfig
readonly G=/bin/grep
readonly SED=/bin/sed

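# Deny then accept: the DROP policies go in before anything else, so no
# hole opens up while the old rules are torn down and the new ones are
# added one by one.
# Abort first if the iptables binary is missing or not executable: every
# rule below would otherwise fail silently and leave the host without
# the intended filter.
if [[ ! -x "$IPT" ]]; then
  printf 'FW: %s not found or not executable, aborting\n' "$IPT" >&2
  exit 1
fi
"$IPT" -P INPUT   DROP
"$IPT" -P OUTPUT  DROP
"$IPT" -P FORWARD DROP

# Flush all existing chains and erase personal chains, in every loaded
# table. /proc/net/ip_tables_names lists the loaded tables one per line;
# the read error is silenced because the file may be missing when no
# table module is loaded yet (then there is nothing to flush).
# All tables are flushed before any chain is deleted, because -X refuses
# to remove a chain that still holds rules.
TABLES=$(cat /proc/net/ip_tables_names 2>/dev/null)
for tbl in $TABLES; do   # unquoted on purpose: one table name per word
  "$IPT" -t "$tbl" -F
done
for tbl in $TABLES; do
  "$IPT" -t "$tbl" -X
done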

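# Setting up external interface environment variables.
# Address and netmask are scraped from ifconfig. Both net-tools output
# styles are accepted: the classic
#   inet addr:A.B.C.D  Bcast:...  Mask:M.M.M.M
# and the newer
#   inet A.B.C.D  netmask M.M.M.M  broadcast ...
# The old pattern ("addr:" / "Mask:") alone yields empty variables on
# newer net-tools, and empty variables make the address-based rules
# below fail. Only the first "inet " line is used; "inet6" lines never
# match because the pattern needs a space right after "inet".

# iface_ipv4 IFACE - print the first IPv4 address of IFACE, or nothing.
iface_ipv4() {
  "$IFC" "$1" | "$G" -m 1 'inet ' \
    | "$SED" -e 's/.*inet //' -e 's/^addr://' -e 's/[^0-9.].*//'
}

# iface_mask IFACE - print the IPv4 netmask of IFACE, or nothing.
iface_mask() {
  "$IFC" "$1" | "$G" -m 1 'inet ' \
    | "$SED" -e 's/.*Mask://' -e 's/.*netmask //' -e 's/[^0-9.].*//'
}

# require_value NAME VALUE - abort unless VALUE is non-empty.
# A blank address would turn the anti-spoofing, loopback and NAT rules
# below into malformed iptables calls that fail one by one while the
# script carries on. The filter policies are already DROP at this point,
# so stopping here leaves the box closed instead of half-configured.
require_value() {
  if [[ -z "$2" ]]; then
    printf 'FW: could not determine %s, aborting\n' "$1" >&2
    exit 1
  fi
}

EXTIP=$(iface_ipv4 "$EXTIF")
EXTMSK=$(iface_mask "$EXTIF")
require_value "EXTIP ($EXTIF)" "$EXTIP"
require_value "EXTMSK ($EXTIF)" "$EXTMSK"
EXTNET="$EXTIP/$EXTMSK"
printf 'EXTIP=%s EXTMSK=%s EXTNET=%s\n' "$EXTIP" "$EXTMSK" "$EXTNET"

# Setting up environment variables for internal interface one
INTIP=$(iface_ipv4 "$INTIF")
INTMSK=$(iface_mask "$INTIF")
require_value "INTIP ($INTIF)" "$INTIP"
require_value "INTMSK ($INTIF)" "$INTMSK"
INTNET="$INTIP/$INTMSK"
printf 'INTIP=%s INTMSK=%s INTNET=%s\n' "$INTIP" "$INTMSK" "$INTNET"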

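# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will log drops, the other will log rejects.
# The LOG rules are rate-limited: DROPl is the catch-all target for
# unsolicited traffic arriving on the external interface, so an
# unthrottled LOG would let anyone fill the kernel log (and the disk)
# simply by sending packets. Only the logging is limited; the DROP /
# REJECT that follows still applies to every packet.
LOG_LIMIT=(-m limit --limit 5/min --limit-burst 10)
# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl   "${LOG_LIMIT[@]}" -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl   -j DROP
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl "${LOG_LIMIT[@]}" -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT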

# Now we are going to accept all traffic from our loopback device
# if the source IP matches one of our own addresses (loopback, external
# or internal). INPUT rules first, then OUTPUT, same address order.
for own_ip in "$LPDIP" "$EXTIP" "$INTIP"; do
  $IPT -A INPUT -i "$LPDIF" -s "$own_ip" -j ACCEPT
done
for own_ip in "$LPDIP" "$EXTIP" "$INTIP"; do
  $IPT -A OUTPUT -o "$LPDIF" -s "$own_ip" -j ACCEPT
done

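# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input arriving on our external interface is not addressed to our
# ISP-assigned IP address, drop it like a hot potato" (and log it).
# Negations use the extrapositioned form "! -d ADDR": the older
# intrapositioned "-d ! ADDR" is deprecated and iptables warns about it.
$IPT -A INPUT -i "$EXTIF" ! -d "$EXTIP" -j DROPl

# Now we will block internal addresses originating from anything but our
# predefined interface.....just remember that if you jack your
# laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line
# explicitly for that IP as well.
# Interface one/internal net one: on INTIF only INTNET may be the source
# of incoming/forwarded traffic and the destination of outgoing/forwarded
# traffic; anything else is logged and dropped.
$IPT -A INPUT   -i "$INTIF" ! -s "$INTNET" -j DROPl
$IPT -A OUTPUT  -o "$INTIF" ! -d "$INTNET" -j DROPl
$IPT -A FORWARD -i "$INTIF" ! -s "$INTNET" -j DROPl
$IPT -A FORWARD -o "$INTIF" ! -d "$INTNET" -j DROPl

# An additional egress check: nothing the gateway itself sends out of
# EXTIF may carry a source address outside EXTNET.
$IPT -A OUTPUT  -o "$EXTIF" ! -s "$EXTNET" -j DROPl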

# Allow access from internal network to Internet.
# Only the first packet of a session is matched here (--state NEW); the
# remainder rides on the ESTABLISHED,RELATED rules near the end.
#
# allow_new CHAIN IFOPT IFACE SOURCE - accept new sessions on CHAIN
# for interface IFACE (IFOPT is -i or -o) coming from SOURCE.
allow_new() {
  $IPT -A "$1" "$2" "$3" -s "$4" -m state --state NEW -j ACCEPT
}

# gateway itself out of EXTIF, and INTNET hosts forwarded from INTIF
allow_new OUTPUT  -o "$EXTIF" "$EXTIP"
allow_new FORWARD -i "$INTIF" "$INTNET"

# gateway <-> internal net, both directions on INTIF
allow_new OUTPUT  -o "$INTIF" "$INTNET"
allow_new INPUT   -i "$INTIF" "$INTNET"

# Allow ping from outside: ICMP types echo-reply (0), echo-request (8),
# destination-unreachable (3) and time-exceeded (11) are accepted as NEW
# on the external interface.
ICMPPORT="0 8 3 11"
for icmp_type in $ICMPPORT; do   # unquoted on purpose: space-separated list
  $IPT -A INPUT -i "$EXTIF" -p icmp --icmp-type "$icmp_type" -m state --state NEW -j ACCEPT
done

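# Allow access to services on gateway

#TCP ports

#80             HTTP
#443            HTTPS
#53             DNS
#20:21          FTP data+active
#45000:50000    FTP passive ports
#25             SMTP
#123            Time
#81             ISPConfig
#6890:6999      rTorrent

# Space-separated list; ranges are written low:high as --dport takes them.
TCPPORT="80 443 53 20:21 45000:50000 25 123 81 6890:6999"
# printf instead of "echo -n": echo's option handling is not portable.
printf '%s' "FW: Allow access to services on gateway (TCP):"
for port in $TCPPORT; do   # unquoted on purpose: word-splitting wanted
  printf '%s ' "$port"
  # --syn restricts the match to connection-opening segments; with
  # --state NEW only the first packet of an inbound session is accepted
  # here, the rest relies on the ESTABLISHED,RELATED rules near the end.
  $IPT -A INPUT -i "$EXTIF" -p tcp --dport "$port" --syn -m state --state NEW -j ACCEPT
done
printf '\n'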

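#UDP ports

#53             DNS
#123            Time
#6890:6999      rTorrent
#33434:33534    traceroute

# Space-separated list; ranges are written low:high as --dport takes them.
UDPPORT="53 123 6890:6999 33434:33534"
# printf instead of "echo -n": echo's option handling is not portable.
printf '%s' "FW: Allow access to services on gateway (UDP):"
for port in $UDPPORT; do   # unquoted on purpose: word-splitting wanted
  printf '%s ' "$port"
  $IPT -A INPUT -i "$EXTIF" -p udp --dport "$port" -m state --state NEW -j ACCEPT
done
printf '\n'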

#Block brute force ssh attack
# New SSH connections on the external interface are routed through the
# SSHSCAN chain: the source is recorded in the "SSH" recent-list, and a
# source that has opened four or more connections within the last 3600
# seconds is logged and dropped. Below that threshold the packet falls
# through SSHSCAN and reaches the ACCEPT rule at the end.
$IPT -N SSHSCAN
#WHITE_LIST_IP="xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy"
#for i in $WHITE_LIST_IP
#do
# $IPT -A INPUT -i $EXTIF -p tcp --dport 22 -s $i -j ACCEPT
#done
$IPT -A INPUT -i "$EXTIF" -p tcp --dport 22 -m state --state NEW -j SSHSCAN
$IPT -A SSHSCAN -m recent --set --name SSH
$IPT -A SSHSCAN -m recent --update --seconds 3600 --hitcount 4 --name SSH \
  -j LOG --log-level info --log-prefix "SSH SCAN blocked: "
$IPT -A SSHSCAN -m recent --update --seconds 3600 --hitcount 4 --name SSH \
  -j DROP
$IPT -A INPUT -i "$EXTIF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

#Block brute force imap attack
#dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user xxx
# Same scheme as the SSH guard, for IMAP (143) and IMAPS (993) with a
# 900-second window: new connections pass through IMAPSCAN, which records
# the source in the "IMAP" recent-list and logs and drops it once it has
# opened four or more connections in that window; below the threshold
# the packet falls through to the ACCEPT rules.
$IPT -N IMAPSCAN
for port in 143 993; do
  $IPT -A INPUT -i "$EXTIF" -p tcp --dport "$port" -m state --state NEW -j IMAPSCAN
done
$IPT -A IMAPSCAN -m recent --set --name IMAP
$IPT -A IMAPSCAN -m recent --update --seconds 900 --hitcount 4 --name IMAP \
  -j LOG --log-level info --log-prefix "IMAP SCAN blocked: "
$IPT -A IMAPSCAN -m recent --update --seconds 900 --hitcount 4 --name IMAP \
  -j DROP
for port in 143 993; do
  $IPT -A INPUT -i "$EXTIF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
done

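#Port forwarding
# Publish TCP/8080 on the external IP and hand it to an internal host.
# Host and port live in one place so the DNAT and the matching FORWARD
# accept cannot drift apart.
# NOTE(review): 192.0.1.2 is not RFC 1918 private space, and the FORWARD
# rules earlier in this script drop anything leaving INTIF whose
# destination is outside INTNET - confirm this host really sits inside
# INTNET, otherwise the forwarded traffic is logged and dropped there.
FWDHOST=192.0.1.2
FWDPORT=8080
$IPT -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p tcp --dport "$FWDPORT" \
  -j DNAT --to-destination "$FWDHOST:$FWDPORT"
$IPT -A FORWARD -i "$EXTIF" -d "$FWDHOST" -p tcp --dport "$FWDPORT" -j ACCEPT

#NAT
# Masquerade everything from the internal net that leaves via EXTIF.
# The bare ACCEPT rules appended to the nat chains presumably add nothing
# beyond the nat table's default behaviour; they are kept as found.
$IPT -t nat -A PREROUTING  -j ACCEPT
$IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE
$IPT -t nat -A POSTROUTING -j ACCEPT
$IPT -t nat -A OUTPUT -j ACCEPT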

#Other stuff
# ident/auth is accepted on every interface, not only EXTIF.
$IPT -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
# Replies and related traffic of sessions accepted above, in all three
# chains. Placed after the per-service rules, so every packet still hits
# the anti-spoofing DROPl rules before getting here.
for chain in INPUT OUTPUT FORWARD; do
  $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# Block and log what we may have forgotten. OUTPUT is rejected rather
# than dropped, presumably so local processes get an error right away
# instead of a timeout.
$IPT -A INPUT   -j DROPl
$IPT -A OUTPUT  -j REJECTl
$IPT -A FORWARD -j DROPl

http://www.petrich.me/files/scripts/iptables.sh
