  1. #!/bin/sh
  2. #
  3. # Set an absolute path to IPTABLES and define the interfaces
  4. # OUTSIDE is the outside or untrusted interface that connects to the Internet.
  5. IPTABLES="/sbin/iptables"
  6. OUTSIDE=eth0
  7. VPN=tun0
  8. VPN2=TUN1
  9. #
  10. # Clear out any existing firewall rules, and any chains that might have
  11. # been created. Then set the default policies.
  12. $IPTABLES -F
  13. $IPTABLES -F INPUT
  14. $IPTABLES -F OUTPUT
  15. $IPTABLES -F FORWARD
  16. $IPTABLES -F -t mangle
  17. $IPTABLES -F -t nat
  18. $IPTABLES -X
  19. $IPTABLES -P INPUT DROP
  20. $IPTABLES -P OUTPUT ACCEPT
  21. $IPTABLES -P FORWARD ACCEPT
  22. #
  23. # Begin setting up the rulesets. First define some rule chains to handle
  24. # exception conditions. These chains will receive packets that we aren't
  25. # willing to pass. Limiters on logging are used so as to not to swamp the
  26. # firewall in a DOS scenario.
  27. # silent   - Just drop it on the floor, used for internal traffic
  28. # badflags - Log packets with bad flags, most likely an attack
  29. # dropit   - Log packets that that we refuse, possibly from an attack
  30. $IPTABLES -N silent
  31. $IPTABLES -A silent -j DROP
  32. $IPTABLES -N tcpflags
  33. #$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
  34. $IPTABLES -A tcpflags -j DROP
  35. $IPTABLES -N firewalled
  36. #$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
  37. $IPTABLES -A firewalled -j DROP
  38. #
  39. # These are all TCP flag combinations that should never, ever, occur in the
  40. # wild.  All of these are illegal combinations that are used to attack a box
  41. # in various ways.
  42. $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
  43. $IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
  44. $IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
  45. $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
  46. $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
  47. $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
  48. #
  49. # Allow selected ICMP types and drop the rest.
  50. $IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
  51. $IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
  52. $IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
  53. $IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
  54. $IPTABLES -A INPUT -p icmp -j firewalled
  55. #
  56. # The loopback interface is inheritly trustworthy. Don't disable it or
  57. # a number of things on the firewall will break.
  58. $IPTABLES -A INPUT -i lo -j ACCEPT
  59. #
  60. #
  61. # IPs that need to be blocked for some reason.
  62. #$IPTABLES -A INPUT -i $OUTSIDE -s 173.186.200.78 -p tcp -j firewalled
  63. #
  64. #
  65. # Allow packets that are part of an established connection to pass
  66. # through the firewall. This is required for normal Internet activity
  67. # by inside clients.
  68. $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  69. #
  70. # Silently drop any SMB traffic.  We've slipped the surly bonds of windows
  71. # and are dancing on the silvery wings of Linux, so block that windows trash.
  72. $IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
  73. #
  74. # Various incoming stuff.
  75. $IPTABLES -A INPUT -i $VPN     -d 0/0 -p tcp              -j ACCEPT   # Allow everything over VPN.
  76. $IPTABLES -A INPUT -i $VPN     -d 0/0 -p udp              -j ACCEPT   # .
  77. $IPTABLES -A INPUT -i $VPN2    -d 0/0 -p udp              -j ACCEPT   # Same from other VPN.
  78. $IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22   -j ACCEPT   # SSH
  79. $IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 25   -j ACCEPT   # SMTP
  80. $IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80   -j ACCEPT   # WWW
  81. #$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 143  -j ACCEPT   # IMAP disabled for now.
  82. $IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 587  -j ACCEPT   # mail submission for a friend
  83. $IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 1194 -j ACCEPT   # openvpn connections
  84. #$IPTABLES -A INPUT -i $OUTSIDE -s 204.155.28.10 -d 0/0 -p udp --dport 5060 -j ACCEPT   # SIP from Sipgate
  85. #$IPTABLES -A INPUT -i $OUTSIDE -s 8.17.37.23    -d 0/0 -p udp --dport 5060 -j ACCEPT   # SIP from Teliax only
  86. $IPTABLES -A INPUT -i $OUTSIDE -s 1.2.3.0/24 -d 0/0 -p tcp --dport 5900 -j ACCEPT   # vnc
  87. $IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 6667 -j ACCEPT   # IRC
  88. #
  89. # Anything that hasn't already matched gets logged and then dropped.
  90. $IPTABLES -A INPUT -j firewalled
  91. #
  92. #
