Last active
April 6, 2017 10:10
-
-
Save aduzsardi/cbe92c0650d7d89c30a48a6387d4d51a to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Configurare firewall ('man iptables') linux | |
| # Cerinte: privilegii elevate (root) | |
| # Setari: copiaza scriptul undeva accesibil doar de userul 'root' , | |
| # editeaza /etc/rc.local si inainte de 'exit 0' adauga calea absoluta spre script ex: /root/firewall.sh | |
| # Contact: Alex Duzsardi <alex.duzsardi@pitechplus.com> | |
| # www.pitechplus.com | |
| #-------------------------------------------------------------- | |
| # Scriptul va rula cu debuging activat | |
| set -x | |
| ### VARIABILE DE CONFIGURAT ######### | |
| net_pitech="" # access neconditionat pentru IP-urile din lista (separate de un spatiu, ex: 10.10.10.1 10.10.10.2 ... ...) | |
| porturi_tcp="80 443" # porturi TCP care trebuie permise pentru toata lumea | |
| porturi_udp="" # porturi UDP care trebuie permise pentru toata lumea | |
| int_retea="enp0s3" # interfata de retea (ex: eth0) | |
| ip_retea="10.0.2.15" # ip net | |
| ##################################### | |
| ## Permitem orice trafic 'by default' daca nu este nicio regula de firewall | |
| iptables -P INPUT ACCEPT | |
| iptables -P FORWARD ACCEPT | |
| iptables -P OUTPUT ACCEPT | |
| ## Stergem toate regulile existente | |
| iptables -F | |
| iptables -X | |
| iptables -t nat -F | |
| iptables -t nat -X | |
| iptables -t mangle -F | |
| iptables -t mangle -X | |
| ### REGULI FIREWALL ### | |
| ## trafic neconditionat pe localhost si de la Pitech | |
| iptables -A INPUT -i lo -j ACCEPT | |
| iptables -A INPUT -i $int_retea -s $ip_retea -d $ip_retea -j ACCEPT | |
| for ip in $net_pitech; do | |
| iptables -A INPUT -s $ip -j ACCEPT | |
| done | |
| ## ping-pong permis | |
| iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT | |
| iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT | |
| ## trafic initiat de server | |
| iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT | |
| ## traficul TCP trebuie sa inceapa cu 'syn' , altfel DROP | |
| iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP | |
| ## access permis pentru toata lumea pe porturile 'porturi_tcp' si 'porturi_udp' | |
| for tcp in $porturi_tcp; do | |
| iptables -A INPUT -p tcp --dport $tcp -j ACCEPT | |
| done | |
| for udp in $porturi_udp; do | |
| iptables -A INPUT -p udp --dport $udp -j ACCEPT | |
| done | |
| # restul DROP | |
| iptables -A INPUT -j DROP |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment