#! /bin/sh
### BEGIN INIT INFO
# Provides: firewall
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Firewall-Script
# Description: Firewall-Script with IPTABLES
### END INIT INFO
# Init scripts must not inherit the caller's PATH; pin it to the system dirs.
PATH=/sbin:/bin
DESC=Firewall
NAME="iptables"
SCRIPTNAME="/etc/init.d/firewall"
# Debian/LSB helpers (VERBOSE, log_daemon_msg, log_end_msg, ...).
. /lib/init/vars.sh
. /lib/lsb/init-functions
#- CONFIGURATION --------------------------------------------------------------
# Interfaces: one towards the WAN, one towards the LAN.
INTERFACE_WAN=eth1
INTERFACE_LAN=eth0
# HOSTNAME_LAN is the whole LAN subnet (CIDR); the IP4_* values are the
# firewall's own address on each side.
HOSTNAME_LAN=192.168.1.0/24
IP4_HOSTNAME_WAN=212.103.78.210
IP4_HOSTNAME_LAN=192.168.1.10
# Ports this host accepts new connections on, per side.  Space-separated
# lists; an empty list means "nothing".
TCP_PORTS_HOSTNAME_WAN="22 8000"
UDP_PORTS_HOSTNAME_WAN=""
TCP_PORTS_HOSTNAME_LAN="21 22 139 445 8000"
UDP_PORTS_HOSTNAME_LAN="137 138 445"
# Port ranges in iptables "low:high" syntax.  PRIVPORTS is kept for
# reference but is not used by any rule below.
PRIVPORTS=0:1023
UNPRIVPORTS=1024:65535
EPHEMERAL_IANA_PORTS=49152:65535
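case "$1" in
  start)
    log_daemon_msg "Starting $DESC" "$NAME"

    # Opt-in: accept NEW TCP connections from the WAN to the whole IANA
    # ephemeral range.  The original ruleset always did this, which exposes
    # every daemon that happens to listen on a high port to the Internet.
    # Passive-FTP data connections are already accepted as RELATED through
    # nf_conntrack_ftp, so the default is "no"; set ALLOW_WAN_EPHEMERAL=yes
    # in the configuration section to restore the old behaviour.
    ALLOW_WAN_EPHEMERAL="${ALLOW_WAN_EPHEMERAL:-no}"

    #- KERNEL MODULE ------------------------------------------------------
    # FTP connection-tracking helper so passive data connections are RELATED.
    # NOTE(review): kernels >= 4.7 default to nf_conntrack_helper=0, i.e. the
    # helper is only attached by an explicit raw-table "-j CT --helper ftp"
    # rule on port 21 -- confirm on the target kernel.
    modprobe nf_conntrack_ftp

    #- RESET --------------------------------------------------------------
    # Open the policies while the ruleset is rebuilt so a failure halfway
    # does not lock us out.  This leaves a short unfiltered window; an
    # iptables-restore based setup would apply the ruleset atomically.
    # Only the filter table is touched: nat/mangle rules are left as they are.
    iptables --flush
    iptables --delete-chain
    iptables --policy INPUT ACCEPT
    iptables --policy OUTPUT ACCEPT
    iptables --policy FORWARD ACCEPT

    #- ANTI-SPOOFING ------------------------------------------------------
    # Deliberately placed before the ESTABLISHED,RELATED shortcut: conntrack
    # does not record the ingress interface, so a forged packet that matches
    # an existing flow would otherwise be accepted before reaching these.
    # A LAN source address arriving on the WAN side, or our own address
    # arriving from outside, can only be forged (assumes the WAN uplink does
    # not itself use the 192.168.1.0/24 range).
    iptables -A INPUT   -i "$INTERFACE_WAN" -s "$HOSTNAME_LAN"     -j DROP
    iptables -A FORWARD -i "$INTERFACE_WAN" -s "$HOSTNAME_LAN"     -j DROP
    iptables -A FORWARD -i "$INTERFACE_WAN" -s "$IP4_HOSTNAME_WAN" -j DROP
    iptables -A FORWARD -i "$INTERFACE_LAN" -s "$IP4_HOSTNAME_LAN" -j DROP

    #- ALREADY ESTABLISHED TRAFFIC ----------------------------------------
    iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    #- LOOPBACK -----------------------------------------------------------
    iptables -A INPUT  -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    #- OUTBOUND -----------------------------------------------------------
    # Everything the host itself sends on either interface.  Any other
    # interface (e.g. a VPN tunnel) falls through to the OUTPUT DROP policy.
    iptables -A OUTPUT -o "$INTERFACE_WAN" -j ACCEPT
    iptables -A OUTPUT -o "$INTERFACE_LAN" -j ACCEPT

    #- MALFORMED / STATELESS PACKETS --------------------------------------
    iptables -A INPUT   -m conntrack --ctstate INVALID -j DROP
    iptables -A OUTPUT  -m conntrack --ctstate INVALID -j DROP
    iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Non-first fragments.  With conntrack loaded, packets are reassembled
    # before they reach the filter table, so this rule rarely matches.
    iptables -A INPUT --fragment -j DROP
    iptables -A INPUT -i "$INTERFACE_WAN" -m addrtype --dst-type MULTICAST -j DROP

    #- ICMP ---------------------------------------------------------------
    iptables --new icmpchain
    iptables -A icmpchain -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Rate-limited pings.  Anything above the limit returns to INPUT and is
    # logged and dropped by the policy below.
    iptables -A icmpchain -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 5 -j ACCEPT
    # Error messages needed for path-MTU discovery (fragmentation-needed)
    # and traceroute replies (time-exceeded).
    iptables -A icmpchain -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A icmpchain -p icmp --icmp-type fragmentation-needed -j ACCEPT
    iptables -A icmpchain -p icmp --icmp-type time-exceeded -j ACCEPT
    iptables -A INPUT -p icmp -j icmpchain

    #- SERVICES REACHABLE FROM THE WAN ------------------------------------
    # The --sport match only turns away clients that use a privileged source
    # port; it is not a security control, the remote end chooses its port.
    iptables --new hostnamewanchain
    # shellcheck disable=SC2086  -- intentional word-splitting of the port list
    for TMP_PORT in $TCP_PORTS_HOSTNAME_WAN; do
      iptables -A hostnamewanchain -p tcp --sport "$UNPRIVPORTS" --dport "$TMP_PORT" -m conntrack --ctstate NEW -j ACCEPT
    done
    # shellcheck disable=SC2086
    for TMP_PORT in $UDP_PORTS_HOSTNAME_WAN; do
      iptables -A hostnamewanchain -p udp --sport "$UNPRIVPORTS" --dport "$TMP_PORT" -j ACCEPT
    done
    if [ "$ALLOW_WAN_EPHEMERAL" = "yes" ]; then
      iptables -A hostnamewanchain -p tcp --sport "$UNPRIVPORTS" --dport "$EPHEMERAL_IANA_PORTS" -m conntrack --ctstate NEW -j ACCEPT
    fi

    #- SERVICES REACHABLE FROM THE LAN ------------------------------------
    iptables --new hostnamelanchain
    # shellcheck disable=SC2086
    for TMP_PORT in $TCP_PORTS_HOSTNAME_LAN; do
      iptables -A hostnamelanchain -p tcp -s "$HOSTNAME_LAN" --sport "$UNPRIVPORTS" --dport "$TMP_PORT" -m conntrack --ctstate NEW -j ACCEPT
    done
    # shellcheck disable=SC2086
    for TMP_PORT in $UDP_PORTS_HOSTNAME_LAN; do
      iptables -A hostnamelanchain -p udp -s "$HOSTNAME_LAN" --sport "$UNPRIVPORTS" --dport "$TMP_PORT" -j ACCEPT
    done
    # The ephemeral range stays open towards the LAN (the LAN is treated as
    # semi-trusted and is the only side where FTP/21 is offered).
    iptables -A hostnamelanchain -p tcp -s "$HOSTNAME_LAN" --sport "$UNPRIVPORTS" --dport "$EPHEMERAL_IANA_PORTS" -m conntrack --ctstate NEW -j ACCEPT

    iptables -A INPUT -i "$INTERFACE_WAN" -j hostnamewanchain
    iptables -A INPUT -i "$INTERFACE_LAN" -j hostnamelanchain

    #- IDENTD (113) AND ECHO (7) ------------------------------------------
    # Rejected rather than dropped so that remote services probing these
    # get an immediate answer instead of waiting for a timeout.
    iptables -A INPUT   -i "$INTERFACE_WAN" -p tcp --dport 113 -j REJECT
    iptables -A FORWARD -i "$INTERFACE_WAN" -p tcp --dport 113 -j REJECT
    iptables -A INPUT   -i "$INTERFACE_WAN" -p udp --dport 7 -j REJECT
    iptables -A FORWARD -i "$INTERFACE_WAN" -p udp --dport 7 -j REJECT

    #- DEFAULT POLICIES (the real ones) -----------------------------------
    # NOTE(review): this script only programs IPv4.  If the host has IPv6
    # connectivity, ip6tables still has ACCEPT policies and the services
    # above are reachable unfiltered over IPv6 -- verify and mirror as needed.
    iptables --policy INPUT DROP
    iptables --policy OUTPUT DROP
    iptables --policy FORWARD DROP

    #- LOG NOISE SUPPRESSION ----------------------------------------------
    # 445  -> Windows shares
    # 135  -> Windows remote management (TCP and UDP)
    # 5060 -> SIP (TCP and UDP)
    # 5900 -> VNC (TCP and UDP)
    # 4899 -> Radmin
    # Sources hitting these ports are remembered for 300 s and their further
    # unsolicited packets from the WAN are dropped without logging.  Because
    # this comes after the service chains above, it never blocks access to an
    # allowed port; its only effect is to keep repeat scanners out of the log.
    TCP_PORTSCAN_PORTS="445 135 5060 5900 4899"
    UDP_PORTSCAN_PORTS="135 5060 5900 4899"
    # shellcheck disable=SC2086
    for TMP_PORT in $TCP_PORTSCAN_PORTS; do
      iptables -A INPUT   -p tcp --dport "$TMP_PORT" -m recent --name PORTSCAN --set
      iptables -A FORWARD -p tcp --dport "$TMP_PORT" -m recent --name PORTSCAN --set
    done
    # shellcheck disable=SC2086
    for TMP_PORT in $UDP_PORTSCAN_PORTS; do
      iptables -A INPUT   -p udp --dport "$TMP_PORT" -m recent --name PORTSCAN --set
      iptables -A FORWARD -p udp --dport "$TMP_PORT" -m recent --name PORTSCAN --set
    done
    iptables -A INPUT   -i "$INTERFACE_WAN" -m recent --name PORTSCAN --rcheck --seconds 300 --reap -j DROP
    iptables -A FORWARD -i "$INTERFACE_WAN" -m recent --name PORTSCAN --rcheck --seconds 300 --reap -j DROP

    #- LOG WHATEVER IS LEFT BEFORE THE POLICY DROPS IT --------------------
    iptables -A INPUT   -m limit --limit 10/minute --limit-burst 10 -j LOG --log-tcp-options --log-ip-options --log-prefix "$DESC-INPUT: " --log-uid --log-level debug
    iptables -A OUTPUT  -m limit --limit 10/minute --limit-burst 10 -j LOG --log-tcp-options --log-ip-options --log-prefix "$DESC-OUTPUT: " --log-uid --log-level debug
    iptables -A FORWARD -m limit --limit 10/minute --limit-burst 10 -j LOG --log-tcp-options --log-ip-options --log-prefix "$DESC-FORWARD: " --log-uid --log-level debug
    log_end_msg 0
    ;;
  stop)
    # "stop" is a lockdown, not "no firewall": everything except loopback is
    # dropped.  Use "accept" to disable filtering altogether.
    log_daemon_msg "Stopping $DESC" "$NAME"
    iptables --flush
    iptables --delete-chain
    iptables --policy INPUT DROP
    iptables --policy OUTPUT DROP
    iptables --policy FORWARD DROP
    iptables -A INPUT  -i lo -j ACCEPT
    # The original only opened INPUT on lo; with OUTPUT policy DROP that left
    # local services unable to answer over loopback.
    iptables -A OUTPUT -o lo -j ACCEPT
    log_end_msg 0
    ;;
  accept)
    # Removes all filtering.  Intended for troubleshooting only.
    log_daemon_msg "Accepting all traffic on $DESC" "$NAME"
    iptables --flush
    iptables --delete-chain
    iptables --policy INPUT ACCEPT
    iptables --policy OUTPUT ACCEPT
    iptables --policy FORWARD ACCEPT
    log_end_msg 0
    ;;
  status)
    log_daemon_msg "List $DESC" "$NAME"
    iptables --list -n -v --line-numbers
    log_end_msg 0
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|accept|status}" >&2
    exit 3
    ;;
esac
# Make sure the script exits 0 regardless of the last command's status.
: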