### BEGIN INIT INFO
# Provides: firewall-ipv4
# Required-Start: $network
# Required-Stop: $network
# Default-Start: S 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Firewall rules
# Description: Simple script to initialise an iptables firewall
### END INIT INFO
#-----------------------------------------------------------------------#
# #
# Description : Firewall Config #
# OS : Debian #
# Requires : iptables #
# Licence : GPL #
# Version : 0.1.7-3 #
# Author : Adrien Pujol <adrien.pujol@crashdump.fr> #
# Web site : http://www.crashdump.fr/ #
# #
#-----------------------------------------------------------------------#
# install rsyslog and create /etc/rsyslog.d/iptables.conf with:
# :msg, contains, "[iptables]" -/var/log/iptables.log
# & ~
# ("& ~" discards the matched message after writing it, so the firewall log
# does not also land in /var/log/messages. On rsyslog 7 and later the same
# is spelled "& stop"; the "~" action is deprecated there.)
# logrotate that with the following config in /etc/logrotate.d/iptables
# /var/log/iptables.log {
# weekly
# missingok
# rotate 7
# compress
# delaycompress
# notifempty
# }
# Put this in /etc/init.d/iptables, then activate it:
# # /etc/init.d/iptables start
# # update-rc.d iptables defaults
# (Note the LSB header above says "Provides: firewall-ipv4"; keep the file
# name and the Provides: name the same so insserv/update-rc.d and operators
# refer to the same service.)
# Debian init-script convention: do nothing, and exit 0, when the iptables
# binary is missing so the boot sequence is not blocked.  Be aware this is
# fail-open -- a missing binary means the host boots with no packet filter.
[ -f /sbin/iptables ] || exit 0
# LSB helpers used below (log_begin_msg, log_end_msg, ...)
. /lib/lsb/init-functions
# A little colour for the progress output
# SGR codes: 31=red, 32=green, 33=yellow, 34=blue, 35=magenta, 36=cyan, 37=white
color()
{
	# Print text wrapped in an ANSI SGR sequence.
	#   $1 - SGR code (e.g. 32 for green)
	#   $2 - text to colour
	# Output: ESC[<code>m<text>ESC[m followed by a newline.  If more
	# argument pairs are given, printf re-applies the format to each pair,
	# producing one coloured line per pair.
	local sgr_fmt
	sgr_fmt='\033[%sm%s\033[m\n'
	printf "${sgr_fmt}" "$@"
}
#-----> VARIABLES TO CONFIGURE <----------------------------------------#
# Path of the iptables binary (the existence check at the top of the file
# tests this same path).
IPTABLES="/sbin/iptables"
# Interface facing the outside world.  Only packets arriving on it are sent
# through the SECURITY and SERVICES chains (see the -i ${IF_EXT} jumps).
IF_EXT="eth0"
# LOG target plus its options, shared by every logging rule: record TCP
# options and sequence numbers, IP options, log at syslog level "warning",
# and take the log prefix as the argument that follows.  It is expanded
# UNQUOTED at the call sites on purpose so the shell splits it into
# separate iptables arguments.
LOGFLAGS="LOG --log-tcp-options --log-tcp-sequence --log-ip-options --log-level warning --log-prefix"
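#-----> START/STOP <----------------------------------------------------#
# Exit status accumulated by ipt(): stays 0 unless an iptables call fails.
rc=0
# ipt -- run iptables with the given arguments and remember any failure.
# The original script ignored the exit status of every rule and reported
# the status of the last "echo" to log_end_msg, so a mistyped or rejected
# rule went unnoticed.  We deliberately do NOT abort on the first failure:
# stopping half-way would leave the host with policy DROP and no ACCEPT
# rules, i.e. locked out.  Instead the failure is reported at the end and
# through the exit status; check the output (or "status") before logging
# out of the box.
ipt() {
  "${IPTABLES}" "$@" || rc=1
}
# flush_all -- empty every table and delete all user-defined chains.
# Shared by "start" and "stop".  This also wipes the chains Fail2Ban
# maintains, which is why "start" stops Fail2Ban first and restarts it
# once the base rules are back.
flush_all() {
  for table in filter mangle nat; do
    ipt -t "${table}" -F
    ipt -t "${table}" -X
  done
  ipt -F
  ipt -X
  ipt -Z
}
case "$1" in
  start)
    log_begin_msg "Starting iptables firewall rules..."
    ######################################################################
    #----- Initialisation --------------------------------------------------#
    if [ -x /etc/init.d/fail2ban ]; then
      echo ">Shutting down Fail2Ban"
      /etc/init.d/fail2ban stop
    fi
    echo ">Setting firewall rules..."
    flush_all
    echo "- Vidage : [$(color 32 "OK")]"
    #----- Kernel settings -------------------------------------------------#
    ## Ignore broadcast pings (smurf amplification), enable SYN cookies,
    ## ignore bogus ICMP error replies.
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    ## FIX: the original wrote "1" here, which *enables* acceptance of ICMP
    ## redirects.  Accepting redirects lets any on-link host rewrite our
    ## routing table (classic MITM); a hardened host refuses them on every
    ## interface, existing and future.
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo "0" > /proc/sys/net/ipv4/conf/default/accept_redirects
    ## Reverse-path filtering drops packets whose source address could not
    ## have been reached through the interface they arrived on (spoofed
    ## sources); log_martians logs them.  Fine for a single-homed box
    ## (one external interface, IF_EXT); revisit if the host ever routes
    ## asymmetrically.
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    ## This host is not a router.
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo "- Ignore echo broadcast, TCP Syncookies and IP forwarding : [$(color 32 "OK")]"
    ## Shorter timeouts / smaller backlog so each remote party ties up less
    ## kernel state.  tcp_sack=0 is kept from the original; be aware it
    ## costs throughput on lossy paths.
    echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
    echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
    echo "1" > /proc/sys/net/ipv4/tcp_window_scaling
    echo "0" > /proc/sys/net/ipv4/tcp_sack
    echo "1280" > /proc/sys/net/ipv4/tcp_max_syn_backlog
    ## Default policy: drop anything not explicitly accepted in or through,
    ## let everything out.
    ipt -P INPUT DROP
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP
    echo "- Police par defaut, DROP : [$(color 32 "OK")]"
    ## Loopback is always allowed.
    ipt -A FORWARD -i lo -o lo -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    echo "- Accepter les loopbacks : [$(color 32 "OK")]"
    ## Keep established / related traffic flowing.  Moved up from the end
    ## of the SECURITY section so that the SSH session running this script
    ## is not stalled between the policy switch above and the rest of the
    ## build.  Its position in the finished INPUT chain is unchanged:
    ## nothing else touches INPUT until the chain jumps are inserted at
    ## the very end.
    ipt -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo "- Ne pas casser les connexions etablies : [$(color 32 "OK")]"
    #----- Chains creation -------------------------------------------------#
    ipt -N SERVICES
    ipt -N LOVELYPEOPLES
    ipt -N FUCKINGASSHOLES
    ipt -N SECURITY
    echo "- Creation des chaines : [$(color 32 "OK")]"
    #----- Security --------------------------------------------------------#
    ## Every LOG rule below is rate-limited (5/min, burst 7).  The original
    ## limited only some of them; an unlimited LOG rule lets a remote party
    ## drown syslog and fill the disk just by sending matching packets.
    # Anyone already in the "portscan" recent-list is dropped for a full
    # day (86400 s since they were last added)...
    ipt -A SECURITY -m recent --name portscan --rcheck --seconds 86400 -j DROP -m comment --comment "Portscan"
    # ...and forgotten once the day has passed.
    ipt -A SECURITY -m recent --name portscan --remove -m comment --comment "Portscan"
    # Trap ports: nothing legitimate listens on TCP 139 or TCP 5353 here,
    # so a connection attempt marks the source as a scanner.  CAVEAT: a
    # single SYN is enough and SYNs are trivially spoofed, so a third party
    # can get an arbitrary address banned for a day.  The LOVELYPEOPLES
    # whitelist is consulted before this chain and is therefore immune;
    # anything else you must be able to reach you from is not.
    for trap_port in 139 5353; do
      ipt -A SECURITY -p tcp -m tcp --dport "${trap_port}" -m recent --name portscan --set -m limit --limit 5/m --limit-burst 7 -j ${LOGFLAGS} "[iptables] [:portscan:]" -m comment --comment "Portscan"
      ipt -A SECURITY -p tcp -m tcp --dport "${trap_port}" -m recent --name portscan --set -j DROP -m comment --comment "Portscan"
    done
    echo "- Portscan (Connect. on port 139 banned for a day) : [$(color 32 "OK")]"
    ## NULL scan: TCP segment with no flags at all
    ipt -A SECURITY -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j ${LOGFLAGS} "[iptables] [:nullpackets:]" -m comment --comment "Null packets"
    ipt -A SECURITY -p tcp --tcp-flags ALL NONE -j DROP -m comment --comment "Null packets"
    echo "- Protection NULL Packets : [$(color 32 "OK")]"
    ## SYN and FIN set together.  The original labelled this "XMAS"; a true
    ## Xmas probe (every flag set) is caught a few rules further down.
    ipt -A SECURITY -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j ${LOGFLAGS} "[iptables] [:xmaspackets:]" -m comment --comment "Xmas packet"
    ipt -A SECURITY -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP -m comment --comment "Xmas packet"
    echo "- Protection XMAS : [$(color 32 "OK")]"
    ## FIN without ACK (FIN scan), then the all-flags Xmas probe
    ipt -A SECURITY -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j ${LOGFLAGS} "[iptables] [:finpacketsscan:]" -m comment --comment "Fin packet"
    ipt -A SECURITY -p tcp --tcp-flags FIN,ACK FIN -j DROP -m comment --comment "Fin packet"
    ipt -A SECURITY -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP -m comment --comment "Fin packet"
    echo "- Protection FIN packet scans : [$(color 32 "OK")]"
    ## Broadcast / multicast / conntrack-INVALID / SYN+RST
    ipt -A SECURITY -m pkttype --pkt-type broadcast -m limit --limit 5/m --limit-burst 7 -j ${LOGFLAGS} "[iptables] [:broadcast:]" -m comment --comment "No broadcast"
    ipt -A SECURITY -m pkttype --pkt-type broadcast -j DROP -m comment --comment "No Broadcast"
    ipt -A SECURITY -m pkttype --pkt-type multicast -m limit --limit 5/m --limit-burst 7 -j ${LOGFLAGS} "[iptables] [:multicast:]" -m comment --comment "No multicast"
    ipt -A SECURITY -m pkttype --pkt-type multicast -j DROP -m comment --comment "No multicast"
    ipt -A SECURITY -m state --state INVALID -m limit --limit 5/m --limit-burst 7 -j ${LOGFLAGS} "[iptables] [:invalid:]" -m comment --comment "Invalid"
    ipt -A SECURITY -m state --state INVALID -j DROP -m comment --comment "Invalid"
    # (The original repeated the SYN,FIN log/drop pair at this point; it was
    # unreachable because the rules above already drop that combination,
    # so it is not reproduced.)
    ipt -A SECURITY -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j ${LOGFLAGS} "[iptables] [:bogus:]" -m comment --comment "Invalid"
    ipt -A SECURITY -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP -m comment --comment "Invalid"
    echo "- No Broadcast / Multicast / Invalid and Bogus : [$(color 32 "OK")]"
    ## A new TCP connection must start with a SYN
    ipt -A SECURITY -p tcp ! --syn -m state --state NEW,INVALID -m limit --limit 5/m --limit-burst 7 -j ${LOGFLAGS} "[iptables] [:falsenosyn:]" -m comment --comment "NoSyn"
    ipt -A SECURITY -p tcp ! --syn -m state --state NEW,INVALID -j DROP -m comment --comment "NoSyn"
    echo "- Rejeter les fakes de connection, pas de syn : [$(color 32 "OK")]"
    #----- Whitelisted nets ------------------------------------------------#
    ## Consulted first in INPUT, so these sources bypass SECURITY and
    ## SERVICES entirely.  CAVEAT: the match is on source address only.
    ## For TCP the handshake makes spoofing impractical, but UDP or ICMP
    ## carrying a forged source would be accepted as well.
    ipt -A LOVELYPEOPLES -s 46.105.40.109 -j ACCEPT -m comment --comment "photon.cdfr.net"
    ipt -A LOVELYPEOPLES -s 46.105.40.182 -j ACCEPT -m comment --comment "higgs.cdfr.net"
    #----- Banned nets -----------------------------------------------------#
    ## Static deny-list, evaluated right after the whitelist.
    ipt -A FUCKINGASSHOLES -s 82.227.212.85 -j DROP -m comment --comment "Scanned me"
    ipt -A FUCKINGASSHOLES -s 83.206.67.226 -j DROP -m comment --comment "Scanned me"
    ipt -A FUCKINGASSHOLES -s 38.104.205.222 -j DROP -m comment --comment "Bruteforced me"
    ipt -A FUCKINGASSHOLES -s 38.121.56.1 -j DROP -m comment --comment "Bruteforced me"
    ipt -A FUCKINGASSHOLES -s 85.133.135.130 -j DROP -m comment --comment "Bruteforced me"
    ipt -A FUCKINGASSHOLES -s 218.15.33.20 -j DROP -m comment --comment "Strange ssh attemps"
    #----- Services reachable from IF_EXT ----------------------------------#
    # ICMP: every type is accepted (ping, path-MTU discovery, error
    # reports); broadcast pings and bogus errors are already ignored by the
    # kernel settings above.
    ipt -I SERVICES -p icmp -j ACCEPT -m comment --comment "Ping"
    echo "- ICMP : [$(color 32 "OK")]"
    # SSH, open to the whole internet: brute-force handling relies on
    # Fail2Ban (restarted below), not on this file.
    ipt -A SERVICES -p tcp --dport 22 -j ACCEPT -m comment --comment "sshd"
    echo "- Autoriser SSH (ipv4) : [$(color 32 "OK")]"
    # HTTP / HTTPS
    ipt -A SERVICES -p tcp --dport 80 -j ACCEPT -m comment --comment "http"
    ipt -A SERVICES -p tcp --dport 443 -j ACCEPT -m comment --comment "https"
    echo "- Autoriser les requetes HTTP/S (ipv4) : [$(color 32 "OK")]"
    # NTP server
    ipt -A SERVICES -p udp --dport 123 -j ACCEPT -m comment --comment "ntpd"
    echo "- Autoriser NTP (ipv4) : [$(color 32 "OK")]"
    # Mail: SMTP, IMAP and IMAPS; POP3 stays commented out as in the original.
    ipt -A SERVICES -p tcp --dport 25 -j ACCEPT -m comment --comment "smtp"
    #ipt -A SERVICES -p tcp --dport 110 -j ACCEPT -m comment --comment "pop3"
    ipt -A SERVICES -p tcp --dport 143 -j ACCEPT -m comment --comment "imap"
    ipt -A SERVICES -p tcp --dport 993 -j ACCEPT -m comment --comment "imaps"
    echo "- Autoriser serveur Mail (ipv4) : [$(color 32 "OK")]"
    #----- End of the service rules ----------------------------------------#
    # Final catch-all: log (rate-limited) then drop whatever fell through.
    ipt -N LOG_DROP
    ipt -A LOG_DROP -m limit --limit 5/m --limit-burst 7 -j ${LOGFLAGS} '[iptables] [:finaldrop:]'
    ipt -A LOG_DROP -j DROP
    ipt -A FORWARD -j LOG_DROP
    ipt -A INPUT -j LOG_DROP
    ## Wire the chains into INPUT.  Each -I lands at position 1, so the
    ## finished INPUT chain reads, top to bottom:
    ##   LOVELYPEOPLES, FUCKINGASSHOLES, SECURITY (IF_EXT only),
    ##   SERVICES (IF_EXT only), RELATED/ESTABLISHED accept, loopback
    ##   accept, LOG_DROP.
    ## Consequently a second interface gets no services at all: new
    ## connections arriving elsewhere than IF_EXT end in LOG_DROP.
    ipt -I INPUT -i "${IF_EXT}" -j SERVICES
    ipt -I INPUT -i "${IF_EXT}" -j SECURITY
    ipt -I INPUT -j FUCKINGASSHOLES
    ipt -I INPUT -j LOVELYPEOPLES
    echo "- Mise en place des politiques prededement d?finies : [$(color 32 "OK")]"
    ##
    if [ -x /etc/init.d/fail2ban ]; then
      echo ">Starting Fail2Ban"
      sleep 5
      /etc/init.d/fail2ban start
      sleep 1
      echo "- Fail2Ban actives modules: "
      "${IPTABLES}" -L -nv --line-numbers | grep -e "Chain fail2ban-"
    fi
    if [ "${rc}" -eq 0 ]; then
      echo "$(color 32 ">Firewall mis a jour avec succes !")"
    else
      echo "$(color 31 ">At least one iptables command failed; review the output and 'status' before logging out")"
    fi
    ######################################################################
    log_end_msg "${rc}"
    ;;
  stop)
    log_begin_msg "Flushing rules..."
    ## Flush everything and open the host up completely.  There is no safe
    ## fallback here: after "stop" every listening port is reachable.
    flush_all
    ipt -P INPUT ACCEPT
    ipt -A INPUT -j ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -A OUTPUT -j ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -A FORWARD -j ACCEPT
    log_end_msg "${rc}"
    ;;
  restart)
    ## "start" flushes first, so it is a complete restart on its own.
    ## Calling "stop" before it (as the original did) would open the host
    ## to everything for the gap between the two invocations.
    "$0" start
    ;;
  status)
    "${IPTABLES}" -nvL
    ;;
  *)
    log_failure_msg "Usage: $0 {start|stop|restart|status}"
    exit 1
    ;;
esac
exit "${rc}"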