@heartnet
Created November 4, 2010 14:58
#!/bin/bash
# @(#) iptables.sh - Script for configuring firewall with iptables
# Based on: http://centossrv.com/
#
# Configuration part
#
##############################
## Interface that faces the untrusted network. Every other interface is treated
## as internal by the INPUT rules further down.
EXTERNAL_IF="eth0"
## Per-host deny list (whitespace-separated addresses). Kept under /root, so it
## cannot be edited by unprivileged users.
DENY_HOSTS_LIST="/root/scripts/misc/blacklist"
## Per-host allow list (whitespace-separated addresses), same location policy.
ALLOW_HOSTS_LIST="/root/scripts/misc/whitelist"
## Helper library sourced later on; it must provide IPLISTGET.
IPTBLS_FUNC="/root/scripts/lib/iptables_functions"
## Fixed, system-only PATH so that iptables/sysctl/sed resolve to the system
## binaries and not to anything earlier in the caller's PATH.
export PATH=/sbin:/bin:/usr/sbin:/usr/bin
#
# Main routines
#
##############################
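## Derive the connected network (address/mask) of EXTERNAL_IF.
## Everything below trusts LOCALNET unconditionally ("-s ${LOCALNET} -j ACCEPT"),
## and the NetBIOS rules use "! -s ${LOCALNET}"; with an empty value the first
## rule is malformed and the others are rejected by iptables. So fail here,
## before any existing rule has been flushed, rather than install a broken set.
## NOTE(review): relies on the net-tools ifconfig "Mask:" output format.
LOCALNET_MASK=$(ifconfig "${EXTERNAL_IF}" | sed -e 's/^.*Mask:\([^ ]*\)$/\1/p' -e d)
if [ -z "${LOCALNET_MASK}" ]; then
  printf 'iptables.sh: could not read the netmask of %s\n' "${EXTERNAL_IF}" >&2
  exit 1
fi
## The route whose interface and mask both match is taken as the connected network.
## NOTE(review): if more than one route matches, LOCALNET_ADDR holds several lines
## -- confirm the routing table has a single connected route for the interface.
LOCALNET_ADDR=$(netstat -rn | grep "${EXTERNAL_IF}" | grep -F "${LOCALNET_MASK}" | cut -f1 -d' ')
if [ -z "${LOCALNET_ADDR}" ]; then
  printf 'iptables.sh: no route for %s with mask %s in the routing table\n' "${EXTERNAL_IF}" "${LOCALNET_MASK}" >&2
  exit 1
fi
LOCALNET=${LOCALNET_ADDR}/${LOCALNET_MASK}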
## Reset: flush every chain, zero the counters, delete user-defined chains
for op in -F -Z -X; do
  iptables "$op"
done
## Stop the running service
/etc/init.d/iptables stop
## Default policies, applied to packets matching none of the rules below:
## drop everything inbound and forwarded, allow everything outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
## Loopback is always trusted
iptables -A INPUT -i lo -j ACCEPT
## Every host in the local network of EXTERNAL_IF is trusted.
## NOTE(review): this grants unrestricted access to every neighbour on that
## subnet -- check that LOCALNET is a private segment, not a shared provider network.
iptables -A INPUT -s "${LOCALNET}" -j ACCEPT
## Every interface other than EXTERNAL_IF is trusted, so any interface added
## later (VPN, bridge, container) is fully open on the INPUT side
iptables -A INPUT ! -i "${EXTERNAL_IF}" -j ACCEPT
## Replies to connections this host initiated, plus related traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
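## Kernel hardening. Each setting is applied live with sysctl and then made
## persistent in /etc/sysctl.conf; the old line is deleted first so repeated
## runs do not accumulate duplicates.
##
## persist_sysctl KEY VALUE: apply KEY=VALUE now and append it to /etc/sysctl.conf.
## Globals: writes /etc/sysctl.conf
persist_sysctl() {
  local key=$1
  local value=$2
  sysctl -w "${key}=${value}" >/dev/null
  echo "${key}=${value}" >>/etc/sysctl.conf
}
## SYN cookies (TCP SYN flood)
sed -i '/net.ipv4.tcp_syncookies/d' /etc/sysctl.conf
persist_sysctl net.ipv4.tcp_syncookies 1
## Do not answer echo requests sent to broadcast addresses (Smurf)
sed -i '/net.ipv4.icmp_echo_ignore_broadcasts/d' /etc/sysctl.conf
persist_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1
## Ignore ICMP redirects and source-routed packets on every interface.
## The wildcard deletions also remove entries of interfaces that no longer exist.
sed -i '/net.ipv4.conf.*.accept_redirects/d' /etc/sysctl.conf
sed -i '/net.ipv4.conf.*.accept_source_route/d' /etc/sysctl.conf
## Glob instead of parsing ls; the -d test skips the literal pattern when
## nothing matches (nullglob is not set).
for dev_dir in /proc/sys/net/ipv4/conf/*; do
  [ -d "$dev_dir" ] || continue
  dev=${dev_dir##*/}
  ## NOTE(review): sysctl splits keys on '.', so an interface whose name contains
  ## a dot (e.g. a VLAN sub-interface) would need the key written with '/' separators.
  persist_sysctl "net.ipv4.conf.${dev}.accept_redirects" 0
  persist_sysctl "net.ipv4.conf.${dev}.accept_source_route" 0
done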
## New sessions must begin with a bare SYN: drop anything else
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
## New sessions that begin with SYN/ACK are answered with a reset
iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
## Fragments: log, then drop
iptables -A INPUT -f -j LOG --log-level debug --log-prefix '[FRAGMENT] : '
iptables -A INPUT -f -j DROP
## NetBIOS/SMB ports: drop silently, inbound from and outbound to anything
## outside LOCALNET, so the catch-all log rule is not flooded by them
netbios_ports=135,137,138,139,445
for proto in tcp udp; do
  iptables -A INPUT ! -s "${LOCALNET}" -p "$proto" -m multiport --dports "$netbios_ports" -j DROP
done
for proto in tcp udp; do
  iptables -A OUTPUT ! -d "${LOCALNET}" -p "$proto" -m multiport --sports "$netbios_ports" -j DROP
done
## Anti-spoofing: loopback and RFC 1918 sources must never arrive on EXTERNAL_IF.
## (Only those ranges are listed; link-local 169.254.0.0/16 is not covered.)
iptables -N IP_SPOOFING
iptables -A IP_SPOOFING -j LOG --log-level debug --log-prefix '[IP SPOOFING]: '
iptables -A IP_SPOOFING -j DROP
for bogon in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
  iptables -A INPUT -i "${EXTERNAL_IF}" -s "$bogon" -j IP_SPOOFING
done
## Echo requests: 1/s with a burst of 4 is accepted, the rest is logged and dropped.
## (Despite the chain name, this rule is a rate limiter on echo requests.)
iptables -N PING_OF_DEATH
iptables -A PING_OF_DEATH -m limit --limit 1/s --limit-burst 4 -j ACCEPT
iptables -A PING_OF_DEATH -j LOG --log-level debug --log-prefix '[PING OF DEATH]: '
iptables -A PING_OF_DEATH -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j PING_OF_DEATH
## Limited broadcast and all-hosts multicast: drop silently (keeps the log quiet)
for bcast in 255.255.255.255 224.0.0.1; do
  iptables -A INPUT -d "$bcast" -j DROP
done
## IDENT (113): reset instead of drop, so mail servers probing it do not wait for a timeout
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
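#######################################
## ACCEPT_COUNTRY_MAKE: append one ACCEPT rule per CIDR of a country to the
## ACCEPT_COUNTRY chain.
## Arguments: $1 - country code as it appears at the start of a list line
##            $2 - (optional) path of the country/CIDR list, default /tmp/cidr.txt
## Returns:   1 when $1 is empty (an empty code would match every line and
##            whitelist the whole list); otherwise the status of the loop
##            (that of the last iptables call, 0 if the country has no entries)
## NOTE(review): /tmp is shared-writable, so a list kept there can be replaced
## by any local user before this runs -- keep it in a root-owned directory.
#######################################
ACCEPT_COUNTRY_MAKE(){
  local country=$1
  local list=${2:-/tmp/cidr.txt}
  local addr
  if [ -z "$country" ]; then
    printf 'ACCEPT_COUNTRY_MAKE: country code is required\n' >&2
    return 1
  fi
  ## Word-splitting of the substitution is intentional: entries are CIDRs
  ## (second column), one per line.
  for addr in $(grep -- "^${country}" "$list" | awk '{print $2}'); do
    iptables -A ACCEPT_COUNTRY -s "$addr" -j ACCEPT
  done
}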
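#######################################
## DROP_COUNTRY_MAKE: append a rate-limited LOG rule and a DROP rule per CIDR of
## a country to the DROP_COUNTRY chain.
## Arguments: $1 - country code as it appears at the start of a list line
##            $2 - (optional) path of the country/CIDR list, default /tmp/cidr.txt
## Returns:   1 when $1 is empty (an empty code would match every line and
##            blacklist the whole list); otherwise the status of the loop
##            (that of the last iptables call, 0 if the country has no entries)
## NOTE(review): /tmp is shared-writable, so a list kept there can be replaced
## by any local user before this runs -- keep it in a root-owned directory.
#######################################
DROP_COUNTRY_MAKE(){
  local country=$1
  local list=${2:-/tmp/cidr.txt}
  local addr
  if [ -z "$country" ]; then
    printf 'DROP_COUNTRY_MAKE: country code is required\n' >&2
    return 1
  fi
  ## Word-splitting of the substitution is intentional: entries are CIDRs
  ## (second column), one per line. Each address gets its own 1/s log limit.
  for addr in $(grep -- "^${country}" "$list" | awk '{print $2}'); do
    iptables -A DROP_COUNTRY -s "$addr" -m limit --limit 1/s -j LOG --log-tcp-options --log-ip-options --log-level debug --log-prefix '[DENIED COUNTRY]: '
    iptables -A DROP_COUNTRY -s "$addr" -j DROP
  done
}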
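## Load the helper library and fetch the country/CIDR list.
## NOTE(review): IPLISTGET comes from IPTBLS_FUNC; judging by the *_COUNTRY_MAKE
## functions it is expected to produce /tmp/cidr.txt -- confirm in the library.
## A missing library is reported but not fatal: the INPUT DROP policy and the
## trust rules are already in place, so stopping here would not leave the host
## in a better state than finishing the rule set.
if [ -r "${IPTBLS_FUNC}" ]; then
  . "${IPTBLS_FUNC}"
  IPLISTGET
else
  printf 'iptables.sh: function library %s is not readable; country chains will be empty\n' "${IPTBLS_FUNC}" >&2
fi
if [ ! -s /tmp/cidr.txt ]; then
  printf 'iptables.sh: /tmp/cidr.txt is missing or empty; ACCEPT_COUNTRY will match nothing\n' >&2
fi
## ACCEPT_COUNTRY permits packets from Japan. Below, use it as the target instead
## of ACCEPT wherever a service should be reachable from the accepted country only.
iptables -N ACCEPT_COUNTRY
ACCEPT_COUNTRY_MAKE JP
## DROP_COUNTRY logs and drops packets from CN, KR, TW and KP
## (top sources of attacks on Japanese police facilities, JP and US excepted;
## reference: http://www.cyberpolice.go.jp/detect/observation.html)
iptables -N DROP_COUNTRY
for cc in CN KR TW KP; do
  DROP_COUNTRY_MAKE "$cc"
done
iptables -A INPUT -j DROP_COUNTRY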
#
# Configuration for public servecies [beginning]
#
## Inbound services, as "proto:port:target". Target ACCEPT_COUNTRY restricts the
## service to the accepted country (see the ACCEPT_COUNTRY chain); ACCEPT opens it
## to every source. Administrators outside the accepted country reach SSH only
## from LOCALNET or through ALLOW_HOSTS_LIST.
services=(
  tcp:22:ACCEPT_COUNTRY   # SSH
  tcp:53:ACCEPT           # DNS
  udp:53:ACCEPT           # DNS
  tcp:80:ACCEPT           # HTTP
  tcp:443:ACCEPT          # HTTPS
  tcp:25:ACCEPT           # SMTP
  tcp:587:ACCEPT          # SMTP submission
  tcp:465:ACCEPT_COUNTRY  # SMTPS
  tcp:110:ACCEPT_COUNTRY  # POP3
  tcp:995:ACCEPT_COUNTRY  # POP3S
  tcp:143:ACCEPT_COUNTRY  # IMAP
  tcp:993:ACCEPT_COUNTRY  # IMAPS
)
for svc in "${services[@]}"; do
  proto=${svc%%:*}
  rest=${svc#*:}
  port=${rest%%:*}
  target=${rest#*:}
  iptables -A INPUT -p "$proto" --dport "$port" -m state --state NEW -j "$target"
done
#
# Configuration for public servecies [end]
#
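## read_host_list FILE: print the addresses listed in FILE with '#' comments,
## surrounding whitespace and blank lines removed (a comment line would otherwise
## be handed to iptables as an address).
read_host_list() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}
## Blacklist: log and drop. The rules are inserted at the top of INPUT (-I), so
## they take precedence over every trust rule above, LOCALNET included.
if [ -s "${DENY_HOSTS_LIST}" ]; then
  iptables -N BLACKLIST
  iptables -A BLACKLIST -j LOG --log-level debug --log-prefix '[BLACKLIST]: '
  iptables -A BLACKLIST -j DROP
  ## Word-splitting is intentional: several addresses on one line are accepted too.
  for ADDR in $(read_host_list "${DENY_HOSTS_LIST}"); do
    iptables -I INPUT -s "${ADDR}" -j BLACKLIST
  done
fi
## Whitelist: accept. Also inserted at the top, and processed after the blacklist,
## so an address present in both lists ends up accepted.
if [ -s "${ALLOW_HOSTS_LIST}" ]; then
  for ADDR in $(read_host_list "${ALLOW_HOSTS_LIST}"); do
    iptables -I INPUT -s "${ADDR}" -j ACCEPT
  done
fi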
## Catch-all for INPUT and FORWARD: whatever is still unmatched is logged
## (rate-limited to 1/s) and dropped
for chain in INPUT FORWARD; do
  iptables -A "$chain" -m limit --limit 1/s -j LOG --log-tcp-options --log-ip-options --log-level debug --log-prefix "[DROPPED ${chain}]: "
  iptables -A "$chain" -j DROP
done
## Persist the rule set, then start the service
/etc/init.d/iptables save
/etc/init.d/iptables start
# [EOF]