Skip to content

Instantly share code, notes, and snippets.

@olto

olto/firewall-olto

Last active November 8, 2018 11:14
Show Gist options
  • Save olto/c67fe5c07cb3ac5fcec3 to your computer and use it in GitHub Desktop.
Save olto/c67fe5c07cb3ac5fcec3 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
firewall-olto
#!/bin/bash
# Script iptables by olto
# Réinitialisation
iptables -F
echo - Réinitialisation... : [OK]
# Suppression des chaînes utilisateurs
iptables -X
echo - Flush : [OK]
# DROP tout le trafic entrant
iptables -P INPUT DROP
echo - INPUT DROP : [OK]
# DROP tout le trafic sortant
iptables -P OUTPUT DROP
echo - OUTPUT DROP : [OK]
# DROP le forward
iptables -P FORWARD DROP
echo - FORWARD DROP : [OK]
# Permettre à une connexion ouverte de recevoir du trafic en entrée
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo : ACCEPT connexions établies INPUT : [OK]
# Permettre à une connexion ouverte de recevoir du trafic en sortie
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT
echo : ACCEPT connexions établies OUTPUT : [OK]
# ACCEPT boucle locale en entrée
iptables -I INPUT -i lo -j ACCEPT
echo : ACCEPT boucle lo : [OK]
# Drop Various Attacks
iptables -A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
echo - Drop Various Attacks : [OK]
# Prevent source address 127.0.0.1 from sending data through various interfaces
iptables -A INPUT -p all -s localhost -i wlan0 -j DROP
iptables -A INPUT -p all -s localhost -i eth0 -j DROP
echo - Prevent sources addres : [OK]
# Drop Fragments
iptables -A INPUT -f -j DROP
echo - Drop Fragments : [OK]
# Drop ICMP (Ping) Packets
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
echo - Drop Ping Packets : [OK]
# Drop Invalid Packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
echo - Drop Invalid Packets : [OK]
# Drop LAND (Local Area Network Denial) Packets
# In this attack, a packet is spoofed to make the source address appear as the IP-address of the target. In other words, the source and destination IP-addresses are the same.
iptables -A INPUT -s 127.0.0.0/8 -j DROP
echo - Drop LAND Packets : [OK]
# Drop Null Packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
echo - Drop Null Packets : [OK]
# Drop excessive RST Packets to avoid Smurf-Attacks
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
echo - Drop excessive RST Packets to avoid Smurf-Attacks : [OK]
## Drop Smurf-Attacks
# Smurf-Attacks send a large number of ICMP "echo broadcast" packets with a spoofed source IP-address being the target's IP-address. The machines on the network recieve this broadcast message and reply to the target with "echo reply" packets. One way to block this attack is to block all the ICMP packets. However, if that cannot be done, then a limit may be applied to the ICMP packets allowed.
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
echo - Drop Smurf-Attacks : [OK]
# Drop Spank DoS Attacks
# Computers answer TCP packets that are coming from a multicast-address. This can be used for the Spank DoS Attack or stealth-scans.
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
echo - Drop Spank DoS Attacks : [OK]
# Drop SYN Flood Packets
# This is a type of DOS (Denial Of Service) attack.
iptables -A INPUT -p tcp -m state --state NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -j DROP
echo - Drop SYN Flood Packets : [OK]
# Drop XMAS Packets
# A Christmas-Tree Packet is a packet that has all flags of any protocol set. The FIN, URG, and PSH bits in the TCP header are set. This packet is called an "Xmas Tree" packet because all the fields of header are "lightened up".
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
echo - Drop XMAS Packets : [OK]
# Prevent Port-scans
# Use only one of the two given port-scan lock-out systems
# Lock-out systems that attempted a port-scan (lock lasts a day)
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove
echo - Lock-out systems that attempted a port-scan lock lasts a day : [OK]
# Lock-out systems that attempted a port-scan (lock lasts a week)
# iptables -A INPUT -m recent --name portscan --rcheck --seconds 604800 -j DROP
# iptables -A FORWARD -m recent --name portscan --rcheck --seconds 604800 -j DROP
# iptables -A INPUT -m recent --name portscan --remove
# iptables -A FORWARD -m recent --name portscan --remove
# echo - Lock-out systems that attempted a port-scan (lock lasts a day)
# Log Port-Scan Attempts
iptables -A INPUT -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -m recent --name portscan --set -j DROP
iptables -A FORWARD -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -m recent --name portscan --set -j DROP
echo - Log Port-Scan Attempts : [OK]
# Block Packets used by Port-Scans
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
echo - Block Packets used by Port-Scans : [OK]
# Log Burst Limit 5/10
iptables -A logdrop -m limit --limit 5/m --limit-burst 10 -j LOG
echo - Log Burst Limit 5/10 : [OK]
# Save Rules to a File
iptables-save > ~/firewall.txt
echo - Save Rules to a File ~firewall.txt : [OK]
echo
echo "Config .firewall-olto" : [OK]
echo
# Pause
echo "Setting Firewall terminé - Appuyer la touche <Entrée> pour continuer..."
read touche
case $touche in
*) echo "Reprise du script..."
;;
esac
echo
echo .........................
echo "Script Firewall by olto"
echo .........................
echo
exit 0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment