Put in /etc/init.d/rc.firewall
#! /bin/sh
### BEGIN INIT INFO
# Provides:          rc.firewall
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts the firewall, NAT
# Description:       starts the firewall, NAT
### END INIT INFO
# Author: Rustam Zagirov <rustam@zagirov.name>
#
# Do NOT "set -e": individual iptables/modprobe failures must not abort the
# rest of the rule set.
# PATH should only include /usr/* if it runs after the mountnfs.sh script
# Run-time configuration shared by every function below.
PATH="/sbin:/usr/sbin:/bin:/usr/bin"
DESC="Firewall"
NAME="rc.firewall"
SCRIPTNAME="/etc/init.d/${NAME}"
# Absolute path so the script does not depend on PATH lookup for iptables.
IPTABLES="/sbin/iptables"
#
# Function that installs the firewall rule set
#
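do_start()
{
  # Site configuration. An empty value disables the corresponding rule.
  # Source networks (whitespace-separated CIDRs) with unrestricted INPUT access.
  HOME_MASKS="192.168.0.0/24"
  # TCP ports opened to everyone (iptables multiport syntax).
  OPEN_PORTS="22,80,443"
  # Optional single address/CIDR that bypasses all INPUT filtering.
  # Leave empty to disable.  (The earlier placeholder "##" made iptables
  # reject the rule on every start, so the rule was never installed.)
  WHITE_IP=""
  # Optional address/CIDR exempt from the SSH brute-force check.
  # Leave empty to subject every source to the check.  (The earlier
  # placeholder "#IP#/32" began a shell comment, which truncated the
  # iptables command and left port 22 without the check at all.)
  SSH_TRUSTED_IP=""
  # Set to a non-empty value ONLY while debugging rule ordering: it inserts
  # an unconditional ACCEPT at the top of INPUT, which makes every rule
  # below it dead and leaves the host wide open.
  DEBUG_ACCEPT_ALL="${DEBUG_ACCEPT_ALL:-}"

  # conf/default governs interfaces created after this point; existing
  # interfaces follow conf/all and their own per-interface setting.
  # NOTE(review): confirm conf/default rather than conf/all is intended.
  echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
  # Routing between interfaces is enabled, but the FORWARD policy below is
  # DROP, so nothing is forwarded unless a rule explicitly accepts it.
  echo 1 > /proc/sys/net/ipv4/ip_forward

  # Connection-tracking helpers, NAT and LOG target.  A module that does not
  # exist on this kernel is reported by modprobe but does not stop the rest
  # of the setup ("set -e" is deliberately off).
  for mod in ip_conntrack ip_conntrack_ftp nf_nat_pptp nf_conntrack_pptp \
      nf_conntrack_proto_gre nf_nat_proto_gre iptable_nat ip_nat_ftp ipt_LOG; do
    modprobe "$mod"
  done

  # Default-deny for inbound and forwarded traffic, then start from a clean
  # rule set (-F/-X also removes the ssh_brute_check chain of a previous run).
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -t nat -F PREROUTING
  "$IPTABLES" -t nat -F POSTROUTING

  if [ -n "$DEBUG_ACCEPT_ALL" ]; then
    echo "$0: DEBUG_ACCEPT_ALL is set, INPUT accepts everything" >&2
    "$IPTABLES" -A INPUT -j ACCEPT
  fi

  # DENY SECTION: a new TCP connection must start with a bare SYN.
  "$IPTABLES" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  "$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP

  ## local interface, allow all
  "$IPTABLES" -A INPUT -i lo -j ACCEPT

  ## packets belonging to connections this host already tracks
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  ## access from home net
  for mask in $HOME_MASKS; do
    "$IPTABLES" -A INPUT -s "$mask" -j ACCEPT
  done

  ## FIN-without-ACK probes: log (rate-limited so a scan cannot flood the
  ## log), then drop
  "$IPTABLES" -A INPUT -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 5/min -j LOG --log-prefix "Stealth scan"
  "$IPTABLES" -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

  ## access from white ip
  if [ -n "$WHITE_IP" ]; then
    "$IPTABLES" -A INPUT -s "$WHITE_IP" -j ACCEPT
  fi

  ## SSH brute-force defence: once a source has opened 5 new SSH connections
  ## within 600 s, further ones from it are dropped; --update refreshes the
  ## timestamp on each dropped attempt, so the block lasts while it keeps trying.
  "$IPTABLES" -N ssh_brute_check
  "$IPTABLES" -A ssh_brute_check -m recent --update --seconds 600 --hitcount 5 -j DROP
  "$IPTABLES" -A ssh_brute_check -m recent --set -j ACCEPT
  if [ -n "$SSH_TRUSTED_IP" ]; then
    # this address is not subject to the brute-force check
    "$IPTABLES" -A INPUT -p tcp ! -s "$SSH_TRUSTED_IP" -m conntrack --ctstate NEW --dport 22 -j ssh_brute_check
  else
    "$IPTABLES" -A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ssh_brute_check
  fi

  # Open ports (must come after the SSH check so port 22 passes through it)
  "$IPTABLES" -A INPUT -p tcp --syn -m multiport --destination-ports "$OPEN_PORTS" -j ACCEPT

  ## ping: echo request only
  "$IPTABLES" -A INPUT -p icmp --icmp-type 8 -j ACCEPT
  ## deny other ICMP packets
  "$IPTABLES" -A INPUT -p icmp -j DROP

  ## everything else: explicit rules on top of the DROP policies
  "$IPTABLES" -A INPUT -j DROP
  "$IPTABLES" -A FORWARD -j DROP
}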
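do_stop()
{
  # Reset the INPUT policy before flushing: do_start leaves it at DROP, and
  # with every rule (including the loopback and ESTABLISHED accepts) gone the
  # host would lose all inbound traffic on "stop", locking out the operator.
  # OUTPUT is already ACCEPT.  FORWARD is deliberately left at DROP because
  # ip_forward stays enabled and an ACCEPT policy would turn the host into an
  # open router.
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -t nat -F PREROUTING
  "$IPTABLES" -t nat -F POSTROUTING
}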
#
# Function that reloads the rule set: do_stop followed by do_start
#
do_reload() {
  # Tear down, then rebuild.  Always reports success: the iptables calls in
  # the two steps are not individually checked ("set -e" is off on purpose).
  for step in do_stop do_start; do
    "$step"
  done
  return 0
}
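# Dispatch on the init action.  "status" was advertised in the usage line
# but never handled (it fell through to the usage error); it now prints the
# live rule set so an operator can confirm what do_start installed.
# "force-reload" is the conventional alias for a full restart.
case "$1" in
  start)
    do_start
    ;;
  stop)
    do_stop
    ;;
  status)
    "$IPTABLES" -L -n -v
    ;;
  restart|force-reload)
    do_reload
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
    exit 3
    ;;
esac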