#!/bin/bash
#
# firewall     This script takes care of the iptables firewall 
#
# chkconfig: 2345 11 89 
# description: Handy script for loading an iptables firewall, courtesy of www.luckydragon.net
# version: 20070508
#
#########################################################
#########################################################
#########################################################

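readonly IPTABLES="/sbin/iptables"
readonly MODPROBE="/sbin/modprobe"

# Address this host sends from; only traffic sourced here (plus loopback)
# is allowed out by the OUTPUT chain.  Adjust when the host's IP changes.
readonly FW_LOCAL_IP="192.168.101.55"

# Spammers / Bad People / Naughty Servers: logged and dropped before any
# other INPUT rule is evaluated.
declare -ra FW_BLOCKLIST=(
  81.67.64.154/32
  66.68.44.217/32
)

# Services reachable from anywhere (INPUT).
declare -ra FW_TCP_IN=(20 21 22 25 53 80 443)
declare -ra FW_UDP_IN=(53)
# Services this host may initiate from FW_LOCAL_IP (OUTPUT).
declare -ra FW_TCP_OUT=(22 25 53 80 443)
declare -ra FW_UDP_OUT=(53)

# Number of iptables invocations that failed during start(); see fw_rule().
FW_ERRORS=0

#######################################
# Run one iptables command and make a failure visible instead of letting
# the following "Done" be printed over it.
# Globals:   IPTABLES (read), FW_ERRORS (incremented when the command fails)
# Arguments: the iptables arguments, e.g. -t filter -A INPUT -j LTDROP
# Outputs:   the failed command and its status on stderr
# Returns:   the iptables exit status
#######################################
fw_rule() {
  local rv=0
  "${IPTABLES}" "$@" || rv=$?
  if (( rv != 0 )); then
    printf '\nfirewall: command failed (status %d): %s %s\n' \
      "$rv" "${IPTABLES}" "$*" >&2
    FW_ERRORS=$(( FW_ERRORS + 1 ))
  fi
  return "$rv"
}

#######################################
# Load the firewall: fail-closed default policies, the LTDROP logging
# chain and the INPUT/OUTPUT/FORWARD rule sets.
# Globals:   IPTABLES, MODPROBE, FW_LOCAL_IP, FW_BLOCKLIST,
#            FW_TCP_IN, FW_UDP_IN, FW_TCP_OUT, FW_UDP_OUT (read);
#            FW_ERRORS (reset here, incremented by fw_rule)
# Arguments: none
# Outputs:   progress on stdout; failed rules on stderr
# Returns:   0 when every rule loaded, 1 when at least one did not (the
#            DROP policies are still in place in that case)
#######################################
start() {
  local addr port mod
  FW_ERRORS=0

  echo

  # Turn on IP forwarding (left disabled; the FORWARD chain drops
  # everything anyway)
  # printf 'Enabling IP forwarding...'
  # echo 1 > /proc/sys/net/ipv4/ip_forward
  # echo "Done"

  # Policies are set BEFORE the flush: a flush alone would leave empty
  # chains under whatever policy was active (ACCEPT after stop/open), i.e.
  # a briefly unfiltered host on restart.  Policies survive the flush.
  # Existing connections stall only until the ESTABLISHED rule below is
  # re-added; TCP retransmission covers that gap.
  printf 'Setting Default Policies...'
  fw_rule -t filter -P INPUT DROP
  fw_rule -t filter -P OUTPUT ACCEPT
  fw_rule -t filter -P FORWARD DROP
  echo "Done"

  # Flush all chains
  printf 'Flushing all chains...'
  fw_rule -t filter -F
  fw_rule -t nat    -F
  fw_rule -t mangle -F
  echo "Done"

  # Create the LTDROP chain afresh.  The flush and delete are expected to
  # fail on a first run (chain does not exist yet), so their errors are
  # silenced; only the creation itself is checked.
  printf 'Creating/Recreating LTDROP...'
  "${IPTABLES}" -t filter -F LTDROP > /dev/null 2>&1
  "${IPTABLES}" -t filter -X LTDROP > /dev/null 2>&1
  fw_rule -t filter -N LTDROP
  echo "Done"

  # Connection-tracking helpers required for passive-mode FTP.  modprobe
  # (unlike insmod) takes a bare module name, resolves dependencies and is
  # a no-op when the module is already loaded, so re-running the script no
  # longer produces the "module ... already exists" error.  Newer kernels
  # name these modules nf_conntrack_ftp / nf_nat_ftp; adjust the names if
  # loading fails on the running kernel.
  printf 'Loading FTP-related modules...'
  for mod in ip_conntrack_ftp ip_nat_ftp; do
    "${MODPROBE}" "$mod" \
      || printf '\nfirewall: could not load %s (passive FTP may not work)\n' \
           "$mod" >&2
  done
  echo "Done"

  #########################################################

  printf 'Adding rules to chains...'

  # NAT (disabled; enable together with IP forwarding above)
  #printf ' NAT '
  #fw_rule -t nat -A POSTROUTING -s 192.168.101.0/24 -o eth1 -j MASQUERADE

  #########################################################

  # LTDROP (Log Then Drop): rate-limited LOG, then REJECT for ICMP and DROP
  # for everything else.  A bare "--limit 4" means 4 log entries per HOUR
  # (iptables' default unit) with the default burst of 5, so under
  # sustained noise most dropped packets are never logged.  Use a unit such
  # as "--limit 4/minute" if these logs are meant to feed monitoring.
  printf 'LTDROP '
  fw_rule -t filter -A LTDROP -p tcp -m limit --limit 4 -j LOG --log-level info --log-prefix "TCP Dropped "
  fw_rule -t filter -A LTDROP -p udp -m limit --limit 4 -j LOG --log-level info --log-prefix "UDP Dropped "
  fw_rule -t filter -A LTDROP -f -m limit --limit 4 -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
  fw_rule -t filter -A LTDROP -p icmp -m limit --limit 4 -j LOG --log-level info --log-prefix "ICMP Rejected "
  fw_rule -t filter -A LTDROP -p icmp -j REJECT --reject-with icmp-port-unreachable
  fw_rule -t filter -A LTDROP -j DROP

  #########################################################

  # INPUT chain - traffic entering the server that is going TO a local
  # IP address.  "-s 0/0" (any source) is iptables' default and is omitted.
  printf 'INPUT '

  for addr in "${FW_BLOCKLIST[@]}"; do
    fw_rule -t filter -A INPUT -s "$addr" -j LTDROP
  done

  # Log and drop invalid packets
  fw_rule -t filter -A INPUT -m state --state INVALID -j LTDROP

  # Enable statefulness
  fw_rule -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Loopback, pinned to the lo interface: genuine 127.0.0.1 traffic only
  # ever arrives on lo, so a packet carrying a 127.0.0.1 source on a real
  # interface cannot match this ACCEPT.
  fw_rule -t filter -A INPUT -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
  fw_rule -t filter -A INPUT -p icmp -j ACCEPT
  for port in "${FW_TCP_IN[@]}"; do
    fw_rule -t filter -A INPUT -p tcp --dport "$port" -j ACCEPT
  done
  for port in "${FW_UDP_IN[@]}"; do
    fw_rule -t filter -A INPUT -p udp --dport "$port" -j ACCEPT
  done

  # Everything else gets logged and dropped
  fw_rule -t filter -A INPUT -j LTDROP

  #########################################################

  # OUTPUT chain - traffic leaving the server that originated FROM a local
  # IP address.  The policy is ACCEPT, but the final LTDROP rule makes the
  # chain fail-closed for anything not listed here.
  printf 'OUTPUT '

  # Log and drop invalid packets
  fw_rule -t filter -A OUTPUT -m state --state INVALID -j LTDROP

  # Enable statefulness
  fw_rule -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Loopback, pinned to lo for symmetry with INPUT
  fw_rule -t filter -A OUTPUT -o lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
  fw_rule -t filter -A OUTPUT -s "${FW_LOCAL_IP}/32" -p icmp -j ACCEPT
  for port in "${FW_TCP_OUT[@]}"; do
    fw_rule -t filter -A OUTPUT -s "${FW_LOCAL_IP}/32" -p tcp --dport "$port" -j ACCEPT
  done
  for port in "${FW_UDP_OUT[@]}"; do
    fw_rule -t filter -A OUTPUT -s "${FW_LOCAL_IP}/32" -p udp --dport "$port" -j ACCEPT
  done

  # Everything else gets logged and dropped
  fw_rule -t filter -A OUTPUT -j LTDROP

  #########################################################

  # FORWARD chain - traffic passing through the server (coming FROM a
  # non-local IP address and going TO a non-local IP address)
  echo "FORWARD"

  # No forwarding allowed
  fw_rule -t filter -A FORWARD -j LTDROP

  if (( FW_ERRORS > 0 )); then
    printf 'firewall: %d command(s) failed; see the errors above. The DROP policies are in place, so the host is closed rather than open, but some intended ACCEPT rules may be missing.\n' \
      "$FW_ERRORS" >&2
    return 1
  fi

  echo "The firewall has been activated"
  echo
}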

#########################################################
#########################################################
#########################################################

#######################################
# Disable the firewall: empty every table and set the built-in filter
# policies to ACCEPT.  The host is unfiltered afterwards.
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   0
#######################################
stop()
{
  local -r ipt="/sbin/iptables"
  local table chain

  echo
  printf 'Flushing all chains...'
  for table in filter nat mangle; do
    "$ipt" -t "$table" -F
  done
  echo "Done"

  printf 'Setting Default Policies to ACCEPT...'
  for chain in INPUT OUTPUT FORWARD; do
    "$ipt" -t filter -P "$chain" ACCEPT
  done
  echo "Done"

  echo "The firewall has been disabled."
  echo
}

#########################################################
#########################################################
#########################################################

#######################################
# Open the firewall completely: flush every table, set the built-in filter
# policies to ACCEPT and append an explicit ACCEPT to INPUT, OUTPUT and
# FORWARD (redundant with the ACCEPT policies).  Nothing is filtered
# afterwards.
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   0
#######################################
open()
{
  local -r ipt="/sbin/iptables"
  local table chain

  echo
  printf 'Flushing Chains...'
  for table in filter nat mangle; do
    "$ipt" -t "$table" -F
  done
  echo "Done"

  printf 'Setting Default Policies to ACCEPT...'
  for chain in INPUT OUTPUT FORWARD; do
    "$ipt" -t filter -P "$chain" ACCEPT
  done
  echo "Done"

  printf 'Adding rules to chains...'

  # NAT (disabled)
  #printf ' NAT '
  #"$ipt" -t nat -A POSTROUTING -s 192.168.8.0/24 -o eth0 -j MASQUERADE

  printf 'INPUT '
  "$ipt" -t filter -A INPUT -j ACCEPT

  printf 'OUTPUT '
  "$ipt" -t filter -A OUTPUT -j ACCEPT

  echo "FORWARD"
  "$ipt" -t filter -A FORWARD -j ACCEPT

  echo "The firewall has been fully opened"
  echo
}

#########################################################
#########################################################
#########################################################

#######################################
# Print every rule of one table under a banner line.
# Arguments: $1 - banner text
#            $2 - table name (nat, filter or mangle)
# Outputs:   the banner and the verbose, numeric rule listing on stdout
#######################################
fw_dump_table() {
  echo
  printf '%s\n' "$1"
  echo
  /sbin/iptables -t "$2" -L -n -v
}

#######################################
# Show the rules attached to each chain of the nat, filter and mangle
# tables (the "status"/"check" action).
# Arguments: none
# Outputs:   rule listings on stdout
#######################################
check()
{
  fw_dump_table '############################### NAT Table ###########################################' nat
  fw_dump_table '############################# Filter Table ##########################################' filter
  fw_dump_table '############################# Mangle Table ##########################################' mangle
  echo
  echo "#####################################################################################"
  echo
}

#########################################################
#########################################################
#########################################################

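#######################################
# Dispatch the requested action.
# Arguments: $1 - start|stop|restart|reload|open|status|check
# Outputs:   usage on stderr for an unknown action
# Returns:   the status of the selected action; 1 for an unknown action
#######################################
main() {
  case "$1" in
    start)
      start
      ;;
    stop)
      stop
      ;;
    restart|reload)
      # start() flushes and reloads in place.  Deliberately not "stop; start":
      # stop() switches the policies to ACCEPT, which would leave the host
      # unfiltered for the moment between the two.
      start
      ;;
    open)
      open
      ;;
    status|check)
      check
      ;;
    *)
      # Usage is a diagnostic, so it goes to stderr.  The fixed string needs
      # no locale translation, hence a plain format rather than $"...".
      printf 'Usage: %s {start|stop|restart|open|check}\n' "$0" >&2
      return 1
      ;;
  esac
}

main "$@"
exit $?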

