
Linux Iptables Firewall Shell Script For Standalone Server

Discussion in 'Linux' started by Knight, May 21, 2013.

  1. Knight
    A simple shell script based on iptables rules.
    Save the following script to /root/scripts/fw.start


    Script:

    #!/bin/bash
    # A Linux shell script with common rules for an iptables firewall.
    # By default this script only opens ports 80, 22 and 53 (input).
    # All outgoing traffic is allowed (default - output).
    # -------------------------------------------------------------------------
    # Copyright (c) 2004 nixCraft project <http://cyberciti.biz/fb/>
    # This script is licensed under GNU GPL version 2.0 or above
    # -------------------------------------------------------------------------
    # This script is part of nixCraft shell script collection (NSSC)
    # Visit http://bash.cyberciti.biz/ for more information.
    # -------------------------------------------------------------------------

    IPT="/sbin/iptables"
    SPAMLIST="blockedip"
    SPAMDROPMSG="BLOCKED IP DROP"
    # Public (Internet-facing) interface; every interface-specific rule below uses it
    PUB_IF="eth0"

    echo "Starting IPv4 Wall..."
    # Flush all chains and delete user-defined chains in the filter, nat and mangle tables
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X
    # Connection tracking: nf_conntrack on current kernels, ip_conntrack on old ones
    modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack 2>/dev/null

    # Optional blocklist: one IP or CIDR per line, '#' comments and blank lines are ignored
    [ -f /root/scripts/blocked.ips.txt ] && BADIPS=$(grep -v -E "^#|^$" /root/scripts/blocked.ips.txt)

    # Unlimited traffic on the loopback interface
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # DROP all incoming traffic by default
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    if [ -f /root/scripts/blocked.ips.txt ]; then
        # create a new iptables chain for the blocklist
        $IPT -N $SPAMLIST

        for ipblock in $BADIPS
        do
            $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
            $IPT -A $SPAMLIST -s $ipblock -j DROP
        done

        # Evaluate the blocklist before everything else (the chain matches on the
        # source address, so in practice only INPUT and FORWARD are affected)
        $IPT -I INPUT -j $SPAMLIST
        $IPT -I OUTPUT -j $SPAMLIST
        $IPT -I FORWARD -j $SPAMLIST
    fi

    # Drop new connections that do not start with a SYN packet
    $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
    $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

    # Block fragmented packets
    $IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
    $IPT -A INPUT -i ${PUB_IF} -f -j DROP

    # Drop packets with invalid TCP flag combinations (typical port-scan signatures)
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP

    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # XMAS packets

    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

    # Allow replies to our own connections in, and all new outgoing connections out
    $IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Allow ssh
    $IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT

    # Allow incoming ICMP echo requests (ping) and our echo replies
    $IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow port 53 tcp/udp (DNS server)
    $IPT -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

    $IPT -A INPUT -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Open port 80
    $IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT
    ##### Add your rules below ######

    ##### END your rules ############

    # Do not log smb/windows sharing packets - too much logging
    $IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT
    $IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT

    # Log everything else and drop it
    $IPT -A INPUT -j LOG
    $IPT -A FORWARD -j LOG
    $IPT -A INPUT -j DROP

    exit 0
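
    The script above takes every non-comment line of /root/scripts/blocked.ips.txt and hands it straight to iptables as a source address. The following is an added example, not part of the nixCraft script or of this post: it validates those entries first, so a typo in the blocklist is reported instead of silently skipped. The function names are my own and the sample blocklist it writes to a temporary file is constructed for the demonstration.

```bash
#!/bin/bash
# Added example, not part of the nixCraft script: check the entries fw.start
# reads from /root/scripts/blocked.ips.txt before they reach
# "iptables -A blockedip -s <entry>". A malformed entry makes that call fail,
# and because fw.start has no "set -e" it carries on with a hole in the blocklist.

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
valid_ipv4_cidr() {
    local entry="$1" addr prefix octet
    case "$entry" in
        */*) addr="${entry%/*}"; prefix="${entry#*/}" ;;
        *)   addr="$entry";      prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac          # prefix: digits only
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*|*.) return 1 ;; esac        # digits and dots, no trailing dot (also rules out glob characters)
    local IFS='.'
    set -- $addr                                             # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read a blocklist the way fw.start does (skip comments and blank lines) and print
# only entries that are safe to hand to iptables. Rejected lines go to stderr and
# the exit status is the number of rejected lines (0 = clean file).
filter_blocklist() {
    local file="$1" line bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if valid_ipv4_cidr "$line"; then
            printf '%s\n' "$line"
        else
            printf 'rejected entry: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    return "$bad"
}

# Demo on a constructed sample standing in for /root/scripts/blocked.ips.txt
demo_blocklist=$(mktemp)
printf '# constructed sample\n\n192.0.2.1\n198.51.100.0/24\n256.1.1.1\nexample.com\n' > "$demo_blocklist"
filter_blocklist "$demo_blocklist"
echo "rejected: $?"                                          # prints "rejected: 2"
rm -f "$demo_blocklist"
```

    In fw.start the same check could replace the grep on blocked.ips.txt, so that BADIPS only ever contains entries iptables will accept.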



    How do I install and use this script?
    Type the following commands as root:

    Code:
    # mkdir /root/scripts
    # cd /root/scripts
    # wget http://bash.cyberciti.biz/dl/381.sh.zip
    # wget http://bash.cyberciti.biz/dl/151.sh.zip
    # unzip 381.sh.zip
    # unzip 151.sh.zip
    # mv 381.sh start.fw
    # mv 151.sh stop.fw
    # chmod +x *.fw

    Now edit the firewall to suit your needs:
    Code:
    # vi /root/scripts/start.fw
    Install the firewall:
    Code:
    # echo '/root/scripts/start.fw' >> /etc/rc.local
    Start the firewall:
    Code:
    # /root/scripts/start.fw
    Stop the firewall:
    Code:
    # /root/scripts/stop.fw