Guida Linux Linux Iptables Firewall Shell Script For Standalone Server

Discussione in 'Linux' iniziata da Knight, 21 Maggio 2013.

Tags:
  1. Knight
    Roflmao

    Knight
    GF Admin
     Membro dello Staff

    Messaggi:
    445
    Likes Received:
    180
    Punteggio:
    43
    Un semplice shell script basato su regole iptables.
    Salvare il seguente script in /root/scripts/fw.start


    Script (open)

    #!/bin/bash
    # A Linux Shell Script with common rules for IPTABLES Firewall.
    # By default this script only open port 80, 22, 53 (input)
    # All outgoing traffic is allowed (default - output)
    # -------------------------------------------------------------------------
    # Copyright (c) 2004 nixCraft project <http://cyberciti.biz/fb/>
    # This script is licensed under GNU GPL version 2.0 or above
    # -------------------------------------------------------------------------
    # This script is part of nixCraft shell script collection (NSSC)
    # Visit http://bash.cyberciti.biz/ for more information.
    # -------------------------------------------------------------------------

    IPT="/sbin/iptables"
    SPAMLIST="blockedip"
    SPAMDROPMSG="BLOCKED IP DROP"

    echo "Starting IPv4 Wall..."
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X
    modprobe ip_conntrack

    [ -f /root/scripts/blocked.ips.txt ] && BADIPS=$(egrep -v -E "^#|^$" /root/scripts/blocked.ips.txt)

    PUB_IF="eth0"

    #unlimited
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # DROP all incomming traffic
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    if [ -f /root/scripts/blocked.ips.txt ];
    then
    # create a new iptables list
    $IPT -N $SPAMLIST

    for ipblock in $BADIPS
    do
    $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
    $IPT -A $SPAMLIST -s $ipblock -j DROP
    done

    $IPT -I INPUT -j $SPAMLIST
    $IPT -I OUTPUT -j $SPAMLIST
    $IPT -I FORWARD -j $SPAMLIST
    fi

    # Block sync
    $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
    $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

    # Block Fragments
    $IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
    $IPT -A INPUT -i ${PUB_IF} -f -j DROP

    # Block bad stuff
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP

    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS

    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

    $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

    # Allow full outgoing connection but no incomming stuff
    $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Allow ssh
    $IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT

    # allow incomming ICMP ping pong stuff
    $IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow port 53 tcp/udp (DNS Server)
    $IPT -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

    $IPT -A INPUT -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Open port 80
    $IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT
    ##### Add your rules below ######

    ##### END your rules ############

    # Do not log smb/windows sharing packets - too much logging
    $IPT -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
    $IPT -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT

    # log everything else and drop
    $IPT -A INPUT -j LOG
    $IPT -A FORWARD -j LOG
    $IPT -A INPUT -j DROP

    exit 0



    Come faccio a installare e utilizzare questo script?
    Digitare il seguente comando come root:

    PHP:
    # mkdir /root/scripts
    # cd /root/scripts
    # wget http://bash.cyberciti.biz/dl/381.sh.zip
    # wget http://bash.cyberciti.biz/dl/151.sh.zip
    # unzip 381.sh.zip
    # unzip 151.sh.zip
    # mv 381.sh start.fw
    # mv 151.sh stop.fw
    # chmod +x *.fw

    Ora modificare firewall secondo le vostre esigenze:
    Codice:
    # vi /root/scripts/start.fw
    Installare firewall:
    Codice:
    # echo '/root/scripts/start.fw' >> /etc/rc.local
    Start Firewall:
    Codice:
    # /root/scripts/start.fw
    Stop Firewall:
    Codice:
    # /root/scripts/stop.fw
     






    Knight, 21 Maggio 2013
    #1
    A eSports piace questo elemento.

  2. Google Advertisement