Linux - Simple iptables script

To keep the iptables log separate from the general syslog messages file:
# vi /etc/syslog.conf
and add the following lines:
#IPTables logging
kern.debug;kern.info /var/log/firewall

# service syslog restart

Write the iptables script:
# vi /opt/iptables.sh
and add the following lines:
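#!/bin/ksh
#
# Simple host firewall.
#
# Sets a default-DROP policy on INPUT/OUTPUT/FORWARD, accepts established and
# related traffic statefully, opens ssh/http/https/DNS/ICMP/SMTP/FTP
# explicitly and logs dropped packets through the LOG_DROP chain (syslog
# facility kern; see the syslog.conf snippet that accompanies this script).
#
# Usage:   run as root, e.g. /opt/iptables.sh
# Edit:    ip (host address) and lan_net (its own subnet) below.
#
# The policies are switched to DROP before the ACCEPT rules are appended, so
# a remote admin session is interrupted while the script runs. Loading the
# finished ruleset atomically with iptables-restore would avoid that window.

#= Basic System conf ==============#
#==================================#

ip=192.168.1.123
# The host's own subnet. Packets from this network are exempted from the
# private-address anti-spoofing drops below. Without the exemption a host
# with an RFC 1918 address (as here) drops every packet from its own LAN,
# including ssh and the DNS replies from NSIP.
lan_net=192.168.1.0/24

##### Load Modules
modprobe ip_tables
# FTP connection-tracking helper: newer kernels name it nf_conntrack_ftp,
# older ones ip_conntrack_ftp. It makes FTP data connections RELATED, so the
# stateful rule below accepts them and no blanket high-port rules are needed.
# NOTE(review): recent kernels may disable automatic helper assignment by
# default -- confirm that FTP data transfers still match RELATED.
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_filter

##### Enable broadcast echo Protection
#echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#= Basic Rules ====================#
#==================================#

##### Flush all tables
##### (--flush empties chains but keeps user-defined ones; -X removes them.)
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

##### Debug Log
#iptables -A INPUT -j LOG --log-prefix " *** Firewall Log *** "

##### Default DROP all connections
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

##### Create the user chains. -X fails harmlessly on the first run, when the
##### chains do not exist yet; on later runs --flush above has emptied them.
iptables -X LOG_ACCEPT 2>/dev/null
iptables -X LOG_DROP 2>/dev/null
iptables -X BOGON 2>/dev/null
iptables -X flood 2>/dev/null
iptables -N LOG_ACCEPT
iptables -N LOG_DROP
iptables -N BOGON
iptables -N flood

##### Fill the logging chains before any rule jumps to them. A jump into an
##### empty LOG_DROP just returns and the packet keeps traversing the calling
##### chain instead of being dropped, which would leave a window during the
##### run in which the anti-spoofing rules below do nothing.
iptables -A LOG_DROP -j LOG --log-prefix " *** Firewall DROP *** : " --log-tcp-options --log-ip-options
iptables -A LOG_DROP -j DROP
iptables -A LOG_ACCEPT -j LOG --log-prefix " *** Firewall ACCEPT *** : " --log-tcp-options --log-ip-options
iptables -A LOG_ACCEPT -j ACCEPT

##### Allow local loopback connections
##### (No rule accepting a 127.0.0.1 source on eth0: loopback traffic never
##### arrives there, and such a rule would shadow the 127.0.0.0/8 drop below.)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

##### Drop all invalid connections
iptables -A INPUT -m state --state INVALID -j LOG_DROP
iptables -A OUTPUT -m state --state INVALID -j LOG_DROP
iptables -A FORWARD -m state --state INVALID -j LOG_DROP

##### Allow all established and related connections (Stateful)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

##### Drop all incoming fragments
iptables -A INPUT -f -j LOG_DROP

##### Drop all incoming malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG_DROP

##### Drop all incoming malformed NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG_DROP

##### Spoofing and bad addresses
##### Packets claiming the host's own address as source are spoofed (genuine
##### loopback traffic was accepted on lo above). The host's own subnet is
##### exempted from the private-range drops; the remaining ranges (unspecified,
##### loopback, RFC 1918, multicast and class E) are dropped and logged.
iptables -A BOGON -s "$ip" -j LOG_DROP
iptables -A BOGON -s "$lan_net" -j RETURN
for net in 0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3
do
  iptables -A BOGON -s "$net" -j LOG_DROP
done
##### Additional addresses of this server, if any, belong here as well:
#myIPS="xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx"
#for myip in $myIPS
#do
#  iptables -A BOGON -s "$myip" -j LOG_DROP
#done
iptables -A INPUT -j BOGON

##### Stop flood: rate-limit new TCP connections (SYN).
##### This has to precede the ACCEPT rules; appended after the final
##### catch-all drop it would never be reached. The limit values are the
##### original ones and are strict (1 new connection/s, burst 3) -- tune
##### them for the host's expected load.
iptables -A flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A flood -j LOG_DROP
iptables -A INPUT -p tcp --syn -j flood

##### Block IPs (must also precede the ACCEPT rules to take effect)
#iptables -A INPUT -s xxx.xxx.xxx.xxx -j LOG_DROP

#== Custom Rules ==================#
#==================================#

##### Allow ssh connections
##### Open port 22 for all
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d "$ip" --dport 22 -j LOG_ACCEPT
iptables -A OUTPUT -p tcp -s "$ip" --sport 22 -d 0/0 --dport 513:65535 -j LOG_ACCEPT

##### Open Port 80
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d "$ip" --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$ip" --sport 80 -d 0/0 --dport 1024:65535 -j ACCEPT

##### Open Port 443
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d "$ip" --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$ip" --sport 443 -d 0/0 --dport 1024:65535 -j ACCEPT

##### Open Port 25
#iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d "$ip" --dport 25 -j ACCEPT
#iptables -A OUTPUT -p tcp -s "$ip" --sport 25 -d 0/0 --dport 1024:65535 -j ACCEPT

##### Outgoing DNS
##### udp first
NSIP="192.168.1.1" # NS1 NS2 of ISP (space-separated list)
for mip in $NSIP
do
  iptables -A OUTPUT -p udp -s "$ip" --sport 1024:65535 -d "$mip" --dport 53 -j ACCEPT
  iptables -A INPUT -p udp -s "$mip" --sport 53 -d "$ip" --dport 1024:65535 -j ACCEPT
  # tcp next
  iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d "$mip" --dport 53 -j ACCEPT
  iptables -A INPUT -p tcp -s "$mip" --sport 53 -d "$ip" --dport 1024:65535 -j ACCEPT
done

##### outgoing ICMP
iptables -A OUTPUT -p icmp -s "$ip" -d 0/0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 -d "$ip" -j ACCEPT

##### outgoing traceroute
iptables -A OUTPUT -p udp -s "$ip" --sport 1024:65535 -d 0/0 --dport 33434:33523 -j ACCEPT

##### outgoing SMTP
iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d 0/0 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 25 -d "$ip" --dport 1024:65535 -j ACCEPT

##### outgoing FTP (control channel only)
##### The data channel is handled by the FTP conntrack helper loaded above
##### via the ESTABLISHED,RELATED rule. The former high-port-to-high-port
##### rules are gone: they accepted any new inbound TCP connection to any
##### unprivileged port on this host, not just FTP data.
iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d 0/0 --dport 21 -j LOG_ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 21 -d "$ip" --dport 1024:65535 -j LOG_ACCEPT

##### outgoing http and https
##### for up2date and other stuff
iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 80 -d "$ip" --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d 0/0 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 443 -d "$ip" --dport 1024:65535 -j ACCEPT

#= Block Rules ====================#
#==================================#

##### Okay Drop everything from here :D
##### Anything appended to INPUT or OUTPUT after these two rules is
##### unreachable, so all rules belong above this point.
iptables -A INPUT -s 0/0 -j LOG_DROP
iptables -A OUTPUT -d 0/0 -j LOG_DROP
##### EOF SFW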



Execute the iptables script:
# /opt/iptables.sh
