1+ #! /bin/bash
2+
3+ # iptables Script
4+ # by Ray-works.de
5+ # Update: 29.10.2013
6+
7+ # ########################
8+ # Variables
9+ # ########################
10+
11+ IPTABLES=` which iptables`
12+
13+ # Interfaces
14+ ETH=eth0
15+ VPN=tun0
16+
17+ # IP Adresses
18+ IP=` ifconfig $ETH | grep inet | cut -d : -f 2 | cut -d \ -f 1`
19+ VPNIP=` ifconfig $VPN | grep inet | cut -d : -f 2 | cut -d \ -f 1`
20+
21+ # ########################
22+ # Configuration
23+ # ########################
24+
25+ # Allow access to the NFS storage?
26+ NFSSTORAGE=" no"
27+
28+ # NFS Storage
29+ NFSIP=" "
30+
31+ # Do you wanna use VPN Traffic Forwarding?
32+ VPNFORWARD=" no"
33+
34+ # VPN Subnetz
35+ VPNSUB=" "
36+
37+ # Do you have/use fail2ban?
38+ FAIL2BAN=" no"
39+
40+ # TCP & UDP Ports for incoming traffic
41+ INTCPPORTS=" "
42+ INUDPPORTS=" "
43+
44+ # TCP & UDP Ports for outgoing traffic
45+ OUTTCPPORTS=" "
46+ OUTUDPPORTS=" "
47+
48+ # SSH Port for extra protection via limits
49+ SSHPORT=" "
50+
51+ # Activate syn cookies (ddos protection).
52+ # Default: 0
53+ echo 1 > /proc/sys/net/ipv4/tcp_syncookies
54+
55+ # Prevents to be a part of an DDOS attack (smurf).
56+ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
57+
58+ # Required
59+ echo 1 > /proc/sys/net/ipv4/ip_forward
60+
61+ # ########################
62+ # Turn iptables (for IPv4) on
63+ # ########################
64+ function on {
65+
66+ # Flush & default
67+ $IPTABLES -F
68+
69+ # Block Everything
70+ $IPTABLES -P INPUT DROP
71+ $IPTABLES -P OUTPUT DROP
72+ $IPTABLES -P FORWARD DROP
73+
74+ # New Chain for logging
75+ $IPTABLES -N LOGNDROP
76+ $IPTABLES -A LOGNDROP -j LOG -m limit --limit 1/min --log-prefix " [Dropped IPv4]: " --log-level 7
77+ $IPTABLES -A LOGNDROP -j DROP
78+
79+ # New Chain for portscan logging
80+ $IPTABLES -N PORTSCAN
81+ $IPTABLES -A PORTSCAN -j LOG -m limit --limit 1/min --log-prefix " [Portscan IPv4]: " --log-level 7
82+ $IPTABLES -A PORTSCAN -j DROP
83+
84+ # Allow Protocol 4
85+ $IPTABLES -I INPUT 1 -p 4 -j ACCEPT
86+
87+ # Allow internal addresses
88+ $IPTABLES -A INPUT -i lo -j ACCEPT
89+ $IPTABLES -A OUTPUT -o lo -j ACCEPT
90+
91+ # Storage Access
92+ if [ " $NFSSTORAGE " = " yes" ]; then
93+ $IPTABLES -A INPUT -i $ETH -p tcp -s $NFSIP -j ACCEPT
94+ $IPTABLES -A INPUT -i $ETH -p udp -s $NFSIP -j ACCEPT
95+
96+ $IPTABLES -A OUTPUT -o $ETH -p tcp -d $NFSIP -j ACCEPT
97+ $IPTABLES -A OUTPUT -o $ETH -p udp -d $NFSIP -j ACCEPT
98+ fi
99+
100+ # VPN Traffic Forwarding
101+ if [ " $VPNFORWARD " = " yes" ]; then
102+ $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
103+ $IPTABLES -A FORWARD -s $VPNSUB -j ACCEPT
104+ $IPTABLES -A FORWARD -j REJECT
105+ $IPTABLES -t nat -A POSTROUTING -s $VPNSUB -o $ETH -j MASQUERADE
106+ fi
107+
108+ # Allow established and related connection
109+ $IPTABLES -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
110+ $IPTABLES -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
111+
112+ $IPTABLES -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
113+ $IPTABLES -A OUTPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
114+
115+ # Allow ICMP
116+ $IPTABLES -A INPUT -p icmp -j ACCEPT
117+ $IPTABLES -A OUTPUT -p icmp -j ACCEPT
118+
119+ # Allow DNS Lookup
120+ $IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
121+
122+ #
123+ # TCP & UDP Ports for incoming traffic
124+ #
125+
126+ for PORT in $INTCPPORTS ; do
127+ $IPTABLES -A INPUT -p tcp -i $ETH --dport $PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
128+ done ;
129+
130+ for PORT in $INUDPPORTS ; do
131+ $IPTABLES -A INPUT -p udp -i $ETH --dport $PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
132+ done ;
133+
134+ #
135+ # TCP & UDP Ports for outgoing traffic
136+ #
137+
138+ for PORT in $OUTTCPPORTS ; do
139+ $IPTABLES -A OUTPUT -p tcp -o $ETH --dport $PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
140+ done ;
141+
142+ for PORT in $OUTUDPPORTS ; do
143+ $IPTABLES -A OUTPUT -p udp -o $ETH --dport $PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
144+ done ;
145+
146+ # FTPS explicit passive portrange
147+ $IPTABLES -A INPUT -p tcp --dport 40000:40100 -j ACCEPT
148+ $IPTABLES -A INPUT -p udp --dport 40000:40100 -j ACCEPT
149+
150+ # Deny more than 3 connection attempts per 10 minutes (SSH)
151+ $IPTABLES -A INPUT -p tcp --dport $SSHPORT -m state --state NEW -m recent --set --name SSH
152+ $IPTABLES -A INPUT -p tcp --dport $SSHPORT -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j LOGNDROP
153+
154+ # Limit connections per minute from single ip to 10 (HTTP)
155+ $IPTABLES -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name http
156+ $IPTABLES -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name http -j LOGNDROP
157+
158+ # Rate limit ICMP (ping) packets
159+ $IPTABLES -I INPUT -p icmp --icmp-type echo-request -m recent --set
160+ $IPTABLES -I INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 20 --hitcount 10 -j LOGNDROP
161+ $IPTABLES -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j LOGNDROP
162+ $IPTABLES -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j LOGNDROP
163+
164+ # Drop all invalid packets
165+ $IPTABLES -A INPUT -m state --state INVALID -j LOGNDROP
166+ $IPTABLES -A FORWARD -m state --state INVALID -j LOGNDROP
167+ $IPTABLES -A OUTPUT -m state --state INVALID -j LOGNDROP
168+
169+ # Drop new connections without the SYN flag set
170+ $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j PORTSCAN
171+
172+ # syn flood limitation
173+ $IPTABLES -A INPUT -p tcp --syn -m limit --limit 5/s --limit-burst 10 -j LOG --log-prefix " SYN flood: "
174+ $IPTABLES -A INPUT -p tcp --syn -j DROP
175+
176+ # Portscan: Drop ALL
177+ $IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j PORTSCAN
178+
179+ # Portscan: Drop FIN + URG + PSH
180+ $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j PORTSCAN
181+
182+ # Portscan: Drop nmap Null scan
183+ $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j PORTSCAN
184+
185+ # Portscan: Drop nmap FIN stealth scan
186+ $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -j PORTSCAN
187+
188+ # Portscan: Drop XMAS
189+ $IPTABLES -A INPUT -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j PORTSCAN
190+
191+ # Portscan: Other combinations
192+ $IPTABLES -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j PORTSCAN
193+ $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j PORTSCAN
194+ $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j PORTSCAN
195+ $IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PORTSCAN
196+ $IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j PORTSCAN
197+ $IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j PORTSCAN
198+ $IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j PORTSCAN
199+ $IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j PORTSCAN
200+
201+ echo " Firewall ($IPTABLES ): enabled."
202+
203+ # Fail2Ban
204+ if [ " $FAIL2BAN " = " yes" ]; then
205+ /etc/init.d/fail2ban start
206+ fi
207+
208+ }
209+
210+
211+ # ########################
212+ # Turn iptables off
213+ # ########################
214+
215+ function off {
216+
217+ $IPTABLES -F
218+ $IPTABLES -t nat -F PREROUTING
219+ $IPTABLES -t nat -F POSTROUTING
220+ $IPTABLES -X
221+ $IPTABLES -P INPUT ACCEPT
222+ $IPTABLES -P OUTPUT ACCEPT
223+ $IPTABLES -P FORWARD ACCEPT
224+
225+ echo " Firewall ($IPTABLES ): disabled. (allowing all access)"
226+
227+ }
228+
229+ # ########################
230+ # Script usage
231+ # ########################
232+
233+ case " $1 " in
234+ start)
235+ on
236+ ;;
237+ stop)
238+ off
239+ ;;
240+ restart)
241+ off
242+ sleep 3;
243+ on
244+ ;;
245+ * )
246+ echo " $0 {start|stop|restart}"
247+ echo " Start executes primary ruleset."
248+ echo " Stop disables all filtering"
249+ echo " restart clears then enables"
250+ ;;
251+ esac
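Review bot: The SSH and HTTP `-m recent` limits (lines 151–156), the INVALID drop (165) and the portscan/flag checks (170–199) are appended to INPUT after the ESTABLISHED,RELATED accepts (109–113) and the per-port `--state NEW,ESTABLISHED,RELATED -j ACCEPT` loops (127–131), so for inbound traffic on $ETH to any port listed in INTCPPORTS they are never evaluated — a SYN to the SSH port is accepted at line 127 before the recent-match rule at 152 can count it. Moving that block (151–199) above the `for PORT in $INTCPPORTS ; do` loop at line 126 makes the limits and flag checks run before any ACCEPT, which is presumably what the comments at 150 and 169 intend. The FTPS passive range at lines 147–148 has the same ordering question and is also opened unconditionally for tcp and udp on every interface, unlike every other port in the file; gating it behind a configuration variable like NFSSTORAGE would keep it consistent with the configuration block. Separately, with SSHPORT and NFSIP left at their empty defaults and no `set -e`, an iptables call that fails on a missing argument is silently skipped and the script still prints `enabled.`; checking each call's return status (or adding `set -e` after the shebang) would surface that.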