[root@eloise ~]# cat /usr/bin/firewall
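#!/bin/sh
# /usr/bin/firewall -- (re)load this host's iptables ruleset.
#
# Default policy is INPUT DROP / FORWARD DROP / OUTPUT ACCEPT.  A small set of
# public services is opened to the world, the management network and the
# admin's home address may reach any TCP port, everything else inbound is
# logged and rejected.  Must run as root.  Written for POSIX sh (no bashisms).
#
# NOTE(review): the addresses below are published as placeholders ("x.x.x.x");
# fill them in before use.
set -u   # an unset variable aborts the script instead of expanding to ""

IPT="/sbin/iptables"
xxx="x.x.x.x/28"       # management network
home="x.x.x.x/32"      # admin's home address
# Was 'anywhere="$anywhere/0"' with $anywhere unset, which expanded to the
# invalid "/0" and broke every rule that used it.
anywhere="0.0.0.0/0"
extip="x.x.x.x/32"     # this host's public address
extif="eth0"           # public interface

# printf rather than 'echo -e': dash's echo has no -e and would print it.
printf '\n\nSETTING UP IPTABLES FIREWALL...\n'

# Flush old rules, old custom chains
"$IPT" --flush
"$IPT" --delete-chain

# Set default policies for all three built-in chains.  Policies go in before
# any ACCEPT rule so the host fails closed if a later command errors out.
"$IPT" -P INPUT DROP
"$IPT" -F INPUT
"$IPT" -P OUTPUT ACCEPT
"$IPT" -F OUTPUT
"$IPT" -P FORWARD DROP
"$IPT" -F FORWARD
"$IPT" -F -t nat

# Flush the user chain if it still exists.  Listing a single chain exits
# non-zero when it is absent; -n avoids reverse-DNS lookups while listing.
if "$IPT" -n -L drop-and-log-it >/dev/null 2>&1; then
  "$IPT" -F drop-and-log-it
fi

# Delete all user-specified chains
"$IPT" -X
# Reset all iptables counters
"$IPT" -Z

# Chain that logs a packet and then rejects it.
# The LOG rule is rate-limited: an unthrottled LOG behind the catch-all rule
# lets any remote host fill syslog (and the disk) at line rate.
# NOTE(review): despite its name the chain ends in REJECT, not DROP, so the
# sender receives an ICMP error; change the last target to DROP if silence
# is what is wanted.
"$IPT" -N drop-and-log-it
"$IPT" -A drop-and-log-it -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level info --log-prefix "FW-REJECT: "
"$IPT" -A drop-and-log-it -j REJECT

# Enable free use of the loopback interface
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
"$IPT" -A INPUT -p tcp ! --syn -m state --state NEW -s "$anywhere" -j DROP

# Allow replies to connections this host (or its MASQ clients) initiated.
#"$IPT" -A INPUT -i "$extif" -s "$anywhere" -d "$extip" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# inbound TCP: the management network and the admin's home address may open
# a connection to any TCP port.  (The original rules were missing the space
# before -j after "$xxx", so they never loaded.)
"$IPT" -A INPUT -p tcp -m state --state NEW -s "$xxx" -j ACCEPT
"$IPT" -A INPUT -p tcp -m state --state NEW -s "$home" -j ACCEPT

# inbound TCP: public services.
# NOTE(review): 20/21 (FTP), 25 (SMTP), 110 (POP3) and 143 (IMAP) are
# cleartext protocols exposed to the whole Internet; prefer the TLS variants
# or restrict the source.  Port 20 is the server's *outbound* source port for
# active-mode FTP data, so an inbound NEW rule for it is normally unneeded.
"$IPT" -A INPUT -p tcp --dport 20  -m state --state NEW -s "$anywhere" -j ACCEPT
"$IPT" -A INPUT -p tcp --dport 21  -m state --state NEW -s "$anywhere" -j ACCEPT
"$IPT" -A INPUT -p tcp --dport 25  -m state --state NEW -s "$anywhere" -j ACCEPT
"$IPT" -A INPUT -p tcp --dport 53  -m state --state NEW -s "$home"     -j ACCEPT
"$IPT" -A INPUT -p tcp --dport 80  -m state --state NEW -s "$anywhere" -j ACCEPT
"$IPT" -A INPUT -p tcp --dport 110 -m state --state NEW -s "$anywhere" -j ACCEPT
"$IPT" -A INPUT -p tcp --dport 143 -m state --state NEW -s "$anywhere" -j ACCEPT
"$IPT" -A INPUT -p tcp --dport 443 -m state --state NEW -s "$anywhere" -j ACCEPT

# inbound UDP packets
#"$IPT" -A INPUT -p udp -m udp --dport 123 -s "$anywhere" -j ACCEPT
"$IPT" -A INPUT -p udp -m udp --dport 53 -s "$anywhere" -j ACCEPT
# NOTE(review): FTP has no UDP component; nothing should be listening on
# udp/21.  Kept for fidelity with the original -- remove once confirmed unused.
"$IPT" -A INPUT -p udp -m udp --dport 21 -s "$anywhere" -j ACCEPT

# inbound ICMP: echo-request (8) and time-exceeded (11) from the management
# network and the admin's home only.  (Same missing-space bug fixed here.)
"$IPT" -A INPUT -p icmp --icmp-type 8  -s "$xxx"  -j ACCEPT
"$IPT" -A INPUT -p icmp --icmp-type 8  -s "$home" -j ACCEPT
"$IPT" -A INPUT -p icmp --icmp-type 11 -s "$xxx"  -j ACCEPT
"$IPT" -A INPUT -p icmp --icmp-type 11 -s "$home" -j ACCEPT

# Catch-all rule: all other incoming traffic is logged and rejected.
# (Uses $IPT like every other rule; the original called bare 'iptables'.)
"$IPT" -A INPUT -s "$anywhere" -d "$anywhere" -j drop-and-log-it

# Accept outbound packets if you switch the OUTPUT policy to DROP
#"$IPT" -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#"$IPT" -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
#"$IPT" -A OUTPUT -o "$extif" -s "$extip" -d "$anywhere" -j ACCEPT

# Anything else outgoing on the public interface from our own address is valid
"$IPT" -A OUTPUT -o "$extif" -s "$extip" -d "$anywhere" -j ACCEPT

# Catch-all rule: all other outgoing traffic (other interfaces, spoofed source
# addresses) is logged and rejected.
"$IPT" -A OUTPUT -s "$anywhere" -d "$anywhere" -j drop-and-log-it

printf 'DONE\n'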