畢業設計課題的關於NetFilter/iptables的Shell腳本(單網卡版)

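#!/bin/sh
# Single-NIC NetFilter/iptables host firewall.
#
# Usage: $0 {start|stop}
#   start - tunes a few ipv4 sysctls, then installs a DROP-by-default
#           ruleset: inbound only the TCP ports in SERVICE on the uplink,
#           outbound only new TCP connections to ALLOW_PORTS, and a list
#           of inbound ports that are logged and rejected outright.
#   stop  - resets all policies to ACCEPT and flushes every table.
# Both modes then offer to dump the live ruleset with iptables-save
# (which writes to stdout; it does not persist anything by itself).
# Must run as root: it writes under /proc/sys and calls iptables.
# Written for POSIX sh (no bash-only builtins such as `read -p`).

INTERFACES="lo eth0"             # interfaces that get rp_filter enabled
UPLINK="eth0"                    # the single interface facing the network
SERVICE="80"                     # TCP ports this host serves on the uplink
ALLOW_PORTS="23"                 # TCP ports this host may connect out to
DENYTCPPORTS="23 139 445 3389"   # inbound TCP ports logged then rejected
DENYUDPPORTS="23 139 455 3389"   # inbound UDP ports logged then rejected
                                 # NOTE(review): 455 may be a typo for 445 — confirm

#######################################
# Offer to dump the live ruleset; loops until the answer is y or n.
# Globals:   none written
# Arguments: none; reads one line per attempt from stdin
# Outputs:   prompt and messages on stdout; iptables-save output on "y"
# Returns:   0 after a valid answer, 1 when stdin is exhausted (no tty),
#            so the loop cannot spin forever on EOF.
#######################################
ask_save_rules() {
  while :; do
    echo ""
    printf '%s' "Now would you like save the rules for the firewall? [ y/n ]"
    if ! read -r answer; then
      echo ""
      return 1
    fi
    case "$answer" in
      y)
        iptables-save
        return 0
        ;;
      n)
        echo "If you want to save the rules by yourself,please read the man page for the iptables-save."
        return 0
        ;;
      *)
        echo "Please type y or n!"
        ;;
    esac
  done
}

case "$1" in
start)
  echo "Starting Firewall......"
  echo "Now prepareing kernel for use,please wait......"
  if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo "Enable the syn cook flood protection......"
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo "  OK !!!!"
  fi
  if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
    echo " Setting local port range for TCP/UDP connection......"
    # The two bounds must be whitespace separated; a literal "/t" is
    # rejected by the kernel, so write a real tab.
    printf '32768\t61000\n' > /proc/sys/net/ipv4/ip_local_port_range
    echo "  OK !!!!"
  fi
  if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
    echo "Enable bad error message protection......"
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo "  OK !!!! "
  fi
  if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
    echo "Disabling tcp_ecn,please wait......"
    echo 0 > /proc/sys/net/ipv4/tcp_ecn
    echo "  OK !!!! "
  fi
  # Reverse-path filtering per interface; skip interfaces the kernel
  # does not know about instead of failing on a missing /proc entry.
  for x in ${INTERFACES}; do
    if [ -e "/proc/sys/net/ipv4/conf/${x}/rp_filter" ]; then
      echo "Enabling rp_filter on ${x} ,please wait......"
      echo 1 > "/proc/sys/net/ipv4/conf/${x}/rp_filter"
      echo " ${x} OK !!!! "
    fi
  done
  if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    echo "Ignore any broadcast icmp echo requests......"
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "  OK !!!! "
  fi
  echo "OK,the kernel is now prepared to use for building a firewall!!!"

  echo "Now Flushing the rules......"
  # Policies go to DROP before the flush so there is no open window
  # while the old rules are gone and the new ones are not yet in place.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP
  iptables -F -t filter
  iptables -F -t nat
  iptables -F -t mangle
  iptables -Z
  iptables -X
  echo "  OK!!!"

  echo "Now starting the new tables......"
  iptables -N CHECK_FLAGS
  iptables -N denyports
  iptables -N insrv
  iptables -N outsrv
  iptables -N inusrlist
  iptables -N outusrlist
  echo "  OK!!!"

  echo "Now Starting the new rules......"
  iptables -A INPUT -j CHECK_FLAGS
  iptables -A OUTPUT -j CHECK_FLAGS
  # Loopback must be admitted explicitly: INPUT's policy is DROP and every
  # rule below is scoped to the uplink, so without this nothing talking to
  # 127.0.0.1 (including local services) would ever get a reply.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -j denyports
  iptables -A INPUT -i "${UPLINK}" -j insrv
  iptables -A INPUT -i "${UPLINK}" -j inusrlist
  iptables -A INPUT -p tcp -i "${UPLINK}" -j REJECT --reject-with tcp-reset
  iptables -A INPUT -p udp -i "${UPLINK}" -j REJECT --reject-with icmp-port-unreachable
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A OUTPUT -o "${UPLINK}" -j outsrv
  iptables -A OUTPUT -o "${UPLINK}" -j outusrlist
  iptables -A OUTPUT -p tcp -o "${UPLINK}" -j REJECT --reject-with tcp-reset
  iptables -A OUTPUT -p udp -o "${UPLINK}" -j REJECT --reject-with icmp-port-unreachable

  echo "Now starting the check_flag rules,please wait...."
  # Each malformed-flag pattern is logged (rate limited so a scan cannot
  # flood the log) and then dropped.
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:"
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " INVAILD NMAP SCAN "
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/RST "
  iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN "
  iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN"
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 64 "
  iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 128 "
  iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -j DROP
  echo "  OK !!!! Finished check_flags rules...."

  echo "Now Starting the denyports's rules......"
  # Same rate limit as CHECK_FLAGS: an unthrottled LOG on a well-known
  # port is an easy way to fill the disk with a port sweep.
  for x in ${DENYTCPPORTS}; do
    iptables -A denyports -p tcp --dport "${x}" -m limit --limit 5/minute -j LOG --log-prefix "INVAILD PORT:${x} TCP IN:"
    iptables -A denyports -p tcp --dport "${x}" -j REJECT --reject-with tcp-reset
  done
  for x in ${DENYUDPPORTS}; do
    iptables -A denyports -p udp --dport "${x}" -m limit --limit 5/minute -j LOG --log-prefix "INVAILD PORT:${x} UDP IN:"
    iptables -A denyports -p udp --dport "${x}" -j REJECT --reject-with icmp-port-unreachable
  done
  echo "  OK!!!"

  # Services offered on the uplink: new connections in, replies out.
  for x in ${SERVICE}; do
    iptables -A insrv -p tcp --dport "${x}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A outsrv -p tcp --sport "${x}" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
  # Ports this host may reach out to: new connections out, replies in.
  for x in ${ALLOW_PORTS}; do
    iptables -A inusrlist -i "${UPLINK}" -p tcp --sport "${x}" -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A outusrlist -o "${UPLINK}" -p tcp --dport "${x}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  done
  echo "  OK!!!"
  echo "The firewall has successful Started up!!!"

  ask_save_rules
  ;;
stop)
  echo "Stopping firewall......"
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -F -t filter
  iptables -F -t nat
  iptables -F -t mangle
  iptables -Z
  iptables -X
  echo "The firewall has successful shuted down!!! Be careful!!!"

  ask_save_rules
  ;;
*)
  echo "Usage: $0 {start|stop}" >&2
  ;;
esac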
