Content:: Firewall Shell Script (fw.sh)
Shell - Firewall
This shell script builds a host firewall with iptables. The INPUT chain defaults to DROP; on the external interface, TCP that matches none of the allow rules is answered with a tcp-reset REJECT rather than silently dropped, and only the listed service ports (SSH, SMTP, HTTP and MySQL, from the trusted external network) are opened. FORWARD and OUTPUT default to ACCEPT, so this is an ingress filter only — tighten those policies if the host routes traffic or you want egress control. I expect that if you found this script you know what ports are, how to secure your system, and would rather lift chunks of the logic for your own use!
Usage
# ./fw.sh
Usage: ./fw.sh { start | stop | restart | status | lockdown }
start - builds the rule set (flushes the tables first, then loads the rules)
stop - flushes all rules and sets every policy to ACCEPT. No firewall protection
restart - runs stop then start
status - runs "$iptables -nxvL --line-numbers | less" to show you what iptables is doing
lockdown - sets every policy to DROP and flushes all rules: nothing in or out, loopback included
You may need to use chmod to set an executable flag on the file. The script runs as root, so avoid group-writable modes such as 775 — anyone in that group could then rewrite your firewall rules.
# chmod 755 fw.sh
The Code
#!/bin/sh
################################################################################
# File Name : fw.sh #
# Author(s) : #
# Phil Allen <phil@hilands.com> #
# Last Edited By : #
# phil@hilands.com #
# Version : 2009101300 #
# #
# Copyright information #
# #
# Copyright (C) 2002-2009 Phil Allen <phil@hilands.com> #
# #
# This file is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; version 2 of the License. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program or from the site that you downloaded it #
# from; if not, write to the Free Software Foundation, Inc., 59 Temple #
# Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# General Information (algorithm) : #
# This script makes use of iptables to create a de facto standard ingress      #
# firewall configuration.                                                      #
# We start by resetting the iptables configuration to default.                 #
# The INPUT policy is DROP (FORWARD and OUTPUT stay ACCEPT); the server stats  #
# chains count traffic per service, accepts come only from the trusted         #
# networks, and new external TCP is logged to kern.log (debian).               #
# #
# The server stats portion may need to be re-written to handle proper #
# packet drops #
# #
# #
# http://oceanpark.com/notes/firewall_example.html #
# tarpitting http://www.securityfocus.com/infocus/1723 #
# #
# allow ICMP #
# /sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT #
# same as #
# /sbin/iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT #
# http://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html #
# 0 echo-reply 8 echo-request #
# http://www.faqs.org/docs/linux_network/x-087-2-firewall.example.html #
# #
# /etc/syslog.conf change:                                                     #
# Send iptables LOG entries to /var/log/iptables. The selector must match      #
# $loglvl below: with loglvl="alert" use kern.=alert (kern.=debug only         #
# catches rules logged with --log-level debug).                                #
# kern.=alert /var/log/iptables                                                #
# http://www.newartisans.com/blog_files/tricks.with.iptables.php #
################################################################################
################################################################################
# Strings #
################################################################################
################################################################################
# Site configuration - edit these to match the host                            #
################################################################################
# Path to the iptables binary; the script refuses to run if it is not here.
iptables="/sbin/iptables"

# Interfaces. iface_ext faces the untrusted network, iface_int the LAN.
loopback="lo"
iface_ext="eth0"        # External interface
iface_int="eth1"        # Internal interface

# Addresses of this host. Not consumed by the active rules in this file; the
# commented-out NAT/port-forward examples are the only place they are meant for.
ip_ext="10.10.10.10"    # External IP address
ip_int="192.168.1.254"  # Internal IP address

# Networks allowed in. One CIDR per line; the start action word-splits these
# and loops over every entry.
trusted_ext="
10.10.10.0/24
"
trusted_int="
192.168.1.0/24
"

# Interface toggles: 1=yes 0=no
iface_ext_use="1"       # do you want to use the external interface?
iface_int_use="1"       # do you want to use the internal interface?

# Syslog level for the LOG rules. NOTE(review): the header's /etc/syslog.conf
# example selects kern.=debug, which will not match "alert"; keep the two in
# agreement or the log file stays empty.
loglvl="alert"
################################################################################
# #
################################################################################
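# Refuse to run without the iptables binary. The original put its echo AFTER
# "exit 0", so the message was unreachable, and exit 0 made a missing firewall
# look like success to whatever invoked the script (fail-open, silently).
# Report on stderr and exit non-zero instead. $iptables is quoted so an empty
# value fails the test rather than turning it into a bare "[ ! -x ]".
if [ ! -x "$iptables" ]; then
  echo "iptables: $iptables file does not exist" >&2
  exit 1
fi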
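################################################################################
# Helpers                                                                      #
################################################################################

# flush_tables INPUT_POLICY FORWARD_POLICY OUTPUT_POLICY
#   Reset the filter, nat and mangle tables. The three default policies are set
#   FIRST and only then are the chains flushed and the user chains deleted, so
#   the rules never vanish while the box is still on an ACCEPT policy (start
#   used to call "$0 flush", which set every policy to ACCEPT and only then
#   raised INPUT back to DROP). Prints one "." per successful command like the
#   rest of the script.
flush_tables() {
  "$iptables" -P INPUT "$1" && echo -n "."
  "$iptables" -P FORWARD "$2" && echo -n "."
  "$iptables" -P OUTPUT "$3" && echo -n "."
  for table in filter nat mangle; do
    "$iptables" -t "$table" -F && echo -n "."
    "$iptables" -t "$table" -X && echo -n "."
  done
}

# new_chain NAME
#   Create user chain NAME and make sure it is empty.
new_chain() {
  "$iptables" -N "$1" && echo -n "."
  "$iptables" -F "$1" && echo -n "."
}

# count_service PORT CHAIN
#   Accounting only: send inbound TCP to PORT and outbound TCP from PORT through
#   CHAIN, and CHAIN on to traffic-output, so "status" shows per-service packet
#   and byte counters. None of these chains has a terminating target, so the
#   packet returns to INPUT/OUTPUT and is decided by the rules after it. These
#   must be appended before the ACCEPT/REJECT rules or accepted packets are
#   never counted.
count_service() {
  "$iptables" -A INPUT -p tcp --dport "$1" -j "$2" && echo -n "."
  "$iptables" -A OUTPUT -p tcp --sport "$1" -j "$2" && echo -n "."
  "$iptables" -A "$2" -j traffic-output && echo -n "."
}

case "$1" in
  ############################################################################
  # Start                                                                    #
  ############################################################################
  start)
    ########################################################################
    # Configure Default Policies (and reset) - policies go in BEFORE the   #
    # flush so the host is never briefly wide open with the old rules gone #
    ########################################################################
    echo -n "iptables: Configuring Default Chain Policies"
    # FORWARD stays ACCEPT as in the original (the DROP variant is kept below
    # for reference). It only matters once forwarding is enabled - switch it
    # to DROP if you turn on the masquerade block further down.
    #flush_tables DROP DROP ACCEPT
    flush_tables DROP ACCEPT ACCEPT
    ################################################################################
    # Create our personal chains here                                              #
    ################################################################################
    echo ""
    echo -n "iptables: Populating Chains"
    # EXT/INT hold the per-interface allow rules; the *-traffic chains are the
    # server stats counters.
    for chain in EXT INT traffic-output all-traffic www-traffic ssh-traffic \
        mysql-traffic dns-traffic ftp-traffic smtp-traffic uoam-traffic; do
      new_chain "$chain"
    done
    ########################################################################
    # Traffic Monitoring for server stats                                  #
    # traffic-output is a dummy chain whose counters "iptables -nvxL"      #
    # exposes; all-traffic sees every packet, the others one service each  #
    ########################################################################
    "$iptables" -A INPUT -j all-traffic && echo -n "."
    "$iptables" -A OUTPUT -j all-traffic && echo -n "."
    "$iptables" -A all-traffic -j traffic-output && echo -n "."
    count_service 21 ftp-traffic
    count_service 22 ssh-traffic
    count_service 25 smtp-traffic
    count_service 53 dns-traffic
    count_service 80 www-traffic
    count_service 2000 uoam-traffic
    count_service 3306 mysql-traffic
    ########################################################################
    # Local LO Interface - uses $loopback instead of a hard-coded "lo"     #
    ########################################################################
    "$iptables" -A INPUT -i "$loopback" -j ACCEPT
    "$iptables" -A OUTPUT -o "$loopback" -j ACCEPT
    "$iptables" -A FORWARD -i "$loopback" -j ACCEPT
    ########################################################################
    # External Interface (honours iface_ext_use, which the original set    #
    # but never read)                                                      #
    ########################################################################
    if [ "$iface_ext_use" = "1" ]; then
      # Log new inbound TCP on the external interface. Rate-limited: the
      # original logged every packet unconditionally, so a SYN flood could
      # fill the disk through the kernel log. Move this rule just above the
      # REJECT below if you only want the refused connections logged.
      "$iptables" -A EXT -i "$iface_ext" -p tcp -m limit --limit 10/min --limit-burst 20 -j LOG --log-level "$loglvl" --log-tcp-options --log-ip-options --log-prefix '[IPTABLES] : ' && echo -n "."
      # Allow from anyone or anywhere (uncomment for a public web server)
      #"$iptables" -A EXT -i "$iface_ext" -p tcp --dport 80 -j ACCEPT
      # Allow from TRUSTED NETWORK loop. Note that 22 (SSH) and 3306 (MySQL)
      # are opened to the whole trusted_ext network; narrow trusted_ext to
      # the specific admin hosts if you can.
      for IPAddress in $trusted_ext; do
        for port in 22 25 80 3306; do
          "$iptables" -A EXT -i "$iface_ext" -s "$IPAddress" -p tcp --dport "$port" -j ACCEPT && echo -n "."
        done
      done
      # Everything else TCP gets a proper RST instead of a silent drop.
      # Non-TCP never enters EXT and falls through to the INPUT DROP policy.
      "$iptables" -A EXT -i "$iface_ext" -p tcp -j REJECT --reject-with tcp-reset && echo -n "."
      ################################################################################
      # Add Chains to INPUT: replies first, then drop what conntrack cannot place,  #
      # then new connections via EXT                                                #
      ################################################################################
      "$iptables" -A INPUT -i "$iface_ext" -m state --state ESTABLISHED,RELATED -j ACCEPT && echo -n "."
      # INVALID packets are dropped silently rather than reaching the tcp-reset
      # REJECT; there is no reason to answer segments that belong to no flow.
      "$iptables" -A INPUT -i "$iface_ext" -m state --state INVALID -j DROP && echo -n "."
      "$iptables" -A INPUT -i "$iface_ext" -j EXT && echo -n "."
    fi
    ########################################################################
    # Internal Interface (honours iface_int_use)                           #
    ########################################################################
    if [ "$iface_int_use" = "1" ]; then
      # Replies for connections this host opened toward the LAN, mirroring
      # the external interface. The original only accepted TCP here, so
      # non-TCP replies (e.g. UDP DNS answers) hit the INPUT DROP policy.
      "$iptables" -A INPUT -i "$iface_int" -m state --state ESTABLISHED,RELATED -j ACCEPT && echo -n "."
      # BUG FIX: the original looped over $trusted_ext here, so the internal
      # interface trusted the EXTERNAL network and not the LAN it serves.
      for IPAddress in $trusted_int; do
        "$iptables" -A INT -i "$iface_int" -s "$IPAddress" -p tcp -j ACCEPT && echo -n "."
      done
      "$iptables" -A INPUT -i "$iface_int" -j INT && echo -n "."
    fi
    ########################################################################
    # port forwarding (the original referenced $ext_ip, which is not      #
    # defined anywhere; the variable is $ip_ext)                           #
    ########################################################################
    #"$iptables" -t nat -A PREROUTING -p tcp -i "$iface_ext" -d "$ip_ext" --dport 8888 -j DNAT --to 192.168.1.10:80
    #"$iptables" -A FORWARD -p tcp -i "$iface_ext" -d 192.168.1.10 --dport 80 -j ACCEPT
    ########################################################################
    # Masquerade stuff. $trusted_int may hold several networks, so loop    #
    # over it like the allow rules do rather than passing it to -s once.   #
    # If you enable this, set the FORWARD policy to DROP above.            #
    ########################################################################
    #"$iptables" -A FORWARD -i "$iface_ext" -m state --state NEW,INVALID -j REJECT
    #for IPAddress in $trusted_int; do
    #  "$iptables" -t nat -A POSTROUTING -o "$iface_ext" -s "$IPAddress" -j MASQUERADE
    #done
    #echo 1 > /proc/sys/net/ipv4/ip_forward
    ########################################################################
    # End                                                                  #
    ########################################################################
    echo ""
    echo "iptables: Firewall Script Complete"
    ;;
  # Open everything: policies to ACCEPT, then all tables emptied.
  stop | flush)
    echo -n "iptables: Disabling Firewall and Resetting to Defaults"
    flush_tables ACCEPT ACCEPT ACCEPT
    echo ""
    echo "iptables: Firewall Disabled"
    ;;
  # start resets the tables itself, so restart no longer passes through a
  # fully-open "stop" state between two invocations; the end result is the
  # same rule set.
  restart)
    "$0" start
    exit $?
    ;;
  status)
    # The original had "/$iptables", which only worked because "//sbin" is
    # tolerated by the kernel.
    "$iptables" -nxvL --line-numbers | less
    ;;
  # Emergency switch: DROP on every policy, then every rule removed. The
  # loopback ACCEPTs go too, so local services that talk over lo stop working
  # until "start" or "stop" is run.
  lockdown)
    echo -n "iptables: Firewall is Locking down the system (No Traffic IN OR OUT)"
    flush_tables DROP DROP DROP
    echo ""
    echo "iptables: Firewall IN Lockdown Mode"
    ;;
  *)
    echo "Usage: $0 { start | stop | restart | status | lockdown }" >&2
    exit 1
    ;;
esac
exit 0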
fw.tgz
MD5 - 6ef8911ad2a72d4638d7ac44b9f3d21b *fw.tgz
(MD5 is no longer collision-resistant, so a matching digest only guards against accidental corruption, not tampering. Read the script before running it as root.)


