


Content:: Firewall Shell Script (fw.sh)

Shell - Firewall

This shell script uses iptables as its primary firewall. It uses proper TCP rejects rather than just dropping packets. It also doesn't drop everything on the system, just the primary usage ports. Perhaps it should be changed to drop all data, but I expect that if you found this script you know what ports are, how to secure your system, and would prefer taking chunks of this code logic for your own use!

Usage
# ./fw.sh
Usage: ./fw.sh { start | stop | restart | status | lockdown }
start - Starts IPtables the script
stop - Flushes IPtables records. No firewall protection
restart - runs stop then start
status - runs "/$iptables -nxvL --line-numbers |less" to show you what IPtables is doing
lockdown - sets the firewall to deny everything or drop packets by default


You may need to use chmod to set an executable flag on the file.
# chmod 775 fw.sh


The Code
#!/bin/sh
################################################################################
# File Name : fw.sh                                                            #
# Author(s) :                                                                  #
#   Phil Allen <phil@hilands.com>                                              #
# Last Edited By :                                                             #
#   phil@hilands.com                                                           #
# Version : 2013051300                                                         #
#                                                                              #
# Copyright information                                                        #
#                                                                              #
# Copyright (C) 2002-2013 Phil Allen <phil@hilands.com>                        #
#                                                                              #
# This file is free software; you can redistribute it and/or modify            #
# it under the terms of the GNU General Public License as published by         #
# the Free Software Foundation; version 2 of the License.                      #
#                                                                              #
# This program is distributed in the hope that it will be useful,              #
# but WITHOUT ANY WARRANTY; without even the implied warranty of               #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the                #
# GNU General Public License for more details.                                 #
#                                                                              #
# You should have received a copy of the GNU General Public License            #
# along with this program or from the site that you downloaded it              #
# from; if not, write to the Free Software Foundation, Inc., 59 Temple         #
# Place, Suite 330, Boston, MA  02111-1307   USA                               #
#                                                                              #
# General Information (algorithm) :                                            #
#   This script makes use of iptables to create a defacto standard ingress     #
#   firewall configuration.                                                    #
#   We start by resetting iptables configuration to default.                   #
#   By Default all traffic is dropped, configs for use with server stats       #
#   allows data from desired network and logs data to the kern.log (debian).   #
#                                                                              #
#   The server stats portion may need to be re-written to handle proper        #
#   packet drops                                                               #
#                                                                              #
#                                                                              #
# http://oceanpark.com/notes/firewall_example.html                             #
# tarpitting http://www.securityfocus.com/infocus/1723                         #
#                                                                              #
# allow ICMP                                                                   #
# /sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT           #
# same as                                                                      #
# /sbin/iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT                      #
# http://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html          #
# 0 echo-reply 8 echo-request                                                  #
# http://www.faqs.org/docs/linux_network/x-087-2-firewall.example.html         #
#                                                                              #
# /etc/syslog.conf change:                                                     #
# Send iptables LOGDROPs to /var/log/iptables                                  #
# kern.=debug                                             /var/log/iptables    #
# http://www.newartisans.com/blog_files/tricks.with.iptables.php               #
################################################################################
################################################################################
# Strings                                                                      #
################################################################################
# Path to the iptables binary; every arm of the case statement goes through it.
iptables="/sbin/iptables"
# Loopback interface name. (Note: the start arm writes "lo" literally in its
# own rules rather than reading this variable.)
loopback="lo"
# Interface names and the address bound to each side. Edit these for your host.
iface_ext="eth0"          # External interface
iface_int="eth1"          # Internal interface
ip_ext="10.10.10.10"      # External IP address
ip_int="192.168.1.254"    # Internal IP address
# Interface toggles: 1 = use the interface, 0 = do not.
iface_ext_use="1"
iface_int_use="1"
# Syslog level handed to the iptables LOG target (--log-level).
loglvl="alert"
# Address lists. Each is a whitespace-separated string that the start arm
# expands unquoted in "for IPAddress in ..." loops, so one CIDR per line is
# fine and leading/trailing whitespace is harmless.
# Trusted external addresses (admitted by the EXT chain)
trusted_ext="
10.10.10.0/24
"
# Blocked external addresses (rejected with tcp-reset ahead of everything else)
block_ext="
72.16.0.0/12
"
# Trusted internal addresses (admitted by the INT chain)
trusted_int="
192.168.1.0/24
"
################################################################################
#                                                                              #
################################################################################
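# Refuse to run without an executable iptables binary.
# Fixes two defects in the original: the message was printed *after* exit and
# so never appeared, and the script exited 0 — reporting success to whatever
# started it even though no firewall had been configured (fail-open). Now the
# diagnostic goes to stderr and the exit status is non-zero.
if [ ! -x "$iptables" ]; then
	echo "iptables: $iptables file does not exist" >&2
	exit 1
fi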

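# Flush every rule and delete every user chain in the filter, nat and mangle
# tables. Policies are NOT touched here; the caller sets them first, which is
# what makes "stop" fail open (ACCEPT) and "lockdown" fail closed (DROP).
fw_reset_tables() {
	"$iptables" -F && echo -n "."
	"$iptables" -t nat -F && echo -n "."
	"$iptables" -t mangle -F && echo -n "."
	"$iptables" -X && echo -n "."
	"$iptables" -t nat -X && echo -n "."
	"$iptables" -t mangle -X && echo -n "."
}

case "$1" in
	############################################################################
	# Start                                                                    #
	############################################################################
	start)
		# Reset first so nothing from a previous run survives. "flush" also
		# sets every policy to ACCEPT, so the DROP policy below must come
		# after it. This re-invokes the script through $0, hence the chmod
		# note in the usage text.
		"$0" flush
		########################################################################
		# Configure Default Policies                                           #
		########################################################################
		# INPUT fails closed; OUTPUT and FORWARD are left open.
		# NOTE(review): with FORWARD ACCEPT this host forwards between the two
		# interfaces without restriction as soon as ip_forward is switched on
		# (see the commented Masquerade section). Use DROP unless this box is
		# meant to route.
		echo -n "iptables: Configuring Default Chain Policies"
		"$iptables" -P INPUT DROP && echo -n "."
		#"$iptables" -P FORWARD DROP && echo -n "."
		"$iptables" -P FORWARD ACCEPT && echo -n "."
		"$iptables" -P OUTPUT ACCEPT && echo -n "."
		########################################################################
		# Create our personal chains here                                      #
		########################################################################
		echo ""
		echo -n "iptables: Populating Chains"
		# EXT/INT hold the per-interface access rules; the *-traffic chains
		# exist only so that "iptables -nvxL" yields per-service byte/packet
		# counters for server stats. Same creation order as before.
		for chain in EXT INT traffic-output all-traffic www-traffic ssh-traffic \
				mysql-traffic dns-traffic ftp-traffic smtp-traffic uoam-traffic; do
			"$iptables" -N "$chain" && echo -n "."
			"$iptables" -F "$chain" && echo -n "."
		done
		########################################################################
		# Traffic Monitoring for server stats                                  #
		########################################################################
		########################################################################
		# Chain Population - Traffic chain is for packet logging               #
		#   traffic-output is a dummy output to get iptables -nvxL for         #
		#   server stats                                                       #
		#                                                                      #
		# This section creates an input and output monitor, then crams         #
		#   that data into a chain name for easy read access                   #
		#   The INPUT and OUTPUT -j joins should be done before anything else  #
		#   if they are out of order they won't log properly                   #
		########################################################################
		# These chains never ACCEPT or DROP: traffic-output is empty, so every
		# packet returns to INPUT/OUTPUT and is judged by the rules below.
		# Only TCP is counted (UDP 53 for DNS is not).
		#log all
		"$iptables" -A INPUT -j all-traffic && echo -n "."
		"$iptables" -A OUTPUT -j all-traffic && echo -n "."
		"$iptables" -A all-traffic -j traffic-output && echo -n "."
		# port:chain pairs, in the original order (ftp ssh smtp dns http uoam mysql)
		for pair in 21:ftp-traffic 22:ssh-traffic 25:smtp-traffic 53:dns-traffic \
				80:www-traffic 2000:uoam-traffic 3306:mysql-traffic; do
			port=${pair%%:*}
			chain=${pair#*:}
			"$iptables" -A INPUT -p tcp --dport "$port" -j "$chain" && echo -n "."
			"$iptables" -A OUTPUT -p tcp --sport "$port" -j "$chain" && echo -n "."
			"$iptables" -A "$chain" -j traffic-output && echo -n "."
		done
		########################################################################
		# Local LO Interface                                                   #
		########################################################################
		"$iptables" -A INPUT -i lo -j ACCEPT
		"$iptables" -A OUTPUT -o lo -j ACCEPT
		"$iptables" -A FORWARD -i lo -j ACCEPT
		if [ "$iface_ext_use" = "1" ]; then
			####################################################################
			# External block                                                   #
			####################################################################
			echo ""
			echo -n "iptables: Configuring External Interface"
			# $block_ext is expanded unquoted on purpose: it is a whitespace
			# separated list of networks.
			for IPAddress in $block_ext; do
				# block a specific port
				#"$iptables" -A EXT -i "$iface_ext" -s "$IPAddress" -p tcp --dport 80 -j REJECT --reject-with tcp-reset && echo -n
				# block all TCP (a tcp-reset is only meaningful for -p tcp;
				# other protocols from these networks fall to the INPUT DROP policy)
				"$iptables" -A EXT -i "$iface_ext" -s "$IPAddress" -p tcp -j REJECT --reject-with tcp-reset && echo -n "."
			done
			####################################################################
			# External Interface                                               #
			####################################################################
			# Logs every TCP packet that reaches EXT, accepted or rejected, with
			# no rate limit. NOTE(review): on a busy or hostile interface this
			# can flood the kernel log; consider adding "-m limit" to this rule
			# or logging only the final REJECT.
			"$iptables" -A EXT -i "$iface_ext" -p tcp -j LOG --log-level "$loglvl" --log-tcp-options --log-ip-options  --log-prefix '[IPTABLES] : ' && echo -n "."
			# Allow from anyone or anywhere
			#"$iptables" -A EXT -i "$iface_ext" -p tcp --dport 80 -j ACCEPT
			# Allow from TRUSTED NETWORK loop (ping, ssh, smtp, http, mysql)
			for IPAddress in $trusted_ext; do
				"$iptables" -A EXT -i "$iface_ext" -s "$IPAddress" -p icmp -j ACCEPT && echo -n "."
				"$iptables" -A EXT -i "$iface_ext" -s "$IPAddress" -p tcp --dport 22 -j ACCEPT && echo -n "."
				"$iptables" -A EXT -i "$iface_ext" -s "$IPAddress" -p tcp --dport 25 -j ACCEPT && echo -n "."
				"$iptables" -A EXT -i "$iface_ext" -s "$IPAddress" -p tcp --dport 80 -j ACCEPT && echo -n "."
				"$iptables" -A EXT -i "$iface_ext" -s "$IPAddress" -p tcp --dport 3306 -j ACCEPT && echo -n "."
			done
			# Everything TCP that was not accepted above gets a clean reset.
			"$iptables" -A EXT -i "$iface_ext" -p tcp -j REJECT --reject-with tcp-reset && echo -n "."
			####################################################################
			# Add Chains to INPUT                                              #
			####################################################################
			# Replies to connections this host opened are admitted before the
			# EXT chain is consulted.
			"$iptables" -A INPUT -i "$iface_ext" -m state --state ESTABLISHED,RELATED -j ACCEPT && echo -n "."
			"$iptables" -A INPUT -i "$iface_ext" -j EXT && echo -n "."
		fi
		########################################################################
		# Internal Interface                                                   #
		########################################################################
		if [ "$iface_int_use" = "1" ]; then
			# Fix: the original loop iterated $trusted_ext here, so
			# $trusted_int was never used and the internal chain admitted the
			# external trusted range instead of the LAN.
			for IPAddress in $trusted_int; do
				"$iptables" -A INT -i "$iface_int" -s "$IPAddress" -p tcp -j ACCEPT && echo -n "."
			done
			# Only TCP from the trusted LAN is admitted. There is no
			# ESTABLISHED,RELATED rule for this interface, so UDP and ICMP
			# arriving on it (including replies) hit the INPUT DROP policy.
			"$iptables" -A INPUT -i "$iface_int" -j INT && echo -n "."
		fi
		########################################################################
		# port forwarding                                                      #
		########################################################################
		#"$iptables" -t nat -A PREROUTING -p tcp -i "$iface_ext" -d "$ip_ext" --dport 8888 -j DNAT --to 192.168.1.10:80
		#"$iptables" -A FORWARD -p tcp -i "$iface_ext" -d 192.168.1.10 --dport 80 -j ACCEPT
		########################################################################
		# Masquerade stuff                                                     #
		########################################################################
		#"$iptables" -A FORWARD -i "$iface_ext" -m state --state NEW,INVALID -j REJECT
		#"$iptables" -t nat -A POSTROUTING -o "$iface_ext" -s $trusted_int -j MASQUERADE
		#echo 1 > /proc/sys/net/ipv4/ip_forward
		########################################################################
		# End                                                                  #
		########################################################################
		echo ""
		echo "iptables: Firewall Script Complete"
		;;
	# "flush" is an undocumented alias used internally by "start".
	stop | flush)
		# Policies go to ACCEPT before the rules are removed: after this the
		# host has no packet filtering at all.
		echo -n "iptables: Disabling Firewall and Resetting to Defaults"
		"$iptables" -P INPUT ACCEPT && echo -n "."
		"$iptables" -P FORWARD ACCEPT && echo -n "."
		"$iptables" -P OUTPUT ACCEPT && echo -n "."
		fw_reset_tables
		echo ""
		echo "iptables: Firewall Disabled"
		;;
	restart)
		"$0" stop
		"$0" start
		exit $?
		;;
	status)
		# Fix: the original wrote "/$iptables", which prefixed a second slash
		# onto the path.
		"$iptables" -nxvL --line-numbers | less
		;;
	lockdown)
		# Policies go to DROP and then every rule is removed, so no
		# ESTABLISHED rule survives: this will also sever the session you run
		# it from if that session came in over the network.
		echo -n "iptables: Firewall is Locking down the system (No Traffic IN OR OUT)"
		"$iptables" -P INPUT DROP && echo -n "."
		"$iptables" -P FORWARD DROP && echo -n "."
		"$iptables" -P OUTPUT DROP && echo -n "."
		fw_reset_tables
		echo ""
		echo "iptables: Firewall IN Lockdown Mode"
		;;
	*)
		echo "Usage: $0 { start | stop | restart | status | lockdown }"
		exit 1
		;;
esac
exit 0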


fw.tgz
Download 169 bytes
MD5 - 6ef8911ad2a72d4638d7ac44b9f3d21b *fw.tgz

Last Modified: 2013-05-13