Iptables firewall


Przedstawiam Firewalla. [code] #!/bin/sh #######################################

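### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs $network $named $time $syslog $remote_fs
# Required-Stop:     $local_fs $network $named $time $syslog $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Description:       Personal Firewall - Preventing attacks/open common ports
### END INIT INFO
# The LSB header and section titles above/below are comments again; as
# pasted, lines such as "BEGIN INIT INFO" and "Provides: firewall" had lost
# their '#' and would have been executed as (nonexistent) commands.

### Module loading ###
# Refresh module dependency data so the modprobe calls below can resolve.
/sbin/depmod -a

### Required modules ###
# One modprobe per line: the pasted version had all of them on a single
# line, i.e. one modprobe call with every other word as an argument.
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ipt_REJECT
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit

### Non-Required modules ###
# NOTE(review): the '-m state' and '-m recent' rules in start() need
# connection tracking; ip_conntrack stays commented out here, so it is
# presumably autoloaded by the kernel on this host - confirm.
#/sbin/modprobe ipt_owner
#/sbin/modprobe iptable_mangle
#/sbin/modprobe ip_conntrack
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ipt_MASQUERADE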

# To start the firewall

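#######################################
# Load the firewall: flush all chains, install INPUT rules, add NAT rules.
# Globals:   EXT (written; 0 on completion)
# Arguments: none
# Outputs:   banner, 'netstat -tuanp' listing and hints to stdout
# Returns:   status of the last command; individual iptables failures are
#            not checked (the script runs without 'set -e')
#######################################
start() {
  ### Allow Forward ip ###
  # NOTE(review): the FORWARD chain is only flushed below and never gets
  # rules or a policy, so once forwarding is on, anything routed through
  # this host passes unfiltered - confirm the box is meant to route.
  echo 1 > /proc/sys/net/ipv4/ip_forward

  ### Flush any Existing iptable Rules and start afresh ###
  iptables -F INPUT
  iptables -F OUTPUT
  iptables -F FORWARD
  iptables -F POSTROUTING -t nat
  iptables -F PREROUTING -t nat

  # Rule comments use '#'. The trailing '//...' text in the pasted version
  # was handed to iptables as extra arguments, so every rule carrying one -
  # including the final REJECT - failed to load and the host was left
  # without a default deny.

  ### PERSONALIZED RULES 22 PORT ###
  # Moved ahead of the unconditional port-22 ACCEPT in "Local Ports":
  # iptables stops at the first terminating match, so behind that ACCEPT
  # these four rules could never fire. Order: record the source on a NEW
  # connection, reject/log sources over the threshold, then fall through to
  # the plain ACCEPT below.
  # NOTE(review): the --rcheck/--update rules match any port-22 packet, not
  # only NEW ones, so a source over the threshold also has its existing
  # sessions reset for as long as it keeps sending - confirm intended.
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m state --state NEW -m recent --set --name SSH --rsource
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m recent --rcheck --seconds 30 --hitcount 4 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset   # Protection bruteforce SSH
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m recent --rcheck --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j LOG --log-prefix "SSH brute force "
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m recent --update --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset

  ### PERSONALIZED RULES 80 PORT ###
  # Also moved ahead of the unconditional port-80 ACCEPT for the same reason.
  # NOTE(review): that ACCEPT still takes every packet this limit lets
  # through *and* every one it does not, so the limit has no effect until
  # that line is removed - left as written pending a decision on the
  # intended web policy.
  iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT   # Protection DDoS attacks

  ### Setting up Port Services ###
  iptables -A INPUT -p tcp --dport 25 -j ACCEPT    # incoming mail
  iptables -A INPUT -p tcp --dport 53 -j ACCEPT    # dns - tcp for large queries
  iptables -A INPUT -p udp --dport 53 -j ACCEPT    # dns - udp for small queries
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT    # apache
  iptables -A INPUT -p tcp --dport 443 -j ACCEPT   # apache ssl
  iptables -A INPUT -p udp --dport 161 -j ACCEPT   # snmpd
  iptables -A INPUT -p tcp --dport 953 -j ACCEPT   # dns internal
  iptables -A INPUT -p tcp --dport 1080 -j ACCEPT  # dante socks server
  # '-p all --dport 3020' is refused by iptables (--dport needs a transport
  # protocol match); one rule each for tcp and udp keeps the port open.
  iptables -A INPUT -p tcp --dport 3020 -j ACCEPT  # cifs-smb
  iptables -A INPUT -p udp --dport 3020 -j ACCEPT  # cifs-smb
  iptables -A INPUT -p tcp --dport 3128 -j ACCEPT  # squid
  iptables -A INPUT -p tcp --dport 4949 -j ACCEPT  # munin stats

  ### Setting up Local Ports ###
  iptables -A INPUT -d 192.168.1.120 -p udp --dport 9 -j ACCEPT       # WOL (wake on lan)
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 20:21 -j ACCEPT   # ftp
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -j ACCEPT      # sshd (after the brute-force checks above)
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 139 -j ACCEPT     # samba
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 993 -j ACCEPT     # imaps
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 3306 -j ACCEPT    # mysql
  iptables -A INPUT -d 192.168.1.120 -p tcp --dport 8000 -j ACCEPT    # apache on phi
  iptables -A INPUT -s 192.168.1.120 -p tcp --dport 8080 -j ACCEPT    # tomcat
  iptables -A INPUT -s 127.0.0.1 -p tcp --dport 111 -j ACCEPT         # to speed up mail via courier. Identified via logging
  iptables -A INPUT -s 127.0.0.1 -p tcp --dport 143 -j ACCEPT         # squirrelmail

  ### Preventing Attacks ###
  iptables -A INPUT -p icmp -j ACCEPT              # Allow ICMP Ping packets.
  # NOTE(review): this accepts any TCP packet carrying ACK, to any port,
  # before the flag/state/limit rules below ever see it; the usual form is
  # an '-m state --state ESTABLISHED,RELATED' accept. Left as written.
  iptables -A INPUT -p tcp --tcp-flags ACK ACK -j ACCEPT                      # Accept traffic with the ACK flag set
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP                       # Deny all null packets
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP                        # Deny all recon packets
  iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP                        # nmap FIN stealth scan
  iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP                # SYN + FIN
  iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP                # SYN + RST
  iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP                # FIN + RST
  iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP                # FIN + URG + PSH
  iptables -A INPUT -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j DROP    # XMAS
  iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP                    # FIN without ACK
  iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP                    # PSH without ACK
  iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP                    # URG without ACK
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP               # Deny SYN flood attack
  # NOTE(review): packets above 50/second do not match the two limited
  # accepts and fall through to the final REJECT, so busy legitimate
  # connections get reset - confirm the rate is intended.
  iptables -A INPUT -m state --state ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT   # Accept traffic with ESTABLISHED flag set (limit - DDoS prevent)
  iptables -A INPUT -m state --state RELATED -m limit --limit 50/second --limit-burst 50 -j ACCEPT       # Accept traffic with RELATED flag set (limit - DDoS prevent)
  iptables -A INPUT -m state --state INVALID -j DROP                          # Deny traffic with the INVALID flag set
  #################################

  ########### CLOSE ALL ############
  iptables -A INPUT -j REJECT                      # Close up firewall. All else blocked.

  ######### PORT FORWARDING #######
  # 1.2.3.4 is the address given in the post; replace with the real one.
  iptables -t nat -A PREROUTING -p tcp -d 192.168.1.120 --dport 8000 -j DNAT --to 1.2.3.4:80
  iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4                 # for static ip
  #iptables -t nat -A POSTROUTING -d 1.2.3.4 -j MASQUERADE                    # for dynamic ip
  #################################

  echo "--------------------------------------------------"
  echo "Firewall Loaded"
  echo "--------------------------------------------------"
  echo "Netstat output:"
  echo ""
  netstat -tuanp
  echo "Verify enabled rules with:"
  echo "filter) iptables -L -nvx"
  echo "nat) iptables -t nat -L -nvx"
  echo "script) firewall.sh status"
  EXT=0
}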

# To stop the firewall

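#######################################
# Stop the firewall: disable IP forwarding and report.
# Rules are not flushed here; the 'stop' dispatch arm calls clear() first.
# Globals:   EXT (written; 0)
# Arguments: none
# Outputs:   banner to stdout
#######################################
stop() {
  ### Deny Forward ip ###
  # Written one statement per line: as pasted, the '###' comment after '{'
  # swallowed the rest of the line, including the closing brace.
  echo 0 > /proc/sys/net/ipv4/ip_forward
  echo "--------------------------------------------------"
  echo "Firewall Stopped"
  echo "--------------------------------------------------"
  EXT=0
}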

# To clear rules

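#######################################
# Flush every rule in the filter chains and the nat chains used by start().
# Chain policies are not touched, so after clear() the host is open.
# Note: the name shadows the 'clear' terminal utility within this script;
# kept because the dispatch below calls it by this name.
# Globals:   EXT (written; 0)
# Arguments: none
#######################################
clear() {
  # One command per line: the pasted one-liner ran a single iptables call
  # with all the other words (and the '}') as its arguments.
  iptables -F INPUT
  iptables -F OUTPUT
  iptables -F FORWARD
  iptables -F POSTROUTING -t nat
  iptables -F PREROUTING -t nat
  EXT=0
}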

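# Dispatch on the init action. Every arm sets EXT, which becomes the exit
# status. '$1' is quoted so an empty or space-containing argument still
# reaches the usage arm instead of being word-split.
case "$1" in
  start)
    clear
    start
    ;;
  stop)
    clear
    stop
    ;;
  restart)
    # Flushes, waits briefly, then reloads; stop() is not called, so
    # ip_forward stays at 1 throughout.
    clear
    sleep 2
    start
    ;;
  status)
    echo "--------------------------------------------------"
    echo "--------------------------------------------------"
    echo "Status Firewall"
    echo "--------------------------------------------------"
    #iptables -L -n
    echo "--------------------------------------------------"
    echo "FILTER"
    echo "--------------------------------------------------"
    iptables -L -nvx
    echo "--------------------------------------------------"
    echo "NAT"
    echo "--------------------------------------------------"
    iptables -t nat -L -nvx
    EXT=0
    ;;
  *)
    echo "Usage: firewall.sh {start|stop|restart|status}"
    EXT=1
    ;;
esac
exit "$EXT"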