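#!/usr/bin/env bash
#
# Home router / firewall rule set for a Linux box with two interfaces.
#
# Topology
#
#   PC 1..3 --- switch --- [ eth0 192.168.1.1 | Linux firewall | eth2 DHCP ] --- modem --- ISP
#                                 (LAN)                            (WAN)
#
# What the rules do
#   * INPUT and FORWARD default to DROP, OUTPUT to ACCEPT.
#   * LAN -> WAN traffic is forwarded and masqueraded; a handful of services
#     go through SYN rate-limiting chains (limit1 .. limit1000) first.
#   * Two LAN hosts get a BitTorrent port range DNAT'd to them from the WAN.
#   * New connections to the firewall itself and all pings are logged.
#
# Configuration comes from the environment; the defaults are the original
# deployment values.  Must run as root.  Re-running is safe: every table is
# flushed first.
#
# Changes relative to the original version of this script (review):
#   * Policies are set right after the flush, so the box is never fail-open
#     while rules are being installed.
#   * INVALID packets are dropped on INPUT and FORWARD (the original rules
#     were commented out and pointed at a chain that was never created).
#   * The "accept anything with source port 123 / 22" INPUT rules are gone:
#     ESTABLISHED,RELATED already admits replies, and a source-port match
#     lets any remote host reach any port on the firewall simply by picking
#     that source port.
#   * NTP on INPUT is rate limited in place.  The limit chains only contain
#     TCP matches, so a UDP packet jumped to limit10 fell straight through.
#   * Per-service FORWARD rules are restricted to LAN -> WAN and precede the
#     blanket LAN -> WAN accept.  Without an interface match, and placed
#     after the blanket accept, they could only ever match WAN -> LAN
#     traffic, which is the opposite of their "INT ACCEPT" labels.
#   * Each limit chain ends in DROP so "only accept N new connections per
#     second" actually holds; before, the excess fell through to whatever
#     rule came next.
#   * Port-forward FORWARD rules match the DNAT'd destination (-d) on the
#     WAN side.  Matching the LAN source (-s) never admitted an inbound
#     connection, so the port forwards did not work.
#   * DNAT targets are on 192.168.1.0/24, the LAN per the topology above.
#     The original used 192.168.0.x, a subnet this box has no interface on.
#     NOTE(review): verify against the hosts' real addresses.
#   * LOG rules are rate limited so a port scan cannot fill the disk.
#   * log_martians is written as 1; the original wrote 0 under the heading
#     "Log impossible packets", which disables it.

set -euo pipefail

# Interfaces.
readonly LAN_IF=${LAN_IF:-eth0}
readonly WAN_IF=${WAN_IF:-eth2}
# LAN hosts that run BitTorrent and the inbound TCP port range each listens on.
readonly TORRENT_HOST_A=${TORRENT_HOST_A:-192.168.1.133}
readonly TORRENT_PORTS_A=${TORRENT_PORTS_A:-43067:43083}
readonly TORRENT_HOST_B=${TORRENT_HOST_B:-192.168.1.122}
readonly TORRENT_PORTS_B=${TORRENT_PORTS_B:-43084:43092}
# Rate limit applied to every LOG rule (iptables -m limit syntax).
readonly LOG_RATE=${LOG_RATE:-10/min}
readonly LOG_BURST=${LOG_BURST:-20}

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Progress message, one per section (replaces the original echo lines).
#######################################
say() {
  printf '%s\n' "$*"
}

#######################################
# Write a value to a /proc/sys tunable.
# Arguments: $1 - full /proc path, $2 - value
#######################################
proc_write() {
  local path=$1 value=$2
  printf '%s\n' "$value" > "$path" || die "cannot write $value to $path"
}

#######################################
# Append a rate-limited LOG rule.
# Arguments: $1 - chain, $2 - log prefix, rest - match arguments
#######################################
log_rule() {
  local chain=$1 prefix=$2
  shift 2
  iptables -A "$chain" "$@" \
    -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
    -j LOG --log-prefix "$prefix"
}

#######################################
# Create (or reset) a SYN rate-limiting chain.
# Non-SYN segments are accepted, SYNs are accepted at most RATE per
# second, and anything above that is dropped.  Only TCP is matched, so
# do not send UDP through these chains.
# Arguments: $1 - chain name, $2 - rate, e.g. 10/s
#######################################
make_limit_chain() {
  local name=$1 rate=$2
  iptables -N "$name" 2>/dev/null || true  # exists already on a re-run
  iptables -F "$name"
  iptables -A "$name" -p tcp --syn -m limit --limit "$rate" -j ACCEPT
  iptables -A "$name" -p tcp ! --syn -j ACCEPT
  iptables -A "$name" -j DROP
}

#######################################
# Per-service LAN -> WAN forwarding rule.
# Arguments: $1 - protocol, $2 - destination port(s), $3 - target chain
#######################################
lan_to_wan() {
  local proto=$1 ports=$2 target=$3
  iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" --dport "$ports" -j "$target"
}

main() {
  (( EUID == 0 )) || die "must be run as root"
  command -v iptables >/dev/null || die "iptables not found"

  say "Flush tables"
  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
  iptables -X

  say "Set policy"
  # Fail closed before anything else is loaded.  The ESTABLISHED rule goes
  # in a few lines further down, so an admin session doing the reload only
  # sees a short stall, not a cut-off.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT

  say "Limit chains"
  make_limit_chain limit1 1/s
  make_limit_chain limit10 10/s
  make_limit_chain limit50 50/s
  make_limit_chain limit100 100/s
  make_limit_chain limit1000 1000/s

  say "Deny all invalid packets"
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A FORWARD -m state --state INVALID -j DROP

  say "Allow established connections"
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  say "Allow loopback (127.0.0.1) traffic"
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  say "Accept DHCP requests"
  # The firewall is the DHCP server for the LAN side only.
  iptables -A INPUT -i "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT

  say "Drops"
  say "Kazaa probes"
  iptables -A INPUT -p tcp --dport 1214 -j DROP
  iptables -A INPUT -p udp --dport 1214 -j DROP

  say "Logs"
  say "LOW/HIGH TCP/UDP CONNECTION (log'd)"
  log_rule INPUT "LOW PORT TCP CONNECTION: " -p tcp --dport 0:1023 -m state --state NEW
  # The two UDP ranges leave out 43067:43092, the BitTorrent ports above.
  log_rule INPUT "HIGH PORT UDP CONNECTION:" -p udp -m state --state NEW --dport 1024:43066
  say "OMIT TORRENT UDP PORTS 43067:43092"
  log_rule INPUT "HIGH PORT UDP CONNECTION:" -p udp -m state --state NEW --dport 43093:65535

  say "Log pings"
  # Logged only; the INPUT policy drops them afterwards.
  log_rule INPUT "ECHO: (PING,PONG) " -p icmp

  say "Accepts"
  say "ALL ACCEPT: ntp"
  # Rate limited here rather than via limit10, which only matches TCP.
  iptables -A INPUT -p udp --dport 123 -m limit --limit 10/s -j ACCEPT

  say "INT ACCEPT: NetBEUI"
  lan_to_wan tcp 135:139 limit1000
  lan_to_wan udp 135:139 ACCEPT
  lan_to_wan tcp 445 limit10

  say "ALL ACCEPT: ssh"
  lan_to_wan tcp 22 limit100

  say "LOCAL ACCEPT: dns"
  lan_to_wan tcp 53 limit1000
  lan_to_wan udp 53 ACCEPT

  say "INT ACCEPT: http"
  lan_to_wan tcp 80 limit1000

  say "INT ACCEPT: irc"
  lan_to_wan tcp 6667 limit50

  say "ALL ACCEPT: identd"
  lan_to_wan tcp 113 limit10

  # Everything else from the LAN goes out unrestricted.  This must come
  # after the per-service rules or the limits above never apply.
  iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT

  say "Accept BitTorrent Traffic"
  # DNAT'd connections arrive on the WAN side already addressed to the
  # LAN host, so they are matched on destination, not source.
  iptables -A FORWARD -i "$WAN_IF" -d "$TORRENT_HOST_A" -p tcp --dport "$TORRENT_PORTS_A" -j ACCEPT
  iptables -A FORWARD -i "$WAN_IF" -d "$TORRENT_HOST_B" -p tcp --dport "$TORRENT_PORTS_B" -j ACCEPT

  say "NAT"
  iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
  iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$TORRENT_PORTS_A" \
    -j DNAT --to-destination "$TORRENT_HOST_A"
  iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$TORRENT_PORTS_B" \
    -j DNAT --to-destination "$TORRENT_HOST_B"

  # Forwarding is switched on only now that the FORWARD rules are loaded.
  say "Ok forwarding with the system"
  proc_write /proc/sys/net/ipv4/ip_forward 1

  say "Ignore all Broadcasts pings"
  proc_write /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

  say "Decrease tcp timeouts to prevent DoS"
  proc_write /proc/sys/net/ipv4/tcp_fin_timeout 30
  proc_write /proc/sys/net/ipv4/tcp_keepalive_time 1800
  proc_write /proc/sys/net/ipv4/tcp_window_scaling 1
  # Kept from the original.  NOTE(review): turning SACK off costs
  # throughput on lossy links; confirm this is still wanted.
  proc_write /proc/sys/net/ipv4/tcp_sack 0

  say "Ignore dead errors"
  proc_write /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1

  say "Log impossible packets"
  # 1 enables martian logging; the original wrote 0 here, which disables it.
  proc_write /proc/sys/net/ipv4/conf/all/log_martians 1
}

main "$@"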