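#!/bin/bash
#
# iptables ruleset for a small Linux NAT gateway: LAN on eth0 (192.168.1.1),
# WAN on eth2 (address from the modem via DHCP).  Must run as root; every run
# flushes and rebuilds the whole ruleset.
#
# Topology
#
#   +-------+
#   | PC 1  +<--+
#   +-------+   |                     +--------------------+
#   +-------+   |   +--------+        | 192.168.1.1 : eth0 |                               +-- pr0n
#   | PC 2  +<--+-->+ Switch +<------>+ (LAN)              |          +-------+            |
#   +-------+   |   +--------+        |    Linux Firewall  | Ethernet |       |            |
#   +-------+   |                     |              (WAN) +<-------->+ Modem +<-- ISP --> Internet --+-- torrents
#   | PC 3  +<--+                     | DHCP : eth2        |          +-------+            |
#   +-------+                         +--------------------+                               +-- lolcatz
#
# Design note: the built-in chain policies are ACCEPT, as in the original
# version of this script.  The box blocks a few ports, rate-limits a few
# services and logs the rest; anything not matched below is allowed.  To go
# default-deny, set INPUT/FORWARD to DROP in set_policies and add ACCEPT rules
# for whatever the LAN must reach on the firewall itself (the lo, conntrack,
# LAN->WAN, DHCP and DNAT-target accepts below are already in place).
#
# Fixes relative to the original:
#   * the limitN chains only ACCEPTed and then fell off the end, so an
#     over-limit SYN returned to the caller and hit the ACCEPT policy -- the
#     "synflood protection" never dropped anything.  They now end in LOG+DROP.
#   * the DNAT targets were 192.168.0.x while the LAN is 192.168.1.0/24
#     (topology above, and the FORWARD rules used 192.168.1.x).
#   * stateless "reply" accepts (any UDP with sport 123, any non-SYN TCP with
#     sport 22) were dropped: conntrack already accepts real replies, and
#     those rules let anyone reach the box by choosing that source port.
#   * LOG rules are rate-limited so a remote host cannot fill syslog.
#   * log_martians was written as 0 under a comment saying "log"; it is now 1.
#   * the script aborts on the first failing command instead of silently
#     leaving a half-applied ruleset.

set -euo pipefail
trap 'printf "firewall: failed at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

# ---- Site parameters --------------------------------------------------------
readonly LAN_IF=eth0                  # 192.168.1.1, switch side
readonly WAN_IF=eth2                  # address by DHCP from the modem
readonly LAN_NET=192.168.1.0/24
readonly TORRENT_HOST_A=192.168.1.133 # inbound TCP 43067:43083 is DNATed here
readonly TORRENT_PORTS_A=43067:43083
readonly TORRENT_HOST_B=192.168.1.122 # inbound TCP 43084:43092 is DNATed here
readonly TORRENT_PORTS_B=43084:43092
# Budget applied to every LOG rule (token bucket, shared per rule).
readonly LOG_LIMIT=(-m limit --limit 10/min --limit-burst 20)

die() { printf '%s\n' "$*" >&2; exit 1; }

# Progress marker so a failure under set -e is easy to place.
stage() { printf '== %s\n' "$*"; }

#######################################
# Create a rate-limit chain that actually denies over-limit traffic.
# TCP: SYNs are limited, non-SYN segments pass (conntrack handles the rest).
# Other protocols (the NTP rule sends UDP here) get the same budget.
# Anything left over is logged (limited) and dropped.
# Arguments: $1 - chain name, $2 - rate for -m limit (e.g. 10/s)
#######################################
make_limit_chain() {
  local chain=$1 rate=$2
  iptables -N "$chain"
  iptables -A "$chain" -p tcp --syn -m limit --limit "$rate" -j ACCEPT
  iptables -A "$chain" -p tcp ! --syn -j ACCEPT
  iptables -A "$chain" ! -p tcp -m limit --limit "$rate" -j ACCEPT
  iptables -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "RATELIMIT ${chain}: "
  iptables -A "$chain" -j DROP
}

#######################################
# Log NEW packets to the firewall itself for one protocol/port range.
# Arguments: $1 - tcp|udp, $2 - dport range "lo:hi", $3 - log prefix
#######################################
log_new() {
  local proto=$1 ports=$2 prefix=$3
  iptables -A INPUT -p "$proto" -m state --state NEW --dport "$ports" \
    "${LOG_LIMIT[@]}" -j LOG --log-prefix "$prefix"
}

#######################################
# Write one net.ipv4 sysctl through /proc.
# Arguments: $1 - key relative to /proc/sys/net/ipv4, $2 - value
#######################################
set_ipv4_sysctl() {
  local key=$1 value=$2
  printf '%s\n' "$value" > "/proc/sys/net/ipv4/${key}"
}

flush_rules() {
  stage "Flush tables"
  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
  iptables -X
}

set_policies() {
  stage "Set policies (default-accept, see header)"
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
}

build_limit_chains() {
  stage "Limit chains"
  local spec
  for spec in limit1:1/s limit10:10/s limit50:50/s limit100:100/s limit1000:1000/s; do
    make_limit_chain "${spec%%:*}" "${spec#*:}"
  done
}

base_rules() {
  stage "Base rules"
  # Loopback (127.0.0.1).
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # The original intended to drop INVALID but pointed the rules at a chain
  # ("all-in") that was never created; apply it to the real chains.
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A FORWARD -m state --state INVALID -j DROP

  # Replies and related traffic for anything already allowed.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # LAN -> WAN, restricted to the LAN prefix so spoofed sources are not NATed.
  # Every FORWARD rule after this one therefore only sees WAN -> LAN traffic,
  # which in this setup only exists for the DNATed torrent ports.
  iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT

  # DHCP requests from the LAN to the firewall.
  iptables -A INPUT -i "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
}

drop_rules() {
  stage "Drops"
  # Kazaa probes.
  iptables -A INPUT -p tcp --dport 1214 -j DROP
  iptables -A INPUT -p udp --dport 1214 -j DROP
}

log_rules() {
  stage "Logs"
  # The gaps are deliberate and kept from the original: UDP 53 and the
  # torrent TCP ranges (2700:2720, 6882:6888, 43066) are not logged.
  log_new udp 0:52        "LOW UDP: "
  log_new udp 54:1023     "LOW UDP: "
  log_new udp 1024:65535  "HIGH UDP: "
  log_new tcp 1024:2699   "HIGH TCP: "
  log_new tcp 2721:6881   "HIGH TCP: "
  log_new tcp 6889:43065  "HIGH TCP: "
  log_new tcp 43067:65535 "HIGH TCP: "

  # Every ICMP packet, both directions of a ping.
  iptables -A INPUT -p icmp "${LOG_LIMIT[@]}" -j LOG --log-prefix "ECHO: (PING,PONG) "
}

accept_rules() {
  stage "Accepts"
  # NTP requests to the firewall; replies are covered by conntrack.
  iptables -A INPUT -p udp --dport 123 -j limit10

  # NetBIOS / SMB forwarded toward the LAN.
  iptables -A FORWARD -p tcp --dport 135:139 -j limit1000
  iptables -A FORWARD -p udp --dport 135:139 -j ACCEPT
  iptables -A FORWARD -p tcp --dport 445 -j limit10

  # ssh, dns, http, irc, identd forwarded toward the LAN.  The limit chains
  # now terminate, so the unconditional ACCEPTs the original placed after
  # the dns and identd limits (which made the limit a no-op) are gone.
  iptables -A FORWARD -p tcp --dport 22 -j limit100
  iptables -A FORWARD -p tcp --dport 53 -j limit1000
  iptables -A FORWARD -p tcp --dport 80 -j limit1000
  iptables -A FORWARD -p tcp --dport 6667 -j limit50
  iptables -A FORWARD -p tcp --dport 113 -j limit10

  # BitTorrent: traffic DNATed in nat_rules arrives WAN -> LAN.
  iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$TORRENT_HOST_A" \
    -p tcp --dport "$TORRENT_PORTS_A" -j ACCEPT
  iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$TORRENT_HOST_B" \
    -p tcp --dport "$TORRENT_PORTS_B" -j ACCEPT
}

nat_rules() {
  stage "NAT"
  iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
  iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$TORRENT_PORTS_A" \
    -j DNAT --to-destination "$TORRENT_HOST_A"
  iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$TORRENT_PORTS_B" \
    -j DNAT --to-destination "$TORRENT_HOST_B"
}

kernel_tuning() {
  stage "Kernel"
  # Enable routing only after the rules are in place.
  set_ipv4_sysctl ip_forward 1

  # Left off in the original; uncomment to ignore broadcast pings.
  #set_ipv4_sysctl icmp_echo_ignore_broadcasts 1

  # Shorter TCP timeouts.
  set_ipv4_sysctl tcp_fin_timeout 30
  set_ipv4_sysctl tcp_keepalive_time 1800
  set_ipv4_sysctl tcp_window_scaling 1
  set_ipv4_sysctl tcp_sack 0

  # Ignore bogus ICMP error responses.
  set_ipv4_sysctl icmp_ignore_bogus_error_responses 1

  # Log packets with impossible source addresses (was 0 in the original,
  # contradicting its own comment).
  set_ipv4_sysctl conf/all/log_martians 1
}

main() {
  [[ ${EUID} -eq 0 ]] || die "firewall: must run as root"
  command -v iptables >/dev/null || die "firewall: iptables not found"

  flush_rules
  set_policies
  build_limit_chains
  base_rules
  drop_rules
  log_rules
  accept_rules
  nat_rules
  kernel_tuning
}

# Run only when executed, so the helpers can be sourced for inspection.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi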