An iptables script that is useful for IPCop

Source: Internet
Author: User

A useful iptables script for IPCop (written by a friend). I do not remember who wrote it; if you know, please tell me by mail (ayihu@qq.com):

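#!/bin/sh
#
# Firewall      Starting Firewall
#
# chkconfig: 2345 98 01
# description: setting Firewall
#
# This copy was recovered from a whitespace- and case-mangled paste:
# variable, interface, chain and target names, and the spacing between
# iptables options, were restored to the forms /bin/sh and iptables
# actually accept.  Check the "Set parameters" section before use.
##########################################################################
# Set parameters
##########################################################################
INNER_NET=192.168.0.0/24     # LAN network, set freely
FWALL_IP=192.168.0.1         # the firewall's real LAN IP
INNER_PORT=eth1              # LAN-side interface
OUTER_PORT=ppp0              # WAN-side interface
IPTABLES=/sbin/iptables      # iptables command
MODPROBE=/sbin/modprobe      # modprobe command

# Stop immediately if a tool is missing; otherwise every rule below would
# fail quietly and the box would be left with whatever ruleset it had.
for tool in "$IPTABLES" "$MODPROBE"; do
  if [ ! -x "$tool" ]; then
    printf 'firewall: %s not found or not executable\n' "$tool" >&2
    exit 1
  fi
done
##########################################################################
# Module loading and kernel settings
##########################################################################
"$MODPROBE" ip_tables
"$MODPROBE" iptable_filter
"$MODPROBE" ip_conntrack
"$MODPROBE" iptable_nat
"$MODPROBE" ip_nat_ftp
"$MODPROBE" ip_conntrack_ftp
"$MODPROBE" ipt_state
"$MODPROBE" ipt_MASQUERADE
"$MODPROBE" ipt_LOG
"$MODPROBE" ipt_REJECT
"$MODPROBE" ipt_limit
# Allow IP masquerading (packet forwarding between interfaces)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Ignore pings sent to a broadcast address
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Source address verification (reverse-path filter)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
# Log impossible (spoofed) source addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > "$f"; done
# Ignore ICMP redirect messages.  The mangled copy wrote 1 here, which
# *accepts* redirects; 0 is what this comment has always intended.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done
##########################################################################
# Initialise rules
##########################################################################
"$IPTABLES" -P INPUT DROP      # default policy for INPUT
"$IPTABLES" -P OUTPUT DROP     # default policy for OUTPUT
"$IPTABLES" -P FORWARD DROP    # default policy for FORWARD
"$IPTABLES" -F                 # flush the filter chains
"$IPTABLES" -F -t nat          # flush the nat chains
"$IPTABLES" -X                 # delete user-defined chains
##########################################################################
# User-defined chains
##########################################################################
#
# Log and discard invalid packets (rate-limited so the log cannot be flooded)
#
"$IPTABLES" -N droppacket
"$IPTABLES" -A droppacket -m limit --limit 1/s --limit-burst 10 \
  -j LOG --log-prefix "Invalid_packet:" --log-level 3
"$IPTABLES" -A droppacket -j DROP
#
# SYN flood check
#
"$IPTABLES" -N synflood
# Within the limit: return to the calling chain
"$IPTABLES" -A synflood -m limit --limit 10/s --limit-burst 20 -j RETURN
# Over the limit: treat as a SYN flood, log and discard
"$IPTABLES" -A synflood -m limit --limit 1/s --limit-burst 10 \
  -j LOG --log-level 1 --log-prefix "Synflood:"
"$IPTABLES" -A synflood -j DROP
#
# Log and discard TCP packets with illegal flag combinations
#
"$IPTABLES" -N dropflags
"$IPTABLES" -A dropflags -m limit --limit 1/s --limit-burst 10 \
  -j LOG --log-prefix "Invalid_flags:" --log-level 3
"$IPTABLES" -A dropflags -j DROP
#
# Check for illegal TCP flag combinations
#
"$IPTABLES" -N chkflags
"$IPTABLES" -A chkflags -p tcp --tcp-flags ACK,FIN FIN -j dropflags
"$IPTABLES" -A chkflags -p tcp --tcp-flags ACK,PSH PSH -j dropflags
"$IPTABLES" -A chkflags -p tcp --tcp-flags ACK,URG URG -j dropflags
"$IPTABLES" -A chkflags -p tcp --tcp-flags FIN,RST FIN,RST -j dropflags
"$IPTABLES" -A chkflags -p tcp --tcp-flags SYN,FIN SYN,FIN -j dropflags
"$IPTABLES" -A chkflags -p tcp --tcp-flags SYN,RST SYN,RST -j dropflags
"$IPTABLES" -A chkflags -p tcp --tcp-flags ALL ALL -j dropflags
"$IPTABLES" -A chkflags -p tcp --tcp-flags ALL NONE -j dropflags
"$IPTABLES" -A chkflags -p tcp --tcp-flags ALL FIN,PSH,URG -j dropflags
"$IPTABLES" -A chkflags -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j dropflags
"$IPTABLES" -A chkflags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j dropflags
#
# Reject Microsoft-networking traffic (checked on OUTPUT and FORWARD)
#
"$IPTABLES" -N chkmsnet
"$IPTABLES" -A chkmsnet -p tcp --dport 42 -j DROP        # WINS
"$IPTABLES" -A chkmsnet -p tcp --dport 135 -j DROP       # MS-RPC
"$IPTABLES" -A chkmsnet -p udp --dport 135 -j DROP       # MS-RPC
"$IPTABLES" -A chkmsnet -p udp --dport 137:138 -j DROP   # MS browse (the mangled copy listed this rule twice)
"$IPTABLES" -A chkmsnet -p tcp --dport 139 -j DROP       # SMB
"$IPTABLES" -A chkmsnet -p tcp --dport 445 -j DROP       # direct-hosted SMB
##########################################################################
# INPUT chain
##########################################################################
# localhost: allow everything
"$IPTABLES" -A INPUT -i lo -j ACCEPT
# Packet sanity check
"$IPTABLES" -A INPUT -m state --state INVALID -j droppacket
# SYN flood check
"$IPTABLES" -A INPUT -p tcp --syn -j synflood
# TCP flag check
"$IPTABLES" -A INPUT -p tcp -j chkflags
# Allow connections from inside the LAN
"$IPTABLES" -A INPUT -i "$INNER_PORT" -s "$INNER_NET" -j ACCEPT
# Allow already established connections
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: a LAN source address must never arrive on the WAN side
"$IPTABLES" -A INPUT -i "$OUTER_PORT" -s "$INNER_NET" -j DROP
#
# Permitted services.  These rules carry no -i, so they are reachable from
# the WAN side as well; add -i "$INNER_PORT" to any service that should
# only be offered to the LAN.
#
"$IPTABLES" -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT    # SSH
"$IPTABLES" -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT    # HTTP
"$IPTABLES" -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT   # HTTPS
"$IPTABLES" -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT    # DOMAIN (DNS)
"$IPTABLES" -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT    # DOMAIN (DNS)
# Reject auth/ident requests with a reset so clients do not hang on a timeout
"$IPTABLES" -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# ICMP (in)
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -s "$INNER_NET" -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-reply -s "$INNER_NET" -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# Everything else is logged (rate-limited) and then dropped by the policy
"$IPTABLES" -A INPUT -m limit --limit 1/s --limit-burst 10 \
  -j LOG --log-prefix "Undefind_input:" --log-level 3
##########################################################################
# OUTPUT chain
##########################################################################
# Allow packets from localhost
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT
# TCP flag check
"$IPTABLES" -A OUTPUT -p tcp -j chkflags
# Allow connections from the server to the LAN
"$IPTABLES" -A OUTPUT -o "$INNER_PORT" -s "$FWALL_IP" -j ACCEPT
# Microsoft-networking check
"$IPTABLES" -A OUTPUT -j chkmsnet
# Allow packets of already established connections
"$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new connections from the server to the Internet
"$IPTABLES" -A OUTPUT -m state --state NEW -j ACCEPT
# ICMP (out)
"$IPTABLES" -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
"$IPTABLES" -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
"$IPTABLES" -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
"$IPTABLES" -A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
"$IPTABLES" -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT
"$IPTABLES" -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# Everything else is logged (rate-limited) and then dropped by the policy
"$IPTABLES" -A OUTPUT -m limit --limit 1/s --limit-burst 10 \
  -j LOG --log-prefix "undefind_icmp:" --log-level 3
##########################################################################
# IP masquerading / FORWARD chain
##########################################################################
# Microsoft-networking check
"$IPTABLES" -A FORWARD -j chkmsnet
# Masquerade LAN machines behind the WAN address
"$IPTABLES" -t nat -A POSTROUTING -o "$OUTER_PORT" -s "$INNER_NET" -j MASQUERADE
# External to LAN: only packets of already established connections
"$IPTABLES" -A FORWARD -i "$OUTER_PORT" -o "$INNER_PORT" -d "$INNER_NET" -m state \
  --state ESTABLISHED,RELATED -j ACCEPT
# LAN to external: allow new and established connections
"$IPTABLES" -A FORWARD -i "$INNER_PORT" -o "$OUTER_PORT" -s "$INNER_NET" -m state \
  --state NEW,ESTABLISHED,RELATED -j ACCEPT
exit 0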


