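#!/bin/sh
#------------------------------------------------------------------------------
# Host firewall: IPv4 filtering with iptables, IPv6 blocked with ip6tables.
#
# Run as root (e.g. from an init script). Order of operations:
#   1. load conntrack helper modules, harden the kernel's IPv4 sysctls
#   2. set DROP default policies, then flush/delete/zero every chain
#   3. create the logging chains and build the rule set: loopback, ICMP,
#      connection tracking, anti-scan, bogon sources, outbound allowlist,
#      inbound allowlist
#   4. log and reject everything that is left
#
# NOTE: the default policies are switched to DROP *before* the rules are
# rebuilt, so if this script dies part-way through the host is left with no
# permitted traffic at all (SSH included). Test it from a console, or with a
# scheduled fallback that restores a known-good ruleset, before running it on
# a remote machine.
#
# For debugging use "iptables -v".
#------------------------------------------------------------------------------
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"      # currently unused, kept for local additions
ARP="/usr/sbin/arp"      # used only by the (commented-out) static ARP entries

# Logging options.
#------------------------------------------------------------------------------
# $LOG and $RLIMIT hold several iptables arguments each and are deliberately
# left unquoted where they are used: they rely on word splitting.
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"

# Defaults for rate limiting.
#------------------------------------------------------------------------------
RLIMIT="-m limit --limit 3/s --limit-burst 8"

# Unprivileged ports (not referenced by any rule below; kept for local use).
#------------------------------------------------------------------------------
PHIGH="1024:65535"
PSSH="1000:1023"

# Load required kernel modules (conntrack helpers for FTP and IRC).
#------------------------------------------------------------------------------
# Current kernels name these nf_conntrack_*; fall back to the legacy
# ip_conntrack_* names on old kernels.
"$MODPROBE" nf_conntrack_ftp 2>/dev/null || "$MODPROBE" ip_conntrack_ftp
"$MODPROBE" nf_conntrack_irc 2>/dev/null || "$MODPROBE" ip_conntrack_irc

# Mitigate ARP spoofing/poisoning and similar attacks.
#------------------------------------------------------------------------------
# Hardcode static ARP cache entries here, e.g.:
# "$ARP" -s ip-address mac-address

# Kernel configuration.
#------------------------------------------------------------------------------
# Disable IP forwarding.
# Changing ip_forward resets the other ipv4 conf/* parameters to their
# defaults, which is why it is toggled on => off *first* and every other
# setting is written after it.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_forward

# Enable IP spoofing protection (reverse path filtering).
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$i"; done

# Protect against SYN flood attacks.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# 0 = still answer ICMP echo requests; they are rate-limited by the ICMP rules
# further below. Set this to 1 to ignore all pings at the kernel level instead.
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore ICMP echo requests sent to broadcast addresses (smurf protection).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Log packets with impossible addresses.
for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > "$i"; done

# Don't log invalid responses to broadcast.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Don't accept or send ICMP redirects.
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$i"; done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$i"; done

# Don't accept source routed packets.
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > "$i"; done

# Disable multicast routing (left commented out; mc_forwarding is a read-only
# sysctl on current kernels).
#for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > "$i"; done

# Disable proxy_arp.
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > "$i"; done

# Enable secure redirects, i.e. only accept ICMP redirects from known gateways
# (helps against MITM attacks). Moot while accept_redirects is 0 above, but
# harmless and kept in case redirects are ever re-enabled.
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > "$i"; done

# Disable bootp_relay.
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > "$i"; done

# Default policies.
#------------------------------------------------------------------------------
# Drop everything by default.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P OUTPUT DROP

# Set the nat/mangle tables' chains to ACCEPT (all filtering happens in the
# filter table).
"$IPTABLES" -t nat -P PREROUTING ACCEPT
"$IPTABLES" -t nat -P OUTPUT ACCEPT
"$IPTABLES" -t nat -P POSTROUTING ACCEPT
"$IPTABLES" -t mangle -P PREROUTING ACCEPT
"$IPTABLES" -t mangle -P INPUT ACCEPT
"$IPTABLES" -t mangle -P FORWARD ACCEPT
"$IPTABLES" -t mangle -P OUTPUT ACCEPT
"$IPTABLES" -t mangle -P POSTROUTING ACCEPT

# Cleanup.
#------------------------------------------------------------------------------
# Delete all rules.
"$IPTABLES" -F
"$IPTABLES" -t nat -F
"$IPTABLES" -t mangle -F

# Delete all user-defined chains.
"$IPTABLES" -X
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -X

# Zero all packet and byte counters.
"$IPTABLES" -Z
"$IPTABLES" -t nat -Z
"$IPTABLES" -t mangle -Z

# Completely disable IPv6.
#------------------------------------------------------------------------------
# If the ip6tables command is available, block all IPv6 traffic except on the
# loopback interface (local services commonly bind ::1).
# If ip6tables is NOT available, IPv6 is left unfiltered by this script.
if test -x "$IP6TABLES"; then
  # Set the default policies: drop everything.
  "$IP6TABLES" -P INPUT DROP 2>/dev/null
  "$IP6TABLES" -P FORWARD DROP 2>/dev/null
  "$IP6TABLES" -P OUTPUT DROP 2>/dev/null

  # The mangle table can pass everything.
  "$IP6TABLES" -t mangle -P PREROUTING ACCEPT 2>/dev/null
  "$IP6TABLES" -t mangle -P INPUT ACCEPT 2>/dev/null
  "$IP6TABLES" -t mangle -P FORWARD ACCEPT 2>/dev/null
  "$IP6TABLES" -t mangle -P OUTPUT ACCEPT 2>/dev/null
  "$IP6TABLES" -t mangle -P POSTROUTING ACCEPT 2>/dev/null

  # Delete all rules.
  "$IP6TABLES" -F 2>/dev/null
  "$IP6TABLES" -t mangle -F 2>/dev/null

  # Delete all chains.
  "$IP6TABLES" -X 2>/dev/null
  "$IP6TABLES" -t mangle -X 2>/dev/null

  # Zero all packet and byte counters.
  "$IP6TABLES" -Z 2>/dev/null
  "$IP6TABLES" -t mangle -Z 2>/dev/null

  # Keep IPv6 loopback working; everything else stays on the DROP policy.
  "$IP6TABLES" -A INPUT -i lo -j ACCEPT 2>/dev/null
  "$IP6TABLES" -A OUTPUT -o lo -j ACCEPT 2>/dev/null
fi

# Custom user-defined chains.
#------------------------------------------------------------------------------
# LOG packets, then ACCEPT.
"$IPTABLES" -N acceptlog
"$IPTABLES" -A acceptlog $RLIMIT -j $LOG --log-prefix "ACCEPT"
"$IPTABLES" -A acceptlog -j ACCEPT

# LOG packets, then DROP.
"$IPTABLES" -N droplog
"$IPTABLES" -A droplog $RLIMIT -j $LOG --log-prefix "DROP"
"$IPTABLES" -A droplog -j DROP

# LOG packets, then REJECT.
# TCP packets are rejected with a TCP reset.
"$IPTABLES" -N rejectlog
"$IPTABLES" -A rejectlog $RLIMIT -j $LOG --log-prefix "REJECT"
"$IPTABLES" -A rejectlog -p tcp -j REJECT --reject-with tcp-reset
"$IPTABLES" -A rejectlog -j REJECT

# Only allow RELATED ICMP types
# (destination-unreachable, time-exceeded, and parameter-problem).
# fragmentation-needed is destination-unreachable code 4, so it is already
# covered by the first rule (needed for path MTU discovery).
# TODO: rate-limit this traffic?
# TODO: test.
"$IPTABLES" -N related_icmp
"$IPTABLES" -A related_icmp -p icmp --icmp-type destination-unreachable -j ACCEPT
"$IPTABLES" -A related_icmp -p icmp --icmp-type time-exceeded -j ACCEPT
"$IPTABLES" -A related_icmp -p icmp --icmp-type parameter-problem -j ACCEPT
"$IPTABLES" -A related_icmp -j droplog

# Loopback.
#------------------------------------------------------------------------------
# Allow the loopback interface to do anything. This has to come before the
# ICMP rules, otherwise local pings and local ICMP errors get rate-limited
# and dropped like traffic from the wire.
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

# Only allow the minimally required/recommended parts of ICMP. Block the rest.
#------------------------------------------------------------------------------
# TODO: this section needs a lot of testing!
#
# The former "make it even harder to multi-ping" block that used to precede
# this section (an unconditional "-A INPUT -p icmp -j DROP" and
# "-A OUTPUT -p icmp -j ACCEPT") has been removed: it matched every ICMP
# packet first, so none of the rules below were ever evaluated. Echo requests
# are rate-limited via $RLIMIT instead; tighten RLIMIT if 3/s is too generous.

# A) Drop all fragmented ICMP packets (almost always malicious).
"$IPTABLES" -A INPUT -p icmp --fragment -j droplog
"$IPTABLES" -A OUTPUT -p icmp --fragment -j droplog
"$IPTABLES" -A FORWARD -p icmp --fragment -j droplog

# Allow all established ICMP traffic (e.g. echo replies to our own pings).
"$IPTABLES" -A INPUT -p icmp -m state --state ESTABLISHED $RLIMIT -j ACCEPT
"$IPTABLES" -A OUTPUT -p icmp -m state --state ESTABLISHED $RLIMIT -j ACCEPT

# Allow some parts of the RELATED ICMP traffic, block the rest.
"$IPTABLES" -A INPUT -p icmp -m state --state RELATED $RLIMIT -j related_icmp
"$IPTABLES" -A OUTPUT -p icmp -m state --state RELATED $RLIMIT -j related_icmp

# Allow incoming ICMP echo requests (ping), but only rate-limited.
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request $RLIMIT -j ACCEPT

# Allow outgoing ICMP echo requests (ping), but only rate-limited.
"$IPTABLES" -A OUTPUT -p icmp --icmp-type echo-request $RLIMIT -j ACCEPT

# Drop any other ICMP traffic.
"$IPTABLES" -A INPUT -p icmp -j droplog
"$IPTABLES" -A OUTPUT -p icmp -j droplog
"$IPTABLES" -A FORWARD -p icmp -j droplog

# Connection tracking.
#------------------------------------------------------------------------------
# Allow incoming packets that belong to, or are related to, connections that
# were already allowed.
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Same for outgoing packets. NEW is deliberately NOT included here: with NEW
# accepted unconditionally the outbound allowlist below and the final
# "-A OUTPUT -j rejectlog" would never be reached and every outbound
# connection would be permitted, contradicting the OUTPUT DROP policy.
# Add NEW back to this rule if you really want an unrestricted outbound policy.
"$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Miscellaneous.
#------------------------------------------------------------------------------
# We don't care about Milkosoft, drop SMB/CIFS/etc.
"$IPTABLES" -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
"$IPTABLES" -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP

# Explicitly drop invalid incoming traffic.
"$IPTABLES" -A INPUT -m state --state INVALID -j DROP

# Drop invalid outgoing traffic, too.
"$IPTABLES" -A OUTPUT -m state --state INVALID -j DROP

# If we would use NAT, INVALID packets would pass - block them anyways.
"$IPTABLES" -A FORWARD -m state --state INVALID -j DROP

# Port scanners (stealth also).
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# TODO: some more anti-spoofing rules? For example:
# "$IPTABLES" -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# "$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# "$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Rate-limit new TCP connections (SYN flood mitigation). Only NEW SYNs reach
# this chain because ESTABLISHED,RELATED was already accepted above.
"$IPTABLES" -N syn_flood
"$IPTABLES" -A INPUT -p tcp --syn -j syn_flood
"$IPTABLES" -A syn_flood -m limit --limit 2/s --limit-burst 6 -j RETURN
"$IPTABLES" -A syn_flood -j DROP

# TODO: block known-bad IPs (http://www.dshield.org/top10.php).
# "$IPTABLES" -A INPUT -s insert-bad-ip-here -j droplog

# Drop any traffic from reserved / non-routable source addresses (bogons).
#------------------------------------------------------------------------------
# The list that used to be here was a snapshot of the IANA "unallocated /8"
# table; nearly all of those blocks have since been allocated and were
# silently dropping legitimate traffic. Only permanently reserved ranges are
# kept. If you want to filter currently unallocated space, generate these
# rules from a maintained bogon feed instead of hardcoding a snapshot.
# NOTE: the private ranges will drop traffic from a LAN this host is on;
# remove the matching line if the host lives behind NAT on 10/8, 172.16/12
# or 192.168/16.
"$IPTABLES" -A INPUT -s 0.0.0.0/8 -j DROP        # "this" network
"$IPTABLES" -A INPUT -s 10.0.0.0/8 -j DROP       # RFC 1918 private
"$IPTABLES" -A INPUT -s 169.254.0.0/16 -j DROP   # link-local
"$IPTABLES" -A INPUT -s 172.16.0.0/12 -j DROP    # RFC 1918 private
"$IPTABLES" -A INPUT -s 192.0.2.0/24 -j DROP     # TEST-NET (documentation)
"$IPTABLES" -A INPUT -s 192.168.0.0/16 -j DROP   # RFC 1918 private
"$IPTABLES" -A INPUT -s 198.18.0.0/15 -j DROP    # benchmarking
"$IPTABLES" -A INPUT -s 224.0.0.0/3 -j DROP      # multicast + reserved

# Selectively allow certain outbound connections, block the rest.
#------------------------------------------------------------------------------
# Allow outgoing DNS requests. Few things would work without this.
"$IPTABLES" -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
"$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow outgoing HTTP requests. Unencrypted, use with care.
"$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow outgoing HTTPS requests.
"$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow outgoing SMTPS requests. Do not allow unencrypted SMTP!
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT

# Allow outgoing "submission" (RFC 2476) requests.
"$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT

# Allow outgoing POP3S requests.
"$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow outgoing SSH requests.
"$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow outgoing FTP requests. Unencrypted, use with care.
"$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow outgoing NNTP requests. Unencrypted, use with care.
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow outgoing NTP requests. Unencrypted, use with care.
# "$IPTABLES" -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT

# Allow outgoing IRC requests. Unencrypted, use with care.
# Note: this usually needs the IRC conntrack helper module loaded above.
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT

# Allow outgoing requests to various proxies. Unencrypted, use with care.
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 8090 -j ACCEPT

# Allow outgoing DHCP requests. Unencrypted, use with care.
# TODO: this is completely untested, I have no idea whether it works!
# TODO: it can be tightened a bit more.
"$IPTABLES" -A OUTPUT -m state --state NEW -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# Allow outgoing CVS requests. Unencrypted, use with care.
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT

# Allow outgoing MySQL requests. Unencrypted, use with care.
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT

# Allow outgoing SVN requests. Unencrypted, use with care.
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT

# Allow outgoing PLESK requests. Unencrypted, use with care.
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 8443 -j ACCEPT

# Allow outgoing Tor (http://tor.eff.org) requests.
# Note: do _not_ use unencrypted protocols over Tor (sniffing is possible)!
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 9002 -j ACCEPT
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT

# Allow outgoing OpenVPN requests.
"$IPTABLES" -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT

# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...

# Selectively allow certain inbound connections, block the rest.
#------------------------------------------------------------------------------
# Allow incoming DNS requests.
"$IPTABLES" -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow incoming HTTP requests.
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow incoming HTTPS requests.
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow incoming POP3 requests.
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

# Allow incoming IMAP4 requests.
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

# Allow incoming POP3S requests.
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow incoming SMTP requests.
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

# Allow incoming SSH requests.
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow incoming FTP requests.
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow incoming NNTP requests.
# "$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow incoming MySQL requests.
# "$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT

# Allow incoming PLESK requests.
# (The outbound rule above uses 8443; verify which port your instance uses.)
# "$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 8843 -j ACCEPT

# Allow incoming BitTorrent requests.
# TODO: are these already handled by accepting ESTABLISHED/RELATED traffic?
# "$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT
# "$IPTABLES" -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT

# Allow incoming nc requests.
# "$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT
# "$IPTABLES" -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT

# Explicitly log and reject everything else.
#------------------------------------------------------------------------------
# Use REJECT instead of the rejectlog chain if you don't need/want logging.
"$IPTABLES" -A INPUT -j rejectlog
"$IPTABLES" -A OUTPUT -j rejectlog
"$IPTABLES" -A FORWARD -j rejectlog

#------------------------------------------------------------------------------
# Testing the firewall.
#------------------------------------------------------------------------------
# You should check/test that this firewall really works, using
# "iptables -vnL", nmap, ping, telnet, ...

# Exit gracefully.
#------------------------------------------------------------------------------
exit 0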