#!/bin/bash
#
## firewall (Debian) -- Walter A. Iglesias.
#
## WARNING: This is another example of bash script. I have just a
## basic knowledge of iptables so surely these rules could be
## improved/optimized and, of course, customized to fit your needs.
#
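## Refuse to run unless we are root: every iptables call below needs it.
## Compare the numeric uid rather than the login name so a uid-0 account
## with a different name is accepted too; the message goes to stderr.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s\n' "You must be root" >&2
  exit 1
fi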
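## Exact number of command-line arguments the script accepts ({on|off}).
readonly args=1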
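#######################################
# Print the usage line.
# Globals:   none
# Arguments: none (uses $0 for the program name)
# Outputs:   usage text on stderr, so it never pollutes piped stdout
# Returns:   0
#######################################
usage() {
  printf 'Usage %s {on|off}\n' "${0##*/}" >&2
}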
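## Check the argument count before looking at the value of $1.
## Both expansions are quoted so an empty $args cannot break the test.
if [ "$#" -ne "$args" ]; then
  usage
  exit 1
fi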
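## Change this to the name of your (external) interface.
## It is read-only from here on: every rule below refers to it.
readonly ext=eth0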
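case "$1" in
  off) # "off": open every policy and remove all rules and chains.
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    iptables -X
    ## The "on" branch flushes the nat table and the forwarding example
    ## below adds a MASQUERADE rule there, so clear it here as well or
    ## "off" leaves nat rules behind.
    iptables -t nat -F
    iptables -t nat -X
    echo "Cleaned all firewall rules"
    exit 0
    ;;
  on) # "on": apply the rule set below.
    ## Read the first IPv4 address of $ext. Both the old net-tools
    ## format ("inet addr:1.2.3.4") and the current one ("inet 1.2.3.4")
    ## are handled; "inet6" lines do not match "$1 == inet".
    IP=$(ifconfig "$ext" \
      | awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }')
    if [ -z "$IP" ]; then
      printf "%s: Couldn't read your ip.\nPlease set your ip address and run firewall again.\n" \
        "${0##*/}" >&2
      exit 1
    fi
    ## Cleaning old rules
    iptables --flush
    iptables --delete-chain
    iptables --table nat --flush
    ## Policies: anything not explicitly accepted below is dropped.
    iptables --policy INPUT DROP
    iptables --policy OUTPUT DROP
    ## For FORWARDING comment the following line and read below.
    iptables --policy FORWARD DROP
    ## FORWARDING:
    ## Comment FORWARD DROP in the policies section above and uncomment this:
    # iptables --policy FORWARD ACCEPT
    #
    ## Change this to the name of your second (internal) interface:
    # int=eth1
    #
    # iptables --table nat --append POSTROUTING \
    #   --out-interface "$ext" --jump MASQUERADE
    #
    # iptables --append INPUT --in-interface "$int" --jump ACCEPT
    # iptables --append OUTPUT --out-interface "$int" --jump ACCEPT
    #
    ## NOTE: To enable ip forwarding in the kernel run
    ## "echo 1 > /proc/sys/net/ipv4/ip_forward".
    ## On Debian, to enable ip forwarding at boot time uncomment the line
    ## "net.ipv4.ip_forward=1" in /etc/sysctl.conf.
    #
    ## Allow loopback traffic (localhost).
    iptables --append INPUT --in-interface lo --jump ACCEPT
    iptables --append OUTPUT --out-interface lo --jump ACCEPT
    ## ACCEPT INPUT whose source address is our own IP.
    ## NOTE(review): this matches only on the source address, which a
    ## remote sender can forge; traffic the host sends to itself already
    ## arrives over lo (accepted above), so consider restricting this rule
    ## (e.g. with --in-interface lo) or removing it.
    iptables --append INPUT --source "$IP" --jump ACCEPT
    ## ACCEPT INPUT of TCP packets with a source port of 1:1024, from any IP.
    ## NOTE(review): the source port is chosen by the remote side, so this
    ## admits any TCP packet sent from a low port whatever its connection
    ## state; the state-based rules further down are the reliable filter.
    iptables --append INPUT --source 0/0 --protocol tcp \
      --source-port 1:1024 --jump ACCEPT
    ## ACCEPT INPUT of TCP packets that are not connection openers
    ## (! --syn) to destination ports 1025:65535, from any IP.
    ## NOTE(review): this accepts regardless of conntrack state; the
    ## "NEW but not SYN" DROP below therefore never sees these ports.
    iptables --append INPUT --source 0/0 --protocol tcp \
      --destination-port 1025:65535 ! --syn --jump ACCEPT
    ## ACCEPT INPUT of UDP packets with a source port of 1:1024, from any IP
    ## (same caveat as the TCP source-port rule above).
    iptables --append INPUT --source 0/0 --protocol udp \
      --source-port 1:1024 --jump ACCEPT
    ## ACCEPT OUTPUT destined to our own IP.
    iptables --append OUTPUT --destination "$IP" --jump ACCEPT
    ## ACCEPT OUTPUT of TCP packets from source ports 1025:65535 to any IP.
    iptables --append OUTPUT --destination 0/0 --protocol tcp \
      --source-port 1025:65535 --jump ACCEPT
    ## ACCEPT INPUT of UDP only for ESTABLISHED flows (the state match
    ## has to be loaded with '-m' or '--match').
    iptables --append INPUT --protocol udp --match state \
      --state ESTABLISHED --jump ACCEPT
    ## ACCEPT OUTPUT of NEW and ESTABLISHED UDP flows.
    iptables --append OUTPUT --protocol udp --match state \
      --state NEW,ESTABLISHED --jump ACCEPT
    ## DROP INPUT of TCP packets that start a NEW connection without being
    ## a SYN (! --syn), i.e. connections we did not ask for.
    iptables --append INPUT --protocol tcp ! --syn --match state \
      --state NEW --jump DROP
    ## But ACCEPT the ESTABLISHED ones.
    iptables --append INPUT --protocol tcp --match state \
      --state ESTABLISHED --jump ACCEPT
    ## And OUTPUT of requests from our machine.
    iptables --append OUTPUT --protocol tcp --match state \
      --state NEW,ESTABLISHED --jump ACCEPT
    ## Open apache to the internet (only if your machine is a web server).
    # iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    # iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
    ## Open the SSH server.
    # iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    # iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
    ## Open SMTP (if your machine is a mail server you can choose from
    ## these).
    # iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    # iptables -A OUTPUT -p tcp --sport 25 -j ACCEPT
    #
    # iptables -A INPUT -p tcp --dport 995 -j ACCEPT
    # iptables -A OUTPUT -p tcp --sport 995 -j ACCEPT
    #
    # iptables -A INPUT -p tcp --dport 587 -j ACCEPT
    # iptables -A OUTPUT -p tcp --sport 587 -j ACCEPT
    ## Listing rules
    iptables -L -n -v
    iptables -t nat -L -n -v
    ## Save the rules for the next boot. Fail loudly if this does not
    ## work, otherwise the boot hook below would restore a stale file.
    if ! iptables-save > /etc/firewall.conf; then
      printf '%s: could not write /etc/firewall.conf\n' "${0##*/}" >&2
      exit 1
    fi
    ## Create a file that Debian runs at boot time after (and only if) the
    ## network interface is up; it restores the rules from
    ## /etc/firewall.conf. Only written when no such hook exists yet.
    if [ ! -x /etc/network/if-up.d/iptables ]; then
      printf '%s\n' '#!/bin/sh' 'iptables-restore < /etc/firewall.conf' \
        > /etc/network/if-up.d/iptables
      chmod 755 /etc/network/if-up.d/iptables
    fi
    echo "Firewall rules applied"
    exit 0
    ;;
  *) # Any other argument: show usage and fail.
    usage
    exit 1
    ;;
esac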
## End firewall
You can mail me at eloi at roquesor.com
.