Diffstat (limited to 'core/conf/iptables/ipt-firewall.sh')
-rw-r--r-- | core/conf/iptables/ipt-firewall.sh | 175 |
1 files changed, 111 insertions, 64 deletions
diff --git a/core/conf/iptables/ipt-firewall.sh b/core/conf/iptables/ipt-firewall.sh
index 086b864..a216fe3 100644
--- a/core/conf/iptables/ipt-firewall.sh
+++ b/core/conf/iptables/ipt-firewall.sh
@@ -1,63 +1,79 @@ #!/bin/bash +. /etc/iptables/ipt-conf.sh + ipt_clear () { echo "clear all iptables tables" - iptables -F - iptables -X - iptables -t nat -F - iptables -t nat -X - iptables -t mangle -F - iptables -t mangle -X - iptables -t raw -F - iptables -t raw -X - iptables -t security -F - iptables -t security -X - iptables -N blocker - - iptables -N srv_dhcp - iptables -N srv_rip - iptables -N srv_icmp - iptables -N srv_ntp - iptables -N srv_dns_in - iptables -N srv_dns_out - iptables -N srv_http_in - iptables -N srv_http_out - iptables -N srv_https_in - iptables -N srv_https_out - iptables -N srv_ssh_in - iptables -N srv_ssh_out - iptables -N srv_git_in - iptables -N srv_git_out - iptables -N srv_db_in - iptables -N srv_db_out - - - iptables -N cli_dns_in - iptables -N cli_dns_out - iptables -N cli_http_in - iptables -N cli_http_out - iptables -N cli_https_in - iptables -N cli_https_out - iptables -N cli_ssh_in - iptables -N cli_ssh_out - iptables -N cli_pops_in - iptables -N cli_pops_out - iptables -N cli_smtps_in - iptables -N cli_smtps_out - iptables -N cli_irc_in - iptables -N cli_irc_out - iptables -N cli_ftp_in - iptables -N cli_ftp_out - iptables -N cli_git_in - iptables -N cli_git_out - iptables -N cli_gpg_in - iptables -N cli_gpg_out + $IPT -F + $IPT -X + $IPT6 -F + $IPT6 -X + #$PIT4 -Z + #$PIT6 -Z + $IPT -t nat -F + $IPT -t nat -X + $IPT -t mangle -F + $IPT -t mangle -X + $IPT -t raw -F + $IPT -t raw -X + $IPT -t security -F + $IPT -t security -X + $IPT -N blocker + $IPT -N blockip_in + $IPT -N blockip_out + + $IPT -N srv_dhcp + $IPT -N srv_rip + $IPT -N srv_icmp + $IPT -N srv_ntp + $IPT -N srv_dns_in + $IPT -N srv_dns_out + $IPT -N srv_http_in + $IPT -N srv_http_out + $IPT -N srv_https_in + $IPT -N srv_https_out + $IPT -N srv_smtp_in + $IPT -N srv_smtp_out + $IPT -N srv_ssh_in + $IPT -N srv_ssh_out + $IPT -N srv_git_in + $IPT -N srv_git_out + $IPT -N srv_db_in + $IPT -N srv_db_out + + + $IPT -N cli_dns_in + $IPT -N cli_dns_out + $IPT -N 
cli_http_in + $IPT -N cli_http_out + $IPT -N cli_https_in + $IPT -N cli_https_out + $IPT -N cli_ssh_in + $IPT -N cli_ssh_out + $IPT -N cli_pops_in + $IPT -N cli_pops_out + $IPT -N cli_smtps_in + $IPT -N cli_smtps_out + $IPT -N cli_irc_in + $IPT -N cli_irc_out + $IPT -N cli_ftp_in + $IPT -N cli_ftp_out + $IPT -N cli_git_in + $IPT -N cli_git_out + $IPT -N cli_gpg_in + $IPT -N cli_gpg_out + + # Set Default Rules + $IPT -P INPUT DROP + $IPT -P FORWARD DROP + $IPT -P OUTPUT DROP # Set Default Rules - iptables -P INPUT DROP - iptables -P FORWARD DROP - iptables -P OUTPUT DROP + $IPT6 -P INPUT DROP + $IPT6 -P FORWARD DROP + $IPT6 -P OUTPUT DROP + } ipt_log () { @@ -65,11 +81,27 @@ ipt_log () { $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " -} + $IPT6 -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + $IPT6 -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + $IPT6 -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " +} ipt_tables () { echo "start adding tables..." + # Filter out comments and blank lines + # store each ip or subnet in $ip + egrep -v "^#|^$" x | while IFS= read -r ip + do + # Append everything to droplist + #echo "adding ${ip} to blockip" + $IPT -A blockip_in -s $ip -j LOG --log-prefix "${SPAMDROPMSG}" + $IPT -A blockip_in -s $ip -j DROP + $IPT -A blockip_out -d $ip -j LOG --log-prefix "${SPAMDROPMSG}" + $IPT -A blockip_out -d $ip -j DROP + done <"${SPAMLIST}" + + echo "blockip_in and blockip_out added" ####### blocker Chain ###### ## Block google dns @@ -103,6 +135,7 @@ ipt_tables () { #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + ## Return to caller $IPT -A blocker -j RETURN 
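Review bot: The new `. /etc/iptables/ipt-conf.sh` line is the only thing that defines `$IPT`, `$IPT6` and the other variables ipt_clear now relies on, and nothing checks that the file was found or that those variables are set; with IPT6 empty, `$IPT6 -P INPUT DROP` collapses to the command `-P`, which fails and leaves the IPv6 policies untouched while the rest of the script carries on. Use `. /etc/iptables/ipt-conf.sh || exit 1` followed by `: "${IPT:?}" "${IPT6:?}"` near the top of the file. The commented `#$PIT4 -Z` / `#$PIT6 -Z` lines look like a transposition of IPT/IPT6 and would fail if ever uncommented. Only the filter table is flushed for ip6tables while iptables also flushes nat, mangle, raw and security; if that asymmetry is intended, a one-line comment saying so would spare the next reader the question.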
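Review bot: The three new ip6tables LOG rules reuse the exact prefixes of the IPv4 rules directly above them (`iptables: OUTPUT: ` and so on), so IPv4 and IPv6 events cannot be told apart in the kernel log; change the new lines to `--log-prefix "ip6tables: INPUT: "` and likewise for OUTPUT and FORWARD. None of the six LOG rules carries `-m limit`, so a packet flood becomes a log flood; `-m limit --limit 5/min --limit-burst 10` placed before `-j LOG` bounds that. ipt_log begins before this hunk.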
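Review bot: The block-list loop never consumes the filtered output: `egrep -v "^#|^$" x | while …` reads a literal file named `x`, and the `done <"${SPAMLIST}"` redirect on the same loop replaces that pipe as the loop's stdin, so every raw line of SPAMLIST, comments and blanks included, reaches `-s $ip`; the unquoted expansion turns a comment line into several iptables arguments, each bad line makes the `-A blockip_in` call fail, and because the script does not `set -e` the failure is silent, leaving entries missing from the block list. Feed the loop from a process substitution and quote the address as below. `${SPAMLIST}` and `${SPAMDROPMSG}` presumably come from the sourced ipt-conf.sh, which this hunk cannot confirm, so a `: "${SPAMLIST:?}"` guard before the loop is worth adding; whether INPUT and OUTPUT ever jump to blockip_in/blockip_out is also not visible here. ipt_tables continues past the hunk.

```shell
    # Filter out comments and blank lines; the loop reads from the
    # process substitution, not from a stdin redirect on `done`.
    while IFS= read -r ip
    do
        # Append everything to droplist
        $IPT -A blockip_in  -s "$ip" -j LOG --log-prefix "${SPAMDROPMSG}"
        $IPT -A blockip_in  -s "$ip" -j DROP
        $IPT -A blockip_out -d "$ip" -j LOG --log-prefix "${SPAMDROPMSG}"
        $IPT -A blockip_out -d "$ip" -j DROP
    done < <(grep -Ev '^#|^$' -- "${SPAMLIST}")
    # … unchanged: echo "blockip_in and blockip_out added" and the blocker chain …
```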
@@ -123,6 +156,9 @@ ipt_tables () { $IPT -A srv_db_out -j RETURN ####### SSH Server + + $IPT -A srv_ssh_in -p tcp --dport 2222 -s ${BR_NET} -m state --state NEW -j ACCEPT + $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -j LOG --log-prefix "iptables: SSH NEW": $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \ 
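Review bot: `-s ${BR_NET}` on the new srv_ssh_in ACCEPT is unquoted and unguarded; if ipt-conf.sh leaves BR_NET unset the rule becomes `-s -m state …`, iptables rejects it, and the script continues without the bridge-network exemption ever being installed. Quote it as `-s "${BR_NET}"` and assert it once near the top of ipt_tables with `: "${BR_NET:?}"`; the same applies to the `-d ${BR_NET}` rules added in the next two hunks (srv_ssh_out and cli_ssh_out). The closing colon in `--log-prefix "iptables: SSH NEW":` sits outside the quotes, which works only through shell concatenation and diverges from every other prefix in the file; `--log-prefix "iptables: SSH NEW: "` matches them, and the two `"iptables: SSH OUT":` rules below have the same issue. This LOG rule fires for every NEW connection to 2222 without `-m limit`, as do the two SYN,ACK LOG rules in the following hunks. ipt_tables begins before this hunk and continues after it.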
@@ -134,22 +170,30 @@ ipt_tables () { $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A srv_ssh_in -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT + #$IPT -A srv_ssh_in -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT - $IPT -A srv_ssh_in -p tcp --dport 22 -m recent \ - --update --seconds 60 --hitcount 4 --rttl \ - --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" + #$IPT -A srv_ssh_in -p tcp --dport 22 -m recent \ + # --update --seconds 60 --hitcount 4 --rttl \ + # --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" - $IPT -A srv_ssh_in -p tcp --dport 22 -m recent --update --seconds 60 \ - --hitcount 4 --rttl --name SSH -j DROP + #$IPT -A srv_ssh_in -p tcp --dport 22 -m recent --update --seconds 60 \ + # --hitcount 4 --rttl --name SSH -j DROP - $IPT -A srv_ssh_in -p tcp --dport 22 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + #$IPT -A srv_ssh_in -p tcp --dport 22 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A srv_ssh_in -j RETURN + $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -d ${BR_NET} -m state --state ESTABLISHED -j ACCEPT + $IPT -A srv_ssh_out -p tcp --tcp-flags SYN,ACK SYN,ACK --sport 2222 -j LOG --log-prefix "iptables: SSH OUT": $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A srv_ssh_out -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + #$IPT -A srv_ssh_out -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A srv_ssh_out -j RETURN + ####### smtp Server + $IPT -A srv_smtp_in -p tcp --dport 25 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_smtp_in -j RETURN + $IPT -A srv_smtp_out -p tcp --sport 25 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_smtp_out -j RETURN + ####### HTTP Server $IPT -A srv_http_in -p tcp --dport 80 
--sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A srv_http_in -j RETURN @@ -200,8 +244,10 @@ ipt_tables () { $IPT -A cli_ftp_out -j RETURN ######## GIT client + $IPT -A cli_git_in -p tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_git_in -j RETURN + $IPT -A cli_git_out -p tcp --dport 873 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_git_out -j RETURN @@ -229,6 +275,9 @@ ipt_tables () { $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_ssh_in -j RETURN + + $IPT -A cli_ssh_out -p tcp -d ${BR_NET} --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_out -p tcp --tcp-flags SYN,ACK SYN,ACK --dport 2222 -j LOG --log-prefix "iptables: SSH OUT": $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_ssh_out -j RETURN @@ -258,5 +307,3 @@ ipt_tables () { $IPT -A srv_ntp -j RETURN } - - |
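Review bot: The port-22 rules in srv_ssh_in and srv_ssh_out are commented out rather than deleted, leaving eight lines of dead rule text in the function while git history already preserves them; remove them, or if they are kept as a deliberate fallback, say so in one comment such as `# port-22 rules retired; sshd listens on 2222 only` in place of the block. The new `-d ${BR_NET}` ESTABLISHED ACCEPT in srv_ssh_out is immediately followed by an unrestricted ESTABLISHED ACCEPT on the same port, so its only effect is to sit ahead of the SYN,ACK LOG rule; if that ordering is the intent, a short comment on the line would make it clear. ipt_tables begins before this hunk and continues after it.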
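Review bot: Port 873 is the registered rsync port, not a git port, so the two new rules in the `GIT client` section (cli_git_in `--sport 873` and cli_git_out `--dport 873`) are misfiled under that heading and a reader auditing what the host may reach will overlook them. Either give them their own `####### rsync client` section and chain, or annotate each with `# 873/tcp: rsync`; which fits depends on the actual use, which this hunk does not show. ipt_tables begins before this hunk and continues after it.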