#!/bin/bash IPT="/usr/sbin/iptables" ipt_clear () { echo "clear all iptables tables" iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X iptables -t raw -F iptables -t raw -X iptables -t security -F iptables -t security -X iptables -N blocker iptables -N srv_dhcp iptables -N srv_rip iptables -N srv_icmp iptables -N srv_dns_in iptables -N srv_dns_out iptables -N srv_http_in iptables -N srv_http_out iptables -N srv_https_in iptables -N srv_https_out iptables -N srv_ssh_in iptables -N srv_ssh_out iptables -N srv_git_in iptables -N srv_git_out iptables -N srv_db_in iptables -N srv_db_out iptables -N cli_dns_in iptables -N cli_dns_out iptables -N cli_http_in iptables -N cli_http_out iptables -N cli_https_in iptables -N cli_https_out iptables -N cli_ssh_in iptables -N cli_ssh_out iptables -N cli_pops_in iptables -N cli_pops_out iptables -N cli_smtps_in iptables -N cli_smtps_out iptables -N cli_irc_in iptables -N cli_irc_out iptables -N cli_ftp_in iptables -N cli_ftp_out iptables -N cli_git_in iptables -N cli_git_out iptables -N cli_gpg_in iptables -N cli_gpg_out # Set Default Rules iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP } ipt_log () { ## log everything else and drop $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " } ipt_tables () { echo "start adding tables..." ####### blocker Chain ###### ## Block google dns #$IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " #$IPT -A blocker -s 8.8.0.0/24 -j DROP ## Block sync $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP ## Block Fragments $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " $IPT -A blocker -f -j DROP $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP #$IPT -A blocker -p tcp --tcp-flags ACK,FIN FIN -j DROP #$IPT -A blocker -p tcp --tcp-flags ACK,PSH PSH -j DROP #$IPT -A blocker -p tcp --tcp-flags ACK,URG URG -j DROP #$IPT -A blocker -p tcp --tcp-flags FIN,RST FIN,RST -j DROP #$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP #$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP ## Return to caller $IPT -A blocker -j RETURN ######## DNS Server #echo "server_in chain: Allow input to DNS Server" $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A srv_dns_in -j RETURN #echo "srv_dns_out chain: Allow output from DNS server" $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT $IPT -A srv_dns_out -j RETURN ####### Database Server $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A srv_db_in -j RETURN $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A srv_db_out -j RETURN ####### SSH Server $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \ --update --seconds 60 --hitcount 4 --rttl \ --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \ --hitcount 4 --rttl --name SSH -j DROP $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A srv_ssh_in -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT $IPT -A srv_ssh_in -p tcp --dport 22 -m recent \ --update --seconds 60 --hitcount 4 --rttl \ --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" $IPT -A srv_ssh_in -p tcp --dport 22 -m recent --update --seconds 60 \ --hitcount 4 --rttl --name SSH -j DROP $IPT -A srv_ssh_in -p tcp --dport 22 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A srv_ssh_in -j RETURN $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A srv_ssh_out -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A srv_ssh_out -j RETURN ####### HTTP Server $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A srv_http_in -j RETURN $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT $IPT -A srv_http_out -j RETURN ####### HTTPS Server $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A srv_https_in -j RETURN $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT $IPT -A srv_https_out -j RETURN ###### GIT server $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A srv_git_in -j RETURN $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT $IPT -A srv_git_out -j RETURN ######## DNS Client $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -j ACCEPT $IPT -A cli_dns_out -j RETURN $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -j ACCEPT $IPT -A cli_dns_in -j RETURN ######## HTTP Client #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_http_in -j RETURN $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_http_out -p udp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_http_out -j RETURN ######## IRC client $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_irc_in -j RETURN $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_irc_out -j RETURN ######## FTP client $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_ftp_in -p tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A cli_ftp_in -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_ftp_in -j RETURN $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_ftp_out -p tcp --dport 20 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_ftp_out -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A cli_ftp_out -j RETURN ######## GIT client $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_git_in -j RETURN $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_git_out -j RETURN ######## POP3S client $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_pops_in -j RETURN $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_pops_out -j RETURN ######## SMTPS client $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_smtps_in -j RETURN $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_smtps_out -j RETURN ######## HTTPS client $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_https_in -j RETURN $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_https_out -j RETURN ######## SSH client $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_ssh_in -j RETURN $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_ssh_out -j RETURN ######## GPG key client $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A cli_gpg_in -j RETURN $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_gpg_out -j RETURN ######## DHCP Server $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT $IPT -A srv_dhcp -j RETURN ####### RIP Server $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT $IPT -A srv_rip -j RETURN ####### ICMP Server $IPT -A srv_icmp -p icmp -j ACCEPT $IPT -A srv_icmp -j RETURN }