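#!/bin/sh
#
# Iptables firewall for webserver
#
# Install:  emerge iptables
# Name:     firewall.sh
# Perms:    chmod 755 firewall.sh
# Run:      ./firewall.sh (execute as root)
#
# Gentoo Hardened 2006.1
#
# by ReDNecK
# email: rdwest2005@gmail.com
# msn:   rdwestsr@hotmail.com
# icq:   32251187
#
# Layout of the filter table built by this script:
#   INPUT -> CAROLINA-INPUT -> SYN-FLOOD       (rate-limit new TCP connections)
#                           -> ADDRESS-FILTER  (per-IP / per-MAC block list)
#                           -> REJECT-PKT      (log + reject everything else)
#
# shellcheck disable=SC2086 -- ADMIN_HOSTS / LOG_LIMIT are deliberately word-split
#
# Abort on the first failing iptables command instead of silently carrying on
# with a half-built ruleset, and treat unset variables as errors.
set -eu

IPTABLES=/sbin/iptables

# Hosts allowed to reach FTP (20, 21) and SSH (22): the local LAN plus any
# management addresses.  Replace the xxx placeholders with real addresses
# before running; the script refuses to start while they are present.
ADMIN_HOSTS="192.168.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx"
ADMIN_PORTS=20:22

# SYN rate limit.  NOTE: '-m limit' is one global bucket, not per source
# address, so a busy web server can exceed it under legitimate load; tune
# these values for the expected traffic before relying on them.
SYN_LIMIT=1/s
SYN_BURST=4

# Rate limit applied to every LOG rule so a flood of rejected packets cannot
# fill syslog / the disk.  Only logging is limited; the DROP/REJECT rules
# that follow each LOG rule still apply to every packet.
LOG_LIMIT="-m limit --limit 5/min --limit-burst 10"

#######################################
# Print an error to stderr and exit.
# Arguments: message
#######################################
die() {
  printf 'firewall.sh: %s\n' "$*" >&2
  exit 1
}

# Validate the configuration BEFORE the live ruleset is flushed, so a typo in
# this file cannot leave the host with an empty ACCEPT-everything table.
[ -x "$IPTABLES" ] || die "$IPTABLES not found or not executable"
for host in $ADMIN_HOSTS; do
  case "$host" in
    *xxx*) die "ADMIN_HOSTS still contains the placeholder '$host'" ;;
  esac
done

# Flush, Init and Zero the 'built-in' chains.  Policies stay ACCEPT while the
# table is rebuilt so an existing admin session is not cut off mid-script;
# INPUT is switched to DROP once all rules are in place (end of file).
$IPTABLES -F
$IPTABLES -F INPUT;   $IPTABLES -P INPUT ACCEPT;   $IPTABLES -Z INPUT
$IPTABLES -F FORWARD; $IPTABLES -P FORWARD ACCEPT; $IPTABLES -Z FORWARD
$IPTABLES -F OUTPUT;  $IPTABLES -P OUTPUT ACCEPT;  $IPTABLES -Z OUTPUT

# Setup user-defined chains (everything was flushed above, so -X succeeds)
$IPTABLES -X
$IPTABLES -N ADDRESS-FILTER
$IPTABLES -N CAROLINA-INPUT
$IPTABLES -N REJECT-PKT
$IPTABLES -N SYN-FLOOD
$IPTABLES -A INPUT -j CAROLINA-INPUT

######################################################################
# CAROLINA-INPUT: main inbound policy
######################################################################
# Allow all loopback interface traffic
$IPTABLES -A CAROLINA-INPUT -i lo -j ACCEPT

# Block Syn Flood attacks (SYN-FLOOD returns for packets within the limit)
$IPTABLES -A CAROLINA-INPUT -p tcp -m tcp --syn -j SYN-FLOOD

# Ensure that TCP connections start with syn packets
$IPTABLES -A CAROLINA-INPUT -p tcp -m tcp ! --syn -m state --state NEW $LOG_LIMIT -j LOG --log-prefix "SYN-EXPECTED: "
$IPTABLES -A CAROLINA-INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP

# Allow session continuation traffic
$IPTABLES -A CAROLINA-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ICMP ping requests from all hosts
$IPTABLES -A CAROLINA-INPUT -p icmp -m icmp --icmp-type ping -j ACCEPT

# Call the IP and MAC address filtering chain
$IPTABLES -A CAROLINA-INPUT -j ADDRESS-FILTER

# Allow selected TCP/IP and/or UDP services
# Allow only ADMIN_HOSTS (local LAN / management addresses) to access SSH & FTP
for host in $ADMIN_HOSTS; do
  $IPTABLES -A CAROLINA-INPUT -p tcp -m tcp -s "$host" --dport "$ADMIN_PORTS" -j ACCEPT
done

# Allow all to access HTTP & HTTPS
$IPTABLES -A CAROLINA-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A CAROLINA-INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# Block all other inbound traffic
$IPTABLES -A CAROLINA-INPUT -j REJECT-PKT

######################################################################
# SYN-FLOOD: syn flood filtering chain
######################################################################
$IPTABLES -A SYN-FLOOD -m limit --limit "$SYN_LIMIT" --limit-burst "$SYN_BURST" -j RETURN
$IPTABLES -A SYN-FLOOD $LOG_LIMIT -j LOG --log-prefix "SYN-FLOOD: "
$IPTABLES -A SYN-FLOOD -j DROP

######################################################################
# REJECT-PKT: chain used to reject all TCP/IP, UDP and ICMP/PING packets
######################################################################
# NetBIOS name/datagram chatter is dropped silently to keep the logs quiet
$IPTABLES -A REJECT-PKT -p udp -m udp --sport 137:138 --dport 137:138 -j DROP
$IPTABLES -A REJECT-PKT -p tcp -m tcp $LOG_LIMIT -j LOG
$IPTABLES -A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECT-PKT -p udp -m udp $LOG_LIMIT -j LOG
$IPTABLES -A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A REJECT-PKT -p icmp -m icmp --icmp-type ping $LOG_LIMIT -j LOG
$IPTABLES -A REJECT-PKT -p icmp -m icmp --icmp-type ping -j REJECT --reject-with icmp-host-unreachable
# Catch-all: anything not matched above (other ICMP types, GRE, ESP, ...)
# would otherwise RETURN to CAROLINA-INPUT and fall through to the INPUT
# chain policy, so drop it here explicitly.
$IPTABLES -A REJECT-PKT -j DROP

######################################################################
# ADDRESS-FILTER: IP and MAC address filtering chain
######################################################################
# Block IP Addresses and MAC ID's (examples, disabled)
#$IPTABLES -A ADDRESS-FILTER -s 192.168.100.100 -j REJECT-PKT
#$IPTABLES -A ADDRESS-FILTER -m mac --mac-source 00:13:A9:46:BF:4C -j REJECT-PKT
$IPTABLES -A ADDRESS-FILTER -j RETURN

# All rules are in place: default-deny anything that escapes CAROLINA-INPUT.
$IPTABLES -P INPUT DROP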