Re: creating script for init.d

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



 For some reason, this e-mail was only sent to me.  Make sure you send to
Centos mailing list.

Try to run the script on the command line (not during the standard init
process).

Put 

#!/bin/bash

as it does look like it's bash (but hey I could be wrong).

Try to figure out where the script is hanging by using the -v or -x options,
one at a time.

#!/bin/bash -v

#!/bin/bash -x

You definitely need to provide more info.

Michael


> -----Original Message-----
> From: Linux Man [mailto:linuxman.uru@xxxxxxxxx] 
> Sent: Tuesday, December 19, 2006 12:30 AM
> To: mikev777@xxxxxxxxxxx
> Subject: here is the scrpit
> 
> 2006/12/18, Michael Velez <mikev777@xxxxxxxxxxx>:
> 
> 
> > -----Original Message-----
> > From: centos-bounces@xxxxxxxxxx <mailto:centos-bounces@xxxxxxxxxx>
> > [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Linux Man
> > Sent: Sunday, December 17, 2006 8:30 PM
> > To: centos@xxxxxxxxxx <mailto:centos@xxxxxxxxxx>
> > Subject:  creating script for init.d
> >
> > Hello.
> > I'm moving from a very old Fedora Core 1 to CentOS 4.4, what a 
> > change!!
> > Three year ago, I wrote some script (network related) and 
> worked very 
> > well. Now, I can put into init.d by means of chkconfig and 
> I restarted 
> > the system, but always hang when executing my srcipt (in my 
> new centos 
> > 4.4 ).
> > There a manual for making scripts for init.d?
> > there is some new requirement by which it does not work anymore?
> > Thanks a lots!!!!
> >
> >
> 
> Are you using the 'su' command in your script?
> 
> This happenned to me when I moved to RHEL4/Centos 4.  My 
> problem was due to SELinux.  I was using the 'su' command.  
> When I changed it to use the 'runuser' command instead, it 
> worked fine.  The reason it was hanging for me is that using 
> the su command produces a context question on the console 
> (during password checking) for which I had to press enter.  
> With 'runuser', you don't get the SELinux context question.
> 
> Michael
> 
> ______________________________
> 
> 	_________________
> 	CentOS mailing list
> 	CentOS@xxxxxxxxxx
> 	http://lists.centos.org/mailman/listinfo/centos
> 
> 
>  
> 
>  
> 
> This is the scrpit that I use, there's somethig wrong?
> 
> 
> #Script configurado y optimizado para el servidor SunSet #
> #chkconfig: 35 98 27
> #
> #Description: Firewall
> 
> 
> # Hubicacion de los binarios de IPTABLES y sus comandos 
> IPTABLES="/sbin/iptables"
> 
> 
> case "$1" in
>    stop)
>       echo "Shutting down firewall..."
>       $IPTABLES -F 
>       $IPTABLES -F -t mangle
>       $IPTABLES -F -t nat
>       $IPTABLES -X
>       $IPTABLES -X -t mangle
>       $IPTABLES -X -t nat
>       
>       $IPTABLES -P INPUT ACCEPT
>       $IPTABLES -P OUTPUT ACCEPT 
>       $IPTABLES -P FORWARD ACCEPT
>       echo "...done"
>       ;;
>    status)
>       echo $"Table: filter"
>       iptables --list
>       echo $"Table: nat"
>       iptables -t nat --list 
>       echo $"Table: mangle"
>       iptables -t mangle --list
>       ;;
>    restart|reload)
>       $0 stop
>       $0 start
>       ;;
>    start)
>     echo "Starting Firewall..."
>     echo "" 
> 
> 
> ##--------------------------Inicio del 
> Firewall---------------------------------##
> 
> 
> #----Interfaces por Defecto-----#
> 
> ## Interface Externa (a Internet)
> DEFAULT_EXTIF="eth0"
> 
> ## Interface Interna (a Lan)
> DEFAULT_INTIF="eth1"
> 
> ## Interface Interna (a CAMARA)
> DEFAULT_CAMIF="eth2"
> 
> #----Variables Especiales-----#
> 
> # IP y Mascara para todas las IP (all)
> UNIVERSE="0.0.0.0/0"
> 
> # Specification of the high unprivileged IP ports.
> UNPRIVPORTS="1024:65535"
> 
> # Specification of X Window System (TCP) ports.
> XWINPORTS="6000:6063" 
> 
> # Ports for IRC-Connection-Tracking
> IRCPORTS="6665,6666,6667,6668,6669,7000"
> 
> # Maquinas del Cyber
> A1="192.168.0.3"
> A2=" 192.168.0.4 <http://192.168.0.4> "
> A3="192.168.0.5"
> A4="192.168.0.6"
> A5="192.168.0.7"
> A6=" 192.168.0.8"
> A7="192.168.0.9"
> A8="192.168.0.10"
> B1=" 192.168.0.11 <http://192.168.0.11> "
> B2="192.168.0.12"
> B3="192.168.0.13"
> B4="192.168.0.14"
> B5="192.168.0.15"
> B6="192.168.0.16"
> J1="192.168.0.100"
> J2=" 192.168.0.101 <http://192.168.0.101> "
> J3="192.168.0.103"
> J4="192.168.0.105"
> J5="192.168.0.104" 
> J6="192.168.0.102"
> JEJE="192.168.0.2"
> 
> # Casa
> # Almaceno en la variable "actual" el valor de la IP actual 
> ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 
> 63.208.196.90 | grep address | awk '{ print $4}')
> 
> # Pruebo por si no hubo respuesta del servidor y en ese caso 
> uso ns2 if [ "$actual" = "" ]; then ACTUAL=$(host -R 2 -W 3 
> latinloveruy.homelinux.net 204.13.249.81 | grep address | awk 
> '{ print $4}') fi
> 
> # Pruebo por si no hubo respuesta del servidor y en ese caso 
> uso ns3 if [ "$actual" = "" ]; then ACTUAL=$(host -R 2 -W 3 
> latinloveruy.homelinux.net 204.13.250.81 | grep address | awk 
> '{ print $4}') fi
> 
> # Pruebo por si no hubo respuesta del servidor y en ese caso 
> uso ns4 if [ "$actual" = "" ]; then ACTUAL=$(host -R 2 -W 3 
> latinloveruy.homelinux.net 213.155.150.205 | grep address | 
> awk '{ print $4}') fi
> 
> # Pruebo por si no hubo respuesta del servidor y en ese caso 
> uso ns5 if [ "$actual" = "" ]; then ACTUAL=$(host -R 2 -W 3 
> latinloveruy.homelinux.net 63.170.10.81 | grep address | awk 
> '{ print $4}') fi
> 
> 
> #-----Port-Forwarding Variables-----#
> 
> 
> #IP's a Forewardear
>  
> #MUNDAKA="172.16.1.191"
> CAMARA="192.168.15.50 "
> 
> #----Flood Variables-----#
> 
> # Overall Limit for TCP-SYN-Flood detection TCPSYNLIMIT="5/s"
> # Burst Limit for TCP-SYN-Flood detection TCPSYNLIMITBURST="10"
> 
> # Overall Limit for Loggging in Logging-Chains LOGLIMIT="2/s"
> # Burst Limit for Logging in Logging-Chains LOGLIMITBURST="10"
> 
> #Overall Limit for Ping-Flood-Detection
> PINGLIMIT="5/s"
> # Burst Limit for Ping-Flood-Detection
> PINGLIMITBURST="10"
> 
> 
> 
> #----Determinacion Automatica de la informacion para las 
> Interfaces-----#
> 
> #Permite la determinacion de datos de configuracion de las interfaces 
> #de forma automatica permitiendo adaptarce a los cambios 
> logicos de la red 
> #sin necesidad de editar el script
> ### Interface Externa (Internet-IPpublica):
> 
> ## Obtener informacion de la Interface Externa
> ## Si no encuentra una interface se pondra el valor por 
> defecto: DEFAULT_EXTIF como EXTIF 
> if [ "x$2" != "x" ]; then
>    EXTIF=$2
> else
>    EXTIF=$DEFAULT_EXTIF
> fi
> echo External Interface: $EXTIF
> 
> ## Determinacion de la IP externa (publica)
> EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d 
> \  -f 1`" 
>   if [ "$EXTIP" = '' ]; then
>      echo "Aborting: Unable to determine the IP-address of $EXTIF !"
>      exit 1
>   fi
> echo External IP: $EXTIP
> 
> ## Determincion del Gateway Externo
> EXTGW=`route -n | grep -A 4 UG | awk '{ print $2}'`
> echo Default GW: $EXTGW
> 
> 
> echo " --- "
> 
> 
> ### Interface Interna (Lan-IPprivada):
> 
> ## Obtener informacion de la Interface InternaGet internal 
> interface from command-line 
> ## Si no encuentra una interface de pondra el valor por 
> defecto: $DEFAULT_INTIF as INTIF
> if [ "x$3" != "x" ]; then
>    INTIF=$3
> else
>    INTIF=$DEFAULT_INTIF
> fi
> echo Internal Interface: $INTIF 
> 
> ## Determinacion de IP Interna
> INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`"
>   if [ "$INTIP" = '' ]; then
>      echo "Aborting: Unable to determine the IP-address of $INTIF !" 
>      exit 1
>   fi  
> echo Internal IP: $INTIP
> 
> ## Determinacion de Mascara Interna
> INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
> echo Internal Netmask: $INTMASK
> 
> ## Determinacion de la Network Interna 
> INTLAN=$INTIP'/'$INTMASK
> echo Internal LAN: $INTLAN
> 
> echo ""
> 
> ###--- Interface hacia la CAMARA ---
> 
> CAMIF="eth2"
> CAMIFIP="192.168.15.5 "
> CAMMASK="255.255.255.0"
> 
> ##--- Reparo problemas de ruteo ---
> if [ "$(route | grep 169.254.0.0)" != "" ]; then 
> ip route del 169.254.0.0/16
> fi
>  
> 
> #----Cargando Modulos de IPTABLES-----#
> 
> 
> #Insert modules- should be done automatically if needed
> 
> #If the IRC-modules are available, uncomment them below 
> 
> echo "Loading IPTABLES modules"
> 
> dmesg -n 1 #Kill copyright display on module load
> /sbin/modprobe ip_tables
> /sbin/modprobe iptable_filter
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_conntrack_ftp 
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
> /sbin/modprobe ip_nat_irc ports=$IRCPORTS
> #dmesg -n 6
> 
> echo " --- "
> 
> 
> #----Clear/Reset all chains-----#
> 
> #Clear all IPTABLES-chains
> 
> #Flush everything, start from scratch
> $IPTABLES -F
> $IPTABLES -F -t mangle
> $IPTABLES -F -t nat
> $IPTABLES -X
> $IPTABLES -X -t mangle
> $IPTABLES -X -t nat
> 
> #Set default policies to DROP 
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
> 
> 
> #----Set network sysctl options-----#
> 
> 
> echo "Setting sysctl options"
> 
> #Enable forwarding in kernel
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> #Disabling IP Spoofing attacks.
> echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
> 
> #Don't respond to broadcast pings (Smurf-Amplifier-Protection)
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 
> 
> #Block source routing
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
> 
> #Kill timestamps
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
> 
> #Enable SYN Cookies
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies 
> 
> #Kill redirects
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
> 
> #Enable bad error message protection
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> 
> #Log martians (packets with impossible addresses) 
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
> 
> #Set out local port range
> echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range
> 
> #Reduce DoS'ing ability by reducing timeouts
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout 
> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack
> 
> 
> echo " --- "
> 
> echo "Creating user-chains" 
> 
> 
> 
> #----Create logging chains-----#
> 
> ##These are the logging-chains. They all have a certain limit 
> of log-entries/sec to prevent log-flooding
> ##The syslog-entries will be fireparse-compatible (see 
> http://www.fireparse.com <http://www.fireparse.com> )
> 
> 
> #Invalid packets (not ESTABLISHED,RELATED or NEW)
>     $IPTABLES -N LINVALID
>     $IPTABLES -A LINVALID -m limit --limit $LOGLIMIT 
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix 
> "fp=INVALID:1 a=DROP " --log-level info 
>     $IPTABLES -A LINVALID -j DROP
> 
> #TCP-Packets with one ore more bad flags
>     $IPTABLES -N LBADFLAG
>     $IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT 
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix 
> "fp=BADFLAG:1 a=DROP " --log-level info 
>     $IPTABLES -A LBADFLAG -j DROP
> 
> #Acceso no permitido a la Camara
>     $IPTABLES -N LNOCAM
>     $IPTABLES -A LNOCAM -m limit --limit $LOGLIMIT 
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=NOCAM:1 a=DROP " 
>     $IPTABLES -A LNOCAM -j DROP
> 
> #Logging of connection attempts on special ports (Trojan 
> portscans, special services, etc.)
>     $IPTABLES -N LSPECIALPORT
>     $IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT 
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix 
> "fp=SPECIALPORT:1 a=DROP " --log-level info 
>     $IPTABLES -A LSPECIALPORT -j DROP
>     
> #Logging of possible TCP-SYN-Floods
>     $IPTABLES -N LSYNFLOOD
>     $IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT 
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix 
> "fp=SYNFLOOD:1 a=DROP " --log-level info 
>     $IPTABLES -A LSYNFLOOD -j DROP
>     
> #Logging of possible Ping-Floods
>     $IPTABLES -N LPINGFLOOD
>     $IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT 
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix 
> "fp=PINGFLOOD:1 a=DROP " --log-level info 
>     $IPTABLES -A LPINGFLOOD -j DROP
> 
> 
> #All other dropped packets
>     $IPTABLES -N LDROP
>     $IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT 
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 
> a=DROP " --log-level info 
>     $IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT 
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 
> a=DROP " --log-level info
>     $IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT 
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 
> a=DROP " --log-level info 
>     $IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT 
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix 
> "fp=FRAGMENT:4 a=DROP " --log-level info
>     $IPTABLES -A LDROP -j DROP
> 
> #All other rejected packets 
>     $IPTABLES -N LREJECT
>     $IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT 
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 
> a=REJECT " --log-level info
>     $IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT 
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 
> a=REJECT " --log-level info 
>     $IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT 
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 
> a=REJECT " --log-level info
>     $IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT 
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix 
> "fp=FRAGMENT:4 a=REJECT " --log-level info 
>     $IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
>     $IPTABLES -A LREJECT -p udp -j REJECT --reject-with 
> icmp-port-unreachable
>     $IPTABLES -A LREJECT -j REJECT
> 
> #passtrue
> 
> #  $IPTABLES -A FORWARD -p tcp -s $MUNDAKA -j ACCEPT 
> #  $IPTABLES -A FORWARD -p tcp -d $MUNDAKA -j ACCEPT
> 
> 
> 
> 
> 
> #----Create Accept-Chains-----#
> 
> 
> #TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
>     
>     $IPTABLES -N TCPACCEPT 
>     $IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit 
> $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
>     $IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
>     $IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT 
> 
> 
> #----Create special User-Chains-----#
> 
> 
> #CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with 
> impossible flag-combinations (Some port-scanners use these, 
> eg. nmap Xmas,Null,etc.-scan)
> 
>     $IPTABLES -N CHECKBADFLAG 
>     $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL 
> FIN,URG,PSH -j LBADFLAG
>     $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL 
> SYN,RST,ACK,FIN,URG -j LBADFLAG
>     $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG 
>     $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
>     $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST 
> SYN,RST -j LBADFLAG
>     $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN 
> SYN,FIN -j LBADFLAG 
> 
> 
> 
> #FILTERING FOR SPECIAL PORTS
> 
> 
>     #Inbound/Outbound SILENTDROPS/REJECTS (Things we don't 
> want in our Logs)
> 
>         #SMB-Traffic
>         $IPTABLES -N SMB
>         
>         $IPTABLES -A SMB -p tcp --dport 137 -j DROP 
>         $IPTABLES -A SMB -p tcp --dport 138 -j DROP
>         $IPTABLES -A SMB -p tcp --dport 139 -j DROP
>         $IPTABLES -A SMB -p tcp --dport 445 -j DROP
>         $IPTABLES -A SMB -p udp --dport 137 -j DROP
>         $IPTABLES -A SMB -p udp --dport 138 -j DROP
>         $IPTABLES -A SMB -p udp --dport 139 -j DROP
>         $IPTABLES -A SMB -p udp --dport 445 -j DROP
>   
>         $IPTABLES -A SMB -p tcp --sport 137 -j DROP 
>         $IPTABLES -A SMB -p tcp --sport 138 -j DROP
>         $IPTABLES -A SMB -p tcp --sport 139 -j DROP
>         $IPTABLES -A SMB -p tcp --sport 445 -j DROP
>         $IPTABLES -A SMB -p udp --sport 137 -j DROP
>         $IPTABLES -A SMB -p udp --sport 138 -j DROP
>         $IPTABLES -A SMB -p udp --sport 139 -j DROP
>         $IPTABLES -A SMB -p udp --sport 445 -j DROP
> 
> 
>     #Inbound Special Ports
>     
>         $IPTABLES -N SPECIALPORTS 
>         
>         #Deepthroat Scan
>           $IPTABLES -A SPECIALPORTS -p  tcp --dport 6670 -j 
> LSPECIALPORT
>   
>           #Subseven Scan
>           $IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j 
> LSPECIALPORT 
>                 $IPTABLES -A SPECIALPORTS -p udp --dport 1243 
> -j LSPECIALPORT
>                 $IPTABLES -A SPECIALPORTS -p tcp --dport 
> 27374 -j LSPECIALPORT
>                 $IPTABLES -A SPECIALPORTS -p udp --dport 
> 27374 -j LSPECIALPORT 
>           $IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 
> -j LSPECIALPORT  
>   
>           #Netbus Scan
>           $IPTABLES -A SPECIALPORTS -p tcp --dport 
> 12345:12346 -j LSPECIALPORT
>           $IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j 
> LSPECIALPORT 
>   
>           #Back Orifice scan
>           $IPTABLES -A SPECIALPORTS -p udp --dport 
> 31337:31338 -j LSPECIALPORT
>   
>           #X-Win
>           $IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS 
>  -j LSPECIALPORT 
> 
>         #Hack'a'Tack 2000
>         $IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT
> 
> 
> #ICMP/TRACEROUTE FILTERING
> 
> 
>     #Inbound ICMP/Traceroute
>     
>         $IPTABLES -N ICMPINBOUND 
>         
>         #Ping Flood protection. Accept $PINGLIMIT 
> echo-requests/sec, rest will be logged/dropped
>           $IPTABLES -A ICMPINBOUND -p icmp --icmp-type 
> echo-request -m limit --limit $PINGLIMIT --limit-burst 
> $PINGLIMITBURST -j ACCEPT 
>           #
>           $IPTABLES -A ICMPINBOUND -p icmp --icmp-type 
> echo-request -j LPINGFLOOD
> 
>           #Block ICMP-Redirects (Should already be catched by 
> sysctl-options, if enabled)
>           $IPTABLES -A ICMPINBOUND -p icmp --icmp-type 
> redirect -j LDROP 
>   
>           #Block ICMP-Timestamp (Should already be catched by 
> sysctl-options, if enabled)
>           $IPTABLES -A ICMPINBOUND -p icmp --icmp-type 
> timestamp-request -j LDROP
>           $IPTABLES -A ICMPINBOUND -p icmp --icmp-type 
> timestamp-reply -j LDROP 
> 
>           #Block ICMP-address-mask (can help to prevent 
> OS-fingerprinting)
>           $IPTABLES -A ICMPINBOUND -p icmp --icmp-type 
> address-mask-request -j LDROP
>           $IPTABLES -A ICMPINBOUND -p icmp --icmp-type 
> address-mask-reply -j LDROP 
> 
> 
>           #Allow all other ICMP in
>           $IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT
>     
>     
>     
>     
>     #Outbound ICMP/Traceroute
>     
>         $IPTABLES -N ICMPOUTBOUND
>     
>         #Block ICMP-Redirects (Should already be catched by 
> sysctl-options, if enabled)
>           $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type 
> redirect -j LDROP
>   
>           #Block ICMP-TTL-Expired
>         #MS Traceroute (MS uses ICMP instead of UDp for tracert) 
>         $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type 
> ttl-zero-during-transit -j LDROP
>           $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type 
> ttl-zero-during-reassembly -j LDROP
>   
>           #Block ICMP-Parameter-Problem 
>           $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type 
> parameter-problem -j LDROP
>   
>           #Block ICMP-Timestamp (Should already be catched by 
> sysctl-options, if enabled)
>           $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type 
> timestamp-request -j LDROP 
>           $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type 
> timestamp-reply -j LDROP
> 
>           #Block ICMP-address-mask (can help to prevent 
> OS-fingerprinting)
>           $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type 
> address-mask-request -j LDROP 
>           $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type 
> address-mask-reply -j LDROP
> 
> 
>           ##Accept all other ICMP going out
>           $IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT
> 
>     
> # CHAIN PARA LA SEPARACION DE TRAFICO BASADO EN LA IP DE 
> ORIGEN DE LA LAN 
>     
>     $IPTABLES -t mangle -N SETEAMARCA
>     $IPTABLES -t mangle -A SETEAMARCA -s $A1 -j MARK --set-mark 1
>     $IPTABLES -t mangle -A SETEAMARCA -s $A2 -j MARK --set-mark 2
>     $IPTABLES -t mangle -A SETEAMARCA -s $A3 -j MARK --set-mark 3 
>     $IPTABLES -t mangle -A SETEAMARCA -s $A4 -j MARK --set-mark 4
>     $IPTABLES -t mangle -A SETEAMARCA -s $A5 -j MARK --set-mark 5
>     $IPTABLES -t mangle -A SETEAMARCA -s $A6 -j MARK --set-mark 6
>     $IPTABLES -t mangle -A SETEAMARCA -s $A7 -j MARK --set-mark 7 
>     $IPTABLES -t mangle -A SETEAMARCA -s $A8 -j MARK --set-mark 8
>     $IPTABLES -t mangle -A SETEAMARCA -s $B1 -j MARK --set-mark 9
>     $IPTABLES -t mangle -A SETEAMARCA -s $B2 -j MARK --set-mark 10
>     $IPTABLES -t mangle -A SETEAMARCA -s $B3 -j MARK --set-mark 11 
>     $IPTABLES -t mangle -A SETEAMARCA -s $B4 -j MARK --set-mark 12
>     $IPTABLES -t mangle -A SETEAMARCA -s $B5 -j MARK --set-mark 13
>     $IPTABLES -t mangle -A SETEAMARCA -s $B6 -j MARK --set-mark 14
>     $IPTABLES -t mangle -A SETEAMARCA -s $J1 -j MARK --set-mark 15 
>     $IPTABLES -t mangle -A SETEAMARCA -s $J2 -j MARK --set-mark 16
>     $IPTABLES -t mangle -A SETEAMARCA -s $J3 -j MARK --set-mark 17
>     $IPTABLES -t mangle -A SETEAMARCA -s $J4 -j MARK --set-mark 18
>     $IPTABLES -t mangle -A SETEAMARCA -s $J5 -j MARK --set-mark 19 
>     $IPTABLES -t mangle -A SETEAMARCA -s $J6 -j MARK --set-mark 20
>     $IPTABLES -t mangle -A SETEAMARCA -s $JEJE -j MARK --set-mark 21
> #    $IPTABLES -t mangle -A SETEAMARCA -s $CAMARA -j MARK 
> --set-mark 22
> 
> 
> #----End User-Chains-----#    
> 
> 
> 
> echo " --- "
> 
> 
> #----Start Ruleset-----#
> 
> echo "Implementing firewall rules..."
> 
> 
> #################
> ## INPUT-Chain ## (everything that is addressed to the 
> firewall itself) 
> #################
> 
> 
> ##GENERAL Filtering
> 
>   # Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
>   $IPTABLES -A INPUT -m state --state INVALID -j LINVALID
>   
>   # Check TCP-Packets for Bad Flags 
>   $IPTABLES -A INPUT -p tcp -j CHECKBADFLAG
> 
> 
> ##Packets FROM FIREWALL-BOX ITSELF
> 
>   #Local IF
>   $IPTABLES -A INPUT -i lo -j ACCEPT
>   #
>   #Kill connections to the local interface from the outside 
> world (--> Should be already catched by kernel/rp_filter) 
>   $IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT
> 
> 
> ##Packets FROM INTERNAL NET
> 
> 
>  ##Allow unlimited traffic from internal network using legit 
> addresses to firewall-box
>  ##If protection from the internal interface is needed, alter it
>  
>   $IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT
>   #Kill anything from outside claiming to be from internal 
> network (Address-Spoofing --> Should be already catched by rp_filter) 
>   $IPTABLES -A INPUT -s $INTLAN -j LREJECT
>   $IPTABLES -A INPUT -i $EXTIF -s $INTLAN -j LREJECT 
> 
> 
> 
> ##Packets FROM EXTERNAL NET
> 
> 
>  ##ICMP & Traceroute filtering
>   
>   #Filter ICMP
>   $IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMPINBOUND 
> 
>   #Block UDP-Traceroute
>   $IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP
> 
> 
>  ##Silent Drops/Rejects (Things we don't want in our logs)
> 
>   #Drop all SMB-Traffic
>   $IPTABLES -A INPUT -i $EXTIF -j SMB 
>   
>   #Silently reject Ident (Don't DROP ident, because of 
> possible delays when establishing an outbound connection)
>   $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT 
> --reject-with tcp-reset
> 
> 
>  ##Public services running ON FIREWALL-BOX (comment out to activate):
> 
> 
> 
>   # ftp-data
>   #$IPTABLES -A INPUT -i $EXTIF -p tcp  --dport 20 -j TCPACCEPT
>   
>   # ftp
>   #$IPTABLES -A INPUT -i $EXTIF -p tcp  --dport 21 -j TCPACCEPT 
> 
>   # ssh
>   $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j TCPACCEPT
> 
>   #telnet
>   #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT
>   
> 
>   # smtp
>   #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT 
>   
>   # webmail
>   #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 26 -j TCPACCEPT
> 
>   # DNS
>   $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT
>   $IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT 
> 
>   # http
>   #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT
> 
>   # https
>   #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT
> 
>   # POP-3
>   #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j TCPACCEPT 
> 
>   # Bnc
>   #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 31337 -j TCPACCEPT
> 
> 
>  ##Separate logging of special portscans/connection attempts
>   
>   $IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS
> 
> 
> 
>  ##Allow ESTABLISHED/RELATED connections in
>   
>   $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
>   $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m 
> state --state RELATED -j TCPACCEPT 
>   $IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m 
> state --state RELATED -j ACCEPT
> 
> 
>  ##Catch all rule
>   $IPTABLES -A INPUT -j LDROP
> 
> 
> 
> 
> 
> ##################
> ## Output-Chain ## (everything that comes directly from the 
> Firewall-Box) 
> ##################
> 
> 
> 
> ##Packets TO FIREWALL-BOX ITSELF
> 
>   #Local IF
>   $IPTABLES -A OUTPUT -o lo -j ACCEPT
>   
> 
> ##Packets TO INTERNAL NET
> 
>   #Allow unlimited traffic to internals networks using legit 
> addresses 
>   $IPTABLES -A OUTPUT -o $INTIF -d $INTLAN -s $INTIP -j ACCEPT
>   $IPTABLES -A OUTPUT -o $CAMIF -d $CAMARA -s $CAMIFIP -j ACCEPT
> 
> 
> 
> ##Packets TO EXTERNAL NET
> 
> 
>  ##ICMP & Traceroute
> 
>   $IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND 
>   
> 
> 
>  ##Silent Drops/Rejects (Things we don't want in our logs)
> 
>   #SMB
>   $IPTABLES -A OUTPUT -o $EXTIF -j SMB
> 
>   #Ident
>   $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT 
> --reject-with tcp-reset 
> 
> 
> 
>  ##Public services running ON FIREWALL-BOX (comment out to activate):
> 
>   # ftp-data
>   #$IPTABLES -A OUTPUT -o $EXTIF -p tcp  --sport 20 -j ACCEPT
>   
>   # ftp
>   #$IPTABLES -A OUTPUT -o $EXTIF -p tcp  --sport 21 -j ACCEPT 
> 
>   # ssh
>   $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state 
> --state ESTABLISHED -j ACCEPT
> 
>   #telnet
>   #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 23 -m state 
> --state ESTABLISHED -j ACCEPT
> 
>   # smtp
>   #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 25 -m state 
> --state ESTABLISHED -j ACCEPT
> 
>   # webmail 
>   #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 88 -j ACCEPT
> 
>   # DNS
>   $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT 
>   $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT
> 
>   # http
>   #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state 
> --state ESTABLISHED -j ACCEPT
> 
>   # https
>   #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 443 -m state 
> --state ESTABLISHED -j ACCEPT 
> 
>   # POP-3
>   #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 110 -m state 
> --state ESTABLISHED -j ACCEPT
> 
>   #Netmeeting
>   $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 1720 -j ACCEPT
>   $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 1720 -j ACCEPT 
>   
>   #BNC
>   #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 31337 -j ACCEPT 
> 
> 
> 
>  ##Accept all tcp/udp traffic on unprivileged ports going out
> 
>   $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport 
> $UNPRIVPORTS -j ACCEPT 
>   $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport 
> $UNPRIVPORTS -j ACCEPT
> 
> 
> ##Darle una via privada de salida a paquetes del firewall itself
>   $IPTABLES -t mangle -A OUTPUT -o $EXTIF -s $EXTIP -j MARK 
> --set-mark 23 
> 
> 
> ##Catch all rule
> 
> $IPTABLES -A OUTPUT -j LDROP
> 
> 
> 
> 
> ####################
> ## FORWARD-Chain  ## (everything that passes the firewall)
> ####################
> 
> 
> ##GENERAL Filtering 
> 
>   #Kill invalid packets (not ESTABLISHED, RELATED or NEW)
>   $IPTABLES -A FORWARD -m state --state INVALID -j LINVALID
>  
>   # Check TCP-Packets for Bad Flags 
>   $IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG 
> 
> ##Filtering FROM INTERNAL NET
>   
> 
>   ##Silent Drops/Rejects (Things we don't want in our logs)
> 
>    #SMB
>    $IPTABLES -A FORWARD -o $EXTIF -j SMB
> 
>   
>   ##Special Drops/Rejects
>    # - To be done - 
>   
>   
>   ##Filter for some Trojans communicating to outside
>    # - To be done -
> 
>   
>   ##Port-Forwarding from Ports < 1024 [outbound] (--> Also 
> see chain PREROUTING)
> 
>    #Forwarding a mundaka 
>    #$IPTABLES -A FORWARD -o $EXTIF -s $SAND2002 -p tcp 
> --sport 25 -j ACCEPT
> 
> 
> 
>   ##Allow all other forwarding (from Ports > 1024) from 
> Internals Net's to External Net
>   $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp 
> --sport $UNPRIVPORTS -j ACCEPT 
>   $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp 
> --sport $UNPRIVPORTS -j ACCEPT
>   $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp 
> -j ACCEPT
>   $IPTABLES -A FORWARD -i $CAMIF -o $EXTIF -s $CAMARA -d 
> $ACTUAL -p tcp --sport 9090 -j ACCEPT 
> 
> 
> ##Filtering FROM EXTERNAL NET
>  
>  
>   ##Silent Drops/Rejects (Things we don't want in our logs)
>   
>   #SMB
>   $IPTABLES -A FORWARD -i $EXTIF -j SMB
>  
>   
>   ##Allow replies coming in
>   $IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED 
> -j ACCEPT 
>   $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS 
> -m state --state RELATED -j TCPACCEPT
>   $IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS 
> -m state --state RELATED -j ACCEPT
>   $IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state 
> RELATED -j ACCEPT 
>   
> 
> ##Port-Forwarding [inbound] (--> Also see chain PREROUTING)
> 
>   #Forwarding
>   #$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $MUNDAKA --dport 
> 80 -j ACCEPT
>   #$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $MUNDAKA --dport 
> 22 -j ACCEPT 
>   #$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $SAND2002 --dport 
> 25 -j ACCEPT
>   $IPTABLES -A FORWARD -i $EXTIF -o $CAMIF -s $ACTUAL -d 
> $CAMARA -p tcp --dport 9090 -j ACCEPT
> 
> ##Some ip forward
> 
>  # $IPTABLES -A FORWARD -p tcp -s $MUNDAKA -j ACCEPT 
>  # $IPTABLES -A FORWARD -p tcp -d $MUNDAKA -j ACCEPT
> 
> ## Forward entre las redes internas
>   $IPTABLES -A FORWARD -s $CAMARA -i $CAMIF -o $INTIF -d 
> $INTLAN -p tcp --sport 9090 -j ACCEPT
>   $IPTABLES -A FORWARD -d $CAMARA -o $CAMIF -i $INTIF -s 
> $INTLAN -p tcp --dport 9090 -j ACCEPT 
> 
> ## Cortar comunicacion Cyber-Cam (todo lo que vaya o venga a 
> la Cam, y que no me halla
> ## interesado admitir antes, es logeado y luego muere)
>   $IPTABLES -A FORWARD -o $CAMIF -j LNOCAM
>   $IPTABLES -A FORWARD -i $CAMIF -j LNOCAM 
> 
> ##Catch all rule/Deny every other forwarding
> 
> $IPTABLES -A FORWARD -j LDROP
> 
> ################
> ## PREROUTING ##
> ################
> 
> ##Port-Forwarding (--> Also see chain FORWARD)
> 
>   #Puertos Trasladados 
> #  $IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP 
> --dport 25 -j DNAT --to-destination $SAND2002
>   $IPTABLES -t nat -A PREROUTING -i $EXTIF -d $EXTIP -s 
> $ACTUAL -p tcp --dport 9090 -j DNAT --to-destination $CAMARA 
> 
> 
> 
> ###################
> ##  POSTROUTING  ##
> ###################
> 
>   #Seteo de marca basado en la dirección de origen
>   $IPTABLES -t mangle -A POSTROUTING -s $INTLAN -o $EXTIF -j 
> SETEAMARCA
>   $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -s $CAMARA -j 
> MARK --set-mark 22 
> 
>   #Masquerade from Internal Net to External Net
>   
>   $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -j 
> SNAT --to-source $EXTIP
>   $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $CAMARA -j 
> SNAT --to-source $EXTIP 
>   #$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
> 
> 
> 
> #------End Ruleset------#
> 
> echo "...done"
> echo ""
> 
> 
> echo "--> IPTABLES firewall loaded/activated <--" 
> 
> 
> ##--------------------------------End 
> Firewall---------------------------------##
> 
> 
> 
>    ;;
>    *)
>       echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
>       exit 1 
> esac
> 
> exit 0
> 
> 
> 
> 

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux