Hi All,
Following is the policy that my firewall generation script gives, but my system hangs when i execute this, I am using ssh to execute this script. My aim is very simple to close all unused ports. My entire scripts goes like this. Can you please help me in correcting the script. ############################################################################ ####### # IPTABLES Firewalll script # written by ts ############################################################################ ####### #!/bin/sh IPTABLES="//sbin/iptables" echo "Flushing rules..." $IPTABLES -F $IPTABLES -X #Set default policies to DROP $IPTABLES -F INPUT $IPTABLES -F OUTPUT $IPTABLES -F FORWARD $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT LOOP_IF="lo" ########################################################################### #----Set network sysctl options-----# echo "--Setting sysctl options--" echo "Disabling IP Spoofing attacks" echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter echo "Disabling respond to broadcast pings" echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo "Blocking source routing" echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route echo "Kill timestamps" echo 0 > /proc/sys/net/ipv4/tcp_timestamps echo "Enable SYN Cookies" echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo "Kill redirects" echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo "Enabling bad error message protection" echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo "Logging martians (packets with impossible addresses)" echo 1 > /proc/sys/net/ipv4/conf/all/log_martians echo "Reducing DoS'ing ability by reducing timeouts" echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time echo 0 > /proc/sys/net/ipv4/tcp_window_scaling echo 0 > /proc/sys/net/ipv4/tcp_sack echo "Done..." ######################################################################### echo "--Setting up standard rules--" echo "Allow unlimited traffic on the loopback interface" $IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A OUTPUT -o lo -j ACCEPT echo "Enabling SYN-FLOODING PROTECTION" $IPTABLES -N syn-flood $IPTABLES -A INPUT -p tcp --syn -j syn-flood $IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN $IPTABLES -A syn-flood -j DROP echo "Making sure NEW tcp connections are SYN packets" $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP echo "Logging fragments caught" $IPTABLES -N fragments $IPTABLES -A INPUT -f -j fragments $IPTABLES -A fragments -j LOG --log-prefix "IPTABLES FRAGMENTS:" $IPTABLES -A fragments -j DROP echo "Refusing spoofed packets pretending to be from your IP address" #$IPTABLES -A INPUT -s $NET_IPADDR -j DROP echo "Done..." ########################################################################## echo "--Setting up user defined chains--" echo "Allow SSH(22/tcp)" $IPTABLES -A INPUT -p tcp --sport 22 -j ACCEPT $IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT echo "Allow ftp" $IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT echo "Active ftp" $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT echo "Passive ftp" $IPTABLES -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPTABLES -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT echo "Allow DNS(53/tcp&udp)" $IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT $IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT $IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT $IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT $IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT $IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT echo "Allow SFTP(115/tcp)to the internet" $IPTABLES -A OUTPUT -p tcp --dport 115 -j ACCEPT $IPTABLES -A INPUT -p tcp --sport 115 -j ACCEPT echo "Allow IMAP2" $IPTABLES -A OUTPUT -p tcp --dport 143 -j ACCEPT $IPTABLES -A INPUT -p tcp --sport 143 -j ACCEPT echo "Allow HTTP(80)(tcp&udp)to the internet" $IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT $IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT echo "Allow https" $IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT $IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT echo "Allow plesk admin" $IPTABLES -A OUTPUT -p tcp --dport 8443 -j ACCEPT $IPTABLES -A INPUT -p tcp --sport 8443 -j ACCEPT echo "Rejecting all connections to 137:139" $IPTABLES -N NETBIOS $IPTABLES -A INPUT -p udp --sport 137:139 -j NETBIOS $IPTABLES -A NETBIOS -j LOG --log-prefix "IPTABLES NETBIOS: " $IPTABLES -A NETBIOS -j DROP echo "Allowing SMTP" $IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT $IPTABLES -A INPUT -p tcp --sport 25 -j ACCEPT echo "Allowing POP3" $IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT $IPTABLES -A INPUT -p tcp --sport 110 -j ACCEPT echo "Allowing Ident" $IPTABLES -A OUTPUT -p tcp --dport 113 -j ACCEPT $IPTABLES -A INPUT -p tcp --sport 113 -j ACCEPT echo "Rejecting all other packets" $IPTABLES -A INPUT -j DROP $IPTABLES -A OUTPUT -j DROP echo "Done..." ############################################################################ ##### echo "Firewall construction completed" |