Hi,
Check the iptables path: is this correct? It is supposed to be /sbin/iptables
(depending on the distribution you are using):
IPTABLES="//sbin/iptables"
It is better to run the script from the console, so you will
see any errors the script produces.
hare
----- Original Message -----
Sent: Monday, December 23, 2002 6:02
PM
Subject: Firewall script
Hi All,
Following is the policy that my firewall
generation script produces, but my system hangs when I execute it. I am using
ssh to execute this script. My aim is very simple: to close all unused
ports. My entire script goes like this. Can you please help me correct
the
script.
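#!/bin/sh
###########################################################################
# IPTABLES firewall script
# written by ts
#
# Builds a host firewall for the filter table: loopback traffic and a fixed
# list of services are accepted, everything else is dropped by the explicit
# "-A INPUT -j DROP" / "-A OUTPUT -j DROP" rules in the last section. Rules
# are appended in order, so that section must stay last.
#
# Run it from a local console the first time: a wrong rule can cut off the
# SSH session that started the script, which looks like a "hang".
###########################################################################

# Full path to the iptables binary; adjust for the distribution in use.
# (The original had "//sbin/iptables" - the doubled slash resolves to the
# same file on Linux but is a typo.)
IPTABLES="/sbin/iptables"

echo "Flushing rules..."
# Flush all chains of the filter table and remove user-defined chains so the
# script can be re-run without accumulating duplicate rules. "-X" fails
# harmlessly when no user-defined chain exists.
$IPTABLES -F
$IPTABLES -X

# Chain policies stay ACCEPT while the rules are built. The default-deny is
# the pair of explicit DROP rules appended at the end of the script; setting
# "-P DROP" here would kill a remote session before its accept rules exist.
# The FORWARD policy is deliberately left untouched - this script does not
# configure forwarding.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Loopback interface name. Not referenced by the rules later in this file,
# which use the literal "lo".
LOOP_IF="lo"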
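###########################################################################
#----Set network sysctl options-----#
echo "--Setting sysctl options--"

# Write one value to a /proc/sys key.
# Keys this kernel does not expose are skipped with a message on stderr
# instead of producing a redirection error; the key set differs between
# kernel versions and distributions.
# Arguments: $1 - absolute /proc/sys path
#            $2 - value to write
# Returns:   0 when written or skipped, non-zero if the write itself failed
set_proc() {
  if [ -w "$1" ]; then
    echo "$2" > "$1"
  else
    echo "  skipping $1: not present or not writable" >&2
  fi
}

echo "Disabling IP Spoofing attacks"
# Reverse-path filtering on all interfaces. The original writes 2; on the
# 2.4-era kernels this script targets any non-zero value enables the check,
# while on newer kernels 2 selects "loose" mode (1 = strict). Kept as is.
set_proc /proc/sys/net/ipv4/conf/all/rp_filter 2

echo "Disabling respond to broadcast pings"
set_proc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

echo "Blocking source routing"
set_proc /proc/sys/net/ipv4/conf/all/accept_source_route 0

echo "Kill timestamps"
set_proc /proc/sys/net/ipv4/tcp_timestamps 0

echo "Enable SYN Cookies"
set_proc /proc/sys/net/ipv4/tcp_syncookies 1

echo "Kill redirects"
set_proc /proc/sys/net/ipv4/conf/all/accept_redirects 0

echo "Enabling bad error message protection"
set_proc /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1

echo "Logging martians (packets with impossible addresses)"
# Logs packets whose source address is impossible on the receiving
# interface; useful as a detection signal, check kernel log volume.
set_proc /proc/sys/net/ipv4/conf/all/log_martians 1

echo "Reducing DoS'ing ability by reducing timeouts"
set_proc /proc/sys/net/ipv4/tcp_fin_timeout 30
set_proc /proc/sys/net/ipv4/tcp_keepalive_time 2400
# NOTE(review): disabling window scaling and SACK does not reduce DoS
# exposure and limits TCP throughput on high-latency links. Values are kept
# as the author wrote them; consider dropping these two lines.
set_proc /proc/sys/net/ipv4/tcp_window_scaling 0
set_proc /proc/sys/net/ipv4/tcp_sack 0

echo "Done..."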
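###########################################################################
echo "--Setting up standard rules--"

echo "Allow unlimited traffic on the loopback interface"
# Uses LOOP_IF when the header section defined it, otherwise "lo".
$IPTABLES -A INPUT -i "${LOOP_IF:-lo}" -j ACCEPT
$IPTABLES -A OUTPUT -o "${LOOP_IF:-lo}" -j ACCEPT

echo "Enabling SYN-FLOODING PROTECTION"
# Every inbound TCP SYN passes through the syn-flood chain. Up to a burst of
# 4, then 1 per second, is returned to INPUT for normal processing; SYNs
# above that rate are dropped. The limit is global, not per source, so on a
# busy server legitimate new connections are throttled too.
$IPTABLES -N syn-flood
$IPTABLES -A INPUT -p tcp --syn -j syn-flood
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP

echo "Making sure NEW tcp connections are SYN packets"
# A TCP packet that conntrack sees as NEW but that lacks SYN is not a valid
# connection start; drop it.
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

echo "Logging fragments caught"
# Non-first fragments are logged with a prefix for kernel-log filtering,
# then dropped.
$IPTABLES -N fragments
$IPTABLES -A INPUT -f -j fragments
$IPTABLES -A fragments -j LOG --log-prefix "IPTABLES FRAGMENTS:"
$IPTABLES -A fragments -j DROP

echo "Refusing spoofed packets pretending to be from your IP address"
# Left disabled in the original: NET_IPADDR is never set in this script.
# Define it (the host's own address) before enabling the rule.
#$IPTABLES -A INPUT -s $NET_IPADDR -j DROP

# NOTE(review): the per-service rules that follow accept by port without
# conntrack state. A single
#   $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# here, with the service rules matching only NEW connections, would be the
# usual tighter construction.
echo "Done..."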
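###########################################################################
echo "--Setting up user defined chains--"

# Rule direction: "--sport N" on INPUT together with "--dport N" on OUTPUT
# matches traffic where THIS host is the client of service N. It does not
# admit remote clients connecting TO service N on this host. Most rules
# below are also stateless, so any remote packet with a matching source
# port is accepted regardless of connection state.

echo "Allow SSH(22/tcp)"
# Outgoing SSH (this host as client), as in the original.
$IPTABLES -A INPUT -p tcp --sport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT
# Incoming SSH (this host as server). The original had no such rule, so the
# session running the script over ssh was cut off by the final DROP rules -
# which presents as the script "hanging".
$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

echo "Allow ftp"
# Outgoing FTP control connection.
$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

echo "Active ftp"
$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

echo "Passive ftp"
$IPTABLES -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Allow DNS(53/tcp&udp)"
# The original listed each of these four rules twice; duplicates removed.
$IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT

echo "Allow SFTP(115/tcp)to the internet"
# Port 115 is the legacy Simple File Transfer Protocol, not SSH's sftp
# (which runs over port 22 above).
$IPTABLES -A OUTPUT -p tcp --dport 115 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 115 -j ACCEPT

echo "Allow IMAP2"
$IPTABLES -A OUTPUT -p tcp --dport 143 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 143 -j ACCEPT

echo "Allow HTTP(80)(tcp&udp)to the internet"
# Only tcp is actually allowed here, despite the message.
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT

echo "Allow https"
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT

echo "Allow plesk admin"
$IPTABLES -A OUTPUT -p tcp --dport 8443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 8443 -j ACCEPT

echo "Rejecting all connections to 137:139"
# Despite the message this matches udp packets whose SOURCE port is 137-139
# and logs them before dropping. Connections TO 137-139 on this host are
# dropped, unlogged, by the final rules below.
$IPTABLES -N NETBIOS
$IPTABLES -A INPUT -p udp --sport 137:139 -j NETBIOS
$IPTABLES -A NETBIOS -j LOG --log-prefix "IPTABLES NETBIOS: "
$IPTABLES -A NETBIOS -j DROP

echo "Allowing SMTP"
$IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 25 -j ACCEPT

echo "Allowing POP3"
$IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 110 -j ACCEPT

echo "Allowing Ident"
$IPTABLES -A OUTPUT -p tcp --dport 113 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 113 -j ACCEPT

echo "Rejecting all other packets"
# Default-deny for both directions. Must remain the last rules appended;
# nothing dropped here is logged.
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j DROP

echo "Done..."
###########################################################################
echo "Firewall construction completed"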