Commit b5735ad8 authored by jcsh's avatar jcsh

Add new file

#!/bin/bash --
# /usr/local/sbin/fw-mbl_core.v4
# miphix@insomnia247.nl
# tested with: iptables v1.6.0
# Purpose: To bring up a robust firewall at bootup.
# 'Cleanup and reset'
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t raw -F
/sbin/iptables -t raw -X
# 'User Chains'
/sbin/iptables -N TCP
/sbin/iptables -N UDP
/sbin/iptables -N SSH_IN
/sbin/iptables -N fw-interfaces
/sbin/iptables -N fw-open
# 'Defaulting'
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P INPUT DROP
# 'INPUT'
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
#/sbin/iptables -I INPUT -m set --match-set block src -j DROP
#/sbin/iptables -I INPUT -m set --match-set ipdeny src -j DROP
#/sbin/iptables -I INPUT -m set --match-set fullbogons-ipv4 src -j DROP
# -- NEW --
/sbin/iptables -A INPUT -p icmp -m conntrack --ctstate NEW -j DROP
# .` TCP `.
/sbin/iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
/sbin/iptables -I INPUT -p tcp -m recent --update --rsource --seconds 60 \
--name TCP-PSCAN -j DROP
/sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_IN
# `. UDP .`
/sbin/iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# '.SSH_IN.'
/sbin/iptables -A SSH_IN -m recent --name sshbf --rttl --rcheck --hitcount 3 \
--seconds 10 -j DROP
/sbin/iptables -A SSH_IN -m recent --name sshbf --rttl --rcheck --hitcount 4 \
--seconds 1800 -j DROP
/sbin/iptables -A SSH_IN -m recent --name sshbf --set -j ACCEPT
# -- ! NEW --
/sbin/iptables -A INPUT -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#/sbin/iptables -A INPUT -i enp0s9 -p udp --dport 67 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED --sport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED --dport 22 -j ACCEPT
#/sbin/iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED --sport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED --sport 443 -j ACCEPT
# 'OUTPUT'
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A OUTPUT ! -o lo -d 127.0.0.0/8 -j DROP
/sbin/iptables -A OUTPUT -p icmp -j ACCEPT
#/sbin/iptables -A OUTPUT -p udp -o enp0s9 --sport 67 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 22 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --sport 22 -j ACCEPT
#/sbin/iptables -A OUTPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 443 -j ACCEPT
# 'FORWARD'
#/sbin/iptables -A FORWARD -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#/sbin/iptables -A FORWARD -j fw-interfaces
#/sbin/iptables -A FORWARD -j fw-open
#/sbin/iptables -A FORWARD -j DROP
#/sbin/iptables -A fw-interfaces -i enp0s9 -j ACCEPT
#/sbin/iptables -t nat -A POSTROUTING -s 192.168.232.0/24 -o enp0s8 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE
/sbin/iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i enp0s9 -o enp0s8 -j ACCEPT
# 'PREROUTING'
/sbin/iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP
# 'LOG'
/sbin/iptables -A FORWARD -m limit --limit 3/min -j LOG --log-prefix \
"ipt_FORWARD_denied: " --log-level 4
/sbin/iptables -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix \
"ipt_OUTPUT_denied: " --log-level 4
/sbin/iptables -A INPUT -m limit --limit 3/min -j LOG --log-prefix \
"ipt_INPUT_denied: " --log-level 4
# 'Terminate'
/sbin/iptables -A INPUT -p tcp -m recent --set --rsource --name TCP-PSCAN -j DROP
/sbin/iptables -A INPUT -p udp -m recent --set --rsource --name UDP-PSCAN -j DROP
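Review bot: The UDP-PSCAN list populated by the `--set` on line 91 is never consulted — only TCP-PSCAN has a matching `--update … -j DROP` rule (the `-I INPUT` on lines 41-42) — so the UDP half of the trap records sources but blocks nothing, and the `UDP` chain created on line 22 and jumped to on line 45 holds no rules, so every NEW datagram returns from it and reaches the LOG rule regardless. Either reduce line 91 to a plain `/sbin/iptables -A INPUT -p udp -j DROP` or add the mirror rule `/sbin/iptables -I INPUT -p udp -m recent --update --rsource --seconds 60 --name UDP-PSCAN -j DROP`, keeping in mind that with this kind of trap one packet carrying a forged source address is enough to put that address on the list for 60 s (the rpfilter drop on line 81 only helps when the forged source is routed via another interface), which matters more for connectionless UDP than for the TCP SYN path. The script has no `set -e` and builds the ruleset one `iptables` call at a time, so a match extension that fails to load (`recent`, `rpfilter`) leaves a partial ruleset under the DROP policies set on lines 27-29 with no error surfaced; an `iptables-restore` file, or at minimum `set -e` after the shebang, would make the load atomic and fail loudly. The `.v4` suffix suggests an ip6tables counterpart lives elsewhere — confirm it exists, because nothing here applies to IPv6.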