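#!/bin/bash
# 20070330 iptables-lo hse@ukr.net
# Distributed under the terms of the GNU General Public License v2
#
# Loopback base rules for iptables.  Needed by: iptables-workstation,
# iptables-server, iptables-router.
#
# Installation:
#   /etc/init.d/iptables stop
#   ./iptables-lo start
#   /etc/init.d/iptables save
#
# You can also remove the rules again with:
#   ./iptables-lo stop
#
# How it works:
#   start  creates the user-defined chains (-N), appends every rule (-A)
#          and reloads the saved ban lists into the 'recent' match tables.
#   stop   saves the ban lists to disk, deletes every rule (-D) and then
#          the user-defined chains (-X).
#   The table policies are set on BOTH paths -- read the NOTE at the
#   filter-table policies below before running "stop" on a live machine.

set -u  # a mistyped variable name must not silently become an empty rule

# 0 ******************* VARIABLE setup *****************************
# Before running this script set up the configuration of your network here.
iptables='/sbin/iptables'
modprobe='/sbin/modprobe'
# shellcheck disable=SC2034  # not used by this script; kept for the companions
ifconfig='/sbin/ifconfig'

# Interface setup
LoopInterface='lo'
LoopIP='127.0.0.0/8'

# Where the ban lists are persisted across stop/start.
BanDir='/etc/iptables'

# The 'recent' match publishes its tables under /proc/net/xt_recent on
# kernels >= 2.6.28 (an entry is added by writing "+addr") and under
# /proc/net/ipt_recent on older kernels (bare "addr").  Pick whichever
# this kernel provides so the save/restore below works on both.
if [ -d /proc/net/xt_recent ]; then
  RecentDir='/proc/net/xt_recent'
  RecentAdd='+'
else
  RecentDir='/proc/net/ipt_recent'
  RecentAdd=''
fi

# Check parameters.
# The variable "action" can be "-A" or "-D" only!!!
case "${1:-}" in
  start)
    action='-A'
    actionchain='-N'
    ;;
  stop)
    action='-D'
    actionchain='-X'
    ;;
  *)
    printf '%s\n' 'Usage: iptables-lo <action>' 'Example:' \
      'iptables-lo start' 'iptables-lo stop' >&2
    exit 1
    ;;
esac
mode="$1"

# iptables needs CAP_NET_ADMIN; fail early with one clear message instead
# of a "Permission denied" from every single rule below.
if [ "$(id -u)" -ne 0 ]; then
  echo 'iptables-lo: must be run as root' >&2
  exit 1
fi
if [ ! -x "${iptables}" ]; then
  echo "iptables-lo: ${iptables} not found or not executable" >&2
  exit 1
fi

# Check for some kernel modules
#
# Needed to initially load modules
#
#/sbin/depmod -a
#
# Required modules (left disabled here; the companion scripts load them)
#${modprobe} ip_tables
#${modprobe} ip_conntrack
#${modprobe} iptable_filter
#${modprobe} iptable_mangle
#${modprobe} iptable_nat
#${modprobe} ipt_LOG
#${modprobe} ipt_limit
#${modprobe} ipt_state
#${modprobe} ipt_owner
#${modprobe} ipt_REJECT
#${modprobe} ipt_MASQUERADE
#${modprobe} ip_conntrack_ftp
#${modprobe} ip_conntrack_irc
#${modprobe} ip_nat_ftp
#${modprobe} ip_nat_irc

# Required proc configuration (also left to the companion scripts)
# Enable forwarding
#echo 1 > /proc/sys/net/ipv4/ip_forward
# No IP spoofing
#if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
# then
#   for i in /proc/sys/net/ipv4/conf/*/rp_filter
#   do
#     echo 1 > $i
#   done
#fi
# Disable source-routed packets
#for i in /proc/sys/net/ipv4/conf/*/accept_source_route
# do
#   echo 0 > $i
# done
#echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo 0 > /proc/sys/net/ipv4/ip_dynaddr

# Feel free to change the following firewall rules to suit your needs.

# I ******************* FILTERING TABLE rules ****************************
# (0) Policies (default)
# NOTE: these run on start AND stop.  After "stop" the lo ACCEPT rules are
# gone but INPUT/OUTPUT/FORWARD still default to DROP, so the host is left
# fail-closed -- even loopback traffic is blocked -- until a companion
# script or a manual "iptables -P ... ACCEPT" changes the policy.  This
# looks intentional for a base script, but it is not a clean "disable".
${iptables} -t filter -P INPUT DROP
${iptables} -t filter -P OUTPUT DROP
${iptables} -t filter -P FORWARD DROP

# (1) User-defined chains (created here on start, deleted at the end on stop)
if [ "${mode}" = 'start' ]; then
  ${iptables} "${actionchain}" TCPRules
  ${iptables} "${actionchain}" BadTcp
  ${iptables} "${actionchain}" BadGuy
  ${iptables} "${actionchain}" GoodGuy
fi

# On stop, dump the 'recent' ban tables to disk before the rules that
# reference them are removed.  Each /proc line starts with "src=<addr>";
# only the address is kept.  A missing kernel table leaves the previously
# saved file untouched instead of truncating it to nothing.
if [ "${mode}" = 'stop' ]; then
  mkdir -p "${BanDir}"
  for tbl in BadGuy TmpBan; do
    if [ -r "${RecentDir}/${tbl}" ]; then
      awk '{ sub(/^src=/, "", $1); print $1 }' "${RecentDir}/${tbl}" \
        > "${BanDir}/${tbl}"
    fi
  done
fi

# TCPRules: generic handling for TCP traffic that a port-specific rule has
# sent here (nothing in this file jumps to it -- the companion scripts do).
# Accept the handshake, accept anything belonging to a known connection,
# log the rest (rate-limited, so a flood cannot fill the log) and drop it.
${iptables} "${action}" TCPRules -p TCP --syn -j ACCEPT
${iptables} "${action}" TCPRules -p TCP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Logging incorrect packets:
${iptables} "${action}" TCPRules -p TCP -m limit --limit 5/m -j LOG --log-prefix "iptables tcp INPUT " --log-tcp-options --log-ip-options
# Drop everything else that reached this chain.
${iptables} "${action}" TCPRules -p TCP -j DROP

# BadTcp: TCP packets that do not look like a legitimate connection start.
# Nothing in this file jumps here either.
# A NEW packet carrying SYN+ACK answers a connection we never opened.
${iptables} "${action}" BadTcp -p TCP --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
# Logging incorrect packets (NEW but not SYN).  Rate-limited like TCPRules;
# an unbounded LOG rule here is a trivial log-flooding vector.
${iptables} "${action}" BadTcp -p TCP ! --syn -m conntrack --ctstate NEW -m limit --limit 5/m -j LOG --log-prefix "iptables New not syn " --log-tcp-options --log-ip-options
# Ban everything else that arrives here as a fresh SYN.
${iptables} "${action}" BadTcp -p TCP --syn -m conntrack --ctstate NEW -j DROP

# BadGuy: remember the source in the BadGuy table.  Note the first rule has
# no target, so it only records and falls through; the packet is DROPped
# by the second rule only if the source is also in TmpBan (--remove fails
# to match otherwise and the chain RETURNs).  Whether that fall-through is
# intended is not clear from this file -- confirm against the companion
# scripts that jump here.
${iptables} "${action}" BadGuy -m recent --name BadGuy --set
${iptables} "${action}" BadGuy -m recent --name TmpBan --remove -j DROP
# GoodGuy: you can forgive someone -- lift their temporary ban.
${iptables} "${action}" GoodGuy -m recent --name TmpBan --remove -j RETURN

# (2) INPUT chain rules
# Attempt to detect TCP and UDP port scans!
# Bad Guy list, we will remember them :-)
# Manual management of a 'recent' table, xt_recent syntax:
#   echo +xx.xx.xx.xx > /proc/net/xt_recent/DEFAULT   # add
#   echo -xx.xx.xx.xx > /proc/net/xt_recent/DEFAULT   # remove
#   echo / > /proc/net/xt_recent/DEFAULT              # clear
# Older ipt_recent takes a bare address to add and "clear" to flush:
#   echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
#   echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
#   echo clear > /proc/net/ipt_recent/DEFAULT

# On start, reload the saved ban lists.  This must stay after the BadGuy /
# GoodGuy rules above: the kernel only creates ${RecentDir}/<name> once a
# rule with that --name exists.  Lines that are not a plain dotted IPv4
# address are skipped rather than written into the kernel table.
if [ "${mode}" = 'start' ]; then
  for tbl in BadGuy TmpBan; do
    [ -r "${BanDir}/${tbl}" ] || continue
    while IFS= read -r addr || [ -n "${addr}" ]; do
      case "${addr}" in
        '' | *[!0-9.]*) continue ;;
      esac
      echo "${RecentAdd}${addr}" > "${RecentDir}/${tbl}"
    done < "${BanDir}/${tbl}"
  done
fi

# Rules for incoming packets from the local computer (loopback).
${iptables} "${action}" INPUT -p ALL -i "${LoopInterface}" -s "${LoopIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# (3) FORWARD chain rules
# (none for loopback)

# (4) OUTPUT chain rules
# Only output packets from local addresses, no spoofing.
${iptables} "${action}" OUTPUT -p ALL -o "${LoopInterface}" -s "${LoopIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# (1 DELETE) User-defined chains.  Only after every rule in them has been
# deleted above, because -X refuses a non-empty chain.
if [ "${mode}" = 'stop' ]; then
  ${iptables} "${actionchain}" TCPRules
  ${iptables} "${actionchain}" BadTcp
  ${iptables} "${actionchain}" BadGuy
  ${iptables} "${actionchain}" GoodGuy
fi

# II ***************** MANGLE TABLE rules *****************************
# (0) Policies (default)
${iptables} -t mangle -P PREROUTING ACCEPT
${iptables} -t mangle -P INPUT ACCEPT
${iptables} -t mangle -P FORWARD ACCEPT
${iptables} -t mangle -P OUTPUT ACCEPT
${iptables} -t mangle -P POSTROUTING ACCEPT
# (1) Mangle user-defined chain rules
# (2) Mangle PREROUTING chain rules
# (3) Mangle INPUT chain rules
# (4) Mangle FORWARD chain rules
# (5) Mangle OUTPUT chain rules
# (6) Mangle POSTROUTING chain rules

# III ***************** NAT TABLE rules *******************************
# (0) Policies (default)
# NOTE: the nat table only sees the first packet of a connection, so a DROP
# policy on nat PREROUTING discards every new inbound connection on any
# interface other than lo unless some nat rule ACCEPTs it -- before the
# filter table ever sees it.  The companion scripts presumably add their
# own nat PREROUTING ACCEPTs; on its own this script blocks all inbound.
${iptables} -t nat -P PREROUTING DROP
${iptables} -t nat -P OUTPUT ACCEPT
${iptables} -t nat -P POSTROUTING ACCEPT
# (1) NAT user-defined chain rules
# (2) PREROUTING chain rules: REDIRECTION and PORT MAPPING
# INPUT
# Rules for incoming packets from the local computer (loopback).
${iptables} -t nat "${action}" PREROUTING -p ALL -i "${LoopInterface}" -s "${LoopIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Rules for incoming packets from the Internet
# (3) OUTPUT chain rules
# Only output packets from local addresses, no spoofing.
# (4) POSTROUTING chain rules: NAT or MASQUERADE

# IV ***************** TABLE rules *****************************
# Placeholder section from the original; it names no table and holds no
# rules.  Left as-is for the companion scripts' layout.
# (0) Policies (default)
# (1) User-defined chain rules
# (2) PREROUTING chain rules
# (3) OUTPUT chain rules

exit 0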