#!/bin/bash
# 20070330 iptables-lo hse@ukr.net
# Distributed under the terms of the GNU General Public License v2
#
# Needed for: iptables-workstation, iptables-server, iptables-router
# installations:
# /etc/init.d/iptables stop
# ./iptables-lo start
# /etc/init.d/iptables save
#
# Also you can stop
# ./iptables-lo stop
# 0 ******************* VARIABLE setup *****************************
# before running this script, set up the configuration of your network here:
# begin
ifconfig='/sbin/ifconfig'
iptables='/sbin/iptables'
modprobe='/sbin/modprobe'
# Check parameters
if [[ "$1" == 'stop' || "$1" == 'start' ]]
then
# parametr action can be "-A" or "-D" only!!!
if [[ "$1" == 'start' ]]
then
action='-A'
actionchain='-N'
elif [[ "$1" == 'stop' ]]
then
action='-D'
actionchain='-X'
fi
else
echo 'Usage:
iptables-lo <action>
Example:
iptables-lo start
iptables-lo stop'
exit 1
fi
# before running this script, set up the configuration of your network here:
# begin
#Interface setup
# Loopback interface and the address range bound to it; every rule in this
# script is restricted to this pair.
readonly LoopInterface='lo'
readonly LoopIP='127.0.0.0/8'
#Check for some kernel modules
#
# Needed to initially load modules
#
#/sbin/depmod -a
#
# Required modules
#${modprobe} ip_tables
#${modprobe} ip_conntrack
#${modprobe} iptable_filter
#${modprobe} iptable_mangle
#${modprobe} iptable_nat
#${modprobe} ipt_LOG
#${modprobe} ipt_limit
#${modprobe} ipt_state
#${modprobe} ipt_owner
#${modprobe} ipt_REJECT
#${modprobe} ipt_MASQUERADE
#${modprobe} ip_conntrack_ftp
#${modprobe} ip_conntrack_irc
#${modprobe} ip_nat_ftp
#${modprobe} ip_nat_irc
# Required proc configuration
# Enable forwarding
#echo 1 > /proc/sys/net/ipv4/ip_forward
# no IP spoofing
#if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
# then
# for i in /proc/sys/net/ipv4/conf/*/rp_filter
# do
# echo 1 > $i
# done
#fi
# Disable Source Routed Packets
#for i in /proc/sys/net/ipv4/conf/*/accept_source_route
# do
# echo 0 > $i
# done
#echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo 0 > /proc/sys/net/ipv4/ip_dynaddr
# feel free to change the following firewall rules to suit your setup
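# I ******************* FILTER TABLE rules ****************************
#
# Persisted copies of the kernel's "recent" lists.  The BadGuy/TmpBan lists
# are visible in /proc/net/ipt_recent/<name> only while a rule references
# them, so they are dumped to disk on stop and re-seeded on start.
readonly recent_proc_dir='/proc/net/ipt_recent'
readonly recent_save_dir='/etc/iptables'

#######################################
# Dump the addresses in a kernel "recent" list to ${recent_save_dir}/<name>.
# Arguments: $1 - list name (BadGuy, TmpBan)
# Returns:   0 on success, 1 if the list could not be read or written
# Writes to a temp file and renames, so a failed read (e.g. the module is
# not loaded and the /proc entry is missing) leaves the previous save intact
# instead of truncating it to an empty file.
#######################################
save_recent_list() {
  local name=$1
  local src="${recent_proc_dir}/${name}"
  local dest="${recent_save_dir}/${name}"
  local tmp
  if [[ ! -r "$src" ]]; then
    printf 'iptables-lo: %s not readable, keeping existing %s\n' "$src" "$dest" >&2
    return 1
  fi
  mkdir -p -- "$recent_save_dir" || return 1
  tmp=$(mktemp "${dest}.XXXXXX") || return 1
  # Each /proc line starts with "src=<addr>"; keep only the address.
  if awk '{ split($1, kv, "="); print kv[2] }' "$src" > "$tmp"; then
    mv -f -- "$tmp" "$dest"
  else
    rm -f -- "$tmp"
    return 1
  fi
}

#######################################
# Re-seed a kernel "recent" list from ${recent_save_dir}/<name>.
# Arguments: $1 - list name (BadGuy, TmpBan)
# Returns:   0 on success or when there is nothing saved yet, 1 if the
#            /proc entry is not writable
# Only dotted-quad IPv4 entries are written; anything else is skipped, so a
# stray "clear" or "-addr" line in the save file cannot wipe or edit the
# list.  Must run after a rule referencing the list exists, otherwise the
# /proc entry is absent.
#######################################
restore_recent_list() {
  local name=$1
  local src="${recent_save_dir}/${name}"
  local proc_list="${recent_proc_dir}/${name}"
  local ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
  local entry
  [[ -r "$src" ]] || return 0   # nothing saved yet: first run
  if [[ ! -w "$proc_list" ]]; then
    printf 'iptables-lo: %s not writable, %s not restored\n' "$proc_list" "$name" >&2
    return 1
  fi
  while IFS= read -r entry || [[ -n "$entry" ]]; do
    [[ "$entry" =~ $ipv4_re ]] || continue
    printf '%s\n' "$entry" > "$proc_list"
  done < "$src"
}

# (0) Default policies.  These are set on both start and stop: stop removes
# only this script's rules and leaves the DROP policies in place, so after
# stop the host accepts nothing (loopback included) until rules are re-added
# or the policies are reset by hand or by another script.
"${iptables}" -t filter -P INPUT DROP
"${iptables}" -t filter -P OUTPUT DROP
"${iptables}" -t filter -P FORWARD DROP

# (1) User-defined chains, created on start.  There is no flush, so running
# start twice reports "chain already exists" and appends duplicate rules.
if [[ "${actionchain}" == '-N' ]]; then
  for chain in TCPRules BadTcp BadGuy GoodGuy; do
    "${iptables}" "${actionchain}" "${chain}"
  done
fi

# On stop, dump the recent lists BEFORE the rules below are deleted: a list
# does not survive the removal of the last rule that references it.
if [[ "${action}" == '-D' ]]; then
  save_recent_list BadGuy
  save_recent_list TmpBan
fi

# TCPRules: accept new SYNs and anything belonging to a tracked connection;
# log (rate-limited) and drop everything else.
"${iptables}" "${action}" TCPRules -p TCP --syn -j ACCEPT
"${iptables}" "${action}" TCPRules -p TCP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"${iptables}" "${action}" TCPRules -p TCP -m limit --limit 5/m -j LOG --log-prefix "iptables tcp INPUT " --log-tcp-options --log-ip-options
"${iptables}" "${action}" TCPRules -p TCP -j DROP

# BadTcp: NEW packets that are not a plain SYN.  SYN+ACK gets a reset, the
# rest is logged, and new SYNs are dropped.
# The LOG rule is rate-limited like the one in TCPRules: "NEW but not SYN"
# packets can be generated at will (and spoofed) from outside, so an
# unlimited LOG would let a remote host flood the system log.
# NOTE: rule text must be identical on start and stop of the same script
# version, or "-D" will not find the rule to delete.
"${iptables}" "${action}" BadTcp -p TCP --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
"${iptables}" "${action}" BadTcp -p TCP ! --syn -m state --state NEW -m limit --limit 5/m -j LOG --log-prefix "iptables New not syn " --log-tcp-options --log-ip-options
"${iptables}" "${action}" BadTcp -p TCP --syn -m state --state NEW -j DROP

# BadGuy: record the source in the BadGuy list; if it is also in TmpBan,
# remove it from TmpBan and drop the packet.
# NOTE(review): a source that is not in TmpBan leaves this chain without
# being dropped -- confirm this is the intended semantics.
"${iptables}" "${action}" BadGuy -m recent --name BadGuy --set
"${iptables}" "${action}" BadGuy -m recent --name TmpBan --remove -j DROP
# GoodGuy: forgive a source by taking it out of TmpBan.
"${iptables}" "${action}" GoodGuy -m recent --name TmpBan --remove -j RETURN

# (2) INPUT chain rules
# Re-seed the lists on start.  This must come after the BadGuy/GoodGuy rules
# above, because /proc/net/ipt_recent/<name> only appears once a rule uses
# the list.  The lists can also be edited by hand:
#   echo xx.xx.xx.xx  > /proc/net/ipt_recent/<name>   # add an address
#   echo -xx.xx.xx.xx > /proc/net/ipt_recent/<name>   # remove an address
#   echo clear        > /proc/net/ipt_recent/<name>   # empty the list
if [[ "${action}" == '-A' ]]; then
  restore_recent_list BadGuy
  restore_recent_list TmpBan
fi

# Loopback traffic.  Only 127.0.0.0/8 sources are matched: a process that
# connects to one of the host's other addresses (e.g. its eth0 IP) is also
# delivered over lo but carries that address as source, and so falls
# through to the DROP policy unless another rule accepts it.
"${iptables}" "${action}" INPUT -p ALL -i "${LoopInterface}" -s "${LoopIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# (3) FORWARD chain rules: none for loopback.

# (4) OUTPUT chain rules: same source restriction as INPUT, outbound on lo.
"${iptables}" "${action}" OUTPUT -p ALL -o "${LoopInterface}" -s "${LoopIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# (1 DELETE) User-defined chains, removed on stop.  -X fails for a chain
# that still holds rules or is referenced by another script's rules.
if [[ "${actionchain}" == '-X' ]]; then
  for chain in TCPRules BadTcp BadGuy GoodGuy; do
    "${iptables}" "${actionchain}" "${chain}"
  done
fi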
# II ***************** MANGLE TABLE rules *****************************
# (0) Default policies: the mangle table is not used for filtering here, so
# every chain accepts.  No mangle rules are added by this script; the
# numbered sections below are placeholders kept for consistency with the
# sibling scripts.
for mangle_chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
  "${iptables}" -t mangle -P "${mangle_chain}" ACCEPT
done
# (1) Mangle user-defined chain rules
# (2) Mangle PREROUTING chain rules
# (3) Mangle INPUT chain rules
# (4) Mangle FORWARD chain rules
# (5) Mangle OUTPUT chain rules
# (6) Mangle POSTROUTING chain rules
# III ***************** NAT TABLE rules *******************************
# (0) Default policies.  PREROUTING is DROP, which turns the nat table into
# a filter for the first packet of each inbound connection; the nat table
# generally sees only that first packet, so it is a poor place to filter
# and the filter table above is where the real policy lives.  As with the
# filter table, the policy is also set on stop and stays DROP after the
# loopback rule below is removed.
nat_policy() {
  "${iptables}" -t nat -P "$1" "$2"
}
nat_policy PREROUTING DROP
nat_policy OUTPUT ACCEPT
nat_policy POSTROUTING ACCEPT
# (1) NAT user-defined chain rules: none.
# (2) PREROUTING chain rules: redirection and port mapping.
# Let loopback connections past the DROP policy above, with the same source
# restriction as the filter-table rules.
"${iptables}" -t nat "${action}" PREROUTING -p ALL -i "${LoopInterface}" -s "${LoopIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Rules for incoming packets from the Internet: none in this script.
# (3) OUTPUT chain rules: none (only loopback traffic is handled here).
# (4) POSTROUTING chain rules (SNAT/MASQUERADE): none.
# IV ***************** (reserved) *************************************
# (0) Default policies
# (1) User-defined chain rules
# (2) PREROUTING chain rules
# (3) OUTPUT chain rules
# NOTE: the exit status is always 0, even if an iptables call above failed,
# so a caller cannot detect a partially applied rule set from the status.
exit 0