#!/bin/bash
# 20070330 iptables-workstation hse@ukr.net
# Distributed under the terms of the GNU General Public License v2 or later

# Like a workstation in the local LAN only, on a specific interface!

# !!!!!!!!!!!!!!!!!
# need iptables-lo
# !!!!!!!!!!!!!!!!!

# Example of an iptables script for ppp
# start in: /etc/ppp/ip-up.local
# stop in: /etc/ppp/ip-down.local
# usage: /etc/ppp/iptables-workstation <dev> <action>
# parameter <action> is "start" (from /etc/ppp/ip-up.local) or "stop" (from /etc/ppp/ip-down.local)
# parameter <dev> is "ppp0" for ppp, "eth0" for eth0, and so on

#  0  *******************       VARIABLE setup   *****************************
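# Absolute paths of the tools this script drives. They are pinned (and made
# read-only) so the script does not depend on PATH when it is called from the
# ppp hook scripts, which may run with a minimal environment.
readonly ifconfig='/sbin/ifconfig'
readonly iptables='/sbin/iptables'
readonly modprobe='/sbin/modprobe'   # only referenced by the commented-out module section in this file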

# Check parameters
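# Check parameters: <dev> must be given and <action> must be "start" or "stop";
# anything else prints the usage text and exits.
# NOTE(review): the tests on the original 'if' lines were garbled in extraction
# and are reconstructed from the branches they guarded (start -> -A/-N, stop -> -D/-X).
if [[ -z "$1" || ( "$2" != 'start' && "$2" != 'stop' ) ]]; then
  cat >&2 <<'EOF'
Usage:
    iptables-workstation <device> <action>

Example:
    iptables-workstation eth0 start
    iptables-workstation eth0 stop
EOF
  exit 1
fi

# Warn when /dev/<dev> does not exist. This is deliberately not fatal, as in the
# original (its 'exit 1' was commented out): a ppp/modem device has a /dev node,
# an Ethernet interface such as eth0 does not, so the warning is expected there.
if [[ ! -e "/dev/$1" ]]; then
  printf 'Device /dev/%s not exist!!!\n' "$1" >&2
  # exit 1
fi

# <action> maps to the iptables verbs used for every rule below:
#   start -> append rules (-A) and create user chains (-N)
#   stop  -> delete rules (-D) and delete user chains (-X)
case "$2" in
  start)
    action='-A'
    actionchain='-N'
    ;;
  stop)
    action='-D'
    actionchain='-X'
    ;;
esac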

# before running this script, set up the configuration of your network here:
# begin

#Interface setup
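# Interface setup
Interface="$1"
Device='modem'   # not referenced by any rule in this file

# Loopback interface and address range used by the INPUT/OUTPUT rules below
LoopInterface='lo'
LoopIP='127.0.0.0/8'

# Figure out the current IP configuration of ${Interface}.
# When rules are being added the link is up, so the addresses are read from
# ifconfig and cached under /etc/iptables/<Interface>/; when rules are being
# deleted (ip-down, link possibly already gone) the cached values are reused so
# that exactly the same rules are removed again.
# NOTE(review): the test on the original 'if' line was lost in extraction; it is
# reconstructed as "adding rules" from the write-cache / read-cache split below.
cache_dir="/etc/iptables/${Interface}"
if [[ "${action}" == '-A' ]]; then
  # One ifconfig call, parsed three times (old-style "inet addr:" output format).
  ifcfg=$(LANG='POSIX' LC_ALL='' "${ifconfig}" "${Interface}")
  HostIP=$(printf '%s\n' "${ifcfg}" | grep 'inet addr' | awk -F: '{ print $2 } ' | awk '{ print $1 }')
  BroadcastIP=$(printf '%s\n' "${ifcfg}" | grep ' Bcast:' | awk -F: '{ print $3 } ' | awk '{ print $1 }')
  NetMask=$(printf '%s\n' "${ifcfg}" | grep 'inet addr' | awk -F: '{ print $4 } ')
  mkdir -p -- "${cache_dir}"
  printf '%s\n' "${HostIP}" > "${cache_dir}/HostIP"
  printf '%s\n' "${BroadcastIP}" > "${cache_dir}/BroadcastIP"
  printf '%s\n' "${NetMask}" > "${cache_dir}/NetMask"
else
  HostIP=$(< "${cache_dir}/HostIP")
  BroadcastIP=$(< "${cache_dir}/BroadcastIP")
  NetMask=$(< "${cache_dir}/NetMask")
fi

# An empty address would silently turn rules such as '-d ${HostIP}' into
# malformed iptables calls. Fail closed instead: install the same DROP policies
# the filter section uses, then stop.
if [[ -z "${HostIP}" || -z "${NetMask}" ]]; then
  printf 'iptables-workstation: no IP address/netmask found for %s\n' "${Interface}" >&2
  "${iptables}" -t filter -P INPUT DROP
  "${iptables}" -t filter -P OUTPUT DROP
  "${iptables}" -t filter -P FORWARD DROP
  exit 1
fi
LocalNet="${HostIP}/${NetMask}"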

#SpoofingHostIP="10.0.0.10"

# ISP Servers setup

# ISP Servers setup
# DHCP can be: "server", "client" or "static"
# DHCP selects which DHCP rule is installed in the UDP section:
# "server", "client" or "static".
DHCP=static
# Only consulted when DHCP=client: the DHCP server whose replies we accept.
DHCP_SERVER=10.0.0.10
#ns_1='10.0.0.10'
#TimeServer='10.0.0.10'
#POP_Server='10.0.0.10'
#IMAP_Server='10.0.0.10'
#SMTP_Server='10.0.0.10'
# Host allowed to reach the monitoring TCP ports (see the TCP INPUT rules).
monitoring_Server=10.0.0.10

#Check for some kernel modules
#
# Needed to initially load modules
#
#/sbin/depmod -a
#
# Required modules
#${modprobe} ip_tables
#${modprobe} ip_conntrack
#${modprobe} iptable_filter
#${modprobe} iptable_mangle
#${modprobe} iptable_nat
#${modprobe} ipt_LOG
#${modprobe} ipt_limit
#${modprobe} ipt_state
#${modprobe} ipt_owner
#${modprobe} ipt_REJECT
#${modprobe} ipt_MASQUERADE
#${modprobe} ip_conntrack_ftp
#${modprobe} ip_conntrack_irc
#${modprobe} ip_nat_ftp
#${modprobe} ip_nat_irc

# Required proc configuration
# Enable forwarding
#echo 1 > /proc/sys/net/ipv4/ip_forward
# no IP spoofing
#if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
#  then
#    for i in /proc/sys/net/ipv4/conf/*/rp_filter
#      do
#       echo 1 > $i
#      done
#fi
# Disable Source Routed Packets
#for i in /proc/sys/net/ipv4/conf/*/accept_source_route
#  do
#    echo 0 > $i
#  done
#echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo 0 > /proc/sys/net/ipv4/ip_dynaddr

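# Summarize what was detected before any rule is touched (stdout, so it ends up
# in the ppp log). DOMAINNAME is not set by bash itself and is typically empty.
printf ' Machine type: %s  hostname:  %s.%s\n Interface=%s  HostIP=%s  BroadcastIP=%s  NetMask=%s\n' \
  "${MACHTYPE}" "${HOSTNAME}" "${DOMAINNAME}" "${Interface}" "${HostIP}" "${BroadcastIP}" "${NetMask}"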

# end

# feel free to change the following firewall rules to suit your needs

#   I  *******************       FILTER TABLE rules           ****************************

# (0) Policies (default)

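# Everything not explicitly accepted below is dropped. The policies are set
# unconditionally, i.e. also on "stop": once the rules are deleted the host is
# closed off rather than left open (fail closed).
"${iptables}" -t filter -P INPUT DROP
"${iptables}" -t filter -P OUTPUT DROP
"${iptables}" -t filter -P FORWARD DROP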

# (1) User-defined chains

#if [ "${actionchain}" == '-N' ]
#  then
#    ${iptables} ${actionchain} TCPRules_${Interface}
#fi

#${iptables} ${action} TCPRules_${Interface} -p TCP --syn -j ACCEPT
#${iptables} ${action} TCPRules_${Interface} -p TCP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Logging incorrect packets:
#${iptables} ${action} TCPRules_${Interface} -p TCP -m limit --limit 5/m -j LOG --log-prefix "iptables tcp INPUT " --log-tcp-options --log-ip-options
# Ban all IPs which try to access other ports
#${iptables} ${action} TCPRules_${Interface} -p TCP -s ! ${LocalNet} -m recent --name TmpBan --set -j DROP

# (2) INPUT chain rules

# Attempt to detect TCP and UDP port scans!

# Bad Guy list, we will remember them :-)
# echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
# echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
# echo clear > /proc/net/ipt_recent/DEFAULT
# Forever
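# Anything already on the BadGuy list is dropped outright.
"${iptables}" "${action}" INPUT -i "${Interface}" -m recent --name BadGuy --rcheck -j DROP
# Cache bad guy TCP: non-local sources touching these ports are added to BadGuy.
# ('! -s' is the current negation syntax; the old '-s !' form is rejected by newer iptables.)
"${iptables}" "${action}" INPUT -p TCP -i "${Interface}" ! -s "${LocalNet}" -d "${HostIP}" -m multiport --dport 20,21,22,23,79,135,139,311,389,445,593,1025,1026,3128 -m recent --name BadGuy --set -j DROP
# List of temporarily banned hosts, we will remember them too :)
# Dropped (and the timestamp refreshed) when seen within the last 60 seconds
"${iptables}" "${action}" INPUT -i "${Interface}" -m recent --name TmpBan --update --seconds 60 -j DROP
# Seen 7 times within 600 seconds from outside the local net: that's enough -> BadGuy
"${iptables}" "${action}" INPUT -i "${Interface}" ! -s "${LocalNet}" -m recent --name TmpBan --rcheck --seconds 600 --hitcount 7 -j BadGuy
# Seen only once within 3600 seconds: treated as harmless -> GoodGuy
"${iptables}" "${action}" INPUT -i "${Interface}" -m recent --name TmpBan --rcheck --seconds 3600 --hitcount 1 -j GoodGuy
# TTL of the current packet matches the packet that hit the --set rule: DoS!
"${iptables}" "${action}" INPUT -i "${Interface}" -m recent --name TmpBan --update --rttl -j DROP

# Bad TCP packets we don't want.
# NOTE(review): the BadGuy, GoodGuy, BadTcp and TCPRules chains are jumped to
# but not created in this file (chain creation is commented out above); they
# presumably come from the iptables-lo script named in the header — verify.
"${iptables}" "${action}" INPUT -p TCP -j BadTcp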

# Rules for incoming packets from local computer:
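"${iptables}" "${action}" INPUT -p ALL -i "${LoopInterface}" -d "${HostIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
"${iptables}" "${action}" INPUT -p ALL -i "${Interface}" -s "${HostIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# Rules for broadcast (only when the interface has a broadcast address; a ppp
# link has none and BroadcastIP is then empty).
# NOTE(review): the test on the original 'if' line was lost in extraction and
# is reconstructed as "BroadcastIP is set".
if [[ -n "${BroadcastIP}" ]]; then
  # In Microsoft Networks you will be swamped by broadcasts. These lines will prevent them from showing up in the logs.
  "${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -d "${BroadcastIP}" --dport 135:139 -j DROP

  "${iptables}" "${action}" INPUT -p ALL -i "${Interface}" -d "${BroadcastIP}" -j ACCEPT
fi

# Rules for multicasts
# If you have a Microsoft Network on the outside of your firewall, you may also get flooded by Multicasts. We drop them so we do not get flooded by logs
# NOTE(review): 224.0.0.0/8 is only the first /8 of the multicast range
# (224.0.0.0/4); widen it if other multicast groups show up in the logs.
"${iptables}" "${action}" INPUT -i "${Interface}" -d 224.0.0.0/8 -j DROP

# Cache bad guy UDP: non-local sources touching these ports are added to BadGuy.
"${iptables}" "${action}" INPUT -p UDP -i "${Interface}" ! -s "${LocalNet}" -d "${HostIP}" -m multiport --dport 20,21,22,23,135,139,1025,1026 -m recent --name BadGuy --set -j DROP

# Packets for established connections
# Rules for incoming packets from the Internet
"${iptables}" "${action}" INPUT -p ALL -i "${Interface}" -s 0/0 -d "${HostIP}" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT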

#TCP rules

#Internet:
### FTP 21 # SHH 22 # MTA 25 # DNS 53 # HTTP 80 HTTPS 443 # ICQ 4000
#${iptables} ${action} INPUT -p TCP -i ${Interface} -s 0/0 -d ${HostIP} -m multiport --dport 53,4000 -j TCPRules

#Local:
### TFTP 69,1758 # NFS 111,2049 # CUPS 631 # SWAT 901 # rndc 953 # mysql 3306 # distccd 3632 # privoxy 8118 # tor 9050
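# Accept these service ports from the local net only, via the TCPRules chain
# (TCPRules is jumped to but not created in this file — presumably by iptables-lo; verify).
"${iptables}" "${action}" INPUT -p TCP -i "${Interface}" -s "${LocalNet}" -d "${HostIP}" -m multiport --dport 111,631,901,2049,3632 -j TCPRules   #TCPRules_${Interface}

# Monitoring: these ports are reachable from the monitoring server only
"${iptables}" "${action}" INPUT -p TCP -i "${Interface}" -s "${monitoring_Server}" -d "${HostIP}" -m multiport --dport 9045,9046,9047,9048,9049 -j TCPRules   #TCPRules_${Interface}

# Logging access to other TCP ports (rate limited so a scan cannot flood the log)
"${iptables}" "${action}" INPUT -p TCP -i "${Interface}" -m limit --limit 5/m -j LOG --log-prefix "iptables tcp? INPUT" --log-tcp-options --log-ip-options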

# UDP rules

#Internet:
### DNS 53 # ICQ 4000
#${iptables} ${action} INPUT -p UDP -i ${Interface} -s 0/0 -d ${HostIP} -m multiport --dport 53,4000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

###incoming from:# DNS 53 # NTP 123 # multimedia appl 2074,4000
#${iptables} ${action} INPUT -p UDP -i ${Interface} -s 0/0 -d ${HostIP} -m multiport --sport 53,123,2074,4000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

### DHCP
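case "${DHCP}" in
  server)
    # For a DHCP server: accept client requests (client port 68 -> server port 67)
    "${iptables}" "${action}" INPUT -p UDP -i "${Interface}" --dport 67 --sport 68 -j ACCEPT
    ;;
  client)
    # DHCP client: accept server replies only from the configured DHCP server
    "${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -s "${DHCP_SERVER}" --sport 67 --dport 68 -j ACCEPT
    ;;
  static)
    # If we get DHCP requests from the outside of our network, our logs will be swamped as well. This rule will block them from getting logged.
    "${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -d 255.255.255.255 --dport 67:68 -j DROP
    ;;
  *)
    # A typo in the DHCP setting used to be silently ignored; say so instead.
    printf 'iptables-workstation: unknown DHCP setting "%s" (expected server, client or static)\n' "${DHCP}" >&2
    ;;
esac

# Local net only:
### TFTP 69,1758 # NFS 111,2049 # NTP 123 # CUPS 631  # multimedia appl 2074,4000 # distccd 3632
"${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -s "${LocalNet}" -d "${HostIP}" -m multiport --dport 111,123,631,2049,2074,3632,4000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# Logging access to other UDP ports (rate limited)
"${iptables}" "${action}" INPUT -p UDP -i "${Interface}" -m limit --limit 5/m -j LOG --log-prefix "iptables udp? INPUT " --log-ip-options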

#ICMP rules

#Internet:

#Local:
# echo reply (ping)
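# ICMP type 8 is echo request, i.e. incoming ping from the local net
"${iptables}" "${action}" INPUT -p ICMP -i "${Interface}" -s "${LocalNet}" -d "${HostIP}" --icmp-type 8 -j ACCEPT

# ICMP type 11 is time exceeded (what traceroute relies on)
"${iptables}" "${action}" INPUT -p ICMP -i "${Interface}" -s "${LocalNet}" -d "${HostIP}" --icmp-type 11 -j ACCEPT

# Logging other ICMP (rate limited)
"${iptables}" "${action}" INPUT -p ICMP -i "${Interface}" -m limit --limit 5/m -j LOG --log-prefix "iptables icmp? INPUT " --log-ip-options

# Ban all non-local IPs that reached this point (nothing above accepted them):
# they land on the TmpBan list that the port-scan rules act on.
"${iptables}" "${action}" INPUT -i "${Interface}" ! -s "${LocalNet}" -m recent --name TmpBan --set -j DROP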

#(3) FORWARD chain rules

# Bad TCP packets we don't want.
#${iptables} ${action} FORWARD -p TCP -j BadTcp

# ACCEPT packets we wont to forward

# Loging incorect FORWARD
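# Nothing is accepted for forwarding (policy DROP), so every forwarded packet
# is logged (rate limited) and its non-local source put on the TmpBan list.
"${iptables}" "${action}" FORWARD -i "${Interface}" -m limit --limit 5/m --limit-burst 3 -j LOG --log-prefix "iptables FORWARD" --log-tcp-options --log-ip-options

# Ban all non-local IPs which try to get forwarded
"${iptables}" "${action}" FORWARD -i "${Interface}" ! -s "${LocalNet}" -m recent --name TmpBan --set -j DROP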

# (4) OUTPUT chain rules

# Bad TCP packets we don't want.
#${iptables} ${action} OUTPUT -p TCP -j BadTcp

#Only output packets from local addresses no spoofing
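"${iptables}" "${action}" OUTPUT -p ALL -o "${LoopInterface}" -s "${HostIP}" -d 0/0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Only the tor and named service accounts may open outbound connections on the
# interface; every other local process is logged and dropped by the rules below.
"${iptables}" "${action}" OUTPUT -p ALL -o "${Interface}" -s "${HostIP}" -d 0/0 -m owner --uid-owner tor -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
"${iptables}" "${action}" OUTPUT -p ALL -o "${Interface}" -s "${HostIP}" -d 0/0 -m owner --uid-owner named -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow some other output
#"${iptables}" "${action}" OUTPUT -p ALL -o "${Interface}" -s "${HostIP}" -d 0/0 -m owner --uid-owner ebuild -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#"${iptables}" "${action}" OUTPUT -p ALL -o "${Interface}" -s "${HostIP}" -d 0/0 -m owner --cmd-owner /usr/bin/wget -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# Output packets from all local applications
#"${iptables}" "${action}" OUTPUT -p ALL -o "${Interface}" -s "${HostIP}" -d 0/0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# For spoofing edit the next line
#"${iptables}" "${action}" OUTPUT -p ALL -o "${Interface}" -s "${SpoofingHostIP}" -j ACCEPT

# Logging incorrect OUTPUT (rate limited); the policy DROP then discards it
"${iptables}" "${action}" OUTPUT -o "${Interface}" -m limit --limit 5/m -j LOG --log-prefix "iptables OUTPUT " --log-tcp-options --log-ip-options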

# (1 Delete) User-defined chains

#if [ "${actionchain}" == '-X' ]
#  then
#    ${iptables} ${actionchain} TCPRules_${Interface}
#fi

#  II   *****************       MANGLE TABLE rules         *****************************

# (0) Policies (default)

# (1) Mangel USER define chain rules

# (2) Mangel PREROUTING chain rules

# Rules for incoming packets from local computer

# Rules for incoming packets from Internet

# (3) Mangel INPUT chain rules

# (4) Mangel FORWARD chain rules

# (5) Mangel OUTPUT chain rules

# (6) Mangel POSTROUTING chain rules

#Only output packets from local addresses no spoofing

#for spoofing edit next line

# Rules for outgoing packets to Internet

#  III  *****************         NAT TABLE rules          *******************************

# (0) Policies (default)

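# NOTE(review): the nat table only sees the first packet of a connection, so a
# DROP policy here affects NEW connections only; the real filtering is the
# filter-table policy above. Left as in the original.
"${iptables}" -t nat -P PREROUTING DROP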
#${iptables} -t nat -P OUTPUT DROP
#${iptables} -t nat -P POSTROUTING DROP

# (1) NAT USER define chain rules

# (2) PREROUTING chain rules: REDIRECTION and PORT MAPPING

#Pacets from INTERNET

# Maping to external address use socks5

#Redirection to different port on this server

#Packet from internet (Interface)

#INPUT
# Rules for incoming packets from local computer and broadcast
# Rules for incoming packets from Internet
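# NOTE(review): in the nat table conntrack only ever presents the NEW packet of
# a connection, so the ESTABLISHED,RELATED states in these two rules presumably
# never match — harmless, but worth verifying.
"${iptables}" -t nat "${action}" PREROUTING -p ALL -d "${HostIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

#OUTPUT
#Only output packets from local addresses, no spoofing
"${iptables}" -t nat "${action}" PREROUTING -p ALL -s "${HostIP}" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#for spoofing edit the next line
#"${iptables}" -t nat "${action}" PREROUTING -p ALL -s "${SpoofingHostIP}" -j ACCEPT

# Logging incorrect access (rate limited)
"${iptables}" -t nat "${action}" PREROUTING -p ALL -i "${Interface}" -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables nat PREROUTING" --log-tcp-options --log-ip-options

# Ban all non-local IPs which try to access something else
# ('! -s' is the current negation syntax; the old '-s !' form is rejected by newer iptables.)
"${iptables}" -t nat "${action}" PREROUTING -i "${Interface}" ! -s "${LocalNet}" -m recent --name TmpBan --set -j DROP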

# (3) OUTPUT chain rules
#Only output packets from local addresses no spoofing
#for spoofing edit next line

# (4) POSTROUTING chain rules NAT or MASQUERADE

# NetWork address translation (NAT or MASQUERADE)

#INPUT

# Rules for incoming packets from local computer:

# Rules for broadcast:

# Rules for incoming packets from Internet

#OUTPUT
#Only output packets from local addresses no spoofing

#for spoofing edit next line

#  IV  *****************         RAW TABLE rules          *******************************

# (0) Policies (default)

#${iptables} -t raw -P PREROUTING ACCEPT
#${iptables} -t raw -P OUTPUT ACCEPT

# (1) Mangel USER define chain rules

# (2) Mangel PREROUTING chain rules

# Rules for incoming packets from local computer

# Rules for incoming packets from Internet

# (3) Mangel OUTPUT chain rules

# Explicit success status so the ppp hook scripts see 0 regardless of the
# exit status of the last iptables call above.
exit 0