
Iptables Firewall Script.

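#!/bin/sh

# Iptables Firewall --> Joel
#
# Resets the filter/nat/mangle tables, sets DROP default policies for INPUT
# and FORWARD, tunes a handful of /proc/sys/net/ipv4 knobs, loads the FTP
# conntrack helpers and then installs the INPUT rules. Writes to /proc and
# calls iptables directly, so it must run as root.

# Resolve tool paths once. `command -v` is the POSIX replacement for `which`,
# which is neither guaranteed to exist under /bin/sh nor to return a useful
# exit status. Any of these may be empty when the tool is not installed;
# IPT in particular is required by every rule further down.
IPT=$(command -v iptables)
INSMOD=$(command -v modprobe)
AWK=$(command -v awk)
SED=$(command -v sed)   # resolved as in the original; not referenced anywhere in this script
GREP=$(command -v grep)
LSMOD=$(command -v lsmod)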

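## FLUSHING THE CURRENT RULES
#
# Fail closed: the default policies are switched to DROP *before* the chains
# are flushed, so there is no window during the rebuild where INPUT is open.
#
# Refuse to continue if iptables could not be located. With an empty $IPT
# every "$IPT -A ..." below would be executed as a stray shell command rather
# than installed as a rule, and the /proc changes that follow (ip_forward,
# proxy_arp) would be applied on a host with no firewall rules at all.
if [ -z "$IPT" ]; then
    echo "iptables not found in PATH; aborting without touching the firewall" >&2
    exit 1
fi

"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT ACCEPT
"$IPT" -P FORWARD DROP

# Flush every built-in chain of every table and delete leftover user chains.
# The original only flushed a hand-picked subset (nat OUTPUT/POSTROUTING,
# mangle PREROUTING/OUTPUT), so a stale nat PREROUTING rule -- e.g. a
# transparent-proxy REDIRECT -- survived a re-run of this script.
for table in filter nat mangle; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
done

# -F does not touch policies; re-assert them so the end state is explicit.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT ACCEPT
"$IPT" -P FORWARD DROP

# Note: at this point the box is *closed*, not open -- the message is kept
# from the original script.
echo "Stopping Firewall... [ OK ]"

sleep 1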

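## PROC CONFIGURATION
#
# proc_set PATH VALUE -- write VALUE into a /proc/sys knob when it exists and
# is writable; otherwise print a warning to stderr and continue. This turns an
# opaque "No such file or directory" (a kernel without a given knob) or a
# "Permission denied" (not root) into a message that names the knob, without
# aborting the rest of the tuning.
proc_set() {
    if [ -w "$1" ]; then
        echo "$2" > "$1"
    else
        echo "warning: cannot write $1 (missing knob or not root); skipping" >&2
    fi
}

# Reverse-path (source address) verification; also applied per interface below.
proc_set /proc/sys/net/ipv4/conf/all/rp_filter 1

# NOTE(review): proxy_arp=1 on *all* interfaces makes this host answer ARP
# requests for addresses it can route to. That is only wanted on a gateway
# that deliberately proxies ARP for a segment -- confirm before reusing this
# script on any other host.
proc_set /proc/sys/net/ipv4/conf/all/proxy_arp 1

proc_set /proc/sys/net/ipv4/ip_dynaddr 1

# Enable IP forwarding. The FORWARD policy is DROP and this script installs
# no FORWARD rules, so nothing is actually forwarded until rules are added.
proc_set /proc/sys/net/ipv4/ip_forward 1

# SYN cookies: keep accepting connections under a SYN flood.
proc_set /proc/sys/net/ipv4/tcp_syncookies 1

# Per-interface hardening: spoof protection (rp_filter), no ICMP redirects,
# no source-routed packets.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    proc_set "$f" 1
done

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    proc_set "$f" 0
done

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    proc_set "$f" 0
done

# Do not answer ICMP echo sent to a broadcast address (smurf amplification).
proc_set /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

# ECN disabled. The original gives no reason; presumably compatibility with
# equipment that mishandled ECN-marked segments -- confirm before keeping it.
proc_set /proc/sys/net/ipv4/tcp_ecn 0

# Ephemeral port range for locally initiated connections.
proc_set /proc/sys/net/ipv4/ip_local_port_range "2048 60416 "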

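##### FTP conntrack / NAT helpers
#
# load_mod LEGACY_NAME NEW_NAME -- try the legacy module name first, then the
# newer one, and warn (without aborting) if neither loads.
#
# ip_conntrack_ftp / ip_nat_ftp are the names from the 2.4 / early 2.6
# netfilter; newer kernels ship the same helpers as nf_conntrack_ftp /
# nf_nat_ftp. modprobe is a no-op for an already-loaded module, so the
# original `lsmod | grep` pre-check is unnecessary and is dropped. Both
# attempts are silenced so a missing legacy name is not reported as an error;
# the warning below is the single visible outcome when both fail.
load_mod() {
    "$INSMOD" "$1" 2>/dev/null || "$INSMOD" "$2" 2>/dev/null \
        || echo "warning: neither $1 nor $2 could be loaded" >&2
}

# FTP helper: lets conntrack follow the data connections negotiated on the
# control channel (so they can be matched as RELATED), plus its NAT companion.
load_mod ip_conntrack_ftp nf_conntrack_ftp
load_mod ip_nat_ftp nf_nat_ftp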

## MANGLE TABLE
#
# Tag outgoing TCP traffic with a Type-of-Service value chosen by destination
# port (legacy TOS target): HTTP gets Maximize-Throughput, FTP-data (20)
# Minimize-Cost, the interactive/control ports Minimize-Delay. Rules are added
# in the same order as the original one-per-line listing. Telnet (23) is tagged
# here but is not in the inbound accept list further down.
for spec in 80:Maximize-Throughput 23:Minimize-Delay 22:Minimize-Delay \
            20:Minimize-Cost 21:Minimize-Delay 25:Minimize-Delay \
            110:Minimize-Delay 143:Minimize-Delay; do
    dport=${spec%%:*}
    tos=${spec#*:}
    # -p tcp is protocol 6, as in the original
    "$IPT" -t mangle -A OUTPUT -p tcp --dport "$dport" -j TOS --set-tos "$tos"
done

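## LOOPBACK ACCEPTS ALL TRAFFIC
"$IPT" -A INPUT -i lo -j ACCEPT

## BOGON SOURCES
# Dropped *before* the service ACCEPTs. The original inserted the ACCEPT
# rules at the head of the chain (-I) and appended these DROPs after them, so
# a packet from a broadcast, multicast or reserved source aimed at an open
# port was accepted before the DROP was ever evaluated.
"$IPT" -A INPUT -s 255.255.255.255 -j DROP
"$IPT" -A INPUT -s 224.0.0.0/4 -j DROP
"$IPT" -A INPUT -s 240.0.0.0/5 -j DROP

## TCP INCOMING RULES
# Services exposed to any source (the original's -s 0/0 was a no-op and is
# dropped). Review this list before deploying: 3128 (Squid) reachable from
# the whole Internet is an open-proxy exposure unless Squid's own ACLs limit
# clients; 113 (ident) and 1863 (MSN Messenger) are rarely needed inbound.
"$IPT" -A INPUT -p tcp -m multiport --dport 21,22,25,80,113,3128,143,110,443,1863 -j ACCEPT

## ICMP INCOMING RULES
# Only echo-request (8, so the host is pingable) and time-exceeded (11, so
# traceroute and TTL errors arrive). Any broader ICMP ACCEPT added elsewhere
# in the INPUT chain overrides this restriction.
"$IPT" -A INPUT -p icmp --icmp-type 8 -j ACCEPT
"$IPT" -A INPUT -p icmp --icmp-type 11 -j ACCEPT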

 

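## RETURN TRAFFIC FOR CONNECTIONS THIS HOST INITIATED
#
# The original "outgoing" section was a set of INPUT rules that used no
# connection tracking at all: it accepted *any* inbound TCP packet whose
# *source* port was one of 21,22,25,80,113,3128,143,110,443,1863, any inbound
# UDP packet with source port 53 (to any local port), and every ICMP type.
# The source port is chosen by the remote end, so a scanner sending from
# port 80 or 53 reached every local port regardless of the DROP policy, and
# the all-ICMP accept silently cancelled the echo/time-exceeded restriction.
#
# Replace all of that with stateful matching: only packets belonging to a
# connection this host initiated, or one a conntrack helper (e.g. FTP data)
# marked as related, are let back in. Both rules are inserted at the head of
# INPUT so they are evaluated before any per-port ACCEPT, wherever in the
# script those were added. Insertion order puts ESTABLISHED,RELATED first.
"$IPT" -I INPUT -m state --state INVALID -j DROP
"$IPT" -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## UDP INCOMING RULES
# Inbound DNS queries. Keep only if this host runs a resolver that outside
# clients are meant to reach; replies to this host's own lookups are already
# matched by the ESTABLISHED rule above.
"$IPT" -A INPUT -p udp --dport 53 -j ACCEPT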

printf '%s\n' "Starting Firewall... [ OK ]"

## Squid transparent proxy (disabled)
# Would redirect HTTP arriving on eth4 to the local Squid on port 3128, except
# for traffic destined to 202.160.161.0/26. If re-enabled, note that the
# negation form used here (`-d ! net`) is the old syntax; newer iptables
# releases expect `! -d net`.
# $IPT -t nat -A PREROUTING -i eth4 -p tcp --dport 80 -j REDIRECT --to-port 3128 -d ! 202.160.161.0/26

 
