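#!/bin/bash
# my iptables Firewall with Portscan Blocking and Redjuce of DDos.
#
# Usage: /etc/init.d/firewall (start|stop|test)
#   start  flush every table, install the rule set, harden the IPv4 sysctls
#   stop   flush every table and reset all policies to ACCEPT
#   test   start, wait two minutes, stop (lets a locked-out admin recover)
#
# Optional /root/ports.conf: one port number (or an iptables range "low:high")
# per line; each entry is opened for inbound TCP and UDP. Blank lines and
# '#' comments are ignored, anything else is reported and skipped.
#
# Must run as root; without write access to /proc/sys the sysctl tuning is
# silently skipped (best effort, as before).
set -u
PATH=$PATH:/usr/sbin:/sbin:/usr/bin:/bin

# config
interface='br0'   # outbound interface used for MASQUERADE when gateway='1'
ping='0'          # '1' = accept inbound ICMP echo requests (rate-limited)
trace='0'         # '1' = accept inbound ICMP time-exceeded (traceroute replies)
gateway='0'       # '1' = enable IP forwarding and NAT for 10.0.0.0/24

# Per-source limit on NEW connections: more than $recent_hits within
# $recent_seconds seconds and further NEW packets from that address are
# dropped. The generic rule and the per-port rules all use the default
# `recent` list, so they share one counter per source address.
recent_seconds=15
recent_hits=5

# locate iptables; leave quietly when it is not installed
iptables=$(command -v iptables) || exit 0
[[ -x "$iptables" ]] || exit 0

#######################################
# Flush every rule and user-defined chain in the filter, nat and mangle tables.
# Globals: iptables (read)
#######################################
flush_all() {
  local table
  "$iptables" -F
  "$iptables" -X
  for table in nat mangle; do
    "$iptables" -t "$table" -F
    "$iptables" -t "$table" -X
  done
}

#######################################
# Write one value to each given /proc/sys file, skipping files the running
# kernel does not provide or that are not writable (best effort).
# Arguments: $1 - value, $2.. - target paths (globs may be passed unexpanded)
#######################################
write_sysctl() {
  local value=$1 path
  shift
  for path in "$@"; do
    [[ -w "$path" ]] || continue
    echo "$value" > "$path" 2>/dev/null
  done
}

#######################################
# Open one port for inbound TCP and UDP, rate-limited per source address.
# Replies to our own outbound connections are already covered by the
# ESTABLISHED,RELATED rule, so no source-port based ACCEPT is installed:
# accepting by source port would let any remote host reach every local
# service simply by sending from that port.
# Arguments: $1 - port number or iptables range "low:high"
# Globals:   iptables, recent_seconds, recent_hits (read)
#######################################
open_port() {
  local port=$1 proto
  for proto in tcp udp; do
    "$iptables" -A INPUT -p "$proto" --dport "$port" -m state --state NEW \
      -m recent --set
    "$iptables" -A INPUT -p "$proto" --dport "$port" -m state --state NEW \
      -m recent --update --seconds "$recent_seconds" --hitcount "$recent_hits" -j DROP
    "$iptables" -A INPUT -p "$proto" --dport "$port" -j ACCEPT
  done
}

#######################################
# Open every port listed in /root/ports.conf (see header for the format).
# Outputs: "Open Port N" per accepted entry on stdout, rejects on stderr
#######################################
open_configured_ports() {
  local conf='/root/ports.conf' line
  [[ -f "$conf" ]] || return 0
  # `|| [[ -n "$line" ]]` keeps a last line without trailing newline
  while IFS= read -r line || [[ -n "$line" ]]; do
    line=${line%%#*}                 # strip trailing comment
    line=${line//[[:space:]]/}       # strip whitespace
    [[ -n "$line" ]] || continue
    if [[ ! "$line" =~ ^[0-9]{1,5}(:[0-9]{1,5})?$ ]]; then
      printf 'Ignoring invalid entry in %s: %s\n' "$conf" "$line" >&2
      continue
    fi
    echo "Open Port $line"
    open_port "$line"
  done < "$conf"
}

#######################################
# Drop TCP packets in INPUT and FORWARD whose flag combination never occurs
# in legitimate traffic (nmap NULL/FIN/Xmas scans and similar probes).
# Globals: iptables (read)
#######################################
drop_bogus_tcp_flags() {
  local spec chain
  # "mask flags" pairs for --tcp-flags
  local -a bogus=(
    'SYN,RST SYN,RST'               # SYN and RST set together
    'SYN,FIN SYN,FIN'               # SYN and FIN set together
    'ALL FIN,URG,PSH'               # FIN, URG and PSH only
    'ALL SYN,RST,ACK,FIN,URG'       # everything except PSH
    'ALL ALL'                       # every flag set
    'ALL NONE'                      # no flag set: nmap NULL scan
    'ALL FIN'                       # FIN only: nmap FIN stealth scan
    'ALL URG,ACK,PSH,RST,SYN,FIN'   # Xmas scan
    'FIN,RST FIN,RST'               # FIN and RST set together
    'ACK,FIN FIN'                   # FIN without ACK
    'ACK,PSH PSH'                   # PSH without ACK
    'ACK,URG URG'                   # URG without ACK
  )
  for spec in "${bogus[@]}"; do
    for chain in INPUT FORWARD; do
      # shellcheck disable=SC2086 -- spec intentionally splits into mask and flags
      "$iptables" -A "$chain" -p tcp --tcp-flags $spec -j DROP
    done
  done
}

#######################################
# Apply the IPv4 kernel hardening (SYN cookies, reverse-path filter, no
# source routing / redirects, ICMP and fragment limits, TCP timers).
#######################################
harden_sysctl() {
  local base='/proc/sys/net/ipv4'
  # SYN cookies
  write_sysctl 1 "$base/tcp_syncookies"
  # no source routing
  write_sysctl 0 "$base"/conf/*/accept_source_route
  # no ICMP redirects
  write_sysctl 0 "$base"/conf/*/accept_redirects
  # reverse-path filter, 2 = loose mode
  write_sysctl 2 "$base"/conf/*/rp_filter
  # log martians
  write_sysctl 1 "$base"/conf/*/log_martians
  # BOOTP relaying off
  write_sysctl 0 "$base"/conf/*/bootp_relay
  # proxy ARP off
  write_sysctl 0 "$base"/conf/*/proxy_arp
  # ignore bogus ICMP error responses
  write_sysctl 1 "$base/icmp_ignore_bogus_error_responses"
  # ignore ICMP echo broadcasts
  write_sysctl 1 "$base/icmp_echo_ignore_broadcasts"
  # send at most 500/s (5 per jiffie)
  write_sysctl 5 "$base/icmp_ratelimit"
  # memory and timing for IP de-/fragmentation
  write_sysctl 262144 "$base/ipfrag_high_thresh"
  write_sysctl 196608 "$base/ipfrag_low_thresh"
  write_sysctl 30 "$base/ipfrag_time"
  # TCP FIN timeout against DoS attacks
  write_sysctl 30 "$base/tcp_fin_timeout"
  # at most 3 answers to a TCP SYN
  write_sysctl 3 "$base/tcp_retries1"
  # retransmit TCP packets at most 15 times
  write_sysctl 15 "$base/tcp_retries2"
}

#######################################
# Install the complete rule set and apply the sysctl hardening.
# Globals: iptables, interface, ping, trace, gateway (read)
#######################################
fw_start() {
  local chain
  echo "Starte Firewall..."
  flush_all
  "$iptables" -P INPUT DROP
  "$iptables" -P FORWARD ACCEPT
  "$iptables" -P OUTPUT ACCEPT

  # allow everything over loopback
  "$iptables" -A INPUT -i lo -j ACCEPT
  "$iptables" -A OUTPUT -o lo -j ACCEPT

  # empty chains that libvirt (kvm) expects to exist after the flush
  for chain in LIBVIRT_FWI LIBVIRT_FWO LIBVIRT_FWX LIBVIRT_INP LIBVIRT_OUT; do
    "$iptables" -N "$chain"
  done

  # accept existing connections
  "$iptables" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  #finger
  #"$iptables" -A INPUT -p tcp --dport 79 -j ACCEPT
  #pptp GRE
  #"$iptables" -A INPUT -p gre -j ACCEPT

  # Sanity filters come before any ACCEPT rule so that scan packets never
  # match an open port, and before the `recent` counters so they are not
  # counted as connection attempts.
  drop_bogus_tcp_flags
  # every TCP session has to begin with SYN
  "$iptables" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

  # per-source limit on NEW connections to any port
  "$iptables" -A INPUT -m state --state NEW -m recent --set
  "$iptables" -A INPUT -m state --state NEW \
    -m recent --update --seconds "$recent_seconds" --hitcount "$recent_hits" -j DROP

  open_configured_ports

  # Rate limits. The INPUT rule is effective because excess RST packets fall
  # through to the DROP policy. The FORWARD rules only ACCEPT up to the
  # limit; with the FORWARD policy ACCEPT the excess packets are accepted
  # as well, so they currently limit nothing. Kept as found; to make them
  # bite, a matching DROP rule would have to follow each of them.
  #anti PortScan
  "$iptables" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  #anti smurf
  "$iptables" -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
  # Ping-of-Death
  "$iptables" -A FORWARD -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
  # SYN flood protection
  "$iptables" -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

  # allow traceroute replies
  if [[ "$trace" == '1' ]]; then
    echo "accept trace"
    "$iptables" -A INPUT -p icmp --icmp-type 11 -j ACCEPT
  fi
  # limit incoming ICMP echo requests per source address
  if [[ "$ping" == '1' ]]; then
    echo "accept icmp ping"
    "$iptables" -A INPUT -p icmp --icmp-type echo-request -m recent --set
    "$iptables" -A INPUT -p icmp --icmp-type echo-request \
      -m recent --update --seconds 3 --hitcount 20 -j DROP
    "$iptables" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  fi

  #####################################################
  # Forwarding/Routing
  write_sysctl 0 /proc/sys/net/ipv4/ip_forward
  # Activate Gateway Mode
  if [[ "$gateway" == '1' ]]; then
    echo "activate gateway"
    write_sysctl 1 /proc/sys/net/ipv4/ip_forward
    # clamp MSS for clients of the LAN so tunnelled/PPPoE paths do not fragment
    "$iptables" -A FORWARD -p tcp --syn -s 10.0.0.0/24 -j TCPMSS --set-mss 1356
    "$iptables" -t nat -A POSTROUTING -o "$interface" -j MASQUERADE
  fi

  harden_sysctl
}

#######################################
# Flush every table and open all policies.
# Globals: iptables (read)
#######################################
fw_stop() {
  echo "Stoppe Firewall..."
  flush_all
  "$iptables" -P INPUT ACCEPT
  "$iptables" -P FORWARD ACCEPT
  "$iptables" -P OUTPUT ACCEPT
}

#######################################
# Dispatch on the init-script action.
# Arguments: $1 - start|stop|test
# Returns:   0 on success, 1 on unknown action
#######################################
main() {
  case "${1:-}" in
    start)
      fw_start
      ;;
    stop)
      fw_stop
      ;;
    test)
      # bring the rules up for two minutes only, then drop them again
      "$0" start
      sleep 2m
      "$0" stop
      ;;
    *)
      echo "Usage: /etc/init.d/firewall (start|stop|test)"
      exit 1
      ;;
  esac
  exit 0
}

main "$@"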