Iptables Firewall

Joined
Feb 9, 2016
Messages
83
Likes
23
Points
53
Location
Poland IRC
#1
I welcome today I am describing the firewall for you
Code:
#!/bin/sh
#######################################
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $local_fs $network $named $time $syslog $remote_fs
# Required-Stop: $local_fs $network $named $time $syslog $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Description: Personal Firewall - Preventing attacks/open common ports
### END INIT INFO 

### Module loading ###
/sbin/depmod -a
### Required modules ###
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ipt_REJECT
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
### Non-Required modules ###
#/sbin/modprobe ipt_owner
#/sbin/modprobe iptable_mangle
#/sbin/modprobe ip_conntrack
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ipt_MASQUERADE

# To start the firewall
start()
{
    ### Allow Forward ip ###
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ### Flush any Existing iptable Rules and start afresh ###
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -F POSTROUTING -t nat
    iptables -F PREROUTING -t nat

    ### Setting up Port Services ###
    iptables -A INPUT -p tcp --dport 25 -j ACCEPT    //incoming mail
    iptables -A INPUT -p tcp --dport 53 -j ACCEPT    //dns - udp for large queries
    iptables -A INPUT -p udp --dport 53 -j ACCEPT    //dns - udp for small queries
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT    //apache
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT    //apache ssl
    iptables -A INPUT -p udp --dport 161 -j ACCEPT   //snmpd
    iptables -A INPUT -p tcp --dport 953 -j ACCEPT    //dns internal
    iptables -A INPUT -p tcp --dport 1080 -j ACCEPT    //dante socks server
    iptables -A INPUT -p all --dport 3020 -j ACCEPT  //cifs-smb
    iptables -A INPUT -p tcp --dport 3128 -j ACCEPT  //squid
    iptables -A INPUT -p tcp --dport 4949 -j ACCEPT   //munin stats

    ### Setting up Local Ports ###
    iptables -A INPUT -d 192.168.1.120 -p udp --dport 9 -j ACCEPT    //WOL (wake on lan)
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 20:21 -j ACCEPT     //ftp
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -j ACCEPT       //sshd
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 139 -j ACCEPT     //samba
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 993 -j ACCEPT    //imaps
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 3306 -j ACCEPT     //mysql
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 8000 -j ACCEPT    //apache on phi
    iptables -A INPUT -s 192.168.1.120 -p tcp --dport 8080 -j ACCEPT   //tomcat
    iptables -A INPUT -s 127.0.0.1 -p tcp --dport 111 -j ACCEPT       //to speed up mail via courier. Identified via logging
    iptables -A INPUT -s 127.0.0.1 -p tcp --dport 143 -j ACCEPT      //squirrelmail

    ### Preventing Attacks ###
    iptables -A INPUT -p icmp -j ACCEPT      //Allow ICMP Ping packets.
    iptables -A INPUT -p tcp --tcp-flags ACK ACK -j ACCEPT      //Accept traffic with the ACK flag set
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP             //Deny all null packets
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP             //Deny all recon packets
    iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP            //nmap FIN stealth scan
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP       //SYN + FIN
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP      //SYN + RST
    iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP     //FIN + RST
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP    //FIN + URG + PSH
    iptables -A INPUT -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j DROP       //XMAS
    iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP       //FIN without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP      //PSH without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP     //URG without ACK
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP        //Deny SYN flood attack
    iptables -A INPUT -m state --state ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT     //Accept traffic with ESTABLISHED flag set (limit - DDoS prevent)
    iptables -A INPUT -m state --state RELATED -m limit --limit 50/second --limit-burst 50 -j ACCEPT        //Accept traffic with RELATED flag set (limit - DDoS prevent)
    iptables -A INPUT -m state --state INVALID -j DROP       //Deny traffic with the INVALID flag set
    #################################

    ### PERSONALIZED RULES 80 PORT ###
    iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT       //Protection DDoS attacks
    ### PERSONALIZED RULES 22 PORT ###
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m state --state NEW -m recent --set --name SSH --rsource
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m recent --rcheck --seconds 30 --hitcount 4 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset      //Protection bruteforce SSH
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m recent --rcheck --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j LOG --log-prefix "SSH brute force "
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m recent --update --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset

    ########### CLOSE ALL ############
    iptables -A INPUT -j REJECT         //Close up firewall. All else blocked.

    ######### PORT FORWARDING #######
    iptables -t nat -A PREROUTING -p tcp -d 192.168.1.120 --dport 8000 -j DNAT --to 1.2.3.4:80
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4     //for static ip
    #iptables -t nat -A POSTROUTING -d 1.2.3.4 -j MASQUERADE       //for dynamic ip
    #################################

    echo "--------------------------------------------------"
    echo "Firewall Loaded"
    echo "--------------------------------------------------"
    echo "Netstat output:"
    echo ""
    netstat -tuanp
    echo "Verify enabled rules with:"
    echo "filter) iptables -L -nvx"
    echo "nat) iptables -t nat -L -nvx"
    echo "script) firewall.sh status"
    EXT=0
}

### To stop the firewall ###
stop()
{
    ### Deny Forward ip ###
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo "--------------------------------------------------"
    echo "Firewall Stopped"
    echo "--------------------------------------------------"
    EXT=0
}

### To clear rules ###
clear()
{
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -F POSTROUTING -t nat
    iptables -F PREROUTING -t nat
    EXT=0
}

case $1 in
    start)
          clear
          start
    ;;
    stop)
         clear
         stop
    ;;
    restart)
            clear
            sleep 2
            start
    ;;
    status)
           echo "--------------------------------------------------"
           echo "--------------------------------------------------"
           echo "Status Firewall"
           echo "--------------------------------------------------"
           #iptables -L -n
           echo "--------------------------------------------------"
           echo "FILTER"
           echo "--------------------------------------------------"
           iptables -L -nvx
           echo "--------------------------------------------------"
           echo "NAT"
           echo "--------------------------------------------------"          
           iptables -t nat -L -nvx
           EXT=0
    ;;
    *)
      echo "Usage: firewall.sh {start|stop|restart|status}"
      EXT=1
    ;;
esac
exit $EXT
[code]
 
Joined
Sep 12, 2015
Messages
17
Likes
2
Points
35
Age
29
#6
WARNING: could not open /lib/modules/2.6.32-042stab113.11/modules.order: No such file or directory
WARNING: could not open /lib/modules/2.6.32-042stab113.11/modules.builtin: No such file or directory
libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/2.6.32-042stab113.11/modules.builtin.bin'
FATAL: Module ip_tables not found.
libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/2.6.32-042stab113.11/modules.builtin.bin'
FATAL: Module iptable_filter not found.
libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/2.6.32-042stab113.11/modules.builtin.bin'
FATAL: Module ipt_REJECT not found.
libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/2.6.32-042stab113.11/modules.builtin.bin'
FATAL: Module iptable_nat not found.
libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/2.6.32-042stab113.11/modules.builtin.bin'
FATAL: Module ipt_LOG not found.
libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/2.6.32-042stab113.11/modules.builtin.bin'
FATAL: Module ipt_limit not found.
./firewall.sh: 57: ./firewall.sh: Syntax error: "(" unexpected (expecting "}")
How i can fix ?
 
Joined
May 11, 2016
Messages
16
Likes
0
Points
33
Age
30
#8
What about making a webgui so you don't need to login to the server all the time?
 
Joined
Jul 13, 2016
Messages
27
Likes
17
Points
50
Age
34
#11
I welcome today I am describing the firewall for you
Code:
#!/bin/sh
#######################################
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $local_fs $network $named $time $syslog $remote_fs
# Required-Stop: $local_fs $network $named $time $syslog $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Description: Personal Firewall - Preventing attacks/open common ports
### END INIT INFO

### Module loading ###
/sbin/depmod -a
### Required modules ###
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ipt_REJECT
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
### Non-Required modules ###
#/sbin/modprobe ipt_owner
#/sbin/modprobe iptable_mangle
#/sbin/modprobe ip_conntrack
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ipt_MASQUERADE

# To start the firewall
start()
{
    ### Allow Forward ip ###
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ### Flush any Existing iptable Rules and start afresh ###
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -F POSTROUTING -t nat
    iptables -F PREROUTING -t nat

    ### Setting up Port Services ###
    iptables -A INPUT -p tcp --dport 25 -j ACCEPT    //incoming mail
    iptables -A INPUT -p tcp --dport 53 -j ACCEPT    //dns - udp for large queries
    iptables -A INPUT -p udp --dport 53 -j ACCEPT    //dns - udp for small queries
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT    //apache
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT    //apache ssl
    iptables -A INPUT -p udp --dport 161 -j ACCEPT   //snmpd
    iptables -A INPUT -p tcp --dport 953 -j ACCEPT    //dns internal
    iptables -A INPUT -p tcp --dport 1080 -j ACCEPT    //dante socks server
    iptables -A INPUT -p all --dport 3020 -j ACCEPT  //cifs-smb
    iptables -A INPUT -p tcp --dport 3128 -j ACCEPT  //squid
    iptables -A INPUT -p tcp --dport 4949 -j ACCEPT   //munin stats

    ### Setting up Local Ports ###
    iptables -A INPUT -d 192.168.1.120 -p udp --dport 9 -j ACCEPT    //WOL (wake on lan)
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 20:21 -j ACCEPT     //ftp
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -j ACCEPT       //sshd
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 139 -j ACCEPT     //samba
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 993 -j ACCEPT    //imaps
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 3306 -j ACCEPT     //mysql
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 8000 -j ACCEPT    //apache on phi
    iptables -A INPUT -s 192.168.1.120 -p tcp --dport 8080 -j ACCEPT   //tomcat
    iptables -A INPUT -s 127.0.0.1 -p tcp --dport 111 -j ACCEPT       //to speed up mail via courier. Identified via logging
    iptables -A INPUT -s 127.0.0.1 -p tcp --dport 143 -j ACCEPT      //squirrelmail

    ### Preventing Attacks ###
    iptables -A INPUT -p icmp -j ACCEPT      //Allow ICMP Ping packets.
    iptables -A INPUT -p tcp --tcp-flags ACK ACK -j ACCEPT      //Accept traffic with the ACK flag set
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP             //Deny all null packets
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP             //Deny all recon packets
    iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP            //nmap FIN stealth scan
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP       //SYN + FIN
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP      //SYN + RST
    iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP     //FIN + RST
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP    //FIN + URG + PSH
    iptables -A INPUT -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j DROP       //XMAS
    iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP       //FIN without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP      //PSH without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP     //URG without ACK
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP        //Deny SYN flood attack
    iptables -A INPUT -m state --state ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT     //Accept traffic with ESTABLISHED flag set (limit - DDoS prevent)
    iptables -A INPUT -m state --state RELATED -m limit --limit 50/second --limit-burst 50 -j ACCEPT        //Accept traffic with RELATED flag set (limit - DDoS prevent)
    iptables -A INPUT -m state --state INVALID -j DROP       //Deny traffic with the INVALID flag set
    #################################

    ### PERSONALIZED RULES 80 PORT ###
    iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT       //Protection DDoS attacks
    ### PERSONALIZED RULES 22 PORT ###
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m state --state NEW -m recent --set --name SSH --rsource
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m recent --rcheck --seconds 30 --hitcount 4 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset      //Protection bruteforce SSH
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m recent --rcheck --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j LOG --log-prefix "SSH brute force "
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m recent --update --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset

    ########### CLOSE ALL ############
    iptables -A INPUT -j REJECT         //Close up firewall. All else blocked.

    ######### PORT FORWARDING #######
    iptables -t nat -A PREROUTING -p tcp -d 192.168.1.120 --dport 8000 -j DNAT --to 1.2.3.4:80
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4     //for static ip
    #iptables -t nat -A POSTROUTING -d 1.2.3.4 -j MASQUERADE       //for dynamic ip
    #################################

    echo "--------------------------------------------------"
    echo "Firewall Loaded"
    echo "--------------------------------------------------"
    echo "Netstat output:"
    echo ""
    netstat -tuanp
    echo "Verify enabled rules with:"
    echo "filter) iptables -L -nvx"
    echo "nat) iptables -t nat -L -nvx"
    echo "script) firewall.sh status"
    EXT=0
}

### To stop the firewall ###
stop()
{
    ### Deny Forward ip ###
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo "--------------------------------------------------"
    echo "Firewall Stopped"
    echo "--------------------------------------------------"
    EXT=0
}

### To clear rules ###
clear()
{
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -F POSTROUTING -t nat
    iptables -F PREROUTING -t nat
    EXT=0
}

case $1 in
    start)
          clear
          start
    ;;
    stop)
         clear
         stop
    ;;
    restart)
            clear
            sleep 2
            start
    ;;
    status)
           echo "--------------------------------------------------"
           echo "--------------------------------------------------"
           echo "Status Firewall"
           echo "--------------------------------------------------"
           #iptables -L -n
           echo "--------------------------------------------------"
           echo "FILTER"
           echo "--------------------------------------------------"
           iptables -L -nvx
           echo "--------------------------------------------------"
           echo "NAT"
           echo "--------------------------------------------------"      
           iptables -t nat -L -nvx
           EXT=0
    ;;
    *)
      echo "Usage: firewall.sh {start|stop|restart|status}"
      EXT=1
    ;;
esac
exit $EXT
[code]
First of all , thanks for share this but If u write firewall configuration u shouldn't use ACCEPT like:
iptables -A INPUT -p tcp --dport 25 -j ACCEPT //incoming mail
iptables -A INPUT -p tcp --dport 53 -j ACCEPT //dns - udp for large queries
iptables -A INPUT -p udp --dport 53 -j ACCEPT //dns - udp for small queries
iptables -A INPUT -p tcp --dport 80 -j ACCEPT //apache
iptables -A INPUT -p tcp --dport 443 -j ACCEPT //apache ssl
iptables -A INPUT -p udp --dport 161 -j ACCEPT //snmpd
iptables -A INPUT -p tcp --dport 953 -j ACCEPT //dns internal
iptables -A INPUT -p tcp --dport 1080 -j ACCEPT //dante socks server
iptables -A INPUT -p all --dport 3020 -j ACCEPT //cifs-smb
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT //squid
iptables -A INPUT -p tcp --dport 4949 -j ACCEPT //munin stats
Please replace "ACCEPT" to "RETURN"

For Example: When I did ddos to ur server/servers like (HTTP / 80 TCP) u can't block that. Please check hashlimit commands and If u want to develop ur firewall config. u have to know "edit sysctl.conf" for SYNPROXY or TCP_SYNCOOKIES
 

FarisDev

Someone loves to help people
Contributor
Joined
Jun 9, 2016
Messages
257
Likes
95
Points
92
Age
28
Location
Saudi Arabia, Dammam
#13
Don't be an idiot and don't spam characters
My VPS is stopped after typing iptables -A INPUT -j REJECT
?
 
Last edited:

Top