Iptables Firewall

Anonims (Member, joined Feb 9, 2016, location: Poland IRC)
Welcome! Today I am describing the firewall for you.
Code:
#!/bin/sh
#######################################
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $local_fs $network $named $time $syslog $remote_fs
# Required-Stop: $local_fs $network $named $time $syslog $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Description: Personal Firewall - Preventing attacks/open common ports
### END INIT INFO

# NOTE: shell comments start with "#". C-style "//" comments are passed to
# iptables as extra arguments, and a "(" inside one is a shell syntax error,
# so every trailing comment in this script uses "#".

### Module loading ###
/sbin/depmod -a
### Required modules ###
# Inside a container (e.g. an OpenVZ kernel such as 2.6.32-042stab*) there is
# no /lib/modules and these report "Module ... not found"; iptables still works
# when the host kernel provides netfilter, so the messages are harmless there.
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ipt_REJECT
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
### Non-Required modules ###
#/sbin/modprobe ipt_owner
#/sbin/modprobe iptable_mangle
#/sbin/modprobe ip_conntrack
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ipt_MASQUERADE

# To start the firewall
start()
{
    ### Allow Forward ip ###
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ### Flush any Existing iptable Rules and start afresh ###
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -F POSTROUTING -t nat
    iptables -F PREROUTING -t nat

    ### PERSONALIZED RULES 80 PORT ###
    # These must come BEFORE the generic port-80 ACCEPT below; iptables stops at
    # the first matching rule, so placed after it they would never match.
    iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT   # Protection DDoS attacks
    iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j DROP   # new connections on eth0 above the limit are dropped

    ### Setting up Port Services ###
    iptables -A INPUT -p tcp --dport 25 -j ACCEPT     # incoming mail
    iptables -A INPUT -p tcp --dport 53 -j ACCEPT     # dns - tcp for large queries
    iptables -A INPUT -p udp --dport 53 -j ACCEPT     # dns - udp for small queries
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT     # apache (eth0 new connections are rate-limited above)
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT    # apache ssl
    iptables -A INPUT -p udp --dport 161 -j ACCEPT    # snmpd
    iptables -A INPUT -p tcp --dport 953 -j ACCEPT    # dns internal
    iptables -A INPUT -p tcp --dport 1080 -j ACCEPT   # dante socks server
    # "--dport" needs a protocol that has ports; "-p all --dport" is rejected by iptables
    iptables -A INPUT -p tcp --dport 3020 -j ACCEPT   # cifs-smb (tcp)
    iptables -A INPUT -p udp --dport 3020 -j ACCEPT   # cifs-smb (udp)
    iptables -A INPUT -p tcp --dport 3128 -j ACCEPT   # squid
    iptables -A INPUT -p tcp --dport 4949 -j ACCEPT   # munin stats

    ### PERSONALIZED RULES 22 PORT ###
    # Same ordering rule: the brute-force check must precede the sshd ACCEPT below.
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m state --state NEW -m recent --set --name SSH --rsource
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m recent --rcheck --seconds 30 --hitcount 4 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset   # Protection bruteforce SSH
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m recent --rcheck --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j LOG --log-prefix "SSH brute force "
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -m tcp -m recent --update --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset

    ### Setting up Local Ports ###
    iptables -A INPUT -d 192.168.1.120 -p udp --dport 9 -j ACCEPT        # WOL (wake on lan)
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 20:21 -j ACCEPT    # ftp
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 22 -j ACCEPT       # sshd (sources under the brute-force threshold above)
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 139 -j ACCEPT      # samba
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 993 -j ACCEPT      # imaps
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 3306 -j ACCEPT     # mysql
    iptables -A INPUT -d 192.168.1.120 -p tcp --dport 8000 -j ACCEPT     # apache on phi
    iptables -A INPUT -s 192.168.1.120 -p tcp --dport 8080 -j ACCEPT     # tomcat
    iptables -A INPUT -s 127.0.0.1 -p tcp --dport 111 -j ACCEPT          # to speed up mail via courier. Identified via logging
    iptables -A INPUT -s 127.0.0.1 -p tcp --dport 143 -j ACCEPT          # squirrelmail

    ### Preventing Attacks ###
    iptables -A INPUT -p icmp -j ACCEPT                                   # Allow ICMP Ping packets.
    iptables -A INPUT -p tcp --tcp-flags ACK ACK -j ACCEPT                # Accept traffic with the ACK flag set
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP                 # Deny all null packets
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP                  # Deny all recon packets
    iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP                  # nmap FIN stealth scan
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP          # SYN + FIN
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP          # SYN + RST
    iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP          # FIN + RST
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP          # FIN + URG + PSH
    iptables -A INPUT -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j DROP   # XMAS
    iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP              # FIN without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP              # PSH without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP              # URG without ACK
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP         # Deny new connections that do not start with SYN
    # Note: legitimate ESTABLISHED/RELATED packets above 50/second (that did not already
    # match the ACK rule above) fall through to the final REJECT.
    iptables -A INPUT -m state --state ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT   # Accept ESTABLISHED traffic (limit - DDoS prevent)
    iptables -A INPUT -m state --state RELATED -m limit --limit 50/second --limit-burst 50 -j ACCEPT       # Accept RELATED traffic (limit - DDoS prevent)
    iptables -A INPUT -m state --state INVALID -j DROP                    # Deny traffic in the INVALID state
    #################################

    ########### CLOSE ALL ############
    iptables -A INPUT -j REJECT                                           # Close up firewall. All else blocked.

    ######### PORT FORWARDING #######
    iptables -t nat -A PREROUTING -p tcp -d 192.168.1.120 --dport 8000 -j DNAT --to 1.2.3.4:80
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4           # for static ip
    #iptables -t nat -A POSTROUTING -d 1.2.3.4 -j MASQUERADE              # for dynamic ip
    #################################

    echo "--------------------------------------------------"
    echo "Firewall Loaded"
    echo "--------------------------------------------------"
    echo "Netstat output:"
    echo ""
    netstat -tuanp
    echo "Verify enabled rules with:"
    echo "filter) iptables -L -nvx"
    echo "nat) iptables -t nat -L -nvx"
    echo "script) firewall.sh status"
    EXT=0
}

### To stop the firewall ###
stop()
{
    ### Deny Forward ip ###
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo "--------------------------------------------------"
    echo "Firewall Stopped"
    echo "--------------------------------------------------"
    EXT=0
}

### To clear rules (flush only; chain policies are untouched) ###
clear()
{
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -F POSTROUTING -t nat
    iptables -F PREROUTING -t nat
    EXT=0
}

case $1 in
    start)
          clear
          start
    ;;
    stop)
         clear
         stop
    ;;
    restart)
            clear
            sleep 2
            start
    ;;
    status)
           echo "--------------------------------------------------"
           echo "Status Firewall"
           echo "--------------------------------------------------"
           echo "FILTER"
           echo "--------------------------------------------------"
           iptables -L -nvx
           echo "--------------------------------------------------"
           echo "NAT"
           echo "--------------------------------------------------"
           iptables -t nat -L -nvx
           EXT=0
    ;;
    *)
      echo "Usage: firewall.sh {start|stop|restart|status}"
      EXT=1
    ;;
esac
exit $EXT
 

applestar (Member, joined Sep 12, 2015)
WARNING: could not open /lib/modules/2.6.32-042stab113.11/modules.order: No such file or directory
WARNING: could not open /lib/modules/2.6.32-042stab113.11/modules.builtin: No such file or directory
libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/2.6.32-042stab113.11/modules.builtin.bin'
FATAL: Module ip_tables not found.
libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/2.6.32-042stab113.11/modules.builtin.bin'
FATAL: Module iptable_filter not found.
libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/2.6.32-042stab113.11/modules.builtin.bin'
FATAL: Module ipt_REJECT not found.
libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/2.6.32-042stab113.11/modules.builtin.bin'
FATAL: Module iptable_nat not found.
libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/2.6.32-042stab113.11/modules.builtin.bin'
FATAL: Module ipt_LOG not found.
libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/2.6.32-042stab113.11/modules.builtin.bin'
FATAL: Module ipt_limit not found.
./firewall.sh: 57: ./firewall.sh: Syntax error: "(" unexpected (expecting "}")
How can I fix it?
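Added example, not code from any poster in this thread: a pre-flight lint that catches the C-style `//` comments behind the `Syntax error: "(" unexpected` above, plus a loader that snapshots the live ruleset and restores it automatically unless confirmed, so a rule that cuts off your own SSH session (the final `iptables -A INPUT -j REJECT`) does not leave a VPS unreachable. It assumes the script accepts `start` as its first argument like firewall.sh and that `iptables-save`/`iptables-restore` exist; the function names, `ROLLBACK_FLAG` path and sample files are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed names: ROLLBACK_FLAG,
# lint_firewall_script, apply_with_rollback, confirm_firewall.
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
ROLLBACK_FLAG="${ROLLBACK_FLAG:-/tmp/firewall.rollback}"

# lint_firewall_script FILE -> 0 if FILE parses and has no C-style comments.
# sh passes "//text" to iptables as arguments, and a "(" inside such a
# comment is the 'Syntax error: "(" unexpected' seen in the thread.
lint_firewall_script() {
    f="$1"
    if ! sh -n "$f" 2>/dev/null; then
        echo "lint: $f does not parse (sh -n failed)" >&2
        return 1
    fi
    # "//" preceded by whitespace with no '#' or '"' earlier on the line
    if grep -nE '^[^#"]*[[:space:]]//' "$f" >&2; then
        echo "lint: C-style // comments above; use # in shell" >&2
        return 1
    fi
    return 0
}

# apply_with_rollback SCRIPT [SECONDS]
# Saves the live ruleset, runs "SCRIPT start", and restores the saved
# ruleset after SECONDS unless confirm_firewall removed the flag first.
apply_with_rollback() {
    script="$1"
    secs="${2:-60}"
    lint_firewall_script "$script" || return 1
    "$IPTABLES_SAVE" > "$ROLLBACK_FLAG.saved" || return 1
    : > "$ROLLBACK_FLAG"
    sh "$script" start || return 1
    # Ignore HUP so the timer survives the SSH session being dropped.
    ( trap '' HUP
      sleep "$secs"
      if [ -e "$ROLLBACK_FLAG" ]; then
          "$IPTABLES_RESTORE" < "$ROLLBACK_FLAG.saved"
          rm -f "$ROLLBACK_FLAG"
      fi ) </dev/null >/dev/null 2>&1 &
    echo "rules loaded; run confirm_firewall within ${secs}s or they roll back"
    return 0
}

# confirm_firewall: cancel the pending rollback once you verified access.
confirm_firewall() {
    rm -f "$ROLLBACK_FLAG"
}
```

Typical use from a second terminal: `apply_with_rollback ./firewall.sh 60`, open a fresh SSH session to prove access still works, then `confirm_firewall`.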
 

AAA777 (Member, joined May 11, 2016)
What about making a web GUI so you don't need to log in to the server all the time?
 

adonradon (Member, joined Jul 13, 2016)
First of all, thanks for sharing this, but if you write a firewall configuration you shouldn't use ACCEPT like:
iptables -A INPUT -p tcp --dport 25 -j ACCEPT //incoming mail
iptables -A INPUT -p tcp --dport 53 -j ACCEPT //dns - udp for large queries
iptables -A INPUT -p udp --dport 53 -j ACCEPT //dns - udp for small queries
iptables -A INPUT -p tcp --dport 80 -j ACCEPT //apache
iptables -A INPUT -p tcp --dport 443 -j ACCEPT //apache ssl
iptables -A INPUT -p udp --dport 161 -j ACCEPT //snmpd
iptables -A INPUT -p tcp --dport 953 -j ACCEPT //dns internal
iptables -A INPUT -p tcp --dport 1080 -j ACCEPT //dante socks server
iptables -A INPUT -p all --dport 3020 -j ACCEPT //cifs-smb
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT //squid
iptables -A INPUT -p tcp --dport 4949 -j ACCEPT //munin stats
Please replace "ACCEPT" with "RETURN".

For example: when I DDoSed your server(s) on something like HTTP (80/TCP), you couldn't block it. Please check the hashlimit commands, and if you want to develop your firewall config further you have to know how to edit sysctl.conf for SYNPROXY or TCP_SYNCOOKIES.
 

FarisDev ("Someone loves to help people", Contributor, joined Jun 9, 2016, location: Saudi Arabia, Dammam)
Don't be an idiot and don't spam characters
My VPS stopped after typing iptables -A INPUT -j REJECT?
 