Skip to content

Instantly share code, notes, and snippets.

@aeris

aeris/gist:1078590

Created July 12, 2011 18:17
Show Gist options
  • Save aeris/1078590 to your computer and use it in GitHub Desktop.
Save aeris/1078590 to your computer and use it in GitHub Desktop.
Download ZIP
Firewall
Raw
gistfile1.bash
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $local_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
### END INIT INFO
#!/bin/sh
if [ `id -u` -ne 0 ]; then
echo "You are not root"
exit -1
fi
IP4TABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables
IPv4=true
IPv6=true
BANIP=/usr/local/bin/banip
FAIL2BAN=/etc/init.d/fail2ban
fw4() {
$IPv4 && $IP4TABLES $*
}
fw6() {
$IPV6 && $IP6TABLES $*
}
fw() {
fw4 $*
fw6 $*
}
start() {
# Broadcast echo
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#$IPV6 && echo 1 > /proc/sys/net/ipv6/icmp_echo_ignore_broadcasts
# Bogus message
#echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#$IPV6 && echo 1 > /proc/sys/net/ipv6/icmp_ignore_bogus_error_responses
# Disable response to ping
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#$IPV6 && echo 1 > /proc/sys/net/ipv6/icmp_echo_ignore_all
# IP forwarding
#echo 0 > /proc/sys/net/ipv4/ip_forward
#$IPV6 && echo 0 > /proc/sys/net/ipv6/ip_forward
# SYN flood
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#$IPV6 && echo 1 > /proc/sys/net/ipv6/tcp_syncookies
# Initialisation de la table FILTER
fw -t filter -F
fw -t filter -X
fw -t filter -P INPUT DROP
fw -t filter -P OUTPUT DROP
fw -t filter -P FORWARD DROP
# Initialisation de la table NAT
fw4 -t nat -F
fw4 -t nat -X
fw4 -t nat -P PREROUTING ACCEPT
fw4 -t nat -P POSTROUTING ACCEPT
fw4 -t nat -P OUTPUT ACCEPT
# Initialisation de la table MANGLE
fw -t mangle -F
fw -t mangle -X
fw -t mangle -P PREROUTING ACCEPT
fw -t mangle -P INPUT ACCEPT
fw -t mangle -P OUTPUT ACCEPT
fw -t mangle -P FORWARD ACCEPT
fw -t mangle -P POSTROUTING ACCEPT
# Autorise les connexions locales
fw -A OUTPUT -o lo -j ACCEPT
fw -A INPUT -i lo -j ACCEPT
# Node-Local Scope Multicast Addresses
#ifw6 -A INPUT -s fe80::/10 -j ACCEPT
fw6 -A INPUT -d ff02::1 -j ACCEPT
fw4 -A INPUT -p icmp -j DROP
fw4 -A OUTPUT -p icmp -j DROP
fw6 -A OUTPUT -p icmpv6 -j ACCEPT
fw6 -A INPUT -p icmpv6 -j ACCEPT
# Autorise les connexions etablies
fw -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
fw -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
fw -A INPUT -p tcp --dport ssh -j ACCEPT
fw -A INPUT -p tcp --dport http -j ACCEPT
fw -A INPUT -p tcp --dport https -j ACCEPT
# DNS
fw4 -A INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.0/24 --dport domain -j ACCEPT
fw4 -A INPUT -p udp -s 192.168.0.0/24 -d 192.168.0.0/24 --dport domain -j ACCEPT
fw6 -A INPUT -p tcp -s fe80::/10 -d fe80::/10 --dport domain -j ACCEPT
fw6 -A INPUT -p udp -s fe80::/10 -d fe80::/10 --dport domain -j ACCEPT
[ -e "$BANIP" ] && "$BANIP" install
}
stop() {
# Initialisation de la table FILTER
fw -t filter -F
fw -t filter -X
fw -t filter -P INPUT ACCEPT
fw -t filter -P OUTPUT ACCEPT
fw -t filter -P FORWARD ACCEPT
# Initialisation de la table NAT
fw4 -t nat -F
fw4 -t nat -X
fw4 -t nat -P PREROUTING ACCEPT
fw4 -t nat -P POSTROUTING ACCEPT
fw4 -t nat -P OUTPUT ACCEPT
# Initialisation de la table MANGLE
fw -t mangle -F
fw -t mangle -X
fw -t mangle -P PREROUTING ACCEPT
fw -t mangle -P INPUT ACCEPT
fw -t mangle -P OUTPUT ACCEPT
fw -t mangle -P FORWARD ACCEPT
fw -t mangle -P POSTROUTING ACCEPT
}
case "$1" in
start)
start
exit 0
;;
stop)
stop
exit 0
;;
restart)
stop
start
[ -e "$FAIL2BAN" ] && "$FAIL2BAN" reload
exit 0
;;
open)
fw -A INPUT -p tcp --dport $2 -j ACCEPT
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment