Last active March 1, 2018 10:35
A "iptables" secure/safer firewall rules creator, bash shell script. See description inside script file.
#!/bin/bash
# Codes are still not completed, wait for this line to go away.
#
# An "iptables" secure/safer firewall rules creator, shell script.
# For server host/base, with multiple guest OS VMs & Containers.
#
# If you need to Add/Change/Update/Modify firewall rules,
# THEN ALWAYS CHANGE FIREWALL RULES HERE, FIRST,
# Then this shell script will create a firewall ruleset for your
# computer which you approved here & need.
#
# Users : Go to the line in top-most side of this script, which has
# the word "TypeOfComputer", and change & select various settings
# to adjust to match with your side computer.
#
# Also install "Fail2ban", for this script to work properly.
#
# This Script will always make a backup-copy of previous iptables
# with date & time of change, in filename, before making any changes.
#
# Original developed by:
# (C) copyright 2014, 2015, tErik. [email protected] (remov prev two 8s).
# AND: Codes MUST ALWAYS INCLUDE BELOW URL, to get most up-to-date
# CodeSource:
# https://gist.github.com/atErik/5234325e31001bde287c
# AND: all these codes are usable or editable or modifiable ONLY WHEN
# below ADDITIONAL 12 RULES are followed & applied.
# AND: these rules, license notes, code author name, code contribution
# date&time, code-editor aka, author, aka code-author name,
# author email-address, etc always must have to be embedded & shown
# to all users.
#
# ADDITIONAL RULES/LICENSE OF USE/TERMS OF USE:
# (1) This script's objective is to make servers, computers comparatively
# more secured & safer AS MUCH AS POSSIBLE, from various threats,
# attacks, exploits, abuses, harmful utilizations, hacking attempts,
# backdoors, middle-mans, adversaries, etc.
# (2) You must not delete/remove any existing codes or comments.
# (3) Create new para or sub paragraph for your own
# code & ADD YOUR COMMENTS WITH EXPLANATION IN DETAILS, what that/those
# rules will do, and also add info on, different portions actually does
# what. Code Editor/Contributor Is Responsible For Their Own Paragraph
# or Section.
# (4) Really from your heart, try to help+teach others,
# what is doing what.
# (5) If a firewall rule is not explained, anyone can/allowed-to remove
# it.
# (6) Code contributor, editor MUST also ADD their contact info in same
# paragraph, VISIBLE to ALL, at end of each paragraph, like shown below:
# --Name or --NickName 1st-editor's-REAL-email-address-and/or-website-WITH-random-numbers-or-symbols-in-between
# @ email-server-name-with-random-num-or-symbols-in-between
# (then after that/those, inside braces, mention which num-or-symbols to remove/add/change)
# Example: [email protected] (remov all 4s) (Yr-Mn-Dt HH:MM:SS Time-Zone +/-HH:MM).
# 2nd-ed:[email protected] (rm - & :, rm all 3s) (Yr-Mn-Dt HH:MM:SS Time-Zone +/-HH:MM)
# (7) And, initial code creator/contributor, or any user of this
# script, can communicate with any code contributor or editor,
# (8) to ask/comment, ONLY about the code, which a contributor person
# or an editor person has contributed (MUST send below URL in email),
# if it is valid or not, or, if it was added by him/her or not,
# as such.
# (9) This script's user, can also inform code contributor or editor
# with detail explanation, why user/he/she thinks some part (or whole)
# is right or wrong, or how it would have been made better, or what
# security risks or losses are involved or what it may/will cause
# consequentially, etc,
# but email comment/request MUST HAVE TO BE VERY MUCH RELATED.
# (10) So we are here trying to encourage only those contributors &
# editors, who can+will vouch for their own contributed codes when an
# email request is received, and also accept related suggestions or
# comments. Reckless (code contributing) person or harmful (code
# contributing) person or Unverified code contributing person ARE NOT
# welcome for contributing/editing/using.
# Clearly describe & explain exactly what a code will do.
# Be a RESPONSIBLE person for what you are doing.
# (11) If harmful or wrong or incorrect codes were added, then code
# contributor or editor must take+accept blame & receive emails from
# users for it. And code contributor or editor may even have to
# financially compensate/pay for losses caused by it. So very clearly
# describe & explain exactly what a code will do.
# (12) If any user emails/contacts for anything else or UNRELATED,
# beside which are permitted here, then email receiver can even take
# legal action, or can take other steps to report abuse to whichever
# authority he/she seems to be fit/appropriate.
# (13) User, you MUST READ the entire firewall rules, each entry, all
# notes from all contributors, editors, and USER MUST DECIDE, WHICH
# RULES USER WANTS TO KEEP ACTIVE OR WHICH USER WANTS TO DISABLE OR
# DEACTIVATE. IT IS USER'S RESPONSIBILITY TO READ+LEARN MORE ON THESE
# AND TAKE AN EDUCATED DECISION TO ACTIVATE OR DEACTIVATE firewall rules.
# 1st Developed in March, 2013, by atErik/tErik.
# Re-Modified in Jun, 2014, by atErik/tErik.
# Re-Modification again started in Nov, 2014, by atErik/tErik.
# Then Published/Shared here, on Dec 29, 2014, Mon 01:43 UTC.
# LINE-ENDING SYMBOL/CHARACTER CODES:
# CR,LF line-ending symbols are often invisible inside regular
# text-editor software like: Notepad, gEdit, vi, etc.
# If you download and save in a computer which has Windows/Mac OS,
# then web-browser will very likely END each line using two or one
# ASCII character code sequence(s), like: CR,LF (\r\n) in Windows,
# or CR (\r) in MacOSX. But linux/unix needs just LF (\n) at end of
# each line (except last line).
# So user of this script, may have to use proper editor software and
# convert all CR,LF or LF,CR or CR, into just LF, before using with
# linux/unix computers.
# Author used Notepad++ in a linux PC with GUI, to achieve this, then
# created a SSH tunnel (using PuTTY) into a server computer, and copied
# script file (using FileZilla/SCPcopy) etc. What a user will use,
# is user's choice.
# IF/WHEN there is a \ BACKSLASH SYMBOL AT END OF A CODE-LINE,
# THEN NEXT CODE-LINE IS PART OF IT.
# So, If USER IS ENABLING/ACTIVATING A FW RULE, by removing the 1st # HASH
# or POUND symbol from beginning of a code-line, and IF THAT CODE-LINE
# HAS A \ BACKSLASH symbol at end of line, THEN USER MUST also REMOVE
# the 1st/beginning # (Hash/Pound) symbol from the next code-line,
# to ACTIVATE that NEXT code LINE.
# One firewall(FW) rule can use and span across multiple code-lines.
# So when USER trying-to/wants-to DISABLE/DEACTIVATE A FW RULE,
# by placing a # hash/pound symbol as a 1st symbol in the beginning
# of a code line, Then USER MUST ALSO look for a presence of
# a \ BACK-SLASH symbol at-end of code-line. And IF THAT
# CODE LINE does have a \ BACK-SLASH symbol at end, then USER MUST
# also place a # hash/pound symbol in next line as its 1st/beginning
# symbol, to DISABLE that NEXT LINE, as that line is part of one/single
# firewall rule.
#        |         |         |         |         |         |         |         |
#       10        20        30        40        50        60        70        80
# Above two lines indicate length & position (of sentences & words).
# Please try to keep comments and notes within the 72nd column.
# No need to break firewall rules in multi-line, but optional choice for
# code editor.
# LINES WHICH START WITH # HASH SYMBOL, ARE DISABLED LINES OR COMMENT-LINES.
# Read+Learn more onto various services/servers, software.
# Enable/use only those firewall rules, which are needed for a
# computer, for the USER of this script.
# LINES WHICH DO NOT HAVE # HASH SYMBOL AT BEGINNING, ARE CODE-LINES,
# aka, ACTIVE FIREWALL(FW) RULE LINES, or ACTIVE BASH SCRIPT CODE-LINES.
# Abbreviations / Acronyms / Lingo, etc:
# Server = srv = srvr = servr. Service = svc = servc = srvc.
# Client = clnt.
# Address = adrs = adres.
# IP-Address = ipadrs = ip = IP.
# Firewall = fw. Forward = fwd.
# Router = rtr. Route = rt.
# Port = pt. Protocol = p
# Destination = dst. Source = src.
# opt = Optional.
# dport = destination-port = dpt. sport = source-port = spt.
# dec = decimal. hex = hexadecimal.
# oct = octal.
# Var = Variable / Container = var
# LOG / RECORD : Network Packets Log entries are helpful for debug, for
# finding & solving errors or issues, and also helpful, when computers
# are initially configured/setup, it helps to view: authorized and also
# unauthorized both inbound and outbound network packet traffic.
# HOW TO DISABLE LOG FIREWALL RULE:
# Firewall rule code lines, which are used for creating LOG data
# entries, can be disabled, by simply placing a single # <-- hash/pound
# symbol, as a 1st symbol/character in those code-lines, which will
# have these words: "-j LOG", or, "--log-prefix"
# USER MUST ALSO LOOK-at ONE LINE ABOVE, where user found the "-j LOG",
# or, the "--log-prefix" word. IF one-line above, has a \ BACK-SLASH
# symbol at/as end of line, then that ABOVE-LINE also needs to be
# disabled, by placing a # hash/pound symbol as its 1st symbol.
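The backslash-continuation rule explained above (for enabling/disabling any multi-line rule, and again just above for the "-j LOG" lines) is easy to get wrong by hand: commenting out only the first line of a rule leaves the continuation line active as a broken command, and commenting only the second leaves the first line running with half its arguments. The check below is an added example, not part of the gist; it assumes only what this script's own convention states (rules are disabled with a leading `#` and continued with a trailing `\`), and the sample rule file it scans is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the gist: lint a firewall script for the
# continuation-line mistake described in the script's header. A rule
# that spans lines with a trailing backslash must be disabled (or
# enabled) on ALL of its lines; a '#' line ending in '\' followed by an
# active line, or the reverse, leaves a half-enabled rule.

# check_continuations FILE
#   Prints "LINE: message" for every inconsistent line pair (LINE is the
#   number of the line that carries the trailing backslash).
check_continuations() {
    awk '
    function commented(s) { return s ~ /^[ \t]*#/ }
    function continued(s) { return s ~ /\\[ \t]*$/ }
    NR > 1 && continued(prev) {
        if (commented(prev) && !commented($0))
            printf "%d: disabled line continues into an active line\n", NR - 1
        else if (!commented(prev) && commented($0))
            printf "%d: active line continues into a disabled line\n", NR - 1
    }
    { prev = $0 }
    ' "$1"
}

# continuation_problem_count FILE
#   Prints how many inconsistent pairs check_continuations found.
continuation_problem_count() {
    check_continuations "$1" | awk 'END { print NR }'
}

# write_sample_rules FILE
#   Writes a constructed sample (not rules from the gist) with two
#   consistent multi-line rules and two half-enabled ones.
write_sample_rules() {
    cat > "$1" <<'EOF'
# rule 1: fully enabled (ok)
"$v1ipt4Cmd" -A INPUT -p tcp --dport 22 \
  -m conntrack --ctstate NEW -j ACCEPT
# rule 2: first line disabled, continuation left active (problem)
#"$v1ipt4Cmd" -A INPUT -p tcp --dport 80 \
  -j LOG --log-prefix "iptv4: HTTP-IN "
# rule 3: first line active, continuation disabled (problem)
"$v1ipt4Cmd" -A INPUT -p udp --dport 53 \
#  -j ACCEPT
# rule 4: fully disabled (ok)
#"$v1ipt4Cmd" -A OUTPUT -p icmp \
#  -j ACCEPT
EOF
}

# Stand-alone demonstration: reports lines 5 and 8 of the sample.
sample=$(mktemp)
write_sample_rules "$sample"
check_continuations "$sample"
echo "problems: $(continuation_problem_count "$sample")"
rm -f "$sample"
```

Run it against this script itself (`check_continuations firewall.sh`) after every edit of the rule section; a clean run prints nothing and the count is 0.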
# You may also disable logging, if you want to avoid too many log
# entries or when log entries are no longer necessary, or you want to
# reduce log entry rates/amounts, or to reduce log file size.
# Search for "FwR" (Firewall Rules) section, set appropriate value,
# to stop or start creating Log entries/records.
# Note: In order to use matches such as destination or source ports
# (--dport or --sport), you must first specify the protocol (tcp, udp,
# icmp, all).
# References, Reading, Learning on iptables/Netfilter:
# http://ipset.netfilter.org/iptables-extensions.man.html
# http://linuxreviews.org/man/iptables/
# http://linuxreviews.org/man/ip6tables
# How packets flow thru iptables:
# https://en.wikipedia.org/wiki/File:Netfilter-packet-flow.svg
# Creating bash shell's environment variables/containers for this
# script:
v1ipt4Cmd="/sbin/iptables"
v1ipt6Cmd="/sbin/ip6tables"
v1spmLst="blockedip" # will be obtained from Fail2ban
v1spmDrpMsg="Blocked IP Drop"
v1sysCtl="/sbin/sysctl"
v1blokdIPs="/root/scripts/blocked.ips.txt" # will be obtained from Fail2ban
# Network interface name, which connected with Router,
# to reach Internet:
# Declare here, how many network-adapters this script will work on.
v1Nif4Qnty=1 # by default, create IPv4 rules for only 1 wired/1st net-adapter.
v1Nif6Qnty=1 # by default, create IPv6 rules for only 1 wired/1st net-adapter.
# THIS Script-USER MUST CHANGE below "eth0" to match with what USER's
# computer actually uses as its "Wired Network Interface Card/Adapter".
# Similarly, change the "wifi0" to match with what USER's computer
# actually uses as its "WiFi Network Interface Card/Adapter". Do same
# for "tap0", match the name that is actually used inside this
# script-USER's computer.
declare -a v1Nif4Names # Container for integer indexed array, as it's using "-a".
declare -a v1Nif6Names
# Below is valid, when USER wants to use this script for only/1st NetworkAdapter:
# (de-activate these 2 lines, when USER will use this script for two NetAdapters
# and see next paragraph for other options).
v1Nif4Names=([1]="eth0") # now active
v1Nif6Names=([1]="eth0") # now active
# Below is valid, when USER wants to use this script for 2 NetworkAdapters:
# (to activate: set 2 in above var v1Nif4Qnty & v1Nif6Qnty, and remove
# beginning # hash symbol from below 2 lines. And de-activate other
# v1Nif4Names=(...) and v1Nif6Names=(...) code-lines.
# v1Nif4Names=([1]="eth0" [2]="wifi0")
# v1Nif6Names=([1]="eth0" [2]="wifi0")
# Below is valid, when USER wants to use this script for 3 NetworkAdapters:
# (to activate: set 3 in above var v1Nif4Qnty & v1Nif6Qnty, and remove
# beginning # hash symbol from below 2 lines. And de-activate other
# v1Nif4Names=(...) and v1Nif6Names=(...) code-lines.
# v1Nif4Names=([1]="eth0" [2]="wifi0" [3]="tap0")
# v1Nif6Names=([1]="eth0" [2]="wifi0" [3]="tap0")
# Run "nmtui" or other similar tools to get your system Network adapter/interface/card's
# actual name, then change shown "eth0"/"wifi0"/"tap0" names, into which
# is actually used inside your/USER's system/computer.
# COMMAND, COMMAND-SHELL, USER, ROOT ACCOUNT, etc:
# When a shown linux command has the "$" symbol as its 1st character,
# it indicates you should use the command from inside a non-root user
# account.
# When a shown command has the "#" symbol as its 1st character, it
# indicates you should use that command from inside a root user account
# or shell.
# In linux/unix, it is always best to avoid using "root" account for
# general activities. So instead, use "su" or "sudo" command in front
# of other command if this other command is needed to be run/executed
# as a "root" user.
# More details on this "bash"-shell script writing: http://mywiki.wooledge.org/BashFAQ
# http://mywiki.wooledge.org/BashGuide | http://wiki.bash-hackers.org/
# http://mywiki.wooledge.org/Quotes | http://mywiki.wooledge.org/Arguments
# http://wiki.bash-hackers.org/syntax/words
# Below info-line borrowed from bash irc channel @ freenode and slightly modified further by tErik.
# "Double quote" every literal that contains spaces/metacharacters
# and _every_ expansion, and also any arguments that contain shell
# syntax: "$var", "$(command "$var")", "${array[@]}", "a & b", "%F_%H:%M:%S".
# Use 'single quotes' for code or literal $'s: 'Costs $5 US', ssh host 'echo "$HOSTNAME"'.
# OTHER STEPS, USER of this script should consider to do, but not a MUST:
# IF LOGGING, THEN SEND LOG INTO SPECIFIC LOG FILE:
# To achieve this, Set a specific word in each LOG related iptables
# firewall rule, so it can be identified later, by the rsyslog/syslog
# service, for example, like below:
# --log-prefix "iptv4: PKT-NAME/TYPE "
# --log-prefix "iptv6: PKT-NAME/TYPE "
# If you are not going to LOG anything, then above/these steps are not necessary.
# Configure your OS (Operating System) to use rsyslog, if your OS is not already using it.
# If you are not going to LOG anything, then rsyslog configuration related steps are not necessary.
# On CentOS, get+install "rsyslog" with this command: $ sudo yum install rsyslog
# Configure "rsyslog" (not syslog) to filter/catch (specific word)
# and save in a specific log file, based on specific iptables log-prefix:
# create a /etc/rsyslog.d/iptablesLog.conf file, with following 17 lines:
# # Log IPv4 related log-prefix messages, which has PKT-TYPE:
# :msg, startswith, "iptv4: PKT-TYPE" -/var/log/iptables4n6.log
# & ~
# # Log IPv6 related log-prefix messages, which has PKT-TYPE:
# :msg, startswith, "iptv6: PKT-TYPE" -/var/log/iptables4n6.log
# & ~
# # If you want to use "regex" to catch/filter all ipt v4 & v6 related
# # log-prefix messages which does not have timestamp, then do not
# # use above/top-side 6 lines of log-rules, and instead include below
# # 2 lines:
# :msg, regex, "^iptv[46]\: [a-zA-Z0-9\-\_\(\)\:\,\/\ ]+" -/var/log/iptables4n6.log
# & ~
# # Use regex to catch/filter related ALL log-prefix messages, including
# # those, which have a timestamp before log-prefix msg:
# :msg, regex, "^ *\[[0-9]*\.[0-9]*\] iptv[46]\: [a-zA-Z0-9\-\_\(\)\:\,\/\ ]+" -/var/log/iptables4n6.log
# & ~
# # Log IPTables related messages:
# :msg, startswith, "IPTABLES_" -/var/log/iptables4n6.log
# & ~
# # Log IPTables related messages, by using regex, which may have timestamp:
# :msg, regex, "^ *\[[0-9]*\.[0-9]*\] IPTABLES\_" -/var/log/iptables4n6.log
# & ~
# # End of /etc/rsyslog.d/iptablesLog.conf file
# (Do not use the 1st # symbols shown in above 17 lines, as those are
# used here to make these info a note/comment for this script's USER).
# When copy-pasting out above 17 lines, make sure the 2nd # hash symbol
# remains as 1st # hash symbol, inside the actual active file.
# The 2nd line (which starts with ":msg") means, send log messages
# which start with "iptv4: PKT-TYPE " specifically into the
# /var/log/iptables4n6.log file. And 3rd line (which starts with "& ~")
# is instructing rsyslog to discard log messages which already matched
# previous line, so that rsyslog is not duplicating by sending same
# log messages into any other files.
# As we have used multiple different/various words after "--log-prefix",
# in firewall-rules of this script, so USER must create (similar as
# above) two lines, for EACH different "--log-prefix" iptables rule.
# And to make sure "rsyslog.d" service starts-up this "iptablesLog.conf"
# log-rules, before other log-rules, this script's USER may/can/should
# add a number before the conf filename, like this:
# /etc/rsyslog.d/30-iptablesLog.conf
# And USER may/can add below one code-line into /etc/sysctl.conf file
# to stop iptables messages & log going into console:
# kernel.printk = 4 4 1 7
# If you do above steps, do it before running this script.
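Before wiring the rsyslog filters above into production it helps to confirm that the `--log-prefix` convention and the filter patterns agree on what the kernel actually emits. The following is an added example, not part of the gist or of rsyslog: it applies equivalent matching to a few constructed kernel messages (the part rsyslog sees as `msg`, with and without the bracketed kernel timestamp) and then summarizes hits per prefix and PKT-TYPE, which is the first thing a reviewer wants from /var/log/iptables4n6.log. The timestamp pattern used here also tolerates the blank padding the kernel puts inside the brackets on low uptimes (for example `[   12.345678]`); the sample messages and their addresses are constructed.

```sh
#!/bin/sh
# Added example, not part of the gist: check the log-prefix convention
# against sample kernel messages the way the rsyslog rules above would,
# and summarize what a review of the iptables log file would show.

# Optional kernel timestamp in front of the message, e.g. "[12345.678901] "
# or "[   12.345678] " (the kernel pads the seconds field with blanks).
TS_RE='^ *(\[ *[0-9]+\.[0-9]+\] )?'

# route_log_line MSG
#   Prints which rule family of iptablesLog.conf would catch MSG:
#   iptv4, iptv6, IPTABLES_, or none.
route_log_line() {
    if   printf '%s\n' "$1" | grep -Eq "${TS_RE}iptv4: ";   then echo iptv4
    elif printf '%s\n' "$1" | grep -Eq "${TS_RE}iptv6: ";   then echo iptv6
    elif printf '%s\n' "$1" | grep -Eq "${TS_RE}IPTABLES_"; then echo IPTABLES_
    else echo none
    fi
}

# summarize_log FILE
#   Prints "<family> <PKT-TYPE> <count>" per distinct log prefix, sorted,
#   so the noisiest rules stand out.
summarize_log() {
    awk '
    {
        line = $0
        sub(/^ *\[ *[0-9]+\.[0-9]+\] /, "", line)       # drop kernel timestamp
        if (match(line, /^iptv[46]: [^ ]+/)) {
            tag = substr(line, RSTART, RLENGTH)          # e.g. "iptv4: SSH-NEW"
            sub(/: /, " ", tag)
            n[tag]++
        }
    }
    END { for (t in n) print t, n[t] }
    ' "$1" | sort
}

# write_sample_log FILE
#   Constructed sample messages (msg part only, as rsyslog sees them).
write_sample_log() {
    cat > "$1" <<'EOF'
[12345.678901] iptv4: SSH-NEW IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=22
[12346.000001] iptv4: SSH-NEW IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 PROTO=TCP SPT=51001 DPT=22
[   12.345678] iptv6: ICMP6-IN IN=eth0 OUT= SRC=2001:db8::10 DST=2001:db8::1 PROTO=ICMPv6
iptv4: OUT-DROP IN= OUT=eth0 SRC=192.0.2.1 DST=198.51.100.5 PROTO=UDP DPT=123
IPTABLES_BLOCKED IN=eth0 SRC=203.0.113.7
Started Session 42 of user root.
EOF
}

# Stand-alone demonstration.
sample=$(mktemp)
write_sample_log "$sample"
while IFS= read -r msg; do
    printf '%-10s %s\n' "$(route_log_line "$msg")" "$msg"
done < "$sample"
summarize_log "$sample"
rm -f "$sample"
```

`summarize_log /var/log/iptables4n6.log` gives the per-rule hit counts on a real host; a prefix that never appears in the summary but should is usually a rule whose LOG line was left disabled, or a prefix spelled differently from what the rsyslog filter expects.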
# WHEN LOG-FILE REACHES 20MB FILESIZE THEN MOVE & BACKUP IT,
# AND START USING A NEW LOG FILE:
# Configure your OS to use "logrotate", if your OS is not already using it.
# If you are not going to LOG anything, then logrotate configuration related steps are not necessary.
# More info: https://apps.fedoraproject.org/packages/logrotate
# On CentOS, get+install "logrotate" with this command: $ sudo yum install logrotate
# Create a /etc/logrotate.d/iptables4n6 file, with following 53 lines:
# # Logs are compressed after they are rotated, using gzip:
# compress
# /var/log/iptables4n6.log
# {
# # rotate count # Log files are rotated "count" times before being removed or mailed
# # to the address specified in a mail directive. If count is 0, old versions are
# # removed rather than rotated.
# rotate 365
# # daily = Log files are rotated every day. monthly = Log files are rotated the first
# # time logrotate is run in a month (this is normally on the first day of the month). yearly.
# daily
# # size sizeN # Log files are rotated only if they grow bigger than sizeN bytes.
# # In "sizeN", "size" is numerical digits, and N is multiplier. k = kilobytes.
# # M = megabytes. G = gigabytes. If no multiplier letter exist, then it is "bytes".
# # size 20M
# # maxsize sizeN # Log files are rotated when they grow bigger than sizeN bytes
# # even before the additionally specified time interval: daily, weekly, monthly, yearly.
# maxsize 20M
# # Archive old versions of log files adding a daily extension like YYYYMMDD instead
# # of simply adding a number. Can be configured further using "dateformat" option.
# dateext
# # dateformat format_string # Only %Y %m %d and %s specifiers are allowed.
# # default value is -%Y%m%d. Note that also the character separating log name
# # from the extension is part of the dateformat string.
# dateformat -%Y-%m-%d-%s
# # extension ext # Log files with ext extension can keep it, after the rotation.
# # If compression is used, the compression extension (normally .gz) appears after
# # ext. For example, you have a logfile named myApp.log and want to rotate it to
# # myApp.1.log.gz instead of myApp.log.1.gz. If "dateext" is used, then YYYYMMDD
# # will be used instead of numbers like 1.
# extension log
# # nomail # Don't mail old log files to any address.
# nomail
# # olddir directory # Logs are moved into directory for rotation. The directory
# # must be on the same physical device as the log file being rotated, and is
# # assumed to be relative to the directory holding the log file unless an absolute
# # path name is specified.
# olddir /var/log/IPT/
# # missingok # If log file is missing, go on to next one without issuing error message.
# missingok
# # delaycompress # Postpone compression of previous log file to next rotation cycle.
# # This only has effect when used in combination with "compress". It can be used
# # when some program cannot be told to close its logfile and thus might continue
# # writing to previous log for some time.
# delaycompress
# compress
# # postrotate/endscript # Lines inbetween "postrotate" & "endscript" are executed
# # using /bin/sh, after log file is rotated.
# postrotate
# invoke-rc.d rsyslog rotate > /dev/null
# endscript
# }
# # End of /etc/logrotate.d/iptables4n6 file
# (Do not use the 1st # hash symbols shown in above 53 lines, as those are
# used here to make these info, a note/comment, for this script's USER).
# When copy-pasting out above 53 lines, make sure the 2nd # hash symbol
# remains as 1st # hash symbol, inside the actual active file.
# Above 53 lines configure "logrotate" service to rotate the iptables
# firewall log file daily, for 365 days, and a new log file is used
# each time a log file reaches 20MegaBytes size. Currently used
# log file, and last log file, are not compressed immediately. When
# older log file is older than last log file, then they are compressed
# into a gz file.
# If you do above steps, do it before running this script.
# TypeOfComputer:
# Regular USERs can
# TypOfComptr =(custom srvr clnt srvrclnt wrkstn dsktp portbl noin noinnout noinalowout)
TypOfComptrNum=(1 0 0 0 0 0 0 0 0 0)
# Set in above: 1 = UseThis. 0 = DoNotUseThis.
# Be careful, Do not set contradictory settings: both "noinnout" &
# "noinalowout" must not be set to 1 at same time.
# custom = use below "FwR" based, custom/your-own chosen firewall-rules.
# srvr = server: most common inbound & outbound traffic will be auto permitted.
# clnt = client: most common inbound & outbound for local intranet server, will be auto permitted.
# srvrclnt = Server & Client, most common inbound & outbound for intranet & internet devices, will be auto permitted.
# wrkstn = similar to clnt, but with some specific inbound are allowed for specific services.
# dsktp = only outbound traffic will be auto permitted.
# portbl = similar to dsktp, but with mobile friendly rules. (ip-adrs is not fixed).
# noin = no-inbound traffic is allowed. Most common type of outbound will be allowed.
# noinnout = no-inbound and no-outbound internet/routable is allowed. Only local loopback ip-adrs traffic is allowed.
# noinalowout = no-inbound traffic is allowed. Allow all type of outbound.
# FwR = FirewallRules
# This set of variables/containers will hold all pre-defined USER's chosen & approved/permitted firewall-rules.
#        col1        col2        col3        col4        col5
# row1   [row1,col1] [row1,col2] [row1,col3] [row1,col4] [row1,col5]
# row2   [row2,col1] [row2,col2] [row2,col3] [row2,col4] [row2,col5]
# row3   [row3,col1] [row3,col2] [row3,col3] [row3,col4] [row3,col5]
# row4   [row4,col1] [row4,col2] [row4,col3] [row4,col4] [row4,col5]
# In above we have 4 rows = totalFirewallRules = 4
# totalParametersForEachFirewallRule = 5
# FwR4=('d1=(v1 v2 v3)' 'd2=(v1 v2 v3)') # Alternative way to declare variables in bash script.
declare -A FwR # Associative array data container/variable, as it's using "-A".
# # Such container's each item position identifier/index
# # needs to be a "string", not an integer.
declare -A FwR4 # for IPv4.
declare -A FwR6 # for IPv6.
totalFirewallRules=50 # rows
totalParametersForEachFirewallRule=5 # columns: total containers for each row
parametersPreDeclaredNonZero=3 # 3 parameters are now set (to something other than 0),
# # so 5-3 = remaining 2 vars will be set with 0 for now
# For example, if you declare four FwR4[$i,N] containers with something
# that is not zero, then set parametersPreDeclaredNonZero=4
# Setting default-values for all firewall-rules:
# (setting all to "DROP" all packets).
FwR["1"]="INPUT,OUTPUT" # Choices: any / INPUT / OUTPUT / IN-OUT
FwR["2"]="DROP" # Choices: DROP / ACCEPT
FwR["3"]="LOG" # Choices: LOG/ALSOLOG / NOLOG
FwR["4"]="iptv" # Choices: must begin with iptv, then 4 or 6, then :, then PKT-TYPE
FwR["5"]="0"
# Copy the defaults into every row of the IPv4 and IPv6 tables; the
# prefix column (key 4) gets the address family appended.
for ((i=1; i <= totalFirewallRules; i++)); do
    for key in "${!FwR[@]}"; do
        if [ "$key" != 4 ]; then
            FwR4["$i","$key"]="${FwR["$key"]}"
            FwR6["$i","$key"]="${FwR["$key"]}"
        else
            FwR4["$i","$key"]="${FwR["$key"]}4:"
            FwR6["$i","$key"]="${FwR["$key"]}6:"
        fi
    done
    # For now, below 4 code-lines are disabled:
    # for ((j=1; j <= totalParametersForEachFirewallRule; j++)); do
    #     FwR4["${i}","${j}"]="0" # setting it to "0"
    #     FwR6["${i}","${j}"]="0" # setting it to "0"
    # done
done
# Portion of above 10 code-lines are result of inspiration from codes
# written by "glenn jackman" at below location:
# http://stackoverflow.com/questions/6149679/bash-need-some-help-with-multidimensional-associative-arrays
# Also portion of credit goes to few users at #bash irc channel at freenode.net
# Disable or Stop certain attacks:
echo "Setting sysctl IPv4 settings, to stop certain attacks..."
# TO:DO: Please add notes on each of below rules, what it does:
# IPv4 forwarding 0/disabled: this host will not route packets between
# its interfaces (needs 1 only if it must act as router/NAT for guests):
echo sysctl net.ipv4.ip_forward=0
"$v1sysCtl" net.ipv4.ip_forward=0
# Do not send ICMP redirects; only routers should:
echo sysctl net.ipv4.conf.all.send_redirects=0
"$v1sysCtl" net.ipv4.conf.all.send_redirects=0
#
echo sysctl net.ipv4.conf.default.send_redirects=0
"$v1sysCtl" net.ipv4.conf.default.send_redirects=0
# Ignore source-routed packets (a sender-chosen path can bypass filtering):
echo sysctl net.ipv4.conf.all.accept_source_route=0
"$v1sysCtl" net.ipv4.conf.all.accept_source_route=0
# Ignore ICMP redirects (they could alter this host's routing table):
echo sysctl net.ipv4.conf.all.accept_redirects=0
"$v1sysCtl" net.ipv4.conf.all.accept_redirects=0
# Ignore ICMP redirects even when sent by a known gateway:
echo sysctl net.ipv4.conf.all.secure_redirects=0
"$v1sysCtl" net.ipv4.conf.all.secure_redirects=0
# Log "martian" packets (impossible/spoofed source addresses):
echo sysctl net.ipv4.conf.all.log_martians=1
"$v1sysCtl" net.ipv4.conf.all.log_martians=1
# Same settings on the "default" template, so newly added interfaces
# inherit them:
echo sysctl net.ipv4.conf.default.accept_source_route=0
"$v1sysCtl" net.ipv4.conf.default.accept_source_route=0
#
echo sysctl net.ipv4.conf.default.accept_redirects=0
"$v1sysCtl" net.ipv4.conf.default.accept_redirects=0
#
echo sysctl net.ipv4.conf.default.secure_redirects=0
"$v1sysCtl" net.ipv4.conf.default.secure_redirects=0
# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification):
echo sysctl net.ipv4.icmp_echo_ignore_broadcasts=1
"$v1sysCtl" net.ipv4.icmp_echo_ignore_broadcasts=1
# Do not log malformed ICMP error responses (reduces log noise); disabled here:
# echo sysctl net.ipv4.icmp_ignore_bogus_error_messages=1
# "$v1sysCtl" net.ipv4.icmp_ignore_bogus_error_messages=1
# Use SYN cookies when the SYN backlog fills up, to survive SYN floods:
echo sysctl net.ipv4.tcp_syncookies=1
"$v1sysCtl" net.ipv4.tcp_syncookies=1
# Reverse-path filtering: drop packets whose source address is not
# reachable back through the interface they arrived on (anti-spoofing):
echo sysctl net.ipv4.conf.all.rp_filter=1
"$v1sysCtl" net.ipv4.conf.all.rp_filter=1
#
echo sysctl net.ipv4.conf.default.rp_filter=1
"$v1sysCtl" net.ipv4.conf.default.rp_filter=1
# Exec-Shield exists only on some distribution kernels (older RHEL/CentOS);
# on other kernels sysctl prints an error for this missing key, which
# can be ignored:
echo sysctl kernel.exec-shield=1
"$v1sysCtl" kernel.exec-shield=1
# Address space layout randomization (1 = stack, mmap and VDSO;
# 2 additionally randomizes the heap/brk):
echo sysctl kernel.randomize_va_space=1
"$v1sysCtl" kernel.randomize_va_space=1
echo "Saving previous firewall-rules..."
# Saving (backing-up) previous firewall rules (before we start to
# add new rules) inside home directory of current user:
# Current Date & time is added into filename, and filename will
# have .bak filename-extension at end:
# v1dateTimeNow=$(date +"%Y-%m-%d_%H-%M-%S")
# user {xmb} from CH contributed %F instead of %Y-%m-%d
v1dateTimeNow="$(date +"%F_%H-%M-%S")"
"${v1ipt4Cmd}-save" > "$HOME/iptables_${v1dateTimeNow}.bak"
"${v1ipt6Cmd}-save" > "$HOME/iptables6_${v1dateTimeNow}.bak"
# Thanks to user izabera (@freenode.net), the "~" is changed into "$HOME"
# Thanks to user pgas, (@freenode.net) for other improvements.
# More/related info: http://mywiki.wooledge.org/Quotes
echo " ...done."
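The sysctl values applied a little earlier (before this backup step) are set once, at run time: they do not survive a reboot unless the same keys are also placed in /etc/sysctl.conf, and other software can change them later. The following check is an added example, not code from the gist; its key list is copied from the sysctl block of this script, and it re-reads each key from /proc/sys to report drift. The directory argument exists so the audit can be tried, as shown, against a constructed fake /proc/sys tree without root. `kernel.exec-shield` is kept in the list as the script sets it, so on kernels that lack it the audit reports MISSING rather than failing.

```sh
#!/bin/sh
# Added example, not code from the gist: re-check the sysctl hardening
# values the script sets, so drift (a reboot without matching
# /etc/sysctl.conf entries, or another tool changing them) is visible.

# hardening_wanted
#   The key=value pairs the script applies, one per line.
hardening_wanted() {
    cat <<'EOF'
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
kernel.exec-shield=1
kernel.randomize_va_space=1
EOF
}

# sysctl_path BASE KEY  ->  BASE/net/ipv4/ip_forward for net.ipv4.ip_forward
sysctl_path() {
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# audit_sysctl [BASE]
#   BASE defaults to /proc/sys. Prints "ok KEY", "DRIFT KEY wanted=W actual=A"
#   or "MISSING KEY" per wanted key; returns the number of keys not ok.
audit_sysctl() {
    base=${1:-/proc/sys}
    bad=0
    for kv in $(hardening_wanted); do
        key=${kv%%=*}
        want=${kv#*=}
        path=$(sysctl_path "$base" "$key")
        if [ ! -r "$path" ]; then
            printf 'MISSING %s\n' "$key"
            bad=$((bad + 1))
            continue
        fi
        actual=$(tr -d '[:space:]' < "$path")
        if [ "$actual" = "$want" ]; then
            printf 'ok %s\n' "$key"
        else
            printf 'DRIFT %s wanted=%s actual=%s\n' "$key" "$want" "$actual"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# hardening_drift_count [BASE]
#   Prints the number of DRIFT/MISSING keys (0 = fully compliant).
hardening_drift_count() {
    audit_sysctl "$@" | awk '/^(DRIFT|MISSING) / { n++ } END { print n + 0 }'
}

# make_fake_proc_sys DIR
#   Builds a constructed /proc/sys look-alike under DIR with every wanted
#   key at its wanted value, for trying the audit without root.
make_fake_proc_sys() {
    for kv in $(hardening_wanted); do
        path=$(sysctl_path "$1" "${kv%%=*}")
        mkdir -p "$(dirname "$path")"
        printf '%s\n' "${kv#*=}" > "$path"
    done
}

# Stand-alone demonstration on a fake tree with two values flipped.
fake=$(mktemp -d)
make_fake_proc_sys "$fake"
printf '1\n' > "$(sysctl_path "$fake" net.ipv4.ip_forward)"
printf '0\n' > "$(sysctl_path "$fake" net.ipv4.conf.all.log_martians)"
audit_sysctl "$fake" | grep -v '^ok '
echo "non-compliant keys: $(hardening_drift_count "$fake")"
rm -rf "$fake"
```

On a real host run `audit_sysctl` with no argument (it reads /proc/sys, which needs no privileges); a non-zero `hardening_drift_count` after a reboot means the values were never persisted.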
echo "Starting IPv4 Firewall, and Deleting all previous rules..."
"$v1ipt4Cmd" -F # --flush # Deleting (flushing) all the rules
"$v1ipt4Cmd" -X # --delete-chain # Delete all user-defined chains
"$v1ipt4Cmd" -t nat -F # --table nat --flush # Select table (called nat or mangle) and delete/flush rules
"$v1ipt4Cmd" -t nat -X # --table nat --delete-chain
"$v1ipt4Cmd" -t mangle -F # --table mangle --flush # Select table (called nat or mangle) and delete/flush rules
"$v1ipt4Cmd" -t mangle -X # --table mangle --delete-chain
echo " ...done."
# above are for IPv4
echo "Starting IPv6 Firewall, and Deleting all previous rules..."
"$v1ipt6Cmd" -F # --flush # Deleting (flushing) all the rules
"$v1ipt6Cmd" -X # --delete-chain # Delete all user-defined chains
"$v1ipt6Cmd" -t nat -F # --table nat --flush # Select table (called nat or mangle) and delete/flush rules
"$v1ipt6Cmd" -t nat -X # --table nat --delete-chain
"$v1ipt6Cmd" -t mangle -F # --table mangle --flush # Select table (called nat or mangle) and delete/flush rules
"$v1ipt6Cmd" -t mangle -X # --table mangle --delete-chain
echo " ...done."
# above are for IPv6
# Load Modules and Info:
modprobe nf_conntrack # Connection tracking. (The old module name
# "ip_conntrack" no longer exists on current kernels.) The "-m conntrack"
# match, when combined with connection tracking, allows access to the
# connection tracking state for this packet/connection.
# --ctstate statelist statelist is a comma separated list of the
# connection states to match. Possible states are listed below.
# --ctproto l4proto Layer-4 protocol to match (by number or name)
# All connection tracking is handled in the PREROUTING chain,
# except locally generated packets which are handled in the OUTPUT
# chain.
# --ctorigsrc address[/mask] --ctorigdst address[/mask]
# --ctreplsrc address[/mask]
# --ctrepldst address[/mask] Match against original/reply source/destination address
# --ctorigsrcport port[:port] --ctorigdstport port[:port]
# --ctreplsrcport port[:port]
# --ctrepldstport port[:port] Match against original/reply source/destination
# port (TCP/UDP/etc.) or GRE key. Matching against port ranges is only supported
# in kernel versions above 2.6.38.
# --ctstatus statuslist # statuslist is a comma separated list of the connection
# statuses to match. Possible statuses are listed below.
# --ctexpire time[:time] Match remaining lifetime in seconds against given
# value or range of values (inclusive)
# --ctdir {ORIGINAL|REPLY} Match packets that are flowing in the specified
# direction. If this flag is not specified at all, matches packets in both
# directions.
# States for --ctstate: INVALID meaning that the packet is associated with
# no known connection. NEW meaning that the packet has started a new
# connection, or otherwise associated with a connection which has not seen
# packets in both directions, and ESTABLISHED meaning that the packet is
# associated with a connection which has seen packets in both directions,
# RELATED meaning that the packet is starting a new connection, but is
# associated with an existing connection, such as an FTP data transfer,
# or an ICMP error. UNTRACKED meaning that the packet is not tracked at
# all, which happens if you use the NOTRACK target in raw table.
# SNAT A virtual state, matching if the original source address differs
# from the reply destination. DNAT A virtual state, matching if the original
# destination differs from the reply source.
# Statuses for --ctstatus: NONE None of the below. EXPECTED This is an
# expected connection (i.e. a conntrack helper set it up). SEEN_REPLY Conntrack
# has seen packets in both directions. ASSURED Conntrack entry should never be
# early-expired. CONFIRMED Connection is confirmed: originating packet has left
# box.
modprobe xt_pkttype # This module matches the link-layer packet type.
# --pkt-type {unicast|broadcast|multicast}
modprobe xt_addrtype # The "addrtype" match module (-m addrtype); the kernel
# module itself is named xt_addrtype. It matches packets based on their address
# type. Address types are used within the kernel networking stack and
# categorize addresses into various groups. The exact definition of
# that group depends on the specific layer three protocol.
# types are: UNSPEC an unspecified address (i.e. 0.0.0.0), UNICAST,
# LOCAL, BROADCAST, ANYCAST, MULTICAST, BLACKHOLE, UNREACHABLE,
# PROHIBIT, THROW, NAT, XRESOLVE.
# --src-type type Matches if the source address is of given type.
# --dst-type type Matches if the destination address is of given type.
# --limit-iface-in The address type checking can be limited to the interface
# the packet is coming in. This option is only valid in the PREROUTING,
# INPUT and FORWARD chains. It cannot be specified with the --limit-iface-out
# option.
# --limit-iface-out The address type checking can be limited to the interface
# the packet is going out. This option is only valid in the POSTROUTING,
# OUTPUT and FORWARD chains. It cannot be specified with the --limit-iface-in
# option.
modprobe xt_recent # Allows to dynamically create a list of IP addresses
# and then match against that list in a few different ways.
# --set, --rcheck, --update and --remove are mutually exclusive.
# --name name # Specify the list to use for the commands. If no name
# is given then DEFAULT will be used.
# --set # This will add the source address of the packet to the list.
# If the source address is already in the list, this will update the
# existing entry. This will always return success (or failure if !
# is passed in).
# --rsource # Match/save the source address of each packet in the recent
# list table. This is the default.
# --rdest # Match/save the destination address of each packet in the
# recent list table.
# --rcheck # Check if the source address of the packet is currently in the list.
# --update # Like --rcheck, except it will update the "last seen"
# timestamp if it matches.
# --remove # Check if the source address of the packet is currently
# in the list and if so that address will be removed from the list
# and the rule will return true. If the address is not found, false
# is returned.
# --seconds seconds # This option must be used in conjunction with one
# of --rcheck or --update. When used, this will narrow the match to only
# happen when the address is in the list and was seen within the last
# given number of seconds.
# --hitcount hits # This option must be used in conjunction with one of
# --rcheck or --update. When used, this will narrow the match to only
# happen when the address is in the list and packets had been received
# greater than or equal to the given value. This option may be used along
# with --seconds to create an even narrower match requiring a certain
# number of hits within a specific time frame. The maximum value for
# the hitcount parameter is given by the "ip_pkt_list_tot" parameter
# of the xt_recent kernel module. Exceeding this value on the command
# line will cause the rule to be rejected.
# --rttl # This option may only be used in conjunction with one of --rcheck
# or --update. When used, this will narrow the match to only happen when
# the address is in the list and the TTL of the current packet matches
# that of the packet which hit the --set rule. This may be useful if you
# have problems with people faking their source address in order to DoS
# you via this module by disallowing others access to your site by sending
# bogus packets to you.
# Examples:
# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
# The /proc/net/xt_recent/* are the current lists of addresses and information
# about each entry of each list. Each file in /proc/net/xt_recent/ can be
# read from to see the current list or written to using the following
# commands to modify the list:
# echo +addr >/proc/net/xt_recent/DEFAULT # to add addr to the DEFAULT list
# echo -addr >/proc/net/xt_recent/DEFAULT # to remove addr from the DEFAULT list
# echo / >/proc/net/xt_recent/DEFAULT # to flush the DEFAULT list (remove all entries).
# The module itself accepts parameters, defaults shown:
# ip_list_tot=100 # Number of addresses remembered per table.
# ip_pkt_list_tot=20 # Number of packets per address remembered.
# ip_list_hash_size=0 # Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
# ip_list_perms=0644 # Permissions for /proc/net/xt_recent/* files.
# ip_list_uid=0 # Numerical UID for ownership of /proc/net/xt_recent/* files.
# ip_list_gid=0 # Numerical GID for ownership of /proc/net/xt_recent/* files.
# ipv6header This module matches IPv6 extension headers and/or upper layer header.
# --soft Matches if the packet includes any of the headers specified
# with --header.
# --header header[,header...] Matches the packet which EXACTLY includes all
# specified headers. The headers encapsulated with ESP header are out of scope.
# Possible header types can be: hop|hop-by-hop Hop-by-Hop Options header.
# dst Destination Options header. route Routing header. frag Fragment header.
# auth Authentication header. esp Encapsulating Security Payload header.
# none No Next header which matches 59 in the 'Next Header field' of IPv6
# header or any IPv6 extension headers. proto which matches any upper layer
# protocol header. A protocol name from /etc/protocols and numeric value also
# allowed. The number 255 is equivalent to proto.
# iprange : This match-extension matches on a given arbitrary range of IP addresses.
# --src-range from[-to] Match source IP in the specified range.
# --dst-range from[-to] Match destination IP in the specified range.
# Info on Match-Extensions:
# icmp6 (IPv6-specific) This match-extension can be used if
# `--protocol ipv6-icmp' or `--protocol icmpv6' is specified. It
# provides the following option:
# --icmpv6-type type[/code]|typename This allows specification of
# the ICMPv6 type, which can be a numeric ICMPv6 type, type and
# code, or one of the ICMPv6 type names shown by this command:
# ip6tables -p ipv6-icmp -h
# Load/Use TARGET EXTENSIONS: iptables can use extended target modules:
# DNAT : This target is only valid in the nat table, in the PREROUTING
# and OUTPUT chains, and user-defined chains which are only called from
# those chains. It specifies that the destination address of the packet
# should be modified (and all future packets in this connection will also
# be mangled), and rules should cease being examined. It takes one type of
# option: --to-destination [ipaddr[-ipaddr]][:port[-port]] which can
# specify a single new destination IP address, an inclusive range of IP
# addresses, and optionally, a port range (which is only valid if the rule
# also specifies -p tcp or -p udp). If no port range is specified, then the
# destination port will never be modified. If no IP address is specified
# then only the destination port will be modified.
# In Kernels up to 2.6.10 you can add several --to-destination options.
# For those kernels, if you specify more than one destination address,
# either via an address range or multiple --to-destination options,
# a simple round-robin (one after another in cycle) load balancing takes
# place between these addresses.
# Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple
# ranges anymore.
# --random If option --random is used then port mapping will be
# randomized (kernel >= 2.6.22).
# --persistent Gives a client the same source-/destination-address for each
# connection. This supersedes the SAME target. Support for persistent mappings
# is available from 2.6.29-rc2.
# When establishing connections or restarting the firewall/iptables
# service, established connections will be dropped, because the service
# unloads the netfilter modules from the system under RHEL/Fedora/CentOS Linux.
# To not unload modules, edit /etc/sysconfig/iptables-config and set
# IPTABLES_MODULES_UNLOAD="no"
[ -f "$v1blokdIPs" ] && v1badIPs=$(egrep -v -E "^#|^$" "${v1blokdIPs}") | |
echo "Creating rule: Allow All IPv4 Local loopback In & Out" | |
# Handle Traffic for LOCAL LOOPBACK IPv4 interace: | |
# default is FwR4[x,"1"]="INPUT,OUTPUT", FwR4[x,"2"]="DROP", FwR4[x,"3"]="LOG", FwR4[x,"4"]="iptv4:", FwR4[x,"5"]="0" | |
FwR4["1","1"]="INPUT" ; FwR4["1","2"]="ACCEPT" | |
# FwR4["1","3"]="NOLOG" | |
FwR4["1","4"]="${FwR4[1,4]} loopback in " | |
FwR4["2","1"]="OUTPUT" ; FwR4["2","2"]="ACCEPT" | |
# FwR4["2","3"]="NOLOG" | |
FwR4["2","4"]="${FwR4[2,4]} loopback out " | |
[ "$FwR4[1,3]" = LOG ] && "$v1ipt4Cmd" -A ${FwR4[1,1]} -i lo -j LOG \ | |
--log-level 6 --log-uid --log-prefix "\"${FwR4[1,4]}\"" # IPv4 | |
"$v1ipt4Cmd" -A ${FwR4[1,1]} -i lo -j ${FwR4[1,2]} # Unlimited loopback Input Allowed # IPv4 | |
[ "$FwR4[2,3]" = LOG ] && "$v1ipt4Cmd" -A ${FwR4[2,1]} -o lo -j LOG \ | |
--log-level 6 --log-uid --log-prefix "\"${FwR4[2,4]}\"" # IPv4 | |
"$v1ipt4Cmd" -A ${FwR4[2,1]} -o lo -j ${FwR4[2,2]} # Unlimited loopback Output Allowed # IPv4 | |
# If you want to restrict loopback traffic toward/from locally running | |
# servers/services, then do not use above rules, and instead use such | |
# rules which are more specific to your need. | |
# If you do not want to LOG loopback network traffic, then disable only | |
# 2 code-lines in above which has the "LOG", not all 4 code-lines. | |
echo " ...done." | |
echo "Creating rule: Allow All IPv6 Local loopback In & Out" | |
# Handle Traffic for LOCAL LOOPBACK IPv6 interace: | |
# default is FwR6[x,"1"]="INPUT,OUTPUT", FwR6[x,"2"]="DROP", FwR6[x,"3"]="LOG", FwR6[x,"4"]="iptv6:", FwR6[x,"5"]="0" | |
FwR6["1","1"]="INPUT" ; FwR6["1","2"]="ACCEPT" | |
# FwR6["1","3"]="NOLOG" | |
FwR6["1","4"]="${FwR6[1,4]} loopback in " | |
FwR6["2","1"]="OUTPUT" ; FwR6["2","2"]="ACCEPT" | |
# FwR6["2","3"]="NOLOG" | |
FwR6["2","4"]="${FwR6[2,4]} loopback out " | |
[ "$FwR6[1,3]" = LOG ] && "$v1ipt6Cmd" -A ${FwR6[1,1]} -i lo -j LOG \ | |
--log-level 6 --log-uid --log-prefix "\"${FwR6[1,4]}\"" # IPv6 | |
"$v1ipt6Cmd" -A ${FwR6[1,1]} -i lo -j ${FwR6[1,2]} # Unlimited loopback Input Allowed # IPv6 | |
[ "$FwR6[2,3]" = LOG ] && "$v1ipt6Cmd" -A ${FwR6[2,1]} -o lo -j LOG \ | |
--log-level 6 --log-uid --log-prefix "\"${FwR6[2,4]}\"" # IPv6 | |
"$v1ipt6Cmd" -A ${FwR6[2,1]} -o lo -j ${FwR6[2,2]} # Unlimited loopback Output Allowed # IPv6 | |
# If you want to restrict loopback traffic toward/from locally running | |
# servers/services, then do not use above rules, and instead use such | |
# rules which are more specific to your need. | |
# If you do not want to LOG loopback network traffic, then disable only | |
# 2 code-lines in above which has the "LOG", not all 4 code-lines. | |
echo " ...done." | |
echo "Creating default rules: ..." | |
echo " -P INPUT DROP" | |
echo " -P OUTPUT DROP" | |
echo " -P FORARD DROP" | |
# DROP ALL INCOMING IPv4 TRAFFIC (BY DEFAULT). | |
# (when any firewall rules are not matched for a IP packet). | |
# SO ALL FIREWALL RULES, MUST BE ADJUSTED BASED ON THIS STRATEGY/POLICY. | |
"$v1ipt4Cmd" -P INPUT DROP # IPv4 | |
"$v1ipt4Cmd" -P OUTPUT DROP # IPv4 | |
"$v1ipt4Cmd" -P FORWARD DROP # IPv4 | |
# Above 3 Policy lines (which has -P) declared to DROP all incoming, | |
# outgoing, forwarded traffic, When any below rules have not matched | |
# for a network packet. | |
# *** If user using this script for a linux/unix PC/Desktop, and wants | |
# GUI web browser software/clients or similar apps to use random outbound | |
# network traffic connections with various external websites, then user | |
# may CHANGE the above 2nd code-line, from, -P OUTPUT DROP | |
# into, -P OUTPUT ACCEPT | |
# to by-default allow all OUTPUT/outbound network packets. | |
# DROP ALL INCOMING IPv6 TRAFFIC (BY DEFAULT). | |
# (when any firewall rules are not matched for a IP packet). | |
# SO ALL FIREWALL RULES, MUST BE ADJUSTED BASED ON THIS STRATEGY/POLICY. | |
"$v1ipt6Cmd" -P INPUT DROP # IPv6 | |
"$v1ipt6Cmd" -P OUTPUT DROP # IPv6 | |
"$v1ipt6Cmd" -P FORWARD DROP # IPv6 | |
echo " ...done." | |
# pid-owner.txt - Example rule on how the pid-owner match could be used. | |
# Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet> and GPL. | |
# PID=`ps aux |grep inetd |head -n 1 |cut -b 10-14` | |
# or PID=`pgrep xinetd` | |
# iptables -A OUTPUT -p TCP -m owner --pid-owner $PID -j ACCEPT | |
# The pid-owner.txt is a small example script that shows how we could | |
# use the PID owner match. It does nothing real, but you should be | |
# able to run the script, and then from the output of iptables -L -v | |
# be able to tell that the rule actually matches. | |
# Above copyright is only applicable on above 9 code-lines. | |
echo "Creating rule: Block those IPs which are detected to be violating our rules or exceeding allowed limitations ..." | |
# Check If IP-Address list is found inside "blocked.ips.txt" file, or not: | |
if [ -f "${v1blokdIPs}" ]; | |
then | |
# create a new iptables list | |
"$v1ipt4Cmd" -N "$v1spmLst" # IPv4 | |
"$v1ipt6Cmd" -N "$v1spmLst" # IPv6 | |
# Log each bad IP and drop those packets | |
for v1ipBlok in "$v1badIPs" | |
do | |
"$v1ipt4Cmd" -A "$v1spmLst" -s "$v1ipBlok" -j LOG --log-prefix "iptv4: ${v1spmDrpMsg} " # IPv4 | |
"$v1ipt4Cmd" -A "$v1spmLst" -s "$v1ipBlok" -j DROP # IPv4 | |
"$v1ipt6Cmd" -A "$v1spmLst" -s "$v1ipBlok" -j LOG --log-prefix "iptv6: ${v1spmDrpMsg} " # IPv6 | |
"$v1ipt6Cmd" -A "$v1spmLst" -s "$v1ipBlok" -j DROP # IPv6 | |
done | |
"$v1ipt4Cmd" -I INPUT -j "$v1spmLst" # IPv4 | |
"$v1ipt4Cmd" -I OUTPUT -j "$v1spmLst" # IPv4 | |
"$v1ipt4Cmd" -I FORWARD -j "$v1spmLst" # IPv4 | |
"$v1ipt6Cmd" -I INPUT -j "$v1spmLst" # IPv6 | |
"$v1ipt6Cmd" -I OUTPUT -j "$v1spmLst" # IPv6 | |
"$v1ipt6Cmd" -I FORWARD -j "$v1spmLst" # IPv6 | |
fi | |
echo " ...done." | |
echo "Creating rule: dropping/blocking all harmful packets..." | |
# Block sync: | |
# The -m limit module can limit the number of log entries created per | |
# time. This is used to prevent flooding your log file. To log and drop | |
# spoofing per 5 minutes, in bursts of at most 7 entries | |
# default is FwR4[x,"1"]="INPUT,OUTPUT", FwR4[x,"2"]="DROP", FwR4[x,"3"]="LOG", FwR4[x,"4"]="iptv4:", FwR4[x,"5"]="0" | |
FwR4["11","1"]="INPUT" ; # FwR4["11","2"]="ACCEPT" | |
# FwR4["11","3"]="NOLOG" | |
FwR4["11","4"]="${FwR4[11,4]} Drop Sync " | |
for key in "${!v1Nif4Names[@]}"; do | |
[ "$FwR4[11,3]" = LOG ] && "$v1ipt4Cmd" -A ${FwR4[11,1]} -i ${v1Nif4Names[key]} \ | |
-p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG \ | |
--log-level 6 --log-uid --log-prefix "\"${FwR4[11,4]}\"" | |
"$v1ipt4Cmd" -A ${FwR4[11,1]} -i ${v1Nif4Names[key]} -p tcp ! --syn -m state --state NEW -j ${FwR4[11,2]} | |
done | |
# Block Fragmented Packets: | |
# default is FwR4[x,"1"]="INPUT,OUTPUT", FwR4[x,"2"]="DROP", FwR4[x,"3"]="LOG", FwR4[x,"4"]="iptv4:", FwR4[x,"5"]="0" | |
FwR4["13","1"]="INPUT" ; # FwR4["13","2"]="ACCEPT" | |
# FwR4["13","3"]="NOLOG" | |
FwR4["13","4"]="${FwR4[13,4]} Fragmented Packets " | |
for key in "${!v1Nif4Names[@]}"; do | |
[ "$FwR4[13,3]" = LOG ] && "$v1ipt4Cmd" -A ${FwR4[13,1]} -i ${v1Nif4Names[key]} \ | |
-f -m limit --limit 5/m --limit-burst 7 -j LOG \ | |
--log-level 6 --log-uid --log-prefix "\"${FwR4[13,3]}\"" | |
"$v1ipt4Cmd" -A ${FwR4[13,1]} -i ${v1Nif4Names[key]} -f -j ${FwR4[13,2]} | |
done | |
# Block bad stuff: | |
# add comments line for each below rules to clarify. | |
# default is FwR4[x,"1"]="INPUT,OUTPUT", FwR4[x,"2"]="DROP", FwR4[x,"3"]="LOG", FwR4[x,"4"]="iptv4:", FwR4[x,"5"]="0" | |
FwR4["15","1"]="INPUT" ; # FwR4["15","2"]="ACCEPT" | |
# FwR4["15","3"]="NOLOG" | |
FwR4["15","4"]="${FwR4[15,4]} BAD (FIN,URG,PSH) " | |
for key in "${!v1Nif4Names[@]}"; do | |
[ "$FwR4[15,3]" = LOG ] && "$v1ipt4Cmd" -A $FwR4[15,1] -i ${v1Nif4Names[key]} \ | |
-p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \ | |
--log-level 6 --log-uid --log-prefix "\"$FwR4[15,4]\"" | |
"$v1ipt4Cmd" -A $FwR4[15,1] -i ${v1Nif4Names[key]} -p tcp --tcp-flags ALL FIN,URG,PSH -j $FwR4[15,2] | |
done | |
FwR4["17","1"]="INPUT" ; # FwR4["17","2"]="ACCEPT" | |
# FwR4["17","3"]="NOLOG" | |
FwR4["17","4"]="${FwR4[17,4]} BAD (ALL) " | |
for key in "${!v1Nif4Names[@]}"; do | |
[ "$FwR4[17,3]" = LOG ] && "$v1ipt4Cmd" -A $FwR4[17,3] -i ${v1Nif4Names[key]} \ | |
-p tcp --tcp-flags ALL ALL -j LOG \ | |
--log-level 6 --log-uid --log-prefix "\"$FwR4[17,4]\"" | |
"$v1ipt4Cmd" -A $FwR4[17,3] -i ${v1Nif4Names[key]} -p tcp --tcp-flags ALL ALL -j $FwR4[17,2] | |
done | |
FwR4["19","1"]="INPUT" ; # FwR4["19","2"]="ACCEPT" | |
# FwR4["19","3"]="NOLOG" | |
FwR4["19","4"]="${FwR4[19,4]} NULL Packets " | |
for key in "${!v1Nif4Names[@]}"; do | |
[ "$FwR4[19,3]" = LOG ] && "$v1ipt4Cmd" -A $FwR4[19,1] -i ${v1Nif4Names[key]} \ | |
-p tcp --tcp-flags ALL NONE \ | |
-m limit --limit 5/m --limit-burst 7 -j LOG \ | |
--log-level 6 --log-uid --log-prefix "\"$FwR4[19,4]\"" | |
"$v1ipt4Cmd" -A $FwR4[19,1] -i ${v1Nif4Names[key]} -p tcp --tcp-flags ALL NONE -j $FwR4[19,2] # NULL packets | |
done | |
FwR4["21","1"]="INPUT" ; # FwR4["21","2"]="ACCEPT" | |
# FwR4["21","3"]="NOLOG" | |
FwR4["21","4"]="${FwR4[21,4]} BAD (SYN,RST) " | |
for key in "${!v1Nif4Names[@]}"; do | |
[ "$FwR4[21,3]" = LOG ] && "$v1ipt4Cmd" -A $FwR4[21,1] -i ${v1Nif4Names[key]} \ | |
-p tcp --tcp-flags SYN,RST SYN,RST -j LOG \ | |
--log-level 6 --log-uid --log-prefix "\"$FwR4[21,4]\"" | |
"$v1ipt4Cmd" -A $FwR4[21,1] -i ${v1Nif4Names[key]} -p tcp --tcp-flags SYN,RST SYN,RST -j $FwR4[21,2] | |
done | |
FwR4["23","1"]="INPUT" ; # FwR4["23","2"]="ACCEPT" | |
# FwR4["23","3"]="NOLOG" | |
FwR4["23","4"]="${FwR4[23,4]} XMAS (SYN,FIN) " | |
for key in "${!v1Nif4Names[@]}"; do | |
[ "$FwR4[23,3]" = LOG ] && "$v1ipt4Cmd" -A $FwR4[23,1] -i ${v1Nif4Names[key]} \ | |
-p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG \ | |
--log-level 6 --log-uid --log-prefix "\"$FwR4[23,4]\"" | |
"$v1ipt4Cmd" -A $FwR4[23,1] -i ${v1Nif4Names[key]} -p tcp --tcp-flags SYN,FIN SYN,FIN -j $FwR4[23,2] # XMAS | |
done | |
FwR4["25","1"]="INPUT" ; # FwR4["25","2"]="ACCEPT" | |
# FwR4["25","3"]="NOLOG" | |
FwR4["25","4"]="${FwR4[25,4]} Fin Scan (FIN,ACK) " | |
for key in "${!v1Nif4Names[@]}"; do | |
[ "$FwR4[25,3]" = LOG ] && "$v1ipt4Cmd" -A $FwR4[25,1] -i ${v1Nif4Names[key]} \ | |
-p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG \ | |
--log-level 6 --log-uid --log-prefix "\"$FwR4[25,4]\"" | |
"$v1ipt4Cmd" -A $FwR4[25,1] -i ${v1Nif4Names[key]} -p tcp --tcp-flags FIN,ACK FIN -j $FwR4[25,2] # FIN packet scans | |
done | |
FwR4["27","1"]="INPUT" ; # FwR4["27","2"]="ACCEPT" | |
# FwR4["27","3"]="NOLOG" | |
FwR4["27","4"]="${FwR4[27,4]} BAD (SYN,RST,ACK,FIN) " | |
for key in "${!v1Nif4Names[@]}"; do | |
[ "$FwR4[27,3]" = LOG ] && "$v1ipt4Cmd" -A $FwR4[27,1] -i ${v1Nif4Names[key]} \ | |
-p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \ | |
--log-level 6 --log-uid --log-prefix "\"$FwR4[27,4]\"" | |
"$v1ipt4Cmd" -A $FwR4[27,1] -i ${v1Nif4Names[key]} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j $FwR4[27,2] | |
done | |
echo " ...done". | |
# Allowing full outgoing IPv4 connection, but no incoming stuff:
# default is FwR4[x,"1"]="INPUT,OUTPUT", FwR4[x,"2"]="DROP", FwR4[x,"3"]="LOG", FwR4[x,"4"]="iptv4:", FwR4[x,"5"]="0"
#FwR4["29","1"]="INPUT" ; FwR4["29","2"]="ACCEPT"
# FwR4["29","3"]="NOLOG"
#FwR4["29","4"]="${FwR4[29,4]} Out-Full(in) "
FwR4["30","1"]="OUTPUT" ; FwR4["30","2"]="ACCEPT"
# FwR4["30","3"]="NOLOG"
FwR4["30","4"]="${FwR4[30,4]} Out-Full(out) "
for key in "${!v1Nif4Names[@]}"; do
  # [ "${FwR4[29,3]}" = LOG ] && "$v1ipt4Cmd" -A ${FwR4[29,1]} -i ${v1Nif4Names[key]} \
  #   -m state --state ESTABLISHED,RELATED -j LOG \
  #   --log-level 6 --log-uid --log-prefix "\"${FwR4[29,4]}\""
  # "$v1ipt4Cmd" -A ${FwR4[29,1]} -i ${v1Nif4Names[key]} -m state --state ESTABLISHED,RELATED -j ${FwR4[29,2]}
  [ "${FwR4[30,3]}" = LOG ] && "$v1ipt4Cmd" -A ${FwR4[30,1]} -o ${v1Nif4Names[key]} \
    -m state --state NEW,ESTABLISHED,RELATED -j LOG \
    --log-level 6 --log-uid --log-prefix "\"${FwR4[30,4]}\""
  "$v1ipt4Cmd" -A ${FwR4[30,1]} -o ${v1Nif4Names[key]} -m state --state NEW,ESTABLISHED,RELATED -j ${FwR4[30,2]}
done
# Kept activated, as many running services will need outbound IPv4 connection.
# Note: with the INPUT DROP policy above, replies to these outbound
# connections are only delivered if some INPUT rule accepts
# ESTABLISHED,RELATED traffic (the commented-out rule 29 lines, or an
# equivalent rule elsewhere in this script).
# Allowing full outgoing IPv6 connection, but no incoming stuff:
# default is FwR6[x,"1"]="INPUT,OUTPUT", FwR6[x,"2"]="DROP", FwR6[x,"3"]="LOG", FwR6[x,"4"]="iptv6:", FwR6[x,"5"]="0"
#FwR6["29","1"]="INPUT" ; FwR6["29","2"]="ACCEPT"
# FwR6["29","3"]="NOLOG"
#FwR6["29","4"]="${FwR6[29,4]} Out-Full(in) "
FwR6["30","1"]="OUTPUT" ; FwR6["30","2"]="ACCEPT"
# FwR6["30","3"]="NOLOG"
FwR6["30","4"]="${FwR6[30,4]} Out-Full(out) "
for key in "${!v1Nif6Names[@]}"; do
  # [ "${FwR6[29,3]}" = LOG ] && "$v1ipt6Cmd" -A ${FwR6[29,1]} -i ${v1Nif6Names[key]} \
  #   -m state --state ESTABLISHED,RELATED -j LOG \
  #   --log-level 6 --log-uid --log-prefix "\"${FwR6[29,4]}\""
  # "$v1ipt6Cmd" -A ${FwR6[29,1]} -i ${v1Nif6Names[key]} -m state --state ESTABLISHED,RELATED -j ${FwR6[29,2]}
  [ "${FwR6[30,3]}" = LOG ] && "$v1ipt6Cmd" -A ${FwR6[30,1]} -o ${v1Nif6Names[key]} \
    -m state --state NEW,ESTABLISHED,RELATED -j LOG \
    --log-level 6 --log-uid --log-prefix "\"${FwR6[30,4]}\""
  "$v1ipt6Cmd" -A ${FwR6[30,1]} -o ${v1Nif6Names[key]} -m state --state NEW,ESTABLISHED,RELATED -j ${FwR6[30,2]}
done
# Kept activated, as many running services will need outbound IPv6 connection.
# SSH Private/Encrypted Connection IPv4:
# "$v1ipt4Cmd" -A INPUT -i ${v1Nif4Names[key]} -p tcp --destination-port 22 -j ACCEPT
# If you are unable to limit source IP addresses, and must open the ssh
# port globally, then iptables can still help prevent brute-force attacks
# by logging and blocking repeated attempts to login from the same IP
# address. These below two rules are taken from CentOS wiki site.
# Of the two rules below, the first rule records the IP address of
# each new attempt to access port 22 using the recent module. The second
# rule checks to see if that IP address has attempted to connect 4 or more
# times within the last 60 seconds, and if not, then the packet is accepted.
# Note this rule would require a default policy of DROP on the input chain.
# default is FwR4[x,"1"]="INPUT,OUTPUT", FwR4[x,"2"]="DROP", FwR4[x,"3"]="LOG", FwR4[x,"4"]="iptv4:", FwR4[x,"5"]="0"
FwR4["31","1"]="INPUT" ; FwR4["31","2"]="ACCEPT"
# FwR4["31","3"]="NOLOG"
FwR4["31","4"]="${FwR4[31,4]} SSH In "
# The rules are bound to each interface in the array with -i; without it the
# loop would add the same interface-less rules once per interface.
for key in "${!v1Nif4Names[@]}"; do
  [ "${FwR4[31,3]}" = LOG ] && "$v1ipt4Cmd" -A ${FwR4[31,1]} -i ${v1Nif4Names[key]} \
    -p tcp --dport 10022 -m state --state NEW \
    -m recent --set --name ssh --rsource -j LOG \
    --log-level 6 --log-uid --log-prefix "\"${FwR4[31,4]}\""
  "$v1ipt4Cmd" -A ${FwR4[31,1]} -i ${v1Nif4Names[key]} \
    -p tcp --dport 10022 -m state --state NEW \
    -m recent --set --name ssh --rsource
  "$v1ipt4Cmd" -A ${FwR4[31,1]} -i ${v1Nif4Names[key]} \
    -p tcp --dport 10022 -m state --state NEW \
    -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ${FwR4[31,2]}
  # "$v1ipt4Cmd" -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource
  # "$v1ipt4Cmd" -A INPUT -p tcp --dport 22 -m state --state NEW -m recent ! --rcheck \
  #   --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT
done
# DO NOT USE DEFAULT PORT 22 (or port 10022) FOR SSH, which are shown
# above; the USER MUST CHANGE the port numbers to something else. Why? See
# the paragraph below.
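The SSH rules above hard-code port 10022 and a `--hitcount` of 4, and the xt_recent notes earlier in this file point out that a hitcount above the module's `ip_pkt_list_tot` makes iptables reject the rule. The following is an added example, not part of the original gist: it builds the same record / check pair for a configurable port, adds a rate-limited LOG rule so that sources which hit the threshold show up in the log, and refuses a hitcount the loaded module cannot honour by reading `ip_pkt_list_tot` from sysfs (falling back to the documented default of 20 when the module is not loaded). IPT4 and XT_RECENT_PARAMS are hypothetical override variables used for dry runs and tests.

```shell
#!/bin/bash
# Added example, not part of the original gist. IPT4 and XT_RECENT_PARAMS are
# hypothetical overrides: set IPT4=echo for a dry run, and point
# XT_RECENT_PARAMS at a scratch directory to test without the module loaded.
IPT4="${IPT4:-iptables}"
XT_RECENT_PARAMS="${XT_RECENT_PARAMS:-/sys/module/xt_recent/parameters}"

# Largest --hitcount the loaded xt_recent module accepts (module default: 20).
recent_hitcount_max() {
    if [ -r "$XT_RECENT_PARAMS/ip_pkt_list_tot" ]; then
        cat "$XT_RECENT_PARAMS/ip_pkt_list_tot"
    else
        echo 20
    fi
}

# is_uint VALUE: true for a non-empty string of decimal digits
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# ssh_ratelimit_rules CHAIN IFACE PORT SECONDS HITS
# Rule 1 records every new connection to PORT in the "ssh" recent list.
# Rule 2 logs (rate-limited) sources that reached HITS new connections
# within SECONDS; rule 3 accepts sources that have not. Everything else
# falls through to the chain's DROP policy. Prints the number of rules emitted.
ssh_ratelimit_rules() {
    sr_chain=$1; sr_if=$2; sr_port=$3; sr_secs=$4; sr_hits=$5
    is_uint "$sr_port" && [ "$sr_port" -ge 1 ] && [ "$sr_port" -le 65535 ] ||
        { echo "ssh_ratelimit_rules: bad port '$sr_port'" >&2; return 1; }
    is_uint "$sr_secs" && is_uint "$sr_hits" && [ "$sr_hits" -ge 1 ] ||
        { echo "ssh_ratelimit_rules: bad seconds/hits '$sr_secs'/'$sr_hits'" >&2; return 1; }
    sr_max=$(recent_hitcount_max)
    [ "$sr_hits" -le "$sr_max" ] ||
        { echo "ssh_ratelimit_rules: hitcount $sr_hits exceeds ip_pkt_list_tot=$sr_max" >&2; return 1; }
    "$IPT4" -A "$sr_chain" -i "$sr_if" -p tcp --dport "$sr_port" -m state --state NEW \
        -m recent --set --name ssh --rsource
    "$IPT4" -A "$sr_chain" -i "$sr_if" -p tcp --dport "$sr_port" -m state --state NEW \
        -m recent --rcheck --seconds "$sr_secs" --hitcount "$sr_hits" --name ssh --rsource \
        -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 6 --log-prefix "iptv4: SSH rate-limit "
    "$IPT4" -A "$sr_chain" -i "$sr_if" -p tcp --dport "$sr_port" -m state --state NEW \
        -m recent ! --rcheck --seconds "$sr_secs" --hitcount "$sr_hits" --name ssh --rsource -j ACCEPT
    echo 3
}

# Usage: IPT4=echo sh ssh-ratelimit.sh INPUT eth0 2222 60 4
if [ "$#" -eq 5 ]; then ssh_ratelimit_rules "$@"; fi
```

The LOG rule sits between the record rule and the accept rule because the accept rule is negated (`! --rcheck`): a source at or over the threshold matches the LOG rule, is not accepted, and is left to the chain's DROP policy, which is exactly the behaviour the CentOS wiki rules rely on.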
# PRIVACY, SECURITY, SECURED CONFIGURATIONS, BOTS, SCANNERS, SCRIPTS,
# HACKERS, HARMFUL ENTITIES/GROUPS/ADVERSARIES, CAT-MOUSE-DOG:
# An UNLIMITED NUMBER of HARMFUL & AUTOMATED BOTS, SCRIPTS, SCANNERS,
# unethical/immoral HACKERS or persons, groups of people, various entities,
# etc are out there. They are always trying to abuse/use those (specific
# network) ports (slightly more) and also all other network ports, to
# gain access into/inside your computing device, which is/are connected
# with the internet, or when the user connects it with the internet.
# And "yes", even if you are poor & have only less than $1 or none: those
# things and harmful people will still do it, because it is NOT ABOUT MONEY
# all the time for such harmful & automated bots, scanners, scripts, people,
# etc. Different harmful people or greedy people ENJOY doing different
# types of things & are attracted toward different types of things. Not all but
# MANY OF SUCH harmful & greedy people/entities/things do not care who you
# are OR what amount of money you have.
# IF you use computers & computing devices (phones, tablets, network media
# center (DLNA), network file storage (NAS/SAN), etc) and keep them
# ALWAYS CONNECTED WITH THE INTERNET and leave them always ON with the internet,
# and if you do not use a hardware or strong FIREWALL (or any FALLBACK or
# any FAILSAFE or Backup systems), and if you do not keep those devices
# or computers up-to-date with more-&-more secured settings, and security
# software, then you are practically inviting those harmful entities.
# And when those harmful entities have access to your information, keys,
# passwords, various account numbers, personal pictures, videos, etc,
# then some of the harmful entities treat these files/data as extra tips,
# and start to evaluate these, and then they secretly either slowly or
# quickly destroy you and your achievements/money, etc, and some of the
# harmful entities may even do it non-secretly, by contacting you,
# directly or indirectly, and they will blackmail/abuse you to gain
# something.
# So a FIREWALL, properly configured, is a SHIELD YOU MUST HAVE.
# You do not leave your CAR/HOME window/DOOR COMPLETELY OPEN or UNLOCKED
# WHEN YOU LEAVE FOR OUTSIDE, or do you? Maybe there was a time or an
# exceptional situation when you did not need to CLOSE/LOCK. But now (in
# the current time), it's a stupid thing to keep the door open when you leave.
# AND NOW MOSTLY NO ONE KEEPS THE DOOR OPEN WHEN THEY LEAVE. There are many
# outsiders who have lost their trustworthiness, and many also lost or
# lose their control, given such an opportunity/potential. So you must LOCK
# things (with some type of key or with some type of mechanism).
# On the Internet it means password/passphrase protection. And using a
# firewall, properly configured, is your protection shield on the Internet,
# like LOCKING a door.
# You do not go out to a civilized world location WITHOUT WEARING ANY
# SHIRT/PANTS/DRESS, nude, or do you? (Almost) no one does that in
# our current time. It's a stupid thing to do. Because weather can HARM the BODY,
# SKIN, etc, and harmful micro-organisms or harmful sun rays coming through
# the thinner ozone layer can attack/harm even more, and harmful people will
# (almost) for sure take advantage & do harmful things to your body. Even
# a normally/generally normal person may lose their control, and do amazing
# or harmful things.
# ON THE INTERNET, "ENCRYPTION" IS YOUR SHIRT/PANTS/DRESS/SHIELD. Encryption
# creates PRIVACY, and it also creates security shields as a result of
# applying "privacy". How?
# Encrypted content/data normally cannot be seen or read by someone in
# the middle, because data/content are scrambled, by using both the sender's
# and the receiver's encryption keys. "Encryption Keys" are a special kind of
# mathematical pattern. Sender & receiver both have one private
# and one public key. The private key portion needs to be kept inside
# a USB portable drive, or in a flash memory card, and must be kept
# disconnected from computer devices which are connected with the Internet.
# The public key portion must be pre-shared early (between sender and
# receiver) before sending any "encrypted" content/data.
# By using special and powerful computing/processing equipment and by
# using powerful analyzing processes, scrambled data can be reverted
# back into the actual data, after some amount of processing time.
# Normally, to decrypt very quickly or to view the actual content very quickly,
# the sender's public key portion and the receiver's private key portion are
# required.
# Do you send/post important documents through (snail) mail without using
# an envelope? Usually no one does that. Do you send your letter without an
# envelope? Usually no one does that. Of course there are exceptional cases,
# when you are sending a gift/celebration card or sending an open card or
# sending open mail or sending an advertisement.
# So why do you send your emails/messages/letters to someone else
# in an open or unencrypted form? You should not.
# Keep/get two USB portable/external drives, or two memory cards, then
# keep a portable THUNDERBIRD or other portable email-client
# software on one portable drive/card, and keep the "private" key portion
# on another. On the 1st portable drive/card, also keep GPG or PGP
# software, with Thunderbird.
# Email website companies (like: Google, Microsoft, Yahoo, etc) and social
# communication website companies (like: Facebook, MySpace, etc) and
# entities which have a massive amount of immoral+unethical harmful people
# inside them (like: NSA, CIA, FBI, etc), are purposefully not providing
# encryption features for messages/emails, so that they can spy on you,
# so that they can do "mass-scale bulk data collection"/spying, on all
# people, all over the world.
# Harmful entities and Internet connection service providers (like:
# Verizon, AT&T, etc) made deals with each other to not allow the SMTP
# feature for home internet connections, so that people are forced to
# use online/cloud or online-hosting based email service providers, like
# google, live, hotmail, yahoo, etc.
# The SMTP feature (uses network port# 25 and) allows regular users to use
# small or old computers in their own home as an email server.
# If billions of people start to do so, then it would be much, much harder
# for these harmful entities to spy or do mass-scale bulk data collection.
# Whereas a very good thing can be done for people and for a country
# if SMTP is allowed & encouraged for home users: many job opportunities
# will open up related to work on SMTP server computers and services,
# etc.
# Do not keep personal or private stuff in an unencrypted form on any
# 3rd party online-hosting or cloud stuff or on a device which does not
# have a physical switch to turn internet access off/on, and if it is not
# disconnected from the internet.
# Those websites where you have an account, or which you visit, if they
# cannot keep your various computer files, and your personal files,
# in an encrypted form, encrypted with YOUR-OWN encryption key, then
# do not use such services/websites. Like: google's gmail, microsoft's
# live & hotmail, and yahoo mail, etc, until they allow you to use
# your own encryption key.
# Keep your own encryption keys on a personal/private USB tiny drive or
# flash storage or flash memory card (like an SD card, etc), and keep it always
# disconnected from any computer which is connected with the internet.
# Only plug in/connect it when your software needs it for a few seconds,
# and disconnect/remove it from the computer immediately after it has been read.
# It also needs to be mentioned here that there are ethical/good hackers
# and persons/people who are also trying to find holes/bugs or weaknesses in
# various systems to actually warn about such problems, and to increase
# and protect our privacy & security, so that regular people/users know
# more and use more secure systems and more secured configurations.
# Such good people are also doing this so that regular users do not become
# victims of various abuses/scams/threats etc.
# Regular/general users also need to learn how a (non-secured) regular
# style of usage or usage pattern, or regular activity, can actually help
# those harmful entities & harmful companies to do more harm or do harmful
# things more easily, and regular users must stop such harmful regular
# habits/activities.
# CAT, MOUSE, and DOG (most of the time) are chasing, and will do so
# probably always, normally. So try to STAY NOT ONLY ONE-STEP BUT STAY | |
# FEW-STEPS AHEAD, and/or MAKE-IT NOT ONLY ONE-LEVEL HARDER BUT MAKE-IT | |
# FEW-LEVELS HARDER to solve or reach. | |
# Those who takes only one-step ahead or goes only one-level higher, and | |
# waits for other-side to break/solve last one, such solution/system will | |
# remain in such way, so do not do this. Take their one-step or goto | |
# one-level higher, and then don't stop there, start to find and do | |
# one-more extra steps/level, and you must encourage such group/person | |
# to stay always few-steps ahead. | |
# When other-side/somone breaks a solution, finds a hole/bug/exploitation/ | |
# vulnerability/abuse, that is another side's 1st-STEP (or 1st set of steps), | |
# see the PATTERN & research, what it allows other-side to do in NEXT (1st-NEXT), | |
# and also find out what is/are done (or can be done) in NEXT (that is 2nd-next) | |
# after the 1st-NEXT. | |
# When solving it, fill/solve the hole/bug, that is step-one (or 1st set | |
# of steps) for our side, then take steps also for the (set of weaknesses or for | |
# the) weakness found in 1st-NEXT, and then again take one more step, | |
# for the weakness in 2nd-NEXT. | |
# Buy such device, which has hardware+physical switch for disconnecting | |
# microphone, webcam/camera, each wireless features, etc. Goto nearby | |
# repairing shops, ask them if they can install switch. | |
# ToDo regular user: POLITICAL LEADERS ARE ELECTED BY PEOPLE's VOTE TO BECOME | |
# REGULAR PEOPLE'S REPRESENTATIVE FOR AN AREA/LOCALITY. Do not vote for | |
# POLITICAL LEADERS who are revolving chairs, that is, they were working | |
# in a harmful corporation/company, then they quited temporarily to become | |
# Political leader, to actually (work in legislative branches to) formulate | |
# laws, regulation, codes, acts, etc in favor of harmful corporation/company, | |
# instead of favoring people, instead of people's safety, etc. | |
# Whereas these so called "leaders" or "Lawmakers" got elected, to SERVE/favor | |
# people, they are actually public servant, and they actually most of the | |
# time do not serve people/human, they actually serve/favor harmful corporations | |
# or companies or similar. | |
# After a period, these harmful political leaders get out of politics and | |
# join back into harmful corporation/company where they came from or who | |
# they have favored. And then again goes back to become political leader | |
# to send even more favor to harmful corporation/company. Most of this | |
# harmful political leaders scratch each-other's back, that is, one corrupted | |
# leader helps the other corrupted leader's previous corporation (or | |
# previous working place or their super-pack/conglomerate group. | |
# Do Not buy product, or try to avoid products & services from harmful | |
# corporations, and this is one of the best way to tell them you are | |
# against their wrong activities/policies. And freely express to others | |
# that you do not support such harmful entities. | |
# Some (if not most) Political leaders are connected with WAR related | |
# manufacturing companies/corporations/contractors/vendors etc and connected | |
# with war-monger & war-profiteer countries, and connected with war supporting | |
# NEWS-MEDIAs, etc. You MUST not vote for such person. | |
# It is your(every human's/people's) own responsibilty before giving vote | |
# to find out about a leader, who is trying get re-elected, in which exact | |
# Laws, Acts, Codes, Regulations this leader has previously voted yes or | |
# voted no, where funding/donations came from, and find out in which exact | |
# companies and corporations that "leader" had worked for previously. | |
# Try to understand pattern. See which companies/corporations he/she is | |
# favoring more. | |
# And (luckily) according to laws, these yes/no & work info, etc are still | |
# all public information, accessible to all public. | |
# So people/public has no excuse, that he/she did not know about this | |
# leader's pattern & history, before voting. | |
# Do not expect someone else (or some journalist) will (always) give it | |
# in a spoon and bring such info in front of your mouth, so you can just | |
# move your neck to eat it. | |
# If a person is trying to get elected for 1st time, they must release | |
# various info to public, so do same, find/dig out more info, work locations, | |
# income amount, funding/donation sources, etc and try to understand the | |
# pattern this person usually did, and what those means. | |
# These corrupted "politcal leaders" take countries into war, with false | |
# documents, and they do secretly and openly, whatever needs to be done, | |
# to take countries into War/"operations", promote+instigate war, promote | |
# hate, promote violance, they even secretly pay & train & hire people to | |
# do harm in their own-country and also in other country. And in their | |
# mouth, you will hear, they are saying, they are doing it for doing some | |
# good for this/that cause. | |
# If you allow these activities done by harmful entities & harmful "leaders" | |
# or representative, and if you do not do something to stop or against | |
# such harmful entities & "leaders" & representative, then you are "actually" | |
# supporting them by doing nothing against them. | |
# And as a consequence, harmful things will come back to you, as you or your | |
# representative have done unjust activities. So then, you must not blame | |
# the other side, you must first blame yourself, that, you have not done | |
# anything to stop it in the first place, or when it was your turn to do | |
# something against them. | |
# Because now that these harmful leaders and harmful corporations, have | |
# joined their hands: they are now involved in many many unethical spying, | |
# and involved in many types of abuse on different types of people+classes, | |
# and races, and they are also doing all these simultaneously & continously, | |
# and systematically. | |
# People's problems are increasing, as these harmful groups are also | |
# increasing their amount/level of harmful products and harmful services. | |
# These groups keeping mass population un-educated and less informed about | |
# how harmful leaders & corporations are jointly doing various things in | |
# favor of each other & doing things against humanity & against earth+nature. | |
# Why? so that, less informed, or less smarter people, or gullible/dumb & | |
# uneducated people: can be easily taken into war, easily talked-into | |
# beliving wrong things as right things, and easily recruited for war | |
# supporting systems, as systematically no other choices are given or made | |
# avialble for people. | |
# They do these, to easily get people's support or vote for election & war, | |
# and to encourage & allow these people to take wrong & incorrect decisions, | |
# based on uninformed imotional irrational false reasons and justifications | |
# and information. | |
# Portions of lines & ideas of above, are taken from many other people's | |
# articles on these. And also contributed by few others on irc channel | |
# discussions. | |
# SSH Private/Encrypted Connection IPv6:
# default is FwR6[x,"1"]="INPUT,OUTPUT", FwR6[x,"2"]="DROP", FwR6[x,"3"]="LOG", FwR6[x,"4"]="iptv6:", FwR6[x,"5"]="0"
# FwR6["31","1"]="INPUT" ; FwR6["31","2"]="ACCEPT"
# FwR6["31","3"]="NOLOG"
# FwR6["31","4"]="${FwR6[31,4]} SSH In "
# Note: elements of the FwR4/FwR6 associative arrays must be expanded as
# ${FwR6[31,1]}; the unbraced $FwR6[31,1] yields the literal text "[31,1]".
# The LOG rule must not carry "-m recent --set": with it every new connection
# is recorded twice and the 4-in-60-seconds threshold below is reached after 2.
# [ "${FwR6[31,3]}" = LOG ] && "$v1ipt6Cmd" -A ${FwR6[31,1]} -p tcp --dport 22 \
# -m state --state NEW -j LOG \
# --log-level 6 --log-uid --log-prefix "${FwR6[31,4]}"
# "$v1ipt6Cmd" -A ${FwR6[31,1]} -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource
# "$v1ipt6Cmd" -A ${FwR6[31,1]} -p tcp --dport 22 -m state --state NEW -m recent ! --rcheck \
# --seconds 60 --hitcount 4 --name ssh --rsource -j ${FwR6[31,2]}
# IPv4 http / https (open port 80 / 443) Web Srvr Ports, Inbound traffic:
# default is FwR4[x,"1"]="INPUT,OUTPUT", FwR4[x,"2"]="DROP", FwR4[x,"3"]="LOG", FwR4[x,"4"]="iptv4:", FwR4[x,"5"]="0"
# FwR4["35","1"]="INPUT" ; FwR4["35","2"]="ACCEPT"
# FwR4["35","3"]="NOLOG"
# FwR4["35","4"]="${FwR4[35,4]} http In "
# FwR4["36","1"]="INPUT" ; FwR4["36","2"]="ACCEPT"
# FwR4["36","3"]="NOLOG"
# FwR4["36","4"]="${FwR4[36,4]} https In "
# for key in "${!v1Nif4Names[@]}"; do
# [ "${FwR4[35,3]}" = LOG ] && "$v1ipt4Cmd" -A ${FwR4[35,1]} -i ${v1Nif4Names[key]} \
# -p tcp --destination-port 80 -j LOG \
# --log-level 6 --log-uid --log-prefix "${FwR4[35,4]}"
# "$v1ipt4Cmd" -A ${FwR4[35,1]} -i ${v1Nif4Names[key]} -p tcp --destination-port 80 -j ${FwR4[35,2]} # Allow Port 80
# [ "${FwR4[36,3]}" = LOG ] && "$v1ipt4Cmd" -A ${FwR4[36,1]} -i ${v1Nif4Names[key]} \
# -p tcp --destination-port 443 -j LOG \
# --log-level 6 --log-uid --log-prefix "${FwR4[36,4]}"
# "$v1ipt4Cmd" -A ${FwR4[36,1]} -i ${v1Nif4Names[key]} -p tcp --destination-port 443 -j ${FwR4[36,2]} # Allow Port 443
# done
# Kept deactivated. As this computer will not have IPv4 Web srvr/srvc.
# IPv6 http / https (open port 80 / 443) Web Srvr Ports, Inbound traffic:
# default is FwR6[x,"1"]="INPUT,OUTPUT", FwR6[x,"2"]="DROP", FwR6[x,"3"]="LOG", FwR6[x,"4"]="iptv6:", FwR6[x,"5"]="0"
# FwR6["35","1"]="INPUT" ; FwR6["35","2"]="ACCEPT"
# FwR6["35","3"]="NOLOG"
# FwR6["35","4"]="${FwR6[35,4]} http In "
# FwR6["36","1"]="INPUT" ; FwR6["36","2"]="ACCEPT"
# FwR6["36","3"]="NOLOG"
# FwR6["36","4"]="${FwR6[36,4]} https In "
# for key in "${!v1Nif6Names[@]}"; do
# [ "${FwR6[35,3]}" = LOG ] && "$v1ipt6Cmd" -A ${FwR6[35,1]} -i ${v1Nif6Names[key]} \
# -p tcp --destination-port 80 -j LOG \
# --log-level 6 --log-uid --log-prefix "${FwR6[35,4]}"
# "$v1ipt6Cmd" -A ${FwR6[35,1]} -i ${v1Nif6Names[key]} -p tcp --destination-port 80 -j ${FwR6[35,2]} # Allow Port 80
# [ "${FwR6[36,3]}" = LOG ] && "$v1ipt6Cmd" -A ${FwR6[36,1]} -i ${v1Nif6Names[key]} \
# -p tcp --destination-port 443 -j LOG \
# --log-level 6 --log-uid --log-prefix "${FwR6[36,4]}"
# "$v1ipt6Cmd" -A ${FwR6[36,1]} -i ${v1Nif6Names[key]} -p tcp --destination-port 443 -j ${FwR6[36,2]} # Allow Port 443
# done
# Kept deactivated. As this computer will not have IPv6 Web srvr/srvc.
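# Added example (not part of this gist): a dry-run harness for the
# FwR4[ruleNo,field] configuration pattern the http/https and SSH sections
# use. IPT stands in for "$v1ipt4Cmd" and only echoes each rule, so nothing is
# installed and no root is needed; NIF4 is a constructed stand-in for the
# v1Nif4Names interface list. It shows the LOG/NOLOG gate working and what
# the unbraced "$FwR4[35,1]" form actually expands to.

```bash
#!/bin/bash
# Dry-run harness for the FwR4[ruleNo,field] configuration pattern used in
# this gist. Added example, not part of the script. IPT stands in for
# "$v1ipt4Cmd" and only echoes the rule, so nothing is installed and no root
# is needed. NIF4 is a constructed stand-in for the v1Nif4Names interface list.
IPT="echo iptables"
NIF4=(eth0 wlan0)
declare -A FwR4

# fw_default RULE: the per-rule defaults the gist's comments describe
# (field 1 chains, 2 verdict, 3 LOG/NOLOG, 4 log prefix, 5 reserved flag).
fw_default() {
    FwR4[$1,1]="INPUT,OUTPUT"; FwR4[$1,2]="DROP"
    FwR4[$1,3]="LOG";          FwR4[$1,4]="iptv4:"; FwR4[$1,5]="0"
}

# fw_tcp_in RULE PORT: emit the LOG rule only when field 3 is LOG, then the
# verdict rule, for inbound tcp PORT on every interface. Every element is
# expanded as ${FwR4[...]}; that is the form the associative array needs.
fw_tcp_in() {
    local rule=$1 port=$2 nif
    for nif in "${NIF4[@]}"; do
        [ "${FwR4[$rule,3]}" = LOG ] && $IPT -A "${FwR4[$rule,1]}" -i "$nif" \
            -p tcp --dport "$port" -j LOG --log-level 6 --log-uid \
            --log-prefix "${FwR4[$rule,4]}"
        $IPT -A "${FwR4[$rule,1]}" -i "$nif" -p tcp --dport "$port" \
            -j "${FwR4[$rule,2]}"
    done
}

# broken_expansion: what the unbraced "$FwR4[35,1]" really produces. Bash
# reads "$FwR4" alone as ${FwR4[0]} (unset here, so empty) and leaves
# "[35,1]" as literal text, which iptables would reject as a chain name.
broken_expansion() { echo "-A $FwR4[35,1]"; }

fw_default 35; fw_default 36
# Same settings as the gist's http/https rules, except that rule 36 is
# switched to LOG here so that the logging gate is exercised.
FwR4[35,1]="INPUT"; FwR4[35,2]="ACCEPT"; FwR4[35,3]="NOLOG"; FwR4[35,4]="${FwR4[35,4]} http In "
FwR4[36,1]="INPUT"; FwR4[36,2]="ACCEPT"; FwR4[36,3]="LOG";   FwR4[36,4]="${FwR4[36,4]} https In "

fw_tcp_in 35 80
fw_tcp_in 36 443
echo "unbraced expansion gives: $(broken_expansion)"
```

# Run it with bash 4 or newer (associative arrays); rule 35 prints two ACCEPT
# rules and no LOG rule, rule 36 prints a LOG rule before each ACCEPT.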
# Port 53 tcp/udp IPv4 (for DNS Srvr), and DNSSEC enabled srvr tcp port 53:
# default is FwR4[x,"1"]="INPUT,OUTPUT", FwR4[x,"2"]="DROP", FwR4[x,"3"]="LOG", FwR4[x,"4"]="iptv4:", FwR4[x,"5"]="0"
# (the FwR4 rule-number settings below are still those of the http/https
# section, rules 35/36, and the active DNS rules below do not use them)
# FwR4["35","1"]="INPUT" ; FwR4["35","2"]="ACCEPT"
# FwR4["35","3"]="NOLOG"
# FwR4["35","4"]="${FwR4[35,4]} http In "
# FwR4["36","1"]="INPUT" ; FwR4["36","2"]="ACCEPT"
# FwR4["36","3"]="NOLOG"
# FwR4["36","4"]="${FwR4[36,4]} https In "
# for key in "${!v1Nif4Names[@]}"; do
# [ "${FwR4[35,3]}" = LOG ] &&
"$v1ipt4Cmd" -A INPUT -i ${v1Nif4Names[key]} -p udp --dport 53 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
# "$v1ipt4Cmd" -A OUTPUT -o ${v1Nif4Names[key]} -p udp --sport 53 -m state \
# --state ESTABLISHED,RELATED -j ACCEPT
"$v1ipt4Cmd" -A INPUT -i ${v1Nif4Names[key]} -p tcp --destination-port 53 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
# "$v1ipt4Cmd" -A OUTPUT -o ${v1Nif4Names[key]} -p tcp --sport 53 -m state \
# --state ESTABLISHED,RELATED -j ACCEPT
# To open the dns server ports to all sources (not per interface):
# "$v1ipt4Cmd" -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
# "$v1ipt4Cmd" -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
# Kept activated. As this computer will have "Unbound" or "BIND", both
# are full IPv4 dnssec capable DNS-Resolver srvr/srvc.
# -m multiport --sports/--dports 53,1024:65535 (multiport match; only with -p tcp or -p udp)
# Port 53 tcp/udp IPv6 (for DNS Srvr), and DNSSEC enabled srvr tcp port 53:
"$v1ipt6Cmd" -A INPUT -i ${v1Nif6Names[key]} -p udp --dport 53 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
# "$v1ipt6Cmd" -A OUTPUT -o ${v1Nif6Names[key]} -p udp --sport 53 -m state \
# --state ESTABLISHED,RELATED -j ACCEPT
"$v1ipt6Cmd" -A INPUT -i ${v1Nif6Names[key]} -p tcp --destination-port 53 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
# "$v1ipt6Cmd" -A OUTPUT -o ${v1Nif6Names[key]} -p tcp --sport 53 -m state \
# --state ESTABLISHED,RELATED -j ACCEPT
# Kept activated. As this computer will have "Unbound" or "BIND", both
# are full IPv6 dnssec capable DNS-Resolver srvr/srvc.
# Open IPv4 Email related Inbound port 110 (pop3) / 143 (imap),
# port 995 (pops) / 993 (imaps) for server/services in this computer:
# "$v1ipt4Cmd" -A INPUT -i ${v1Nif4Names[key]} -p tcp -m state --state NEW -m tcp --dport 110 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv4: POP In "
# "$v1ipt4Cmd" -A INPUT -i ${v1Nif4Names[key]} -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
# "$v1ipt4Cmd" -A INPUT -i ${v1Nif4Names[key]} -p tcp -m state --state NEW -m tcp --dport 995 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv4: POPS In "
# "$v1ipt4Cmd" -A INPUT -i ${v1Nif4Names[key]} -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
# "$v1ipt4Cmd" -A INPUT -i ${v1Nif4Names[key]} -p tcp -m state --state NEW -m tcp --dport 143 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv4: IMAP In "
# "$v1ipt4Cmd" -A INPUT -i ${v1Nif4Names[key]} -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
# "$v1ipt4Cmd" -A INPUT -i ${v1Nif4Names[key]} -p tcp -m state --state NEW -m tcp --dport 993 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv4: IMAPS In "
# "$v1ipt4Cmd" -A INPUT -i ${v1Nif4Names[key]} -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
# Kept deactivated. As this computer will not have any IPv4 Email srvr/srvc.
# Do not use 110, 143 as those do not use any encryption/privacy protocols.
# Use 995, 993, as the pops and imaps services use encrypted/private secured connections.
# Open IPv6 Email related Inbound port 110 (pop3) / 143 (imap),
# port 995 (pops) / 993 (imaps) for server/services in this computer:
# "$v1ipt6Cmd" -A INPUT -i ${v1Nif6Names[key]} -p tcp -m state --state NEW -m tcp --dport 110 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv6: POP In "
# "$v1ipt6Cmd" -A INPUT -i ${v1Nif6Names[key]} -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
# "$v1ipt6Cmd" -A INPUT -i ${v1Nif6Names[key]} -p tcp -m state --state NEW -m tcp --dport 995 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv6: POPS In "
# "$v1ipt6Cmd" -A INPUT -i ${v1Nif6Names[key]} -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
# "$v1ipt6Cmd" -A INPUT -i ${v1Nif6Names[key]} -p tcp -m state --state NEW -m tcp --dport 143 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv6: IMAP In "
# "$v1ipt6Cmd" -A INPUT -i ${v1Nif6Names[key]} -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
# "$v1ipt6Cmd" -A INPUT -i ${v1Nif6Names[key]} -p tcp -m state --state NEW -m tcp --dport 993 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv6: IMAPS In "
# "$v1ipt6Cmd" -A INPUT -i ${v1Nif6Names[key]} -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
# Kept deactivated. As this computer will not have any IPv6 Email srvr/srvc.
# Do not use 110, 143 as those do not use any encryption/privacy protocols.
# Use 995, 993, as the pops and imaps services use encrypted/private secured connections.
# Drop or Accept Traffic From a very specific Computer (using its MAC Address)
# "$v1ipt4Cmd" -A INPUT -m mac --mac-source 00:50:8D:FD:E6:32 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv4: MAC:FD:E6:32 In "
# "$v1ipt4Cmd" -A INPUT -m mac --mac-source 00:50:8D:FD:E6:32 -j DROP
# Only accept traffic for TCP port # 8080 from mac 00:50:8D:FD:E6:32
# "$v1ipt4Cmd" -A INPUT -p tcp --destination-port 8080 -m mac \
# --mac-source 00:50:8D:FD:E6:32 -j LOG --log-level 6 \
# --log-uid --log-prefix "iptv4: MAC:FD:E6:32 In "
# "$v1ipt4Cmd" -A INPUT -p tcp --destination-port 8080 -m mac \
# --mac-source 00:50:8D:FD:E6:32 -j ACCEPT
# If the local computer's IP address is known, then local spoofing can be blocked:
# "$v1ipt4Cmd" -A INPUT -s 192.168.0.4 -m mac --mac-source 00:50:8D:FD:E6:32 -j ACCEPT
# Thanks to https://wiki.centos.org/HowTos/Network/IPTables for the above fw-rule.
# To open cups (printing service) udp/tcp port 631 for LAN devices:
# "$v1ipt4Cmd" -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv4: PRINTN In "
# "$v1ipt4Cmd" -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
# "$v1ipt4Cmd" -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv4: PRINTN In "
# "$v1ipt4Cmd" -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
# Kept deactivated. As this computer will not have a Printing srvr/srvc.
# To allow time sync via NTP for lan devices (open udp port 123)
# "$v1ipt4Cmd" -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv4: NTP In "
# "$v1ipt4Cmd" -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp \
# --dport 123 -j ACCEPT
# Kept deactivated. As this computer will not have an NTP srvr/srvc.
# To open inbound IPv4 tcp to port 25 (smtp) for receiving/exchanging emails
# from/with other remote email servers:
# "$v1ipt4Cmd" -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv4: SMTP In "
# "$v1ipt4Cmd" -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
# Kept deactivated. As this computer will not have an IPv4 SMTP srvr/srvc.
# To open the other IPv4 SMTP related ports, 587 (submission) and 465:
# "$v1ipt4Cmd" -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv4: Submission In "
# "$v1ipt4Cmd" -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
# "$v1ipt4Cmd" -A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv4: SMTP submit In "
# "$v1ipt4Cmd" -A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
# Kept deactivated. As this computer will not have an IPv4 SMTP related srvr/srvc.
# To open inbound IPv6 tcp to port 25 (smtp) for receiving/exchanging emails
# from/with other remote email servers:
# "$v1ipt6Cmd" -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv6: SMTP In "
# "$v1ipt6Cmd" -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
# Kept deactivated. As this computer will not have an IPv6 SMTP srvr/srvc.
# To open the other IPv6 SMTP related ports, 587 (submission) and 465:
# "$v1ipt6Cmd" -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv6: Submission In "
# "$v1ipt6Cmd" -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
# "$v1ipt6Cmd" -A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv6: SMTP submit In "
# "$v1ipt6Cmd" -A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
# Kept deactivated. As this computer will not have an IPv6 SMTP related srvr/srvc.
# To open inbound access to proxy server, for lan devices only:
# "$v1ipt4Cmd" -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv4: ProxySrvr In "
# "$v1ipt4Cmd" -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT
# Kept deactivated. As this computer will not have a proxy srvr/srvc.
# To open inbound IPv4 access to mysql server, for lan devices only.
# Note: -I inserts at the top of the chain, so the ACCEPT is issued first
# and the LOG rule second, which leaves the LOG rule above the ACCEPT:
# "$v1ipt4Cmd" -I INPUT -s 192.168.1.0/24 -p tcp --dport 3306 -j ACCEPT
# "$v1ipt4Cmd" -I INPUT -s 192.168.1.0/24 -p tcp --dport 3306 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv4: MySql Inbound "
# Kept deactivated. As this computer will not have a MySQL IPv4 srvr/srvc.
# To open inbound IPv6 access to mysql server, for lan devices only
# (add "-s <your LAN IPv6 prefix>" to both rules; without it they are open to every source):
# "$v1ipt6Cmd" -I INPUT -p tcp --dport 3306 -j ACCEPT
# "$v1ipt6Cmd" -I INPUT -p tcp --dport 3306 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv6: MySql Inbound "
# Kept deactivated. As this computer will not have a MySQL IPv6 srvr/srvc.
# To Restrict the Number of Incoming Parallel Connections In-To a Server Per Client IP
# You can use the connlimit module to put such restrictions.
# To allow a maximum of 3 ssh connections per client host, use
# "$v1ipt4Cmd" -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# For HTTP requests, set a maximum of 20 parallel connections per /24 network:
# "$v1ipt4Cmd" -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
# In the above, --connlimit-above 3 : Match if the number of existing connections is above 3.
# --connlimit-mask 24 : Group hosts using the prefix length.
# For IPv4, --connlimit-mask must be a number between (including) 0 and 32.
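# Added example (not part of this gist): a pure-bash dry run of the two
# limiting matches used in this script, "-m recent --set" followed by
# "-m recent ! --rcheck --seconds 60 --hitcount 4 -j ACCEPT" from the SSH
# section, and "-m connlimit --connlimit-above N --connlimit-mask M" from
# the section just above. Nothing is installed and no root is needed; the
# connection attempts and the existing-connection list are constructed
# sample data, not real traffic.

```bash
#!/bin/bash
# Dry-run models of "-m recent" rate limiting and "-m connlimit" concurrency
# limiting. Added example for the gist's comments; no iptables involved.

# recent_window SECONDS HITCOUNT  (reads "epoch src" lines on stdin)
# Models the rule pair "-m recent --set --name ssh --rsource" and
# "-m recent ! --rcheck --seconds S --hitcount N --name ssh --rsource -j ACCEPT"
# with a default DROP policy behind them. Prints "epoch src ACCEPT|DROP".
recent_window() {
    local secs=$1 hits=$2 t src s n
    declare -A seen                       # src -> recorded timestamps (--set)
    while read -r t src; do
        [ -z "$t" ] && continue
        seen[$src]="${seen[$src]} $t"     # --set records this packet first
        n=0                               # --rcheck: stamps inside the window
        for s in ${seen[$src]}; do
            (( s >= t - secs )) && n=$((n + 1))
        done
        # "! --rcheck ... -j ACCEPT" only matches while n < hitcount
        if (( n < hits )); then echo "$t $src ACCEPT"; else echo "$t $src DROP"; fi
    done
}

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    local IFS=. a b c d
    read -r a b c d <<< "$1"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# connlimit_decide LIMIT MASK NEW_SRC  (reads existing connection sources on stdin)
# Models "--connlimit-above LIMIT --connlimit-mask MASK -j REJECT" for one new
# SYN: the new connection is counted together with the existing ones whose
# source shares its /MASK prefix, and REJECT fires when the total exceeds LIMIT.
connlimit_decide() {
    local limit=$1 mask=$2 new=$3 src count=1 keep newnet
    keep=$(( (0xFFFFFFFF << (32 - mask)) & 0xFFFFFFFF ))
    newnet=$(( $(ip2int "$new") & keep ))
    while read -r src; do
        [ -z "$src" ] && continue
        [ $(( $(ip2int "$src") & keep )) -eq "$newnet" ] && count=$((count + 1))
    done
    if (( count > limit )); then echo "REJECT ($count in /$mask group)"
    else echo "ACCEPT ($count in /$mask group)"; fi
}

# Constructed sample: NEW ssh attempts as "seconds source" (not real traffic).
demo_recent() {
    local events=$'0 203.0.113.5\n10 203.0.113.5\n20 203.0.113.5\n30 203.0.113.5\n45 198.51.100.7\n85 203.0.113.5\n100 203.0.113.5'
    recent_window 60 4 <<< "$events"
}

# Constructed sample: conntrack already holds three ssh connections from one host.
demo_connlimit() {
    local existing=$'203.0.113.5\n203.0.113.5\n203.0.113.5'
    echo "4th ssh from 203.0.113.5, mask 32: $(connlimit_decide 3 32 203.0.113.5 <<< "$existing")"
    echo "1st ssh from 203.0.113.9, mask 32: $(connlimit_decide 3 32 203.0.113.9 <<< "$existing")"
    echo "1st ssh from 203.0.113.9, mask 24: $(connlimit_decide 3 24 203.0.113.9 <<< "$existing")"
}

demo_recent
demo_connlimit
```

# The recent model shows the 4th attempt inside 60 seconds being dropped and
# attempts accepted again once the older stamps leave the window; the connlimit
# model shows why --connlimit-mask 24 also blocks a neighbour in the same /24.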
# The "Next Header" field of IPv6 packets, or the "Protocol" field
# of IPv4 packets, carries what is commonly called the IP protocol number. For
# example, ICMPv4's protocol number is 1 dec (0x01 hex), and ICMPv6's is
# 58 dec (0x3A hex).
# ICMP v4:
# https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
# https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
# ICMP v4 Type code field : 0 Echo Reply [RFC792], 1 Unassigned, 2 Unassigned, 3 Destination Unreachable [RFC792],
# 4 Source Quench (Deprecated) [RFC792] [RFC6633], 5 Redirect [RFC792], 6 Alternate Host Address (Deprecated)
# [RFC6918], 7 Unassigned, 8 Echo [RFC792], 9 Router Advertisement [RFC1256], 10 Router Solicitation [RFC1256],
# 11 Time Exceeded [RFC792], 12 Parameter Problem [RFC792], 13 Timestamp [RFC792], 14 Timestamp Reply [RFC792],
# 15 Information Request (Deprecated) [RFC792] [RFC6918], 16 Information Reply (Deprecated) [RFC792] [RFC6918],
# 17 Address Mask Request (Deprecated) [RFC950] [RFC6918], 18 Address Mask Reply (Deprecated) [RFC950] [RFC6918],
# 19 Reserved (for Security) [Solo], 20-29 Reserved (for Robustness Experiment) [ZSu], 30 Traceroute (Deprecated)
# [RFC1393] [RFC6918], 31 Datagram Conversion Error (Deprecated) [RFC1475] [RFC6918], 32 Mobile Host Redirect
# (Deprecated) [David_Johnson] [RFC6918], 33 IPv6 Where-Are-You (Deprecated) [Simpson] [RFC6918], 34 IPv6 I-Am-Here
# (Deprecated) [Simpson] [RFC6918], 35 Mobile Registration Request (Deprecated) [Simpson] [RFC6918], 36 Mobile
# Registration Reply (Deprecated) [Simpson] [RFC6918], 37 Domain Name Request (Deprecated) [RFC1788] [RFC6918],
# 38 Domain Name Reply (Deprecated) [RFC1788] [RFC6918], 39 SKIP (Deprecated) [Markson] [RFC6918], 40 Photuris
# [RFC2521], 41 ICMP messages utilized by experimental mobility protocols such as Seamoby [RFC4065],
# 42-252 Unassigned, 253 RFC3692-style Experiment 1 [RFC4727], 254 RFC3692-style Experiment 2 [RFC4727],
# 255 Reserved [JBP].
# The most important & commonly used are: Type 0, 8, 11, 3 & their "code" variants.
# Incoming ICMP v4 ping (8=Echo) Request,
# and an outgoing pong (0=Echo Reply) for that ping:
"$v1ipt4Cmd" -A INPUT -i ${v1Nif4Names[key]} -p icmp --icmp-type 8 -m state \
--state NEW,ESTABLISHED,RELATED -j LOG \
--log-level 6 --log-uid --log-prefix "iptv4: ICMPv4 In "
"$v1ipt4Cmd" -A INPUT -i ${v1Nif4Names[key]} -p icmp --icmp-type 8 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT # Echo Request
"$v1ipt4Cmd" -A OUTPUT -o ${v1Nif4Names[key]} -p icmp --icmp-type 0 -m state \
--state ESTABLISHED,RELATED -j LOG \
--log-level 6 --log-uid --log-prefix "iptv4: ICMPv4 Out "
"$v1ipt4Cmd" -A OUTPUT -o ${v1Nif4Names[key]} -p icmp --icmp-type 0 -m state \
--state ESTABLISHED,RELATED -j ACCEPT # Echo Reply
# Kept enabled, as usually the above two icmp v4 types suffice for most use cases.
# To only accept limited types of ICMP (v4) requests,
# it is assumed here that the default INPUT policy is set to DROP:
# "$v1ipt4Cmd" -A INPUT -p icmp --icmp-type 0 -j ACCEPT # Echo Reply
# "$v1ipt4Cmd" -A INPUT -p icmp --icmp-type 3 -j ACCEPT # Destination Unreachable
# "$v1ipt4Cmd" -A INPUT -p icmp --icmp-type 11 -j ACCEPT # Time Exceeded
# To respond back to all ping requests
# "$v1ipt4Cmd" -A INPUT -p icmp --icmp-type 8 -j ACCEPT # echo request
# Kept deactivated, because types 11 & 3 are not used for most use cases.
# ICMP v6:
# https://en.wikipedia.org/wiki/ICMPv6
# https://www.iana.org/assignments/icmpv6-parameters
# The "Type" code field numbers : 0 Reserved, 1 Destination Unreachable [RFC4443], 2 Packet Too Big [RFC4443],
# 3 Time Exceeded [RFC4443], 4 Parameter Problem [RFC4443], 100 Private experimentation [RFC4443], 101 Private
# experimentation [RFC4443], 102-126 Unassigned, 127 Reserved for expansion of ICMPv6 error messages [RFC4443],
# 128 Echo Request [RFC4443], 129 Echo Reply [RFC4443], 130 Multicast Listener Query [RFC2710], 131 Multicast
# Listener Report [RFC2710], 132 Multicast Listener Done [RFC2710], 133 Router Solicitation [RFC4861], 134 Router
# Advertisement [RFC4861], 135 Neighbor Solicitation [RFC4861], 136 Neighbor Advertisement [RFC4861], 137 Redirect
# Message [RFC4861], 138 Router Renumbering [Matt_Crawford], 139 ICMP Node Information Query [RFC4620], 140 ICMP
# Node Information Response [RFC4620], 141 Inverse Neighbor Discovery Solicitation Message [RFC3122], 142 Inverse
# Neighbor Discovery Advertisement Message [RFC3122], 143 Version 2 Multicast Listener Report [RFC3810], 144 Home
# Agent Address Discovery Request Message [RFC6275], 145 Home Agent Address Discovery Reply Message [RFC6275],
# 146 Mobile Prefix Solicitation [RFC6275], 147 Mobile Prefix Advertisement [RFC6275], 148 Certification Path
# Solicitation Message [RFC3971], 149 Certification Path Advertisement Message [RFC3971], 150 ICMP messages
# utilized by experimental mobility protocols such as Seamoby [RFC4065], 151 Multicast Router Advertisement
# [RFC4286], 152 Multicast Router Solicitation [RFC4286], 153 Multicast Router Termination [RFC4286], 154 FMIPv6
# Messages [RFC5568], 155 RPL Control Message [RFC6550], 156 ILNPv6 Locator Update Message [RFC6743], 157 Duplicate
# Address Request [RFC6775], 158 Duplicate Address Confirmation [RFC6775], 159-199 Unassigned, 200 Private
# experimentation [RFC4443], 201 Private experimentation [RFC4443], 255 Reserved for expansion of ICMPv6
# informational messages [RFC4443].
# The most important & commonly used ICMPv6 types are: Type 1, 3, 128, 129.
# Incoming ICMP v6 ping (Type128=Echo) Request,
# and an outgoing pong (Type129=Echo Reply) for that ping
# (ip6tables spells the type option --icmpv6-type, not --icmp-type):
"$v1ipt6Cmd" -A INPUT -i ${v1Nif6Names[key]} -p icmpv6 --icmpv6-type 128 -m state \
--state NEW,ESTABLISHED,RELATED -j LOG \
--log-level 6 --log-uid --log-prefix "iptv6: ICMPv6 In "
"$v1ipt6Cmd" -A INPUT -i ${v1Nif6Names[key]} -p icmpv6 --icmpv6-type 128 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT # ICMPv6 Echo Request
"$v1ipt6Cmd" -A OUTPUT -o ${v1Nif6Names[key]} -p icmpv6 --icmpv6-type 129 -m state \
--state ESTABLISHED,RELATED -j LOG \
--log-level 6 --log-uid --log-prefix "iptv6: ICMPv6 Out "
"$v1ipt6Cmd" -A OUTPUT -o ${v1Nif6Names[key]} -p icmpv6 --icmpv6-type 129 -m state \
--state ESTABLISHED,RELATED -j ACCEPT # ICMPv6 Echo Reply
# Kept enabled, as usually the above two icmp v6 types suffice for most
# use cases.
# To reject all IPv4 Multicast (Level3) traffic:
"$v1ipt4Cmd" -A INPUT -m addrtype --src-type MULTICAST -j LOG \
--log-level 6 --log-uid --log-prefix "iptv4: Multicast(L3) src in "
"$v1ipt4Cmd" -A INPUT -m addrtype --src-type MULTICAST -j DROP # Multicast(L3) src in
"$v1ipt4Cmd" -A INPUT -m addrtype --dst-type MULTICAST -j LOG \
--log-level 6 --log-uid --log-prefix "iptv4: Multicast(L3) dst in "
"$v1ipt4Cmd" -A INPUT -m addrtype --dst-type MULTICAST -j DROP # Multicast(L3) dst in
"$v1ipt4Cmd" -A OUTPUT -m addrtype --src-type MULTICAST -j LOG \
--log-level 6 --log-uid --log-prefix "iptv4: Multicast(L3) src out "
"$v1ipt4Cmd" -A OUTPUT -m addrtype --src-type MULTICAST -j DROP # Multicast(L3) src out
"$v1ipt4Cmd" -A OUTPUT -m addrtype --dst-type MULTICAST -j LOG \
--log-level 6 --log-uid --log-prefix "iptv4: Multicast(L3) dst out "
"$v1ipt4Cmd" -A OUTPUT -m addrtype --dst-type MULTICAST -j DROP # Multicast(L3) dst out
# Kept activated. If users want to connect with (or use) IPv4 multicast
# L3 servers or services, then do not use the above 4 DROP rules; change
# the above 4 DROP into ACCEPT.
# To stop logging, add a # symbol as the 1st symbol at the beginning of the above 8
# lines which have either the word "LOG" or "log-prefix" in them.
# To reject all IPv4 Multicast (Level2) traffic:
"$v1ipt4Cmd" -A INPUT -m pkttype --pkt-type multicast -j LOG \
--log-level 6 --log-uid --log-prefix "iptv4: Multicast(L2) In "
"$v1ipt4Cmd" -A INPUT -m pkttype --pkt-type multicast -j DROP # Multicast(L2) In
"$v1ipt4Cmd" -A OUTPUT -m pkttype --pkt-type multicast -j LOG \
--log-level 6 --log-uid --log-prefix "iptv4: Multicast(L2) Out "
"$v1ipt4Cmd" -A OUTPUT -m pkttype --pkt-type multicast -j DROP # Multicast(L2) Out
# Kept activated. If users want to connect with (or use) IPv4 multicast
# L2 servers or services, then do not use the above 2 DROP rules; change
# the above 2 DROP into ACCEPT.
# To stop logging, add a # symbol as the 1st symbol at the beginning of the above 4
# lines which have either the word "LOG" or "log-prefix" in them.
# To reject all IPv6 Multicast (Level3) traffic:
"$v1ipt6Cmd" -A INPUT -m addrtype --src-type MULTICAST -j LOG \
--log-level 6 --log-uid --log-prefix "iptv6: Multicast(L3) src in "
"$v1ipt6Cmd" -A INPUT -m addrtype --src-type MULTICAST -j DROP # Multicast(L3) src in
"$v1ipt6Cmd" -A INPUT -m addrtype --dst-type MULTICAST -j LOG \
--log-level 6 --log-uid --log-prefix "iptv6: Multicast(L3) dst in "
"$v1ipt6Cmd" -A INPUT -m addrtype --dst-type MULTICAST -j DROP # Multicast(L3) dst in
"$v1ipt6Cmd" -A OUTPUT -m addrtype --src-type MULTICAST -j LOG \
--log-level 6 --log-uid --log-prefix "iptv6: Multicast(L3) src out "
"$v1ipt6Cmd" -A OUTPUT -m addrtype --src-type MULTICAST -j DROP # Multicast(L3) src out
"$v1ipt6Cmd" -A OUTPUT -m addrtype --dst-type MULTICAST -j LOG \
--log-level 6 --log-uid --log-prefix "iptv6: Multicast(L3) dst out "
"$v1ipt6Cmd" -A OUTPUT -m addrtype --dst-type MULTICAST -j DROP # Multicast(L3) dst out
# Kept activated. If users want to connect with (or use) IPv6 multicast
# L3 servers or services, then do not use the above 4 DROP rules; change
# the above 4 DROP into ACCEPT, to enable.
# To stop logging, add a # symbol as the 1st symbol at the beginning of the above 8
# lines which have either the word "LOG" or "log-prefix" in them.
# To reject all IPv6 Multicast (Level2) traffic:
"$v1ipt6Cmd" -A INPUT -m pkttype --pkt-type multicast -j LOG \
--log-level 6 --log-uid --log-prefix "iptv6: Multicast(L2) In "
"$v1ipt6Cmd" -A INPUT -m pkttype --pkt-type multicast -j DROP # Multicast(L2) In
"$v1ipt6Cmd" -A OUTPUT -m pkttype --pkt-type multicast -j LOG \
--log-level 6 --log-uid --log-prefix "iptv6: Multicast(L2) Out "
"$v1ipt6Cmd" -A OUTPUT -m pkttype --pkt-type multicast -j DROP # Multicast(L2) Out
# Kept activated. If USERs want to connect with (or use) IPv6 multicast
# L2 servrs/services, then do not use above 2 DROP rules, | |
# change above 2 DROP into ACCEPT. And if USER wants to disable LOGging, | |
# then add # symbol as 1st symbol at beginning of above 4 lines, which | |
# lines have either the word "LOG" or "log-prefix" in it. | |
# To reject all ICMPv6 toward/from any IPv6 Multicast srvr/clnt (Level3) computers: | |
"$v1ipt6Cmd" -A INPUT -p icmpv6 -m addrtype --src-type MULTICAST -j LOG \ | |
--log-level 6 --log-uid --log-prefix "iptv6: ICMPv6 Multicast-L3 src in " | |
"$v1ipt6Cmd" -A INPUT -p icmpv6 -m addrtype --src-type MULTICAST -j DROP # ICMPv6 Multicast-L3 src in | |
"$v1ipt6Cmd" -A INPUT -p icmpv6 -m addrtype --dst-type MULTICAST -j LOG \ | |
--log-level 6 --log-uid --log-prefix "iptv6: ICMPv6 Multicast-L3 dst in " | |
"$v1ipt6Cmd" -A INPUT -p icmpv6 -m addrtype --dst-type MULTICAST -j DROP # ICMPv6 Multicast-L3 dst in | |
"$v1ipt6Cmd" -A OUTPUT -p icmpv6 -m addrtype --src-type MULTICAST -j LOG \ | |
--log-level 6 --log-uid --log-prefix "iptv6: ICMPv6 Multicast-L3 src out " | |
"$v1ipt6Cmd" -A OUTPUT -p icmpv6 -m addrtype --src-type MULTICAST -j DROP # ICMPv6 Multicast-L3 src out | |
"$v1ipt6Cmd" -A OUTPUT -p icmpv6 -m addrtype --dst-type MULTICAST -j LOG \ | |
--log-level 6 --log-uid --log-prefix "iptv6: ICMPv6 Multicast-L3 dst out " | |
"$v1ipt6Cmd" -A OUTPUT -p icmpv6 -m addrtype --dst-type MULTICAST -j DROP # ICMPv6 Multicast-L3 dst out | |
# Kept activated. If USERs wants to send ICMPv6 ping for connecting with | |
# (or using) IPv6 multicast (L3) servrs/servcs, then do not use above 4 | |
# DROP rules/code-lines, change 4 DROP into ACCEPT. | |
# To disable logging, add # symbol as 1st symbol at above 8 lines, | |
# which lines have the word "LOG" or "log-prefix" in it. | |
# To reject all ICMPv6 toward/from any IPv6 Multicast srvr/clnt (Level2) computers: | |
"$v1ipt6Cmd" -A INPUT -p icmpv6 -m pkttype --pkt-type multicast -j LOG \ | |
--log-level 6 --log-uid --log-prefix "iptv6: ICMPv6 Multicast-L2 In " | |
"$v1ipt6Cmd" -A INPUT -p icmpv6 -m pkttype --pkt-type multicast -j DROP # ICMPv6 Multicast(L2) In | |
"$v1ipt6Cmd" -A OUTPUT -p icmpv6 -m pkttype --pkt-type multicast -j LOG \ | |
--log-level 6 --log-uid --log-prefix "iptv6: ICMPv6 Multicast-L2 Out " | |
"$v1ipt6Cmd" -A OUTPUT -p icmpv6 -m pkttype --pkt-type multicast -j DROP # ICMPv6 Multicast(L2) Out | |
# Kept activated. If USERs wants to send ICMPv6 ping for connecting with | |
# (or using) IPv6 multicast (L2) srvrs/srvcs, then do not use above 2 | |
# DROP rules/code-lines, change 2 DROP into ACCEPT. | |
# To disable logging, add # symbol as 1st symbol at above 4 lines, | |
# which lines have the word "LOG" or "log-prefix" in it. | |
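# The Neighbor Discovery exception that the IPv6 multicast DROP rules
# above need, as an added example (editor-supplied code, not part of this
# gist): a function that emits ip6tables ACCEPT rules for the ICMPv6 NDP
# types a non-router host must exchange, inserted (-I) so they precede the
# appended DROP rules. It assumes a v1ipt6Cmd variable like the script's,
# defaulting to "echo ip6tables" so the rules are printed instead of
# loaded; the interface name is passed as an argument.

```bash
#!/bin/bash
# Added example, not part of the gist: emit the ip6tables rules that let
# IPv6 Neighbor Discovery (RFC 4861, ICMPv6 types 133-137) through BEFORE
# the "addrtype MULTICAST -j DROP" rules, which otherwise silently kill
# IPv6 on the host.
# v1ipt6Cmd is assumed to be the script's ip6tables path; it defaults to
# "echo ip6tables" here, so the functions print the rules instead of
# loading them (a dry run). Leave the variable unquoted for that to work.
: "${v1ipt6Cmd:=echo ip6tables}"

# Host-side NDP (this box is not a router):
#   INPUT  134 router-advertisement, 135 neighbour-solicitation,
#          136 neighbour-advertisement
#   OUTPUT 133 router-solicitation, 135 neighbour-solicitation,
#          136 neighbour-advertisement
# 137 (redirect) is deliberately left out (harden with the sysctl
# net.ipv6.conf.all.accept_redirects=0 instead), and a host never sends
# 134, so a rogue Router Advertisement from this box stays blocked.
# RFC 4861 requires hop limit 255 on every NDP message; a lower value
# means the packet was routed, i.e. it did not come from the local link.
ndp_in_types="134 135 136"
ndp_out_types="133 135 136"

# emit_ndp_rules IFACE: insert (-I, so they land in front of the appended
# DROP rules) the NDP ACCEPT rules for interface IFACE.
emit_ndp_rules() {
    local ifc="$1" t
    for t in $ndp_in_types; do
        $v1ipt6Cmd -I INPUT -i "$ifc" -p icmpv6 --icmpv6-type "$t" \
            -m hl --hl-eq 255 -j ACCEPT
    done
    for t in $ndp_out_types; do
        $v1ipt6Cmd -I OUTPUT -o "$ifc" -p icmpv6 --icmpv6-type "$t" \
            -m hl --hl-eq 255 -j ACCEPT
    done
}

# count_ndp_rules IFACE: number of rules emit_ndp_rules produces (dry run).
count_ndp_rules() {
    emit_ndp_rules "$1" | wc -l | tr -d ' '
}

emit_ndp_rules eth0
```

# Run it as-is to review the six rules it prints; set
# v1ipt6Cmd=/sbin/ip6tables to load them for real. Because the rules are
# scoped to one interface and to hop limit 255, a spoofed NS/NA or RA that
# crossed a router is still dropped by the multicast rules that follow.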
# Drop packets with private or reserved SOURCE addresses arriving on the
# public interface (anti-spoofing); no Internet peer can legitimately
# have such an address:
"$v1ipt4Cmd" -A INPUT -i "${v1Nif4Names[key]}" -s 10.0.0.0/8 -j LOG \
--log-level 6 --log-uid --log-prefix "iptv4: Class-A-src "
"$v1ipt4Cmd" -A INPUT -i "${v1Nif4Names[key]}" -s 10.0.0.0/8 -j DROP # RFC 1918 "Class A" private range
"$v1ipt4Cmd" -A INPUT -i "${v1Nif4Names[key]}" -s 172.16.0.0/12 -j LOG \
--log-level 6 --log-uid --log-prefix "iptv4: Class-B-src "
"$v1ipt4Cmd" -A INPUT -i "${v1Nif4Names[key]}" -s 172.16.0.0/12 -j DROP # RFC 1918 "Class B" private range
# "$v1ipt4Cmd" -A INPUT -i "${v1Nif4Names[key]}" -s 192.168.0.0/16 -j LOG \
# --log-level 6 --log-uid --log-prefix "iptv4: Class-C-src "
# "$v1ipt4Cmd" -A INPUT -i "${v1Nif4Names[key]}" -s 192.168.0.0/16 -j DROP # RFC 1918 "Class C" private range
"$v1ipt4Cmd" -A INPUT -i "${v1Nif4Names[key]}" -s 224.0.0.0/4 -j LOG \
--log-level 6 --log-uid --log-prefix "iptv4: Class-D-src "
"$v1ipt4Cmd" -A INPUT -i "${v1Nif4Names[key]}" -s 224.0.0.0/4 -j DROP # entire Class-D (multicast) range; never valid as a source
"$v1ipt4Cmd" -A INPUT -i "${v1Nif4Names[key]}" -d 224.0.0.0/4 -j LOG \
--log-level 6 --log-uid --log-prefix "iptv4: Class-D-dst "
"$v1ipt4Cmd" -A INPUT -i "${v1Nif4Names[key]}" -d 224.0.0.0/4 -j DROP # entire Class-D (multicast) range as destination
"$v1ipt4Cmd" -A INPUT -i "${v1Nif4Names[key]}" -s 240.0.0.0/4 -j LOG \
--log-level 6 --log-uid --log-prefix "iptv4: Class-E-src "
"$v1ipt4Cmd" -A INPUT -i "${v1Nif4Names[key]}" -s 240.0.0.0/4 -j DROP # entire Class-E (reserved) range; /4, not /5, covers all of 240-255
# Packets from 10.0.0.0/8, 172.16.0.0/12, 224.0.0.0/4 and 240.0.0.0/4 are
# dropped on the public interface because a legitimate Internet peer can
# never carry such a source address (RFC 1918 private space, multicast,
# reserved); a packet that does is spoofed or misrouted.
# If this host really exchanges traffic with one of those networks
# (e.g. over a VPN or a second LAN on the same interface), comment out
# the related lines above.
# Logging can be disabled at any time by commenting out (leading #) the
# lines that contain "-j LOG" or "--log-prefix".
# 192.168.0.0/16 is left unfiltered above because most home and office
# LANs live there. To keep the anti-spoofing benefit, allow only your own
# subnet and drop the rest of the /16. For example, if the LAN is
# 192.168.10.0/24, first let sources in 192.168.10.0/24 through (RETURN
# from a dedicated chain, or the rule that ACCEPTs your LAN), then DROP
# sources in 192.168.0.0/16, so that the other 255 /24 subnets
# (192.168.0.0/24 to 192.168.9.0/24 and 192.168.11.0/24 to
# 192.168.255.0/24) are rejected.
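# The own-subnet exception described above, as an added example
# (editor-supplied code, not the gist's): a dedicated BOGON_SRC chain that
# RETURNs for the host's LAN and then LOGs (rate-limited) and DROPs every
# reserved source range. It assumes a v1ipt4Cmd variable like the script's
# (defaulting to "echo iptables" for a dry run), takes the public
# interface and LAN prefix as arguments, and adds 127.0.0.0/8 and
# 169.254.0.0/16 to the script's own ranges as an assumption of what a
# practitioner would also filter.

```bash
#!/bin/bash
# Added example, not part of the gist: anti-spoofing on the public
# interface with an exception for the host's own LAN, built in a
# dedicated chain so the exception cannot accidentally ACCEPT everything.
# v1ipt4Cmd is assumed to be the script's iptables path; it defaults to
# "echo iptables" here so the rules are printed, not loaded (dry run).
: "${v1ipt4Cmd:=echo iptables}"

# Source ranges that never belong to a legitimate Internet peer. The first
# five are the ranges this script already filters; 127.0.0.0/8 (loopback)
# and 169.254.0.0/16 (link-local) are added here as an assumption.
bogon_src_ranges="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4 127.0.0.0/8 169.254.0.0/16"

# emit_bogon_chain IFACE LAN_CIDR
#   Builds chain BOGON_SRC: first RETURN for LAN_CIDR (back to INPUT, where
#   the normal rules decide), then rate-limited LOG + DROP for each bogon
#   range, and hooks the chain on IFACE. Because the exception is a RETURN
#   inside a user chain and not an ACCEPT in INPUT, LAN packets still pass
#   through every later INPUT rule.
emit_bogon_chain() {
    local ifc="$1" lan="$2" net
    $v1ipt4Cmd -N BOGON_SRC
    $v1ipt4Cmd -A BOGON_SRC -s "$lan" -j RETURN
    for net in $bogon_src_ranges; do
        # -m limit keeps a flood of spoofed packets from filling the log
        # (the --log-prefix is kept under the 29-character limit).
        $v1ipt4Cmd -A BOGON_SRC -s "$net" -m limit --limit 5/min --limit-burst 10 \
            -j LOG --log-level 6 --log-prefix "bogon src $net "
        $v1ipt4Cmd -A BOGON_SRC -s "$net" -j DROP
    done
    # Hook: only packets arriving on the public interface are checked.
    $v1ipt4Cmd -A INPUT -i "$ifc" -j BOGON_SRC
}

# first_match_position RULES TEXT: 1-based line number of the first rule
# containing TEXT; used to confirm the RETURN precedes every DROP.
first_match_position() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

emit_bogon_chain eth0 192.168.10.0/24
```

# Ordering is the whole point: the RETURN for the LAN must be the first
# rule in BOGON_SRC, otherwise the 192.168.0.0/16 DROP swallows your own
# subnet. The chain is hooked with -A INPUT, so place the call before the
# script's final catch-all LOG/DROP rules.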
##### Add your rules below ######
#
#
##### END your rules ############
# SAMBA Server / NetBIOS / File-Sharing:
# Commented-out template for LAN-only Samba access (shipped as REJECT;
# change to ACCEPT to open it). There is deliberately no LOG rule here,
# because SMB/NetBIOS broadcast chatter would flood the log.
# "$v1ipt4Cmd" -A INPUT -s 192.168.1.0/24 -m conntrack --ctstate NEW \
# -p tcp --dport 137 -j REJECT
# "$v1ipt4Cmd" -A INPUT -s 192.168.1.0/24 -m conntrack --ctstate NEW \
# -p udp --dport 137 -j REJECT
# "$v1ipt4Cmd" -A INPUT -s 192.168.1.0/24 -m conntrack --ctstate NEW \
# -p tcp --dport 138 -j REJECT
# "$v1ipt4Cmd" -A INPUT -s 192.168.1.0/24 -m conntrack --ctstate NEW \
# -p udp --dport 138 -j REJECT
# "$v1ipt4Cmd" -A INPUT -s 192.168.1.0/24 -m conntrack --ctstate NEW \
# -p tcp --dport 139 -j REJECT
# "$v1ipt4Cmd" -A INPUT -s 192.168.1.0/24 -m conntrack --ctstate NEW \
# -p udp --dport 139 -j REJECT
# "$v1ipt4Cmd" -A INPUT -s 192.168.1.0/24 -m conntrack --ctstate NEW \
# -p tcp --dport 445 -j REJECT
# Kept commented out, because this host runs no Samba server and does
# not use one on the LAN either. If your case differs, adjust the LAN
# prefix, remove the leading # from the 14 code lines above and change
# the 7 REJECT targets to ACCEPT. ("-m conntrack --ctstate" replaces the
# deprecated "-m state --state"; it matches the same thing.) Because
# every rule is restricted with "-s", only 192.168.1.0/24 can open a
# session; any other source falls through to the final LOG/DROP rules.
"$v1ipt4Cmd" -A INPUT -p tcp -s 192.168.1.0/24 --dport 137:139 -j REJECT # peer -> this host, matched on the peer's source
"$v1ipt4Cmd" -A INPUT -p tcp -d 192.168.1.0/24 --dport 137:139 -j REJECT # matches this host's own address, NOT the peer
"$v1ipt4Cmd" -A INPUT -p udp -s 192.168.1.0/24 --dport 137:139 -j REJECT # peer -> this host, matched on the peer's source
"$v1ipt4Cmd" -A INPUT -p udp -d 192.168.1.0/24 --dport 137:139 -j REJECT # matches this host's own address, NOT the peer
"$v1ipt4Cmd" -A OUTPUT -p tcp -s 192.168.1.0/24 --dport 137:139 -j REJECT # matches this host's own address, NOT the peer
"$v1ipt4Cmd" -A OUTPUT -p tcp -d 192.168.1.0/24 --dport 137:139 -j REJECT # this host -> peer, matched on the peer's address
"$v1ipt4Cmd" -A OUTPUT -p udp -s 192.168.1.0/24 --dport 137:139 -j REJECT # matches this host's own address, NOT the peer
"$v1ipt4Cmd" -A OUTPUT -p udp -d 192.168.1.0/24 --dport 137:139 -j REJECT # this host -> peer, matched on the peer's address
"$v1ipt4Cmd" -A INPUT -p tcp -s 192.168.1.0/24 --dport 445 -j REJECT # peer -> this host, matched on the peer's source
"$v1ipt4Cmd" -A INPUT -p tcp -d 192.168.1.0/24 --dport 445 -j REJECT # matches this host's own address, NOT the peer
"$v1ipt4Cmd" -A OUTPUT -p tcp -s 192.168.1.0/24 --dport 445 -j REJECT # matches this host's own address, NOT the peer
"$v1ipt4Cmd" -A OUTPUT -p tcp -d 192.168.1.0/24 --dport 445 -j REJECT # this host -> peer, matched on the peer's address
# These 12 REJECT rules are active: SMB/NetBIOS stays blocked because
# this host neither runs a Samba server nor uses one on the LAN.
# If your case differs, adjust the LAN prefix, then change ONLY the
# peer-restricted rules to ACCEPT: the INPUT rules with "-s" (who may
# reach a Samba server on this host) and the OUTPUT rules with "-d"
# (which servers this host may contact). The INPUT "-d" and OUTPUT "-s"
# rules match this host's own address, not the peer, so turning them into
# ACCEPT would admit SMB connections from ANY source; keep them as REJECT
# or delete them. Note also that SMB does not use TCP 137/138 (137 and
# 138 are UDP, 139 and 445 are TCP), so the TCP 137:139 rules only
# matter for port 139.
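# The hardened form of the LAN-only Samba rules, as an added example
# (editor-supplied code, not the gist's): one function that emits the four
# rules with the correct protocol per port, connection tracking, and the
# peer matched on the correct side (-s on INPUT, -d on OUTPUT), so that
# switching it from REJECT to ACCEPT cannot expose SMB to other sources.
# It assumes a v1ipt4Cmd variable like the script's (defaulting to
# "echo iptables" for a dry run) and that the usual ESTABLISHED,RELATED
# ACCEPT rule exists earlier in the chain for the replies.

```bash
#!/bin/bash
# Added example, not part of the gist: LAN-only SMB/NetBIOS rules with
# connection tracking, showing which side of the connection each rule
# must match on. v1ipt4Cmd is assumed to be the script's iptables path and
# defaults to "echo iptables" (dry run: rules are printed, not loaded).
: "${v1ipt4Cmd:=echo iptables}"

# Port/protocol map used by SMB (there is no TCP 137/138 and no UDP 445):
#   137/udp NetBIOS name service, 138/udp NetBIOS datagram,
#   139/tcp NetBIOS session, 445/tcp SMB over TCP ("direct hosting").
smb_udp_ports="137,138"
smb_tcp_ports="139,445"

# emit_smb_rules LAN_CIDR VERDICT
#   VERDICT is ACCEPT to open SMB for the LAN or REJECT to keep it closed.
#   Server side (INPUT) matches the remote SOURCE with -s: only LAN peers
#   may open a session. Matching -d here would test this host's own
#   address and, as ACCEPT, admit any source on the Internet.
#   Client side (OUTPUT) matches the remote DESTINATION with -d.
#   Only NEW connections are listed; the replies are assumed to be
#   covered by an ESTABLISHED,RELATED ACCEPT rule earlier in the chain.
emit_smb_rules() {
    local lan="$1" verdict="$2"
    case "$verdict" in
        ACCEPT|REJECT) ;;
        *) echo "emit_smb_rules: verdict must be ACCEPT or REJECT" >&2; return 1 ;;
    esac
    $v1ipt4Cmd -A INPUT -s "$lan" -p udp -m multiport --dports "$smb_udp_ports" \
        -m conntrack --ctstate NEW -j "$verdict"
    $v1ipt4Cmd -A INPUT -s "$lan" -p tcp -m multiport --dports "$smb_tcp_ports" \
        -m conntrack --ctstate NEW -j "$verdict"
    $v1ipt4Cmd -A OUTPUT -d "$lan" -p udp -m multiport --dports "$smb_udp_ports" \
        -m conntrack --ctstate NEW -j "$verdict"
    $v1ipt4Cmd -A OUTPUT -d "$lan" -p tcp -m multiport --dports "$smb_tcp_ports" \
        -m conntrack --ctstate NEW -j "$verdict"
}

emit_smb_rules 192.168.1.0/24 REJECT
```

# Sources outside the LAN prefix match none of these rules and fall
# through to the script's final LOG/DROP, which is the desired behaviour:
# an Internet scanner sees a timeout on 445, not a reset.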
# LOG target options:
# --log-level 0 emerg, 1 alert, 2 crit, 3 err, 4 warning, 5 notice,
# 6 info, 7 debug.
# --log-tcp-options Log options from the TCP packet header.
# --log-ip-options Log options from the IP packet header.
# --log-uid Log the UID of the local process that owns the packet's
# socket; meaningful for OUTPUT (an unsolicited incoming packet
# has no owning process to report).
# Log, and then drop, everything that did not match any rule above.
# Caveat: these catch-all LOG rules carry no "-m limit", so a remote
# scanner or flood produces one log line per packet and can fill the
# system log (and the disk); on an exposed host put e.g.
# "-m limit --limit 5/min --limit-burst 10" in front of "-j LOG".
# "$v1ipt4Cmd" -A INPUT -j LOG
"$v1ipt4Cmd" -A INPUT -j LOG --log-level 6 --log-uid \
--log-prefix "IPTABLES_INPUT: "
# "$v1ipt4Cmd" -A FORWARD -j LOG
"$v1ipt4Cmd" -A FORWARD -j LOG --log-level 6 --log-uid \
--log-prefix "IPTABLES_FORWARD: "
"$v1ipt4Cmd" -A OUTPUT -j LOG --log-level 6 --log-uid \
--log-prefix "IPTABLES_OUTPUT: "
"$v1ipt4Cmd" -A INPUT -j DROP
"$v1ipt4Cmd" -A FORWARD -j DROP
"$v1ipt4Cmd" -A OUTPUT -j DROP
unset -v FwR
unset -v FwR4
unset -v FwR6
unset -v v1Nif4Names
# Done; return to the shell that executed this script:
exit 0