Created
February 15, 2009 22:03
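#!/bin/sh
# Two snippets: a noclobber-based lockfile around a critical section, and a
# backup run (package selections + MySQL dump) guarded by a cleanup trap.
#
# Environment: $lockfile (optional) — path of the lock; defaults below. The
# original referenced it without defining it, which aborts under nounset.
# Exit if an undefined variable is referenced
set -o nounset
# Exit if there is an error
# set -o errexit

# Default lock path. Override with an exported $lockfile; a directory writable
# only by this script's user is preferable to a shared TMPDIR.
lockfile="${lockfile:-${TMPDIR:-/tmp}/${0##*/}.lock}"

# noclobber makes '>' fail if the file already exists, so creation is atomic.
if ( set -o noclobber; echo "$$" > "$lockfile" ) 2> /dev/null; then
  # Capture the status first: after 'rm -f' $? would be rm's status, not the
  # critical section's, and the script would always exit 0.
  trap 'rc=$?; rm -f "$lockfile"; exit $rc' INT TERM EXIT
  critical-section   # placeholder for the work that must not run concurrently
  rm -f "$lockfile"
  trap - INT TERM EXIT
else
  # Diagnostics to stderr. The PID in the lock is not checked for staleness:
  # a crashed holder leaves the lock in place until removed by hand.
  printf 'Failed to acquire lockfile: %s.\n' "$lockfile" >&2
  printf 'Held by %s\n' "$(cat -- "$lockfile")" >&2
  # NOTE(review): execution falls through to the backup below even when the
  # lock was not acquired, as in the original; add 'exit 1' here if the
  # backup is the critical section.
fi

cleanup() {
  # An empty function body is a syntax error in sh; ':' is the no-op.
  # TODO: remove a partial backup.sql / backup.sql.gz when aborted.
  :
}
trap cleanup INT TERM EXIT
# Package selection list goes to stdout (redirect the script to keep it).
dpkg --get-selections "*"
# Dump all databases into the current directory; credentials are not passed on
# the command line (presumably taken from the client config — verify).
mysqldump -A -Qq > backup.sql
nice gzip backup.sql
trap - INT TERM EXIT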
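#!/bin/sh
# Rebuild the DYNAMIC_* chains: flush them, grant PRIVATE_PORTS access to the
# current IPv4 address(es) of every name in PRIVATE_ACCESS_HOSTS, then RETURN
# everything else arriving on EXTERNAL_IF to INPUT.
#
# Reads from /etc/firewall.conf: IPTABLES, PRIVATE_ACCESS_HOSTS, EXTERNAL_IF.
#set -x
#set -u
# 'source' is a bash builtin; '.' is the POSIX spelling under #!/bin/sh.
. "/etc/firewall.conf"
"$IPTABLES" -F DYNAMIC_INPUT
"$IPTABLES" -F DYNAMIC_FORWARD
"$IPTABLES" -F DYNAMIC_OUTPUT
# Fetch the IPs for anything in PRIVATE_ACCESS_HOSTS and add them to DYNAMIC_INPUT.
# Security note: these rules are only as trustworthy as the DNS answer that
# produced them — a spoofed or hijacked record grants PRIVATE_PORTS access.
for myhost in $PRIVATE_ACCESS_HOSTS; do
  # Assignment from $(...) keeps host's exit status, so no separate $? check.
  if hostips=$(host "$myhost"); then
    # Take the last field of every line that is a dotted-quad address. The
    # original collapsed the output onto one line and tested only its last
    # field, so an IPv6 record printed after the A record hid the IPv4 answer.
    for ip in $(printf '%s\n' "$hostips" \
        | awk '$NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $NF }'); do
      "$IPTABLES" -A DYNAMIC_INPUT --source "$ip" -j PRIVATE_PORTS
    done
  fi
done
# Everything else on the external interface returns to INPUT, whose policy
# (set by the main firewall script) is DROP — that is where the deny happens.
"$IPTABLES" -A DYNAMIC_INPUT -i "$EXTERNAL_IF" -j RETURN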
# /etc/firewall.conf — settings read by the firewall scripts with '.'/'source'.
# Lists are space-separated and iterated with an unquoted 'for x in $LIST'.

# Path of the iptables binary.
IPTABLES='/sbin/iptables'
# Interface facing the untrusted network; INPUT/FORWARD traffic arriving on it
# is handed to the DYNAMIC_INPUT / DYNAMIC_FORWARD chains.
EXTERNAL_IF='eth1'
# Connection-tracking helpers to load as ip_conntrack_<name>.
CONNTRACK_MODS='ftp'
# Sources whose TCP and UDP packets are dropped outright.
BAN_IPS='10.1.1.2'
# TCP ports accepted from the private sources below (PRIVATE_PORTS chain).
PRIVATE_PORTS='22 20 21 3306'
# Static networks/hosts given access to PRIVATE_PORTS.
PRIVATE_ACCESS='192.168.1.0/24 10.1.1.1'
# Hostnames resolved at run time; their IPv4 addresses also get PRIVATE_PORTS.
PRIVATE_ACCESS_HOSTS='localhost'
# Ports open to any source.
TCP_PUBLIC_PORTS='25 80 443 53 110 143 123 993 465'
UDP_PUBLIC_PORTS='53 123'
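#!/bin/sh
# Build the base ruleset: load conntrack helpers, reset netfilter, set the
# policies, create the custom chains, then add the static INPUT rules. The
# DNS-derived rules live in the DYNAMIC_* chains and are filled in by the
# companion script.
#
# Reads from /etc/firewall.conf: IPTABLES, CONNTRACK_MODS, BAN_IPS,
# PRIVATE_PORTS, PRIVATE_ACCESS, TCP_PUBLIC_PORTS, UDP_PUBLIC_PORTS, EXTERNAL_IF.
# 'source' is a bash builtin; '.' is the POSIX spelling under #!/bin/sh.
. "/etc/firewall.conf"
# Load the connection-tracking helper for each listed protocol (e.g. ftp).
for i in $CONNTRACK_MODS; do
  /sbin/modprobe "ip_conntrack_$i"
done
"$IPTABLES" -F
# -F empties chains but keeps user-defined ones, so the -N calls below fail
# on a re-run; -X deletes the now-empty user-defined chains first.
"$IPTABLES" -X
"$IPTABLES" -Z
# Default-deny inbound. Until the ESTABLISHED,RELATED rule further down is in
# place, packets of existing sessions are dropped (brief window on re-run).
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT
# Create custom chains
"$IPTABLES" -N DYNAMIC_INPUT
"$IPTABLES" -N DYNAMIC_OUTPUT
"$IPTABLES" -N DYNAMIC_FORWARD
"$IPTABLES" -N PRIVATE_PORTS
# Allow all loopback traffic
"$IPTABLES" -A INPUT -i lo -j ACCEPT
# Disable kernel IP forwarding. The FORWARD policy above is ACCEPT, so whether
# packets are routed at all is decided here, not by netfilter.
echo 0 > /proc/sys/net/ipv4/ip_forward
# Ban some ips. These precede the ESTABLISHED,RELATED accept, so an existing
# session from a banned address is cut off as well.
for banip in $BAN_IPS; do
  "$IPTABLES" -A INPUT -p tcp -s "$banip" -d 0/0 -j DROP
  "$IPTABLES" -A INPUT -p udp -s "$banip" -d 0/0 -j DROP
done
# Rate limit icmp: echo reply (0), unreachable (3), echo request (8),
# time exceeded (11).
for icmptype in 0 3 8 11; do
  "$IPTABLES" -A INPUT -p icmp -m limit --limit 10/s --icmp-type "$icmptype" -j ACCEPT
done
# Accept all packets that are NOT initiating a connection; otherwise
# connections could be started but blocked after the initial handshake.
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Create our chain with the private ports in it (TCP only).
for port in $PRIVATE_PORTS; do
  "$IPTABLES" -A PRIVATE_PORTS -p tcp --destination-port "$port" -j ACCEPT
done
"$IPTABLES" -A PRIVATE_PORTS -j RETURN
# Open private ports for the private networks.
for ip in $PRIVATE_ACCESS; do
  "$IPTABLES" -A INPUT -s "$ip" -j PRIVATE_PORTS
done
# Now we open the public TCP ports.
for port in $TCP_PUBLIC_PORTS; do
  "$IPTABLES" -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port "$port" -j ACCEPT
done
# ..then open public UDP ports.
for port in $UDP_PUBLIC_PORTS; do
  "$IPTABLES" -A INPUT -p udp -s 0/0 -d 0/0 --destination-port "$port" -j ACCEPT
done
# Hand external-interface traffic to the dynamic chains. Nothing in this
# script jumps to DYNAMIC_OUTPUT; it is only created.
"$IPTABLES" -A INPUT -i "$EXTERNAL_IF" -j DYNAMIC_INPUT
"$IPTABLES" -A FORWARD -i "$EXTERNAL_IF" -j DYNAMIC_FORWARD
# The flush/delete above removed anything fail2ban had inserted; restart it
# (presumably so it re-adds its chains) when a local jail config exists.
if [ -f /etc/fail2ban/jail.local ]; then
  /etc/init.d/fail2ban restart
fi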