Linux Iptables Firewall Shell Script For Standalone Server

by

0

WebServer của bạn đang có dấu hiệu bị DoS? Hy vọng đoạn script sư tầm sau đây có thể giúp bạn giải quyết phần nào vấn đề đó:

A shell script on iptables rules for a webserver (no need to use APF or CSF) just run this script from /etc/rc.local and you are done. Save following script as /root/scripts/fw.start:

  1. #!/bin/bash
  2. # A Linux Shell Script with common rules for IPTABLES Firewall.
  3. # By default this script only open port 80, 22, 53 (input)
  4. # All outgoing traffic is allowed (default – output)
  5. # ————————————————————————-
  6. # Copyright (c) 2004 nixCraft project <http://cyberciti.biz/fb/&gt;
  7. # This script is licensed under GNU GPL version 2.0 or above
  8. # ————————————————————————-
  9. # This script is part of nixCraft shell script collection (NSSC)
  10. # Visit http://bash.cyberciti.biz/ for more information.
  11. # ————————————————————————-
  13. IPT=”/sbin/iptables”
  14. SPAMLIST=”blockedip”
  15. SPAMDROPMSG=”BLOCKED IP DROP”
  17. echo “Starting IPv4 Wall…”
  18. $IPT -F
  19. $IPT -X
  20. $IPT -t nat -F
  21. $IPT -t nat -X
  22. $IPT -t mangle -F
  23. $IPT -t mangle -X
  24. modprobe ip_conntrack
  26. [ -f /root/scripts/blocked.ips.txt ] && BADIPS=$(egrep -v -E “^#|^$” /root/scripts/blocked.ips.txt)
  28. PUB_IF=”eth0″
  30. #unlimited
  31. $IPT -A INPUT -i lo -j ACCEPT
  32. $IPT -A OUTPUT -o lo -j ACCEPT
  34. # DROP all incomming traffic
  35. $IPT -P INPUT DROP
  36. $IPT -P OUTPUT DROP
  37. $IPT -P FORWARD DROP
  39. if [ -f /root/scripts/blocked.ips.txt ];
  40. then
  41. # create a new iptables list
  42. $IPT -N $SPAMLIST
  44. for ipblock in $BADIPS
  45. do
  46. $IPT -A $SPAMLIST -s $ipblock -j LOG –log-prefix “$SPAMDROPMSG”
  47. $IPT -A $SPAMLIST -s $ipblock -j DROP
  48. done
  50. $IPT -I INPUT -j $SPAMLIST
  51. $IPT -I OUTPUT -j $SPAMLIST
  52. $IPT -I FORWARD -j $SPAMLIST
  53. fi
  55. # Block sync
  56. $IPT -A INPUT -i ${PUB_IF} -p tcp ! –syn -m state –state NEW -m limit –limit 5/m –limit-burst 7 -j LOG –log-level 4 –log-prefix “Drop Sync”
  57. $IPT -A INPUT -i ${PUB_IF} -p tcp ! –syn -m state –state NEW -j DROP
  59. # Block Fragments
  60. $IPT -A INPUT -i ${PUB_IF} -f -m limit –limit 5/m –limit-burst 7 -j LOG –log-level 4 –log-prefix “Fragments Packets”
  61. $IPT -A INPUT -i ${PUB_IF} -f -j DROP
  63. # Block bad stuff
  64. $IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags ALL FIN,URG,PSH -j DROP
  65. $IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags ALL ALL -j DROP
  67. $IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags ALL NONE -m limit –limit 5/m –limit-burst 7 -j LOG –log-level 4 –log-prefix “NULL Packets”
  68. $IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags ALL NONE -j DROP # NULL packets
  70. $IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags SYN,RST SYN,RST -j DROP
  72. $IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags SYN,FIN SYN,FIN -m limit –limit 5/m –limit-burst 7 -j LOG –log-level 4 –log-prefix “XMAS Packets”
  73. $IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
  75. $IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags FIN,ACK FIN -m limit –limit 5/m –limit-burst 7 -j LOG –log-level 4 –log-prefix “Fin Packets Scan”
  76. $IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
  78. $IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  80. # Allow full outgoing connection but no incomming stuff
  81. $IPT -A INPUT -i eth0 -m state –state ESTABLISHED,RELATED -j ACCEPT
  82. $IPT -A OUTPUT -o eth0 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT
  84. # Allow ssh
  85. $IPT -A INPUT -p tcp –destination-port 22 -j ACCEPT
  87. # allow incomming ICMP ping pong stuff
  88. $IPT -A INPUT -p icmp –icmp-type 8 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT
  89. $IPT -A OUTPUT -p icmp –icmp-type 0 -m state –state ESTABLISHED,RELATED -j ACCEPT
  91. # Allow port 53 tcp/udp (DNS Server)
  92. $IPT -A INPUT -p udp –dport 53 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT
  93. $IPT -A OUTPUT -p udp –sport 53 -m state –state ESTABLISHED,RELATED -j ACCEPT
  95. $IPT -A INPUT -p tcp –destination-port 53 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT
  96. $IPT -A OUTPUT -p tcp –sport 53 -m state –state ESTABLISHED,RELATED -j ACCEPT
  98. # Open port 80
  99. $IPT -A INPUT -p tcp –destination-port 80 -j ACCEPT
  100. ##### Add your rules below ######
  102. ##### END your rules ############
  104. # Do not log smb/windows sharing packets – too much logging
  105. $IPT -A INPUT -p tcp -i eth0 –dport 137:139 -j REJECT
  106. $IPT -A INPUT -p udp -i eth0 –dport 137:139 -j REJECT
  108. # log everything else and drop
  109. $IPT -A INPUT -j LOG
  110. $IPT -A FORWARD -j LOG
  111. $IPT -A INPUT -j DROP
  113. exit 0

    How do I install and use this script?

    Type the following command as root server:
    # mkdir /root/scripts
    # cd /root/scripts
    # wget http://bash.cyberciti.biz/dl/381.sh.zip
    # wget http://bash.cyberciti.biz/dl/151.sh.zip
    # unzip 381.sh.zip
    # unzip 151.sh.zip
    # mv 381.sh start.fw
    # mv 151.sh stop.fw
    # chmod +x *.fw
    Now edit firewall as per your requirements:
    # vi /root/scripts/start.fw
    Install firewall:
    # echo '/root/scripts/start.fw' >> /etc/rc.local

    How do I start firewall from a shell prompt?

    # /root/scripts/start.fw

    How do I stop firewall from a shell prompt?

    # /root/scripts/stop.fw

About these ads

Gửi phản hồi

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Thay đổi )

Twitter picture

You are commenting using your Twitter account. Log Out / Thay đổi )

Facebook photo

You are commenting using your Facebook account. Log Out / Thay đổi )

Hủy bỏ

Connecting to %s