oks, köszi, átírtam, de még mindig nem jó valami :(
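#!/bin/sh
# Stateful iptables firewall for a two-interface gateway:
#   - LAN on $IFACE_INT, uplink on $IFACE_EXT, MASQUERADE NAT towards the uplink
#   - transparent HTTP proxy (LAN port 80 -> local 3128)
#   - rate-limited inbound SSH forward on $PORT_SSH_EXT
# Requirements: root, and net-tools 'ifconfig' printing the old "inet addr:" form
# (newer ifconfig/iproute2 output is not parsed; the address check below catches that).
printf '%s' 'Configuring firewall '

# Everything below needs root. Bail out before touching anything, because a
# half-applied ruleset (policies DROP, accept rules missing) locks the box out.
if [ "$(id -u)" -ne 0 ]; then
  printf '\nerror: this script must run as root\n' >&2
  exit 1
fi

echo "1" > /proc/sys/net/ipv4/ip_forward

# constants
NET_INT=192.168.0.0/255.255.0.0   # address range covering the whole internal network
IFACE_INT=eth0                    # internal interface
IFACE_EXT=eth1                    # external interface
IP_GW=192.168.1.1
PORT_SSH_EXT=10000                # SSH external port
MORE_F_TCP_PORTS="544 1755 2628 6881 81"
MORE_F_UDP_PORTS="544 1755"
# 544 RealMedia, 1755 WindowsMedia, 2628 JDictionary, 6881 BitTorrent
# (the original note said 6880 but the list opens 6881 — confirm which is meant), 81 unlabelled
#IP_INT=192.168.100.1 #internal IP address

# Addresses are read from ifconfig; pattern/field handling is unchanged from the original.
IP_INT=$(ifconfig "$IFACE_INT" | grep 'inet addr' | cut -f2 -d: | cut -f1 -d' ')
# shellcheck disable=SC2034 — external IP, kept for reference; not used by any rule below
IP_EXT=$(ifconfig "$IFACE_EXT" | grep 'inet addr' | cut -f2 -d: | cut -f1 -d' ')
# An empty IP_INT would turn the SSH DNAT targets into "--to :10000", making iptables fail
# after the old rules were already flushed. Abort while the previous ruleset is still in place.
if [ -z "$IP_INT" ]; then
  printf '\nerror: could not determine the IPv4 address of %s\n' "$IFACE_INT" >&2
  exit 1
fi

# delete old rules
iptables -F
iptables --delete-chain
iptables -t nat -F
iptables -t nat --delete-chain
iptables -Z

# default policy: drop everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# create additional chains
iptables -N security
iptables -N dosattack
iptables -N sinput
iptables -N portscan

# reachability of the gateway
iptables -A INPUT -s "$IP_GW" -j ACCEPT
iptables -A OUTPUT -d "$IP_GW" -j ACCEPT

# port scan & Ping-of-Death logging
# NOTE(review): the LOG rules in this script carry no '-m limit'; a flood of matching
# packets floods the log as well. Consider rate-limiting the LOG targets.
iptables -A security -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "FW: Xmas-tree scan (?) "
# "! --state" is the extrapositioned negation; the original "--state ! ESTABLISHED" form is deprecated
iptables -A security -p tcp --tcp-flags ALL NONE -m state ! --state ESTABLISHED -j LOG --log-prefix "FW: Null scan (?) "
iptables -A security -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A security -p icmp --icmp-type echo-request -j LOG --log-prefix "FW: PingofDeath attack (?) "
iptables -A security -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -j security
iptables -A FORWARD -j security

# DoS attack & port scan filtering and logging
iptables -A dosattack -p tcp --syn -m limit --limit 8/s -j sinput
iptables -A dosattack -p tcp --syn -j LOG --log-prefix "FW: Syn-Flood attack (?) "
iptables -A dosattack -p tcp --syn -j DROP
iptables -A dosattack -j sinput

# incoming rules
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED   # accept already approved connections
iptables -A INPUT -j dosattack
iptables -A sinput -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "FW: hidded portscan ? "
iptables -A sinput -p tcp ! --syn -m state --state NEW -j DROP
iptables -A sinput -i "$IFACE_INT" -p tcp -s "$NET_INT" -m multiport --dport 20,21,25,53,80,3128 -m state --state NEW -j ACCEPT
iptables -A sinput -i "$IFACE_INT" -p udp -s "$NET_INT" -m multiport --dport 20,21,25,53,80,3128 -m state --state NEW -j ACCEPT
# NOTE(review): 443 is accepted on every interface, including the external one.
iptables -A sinput -p tcp --dport 443 -j ACCEPT
iptables -A sinput -p icmp -j ACCEPT
# NOTE(review): if IP_INT is this host's own address, the SSH DNAT below delivers the
# forwarded packets locally, and nothing in this chain accepts tcp dport 10000 — they end
# up at the REJECT. Verify where the forwarded SSH traffic is meant to land.
#iptables -A sinput -j LOG --log-prefix "FW: Rejected default (in) "
iptables -A sinput -j REJECT

# outgoing rules
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dport 20,21,25,53,80,110,443 -m state --state NEW,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dport 20,21,25,53,80,110,443 -m state --state NEW,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d "$NET_INT" --sport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp -d "$NET_INT" --sport 25 -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "FW: Rejected default (out) "
iptables -A OUTPUT -j REJECT

# forwarding rules
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 16/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -i "$IFACE_INT" -p tcp -m multiport --dport 20,21,53,80,110,123,443 -m state --state NEW,RELATED -j ACCEPT
# The UDP rule was truncated in the original ("...123,44" with no match/target); it is
# completed here to mirror the TCP rule above, which is the only sensible reading.
iptables -A FORWARD -i "$IFACE_INT" -p udp -m multiport --dport 20,21,53,80,110,123,443 -m state --state NEW,RELATED -j ACCEPT

# open the ports listed in MORE_F_TCP_PORTS / MORE_F_UDP_PORTS for forwarding
# (the variables are deliberately unquoted: word-splitting yields one port per iteration)
if test -n "$MORE_F_TCP_PORTS"; then
  for i in $MORE_F_TCP_PORTS; do
    iptables -A FORWARD -i "$IFACE_INT" -p tcp --dport "$i" -m state --state NEW,RELATED -j ACCEPT
  done
fi
if test -n "$MORE_F_UDP_PORTS"; then
  for i in $MORE_F_UDP_PORTS; do
    iptables -A FORWARD -i "$IFACE_INT" -p udp --dport "$i" -m state --state NEW,RELATED -j ACCEPT
  done
fi
#iptables -A FORWARD -j LOG --log-prefix "FW: Rejected default (fwd) "
iptables -A FORWARD -j REJECT

# NAT
iptables -t nat -A POSTROUTING -o "$IFACE_EXT" -j MASQUERADE

# transparent proxy
iptables -t nat -A PREROUTING -i "$IFACE_INT" -s "$NET_INT" -p tcp --dport 80 -j REDIRECT --to-ports 3128

# inbound SSH: new connections (SYN) are forwarded at most 60/hour, the rest are logged and dropped;
# non-SYN packets are forwarded unconditionally and left to conntrack/FORWARD to sort out
iptables -t nat -A PREROUTING -p tcp --dport "$PORT_SSH_EXT" --syn -m limit --limit 60/hour -j LOG --log-prefix "FW: Permitted SSH connect "
iptables -t nat -A PREROUTING -p tcp --dport "$PORT_SSH_EXT" --syn -m limit --limit 60/hour -j DNAT --to "$IP_INT:10000"
iptables -t nat -A PREROUTING -p tcp --dport "$PORT_SSH_EXT" --syn -j LOG --log-prefix "FW: Unpermitted SSH Connect "
iptables -t nat -A PREROUTING -p tcp --dport "$PORT_SSH_EXT" --syn -j DROP
iptables -t nat -A PREROUTING -p tcp --dport "$PORT_SSH_EXT" -j DNAT --to "$IP_INT:10000"
printf 'Done\n'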