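#!/bin/sh
# Host firewall: default-deny INPUT/FORWARD for IPv4 and IPv6, stateful
# accept for established traffic, and a short allow-list (www publicly,
# Samba and FTP only from the local network).
#
# Usage: run as root; iptables/ip6tables need CAP_NET_ADMIN. Every rule
# previously loaded in the filter, nat and mangle tables is discarded.
# Environment: none read. Diagnostics go to stderr; the three original
# "allow ..." progress lines go to stdout.
#
# Abort on the first failing command (-e) and on unset names (-u). Because
# the DROP policies are set before the rules are loaded, an abort leaves
# the host closed rather than open; the EXIT trap says so on stderr.
set -eu

readonly ipt=/sbin/iptables
readonly ip6t=/sbin/ip6tables
# Local (IPv4) network allowed to reach Samba and FTP.
readonly localnet=172.17.0.0/24
# Passive FTP data port range; must match the FTP server's configuration.
readonly ftp_pasv=50000:50100

trap 'rc=$?; if [ "$rc" -ne 0 ]; then printf "firewall: aborted with status %s, INPUT/FORWARD are left at policy DROP\n" "$rc" >&2; fi' EXIT

for tool in "$ipt" "$ip6t"; do
  if [ ! -x "$tool" ]; then
    printf 'firewall: %s is not executable\n' "$tool" >&2
    exit 1
  fi
done

# --- reset -------------------------------------------------------------
# Policies are set to DROP *before* flushing so that an empty chain never
# accepts anything while the rules below are being loaded (OUTPUT stays
# ACCEPT throughout). The previous version flushed with ACCEPT policies,
# which opened every port for the duration of the script.
for t in "$ipt" "$ip6t"; do
  "$t" -P INPUT DROP
  "$t" -P FORWARD DROP
  "$t" -P OUTPUT ACCEPT
  "$t" -F
  "$t" -X
  "$t" -t mangle -F
  "$t" -t mangle -X
done
"$ipt" -t nat -F
"$ipt" -t nat -X
# The IPv6 nat table is deliberately left alone: its availability depends on
# the kernel, and the original script kept the ip6tables nat flush disabled.

# --- IPv4 INPUT --------------------------------------------------------
# Per-protocol chains for new connections; the allow-list goes in here.
"$ipt" -N TCP
"$ipt" -N UDP

# ICMP echo-request limiter: a source that already has 5 hits within 10 s
# in the "icmp-echo" recent list is dropped. These two rules are the first
# in INPUT on purpose (the original inserted them with -I, which produced
# this same final order): they must run before the RELATED,ESTABLISHED
# accept below, which conntrack would otherwise let repeated echo requests
# through on. "update, then set" is kept as in the original.
"$ipt" -A INPUT -p icmp --icmp-type 8 -m recent --name icmp-echo \
  --update --seconds 10 --hitcount 5 -j DROP
"$ipt" -A INPUT -p icmp --icmp-type 8 -m recent --name icmp-echo --set
# Everything belonging to a known connection is accepted.
"$ipt" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Loopback.
"$ipt" -A INPUT -i lo -J ACCEPT 2>/dev/null || "$ipt" -A INPUT -i lo -j ACCEPT
# Drop packets conntrack cannot classify.
# Note: ICMPv6 Neighbor Discovery packets remain untracked and are always
# classified INVALID even though they are not corrupted; accept them before
# this rule if they matter here (e.g. 6in4: "$ipt -A INPUT -p 41 -j ACCEPT").
"$ipt" -A INPUT -m conntrack --ctstate INVALID -j DROP
# Answer pings (new echo requests that survived the limiter above).
"$ipt" -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# Hand new connections to the per-protocol allow-list chains.
"$ipt" -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
"$ipt" -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# Everything else is rejected with the protocol-appropriate error.
"$ipt" -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
"$ipt" -A INPUT -p tcp -j REJECT --reject-with tcp-rst
"$ipt" -A INPUT -j REJECT --reject-with icmp-proto-unreachable

# --- IPv4 allow-list ---------------------------------------------------
# www, reachable from anywhere.
"$ipt" -A TCP -p tcp -m tcp --dport 80 -j ACCEPT
printf '%s\n' 'allow www 80'
# Samba, local network only.
"$ipt" -A UDP -p udp -m udp -s "$localnet" --dport 137 -j ACCEPT
"$ipt" -A UDP -p udp -m udp -s "$localnet" --dport 138 -j ACCEPT
"$ipt" -A TCP -p tcp -m tcp -s "$localnet" --dport 139 -j ACCEPT
"$ipt" -A TCP -p tcp -m tcp -s "$localnet" --dport 445 -j ACCEPT
printf '%s\n' 'allow samba in localnet 137,138,139,445'
# FTP control and passive data ports, local network only.
"$ipt" -A TCP -s "$localnet" -p tcp --dport 21 -j ACCEPT
"$ipt" -A TCP -s "$localnet" -p tcp -m tcp --dport "$ftp_pasv" -j ACCEPT
printf '%s\n' 'allow ftp from localnet'
printf '%s\n' "allow ftp passive $ftp_pasv"

# --- IPv6 INPUT --------------------------------------------------------
# The previous version flushed ip6tables and left all policies at ACCEPT,
# so every IPv6 port on the host stayed reachable regardless of the IPv4
# rules. Mirror the IPv4 policy here: stateful accept, loopback, all ICMPv6
# (Neighbour Discovery is required for IPv6 to work and is flagged INVALID
# by conntrack, so it is accepted before the INVALID drop), the public www
# port, and reject the rest. Samba/FTP are bound to an IPv4 range and have
# no IPv6 counterpart; add one here if the service listens on IPv6.
"$ip6t" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"$ip6t" -A INPUT -i lo -j ACCEPT
"$ip6t" -A INPUT -p ipv6-icmp -j ACCEPT
"$ip6t" -A INPUT -m conntrack --ctstate INVALID -j DROP
"$ip6t" -A INPUT -p tcp --syn -m conntrack --ctstate NEW --dport 80 -j ACCEPT
"$ip6t" -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
"$ip6t" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
"$ip6t" -A INPUT -j REJECT --reject-with icmp6-adm-prohibited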