
simplefirewall

Quelle

Hint: before enabling it, add this to your /etc/crontab:

*/5 *   * * *   root /etc/init.d/simplefirewall stop >> /var/log/firewall.stop

Then check /var/log/firewall.stop to make sure it runs. This reopens your firewall every 5 minutes so that you cannot lock yourself out. When everything works as expected, comment it out.

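#!/bin/bash
#
# Very simple iptables firewall for a single interface.
#
# Usage: simplefirewall start | stop | close
#   start - flush everything, set DROP policies and load the rule set below
#   stop  - flush everything and set ACCEPT policies (firewall off)
#   close - flush everything, INPUT DROP (only lo and ping get in),
#           OUTPUT ACCEPT
#
# Notes:
#   * IPv4 only: ip6tables is never touched, so IPv6 traffic is not
#     filtered by this script at all.
#   * Must run as root (iptables and the /proc/sys writes need it); the
#     script refuses to run otherwise instead of printing a false success
#     message after every iptables call has failed.
#   * Exit status: 0 after an action, 1 on bad usage or when not root.

IF="eth0"            # interface to filter
HIPORT="1024:65535"  # unprivileged source-port range (don't change)

# Prefer the iptables found in $PATH, fall back to the usual location.
IPTABLES=$(command -v iptables) || IPTABLES="/usr/sbin/iptables"

#######################################
# Flush all rules and delete user-defined chains in the filter table.
# Globals:   IPTABLES (read)
# Arguments: none
#######################################
flush_filter() {
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -F INPUT
  "$IPTABLES" -F OUTPUT
}

#######################################
# Write a value to a /proc/sys knob. A missing or unwritable knob is
# reported on stderr but does not stop the remaining hardening steps.
# Arguments: $1 - full path of the knob, $2 - value to write
#######################################
set_sysctl() {
  local knob=$1 value=$2
  if [[ -w "$knob" ]]; then
    echo "$value" > "$knob"
  else
    echo "warning: cannot write $knob" >&2
  fi
}

#######################################
# Kernel-side hardening for the filtered interface.
# Globals:   IF (read)
# Arguments: none
#######################################
harden_kernel() {
  set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1       # ignore pings to broadcast addresses
  set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1                    # SYN flood protection
  set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
  set_sysctl "/proc/sys/net/ipv4/conf/$IF/rp_filter" 1              # reverse-path check against spoofed sources
  set_sysctl "/proc/sys/net/ipv4/conf/$IF/accept_redirects" 0
  set_sysctl "/proc/sys/net/ipv4/conf/$IF/accept_source_route" 0
  set_sysctl "/proc/sys/net/ipv4/conf/$IF/bootp_relay" 0
  set_sysctl "/proc/sys/net/ipv4/conf/$IF/log_martians" 1
}

#######################################
# "close": block everything inbound except loopback and ping, allow
# everything outbound. Note that no ESTABLISHED rule exists here, so
# replies to outgoing connections are dropped too - this is the
# emergency "shut the door" mode.
# Globals:   IPTABLES (read)
#######################################
fw_close() {
  flush_filter
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -A INPUT -p icmp --icmp-type 8 -j ACCEPT
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  echo "Firewall closed, all connections blocked"
}

#######################################
# "stop": firewall off, everything accepted. This is what the crontab
# safety net from the page header calls.
# Globals:   IPTABLES (read)
#######################################
fw_stop() {
  flush_filter
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  echo "Firewall stopped, all connections allowed"
}

#######################################
# "start": load the full rule set.
# Globals:   IPTABLES, IF, HIPORT (read)
#######################################
fw_start() {
  # First of all, flush all rules (filter + nat tables).
  flush_filter
  "$IPTABLES" -F -t nat
  "$IPTABLES" -F FORWARD

  # Default policy DROP on every chain; the rules below only add
  # exceptions. This host does not route, so FORWARD stays empty.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -N dropchain

  harden_kernel

  # local processes:
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

  # icmp: ping both ways plus the error types needed for working
  # path MTU discovery and traceroute-style diagnostics.
  "$IPTABLES" -A INPUT  -i "$IF" -p icmp --icmp-type echo-request -j ACCEPT
  "$IPTABLES" -A INPUT  -i "$IF" -p icmp --icmp-type echo-reply -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$IF" -p icmp --icmp-type echo-request -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$IF" -p icmp --icmp-type echo-reply -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$IF" -p icmp --icmp-type source-quench -j ACCEPT
  "$IPTABLES" -A INPUT  -i "$IF" -p icmp --icmp-type time-exceeded -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$IF" -p icmp --icmp-type time-exceeded -j ACCEPT
  "$IPTABLES" -A INPUT  -i "$IF" -p icmp --icmp-type parameter-problem -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$IF" -p icmp --icmp-type parameter-problem -j ACCEPT
  "$IPTABLES" -A INPUT  -i "$IF" -p icmp --icmp-type fragmentation-needed -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$IF" -p icmp --icmp-type fragmentation-needed -j ACCEPT

  ########### start of custom rules ############
  # Inbound services. The --sport restriction only matches clients that
  # use an unprivileged source port; a client connecting from a port
  # below 1024 is dropped (and logged) by dropchain.

  # let HTTP in
  "$IPTABLES" -A INPUT -m state --state NEW -i "$IF" -p tcp --sport "$HIPORT" --dport http -j ACCEPT

  # let SSH in
  "$IPTABLES" -A INPUT -m state --state NEW -i "$IF" -p tcp --sport "$HIPORT" --dport ssh -j ACCEPT

  # let FTP in (the data connection only works with the FTP conntrack
  # helper loaded: ip_conntrack_ftp / nf_conntrack_ftp)
  "$IPTABLES" -A INPUT -m state --state NEW -i "$IF" -p tcp --sport "$HIPORT" --dport ftp -j ACCEPT

  # let everything out
  "$IPTABLES" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -o "$IF" -p tcp -j ACCEPT
  "$IPTABLES" -A OUTPUT -m state --state NEW,ESTABLISHED -o "$IF" -p udp -j ACCEPT
  # let all answers in
  "$IPTABLES" -A INPUT  -m state --state ESTABLISHED,RELATED -i "$IF" -p tcp -j ACCEPT
  "$IPTABLES" -A INPUT  -m state --state ESTABLISHED -i "$IF" -p udp -j ACCEPT

  ########### end of custom rules ############

  # drop & log everything else
  "$IPTABLES" -A INPUT  -j dropchain
  "$IPTABLES" -A OUTPUT -j dropchain

  # dropchain: every packet is logged (except icmp) and then dropped.
  # The LOG rules are not rate limited; under a flood they can fill the
  # log - add "-m limit" to them if that becomes a problem.
  "$IPTABLES" -A dropchain -p icmp -j DROP      # don't log outgoing icmp
  "$IPTABLES" -A dropchain -p tcp -m state --state INVALID -j LOG --log-level info --log-prefix "FW log INVALID: "
  "$IPTABLES" -A dropchain -j LOG --log-level info --log-prefix "FW log: "      # log everything
  "$IPTABLES" -A dropchain -j DROP

  echo "Firewall up and running..."
}

#######################################
# Entry point: validate the action, require root, dispatch.
# Arguments: $1 - start | stop | close
# Returns:   exits 0 after the action, 1 on usage error or when not root
#######################################
main() {
  local action=${1-}
  case "$action" in
    start|stop|close) ;;
    *)
      echo "usage: start | stop | close" >&2
      exit 1
      ;;
  esac

  # Without root every iptables call and /proc write fails; bail out
  # here rather than report success on an unchanged rule set.
  if (( EUID != 0 )); then
    echo "error: this script must be run as root" >&2
    exit 1
  fi

  case "$action" in
    close) fw_close ;;
    stop)  fw_stop ;;
    start) fw_start ;;
  esac
  exit 0
}

main "$@"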