#!/bin/sh
# DMZ WEB -- iptables rule set for a router with a public interface (eth0) and a DMZ segment (eth1) behind it
# Interfaces: the Internet-facing NIC and the DMZ segment behind it.
PUBLIC_IF="eth0"
DMZ_IF="eth1"
# TCP ports DMZ hosts may open towards the Internet, meant for the
# DMZ->public FORWARD port loop in firewall_input.  Note that 123 (NTP) is
# UDP in practice, so listing it as a TCP port does not help NTP clients.
PORT_FORWARD="80 123 443 25 110 995 143 22 21 20 194 5050 6667 3142"
# TCP ports on the firewall itself meant to be reachable from $PUBLIC_IF
# (INPUT port loop).  Review before deploying: this list exposes
# NetBIOS/SMB (135 137 139 445) and 3306 (MySQL) on the Internet side.
PUBLIC_PORT_ALLOW="10000 22 21 137 135 139 445 3306"
# "internet port in, local network always allow" -- not referenced by any
# rule in this script; kept so existing users of the variable still work.
PORT_IN="123 443 10000 25 110 995 143 22 21 20 5050 6667 3142"
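## Load the netfilter modules the rules below depend on.  These are the
## 2.4 / early-2.6 era names (ip_conntrack, ipt_state, ip_nat_ftp, ...);
## on newer kernels the match/target modules autoload and the helpers are
## called nf_conntrack_ftp / nf_conntrack_irc -- confirm against the
## running kernel.  A failed load is reported on stderr instead of being
## silently ignored, since the ftp/irc helpers are what the RELATED state
## matches rely on for FTP data connections and IRC DCC.
MODPROBE="/sbin/modprobe"
for mod in ip_tables iptable_filter iptable_nat iptable_mangle \
           ipt_LOG ipt_limit ipt_state \
           ip_nat_ftp ip_nat_irc \
           ip_conntrack ip_conntrack_ftp ip_conntrack_irc; do
  "$MODPROBE" "$mod" || printf 'warning: %s %s failed\n' "$MODPROBE" "$mod" >&2
done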
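firewall_basic()
{
  # Kernel-side prerequisites.  Enables IPv4 forwarding (this box routes
  # for the DMZ) and strict reverse-path filtering on every interface, so
  # the kernel drops packets whose source address is not routable back out
  # the interface they arrived on (e.g. a 192.168.2.x source showing up on
  # $PUBLIC_IF).  The rp_filter block was commented out in the original
  # and would not have parsed anyway (missing ';' before 'then' and 'do').
  # Write failures are reported, not ignored: without ip_forward the DMZ
  # has no connectivity, without rp_filter the source-address based rules
  # in firewall_input are spoofable.
  echo 1 > /proc/sys/net/ipv4/ip_forward \
    || printf 'warning: could not enable ip_forward\n' >&2
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > "$f" || printf 'warning: could not set %s\n' "$f" >&2
    done
  fi
}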
firewall_flush()
{
  # Reset netfilter to an empty, fully permissive state: every built-in
  # chain of the filter and nat tables gets policy ACCEPT, then all rules
  # and user-defined chains in filter, nat and mangle are removed.
  # This is fail-OPEN: between this call and firewall_input re-applying
  # the DROP policy the box accepts everything, and "stop" leaves it so.
  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT; do
    iptables -t nat -P "$chain" ACCEPT
  done
  # Flush before deleting: -X refuses to remove a non-empty chain.
  for tbl in filter nat mangle; do
    iptables -t "$tbl" -F
    iptables -t "$tbl" -X
  done
}
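firewall_input()
{
  # Build the filter and nat rule sets.  Expects firewall_flush to have run
  # first (every chain empty, policies ACCEPT) and reads the globals
  # DMZ_IF, PUBLIC_IF, PUBLIC_PORT_ALLOW and PORT_FORWARD.  IPv4 only:
  # ip6tables is never touched, so an IPv6-enabled host is unfiltered there.
  #
  # Fixed relative to the mailing-list copy:
  #  - iptables invocations were broken across two lines without a
  #    trailing backslash, so "-m" had no argument, the ESTABLISHED rule
  #    had no "-j" and the LOG rules lost their prefix; every command is
  #    now one logical line;
  #  - the "TEMPORARY" accept-all rule for $PUBLIC_IF made the INPUT DROP
  #    policy meaningless for the Internet side; replaced by the per-port
  #    allow-list that was commented out;
  #  - the trusted DMZ hosts were matched on source address only, which is
  #    spoofable from the public side; they are now bound to $DMZ_IF too;
  #  - the OUTPUT log rule carried the FORWARD prefix.

  # A. DEFAULT AND BASIC
  # A.1. Default filter policy: fail closed for traffic to the firewall.
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  # FORWARD policy is left as firewall_flush set it (ACCEPT), as in the
  # original.  Until it is switched to DROP -- which also needs the
  # non-TCP traffic the DMZ hosts depend on (DNS, NTP are UDP) allowed
  # explicitly -- the C.2 loop does not restrict anything and the C.4 LOG
  # rule records ordinary forwarded traffic, not dropped packets.
  #iptables -P FORWARD DROP

  # A.2. Unrestricted loopback
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # A.3. User chains: bad TCP packets, per-port allow-list, ICMP
  iptables -N bad_tcp_packets
  iptables -N allowed
  iptables -N icmp_packets

  # A.4. bad_tcp_packets: reset NEW connections that arrive as SYN/ACK,
  # log and drop any other NEW packet that is not a SYN.
  iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m state --state NEW -j REJECT --reject-with tcp-reset
  iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
    -j LOG --log-prefix "New not syn:"
  iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

  # A.5. allowed: accept new SYNs and the rest of established sessions for
  # the TCP ports that jump here; any other TCP packet is dropped.
  iptables -A allowed -p TCP --syn -j ACCEPT
  iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A allowed -p TCP -j DROP

  # A.6. icmp_packets: echo-request and time-exceeded from anywhere.  There
  # is no final DROP, so other ICMP types fall back to the calling chain.
  iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
  iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

  # B. INPUT CHAIN
  # B.1. bad packets
  iptables -A INPUT -p tcp -j bad_tcp_packets
  # B.2. ICMP
  iptables -A INPUT -p ICMP -s 0/0 -j icmp_packets
  # B.3. Trusted hosts on the DMZ side.  Binding to $DMZ_IF means a packet
  # arriving on the public side with a forged 192.168.2.x source is not
  # accepted.  Hosts on $DMZ_IF not listed here reach the DROP policy.
  for host in 192.168.2.1 192.168.2.2 192.168.2.3 192.168.2.4; do
    iptables -A INPUT -i "$DMZ_IF" -s "$host" -j ACCEPT
  done
  # B.4. Services on the firewall reachable from the public interface.
  # $PUBLIC_PORT_ALLOW is intentionally unquoted (one port per iteration).
  # The blanket "TEMPORARY" ACCEPT for $PUBLIC_IF that sat here is gone;
  # review the list itself, it includes NetBIOS/SMB and 3306.
  for PORT in $PUBLIC_PORT_ALLOW; do
    iptables -A INPUT -i "$PUBLIC_IF" -p tcp --dport "$PORT" -j allowed
  done
  # B.5. Replies to connections the firewall itself opened, any interface
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # B.6. Rate-limited log of what is about to hit the INPUT DROP policy
  iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

  # C. FORWARD CHAIN
  # C.1. bad packets
  iptables -A FORWARD -p tcp -j bad_tcp_packets
  # Return traffic for forwarded sessions.  Redundant while the policy is
  # ACCEPT, required the moment it becomes DROP.
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # C.2. DMZ -> public, TCP ports from $PORT_FORWARD (intentionally unquoted)
  for PORT in $PORT_FORWARD; do
    iptables -A FORWARD -p tcp -i "$DMZ_IF" --dport "$PORT" -j allowed
  done
  # C.3. Kept from the original.  Forwarded packets do not carry a loopback
  # source address, so this rule is not expected to match anything.
  iptables -A FORWARD -p ALL -s 127.0.0.1 -o "$PUBLIC_IF" -j ACCEPT
  # C.4. Rate-limited log of whatever reached the end of the chain
  iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

  # D. OUTPUT CHAIN (policy ACCEPT, so these rules only classify and log;
  # with the rule below, the log sees locally generated traffic that leaves
  # on an interface other than $PUBLIC_IF or lo)
  # D.1. bad packets
  iptables -A OUTPUT -p tcp -j bad_tcp_packets
  # D.2. Everything leaving on the public interface
  iptables -A OUTPUT -o "$PUBLIC_IF" -j ACCEPT
  # D.3. Rate-limited log; prefix corrected (was "IPT FORWARD ...")
  iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

  # F.2. Source-NAT everything leaving on the public interface, i.e. this
  # box is the router for the DMZ.
  iptables -t nat -A POSTROUTING -o "$PUBLIC_IF" -j MASQUERADE
}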
## Main routines
firewall_start() {
  # Bring the rule set up, or rebuild it in place: kernel sysctls first,
  # then a full flush, then the rules.  Always returns 0 regardless of what
  # the individual steps reported.  Note that firewall_flush leaves every
  # policy at ACCEPT for a moment before firewall_input re-applies DROP;
  # the "restart" action relies on this path rather than going via stop.
  for step in firewall_basic firewall_flush firewall_input; do
    "$step"
  done
  return 0
}
firewall_stop() {
  # Tear the rule set down.  This is fail-OPEN: firewall_flush sets every
  # policy to ACCEPT and removes all rules, so after "stop" both the box
  # and the DMZ behind it (ip_forward stays on) are unfiltered.
  # Always returns 0.
  firewall_flush
  return 0
}
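## Entry point: the action is the first argument.  An unknown action now
## prints the usage line on stderr and exits 2 (LSB "invalid argument")
## instead of printing to stdout and exiting 0.
case "$1" in
  start)
    echo "Starting firewall ..."
    firewall_start
    ;;
  stop)
    ## Fail-open: firewall_flush leaves every policy at ACCEPT.
    echo "Stopping firewall ..."
    firewall_stop
    ;;
  frestart)
    ## Same three steps as firewall_start, but the exit status is that of
    ## firewall_input's last command rather than a fixed 0.
    echo "Only restart firewall ..."
    firewall_basic
    firewall_flush
    firewall_input
    ;;
  restart)
    echo "Restarting firewall ..."
    ## Restarting should not stop the firewall
    ## since stopping opens the ports for a moment; firewall_start
    ## rebuilds on top of the running set (its own flush still opens a
    ## shorter window).
    firewall_start
    ;;
  reload)
    echo "Reloading firewall ..."
    firewall_start
    ;;
  status)
    iptables -nL
    echo
    iptables -t nat -nL
    ;;
  *)
    echo "Usage $0 {start|stop|frestart|restart|reload|status}" >&2
    exit 2
    ;;
esac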