
HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Server Operation (http://www.howtoforge.com/forums/forumdisplay.php?f=5)
-   -   Firewall script (http://www.howtoforge.com/forums/showthread.php?t=4152)

ColdDoT 8th May 2006 20:34

Firewall script
 
Hello

At last I have found a nice firewall script.
After customizing it, it will not work for everything. It only works for SSH (pfff, and I'm happy that that isn't blocked) and FTP (so far I have tested it).

This is my script:
Code:

#!/bin/bash
NAME="firewall"
IPTABLES="/sbin/iptables"
case "$1" in
start)
echo -n "Starting firewall.."
#Flush then restrict
$IPTABLES -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP

# For ping and traceroute
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 30 -j ACCEPT

# For traceroute
$IPTABLES -A INPUT -i eth0 -p udp --source-port 32769:65535 \
--destination-port 33434:33523 -j ACCEPT

$IPTABLES -A OUTPUT -p udp --source-port 32769:65535 \
--destination-port 33434:33523 -j ACCEPT

$IPTABLES -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 30 -j ACCEPT

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

############################################################################################################
#Custom ports from low to high
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
############################################################################################################
#query                #Type                   #port         #accept/deny      #Protocol
$IPTABLES -A INPUT -p tcp --destination-port  20:21 -j      ACCEPT            # FTP
$IPTABLES -A INPUT -p tcp --destination-port  22 -j        ACCEPT            # SSH
$IPTABLES -A INPUT -p tcp --destination-port  25 -j        ACCEPT            # SMTP
$IPTABLES -A INPUT -p tcp --destination-port  53 -j        ACCEPT            # DNS
$IPTABLES -A INPUT -p udp --destination-port  53 -j        ACCEPT            # DNS
$IPTABLES -A INPUT -p tcp --destination-port  143 -j        ACCEPT            # IMAP
$IPTABLES -A INPUT -p tcp --destination-port  443 -j        ACCEPT            # HTTPS
$IPTABLES -A INPUT -p tcp --destination-port  666 -j        ACCEPT            # HTTPS monit
$IPTABLES -A INPUT -p udp --destination-port  666 -j        ACCEPT            # TeamSpeak cold server
$IPTABLES -A INPUT -p udp --destination-port  7777 -j      ACCEPT            # Tactical Ops server
$IPTABLES -A INPUT -p udp --destination-port  7778 -j      ACCEPT            # Tactical Ops server query
$IPTABLES -A INPUT -p udp --destination-port  32768 -j      ACCEPT            # DNS
$IPTABLES -A INPUT -p tcp --dport auth -j                   REJECT            # Reject auth/ident (tcp 113)
############################################################################################################
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
############################################################################################################
#query                #Type                   #port         #accept/deny      #Protocol
$IPTABLES -A OUTPUT -p tcp --destination-port  20:21 -j      ACCEPT            # FTP
$IPTABLES -A OUTPUT -p tcp --destination-port  25 -j        ACCEPT            # SMTP
$IPTABLES -A OUTPUT -p tcp --destination-port  80 -j        ACCEPT            # HTTP
$IPTABLES -A OUTPUT -p tcp --destination-port  110 -j        ACCEPT            # POP
$IPTABLES -A OUTPUT -p tcp --destination-port  143 -j        ACCEPT            # IMAP
$IPTABLES -A OUTPUT -p tcp --destination-port  666 -j        ACCEPT            # HTTPS monit
$IPTABLES -A OUTPUT -p udp --destination-port  666 -j        ACCEPT            # TeamSpeak cold server
$IPTABLES -A OUTPUT -p tcp --destination-port  993 -j        ACCEPT            # SIMAP
$IPTABLES -A OUTPUT -p tcp --destination-port  995 -j        ACCEPT            # SPOP
$IPTABLES -A OUTPUT -p udp --destination-port  7777 -j      ACCEPT            # Tactical Ops server
$IPTABLES -A OUTPUT -p udp --destination-port  7778 -j      ACCEPT            # Tactical Ops server query
$IPTABLES -A OUTPUT -p tcp --destination-port  8090 -j      ACCEPT            # FrontPage extension
$IPTABLES -A OUTPUT -p tcp --destination-port  14534 -j      ACCEPT            # TeamSpeak admin page
############################################################################################################
#End custom ports
############################################################################################################
$IPTABLES -A INPUT -p tcp --dport auth -j REJECT # Reject auth/ident (tcp 113); duplicates the rule above
$IPTABLES -A INPUT -p tcp -i lo -d 0/0 -j ACCEPT # loopback already accepted above
echo "..done"
;;
stop)
echo -n "Stopping firewall.."
$IPTABLES -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
echo "done"
;;
*)
echo "Usage: $NAME {start|stop}"
exit 1
;;
esac

I run this script with this command after chmod 755:
Code:

/etc/init.d/firewall start ; sleep 30 ; /etc/init.d/firewall stop
(the stop after 30 seconds is just in case)

Does anyone know what's wrong with it?
I can't access my site with the firewall on:
www.colddot.nl
or any of my client sites.

Greets, Kevin Valk

falko 8th May 2006 23:50

I can't find
Code:

$IPTABLES -A INPUT -p tcp --destination-port  80 -j        ACCEPT
in that script...
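A way to catch this kind of gap before bringing the firewall up, as an added example that is not part of the original thread: list the INPUT chain with `iptables -S INPUT` (which prints rules in a fixed `--dport` form, unlike `-L`) and check every port the server must serve against it. The `RULES` text below is a constructed excerpt that mirrors the posted script (SSH, FTP, SMTP, IMAP, HTTPS and DNS open, auth rejected, no tcp/80); on a live host set `RULES=$(iptables -S INPUT)` instead. The function names and the port list are this example's own choices.

```bash
#!/bin/bash
# Added example, not code from the original thread. Given an INPUT chain
# listing in `iptables -S INPUT` format, report which of the ports a server
# must accept have no ACCEPT rule. RULES is a constructed excerpt that mirrors
# the posted script; on a live host use RULES=$(iptables -S INPUT).

RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable'

# accepts_port PROTO PORT RULES -> exit 0 if an ACCEPT rule covers PROTO/PORT,
# handling both single ports (--dport 22) and ranges (--dport 20:21).
accepts_port() {
    local proto=$1 port=$2 rules=$3 line dport low high
    while IFS= read -r line; do
        case "$line" in
            *"-p $proto "*"-j ACCEPT"*) ;;   # only ACCEPT rules for this protocol
            *) continue ;;
        esac
        dport=$(printf '%s\n' "$line" | sed -n 's/.*--dport \([0-9:]*\).*/\1/p')
        [ -n "$dport" ] || continue            # no --dport: not a port rule
        low=${dport%%:*}; high=${dport##*:}
        if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
            return 0
        fi
    done <<EOF
$rules
EOF
    return 1
}

# missing_ports RULES PROTO/PORT... -> prints the wanted PROTO/PORT entries
# that no ACCEPT rule covers, space separated (empty line if none).
missing_ports() {
    local rules=$1 want proto port missing=""
    shift
    for want in "$@"; do
        proto=${want%/*}; port=${want#*/}
        accepts_port "$proto" "$port" "$rules" || missing="$missing $want"
    done
    printf '%s\n' "${missing# }"
}

# What a web + mail host like the one in the thread needs reachable:
missing_ports "$RULES" tcp/21 tcp/22 tcp/25 tcp/80 tcp/143 tcp/443 udp/53
```

Run against the constructed listing this prints `tcp/80`, the same hole falko pointed out. Two caveats for the posted script itself: the two `--dport auth --j REJECT` lines are a typo for `-j`, so iptables rejects those commands, and since the script has no `set -e` it carries on regardless, which is why the rest of the rules still load; and the `start ; sleep 30 ; stop` pattern is a sensible lockout guard when testing over SSH, so keep it until the check above comes back empty.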

