Thread: Firewall script
Old 8th May 2006, 21:34
ColdDoT
Senior Member
 
Join Date: Jan 2006
Location: Netherland
Posts: 178
Thanks: 0
Thanked 1 Time in 1 Post
Firewall script

Hello

At last I have found a nice firewall script.
After customizing it, it will not work for everything. It only works for SSH (pfff, and I'm happy that that isn't blocked) and FTP (so far as I have tested it).

this is my script
Code:
#!/bin/bash
NAME="firewall"
IPTABLES="/sbin/iptables"
case "$1" in
start)
echo -n "Starting firewall.."
# Flush all rules, then default to dropping everything not explicitly allowed
$IPTABLES -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP

# For ping and traceroute (ICMP types: 0 echo reply, 8 echo request,
# 3 destination unreachable, 4 source quench, 11 time exceeded,
# 12 parameter problem, 30 traceroute)
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 30 -j ACCEPT

# For traceroute (UDP probes in the traditional port range)
$IPTABLES -A INPUT -i eth0 -p udp --source-port 32769:65535 \
--destination-port 33434:33523 -j ACCEPT

$IPTABLES -A OUTPUT -p udp --source-port 32769:65535 \
--destination-port 33434:33523 -j ACCEPT

$IPTABLES -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 30 -j ACCEPT

# Loopback traffic
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

############################################################################################################
# Custom ports from low to high
# Accept packets belonging to connections already tracked as established/related
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
############################################################################################################
#rule                 #proto                   #port         #accept/deny      #service
$IPTABLES -A INPUT -p tcp --destination-port   20:21 -j      ACCEPT            # FTP
$IPTABLES -A INPUT -p tcp --destination-port   22 -j         ACCEPT            # SSH
$IPTABLES -A INPUT -p tcp --destination-port   25 -j         ACCEPT            # SMTP
$IPTABLES -A INPUT -p tcp --destination-port   53 -j         ACCEPT            # DNS
$IPTABLES -A INPUT -p udp --destination-port   53 -j         ACCEPT            # DNS
$IPTABLES -A INPUT -p tcp --destination-port   143 -j        ACCEPT            # IMAP
$IPTABLES -A INPUT -p tcp --destination-port   443 -j        ACCEPT            # HTTPS
$IPTABLES -A INPUT -p tcp --destination-port   666 -j        ACCEPT            # HTTPS monit
$IPTABLES -A INPUT -p udp --destination-port   666 -j        ACCEPT            # TeamSpeak cold server
$IPTABLES -A INPUT -p udp --destination-port   7777 -j       ACCEPT            # Tactical Ops server
$IPTABLES -A INPUT -p udp --destination-port   7778 -j       ACCEPT            # Tactical Ops server query
$IPTABLES -A INPUT -p udp --destination-port   32768 -j      ACCEPT            # DNS
$IPTABLES -A INPUT -p tcp --dport auth -j                    REJECT            # Reject ident/auth (tcp 113) so clients get a fast refusal
############################################################################################################
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
############################################################################################################
#rule                  #proto                   #port         #accept/deny      #service
$IPTABLES -A OUTPUT -p tcp --destination-port   20:21 -j      ACCEPT            # FTP
$IPTABLES -A OUTPUT -p tcp --destination-port   25 -j         ACCEPT            # SMTP
$IPTABLES -A OUTPUT -p tcp --destination-port   80 -j         ACCEPT            # HTTP
$IPTABLES -A OUTPUT -p tcp --destination-port   110 -j        ACCEPT            # POP
$IPTABLES -A OUTPUT -p tcp --destination-port   143 -j        ACCEPT            # IMAP
$IPTABLES -A OUTPUT -p tcp --destination-port   666 -j        ACCEPT            # HTTPS monit
$IPTABLES -A OUTPUT -p udp --destination-port   666 -j        ACCEPT            # TeamSpeak cold server
$IPTABLES -A OUTPUT -p tcp --destination-port   993 -j        ACCEPT            # SIMAP
$IPTABLES -A OUTPUT -p tcp --destination-port   995 -j        ACCEPT            # SPOP
$IPTABLES -A OUTPUT -p udp --destination-port   7777 -j       ACCEPT            # Tactical Ops server
$IPTABLES -A OUTPUT -p udp --destination-port   7778 -j       ACCEPT            # Tactical Ops server query
$IPTABLES -A OUTPUT -p tcp --destination-port   8090 -j       ACCEPT            # FrontPage extension
$IPTABLES -A OUTPUT -p tcp --destination-port   14534 -j      ACCEPT            # TeamSpeak admin page
############################################################################################################
# End custom ports
############################################################################################################
$IPTABLES -A INPUT -p tcp -i lo -d 0/0 -j ACCEPT
echo "..done"
;;
stop)
echo -n "Stopping firewall.."
# Flush everything and open INPUT/OUTPUT again (FORWARD stays closed)
$IPTABLES -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
echo "done"
;;
*)
echo "Usage: $NAME {start|stop}"
exit 1
;;
esac
exit 0
I run this script with this command after chmod 755:
/etc/init.d/firewall start ; sleep 30 ; /etc/init.d/firewall stop (just in case)

Does anyone know what's wrong with it?
I can't access my site with the firewall on,
www.colddot.nl
or any of my client sites.

Greets, Kevin Valk
__________________
2B or not 2B (a pro)
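The posted script ends with a DROP policy on INPUT, so any new connection that no ACCEPT rule matches is silently dropped. A quick way to check a ruleset like this without touching the live firewall is to emulate the first-match walk iptables performs. The script below is an added example, not code from the post or from the author; the rule table in it is constructed from the INPUT chain above (ICMP and ESTABLISHED/RELATED rules are left out because they cannot match a NEW tcp/udp packet), and the chain policies mirror the "start" branch. Running it shows that tcp/22 and tcp/21 are accepted but tcp/80 has no rule and falls through to the policy, which is consistent with the web sites being unreachable while the firewall is up.

```shell
#!/bin/sh
# Added example, not part of the original post or the posted script. It is an
# offline evaluator for "would a NEW packet to this chain/proto/port be
# accepted?" using iptables first-match semantics and the chain policy as the
# fallback. Nothing here talks to the kernel, so it runs anywhere.

# Constructed rule table modelled on the INPUT chain of the posted script
# (ESTABLISHED/RELATED and ICMP rules omitted: they do not match a NEW tcp/udp
# packet). Columns: CHAIN PROTO DPORT TARGET; DPORT may be a range lo:hi.
RULES='INPUT tcp 20:21 ACCEPT
INPUT tcp 22 ACCEPT
INPUT tcp 25 ACCEPT
INPUT tcp 53 ACCEPT
INPUT udp 53 ACCEPT
INPUT tcp 143 ACCEPT
INPUT tcp 443 ACCEPT
INPUT udp 666 ACCEPT
INPUT tcp 113 REJECT'

# Chain policies as set by the "start" branch of the posted script
policy() {
    case $1 in
        INPUT|OUTPUT|FORWARD) echo DROP ;;
        *) echo ACCEPT ;;
    esac
}

# verdict CHAIN PROTO PORT: print the target of the first matching rule,
# or the chain policy when no rule matches (the same walk iptables performs)
verdict() {
    printf '%s\n' "$RULES" | awk -v c="$1" -v p="$2" -v d="$3" -v pol="$(policy "$1")" '
        $1 != c { next }                       # wrong chain
        $2 != p { next }                       # wrong protocol
        {
            lo = hi = $3
            if (split($3, r, ":") == 2) { lo = r[1]; hi = r[2] }   # port range lo:hi
            if (d + 0 >= lo + 0 && d + 0 <= hi + 0) { print $4; found = 1; exit }
        }
        END { if (!found) print pol }'
}

# Usage: print the verdict for a few ports. tcp/80 has no rule, so a new HTTP
# connection lands on the DROP policy while ssh and ftp are accepted.
for port in 21 22 80 443; do
    printf 'NEW INPUT tcp/%s -> %s\n' "$port" "$(verdict INPUT tcp "$port")"
done
```

The same function answers the question for any chain: with the OUTPUT policy also at DROP, a connection the server itself opens to a port that has no OUTPUT ACCEPT rule is dropped in the same way, which is worth checking for outbound DNS and HTTPS before relying on the "sleep 30 ; stop" safety net.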