Re: Default Policy = DROP. Help-me

To: Debian Firewall <debian-firewall@lists.debian.org>
Subject: Re: Default Policy = DROP. Help-me
From: Yuri Rodrigues <yurirbraz@gmail.com>
Date: Wed, 24 Oct 2007 15:57:08 -0200
Message-id: <[🔎] 471F8774.2070204@gmail.com>
In-reply-to: <[🔎] 471F53A3.9070602@whylee.at>
References: <[🔎] 471F28C6.3050102@gmail.com> <[🔎] 471F53A3.9070602@whylee.at>

#!/bin/sh

# Firewall System
# Author - Yuri Rodrigues
# Mail - yurirbraz@gmail.com
#
# It is recognized that:
# Eth0 = Intranet
# Eth1 = Internet

intranet="eth0"
iptables="/sbin/iptables"
internet="eth1"
rede="192.168.121.0/24"

echo "-----------------======= Firewall =======------------------"
echo "                    By: Yuri Rodrigues      "
echo "LOGS: [ /var/log/kern.log ]                 "
echo ""
echo "Starting the script                                         "
echo ""

#### Policing ####
# Filter Table
$iptables -t filter -P INPUT DROP
$iptables -t filter -P OUTPUT DROP
$iptables -t filter -P FORWARD DROP
# Nat Table
$iptables -t nat -P PREROUTING ACCEPT
$iptables -t nat -P OUTPUT ACCEPT
$iptables -t nat -P POSTROUTING ACCEPT
# Mangle Table
$iptables -t mangle -P PREROUTING ACCEPT
$iptables -t mangle -P OUTPUT ACCEPT
$iptables -t mangle -P INPUT ACCEPT
$iptables -t mangle -P POSTROUTING ACCEPT
echo "Policing .......................................... [ OK ]"

#### Loading Modules ####
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_queue
modprobe ip_tables
modprobe ipt_LOG
modprobe ipt_MARK
modprobe ipt_MASQUERADE
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_TCPMSS
modprobe ipt_TOS
modprobe ipt_limit
modprobe ipt_mac
modprobe ipt_mark
modprobe ipt_multiport
modprobe ipt_owner
modprobe ipt_state
modprobe ipt_tcpmss
modprobe ipt_tos
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "Loading Modules ................................... [ OK ]"

#### Flush Rules ####
$iptables -F
$iptables -t nat -F
$iptables -t mangle -F
echo "Flush Rules ....................................... [ OK ]"

echo "1" > /proc/sys/net/ipv4/ip_forward

#### Allowing already established connections ####
$iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "Allowing already established connections .......... [ OK ]"

#### LoopBack Traffic Accepted ####
$iptables -A INPUT -i lo -j ACCEPT

echo ">>>>>>>>>>>>>>>>>> Regras para usuarios <<<<<<<<<<<<<<<<<<"

#### Debugging ####

#$iptables -A INPUT -m limit --limit 3/minute -j LOG --log-prefix"[INPUT] : "#$iptables -A OUTPUT -m limit --limit 3/minute -j LOG --log-prefix"[OUTPUT] : "

#$iptables -A FORWARD -j LOG --log-prefix "[FORWARD] : "

#### SSH Access ####
## LAN 2 FIREWALL

$iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j LOG--log-prefix "[IPTABLES SSH] : " --log-level 6 --log-tcp-options--log-ip-options$iptables -A INPUT -p tcp -m tcp --sport 22 -m state --state NEW -j LOG--log-prefix "[IPTABLES SSH] : " --log-level 6 --log-tcp-options--log-ip-options

$iptables -A INPUT -p tcp --dport 22 -i $intranet -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 22 -o $intranet -j ACCEPT
$iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
$iptables -A FORWARD -p tcp --sport 22 -j ACCEPT
## FIREWALL 2 INTERNET
$iptables -A INPUT -p tcp --sport 22 -i $internet -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 22 -o $internet -j ACCEPT
## INTERNET 2 FIREWALL
$iptables -A INPUT -p tcp --dport 22 -i $internet -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 22 -o $internet -j ACCEPT
echo "SSH Access ........................................ [ OK ]"

#### Internet Sharing ####
$iptables -A FORWARD -i $intranet -p tcp --dport 80 -j ACCEPT
$iptables -A FORWARD -i $internet -p tcp --sport 80 -j ACCEPT

$iptables -A INPUT -i $internet -p tcp --dport 80 -m state --state NEW-j ACCEPT

$iptables -t nat -A POSTROUTING -j MASQUERADE
echo "Internet Sharing .................................. [ OK ]"

echo "<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"

#### SynFloods Protection ####
$iptables -A FORWARD -p tcp --syn -m limit --limit 3/s -j ACCEPT
echo "SynFloods Protection .............................. [ OK ]"

#### Ping Limit ####

$iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit1/s -j ACCEPT

echo "Ping of Death Protection .......................... [ OK ]"

#### Locking fragmented packets ####
$iptables -A INPUT -f -i $internet -j LOG --log-prefix "Fragmentos: "
$iptables -A INPUT -f -i $internet -j REJECT
echo "Locking fragmented packets ........................ [ OK ]"

#### ICMP Limit ####
$iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
echo "ICMP Limit ........................................ [ OK ]"

#### Local Conections ####
$iptables -t nat -A POSTROUTING -o lo -j ACCEPT
echo "Local Conections Accepted ......................... [ OK ]"

#### QOS Terminal Service ####

#$iptables -t mangle -A OUTPUT -o $internet -p tcp --dport 3389 -j TOS--set-tos 0x10#$iptables -t mangle -A INPUT -i $internet -p tcp --dport 3389 -j TOS--set-tos 0x10#$iptables -t mangle -A FORWARD -o $internet -p tcp --dport 3389 -j TOS--set-tos 0x10

#echo "QoS Terminal Service ............................... [ OK ]"

echo ""
echo "-------------====== Firewall  Enabled ======--------------"

Reply to:

Follow-Ups:
- Re: Default Policy = DROP. Help-me
  - From: Paolo <oopla@users.sf.net>
- Re: Default Policy = DROP. Help-me
  - From: Ansgar -59cobalt- Wiechers <lists@planetcobalt.net>

References:
- Default Policy = DROP. Help-me
  - From: Yuri Rodrigues <yurirbraz@gmail.com>
- Re: Default Policy = DROP. Help-me
  - From: Stefan Weilhartner <whylee@whylee.at>

Prev by Date: Re: Default Policy = DROP. Help-me
Next by Date: Re: Default Policy = DROP. Help-me
Previous by thread: Re: Default Policy = DROP. Help-me
Next by thread: Re: Default Policy = DROP. Help-me
Index(es):
- Date
- Thread