Re: Default Policy = DROP. Help-me
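#!/bin/sh
# Firewall System
# Author - Yuri Rodrigues
# Mail - yurirbraz@gmail.com
#
# Interface layout every rule below assumes:
#   eth0 = Intranet (trusted LAN, addresses in $rede)
#   eth1 = Internet (untrusted)
#
# Design: default DROP on INPUT, OUTPUT and FORWARD; connection tracking
# does the work.  Only NEW connections are matched explicitly, return
# traffic is admitted by the RELATED,ESTABLISHED rules.  No rule matches
# on a *source* port: a packet with --sport 22 or --sport 80 can be
# forged by anyone and must never open the firewall (the earlier version
# of this script did exactly that in INPUT and FORWARD).
#
# Caveats:
#   - Run this from the console, not over SSH.  Policies are set to DROP
#     before any ACCEPT rule exists, so a failure mid-script leaves the
#     box unreachable.
#   - Only IPv4 is filtered.  If the host also has IPv6 connectivity an
#     equivalent ip6tables policy is needed, otherwise the DROP default
#     is simply bypassed over v6.
#   - Deliberately no 'set -e': modprobe fails for modules that are built
#     into the kernel and that must not abort the ruleset.
#   - Several rules were wrapped over two lines in the mailed copy; each
#     iptables invocation is one line here.
intranet="eth0"
iptables="/sbin/iptables"
internet="eth1"
rede="192.168.121.0/24"

echo "-----------------======= Firewall =======------------------"
echo " By: Yuri Rodrigues "
echo "LOGS: [ /var/log/kern.log ] "
echo ""
echo "Starting the script "
echo ""

#### Policing ####
# Filter table: deny by default.  Set *before* the flush so the box is
# never open in the window between removing old rules and loading new ones.
$iptables -t filter -P INPUT DROP
$iptables -t filter -P OUTPUT DROP
$iptables -t filter -P FORWARD DROP
# Nat table
$iptables -t nat -P PREROUTING ACCEPT
$iptables -t nat -P OUTPUT ACCEPT
$iptables -t nat -P POSTROUTING ACCEPT
# Mangle table
$iptables -t mangle -P PREROUTING ACCEPT
$iptables -t mangle -P OUTPUT ACCEPT
$iptables -t mangle -P INPUT ACCEPT
$iptables -t mangle -P POSTROUTING ACCEPT
echo "Policing .......................................... [ OK ]"

#### Loading Modules ####
# Forwarding stays off until the complete ruleset is in place (re-enabled
# at the very end of the script).
echo "0" > /proc/sys/net/ipv4/ip_forward
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_queue
modprobe ip_tables
modprobe ipt_LOG
modprobe ipt_MARK
modprobe ipt_MASQUERADE
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_TCPMSS
modprobe ipt_TOS
modprobe ipt_limit
modprobe ipt_mac
modprobe ipt_mark
modprobe ipt_multiport
modprobe ipt_owner
modprobe ipt_state
modprobe ipt_tcpmss
modprobe ipt_tos
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
echo "Loading Modules ................................... [ OK ]"

#### Flush Rules ####
# -X deletes user-defined chains left over from a previous run; the
# syn_flood chain created below with -N would otherwise fail on re-run.
$iptables -F
$iptables -X
$iptables -t nat -F
$iptables -t nat -X
$iptables -t mangle -F
$iptables -t mangle -X
echo "Flush Rules ....................................... [ OK ]"

#### Allowing already established connections ####
# All three chains.  Without the OUTPUT rule the firewall cannot answer
# anything at all under OUTPUT DROP (not even the SSH sessions accepted
# below); without the FORWARD rule LAN clients never get replies back.
$iptables -A INPUT   -m state --state RELATED,ESTABLISHED -j ACCEPT
$iptables -A OUTPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
$iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "Allowing already established connections .......... [ OK ]"

#### LoopBack Traffic Accepted ####
# Both directions: with OUTPUT DROP, lo needs an OUTPUT rule as well or
# local services talking to 127.0.0.1 (resolver, syslog, ...) break.
$iptables -A INPUT  -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

#### Anti-spoofing ####
# Packets claiming a LAN source address can never legitimately arrive on
# the Internet interface.
$iptables -A INPUT   -i $internet -s $rede -j DROP
$iptables -A FORWARD -i $internet -s $rede -j DROP

echo ">>>>>>>>>>>>>>>>>> Regras para usuarios <<<<<<<<<<<<<<<<<<"

#### Debugging ####
#$iptables -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "[INPUT] : "
#$iptables -A OUTPUT -m limit --limit 3/minute -j LOG --log-prefix "[OUTPUT] : "
#$iptables -A FORWARD -j LOG --log-prefix "[FORWARD] : "

#### SynFloods Protection ####
# A dedicated chain: SYNs within the rate RETURN to the calling chain and
# continue to the normal ACCEPT rules; the excess is dropped.  The old
# "-p tcp --syn -m limit -j ACCEPT" rule did the opposite - it ACCEPTed a
# new TCP connection to *any* port in *either* direction at 3/s, which
# under a DROP policy is a hole, not a protection.  Installed before the
# ACCEPT rules so it is actually consulted.  3/s (default burst 5) is the
# original author's value and is tight for a busy LAN - tune as needed.
$iptables -N syn_flood
$iptables -A syn_flood -m limit --limit 3/s -j RETURN
$iptables -A syn_flood -j DROP
$iptables -A INPUT   -p tcp --syn -j syn_flood
$iptables -A FORWARD -p tcp --syn -j syn_flood
echo "SynFloods Protection .............................. [ OK ]"

#### SSH Access ####
# Log every NEW SSH connection attempt to the firewall.  Rate-limited so a
# port scan cannot fill /var/log/kern.log.  (The old second LOG rule that
# matched --sport 22 logged nothing meaningful - the source port is
# attacker-chosen - and is gone.)
$iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 6/minute -j LOG --log-prefix "[IPTABLES SSH] : " --log-level 6 --log-tcp-options --log-ip-options
## LAN 2 FIREWALL
$iptables -A INPUT -i $intranet -s $rede -p tcp --dport 22 -m state --state NEW -j ACCEPT
## LAN 2 INTERNET (through the firewall)
$iptables -A FORWARD -i $intranet -o $internet -s $rede -p tcp --dport 22 -m state --state NEW -j ACCEPT
## FIREWALL 2 INTERNET
$iptables -A OUTPUT -o $internet -p tcp --dport 22 -m state --state NEW -j ACCEPT
## INTERNET 2 FIREWALL
# This exposes the firewall's own sshd to the whole Internet.  Kept
# because the original ruleset allowed it; remove it if remote
# administration is not required, otherwise add "-s <admin address>".
$iptables -A INPUT -i $internet -p tcp --dport 22 -m state --state NEW -j ACCEPT
echo "SSH Access ........................................ [ OK ]"

#### Internet Sharing ####
# Only NEW connections from the LAN towards the Internet on port 80 are
# matched; replies return through the ESTABLISHED rule above.  The old
# "-i $internet --sport 80 -j ACCEPT" rule forwarded ANY packet from the
# Internet whose source port happened to be 80 straight into the LAN.
$iptables -A FORWARD -i $intranet -o $internet -s $rede -p tcp --dport 80 -m state --state NEW -j ACCEPT
# The original also accepted TCP/80 to the firewall *itself* from the
# Internet.  Kept unchanged, but note it plays no part in sharing the
# connection: remove it unless a web server on this host must be
# reachable from outside.
$iptables -A INPUT -i $internet -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Masquerade only LAN sources leaving via the Internet interface.  The
# old rule had neither -s nor -o and rewrote every packet on every
# interface, including traffic on the LAN side.
$iptables -t nat -A POSTROUTING -s $rede -o $internet -j MASQUERADE
echo "Internet Sharing .................................. [ OK ]"
echo "<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"

#### Ping Limit ####
# LAN hosts may ping out at 1/s; echo-replies come back via ESTABLISHED.
# Direction is pinned - previously echo-requests were forwarded both ways.
$iptables -A FORWARD -i $intranet -o $internet -s $rede -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
echo "Ping of Death Protection .......................... [ OK ]"

#### Locking fragmented packets ####
# Non-first fragments (-f) arriving from the Internet are logged
# (rate-limited, the old LOG rule had no limit) and silently dropped.
# DROP rather than REJECT: answering unsolicited Internet packets gives
# away nothing useful and costs bandwidth.  NOTE(review): with
# ip_conntrack loaded the kernel most likely reassembles fragments before
# the filter table sees them, so this pair may never match - harmless.
$iptables -A INPUT -f -i $internet -m limit --limit 3/minute -j LOG --log-prefix "Fragmentos: "
$iptables -A INPUT -f -i $internet -j DROP
echo "Locking fragmented packets ........................ [ OK ]"

#### ICMP Limit ####
# ICMP addressed to the firewall itself, rate-limited; anything above the
# rate falls through to the DROP policy.
$iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
echo "ICMP Limit ........................................ [ OK ]"

#### Local Conections ####
# Redundant under the nat POSTROUTING ACCEPT policy; kept for clarity.
$iptables -t nat -A POSTROUTING -o lo -j ACCEPT
echo "Local Conections Accepted ......................... [ OK ]"

#### QOS Terminal Service ####
#$iptables -t mangle -A OUTPUT -o $internet -p tcp --dport 3389 -j TOS --set-tos 0x10
#$iptables -t mangle -A INPUT -i $internet -p tcp --dport 3389 -j TOS --set-tos 0x10
#$iptables -t mangle -A FORWARD -o $internet -p tcp --dport 3389 -j TOS --set-tos 0x10
#echo "QoS Terminal Service ............................... [ OK ]"

#### Enable Forwarding ####
# Only now, with the FORWARD chain fully populated.
echo "1" > /proc/sys/net/ipv4/ip_forward

echo ""
echo "-------------====== Firewall Enabled ======--------------"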