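#!/usr/bin/env bash
#
# Loads a stateful iptables ruleset for a masquerading (MASQ) server:
# default policy DROP on INPUT/OUTPUT/FORWARD, a LOG_AND_DROP chain for
# refused traffic, anti-spoofing on INPUT, unrestricted outbound traffic,
# and forwarding only for NEW connections originating in the LAN.
#
# Must run as root. Every iptables call is checked (set -e); aborting
# part-way leaves the built-in chains at their DROP policy, i.e. the
# script fails closed rather than open.
#
# NOTE(review): only IPv4 is configured (iptables); ip6tables is untouched.
# NOTE(review): no nat/MASQUERADE rule is added and net.ipv4.ip_forward is
# not enabled here - presumably done elsewhere; confirm.
set -euo pipefail

# Fail early instead of discovering missing privileges mid-ruleset.
if [[ "$(id -u)" -ne 0 ]]; then
  printf 'This script must be run as root\n' >&2
  exit 1
fi

readonly UNIVERSE="0.0.0.0/0"
# LAN behind the MASQ server: the only source allowed to open forwarded connections.
readonly LAN_NET="192.168.0.0/24"
# The server's own address; packets claiming it from outside are spoofed.
readonly SERVER_IP="200.200.200.200"

# printf rather than echo: bash's echo does not interpret "\n" without -e.
printf '\n\nSETTING UP IPTABLES FIREWALL...\n'
printf ' Loading firewall server rules...\n'

# Clear any existing rules and set the default policy of every built-in chain to DROP.
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD

# Flush the user chain only if it exists. Listing the chain by name (with -n,
# no DNS lookups) avoids false matches from rules that merely jump to it.
if iptables -n -L LOG_AND_DROP >/dev/null 2>&1; then
  iptables -F LOG_AND_DROP
fi
# Delete all user-specified chains (unreferenced after the flushes above).
iptables -X
# Reset all packet/byte counters.
iptables -Z

# LOG_AND_DROP: log the packet, then refuse it. Despite the name the chain
# REJECTs with ICMP host-unreachable rather than silently DROPping, so a
# sender learns the host is up. The LOG target carries no "-m limit", so a
# flood of refused packets reaches syslog unthrottled.
iptables -N LOG_AND_DROP
iptables -A LOG_AND_DROP -j LOG --log-prefix "atack happens------->"
iptables -A LOG_AND_DROP -j REJECT --reject-with icmp-host-unreachable

printf ' - Loading INPUT rulesets\n'
#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# Loopback first. These two rules must precede the anti-spoofing rules,
# otherwise the 127.0.0.0/8 and SERVER_IP rules below log and reject the
# machine's own loopback traffic before it can ever be ACCEPTed.
iptables -A INPUT -i lo -s "$SERVER_IP" -j ACCEPT
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
# Remote packets claiming to be local machines (IP spoofing): log and reject.
# NOTE(review): with no "-i" restriction the LAN_NET rule also refuses genuine
# LAN hosts addressing the server itself - confirm that is intended.
iptables -A INPUT -s "$LAN_NET" -j LOG_AND_DROP
iptables -A INPUT -s 127.0.0.0/8 -j LOG_AND_DROP
iptables -A INPUT -s "$SERVER_IP" -j LOG_AND_DROP
# A NEW TCP connection must begin with a SYN.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG_AND_DROP
# Fragments and an invalid TCP flag combination (ACK,RST,SYN,FIN all set).
iptables -A INPUT -p ip -f -j LOG_AND_DROP
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG_AND_DROP
# ICMP that conntrack cannot associate with any connection.
iptables -A INPUT -m state -p icmp --state INVALID -j LOG_AND_DROP
# Allow any related traffic coming back to the MASQ server.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Catch-all: every other incoming packet is logged and refused.
iptables -A INPUT -s "$UNIVERSE" -d "$UNIVERSE" -j LOG_AND_DROP

printf ' - Loading OUTPUT rulesets\n'
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
iptables -A OUTPUT -o lo -d "$SERVER_IP" -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The server itself may open any outbound connection.
iptables -A OUTPUT -m state --state NEW -j ACCEPT

printf ' - Loading FORWARD rulesets\n'
#######################################################################
# FORWARD: traffic passing through the MASQ server.
# Allow all connections OUT from the LAN and only existing/related IN.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s "$LAN_NET" -m state --state NEW -j ACCEPT
# Catch-all: all other forwarding is logged and refused.
iptables -A FORWARD -j LOG_AND_DROP

printf ' Firewall server rule loading complete\n\n'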
entao é isto k andas a fazer no trabalho..lol