탐색 도움말
로그인
lhubert
/
lfirewall
1
0
포크 0
파일 이슈 0 풀 리퀘스트 0 위키
트리: 03fa1f8ab9
브랜치 태그
lfirewall
/
scripts
/
lfirewall

lfirewall 8.1 KB
히스토리 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313 
  1. #!/bin/sh
    2. 

  2. ### BEGIN INIT INFO
    3. 

  3. # Provides:          firewall.sh
    4. 

  4. # Required-Start:    $syslog $network
    5. 

  5. # Required-Stop:     $syslog $network
    6. 

  6. # Default-Start:     2 3 4 5
    7. 

  7. # Default-Stop:      0 1 6
    8. 

  8. # Short-Description: Start firewall daemon at boot time
    9. 

  9. # Description:       Custom Firewall scrip.
    10. 

  10. ### END INIT INFO
    11. 

  11. 

  12. #
    13. 

  13. # Light Firewall configuration.
    14. 

  14. #
    15. 

  15. # Original author : Nicolargo
    16. 

  16. #
    17. 

  17. # chkconfig: 2345 9 91
    18. 

  18. # description: Activates/Deactivates the firewall at boot time
    19. 

  19. #
    20. 

  20. 

  21. PATH=/bin:/sbin:/usr/bin:/usr/sbin
    22. 

  22. 

  23. #Defautl network interface
    24. 

  24. NETWORK_IF=eth0
    25. 

  25. 

  26. # Services that the system will offer to the network
    27. 

  27. TCP_SERVICES="22" # SSH only
    28. 

  28. UDP_SERVICES=""
    29. 

  29. # Services the system will use from the network
    30. 

  30. REMOTE_TCP_SERVICES="80 443" # web browsing
    31. 

  31. REMOTE_UDP_SERVICES="53" # DNS
    32. 

  32. 

  33. 

  34. # Network that will be used for remote mgmt
    35. 

  35. # (if undefined, no rules will be setup)
    36. 

  36. # NETWORK_MGMT=192.168.0.0/24
    37. 

  37. 

  38. # Port used for the SSH service, define this is you have setup a
    39. 

  39. # management network but remove it from TCP_SERVICES
    40. 

  40. SSH_PORT="22"
    41. 

  41. 

  42. CONFIGURATION_FILE=/etc/lfirewall/lfirewall.conf
    43. 

  43. if [ -f $CONFIGURATION_FILE ] ; then
    44. 

  44. 	. $CONFIGURATION_FILE
    45. 

  45. fi
    46. 

  46. 

  47. IP_TABLES="/sbin/iptables"
    48. 

  48. 

  49. if ! [ -x $IP_TABLES ]; then
    50. 

  50. 	exit 0
    51. 

  51. fi
    52. 

  52. 

  53. do_action=do_exec
    54. 

  54. 

  55. IPTABLES_CHECK=__iptables_check_action
    56. 

  56. IPTABLES_ADD=__iptable_add_action
    57. 

  57. IPTABLES_SET_POLICY=__iptable_set_policy_action
    58. 

  58. 

  59. do_exec () {
    60. 

  60. 	case $1 in
    61. 

  61. 		__iptable_add_action)
    62. 

  62. 			shift
    63. 

  63. 			iptables_option=-A
    64. 

  64. 		;;
    65. 

  65. 		__iptable_set_policy_action)
    66. 

  66. 			shift
    67. 

  67. 			iptables_option=-P
    68. 

  68. 		;;
    69. 

  69. 		*)
    70. 

  70. 			echo "Nothing to be done for $1"
    71. 

  71. 		;;
    72. 

  72. 	esac
    73. 

  73. 	$IP_TABLES $iptables_option $*	
    74. 

  74. }
    75. 

  75. 

  76. do_check () {
    77. 

  77. 	the_action=$1
    78. 

  78. 	shift
    79. 

  79. 	case $the_action in
    80. 

  80. 		__iptable_add_action)
    81. 

  81. 			iptables_option=-A
    82. 

  82. 		;;
    83. 

  83. 		__iptable_set_policy_action)
    84. 

  84. 			return 0
    85. 

  85. 		;;
    86. 

  86. 		*)
    87. 

  87. 			echo "Nothing to be done for $1"
    88. 

  88. 		;;
    89. 

  89. 	esac
    90. 

  90. 	default_option=-C
    91. 

  91. 	$do_log "$the_action:" $IP_TABLES -C $*
    92. 

  92. 	$IP_TABLES -C $*
    93. 

  93. 	global_status=$((global_status+$?))
    94. 

  94. }
    95. 

  95. 

  96. log_action () {
    97. 

  97. 	echo $*
    98. 

  98. }
    99. 

  99. 

  100. do_not_log_action () {
    101. 

  101. 	return 0
    102. 

  102. }
    103. 

  103. 

  104. do_log=do_not_log_action
    105. 

  105. 

  106. ##########################
    107. 

  107. # Start the Firewall rules
    108. 

  108. ##########################
    109. 

  109. 

  110. fw_start () {
    111. 

  111. 	#**************************************************************************#
    112. 

  112. 	# Input traffic:
    113. 

  113. 	#**************************************************************************#
    114. 

  114. 

  115. 	### Keep existing connections
    116. 

  116. 	$do_action $IPTABLES_ADD INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    117. 

  117. 	# Services
    118. 

  118. 	if [ -n "$TCP_SERVICES" ] ; then
    119. 

  119. 		for PORT in $TCP_SERVICES; do
    120. 

  120. 			$do_action $IPTABLES_ADD INPUT -p tcp --dport ${PORT} -j ACCEPT
    121. 

  121. 		done
    122. 

  122. 	fi
    123. 

  123. 	if [ -n "$UDP_SERVICES" ] ; then
    124. 

  124. 		for PORT in $UDP_SERVICES; do
    125. 

  125. 			$do_action $IPTABLES_ADD INPUT -p udp --dport ${PORT} -j ACCEPT
    126. 

  126. 		done
    127. 

  127. 	fi
    128. 

  128. 	# Remote management
    129. 

  129. 	if [ -n "$NETWORK_MGMT" ] ; then
    130. 

  130. 		$do_action $IPTABLES_ADD INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT
    131. 

  131. 	else
    132. 

  132. 		$do_action $IPTABLES_ADD INPUT -p tcp --dport ${SSH_PORT}  -j ACCEPT
    133. 

  133. 	fi
    134. 

  134. 

  135. 	#**************************************************************************#
    136. 

  136. 	# NGINX
    137. 

  137. 	#**************************************************************************#
    138. 

  138. 	$do_action $IPTABLES_ADD INPUT -i lo -s localhost -d localhost -j ACCEPT
    139. 

  139. 	$do_action $IPTABLES_ADD OUTPUT -o lo -s localhost -d localhost -j ACCEPT
    140. 

  140. 	$do_action $IPTABLES_ADD INPUT  -p tcp --dport http -j ACCEPT
    141. 

  141.         $do_action $IPTABLES_ADD INPUT  -p tcp --dport https -j ACCEPT
    142. 

  142. 

  143. 

  144. 	# Remote testing
    145. 

  145. 	### Allows PING
    146. 

  146. 	$do_action $IPTABLES_ADD INPUT -p icmp -j ACCEPT
    147. 

  147. 

  148. 	### Allows LOOPBACK
    149. 

  149. 	$do_action $IPTABLES_ADD INPUT -i lo -j ACCEPT
    150. 

  150. 

  151. 	$IP_TABLES -P INPUT DROP
    152. 

  152. 	$do_action $IPTABLES_ADD INPUT -j LOG
    153. 

  153. 

  154. 	#**************************************************************************#
    155. 

  155. 	# Output:
    156. 

  156. 	#**************************************************************************#
    157. 

  157. 	### Allows LOOPBACK
    158. 

  158. 	$do_action $IPTABLES_ADD OUTPUT -j ACCEPT -o lo
    159. 

  159. 

  160. 	###
    161. 

  161. 	$do_action $IPTABLES_ADD OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    162. 

  162. 

  163. 	# ICMP is permitted:
    164. 

  164. 	### Allows ping:
    165. 

  165. 	$do_action $IPTABLES_ADD OUTPUT -p icmp -j ACCEPT
    166. 

  166. 

  167. 	# As well as the services we have defined:
    168. 

  168. 	if [ -n "$REMOTE_TCP_SERVICES" ] ; then
    169. 

  169. 		for PORT in $REMOTE_TCP_SERVICES; do
    170. 

  170. 			$do_action $IPTABLES_ADD OUTPUT -p tcp --dport ${PORT} -j ACCEPT
    171. 

  171. 		done
    172. 

  172. 	fi
    173. 

  173. 	if [ -n "$REMOTE_UDP_SERVICES" ] ; then
    174. 

  174. 		for PORT in $REMOTE_UDP_SERVICES; do
    175. 

  175. 			$do_action $IPTABLES_ADD OUTPUT -p udp --dport ${PORT} -j ACCEPT
    176. 

  176. 		done
    177. 

  177. 	fi
    178. 

  178. 	# All other connections are registered in syslog
    179. 

  179. 	$do_action $IPTABLES_ADD OUTPUT -j LOG
    180. 

  180. 	$do_action $IPTABLES_ADD OUTPUT -j REJECT
    181. 

  181. 	$do_action $IPTABLES_SET_POLICY OUTPUT DROP
    182. 

  182. 

  183. 	$do_action $IPTABLES_ADD FORWARD -j LOG
    184. 

  184. 

  185. 	#**************************************************************************#
    186. 

  186. 	# DOS attack protection
    187. 

  187. 	#**************************************************************************#
    188. 

  188. 	# See http://rockdio.org/ayudatech/how-to-stop-small-ddos-attacks-some-basic-security-advice/
    189. 

  189. 	#
    190. 

  190. 	$IP_TABLES -I INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --set
    191. 

  191. 	$IP_TABLES -I INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
    192. 

  192. 	$IP_TABLES -I INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --set
    193. 

  193. 	$IP_TABLES -I INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
    194. 

  194. 

  195. 	#**************************************************************************#
    196. 

  196. 	# Other network protections
    197. 

  197. 	# (some will only work with some kernel versions)
    198. 

  198. 	#**************************************************************************#
    199. 

  199. 	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    200. 

  200. 	echo 0 > /proc/sys/net/ipv4/ip_forward
    201. 

  201. 	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    202. 

  202. 	echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    203. 

  203. 	echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    204. 

  204. 	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    205. 

  205. 	echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    206. 

  206. 	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    207. 

  207. 

  208. 	iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
    209. 

  209. 	iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
    210. 

  210. }
    211. 

  211. 

  212. ##########################
    213. 

  213. # Stop the Firewall rules
    214. 

  214. ##########################
    215. 

  215. 

  216. fw_stop () {
    217. 

  217. 	$IP_TABLES -F
    218. 

  218. 	$IP_TABLES -t nat -F
    219. 

  219. 	$IP_TABLES -t mangle -F
    220. 

  220. 	$IP_TABLES -P INPUT DROP
    221. 

  221. 	$IP_TABLES -P FORWARD DROP
    222. 

  222. 	$IP_TABLES -P OUTPUT ACCEPT
    223. 

  223. }
    224. 

  224. 

  225. ##########################
    226. 

  226. # Clear the Firewall rules
    227. 

  227. ##########################
    228. 

  228. 

  229. fw_clear () {
    230. 

  230. 	$IP_TABLES -F
    231. 

  231. 	$IP_TABLES -t nat -F
    232. 

  232. 	$IP_TABLES -t mangle -F
    233. 

  233. 	$IP_TABLES -P INPUT ACCEPT
    234. 

  234. 	$IP_TABLES -P FORWARD ACCEPT
    235. 

  235. 	$IP_TABLES -P OUTPUT ACCEPT
    236. 

  236. }
    237. 

  237. 

  238. ##########################
    239. 

  239. # Test the Firewall rules
    240. 

  240. ##########################
    241. 

  241. 

  242. fw_save () {
    243. 

  243. 	$IP_TABLES-save > /etc/iptables.backup
    244. 

  244. }
    245. 

  245. 

  246. fw_restore () {
    247. 

  247. 	if [ -e /etc/iptables.backup ]; then
    248. 

  248. 		$IP_TABLES-restore < /etc/iptables.backup
    249. 

  249. 	fi
    250. 

  250. }
    251. 

  251. 

  252. fw_test () {
    253. 

  253. 	fw_save
    254. 

  254. 	sleep 30 && echo "Restore previous Firewall rules..." && fw_restore &
    255. 

  255. 	fw_stop
    256. 

  256. 	fw_start
    257. 

  257. }
    258. 

  258. 

  259. case "$1" in
    260. 

  260. 	start|restart)
    261. 

  261. 		echo -n "Starting firewall.."
    262. 

  262. 		fw_stop
    263. 

  263. 		fw_start
    264. 

  264. 		echo "done."
    265. 

  265. 	;;
    266. 

  266. 	stop)
    267. 

  267. 		echo "###############################################################"
    268. 

  268. 		echo "I do not stop for now."
    269. 

  269. 		echo "Use 'clear' to remove all firewall blocking rules."
    270. 

  270. 		echo "Use 'dropall' to stop any traffic and block everything."
    271. 

  271. 		echo "###############################################################"
    272. 

  272. 	;;
    273. 

  273. 	clear)
    274. 

  274. 		echo -n "Clearing firewall rules.."
    275. 

  275. 		fw_clear
    276. 

  276. 		echo "done."
    277. 

  277. 	;;
    278. 

  278. 	dropall)
    279. 

  279. 		echo -n "Droping all connections !!!"
    280. 

  280. 		fw_stop
    281. 

  281. 		echo "done."
    282. 

  282. 	;;
    283. 

  283. 	test)
    284. 

  284. 		echo -n "Test Firewall rules..."
    285. 

  285. 		fw_test
    286. 

  286. 		echo -n "Previous configuration will be restore in 30 seconds"
    287. 

  287. 	;;
    288. 

  288. 	status)
    289. 

  289. 		do_action=do_check
    290. 

  290. 		global_status=0
    291. 

  291. 		if [ "$2" = "-v" ] ; then
    292. 

  292. 			do_log=log_action
    293. 

  293. 		fi
    294. 

  294. 		# Start will not really start but exec the "check" action
    295. 

  295. 		fw_start
    296. 

  296. 		if [ 0 -eq "$global_status" ] ; then
    297. 

  297. 			echo "Firewall rules match configuration"
    298. 

  298. 			exit 0
    299. 

  299. 		else
    300. 

  300. 			echo "Some firewall rules are not set correctly"
    301. 

  301. 			exit $global_status
    302. 

  302. 		fi
    303. 

  303. 	;;
    304. 

  304. 	*)
    305. 

  305. 		echo "Usage: $0 {start|dropall|stop|restart|clear|test}"
    306. 

  306. 		echo "###############################################################"
    307. 

  307. 		echo "# Be aware that 'stop' drop all incoming/outgoing traffic !!! #"
    308. 

  308. 		echo "###############################################################"
    309. 

  309. 		echo "Use clear option to allow all traffic."
    310. 

  310. 		exit 1
    311. 

  311. 	;;
    312. 

  312. esac
    313. 

  313. exit 0
    314.