탐색 도움말
로그인
lhubert
/
lfirewall
1
0
포크 0
파일 이슈 0 풀 리퀘스트 0 위키
트리: ecc899c8aa
브랜치 태그
lfirewall
/
scripts
/
firewall

firewall 6.8 KB
히스토리 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243 
  1. #!/bin/sh
    2. 

  2. ### BEGIN INIT INFO
    3. 

  3. # Provides:          firewall.sh
    4. 

  4. # Required-Start:    $syslog $network
    5. 

  5. # Required-Stop:     $syslog $network
    6. 

  6. # Default-Start:     2 3 4 5
    7. 

  7. # Default-Stop:      0 1 6
    8. 

  8. # Short-Description: Start firewall daemon at boot time
    9. 

  9. # Description:       Custom Firewall scrip.
    10. 

  10. ### END INIT INFO
    11. 

  11. 

  12. #
    13. 

  13. # Simple Firewall configuration.
    14. 

  14. #
    15. 

  15. # Original author : Nicolargo
    16. 

  16. #
    17. 

  17. # chkconfig: 2345 9 91
    18. 

  18. # description: Activates/Deactivates the firewall at boot time
    19. 

  19. #
    20. 

  20. 

  21. PATH=/bin:/sbin:/usr/bin:/usr/sbin
    22. 

  22. 

  23. #Defautl network interface
    24. 

  24. NETWORK_IF=eth0
    25. 

  25. 

  26. # Services that the system will offer to the network
    27. 

  27. TCP_SERVICES="22" # SSH only
    28. 

  28. UDP_SERVICES=""
    29. 

  29. # Services the system will use from the network
    30. 

  30. REMOTE_TCP_SERVICES="80 443" # web browsing
    31. 

  31. REMOTE_UDP_SERVICES="53" # DNS
    32. 

  32. 

  33. 

  34. # Network that will be used for remote mgmt
    35. 

  35. # (if undefined, no rules will be setup)
    36. 

  36. # NETWORK_MGMT=192.168.0.0/24
    37. 

  37. 

  38. # Port used for the SSH service, define this is you have setup a
    39. 

  39. # management network but remove it from TCP_SERVICES
    40. 

  40. SSH_PORT="22"
    41. 

  41. 

  42. CONFIGURATION_FILE=/etc/firewall/firewall.conf
    43. 

  43. if [ -f $CONFIGURATION_FILE ] ; then
    44. 

  44. 	. $CONFIGURATION_FILE
    45. 

  45. fi
    46. 

  46. 

  47. IP_TABLES="/sbin/iptables"
    48. 

  48. 

  49. if ! [ -x $IP_TABLES ]; then
    50. 

  50. 	exit 0
    51. 

  51. fi
    52. 

  52. 

  53. ##########################
    54. 

  54. # Start the Firewall rules
    55. 

  55. ##########################
    56. 

  56. 

  57. fw_start () {
    58. 

  58. 	#**************************************************************************#
    59. 

  59. 	# Input traffic:
    60. 

  60. 	#**************************************************************************#
    61. 

  61. 

  62. 	### Keep existing connections
    63. 

  63. 	$IP_TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    64. 

  64. 	# Services
    65. 

  65. 	if [ -n "$TCP_SERVICES" ] ; then
    66. 

  66. 		for PORT in $TCP_SERVICES; do
    67. 

  67. 			$IP_TABLES -A INPUT -p tcp --dport ${PORT} -j ACCEPT
    68. 

  68. 		done
    69. 

  69. 	fi
    70. 

  70. 	if [ -n "$UDP_SERVICES" ] ; then
    71. 

  71. 		for PORT in $UDP_SERVICES; do
    72. 

  72. 			$IP_TABLES -A INPUT -p udp --dport ${PORT} -j ACCEPT
    73. 

  73. 		done
    74. 

  74. 	fi
    75. 

  75. 	# Remote management
    76. 

  76. 	if [ -n "$NETWORK_MGMT" ] ; then
    77. 

  77. 		$IP_TABLES -A INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT
    78. 

  78. 	else
    79. 

  79. 		$IP_TABLES -A INPUT -p tcp --dport ${SSH_PORT}  -j ACCEPT
    80. 

  80. 	fi
    81. 

  81. 

  82. 	#**************************************************************************#
    83. 

  83. 	# NGINX
    84. 

  84. 	#**************************************************************************#
    85. 

  85. 	$IP_TABLES -A INPUT -i lo -s localhost -d localhost -j ACCEPT
    86. 

  86. 	$IP_TABLES -A OUTPUT -o lo -s localhost -d localhost -j ACCEPT
    87. 

  87. 	$IP_TABLES -A INPUT  -p tcp --dport http -j ACCEPT
    88. 

  88.         $IP_TABLES -A INPUT  -p tcp --dport https -j ACCEPT
    89. 

  89. 

  90. 

  91. 	# Remote testing
    92. 

  92. 	### Allows PING
    93. 

  93. 	$IP_TABLES -A INPUT -p icmp -j ACCEPT
    94. 

  94. 	### Allows LOOPBACK
    95. 

  95. 	$IP_TABLES -A INPUT -i lo -j ACCEPT
    96. 

  96. 

  97. 	$IP_TABLES -P INPUT DROP
    98. 

  98. 	$IP_TABLES -A INPUT -j LOG
    99. 

  99. 

  100. 	#**************************************************************************#
    101. 

  101. 	# Output:
    102. 

  102. 	#**************************************************************************#
    103. 

  103. 	### Allows LOOPBACK
    104. 

  104. 	$IP_TABLES -A OUTPUT -j ACCEPT -o lo
    105. 

  105. 

  106. 	###
    107. 

  107. 	$IP_TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    108. 

  108. 

  109. 	# ICMP is permitted:
    110. 

  110. 	### Allows ping:
    111. 

  111. 	$IP_TABLES -A OUTPUT -p icmp -j ACCEPT
    112. 

  112. 

  113. 	# As well as the services we have defined:
    114. 

  114. 	if [ -n "$REMOTE_TCP_SERVICES" ] ; then
    115. 

  115. 		for PORT in $REMOTE_TCP_SERVICES; do
    116. 

  116. 			$IP_TABLES -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
    117. 

  117. 		done
    118. 

  118. 	fi
    119. 

  119. 	if [ -n "$REMOTE_UDP_SERVICES" ] ; then
    120. 

  120. 		for PORT in $REMOTE_UDP_SERVICES; do
    121. 

  121. 			$IP_TABLES -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
    122. 

  122. 		done
    123. 

  123. 	fi
    124. 

  124. 	# All other connections are registered in syslog
    125. 

  125. 	$IP_TABLES -A OUTPUT -j LOG
    126. 

  126. 	$IP_TABLES -A OUTPUT -j REJECT
    127. 

  127. 	$IP_TABLES -P OUTPUT DROP
    128. 

  128. 

  129. 	$IP_TABLES -A FORWARD -j LOG
    130. 

  130. 

  131. 	#**************************************************************************#
    132. 

  132. 	# DOS attack protection
    133. 

  133. 	#**************************************************************************#
    134. 

  134. 	# See http://rockdio.org/ayudatech/how-to-stop-small-ddos-attacks-some-basic-security-advice/
    135. 

  135. 	#
    136. 

  136. 	$IP_TABLES -I INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --set
    137. 

  137. 	$IP_TABLES -I INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
    138. 

  138. 	$IP_TABLES -I INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --set
    139. 

  139. 	$IP_TABLES -I INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
    140. 

  140. 

  141. 	#**************************************************************************#
    142. 

  142. 	# Other network protections
    143. 

  143. 	# (some will only work with some kernel versions)
    144. 

  144. 	#**************************************************************************#
    145. 

  145. 	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    146. 

  146. 	echo 0 > /proc/sys/net/ipv4/ip_forward
    147. 

  147. 	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    148. 

  148. 	echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    149. 

  149. 	echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    150. 

  150. 	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    151. 

  151. 	echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    152. 

  152. 	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    153. 

  153. 

  154. 	iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
    155. 

  155. 	iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
    156. 

  156. }
    157. 

  157. 

  158. ##########################
    159. 

  159. # Stop the Firewall rules
    160. 

  160. ##########################
    161. 

  161. 

  162. fw_stop () {
    163. 

  163. 	$IP_TABLES -F
    164. 

  164. 	$IP_TABLES -t nat -F
    165. 

  165. 	$IP_TABLES -t mangle -F
    166. 

  166. 	$IP_TABLES -P INPUT DROP
    167. 

  167. 	$IP_TABLES -P FORWARD DROP
    168. 

  168. 	$IP_TABLES -P OUTPUT ACCEPT
    169. 

  169. }
    170. 

  170. 

  171. ##########################
    172. 

  172. # Clear the Firewall rules
    173. 

  173. ##########################
    174. 

  174. 

  175. fw_clear () {
    176. 

  176. 	$IP_TABLES -F
    177. 

  177. 	$IP_TABLES -t nat -F
    178. 

  178. 	$IP_TABLES -t mangle -F
    179. 

  179. 	$IP_TABLES -P INPUT ACCEPT
    180. 

  180. 	$IP_TABLES -P FORWARD ACCEPT
    181. 

  181. 	$IP_TABLES -P OUTPUT ACCEPT
    182. 

  182. }
    183. 

  183. 

  184. ##########################
    185. 

  185. # Test the Firewall rules
    186. 

  186. ##########################
    187. 

  187. 

  188. fw_save () {
    189. 

  189. 	$IP_TABLES-save > /etc/iptables.backup
    190. 

  190. }
    191. 

  191. 

  192. fw_restore () {
    193. 

  193. 	if [ -e /etc/iptables.backup ]; then
    194. 

  194. 		$IP_TABLES-restore < /etc/iptables.backup
    195. 

  195. 	fi
    196. 

  196. }
    197. 

  197. 

  198. fw_test () {
    199. 

  199. 	fw_save
    200. 

  200. 	sleep 30 && echo "Restore previous Firewall rules..." && fw_restore &
    201. 

  201. 	fw_stop
    202. 

  202. 	fw_start
    203. 

  203. }
    204. 

  204. 

  205. case "$1" in
    206. 

  206. 	start|restart)
    207. 

  207. 		echo -n "Starting firewall.."
    208. 

  208. 		fw_stop
    209. 

  209. 		fw_start
    210. 

  210. 		echo "done."
    211. 

  211. 	;;
    212. 

  212. 	stop)
    213. 

  213. 		echo "###############################################################"
    214. 

  214. 		echo "I do not stop for now."
    215. 

  215. 		echo "Use 'clear' to remove all firewall blocking rules."
    216. 

  216. 		echo "Use 'dropall' to remove all firewall blocking rules."
    217. 

  217. 		echo "###############################################################"
    218. 

  218. 	;;
    219. 

  219. 	clear)
    220. 

  220. 		echo -n "Clearing firewall rules.."
    221. 

  221. 		fw_clear
    222. 

  222. 		echo "done."
    223. 

  223. 	;;
    224. 

  224. 	dropall)
    225. 

  225. 		echo -n "Droping all connections !!!"
    226. 

  226. 		fw_stop
    227. 

  227. 		echo "done."
    228. 

  228. 	;;
    229. 

  229. 	test)
    230. 

  230. 		echo -n "Test Firewall rules..."
    231. 

  231. 		fw_test
    232. 

  232. 		echo -n "Previous configuration will be restore in 30 seconds"
    233. 

  233. 	;;
    234. 

  234. 	*)
    235. 

  235. 		echo "Usage: $0 {start|dropall|stop|restart|clear|test}"
    236. 

  236. 		echo "###############################################################"
    237. 

  237. 		echo "# Be aware that 'stop' drop all incoming/outgoing traffic !!! #"
    238. 

  238. 		echo "###############################################################"
    239. 

  239. 		echo "Use clear option to allow all traffic."
    240. 

  240. 		exit 1
    241. 

  241. 	;;
    242. 

  242. esac
    243. 

  243. exit 0
    244.