Graduation design questions about a Netfilter/iptables shell script (single network card version)


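#!/bin/sh
#
# Single-NIC host firewall built on Netfilter/iptables.
#
# Usage:   firewall {start|stop}
#   start  - hardens a few /proc/sys/net/ipv4 knobs, flushes every table,
#            installs DROP policies and the rule set below, then offers to
#            save the rules.
#   stop   - resets policies to ACCEPT, flushes every table, then offers to
#            save the (now empty) rules.
#
# Env:     RULES_FILE - where "iptables-save" output is written when the
#                       operator answers "y" to the save prompt.
#
# Notes on this revision of the script (kept as one flat script on purpose):
#   * The original ran "iptables-save" without a redirect, which only prints
#     the rules to the terminal and saves nothing; it now writes RULES_FILE.
#   * The original accepted loopback traffic only on OUTPUT; INPUT on "lo"
#     fell through to the DROP policy, so local clients could not reach
#     local services. An INPUT "-i lo" ACCEPT is added next to the OUTPUT one.
#   * The denyports LOG rules had no rate limit (the CHECK_FLAGS ones do);
#     a scan of a denied port could flood the log, so the same
#     "-m limit --limit 5/minute" is applied.
#   * The save prompt was duplicated in the start and stop branches; it is
#     now one function used by both.
# set -e is deliberately NOT used: a missing /proc knob or a rule that does
# not apply must not abort half-way through building the rule set.
set -u

# ---- configuration ---------------------------------------------------------
INTERFACES="lo eth0"
UPLINK="eth0"
SERVICE="80"                      # TCP ports served to the outside
ALLOW_PORTS="23"                  # TCP ports this host may connect out to
DENYTCPPORTS="23 139 445 3389"    # inbound TCP ports rejected and logged
# 455 is as given in the original; 445 (SMB) may have been intended -- confirm.
DENYUDPPORTS="23 139 455 3389"    # inbound UDP ports rejected and logged
# Constructed default for the saved-rules location; point it at your
# distribution's iptables rules file.
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"

#######################################
# Abort unless running as root; iptables and the /proc writes need it.
# Outputs: error text to stderr
# Returns: exits 1 when not root
#######################################
require_root() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" >&2
    exit 1
  fi
}

#######################################
# Write a value to a /proc/sys knob if that knob exists on this kernel.
# Arguments: $1 - value, $2 - absolute path of the knob, $3 - message
# Outputs:   progress text to stdout
#######################################
set_knob() {
  if [ -e "$2" ]; then
    echo "$3"
    printf '%s\n' "$1" > "$2"
    echo "OK !!!!"
  fi
}

#######################################
# Tune the IPv4 stack before loading rules.
# Globals: INTERFACES (read)
# Outputs: progress text to stdout
#######################################
prepare_kernel() {
  echo "Now preparing kernel for use, please wait ..."
  set_knob 1 /proc/sys/net/ipv4/tcp_syncookies \
    "Enable the SYN cookie flood protection ..."
  if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
    echo "Setting local port range for TCP/UDP connections ..."
    # Two whitespace-separated numbers; the original "echo -e" with "/t"
    # wrote a literal slash-t, which the kernel rejects.
    printf '32768\t61000\n' > /proc/sys/net/ipv4/ip_local_port_range
    echo "OK !!!!"
  fi
  set_knob 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses \
    "Enable bad error message protection ..."
  set_knob 0 /proc/sys/net/ipv4/tcp_ecn \
    "Disabling tcp_ecn, please wait ..."
  for x in ${INTERFACES}; do
    #echo "Enabling rp_filter on ${x}, please wait ..."
    if [ -e "/proc/sys/net/ipv4/conf/${x}/rp_filter" ]; then
      echo 1 > "/proc/sys/net/ipv4/conf/${x}/rp_filter"
      echo "${x} OK !!!!"
    fi
  done
  set_knob 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts \
    "Ignore any broadcast ICMP echo requests ..."
  echo "OK, the kernel is now prepared to use for building a firewall !!!"
}

#######################################
# Set the default policies and empty every table and user chain.
# Arguments: $1 - policy to apply to INPUT/FORWARD/OUTPUT (DROP or ACCEPT)
#######################################
reset_tables() {
  iptables -P INPUT "$1"
  iptables -P FORWARD "$1"
  iptables -P OUTPUT "$1"
  iptables -F -t filter
  iptables -F -t nat
  iptables -F -t mangle
  iptables -Z
  iptables -X
}

#######################################
# Log (rate limited) and DROP TCP segments with an impossible flag mix.
# Chain names are case-sensitive to iptables; CHECK_FLAGS is used throughout.
#######################################
load_check_flags() {
  echo "Now starting the CHECK_FLAGS rules, please wait ...."
  # mask/compare pairs, followed by the log prefix for that pattern
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:"
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "Xmas-psh:"
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "Invaild NMap Scan"
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "SYN/RST"
  iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "SYN/FIN SCAN"
  iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "null_scan"
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
  # TCP option kinds 64 and 128 are not assigned; treat them as bogus.
  iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "Bogus TCP Flag 64"
  iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "Bogus TCP Flag 128"
  iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -j DROP
  echo "OK !!!! Finished CHECK_FLAGS rules ...."
}

#######################################
# Log (rate limited) and reject inbound connections to the denied ports.
# Globals: DENYTCPPORTS, DENYUDPPORTS (read)
#######################################
load_denyports() {
  echo "Now starting the denyports rules ..."
  for x in ${DENYTCPPORTS}; do
    iptables -A denyports -p tcp --dport "${x}" -m limit --limit 5/minute \
      -j LOG --log-prefix "Invaild port: ${x} TCP in:"
    iptables -A denyports -p tcp --dport "${x}" -j REJECT --reject-with tcp-reset
  done
  for x in ${DENYUDPPORTS}; do
    iptables -A denyports -p udp --dport "${x}" -m limit --limit 5/minute \
      -j LOG --log-prefix "Invaild port: ${x} UDP in:"
    iptables -A denyports -p udp --dport "${x}" -j REJECT --reject-with icmp-port-unreachable
  done
  echo "OK !!!"
}

#######################################
# Allow served ports in and their replies out; allow the listed outbound
# ports out and their replies in.
# Globals: SERVICE, ALLOW_PORTS, UPLINK (read)
#######################################
load_services() {
  for x in ${SERVICE}; do
    iptables -A insrv -p tcp --dport "${x}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A outsrv -p tcp --sport "${x}" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
  for x in ${ALLOW_PORTS}; do
    iptables -A inusrlist -i "${UPLINK}" -p tcp --sport "${x}" -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A outusrlist -o "${UPLINK}" -p tcp --dport "${x}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  done
  echo "OK !!!"
}

#######################################
# Ask the operator whether to persist the current rules; loop until y/n.
# Globals: RULES_FILE (read)
# Arguments: $1 - prompt text
# Outputs:   prompt and status text to stdout
#######################################
save_rules_prompt() {
  ineor="error"
  while [ "$ineor" = "error" ]; do
    echo ""
    printf '%s ' "$1"
    read -r reply
    if [ "$reply" = "y" ]; then
      # Without the redirect iptables-save only prints to the terminal.
      if iptables-save > "${RULES_FILE}"; then
        echo "Rules saved to ${RULES_FILE}"
      else
        echo "Could not write ${RULES_FILE}" >&2
      fi
      ineor=""
    elif [ "$reply" = "n" ]; then
      echo "If you want to save the rules by yourself, please read the man page for iptables-save"
      ineor=""
    else
      echo "Please type y or n!"
    fi
  done
}

#######################################
# Build the full rule set.
# Globals: UPLINK (read)
#######################################
start_firewall() {
  echo "Starting firewall ..."
  prepare_kernel
  echo "Now flushing the rules ..."
  reset_tables DROP
  echo "OK !!!"
  echo "Now starting the new tables ......"
  iptables -N CHECK_FLAGS
  iptables -N denyports
  iptables -N insrv
  iptables -N outsrv
  iptables -N inusrlist
  iptables -N outusrlist
  echo "OK !!!"
  echo "Now starting the new rules ......"
  iptables -A INPUT -j CHECK_FLAGS
  iptables -A OUTPUT -j CHECK_FLAGS
  # Loopback must be accepted in both directions; the original only had the
  # OUTPUT rule, so replies on lo hit the INPUT DROP policy.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -j denyports
  iptables -A INPUT -i "${UPLINK}" -j insrv
  iptables -A INPUT -i "${UPLINK}" -j inusrlist
  iptables -A INPUT -p tcp -i "${UPLINK}" -j REJECT --reject-with tcp-reset
  iptables -A INPUT -p udp -i "${UPLINK}" -j REJECT --reject-with icmp-port-unreachable
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A OUTPUT -o "${UPLINK}" -j outsrv
  iptables -A OUTPUT -o "${UPLINK}" -j outusrlist
  iptables -A OUTPUT -p tcp -o "${UPLINK}" -j REJECT --reject-with tcp-reset
  iptables -A OUTPUT -p udp -o "${UPLINK}" -j REJECT --reject-with icmp-port-unreachable
  load_check_flags
  load_denyports
  load_services
  echo "The firewall has successful started up !!!"
  save_rules_prompt "Now would you like to save the rules for the firewall? [y/n]"
}

#######################################
# Open the host completely: ACCEPT policies and empty tables.
#######################################
stop_firewall() {
  echo "Stopping firewall ......"
  reset_tables ACCEPT
  echo "The firewall has successful shuted down !!! Be careful !!!"
  save_rules_prompt "Now would you like to save the rules? [y/n]"
}

case "${1:-}" in
  start)
    require_root
    start_firewall
    ;;
  stop)
    require_root
    stop_firewall
    ;;
  *)
    echo "Usage: $0 {start|stop}" >&2
    exit 1
    ;;
esac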

