Πρώτο commit
Αυτό το commit περιλαμβάνεται σε:
commit
8ec8e9bee2
451 αρχεία άλλαξαν με 46736 προσθήκες και 0 διαγραφές
159
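--- a/static/34/fw.rules
+++ b/static/34/fw.rules
@@ -0,0 +1,159 @@
+#!/bin/bash
+
+if [ -z $1 ]; then
+# Äåí Ý÷ïõìå command line argument, ïðüôå äåí áöÞíïõìå êáíÝíáí íá óõíäåèåß ìå SSH óå ìáò.
+echo Disallowing SSH access...
+NOSSH=1
+else
+# ¸÷ïõìå IP address óôç ãñáììÞ åíôïëþí, ðïõ èÝëïõìå íá óõíäÝåôáé óå ìáò ìå SSH.
+echo Allowing SSH access for $1...
+fi
+
+##############################
+#### ÃÅÍÉÊÅÓ ÐÑÏÖÕËÁÎÅÉÓ #####
+##############################
+
+## Ìçí áðáíôÜò óå ping.
+/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
+
+## Ìçí áðáíôÜò óå broadcasts.
+/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+
+## Ìç äÝ÷åóáé source routed ðáêÝôá.
+/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
+
+## Ìç êÜíåéò ICMP redirect.
+/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
+
+## Ðñïóôáóßá Ýíáíôé ðåñßåñãùí ëáèþí.
+/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+
+## Åíåñãïðïßçóå ôï reverse path filtering.
+for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
+/bin/echo "1" > ${interface}
+done
+
+## Óçìåßùóå óôá system logs (/var/log/messages by default) ôá ðáêÝôá ðïõ öáßíåôáé íá Ý÷ïõí øåýôéêåò äéåèýíóåéò Þ ãåíéêþò íá åßíáé ýðïðôá.
+/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
+
+## Ìçí ëåéôïõñãåßò óáí router (ìçí ðñïùèåßò ðáêÝôá óå Üëëåò äéåõèýíóåéò).
+/bin/echo "0" > /proc/sys/net/ipv4/ip_forward
+
+##################
+#### FIREWALL ####
+##################
+
+## Öüñôùóå ôá connection-tracking modules.
+/sbin/modprobe ipt_state
+/sbin/modprobe ip_conntrack
+/sbin/modprobe ip_conntrack_ftp #ports=2121
+#/sbin/modprobe ipt_owner
+
+## ÊáèÜñéóå ôõ÷üí åíåñãÜ rules
+/sbin/iptables -F
+## ÄéÝãñáøå ôõ÷üí custom tables
+/sbin/iptables -X
+## ÌçäÝíéóå üëïõò ôïõò ìåôñçôÝò ðáêÝôùí
+/sbin/iptables -Z
+
+## By default êÜíïõìå DROP (áãíïïýìå) üëá ôá ðáêÝôá (þóôå íá ðåñíÜíå ìüíï áõôÜ ðïõ Ý÷ïõí ëüãï íá ðåñíÜíå)
+/sbin/iptables -P INPUT DROP
+/sbin/iptables -P OUTPUT DROP
+
+
+#####################
+#### ÅÉÓÅÑ×ÏÌÅÍÁ ####
+#####################
+
+## Äå÷üìáóôå üëåò ôéò ôïðéêÝò óõíäÝóåéò
+/sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
+
+## Äå÷üìáóôå ðáêÝôá áðü üëåò ôéò Þäç õðÜñ÷ïõóåò óõíäÝóåéò (ëüãù ôùí õðïëïßðùí rules, áíáãêáóôéêÜ ôéò Ý÷ïõìå îåêéíÞóåé åìåßò ïðüôå õðïèÝôïõìå üôé åßíáé áóöáëåßò)
+/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+if [ $NOSSH ]; then
+# Êáèüìáóôå.
+echo
+else
+## ÅðÝôñåøå óõíäÝóåéò SSH áðü ôç äéåýèõíóç ðïõ ðáñÝ÷ïõìå óôç ãñáììÞ åíôïëþí
+/sbin/iptables -A INPUT -p tcp -s $1 --sport 1024: --dport 22 -j ACCEPT
+fi
+
+######################
+##### ÅÎÅÑ×ÏÌÅÍÁ #####
+######################
+
+## Äå÷üìáóôå ôïðéêÝò óõíäÝóåéò
+/sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
+
+## SSH
+/sbin/iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
+
+## HTTP
+/sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
+
+## HTTPS
+/sbin/iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
+
+## POP3
+/sbin/iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
+
+## SMTP
+/sbin/iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
+
+## DNS
+/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+
+## FTP (command)
+/sbin/iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+## FTP (data::Active)
+/sbin/iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
+
+## FTP (data::Passive)
+/sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+if [ $NOSSH ]; then
+echo
+else
+## ÅðéôñÝðïõìå óôïí SSH server ìáò íá áðáíôÞóåé.
+/sbin/iptables -A OUTPUT -p tcp --sport 22 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+fi
+
+## ICMP
+/sbin/iptables -A OUTPUT -p icmp -j ACCEPT
+
+## dict.org:2628
+/sbin/iptables -A OUTPUT -p tcp -d 66.111.36.30 --dport 2628 -j ACCEPT
+
+## Importing OpenPGP keys áðü pgp.mit.edu:11371
+/sbin/iptables -A OUTPUT -p tcp -d 18.7.14.139 --dport 11371 -j ACCEPT
+
+## JETDIRECT printing
+/sbin/iptables -A OUTPUT -p tcp --dport 9100 -j ACCEPT
+
+## Whois queries
+/sbin/iptables -A OUTPUT -p tcp --dport 43 -j ACCEPT
+
+## NTP updates
+/sbin/iptables -A OUTPUT -p tcp -d 128.2.4.21/16 --dport 123 -j ACCEPT
+/sbin/iptables -A OUTPUT -p udp --sport 123 -d 128.2.4.21/16 --dport 123 -j ACCEPT
+
+
+#################
+#### LOGGING ####
+#################
+## ÁõôÜ ôá ìçíýìáôá êáôá÷ùñïýíôáé óôï /var/log/messages
+# Ìå Ýíá tail -f /var/log/messages óáí root ôá ðáñáêïëïõèïýìå
+
+## Log åéóåñ÷üìåíá TCP ðáêÝôá ðïõ áðïññßöèçêáí.
+/sbin/iptables -A INPUT -p tcp -j LOG --log-prefix "iptables:IN-TCP DROPPED:"
+
+## Log åîåñ÷üìåíá TCP ðáêÝôá ðïõ áðïññßöèçêáí.
+/sbin/iptables -A OUTPUT -p tcp -j LOG --log-prefix "iptables:OUT-TCP DROPPED:"
+
+## Log ïôéäÞðïôå Üëëï ðïõ äåí ðÝñáóå
+#/sbin/iptables -A INPUT -j LOG --log-prefix "iptables:INCOMING DROPPED:"
+/sbin/iptables -A OUTPUT -j LOG --log-prefix "iptables:OUTGOING DROPPED:"
+
+## ÔÝëïò ôïõ iptables script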
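Review bot: The command-line address reaches the ruleset unquoted and unvalidated: `if [ -z $1 ]` at the top of the file and `-s $1` in the SSH INPUT rule, so an argument that contains whitespace breaks the test or hands iptables split words, and any unexpected value silently becomes the SSH allow-list. Quote both (`if [ -z "$1" ]`, `-s "$1"`) and reject anything that is not an IPv4 address or prefix before the iptables calls, for example `[[ $1 =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] || { echo "bad address: $1" >&2; exit 1; }`. The three LOG rules in the LOGGING section have no rate limit, so a burst of dropped traffic can fill /var/log/messages; prefix each with `-m limit --limit 5/min --limit-burst 10`. INPUT and OUTPUT get a DROP policy but FORWARD is left at its default; ip_forward is set to 0 earlier in the script so this is probably moot, yet `/sbin/iptables -P FORWARD DROP` next to the other two policies makes the intent explicit.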