Home Explore Help
Register Sign In
alimiracle
/
rose-firewall
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
rose-firewall
/
rose firewall

rose firewall 4.8 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157 
  1. #!/bin/sh
    2. 

  2. # rose firewall
    3. 

  3. # script to make firewall so ease
    4. 

  4. # and Activates/Deactivates the firewall at boot time
    5. 

  5. 

  6. # Copyright (c) 2012 ali abdul ghani <blade.vp2020@gmail.com>
    7. 

  7. #    This Program is free software: you can redistribute it and/or modify
    8. 

  8. #    it under the terms of the GNU  General Public License as published by
    9. 

  9. #    the Free Software Foundation, either version 3 of the License, or
    10. 

  10. #    (at your option) any later version.
    11. 

  11. #    This Program is distributed in the hope that it will be useful,
    12. 

  12. #    but WITHOUT ANY WARRANTY; without even the implied warranty of
    13. 

  13. #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    14. 

  14. #    GNU General Public License for more details.
    15. 

  15.  #    You should have received a copy of the GNU General Public License
    16. 

  16. #    along with this library.  If not, see <http://www.gnu.org/licenses/>.
    17. 

  17. 

  18. 

  19. ### BEGIN INIT INFO
    20. 

  20. # Required-Start:    $local_fs
    21. 

  21. # Required-Stop:     $local_fs
    22. 

  22. # Default-Start:     S
    23. 

  23. # Default-Stop:      0 6
    24. 

  24. # X-Start-Before:    $network
    25. 

  25. # X-Stop-After:      $network
    26. 

  26. ### END INIT INFO
    27. 

  27. #
    28. 

  28. #
    29. 

  29. # Caveats:
    30. 

  30. # - This configuration applies to all network interfaces
    31. 

  31. #   if you want to restrict this to only a given interface use
    32. 

  32. #   '-i INTERFACE' in the iptables calls.
    33. 

  33. # - Remote access for TCP/UDP services is granted to any host, 
    34. 

  34. #   you probably will want to restrict this using '--source'.
    35. 

  35. #
    36. 

  36. # chkconfig: 2345 9 91
    37. 

  37. #
    38. 

  38. # You can test this script before applying with the following shell
    39. 

  39. # snippet, if you do not type anything in 10 seconds the firewall
    40. 

  40. # rules will be cleared.
    41. 

  41. #---------------------------------------------------------------
    42. 

  42. #  while true; do test=""; read  -t 20 -p "OK? " test ; \
    43. 

  43. #  [ -z "$test" ] && /etc/init.d/myfirewall clear ; done
    44. 

  44. #---------------------------------------------------------------
    45. 

  45. 

  46. PATH=/bin:/sbin:/usr/bin:/usr/sbin
    47. 

  47. 

  48. # Services that the system will offer to the network
    49. 

  49. TCP_SERVICES=""
    50. 

  50. UDP_SERVICES=""
    51. 

  51. # Services the system will use from the network
    52. 

  52. REMOTE_TCP_SERVICES=""
    53. 

  53. REMOTE_UDP_SERVICES=""
    54. 

  54. 

  55. 

  56. if ! [ -x /sbin/iptables ]; then  
    57. 

  57.     exit 0
    58. 

  58. fi
    59. 

  59. 

  60. fw_start () {
    61. 

  61.     
    62. 

  62.     # Input traffic:
    63. 

  63.     /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    64. 

  64.     # Services
    65. 

  65.     if [ -n "$TCP_SERVICES" ] ; then
    66. 

  66. 	for PORT in $TCP_SERVICES; do
    67. 

  67. 	    /sbin/iptables -A INPUT -p tcp --dport ${PORT} -j ACCEPT
    68. 

  68. 	done
    69. 

  69.     fi
    70. 

  70.     if [ -n "$UDP_SERVICES" ] ; then
    71. 

  71. 	for PORT in $UDP_SERVICES; do
    72. 

  72. 	    /sbin/iptables -A INPUT -p udp --dport ${PORT} -j ACCEPT
    73. 

  73. 	done
    74. 

  74.     fi
    75. 

  75. 

  76.     /sbin/iptables -A INPUT -p icmp -j ACCEPT
    77. 

  77.     /sbin/iptables -A INPUT -i lo -j ACCEPT
    78. 

  78.     /sbin/iptables -P INPUT DROP
    79. 

  79.     /sbin/iptables -A INPUT -j LOG
    80. 

  80.     
    81. 

  81.     # Output:
    82. 

  82.     /sbin/iptables -A OUTPUT -j ACCEPT -o lo 
    83. 

  83.     /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    84. 

  84.     # ICMP is permitted:
    85. 

  85.     /sbin/iptables -A OUTPUT -p icmp -j ACCEPT
    86. 

  86. 

  87.     if [ -n "$REMOTE_TCP_SERVICES" ] ; then
    88. 

  88. 	for PORT in $REMOTE_TCP_SERVICES; do
    89. 

  89. 	    /sbin/iptables -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
    90. 

  90. 	done
    91. 

  91.     fi
    92. 

  92.     if [ -n "$REMOTE_UDP_SERVICES" ] ; then
    93. 

  93. 	for PORT in $REMOTE_UDP_SERVICES; do
    94. 

  94. 	    /sbin/iptables -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
    95. 

  95. 	done
    96. 

  96.     fi
    97. 

  97. 

  98.     # All other connections are registered in syslog
    99. 

  99.     /sbin/iptables -A OUTPUT -j LOG
    100. 

  100.     /sbin/iptables -A OUTPUT -j REJECT 
    101. 

  101.     /sbin/iptables -P OUTPUT DROP
    102. 

  102.     # Other network protections
    103. 

  103.     # (some will only work with some kernel versions)
    104. 

  104.     echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    105. 

  105.     echo 0 > /proc/sys/net/ipv4/ip_forward 
    106. 

  106.     echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 
    107. 

  107.     echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 
    108. 

  108.     #echo 1 > /proc/sys/net/ipv4/ip_always_defrag
    109. 

  109.     echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    110. 

  110.     echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    111. 

  111.     echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    112. 

  112.     echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    113. 

  113.     
    114. 

  114. }
    115. 

  115. 

  116. fw_stop () {
    117. 

  117.     /sbin/iptables -F
    118. 

  118.     /sbin/iptables -t nat -F
    119. 

  119.     /sbin/iptables -t mangle -F
    120. 

  120.     /sbin/iptables -P INPUT DROP
    121. 

  121.     /sbin/iptables -P FORWARD DROP
    122. 

  122.     /sbin/iptables -P OUTPUT ACCEPT
    123. 

  123. }
    124. 

  124. 

  125. fw_clear () {
    126. 

  126.     /sbin/iptables -F
    127. 

  127.     /sbin/iptables -t nat -F
    128. 

  128.     /sbin/iptables -t mangle -F
    129. 

  129.     /sbin/iptables -P INPUT ACCEPT
    130. 

  130.     /sbin/iptables -P FORWARD ACCEPT
    131. 

  131.     /sbin/iptables -P OUTPUT ACCEPT
    132. 

  132. }
    133. 

  133. 

  134. case "$1" in
    135. 

  135.     start|restart)
    136. 

  136.         echo -n "Starting firewall.."
    137. 

  137.         fw_stop 
    138. 

  138.         fw_start
    139. 

  139.         echo "done."
    140. 

  140.         ;;
    141. 

  141.     stop)
    142. 

  142.         echo -n "Stopping firewall.."
    143. 

  143.         fw_stop
    144. 

  144.         echo "done."
    145. 

  145.         ;;
    146. 

  146.     clear)
    147. 

  147.         echo -n "Clearing firewall rules.."
    148. 

  148.         fw_clear
    149. 

  149.         echo "done."
    150. 

  150.         ;;
    151. 

  151.     *)
    152. 

  152.         echo "Usage: $0 {start|stop|restart|clear}"
    153. 

  153.         exit 1
    154. 

  154.         ;;
    155. 

  155. esac
    156. 

  156. exit 0
    157. 

  157.