
  • FreeBSD防火墙Firewall(ipfw)

    先將kernel複製出來

    mkdir /usr/local/etc/FreeBSD

    cd /usr/src/sys/i386/conf

    cp GENERIC /usr/local/etc/FreeBSD/MYKERNEL

    ln -s /usr/local/etc/FreeBSD/MYKERNEL

    vi /usr/local/etc/FreeBSD/MYKERNEL

    加入

    options IPFIREWALL #firewall

    options IPFIREWALL_VERBOSE #enable logging to syslogd(8)

    options IPFIREWALL_FORWARD #packet destination changes

    options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default

    cd /usr/src;make kernel

    完成後開始設定

    vi /etc/rc.conf

    加入

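    # firewall -- ipfw settings for /etc/rc.conf.
    # rc.conf is sourced by sh, so the values must use plain ASCII double
    # quotes; typographic quotes become part of the value and the firewall
    # is never enabled.
    firewall_enable="YES"                 # load the ipfw rule set at boot
    firewall_logging="YES"                # log packets hit by "log" rules
    firewall_script="/etc/rc.firewall"    # script that installs the rules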

    vi /etc/rc.firewall

    將內容全部刪除改為

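    #!/bin/sh
    # /etc/rc.firewall -- ipfw rule set installed through firewall_script in rc.conf.
    # Rules are evaluated in ascending serial-number order; the first allow/deny
    # that matches decides the packet's fate.
    # NOTE(review): with IPFIREWALL_DEFAULT_TO_ACCEPT in the kernel, the host
    # accepts everything between the "flush" below and rule 65534 being added.
    fwcmd="/sbin/ipfw"

    Trust_IP1="127.0.0.1"                # replace with the server's own IP
    Trust_IP2="120.119.1.0/24"           # trusted network allowed through
    UnTrust_IP1="192.83.191.0/24"        # network denied any access to this host
    Allowed_TCP_In_1="22,25,53,80,443"   # inbound TCP ports you want to open
    Traceroute="33433-33499"             # UDP port range used by traceroute probes
    Allowed_UDP_Out="20,21,53,113"       # not referenced by any rule below
    Allowed_UDP_In="20,21,53,113"
    Allowed_UDP_ftp_Out="65000-65500"
    Allowed_UDP_ftp_In="65000-65500"     # not referenced by any rule below
    Allowed_TCP_ftp_Out="65000-65500"
    Allowed_TCP_ftp_In="65000-65500"     # not referenced by any rule below

    # ipfw [add/del/fwd] [serial] [allow/deny] [protocol] from [source] [ports] to [destination] [ports]

    # flush the existing rule set (-f: do not ask for confirmation)
    $fwcmd -f flush

    # NOTE(review): "ipv6" is looked up in /etc/protocols (protocol 41,
    # IPv6-in-IPv4 encapsulation); ipfw's keyword for all IPv6 traffic is
    # "ip6" -- confirm which one was intended.
    $fwcmd add 1 allow ipv6 from any to any
    # outbound TCP connections opened by this host create a dynamic rule ...
    $fwcmd add 00010 allow tcp from me to any setup keep-state
    # ... which check-state matches for the returning packets
    $fwcmd add 00021 check-state
    # NOTE(review): the two trust rules match on source address only, so a
    # packet arriving from the network with a spoofed trusted source address
    # matches as well; an interface qualifier (e.g. "via lo0" for 127.0.0.1)
    # would tighten them.
    $fwcmd add 00030 allow ip from ${Trust_IP1} to any
    $fwcmd add 00031 allow ip from ${Trust_IP2} to any
    $fwcmd add 00060 allow icmp from any to any
    $fwcmd add 00061 allow udp from any to any $Traceroute
    $fwcmd add 00120 deny ip from ${UnTrust_IP1} to me
    # already covered by rule 00120 (all IP from that network is denied)
    $fwcmd add 00121 deny tcp from ${UnTrust_IP1} to me 25
    $fwcmd add 56000 allow tcp from any to any ${Allowed_TCP_In_1}
    # NOTE(review): this rule matches on the sender's *source* port; any remote
    # host that picks source port 20/21/53/113 reaches every UDP port on this
    # host. Match on destination ports ("to any ${Allowed_UDP_In}") if that is
    # not the intent.
    $fwcmd add 56003 allow udp from any ${Allowed_UDP_In} to any
    # passive-FTP data port range
    $fwcmd add 56004 allow udp from any to any ${Allowed_UDP_ftp_Out}
    $fwcmd add 56005 allow tcp from any to any ${Allowed_TCP_ftp_Out}
    # deny and log everything not matched above (logging needs IPFIREWALL_VERBOSE)
    $fwcmd add 65534 deny log ip from any to any
    # reset the per-rule packet/byte counters
    $fwcmd zero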

    sh /etc/rc.firewall &

    reboot

  • Linux Iptables Firewall Shell Script For Standalone Server

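    #!/bin/bash
    # A Linux Shell Script with common rules for IPTABLES Firewall.
    # By default this script only open port 80, 22, 53 (input)
    # All outgoing traffic is allowed (default - output)
    # -------------------------------------------------------------
    # Copyright (c) 2004 nixCraft project <http://cyberciti.biz/fb/>
    # This script is licensed under GNU GPL version 2.0 or above
    # -------------------------------------------------------------
    # This script is part of nixCraft shell script collection (NSSC)
    # Visit http://bash.cyberciti.biz/ for more information.
    # -------------------------------------------------------------
    # Must run as root. The chain policies are switched to DROP before the
    # ESTABLISHED,RELATED rule is appended, so an SSH session used to run the
    # script may stall briefly until that rule is in place.

    IPT="/sbin/iptables"
    SPAMLIST="blockedip"                        # user chain holding the blocked-IP rules
    SPAMDROPMSG="BLOCKED IP DROP"               # log prefix for hits on that chain
    BLOCKEDIPS="/root/scripts/blocked.ips.txt"  # one address or CIDR per line

    echo "Starting IPv4 Wall…"
    # flush and delete every chain in the filter, nat and mangle tables
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X
    # connection-tracking module (called nf_conntrack on newer kernels)
    modprobe ip_conntrack

    # '#' comment lines and blank lines in the block list are ignored
    [ -f "$BLOCKEDIPS" ] && BADIPS=$(grep -v -E "^#|^$" "$BLOCKEDIPS")

    # interface connected to the Internet
    PUB_IF="eth0"

    # unlimited traffic for loopback
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # DROP all traffic that no rule below accepts
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    if [ -f "$BLOCKEDIPS" ]; then
      # create a new iptables chain and log+drop every listed address in it
      $IPT -N "$SPAMLIST"
      for ipblock in $BADIPS; do
        $IPT -A "$SPAMLIST" -s "$ipblock" -j LOG --log-prefix "$SPAMDROPMSG"
        $IPT -A "$SPAMLIST" -s "$ipblock" -j DROP
      done
      # -I places the chain in front of everything else, including the loopback rules
      $IPT -I INPUT -j "$SPAMLIST"
      $IPT -I OUTPUT -j "$SPAMLIST"
      $IPT -I FORWARD -j "$SPAMLIST"
    fi

    # Block new connections that do not start with SYN (rate-limited logging)
    $IPT -A INPUT -i "${PUB_IF}" -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
    $IPT -A INPUT -i "${PUB_IF}" -p tcp ! --syn -m state --state NEW -j DROP

    # Block fragments
    $IPT -A INPUT -i "${PUB_IF}" -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
    $IPT -A INPUT -i "${PUB_IF}" -f -j DROP

    # Block invalid TCP flag combinations (typical port-scan signatures)
    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL ALL -j DROP

    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # XMAS

    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

    # Allow full outgoing connection but no incoming stuff
    $IPT -A INPUT -i "${PUB_IF}" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "${PUB_IF}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Allow ssh (no interface restriction: accepted on every interface)
    $IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT

    # allow incoming ICMP echo request (8) and the matching echo reply (0)
    $IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow port 53 tcp/udp (DNS Server)
    $IPT -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

    $IPT -A INPUT -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Open port 80
    $IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT

    ##### Add your rules below ######

    ##### END your rules ############

    # Do not log smb/windows sharing packets - too much logging
    $IPT -A INPUT -p tcp -i "${PUB_IF}" --dport 137:139 -j REJECT
    $IPT -A INPUT -p udp -i "${PUB_IF}" --dport 137:139 -j REJECT

    # log everything else and drop
    # NOTE(review): this LOG rule carries no "-m limit", unlike the earlier
    # ones, so a packet flood fills the log at line rate.
    $IPT -A INPUT -j LOG
    $IPT -A FORWARD -j LOG
    $IPT -A INPUT -j DROP
    exit 0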

    ———————————————————

    How do I install and use this script?

    Type the following commands as root on the server:

    # mkdir /root/scripts

    # cd /root/scripts

    # wget http://bash.cyberciti.biz/dl/381.sh.zip

    # wget http://bash.cyberciti.biz/dl/151.sh.zip

    # unzip 381.sh.zip

    # unzip 151.sh.zip

    # mv 381.sh start.fw

    # mv 151.sh stop.fw

    # chmod +x *.fw

    Now edit the firewall script as per your requirements:
    # vi /root/scripts/start.fw
    Install firewall:
    # echo '/root/scripts/start.fw' >> /etc/rc.local

    How do I start firewall from a shell prompt?

    # /root/scripts/start.fw

    How do I stop firewall from a shell prompt?

    # /root/scripts/stop.fw

  • CentOS / Redhat Iptables Firewall Configuration Tutorial

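    #!/bin/bash
    # A sample firewall shell script for a standalone CentOS / Red Hat server.
    # Must run as root. Hardens a few IPv4 sysctls, then installs an iptables
    # rule set that accepts only ssh, http, dns, pop3 and imap on the public
    # interface and logs+drops everything else.
    # The chain policies are switched to DROP before the ESTABLISHED,RELATED
    # rule is appended, so an SSH session used to run the script may stall
    # briefly until that rule is in place.

    IPT="/sbin/iptables"
    SPAMLIST="blockedip"                        # user chain holding the blocked-IP rules
    SPAMDROPMSG="BLOCKED IP DROP"               # log prefix for hits on that chain
    SYSCTL="/sbin/sysctl"
    BLOCKEDIPS="/root/scripts/blocked.ips.txt"  # one address or CIDR per line

    # Stop certain attacks
    echo "Setting sysctl IPv4 settings…"
    $SYSCTL net.ipv4.ip_forward=0                        # this host is not a router
    $SYSCTL net.ipv4.conf.all.send_redirects=0
    $SYSCTL net.ipv4.conf.default.send_redirects=0
    $SYSCTL net.ipv4.conf.all.accept_source_route=0
    $SYSCTL net.ipv4.conf.all.accept_redirects=0
    $SYSCTL net.ipv4.conf.all.secure_redirects=0
    $SYSCTL net.ipv4.conf.all.log_martians=1            # log packets with impossible source addresses
    $SYSCTL net.ipv4.conf.default.accept_source_route=0
    $SYSCTL net.ipv4.conf.default.accept_redirects=0
    $SYSCTL net.ipv4.conf.default.secure_redirects=0
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=1       # do not answer broadcast pings
    #$SYSCTL net.ipv4.icmp_ignore_bogus_error_messages=1
    $SYSCTL net.ipv4.tcp_syncookies=1                    # survive SYN floods
    $SYSCTL net.ipv4.conf.all.rp_filter=1                # reverse-path (anti-spoof) check
    $SYSCTL net.ipv4.conf.default.rp_filter=1
    # NOTE(review): kernel.exec-shield exists only on Red Hat family kernels;
    # elsewhere sysctl reports an error and the script simply continues.
    $SYSCTL kernel.exec-shield=1
    # NOTE(review): 1 is conservative ASLR; 2 is full randomization -- confirm
    # the weaker setting is intended.
    $SYSCTL kernel.randomize_va_space=1

    echo "Starting IPv4 Firewall…"
    # flush and delete every chain in the filter, nat and mangle tables
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X

    # load modules (connection tracking; called nf_conntrack on newer kernels)
    modprobe ip_conntrack

    # '#' comment lines and blank lines in the block list are ignored
    [ -f "$BLOCKEDIPS" ] && BADIPS=$(grep -v -E "^#|^$" "${BLOCKEDIPS}")

    # interface connected to the Internet
    PUB_IF="eth0"

    # Unlimited traffic for loopback
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # DROP all traffic that no rule below accepts
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    if [ -f "${BLOCKEDIPS}" ]; then
      # create a new iptables chain and log+drop every listed address in it
      $IPT -N "$SPAMLIST"
      for ipblock in $BADIPS; do
        $IPT -A "$SPAMLIST" -s "$ipblock" -j LOG --log-prefix "$SPAMDROPMSG "
        $IPT -A "$SPAMLIST" -s "$ipblock" -j DROP
      done
      # -I places the chain in front of everything else, including the loopback rules
      $IPT -I INPUT -j "$SPAMLIST"
      $IPT -I OUTPUT -j "$SPAMLIST"
      $IPT -I FORWARD -j "$SPAMLIST"
    fi

    # Block new connections that do not start with SYN (rate-limited logging)
    $IPT -A INPUT -i "${PUB_IF}" -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
    $IPT -A INPUT -i "${PUB_IF}" -p tcp ! --syn -m state --state NEW -j DROP

    # Block fragments
    $IPT -A INPUT -i "${PUB_IF}" -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
    $IPT -A INPUT -i "${PUB_IF}" -f -j DROP

    # Block invalid TCP flag combinations (typical port-scan signatures)
    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL ALL -j DROP

    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # XMAS

    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

    $IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

    # Allow full outgoing connection but no incoming stuff
    $IPT -A INPUT -i "${PUB_IF}" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "${PUB_IF}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Allow ssh
    $IPT -A INPUT -i "${PUB_IF}" -p tcp --destination-port 22 -j ACCEPT

    # Allow http / https (open port 80 / 443)
    $IPT -A INPUT -i "${PUB_IF}" -p tcp --destination-port 80 -j ACCEPT
    # (the INPUT chain takes -i, not -o; the original commented line would be
    # rejected by iptables if uncommented as written)
    #$IPT -A INPUT -i "${PUB_IF}" -p tcp --destination-port 443 -j ACCEPT

    # allow incoming ICMP echo request; the reply goes out via the
    # ESTABLISHED,RELATED OUTPUT rule above
    $IPT -A INPUT -i "${PUB_IF}" -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    #$IPT -A OUTPUT -o "${PUB_IF}" -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow port 53 tcp/udp (DNS Server)
    $IPT -A INPUT -i "${PUB_IF}" -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    #$IPT -A OUTPUT -o "${PUB_IF}" -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

    $IPT -A INPUT -i "${PUB_IF}" -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    #$IPT -A OUTPUT -o "${PUB_IF}" -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Open port 110 (pop3) / 143 (imap)
    $IPT -A INPUT -i "${PUB_IF}" -p tcp --destination-port 110 -j ACCEPT
    $IPT -A INPUT -i "${PUB_IF}" -p tcp --destination-port 143 -j ACCEPT

    ##### Add your rules below ######
    #
    #
    ##### END your rules ############

    # Do not log smb/windows sharing packets - too much logging
    $IPT -A INPUT -p tcp -i "${PUB_IF}" --dport 137:139 -j REJECT
    $IPT -A INPUT -p udp -i "${PUB_IF}" --dport 137:139 -j REJECT

    # log everything else and drop
    # NOTE(review): this LOG rule carries no "-m limit", unlike the earlier
    # ones, so a packet flood fills the log at line rate.
    $IPT -A INPUT -j LOG
    $IPT -A FORWARD -j LOG
    $IPT -A INPUT -j DROP

    exit 0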