Seberapa pantas kah kau kuamankan
Aku bukan Satpam yang gagah dalam berjalan , tegap tanpa hambatan , dengan membawa alat perang tapi bukan itu yang dimaksud dan bukan pula dalam dunia nyata ... sadar aku cuma seorang satpam yang terpaku pada layar didepan mataku ... dengan jurus-jurus yang aku punya ... dan aku menyukai senjata perangku .... yaaa firewall , walau senjata ku cuma tameng aku dapat menangkal serangan musuhku ... inilah firewall menggunakan ip tables
Firewall = Tameng
dan tameng akan melawan pedang dan pistol , jika tameng itu titanium yang keras dan tak akan pernah rusak apa yang terjadi ......
#!/bin/sh
echo "------------------- Starting Firewall -----------------------"
echo " Setting Iptables Directory"
IPTABLES="/sbin/iptables"
CONLOG="/var/log/console.log"
echo "-------Reset the default policies in the filter table--------"
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
echo "----------Reset the default policies in the nat table--------"
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
echo "--------reset the default policies in the mangle table-------"
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
echo "-------flush all the rules in the filter and nat tables------"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
echo "-erase all chains that's not default in filter and nat table-"
echo ""
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
echo "------------------- Block Trojan Ports ----------------------"
$IPTABLES -N bad-ports
$IPTABLES -F bad-ports
$IPTABLES -A bad-ports -p tcp -m multiport --dport 3049,1999,4329,1,2,13,98,111,901,902 -j DROP
$IPTABLES -A bad-ports -p udp -m multiport --dport 3049,1999,4329,1,2,13,98,111,901,902 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 12345 -j DROP
$IPTABLES -A bad-ports -p udp --dport 12345 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 1524 -j DROP
$IPTABLES -A bad-ports -p udp --dport 1524 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 2049 -j DROP
$IPTABLES -A bad-ports -p udp --dport 2049 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 9035 -j DROP
$IPTABLES -A bad-ports -p udp --dport 9035 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 27444 -j DROP
$IPTABLES -A bad-ports -p udp --dport 27444 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 31335 -j DROP
$IPTABLES -A bad-ports -p udp --dport 31335 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 27665 -j DROP
$IPTABLES -A bad-ports -p udp --dport 27665 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 31337 -j DROP
$IPTABLES -A bad-ports -p udp --dport 31337 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 65535 -j DROP
$IPTABLES -A bad-ports -p udp --dport 65535 -j DROP
#----Load IPTABLES-modules-----#
echo "-------------------Loading IPTABLES modules -----------------"
dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables 2>&1 >> $CONLOG
/sbin/modprobe iptable_filter 2>&1 >> $CONLOG
/sbin/modprobe ip_conntrack 2>&1 >> $CONLOG
/sbin/modprobe ip_conntrack_ftp 2>&1 >> $CONLOG
/sbin/modprobe ip_nat_ftp 2>&1 >> $CONLOG
#/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS 2>&1 >> $CONLOG
#/sbin/modprobe ip_nat_irc ports=$IRCPORTS 2>&1 >> $CONLOG
dmesg -n 6
echo "------------------Block Portscan in ETH1---------------------"
EXTIF="eth0"
INTIF="eth1"
#----Log-Level----#
# Set the log-level for the logging-chains. Defaults to "info" to avoid logging to the console
# 6 is info only - Hope the console Sh... goes away
#LOG_EMERG 0 kernel panic
#LOG_ALERT 1 condition needing immediate attention
#LOG_CRIT 2 critical conditions
#LOG_ERR 3 errors
#LOG_WARNING 4 warning messages
#LOG_NOTICE 5 not an error but may need attention
#LOG_INFO 6 informational messages THAT'S IT
#LOG_DEBUG 7 when debugging a system
LOGLEVEL="0"
#Kill PortScans (the badly formatted packets
#[[======= KillPortScans user defined chain ====]]
$IPTABLES -N KillPortScans
#REJECT ident requests...
# $IPTABLES -t filter -A KillPortScans -p tcp --dport 113 \
# -j LOG --log-level $LOGLEVEL --log-prefix "IDENT1 ACPT : "
# $IPTABLES -t filter -A KillPortScans -p tcp --dport 113 \
# -j REJECT --reject-with tcp-reset
#reject port scans coming from $EXTIF
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags ALL FIN,URG,PSH \
-j LOG --log-level $LOGLEVEL --log-prefix "FUP to eth0: "
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags ALL FIN,URG,PSH -j DROP
#
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags ALL FIN -j LOG --log-level $LOGLEVEL --log-prefix "F to eth0: "
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags ALL FIN -j DROP
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags ALL NONE \
-j LOG --log-level $LOGLEVEL --log-prefix "NONE to eth0: "
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags ALL NONE -j DROP
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags SYN,FIN SYN,FIN \
-j LOG --log-level $LOGLEVEL --log-prefix "SF to eth0: "
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags SYN,RST SYN,RST \
-j LOG --log-level $LOGLEVEL --log-prefix "SR to eth0: "
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags SYN,RST SYN,RST -j DROP
# block RPC ports from INET_IFACE
for TCP_PORT in $RPC_TCP_PORTS; do
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--dport $TCP_PORT -j DROP
done
# block RPC ports from INET_IFACE
for UDP_PORT in $RPC_UDP_PORTS; do
$IPTABLES -t filter -A KillPortScans -p udp -i $EXTIF \
--dport $UDP_PORT -j DROP
done
# ========================= End of KillPortScans =================
#Snat And REdirect Squid
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 10.11.13.0/24 -j SNAT --to 202.127.169.241
$IPTABLES -A PREROUTING -t nat -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 3128
#Kill The ICMP
#$IPTABLES -t nat -I POSTROUTING -p icmp -d 0.0.0.0/0 -o $EXTIF -j DROP
#Spesific legal IP for ping server
$IPTABLES -A FORWARD -s 10.11.13.0/24 -p icmp -j DROP
#$IPTABLES -A INPUT -i $INTIF -p icmp -j DROP
$IPTABLES -A INPUT -i $EXTIF -p icmp -s 0.0.0.0/0.0.0.0 -j DROP
#ANTI SPOOFINg
$IPTABLES -A INPUT -s 0.0.0.0/8 -i ! lo -j DROP
$IPTABLES -A INPUT -s 255.255.255.255 -i ! lo -j DROP
$IPTABLES -A INPUT -s 127.0.0.0/8 -i ! lo -j DROP
echo "Loading firewall --------------------------------------------"
Semoga anda Aman selalu ........
Firewall = Tameng
dan tameng akan melawan pedang dan pistol , jika tameng itu titanium yang keras dan tak akan pernah rusak apa yang terjadi ......
#!/bin/sh
echo "------------------- Starting Firewall -----------------------"
echo " Setting Iptables Directory"
IPTABLES="/sbin/iptables"
CONLOG="/var/log/console.log"
echo "-------Reset the default policies in the filter table--------"
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
echo "----------Reset the default policies in the nat table--------"
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
echo "--------reset the default policies in the mangle table-------"
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
echo "-------flush all the rules in the filter and nat tables------"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
echo "-erase all chains that's not default in filter and nat table-"
echo ""
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
echo "------------------- Block Trojan Ports ----------------------"
$IPTABLES -N bad-ports
$IPTABLES -F bad-ports
$IPTABLES -A bad-ports -p tcp -m multiport --dport 3049,1999,4329,1,2,13,98,111,901,902 -j DROP
$IPTABLES -A bad-ports -p udp -m multiport --dport 3049,1999,4329,1,2,13,98,111,901,902 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 12345 -j DROP
$IPTABLES -A bad-ports -p udp --dport 12345 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 1524 -j DROP
$IPTABLES -A bad-ports -p udp --dport 1524 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 2049 -j DROP
$IPTABLES -A bad-ports -p udp --dport 2049 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 9035 -j DROP
$IPTABLES -A bad-ports -p udp --dport 9035 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 27444 -j DROP
$IPTABLES -A bad-ports -p udp --dport 27444 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 31335 -j DROP
$IPTABLES -A bad-ports -p udp --dport 31335 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 27665 -j DROP
$IPTABLES -A bad-ports -p udp --dport 27665 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 31337 -j DROP
$IPTABLES -A bad-ports -p udp --dport 31337 -j DROP
$IPTABLES -A bad-ports -p tcp --dport 65535 -j DROP
$IPTABLES -A bad-ports -p udp --dport 65535 -j DROP
#----Load IPTABLES-modules-----#
echo "-------------------Loading IPTABLES modules -----------------"
dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables 2>&1 >> $CONLOG
/sbin/modprobe iptable_filter 2>&1 >> $CONLOG
/sbin/modprobe ip_conntrack 2>&1 >> $CONLOG
/sbin/modprobe ip_conntrack_ftp 2>&1 >> $CONLOG
/sbin/modprobe ip_nat_ftp 2>&1 >> $CONLOG
#/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS 2>&1 >> $CONLOG
#/sbin/modprobe ip_nat_irc ports=$IRCPORTS 2>&1 >> $CONLOG
dmesg -n 6
echo "------------------Block Portscan in ETH1---------------------"
EXTIF="eth0"
INTIF="eth1"
#----Log-Level----#
# Set the log-level for the logging-chains. Defaults to "info" to avoid logging to the console
# 6 is info only - Hope the console Sh... goes away
#LOG_EMERG 0 kernel panic
#LOG_ALERT 1 condition needing immediate attention
#LOG_CRIT 2 critical conditions
#LOG_ERR 3 errors
#LOG_WARNING 4 warning messages
#LOG_NOTICE 5 not an error but may need attention
#LOG_INFO 6 informational messages THAT'S IT
#LOG_DEBUG 7 when debugging a system
LOGLEVEL="0"
#Kill PortScans (the badly formatted packets
#[[======= KillPortScans user defined chain ====]]
$IPTABLES -N KillPortScans
#REJECT ident requests...
# $IPTABLES -t filter -A KillPortScans -p tcp --dport 113 \
# -j LOG --log-level $LOGLEVEL --log-prefix "IDENT1 ACPT : "
# $IPTABLES -t filter -A KillPortScans -p tcp --dport 113 \
# -j REJECT --reject-with tcp-reset
#reject port scans coming from $EXTIF
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags ALL FIN,URG,PSH \
-j LOG --log-level $LOGLEVEL --log-prefix "FUP to eth0: "
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags ALL FIN,URG,PSH -j DROP
#
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags ALL FIN -j LOG --log-level $LOGLEVEL --log-prefix "F to eth0: "
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags ALL FIN -j DROP
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags ALL NONE \
-j LOG --log-level $LOGLEVEL --log-prefix "NONE to eth0: "
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags ALL NONE -j DROP
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags SYN,FIN SYN,FIN \
-j LOG --log-level $LOGLEVEL --log-prefix "SF to eth0: "
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags SYN,RST SYN,RST \
-j LOG --log-level $LOGLEVEL --log-prefix "SR to eth0: "
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--tcp-flags SYN,RST SYN,RST -j DROP
# block RPC ports from INET_IFACE
for TCP_PORT in $RPC_TCP_PORTS; do
$IPTABLES -t filter -A KillPortScans -p tcp -i $EXTIF \
--dport $TCP_PORT -j DROP
done
# block RPC ports from INET_IFACE
for UDP_PORT in $RPC_UDP_PORTS; do
$IPTABLES -t filter -A KillPortScans -p udp -i $EXTIF \
--dport $UDP_PORT -j DROP
done
# ========================= End of KillPortScans =================
#Snat And REdirect Squid
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 10.11.13.0/24 -j SNAT --to 202.127.169.241
$IPTABLES -A PREROUTING -t nat -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 3128
#Kill The ICMP
#$IPTABLES -t nat -I POSTROUTING -p icmp -d 0.0.0.0/0 -o $EXTIF -j DROP
#Spesific legal IP for ping server
$IPTABLES -A FORWARD -s 10.11.13.0/24 -p icmp -j DROP
#$IPTABLES -A INPUT -i $INTIF -p icmp -j DROP
$IPTABLES -A INPUT -i $EXTIF -p icmp -s 0.0.0.0/0.0.0.0 -j DROP
#ANTI SPOOFINg
$IPTABLES -A INPUT -s 0.0.0.0/8 -i ! lo -j DROP
$IPTABLES -A INPUT -s 255.255.255.255 -i ! lo -j DROP
$IPTABLES -A INPUT -s 127.0.0.0/8 -i ! lo -j DROP
echo "Loading firewall --------------------------------------------"
Semoga anda Aman selalu ........
Komentar
Posting Komentar