Friday, March 07, 2008

Seberapa pantaskah kau kuamankan

Aku bukan Satpam yang gagah dalam berjalan, tegap tanpa hambatan, dengan membawa alat perang. Tapi bukan itu yang dimaksud, dan bukan pula dalam dunia nyata... Sadar aku cuma seorang satpam yang terpaku pada layar di depan mataku... dengan jurus-jurus yang aku punya... dan aku menyukai senjata perangku.... yaaa, firewall. Walau senjataku cuma tameng, aku dapat menangkal serangan musuhku... inilah firewall menggunakan iptables.

Firewall = Tameng

dan tameng akan melawan pedang dan pistol; jika tameng itu titanium yang keras dan tak akan pernah rusak, apa yang terjadi......


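#!/bin/sh
#
# Gateway firewall built on iptables.
#
# The host has an external interface (EXTIF) and a LAN interface (INTIF).
# The script:
#   * loads the netfilter / conntrack modules it relies on,
#   * resets the filter, nat and mangle tables to a clean ACCEPT state,
#   * builds the user chains "bad-ports" (well-known backdoor and
#     never-expose-externally ports) and "KillPortScans" (malformed TCP
#     flag combinations, RPC ports) and hooks both into INPUT and FORWARD
#     for traffic arriving on EXTIF,
#   * SNATs the LAN out of EXTIF and redirects LAN HTTP to a local Squid,
#   * drops ICMP and obviously spoofed source addresses.
#
# Must run as root.  Site-specific values live in the configuration block
# below.  RPC_TCP_PORTS / RPC_UDP_PORTS may be supplied in the environment
# as space-separated port lists; they are empty (no rules) by default.
#
# NOTE(review): the default policies stay ACCEPT, so only the explicit DROP
# rules below deny anything.  Switch the policies to DROP once the allow
# rules for the services this gateway must offer are in place.

set -u

# ------------------------------ Configuration ------------------------------
IPTABLES="/sbin/iptables"
CONLOG="/var/log/console.log"      # where module-load output is appended

EXTIF="eth0"                       # interface towards the Internet
INTIF="eth1"                       # interface towards the LAN
LAN_NET="10.11.13.0/24"            # LAN prefix behind INTIF
SNAT_IP="202.127.169.241"          # public address the LAN is translated to
SQUID_PORT="3128"                  # local transparent proxy port

# Space-separated RPC port lists to drop on EXTIF; empty unless the caller
# sets them (set -u would otherwise abort the for-loops below).
RPC_TCP_PORTS="${RPC_TCP_PORTS:-}"
RPC_UDP_PORTS="${RPC_UDP_PORTS:-}"

# Port groups dropped for both TCP and UDP by the bad-ports chain.  Each
# word is one "-m multiport --dport" argument (max 15 ports per word).
BAD_PORT_GROUPS="3049,1999,4329,1,2,13,98,111,901,902 12345,1524,2049,9035,27444,31335,27665,31337,65535"

# Syslog level for the LOG target.  6 (info) keeps port-scan noise off the
# console; the previous value 0 (emerg) is broadcast to every terminal,
# which contradicts the stated goal of silencing the console.
#   0 emerg  1 alert  2 crit  3 err  4 warning  5 notice  6 info  7 debug
LOGLEVEL="6"

# Kernel modules loaded before any rule is installed.  The FTP helpers are
# needed for active FTP through the SNAT below.
# NOTE(review): these are the 2.4/early-2.6 names; newer kernels call them
# nf_conntrack / nf_conntrack_ftp / nf_nat_ftp.  Failures are logged, not
# fatal, because iptables autoloads the core modules on first use.
MODULES="ip_tables iptable_filter ip_conntrack ip_conntrack_ftp ip_nat_ftp"
# IRC helpers were never enabled (IRCPORTS was undefined):
#   ip_conntrack_irc ports=$IRCPORTS
#   ip_nat_irc ports=$IRCPORTS

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Load the netfilter modules listed in MODULES, logging output to CONLOG.
# Console log level is lowered while loading so module banners stay off
# the console, then restored to 6 (info).
#######################################
load_modules() {
  echo "-------------------Loading IPTABLES modules -----------------"
  dmesg -n 1
  # Word-splitting on MODULES is intentional: it is a space-separated list.
  for mod in $MODULES; do
    # Fixed redirection order: the original "2>&1 >> $CONLOG" sent stderr
    # to the terminal and only stdout to the log.
    /sbin/modprobe "$mod" >> "$CONLOG" 2>&1 \
      || printf 'warn: modprobe %s failed, see %s\n' "$mod" "$CONLOG" >&2
  done
  dmesg -n 6
}

#######################################
# Reset every table to policy ACCEPT, flush all rules and delete every
# user-defined chain, so the rest of the script starts from a known state.
#######################################
reset_tables() {
  echo "-------Reset the default policies in the filter table--------"
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT

  echo "----------Reset the default policies in the nat table--------"
  "$IPTABLES" -t nat -P PREROUTING ACCEPT
  "$IPTABLES" -t nat -P POSTROUTING ACCEPT
  "$IPTABLES" -t nat -P OUTPUT ACCEPT

  echo "--------reset the default policies in the mangle table-------"
  "$IPTABLES" -t mangle -P PREROUTING ACCEPT
  "$IPTABLES" -t mangle -P OUTPUT ACCEPT

  echo "-------flush all the rules in the filter and nat tables------"
  "$IPTABLES" -F
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t mangle -F

  echo "-erase all chains that's not default in filter and nat table-"
  echo ""
  "$IPTABLES" -X
  "$IPTABLES" -t nat -X
  "$IPTABLES" -t mangle -X
}

#######################################
# Build the bad-ports chain and hook it into INPUT and FORWARD for packets
# arriving on EXTIF.  The original script created the chain but never
# jumped to it, so none of these DROP rules ever took effect.
#######################################
build_bad_ports() {
  echo "------------------- Block Trojan Ports ----------------------"
  "$IPTABLES" -N bad-ports
  "$IPTABLES" -F bad-ports
  # Word-splitting on BAD_PORT_GROUPS is intentional.
  for group in $BAD_PORT_GROUPS; do
    for proto in tcp udp; do
      "$IPTABLES" -A bad-ports -p "$proto" -m multiport --dport "$group" -j DROP
    done
  done
  "$IPTABLES" -A INPUT -i "$EXTIF" -j bad-ports
  "$IPTABLES" -A FORWARD -i "$EXTIF" -j bad-ports
}

#######################################
# Append a log-then-drop pair to KillPortScans for one TCP flag pattern.
# Arguments: $1 - flag mask, $2 - flags that must be set within the mask,
#            $3 - short tag used in the log prefix (e.g. "FUP")
#######################################
kill_tcp_flags() {
  "$IPTABLES" -t filter -A KillPortScans -p tcp -i "$EXTIF" \
    --tcp-flags "$1" "$2" \
    -j LOG --log-level "$LOGLEVEL" --log-prefix "$3 to $EXTIF: "
  "$IPTABLES" -t filter -A KillPortScans -p tcp -i "$EXTIF" \
    --tcp-flags "$1" "$2" -j DROP
}

#######################################
# Build the KillPortScans chain: malformed TCP flag combinations used by
# scanners (logged, then dropped) and the configured RPC ports (dropped),
# all for packets entering on EXTIF.  The chain is then hooked into INPUT
# and FORWARD, which the original script omitted.
#######################################
build_kill_portscans() {
  echo "------------------Block Portscan on $EXTIF---------------------"
  "$IPTABLES" -N KillPortScans

  # Ident (113) rejection stays disabled, as in the original:
  #   -p tcp --dport 113 -j REJECT --reject-with tcp-reset

  kill_tcp_flags ALL FIN,URG,PSH FUP    # Xmas-style scan
  kill_tcp_flags ALL FIN F              # FIN scan
  kill_tcp_flags ALL NONE NONE          # NULL scan
  kill_tcp_flags SYN,FIN SYN,FIN SF     # SYN+FIN never legitimate
  kill_tcp_flags SYN,RST SYN,RST SR     # SYN+RST never legitimate

  # Word-splitting on the RPC port lists is intentional.
  for tcp_port in $RPC_TCP_PORTS; do
    "$IPTABLES" -t filter -A KillPortScans -p tcp -i "$EXTIF" \
      --dport "$tcp_port" -j DROP
  done
  for udp_port in $RPC_UDP_PORTS; do
    "$IPTABLES" -t filter -A KillPortScans -p udp -i "$EXTIF" \
      --dport "$udp_port" -j DROP
  done

  "$IPTABLES" -A INPUT -i "$EXTIF" -j KillPortScans
  "$IPTABLES" -A FORWARD -i "$EXTIF" -j KillPortScans
}

#######################################
# SNAT the LAN out of EXTIF and redirect LAN HTTP to the local Squid.
#######################################
setup_nat() {
  "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN_NET" -j SNAT --to "$SNAT_IP"
  "$IPTABLES" -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 80 \
    -j REDIRECT --to-port "$SQUID_PORT"
}

#######################################
# Drop ICMP: LAN hosts may not ping through the gateway, and nothing from
# outside may ping the gateway itself.
# NOTE(review): dropping every ICMP type on EXTIF also discards
# fragmentation-needed messages, which breaks path-MTU discovery; consider
# allowing at least that type.
#######################################
block_icmp() {
  "$IPTABLES" -A FORWARD -s "$LAN_NET" -p icmp -j DROP
  "$IPTABLES" -A INPUT -i "$EXTIF" -p icmp -j DROP
}

#######################################
# Drop packets whose source address cannot legitimately arrive on the
# interface they came in on.
#######################################
anti_spoof() {
  # Unspecified, limited-broadcast and loopback sources are only valid on lo.
  for src in 0.0.0.0/8 255.255.255.255 127.0.0.0/8; do
    "$IPTABLES" -A INPUT ! -i lo -s "$src" -j DROP
  done
  # The LAN prefix lives behind INTIF; the same source on EXTIF is spoofed.
  "$IPTABLES" -A INPUT -i "$EXTIF" -s "$LAN_NET" -j DROP
  "$IPTABLES" -A FORWARD -i "$EXTIF" -s "$LAN_NET" -j DROP
}

#######################################
# Entry point: sanity checks, then install the rule set in dependency order.
#######################################
main() {
  [ "$(id -u)" -eq 0 ] || die "this script must run as root"
  [ -x "$IPTABLES" ] || die "iptables binary not found at $IPTABLES"

  echo "------------------- Starting Firewall -----------------------"
  echo " Setting Iptables Directory"
  load_modules          # before any rule so the conntrack/FTP helpers exist
  reset_tables
  build_bad_ports
  build_kill_portscans
  setup_nat
  block_icmp
  anti_spoof
  echo "Loading firewall --------------------------------------------"
}

main "$@"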



Semoga Anda aman selalu........

