
Jumat, 28 Februari 2014

Securing a server with an iptables bash script

#!/bin/bash
#
# modified: 18.08.2013 11:49 AM
#
# sys_tweaks, program check and "permissive rules" are from
# http://www.emoticode.net/bash/iptables-firewall.html

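# Path of the IPv4 iptables binary.  NOTE: this script only ever calls
# iptables; ip6tables is never configured, so IPv6 traffic is not filtered
# by any of the rules below.  readonly so a later stray assignment cannot
# redirect which binary gets executed as root.
readonly firewall="/sbin/iptables"
# Uplink interface the ESTABLISHED,RELATED accept in permissive mode is bound to.
readonly net_interface="wlan0"
# Destination ports the host may open outbound in "paranoia" mode.
# 21 ftp, 53 dns, 80/443 http(s), 587 smtp submission, 993 imaps,
# 6697/7000 commonly irc, 9418 git.  9600 and 51000 are presumably
# site-specific — verify before reusing this list elsewhere.
readonly tcp_ports="21,53,80,443,587,993,6697,7000,9600,9418,51000"
readonly udp_ports="53,80,443,51000"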


user_check() {
  # iptables and the /proc/sys writes need root; refuse early otherwise.
  # Exits 1 with a message on stderr, returns normally for uid 0.
  local uid
  uid="$(id -u)"
  if [[ "$uid" -ne 0 ]]; then
    printf 'ERROR: This script must be run as root\n' >&2
    exit 1
  fi
}

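program_check() {
  # Refuse to continue without an executable iptables.  The original had this
  # check commented out; since the script never uses `set -e`, a missing
  # binary made every later rule fail silently while the script still printed
  # its "Configuring ..." banner and exited 0 — i.e. no firewall at all.
  if [[ ! -x "$firewall" ]]; then
    printf 'ERROR: %s is not available. Do you have iptables or netfilter installed?\n' "$firewall" >&2
    exit 2
  fi

  # Best effort: make sure the ip_tables module is present.  With ip_tables
  # built into the kernel, or with the nf_tables backend (iptables-nft), lsmod
  # may not list it even though rules work, so only give up if modprobe fails.
  # (The original combined -q with -c; -q alone is what the test needs.)
  if ! lsmod 2>/dev/null | grep -q ip_tables; then
    printf "ERROR: Can't find ip_tables module\n" >&2
    sleep 1
    printf 'Trying to modprobe ip_tables...\n'
    if ! modprobe ip_tables; then
      tput sgr0 2>/dev/null || true   # reset terminal attributes, as before
      exit 1
    fi
  fi
}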


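# Write $2 into /proc/sys/$1.  Warns instead of aborting when the key is
# missing or read-only (e.g. inside a container or on an unsupported kernel),
# so the remaining hardening still gets applied.  SYSCTL_ROOT can override the
# /proc/sys prefix (used by the tests).  Returns 1 on failure, 0 otherwise.
set_sysctl() {
  local key="$1" value="$2"
  local path="${SYSCTL_ROOT:-/proc/sys}/${key}"
  # the group redirect also silences bash's own "No such file" message
  if ! { printf '%s\n' "$value" > "$path"; } 2>/dev/null; then
    printf 'WARNING: could not set %s=%s\n' "$key" "$value" >&2
    return 1
  fi
  return 0
}

# Kernel-level IPv4 network hardening.  The original wrote to /proc with no
# error handling, so a missing key went unnoticed.  Only the net/ipv4 tree is
# touched: the equivalent net/ipv6 keys are not configured by this script.
# Returns 1 if any key could not be set (callers currently ignore this).
sys_tweaks() {
  local failed=0
  # Try to prevent SYN floods
  set_sysctl net/ipv4/tcp_syncookies 1 || failed=1
  # Disable response to ICMP broadcasts (smurf amplification)
  set_sysctl net/ipv4/icmp_echo_ignore_broadcasts 1 || failed=1
  # Reject source-routed packets
  set_sysctl net/ipv4/conf/all/accept_source_route 0 || failed=1
  set_sysctl net/ipv4/conf/default/accept_source_route 0 || failed=1
  # Disable ICMP redirect acceptance
  set_sysctl net/ipv4/conf/all/accept_redirects 0 || failed=1
  set_sysctl net/ipv4/conf/default/accept_redirects 0 || failed=1
  # Enable bad error message protection
  set_sysctl net/ipv4/icmp_ignore_bogus_error_responses 1 || failed=1
  # Do not send ICMP redirects (this host is not a router)
  set_sysctl net/ipv4/conf/all/send_redirects 0 || failed=1
  set_sysctl net/ipv4/conf/default/send_redirects 0 || failed=1
  # Enable reverse path filtering (anti-spoofing)
  set_sysctl net/ipv4/conf/all/rp_filter 1 || failed=1
  set_sysctl net/ipv4/conf/default/rp_filter 1 || failed=1
  # Log spoofed packets, source-routed packets, redirect packets
  set_sysctl net/ipv4/conf/all/log_martians 1 || failed=1
  set_sysctl net/ipv4/conf/default/log_martians 1 || failed=1
  # Disable IP forwarding
  set_sysctl net/ipv4/ip_forward 0 || failed=1
  return "$failed"
}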


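# "permissive" mode: block inbound connection attempts, leave outbound open.
# Relies on the ACCEPT policies that do_flush installs, so everything not
# explicitly dropped here still gets through (see the notes inline).
permissive_rules() {
  echo '[ .. ] Configuring iptables ports and services (permissive rules)...'

  user_check
  # refuse to run without a usable iptables (the original skipped this check)
  program_check
  # flush *all* rules; this also resets INPUT/OUTPUT/FORWARD policies to ACCEPT
  do_flush
  sys_tweaks

  # Drop all incoming fragments
  "$firewall" -A INPUT -f -j DROP

  # Anti-spoofing: loopback addresses must only arrive on lo.  Uses the
  # current "! -i lo" form; the legacy "-i !lo" of the original is not parsed
  # as a negation by modern iptables, which left this rule ineffective.
  "$firewall" -A INPUT -s 127.0.0.0/255.0.0.0 ! -i lo -j DROP

  # Pass all locally-originating packets
  "$firewall" -A INPUT -i lo -j ACCEPT
  "$firewall" -A OUTPUT -o lo -j ACCEPT

  # Replies to our own connections on the uplink
  "$firewall" -A INPUT -m state --state ESTABLISHED,RELATED -i "$net_interface" -j ACCEPT

  # Drop outside-initiated connections on every interface.  The INPUT policy
  # is still ACCEPT, so packets that are neither NEW nor matched above
  # (e.g. INVALID) are not blocked in this mode.
  "$firewall" -A INPUT -m state --state NEW -j DROP

  # Outbound is effectively unrestricted: with the OUTPUT policy at ACCEPT
  # these two rules only document the intent.
  "$firewall" -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
  "$firewall" -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
  #"$firewall" -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  # This host is not a router (sys_tweaks sets ip_forward=0); do not leave
  # the FORWARD chain on the ACCEPT policy do_flush installed.
  "$firewall" -P FORWARD DROP
}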


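# "paranoia" mode: default-deny on every chain; only loopback, outbound to the
# whitelisted ports and the conntrack-tracked replies to those connections
# are allowed.  Everything else — including all ICMP — hits the DROP policy.
# IPv4 only: ip6tables is not configured by this script.
do_start () {
  echo '[ .. ] Configuring iptables ports and services (Paranoia mode)...'

  user_check
  # refuse to run without a usable iptables (the original skipped this check)
  program_check
  # flush *all* rules (leaves ACCEPT policies, overridden just below)
  do_flush
  sys_tweaks

  # ftp helper modules, left disabled as in the original
  #modprobe ip_conntrack
  #modprobe ip_conntrack_ftp

  # *Do not allow anything* — set the policies before appending any ACCEPT
  # so nothing slips through while the rules are still being built.
  "$firewall" -P INPUT DROP
  "$firewall" -P OUTPUT DROP
  "$firewall" -P FORWARD DROP
  # Sometimes you can be nice
  #"$firewall" -P FORWARD REJECT

  # Anti-spoofing: 127/8 must only arrive on lo.  Placed before the ACCEPT
  # rules so it actually takes effect (the original appended it after them),
  # and written as "! -i lo" because modern iptables does not treat the
  # legacy "-i !lo" as a negation.
  "$firewall" -A INPUT -s 127.0.0.0/255.0.0.0 ! -i lo -j DROP

  # almighty localhost for web developing and testing
  "$firewall" -A INPUT -i lo -j ACCEPT
  "$firewall" -A OUTPUT -o lo -j ACCEPT

  # Outbound only to the whitelisted destination ports; inbound only the
  # RELATED/ESTABLISHED replies, matched on the peer's source port.
  "$firewall" -A OUTPUT -p tcp -m multiport --dports "$tcp_ports" -j ACCEPT
  "$firewall" -A OUTPUT -p udp -m multiport --dports "$udp_ports" -j ACCEPT
  "$firewall" -A INPUT -p tcp -m multiport --sports "$tcp_ports" -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$firewall" -A INPUT -p udp -m multiport --sports "$udp_ports" -m state --state RELATED,ESTABLISHED -j ACCEPT

  # allow all traffic in IP range
  #"$firewall" -A INPUT -s 192.168.1.0/23 -j ACCEPT

  # Rate-limit new connections to a public service (example)
  #"$firewall" -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

  # examples for explicitly denying all traffic on port
  #"$firewall" -A INPUT -p udp --dport 22 -j DROP
  #"$firewall" -A INPUT -p tcp --dport 22 -j DROP
}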


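# "stop" mode and the first step of the other modes: remove every IPv4 rule
# and chain and reset all policies to ACCEPT.  After this returns the host's
# IPv4 firewall is wide open; that is intentional for "stop".
# The raw table is included (the original left it alone) because a leftover
# NOTRACK rule there would silently bypass the state-based rules set later.
do_flush () {
  echo '[ .. ] Flushing all iptables rules...'

  local table
  for table in filter nat mangle raw; do
    "$firewall" -t "$table" -F   # flush rules
    "$firewall" -t "$table" -X   # delete user-defined chains
    "$firewall" -t "$table" -Z   # zero counters
  done
  "$firewall" -P INPUT ACCEPT
  "$firewall" -P FORWARD ACCEPT
  "$firewall" -P OUTPUT ACCEPT
}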


# Print the usage text to stdout.  $0 is the script name as invoked.
help () {
  cat <<EOF
$0 - manage iptables rules
usage: $0 action

Actions:
  start      -  use defined (paranoia) iptables rules
  stop       -  flush iptables rules
  permissive -  use permissive mode
  *          -  displays this help and exits
EOF
}


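# Dispatch on the first argument only.  The original matched the whole "$@",
# so "start extra" silently fell through to the help text.  An unknown action
# now exits 2 and the last iptables status propagates instead of the
# unconditional "exit 0", so init scripts and cron jobs can tell a partially
# applied ruleset from a success.
case "${1:-}" in
  start          ) do_start ;;
  permissive     ) permissive_rules ;;
  stop           ) do_flush ;;
  help|-h|--help ) help ;;
  *              ) help >&2; exit 2 ;;
esac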
