domingo, 19 de fevereiro de 2017

This is a very simple Netfilter (iptables) firewall script.

#vim firewall.sh
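#!/bin/sh
# Simple Netfilter firewall.
#
# Run as root. Flushes every iptables rule, then installs the INPUT, NAT and
# mangle rules below and appends recently logged WAN sources to
# /etc/hosts.deny.
#
# Reads:  http://ipinfo.io/ip (external address), /var/log/messages
# Writes: iptables rule set, /proc/sys/net/ipv4/{ip_forward,tcp_syncookies},
#         /etc/hosts.deny
set -u

IPT="/sbin/iptables"
WAN="eth1"
LAN="eth0"
LOG_PREFIX="FW_SYN_WAN_log:"

# Print a diagnostic to stderr and abort.
die() {
  printf 'firewall: %s\n' "$*" >&2
  exit 1
}

# True when $1 looks like a dotted-quad IPv4 address. Used on every value that
# comes from outside the script (HTTP response body, log lines) before it is
# handed to iptables or written to hosts.deny.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

[ -x "$IPT" ] || die "$IPT is missing or not executable"

# Fetch the external address before touching the rule set, so a failed lookup
# leaves the existing firewall in place instead of a flushed one. The lookup
# is plain HTTP; the value is only used as a match target, but it is still
# checked for shape so an unexpected body cannot become an iptables argument.
IPEXT=$(wget -qO - http://ipinfo.io/ip) || die "could not fetch external IP"
is_ipv4 "$IPEXT" || die "unexpected external IP value: $IPEXT"

# Clean iptables rules. --flush removes rules but does not reset chain
# policies, so unmatched INPUT traffic still follows whatever policy was set
# before this script ran.
"$IPT" --flush
"$IPT" --delete-chain
"$IPT" -t nat -F
"$IPT" -t mangle -F

# INPUT rules
"$IPT" -A INPUT -i "$WAN" -p tcp -m state --state INVALID -j DROP
"$IPT" -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
"$IPT" -A INPUT -i "$WAN" -p udp -m udp -s 0/0 -d "$IPEXT" --sport 53 --dport 1024:65535 -j ACCEPT
"$IPT" -A INPUT -i "$WAN" -p tcp -m tcp -s 0/0 -d "$IPEXT" --sport 80:443 --dport 1024:65535 -j ACCEPT
"$IPT" -A INPUT -i "$LAN" -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
# Rate-limited log of new WAN connections; the prefix is what the hosts.deny
# step below greps for. (The original wrote "--j", a misspelling of -j.)
"$IPT" -A INPUT -i "$WAN" -m conntrack --ctstate NEW -m limit --limit 1/m -j LOG --log-prefix "$LOG_PREFIX"
"$IPT" -A INPUT -p tcp -m tcp --syn -j DROP
"$IPT" -A INPUT -p udp -m udp --dport 0:1024 -j DROP

# NOTE(review): forwarding is disabled here, so the MASQUERADE rule below only
# takes effect if forwarding is enabled somewhere else -- confirm intent.
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# NAT rules
"$IPT" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
"$IPT" -t nat -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

# Mangle rules
"$IPT" -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o "$WAN" -j TCPMSS --set-mss 1492
"$IPT" -t mangle -I PREROUTING -p tcp --tcp-flags ACK,FIN,SYN SYN -i "$WAN" -j TCPMSS --set-mss 1492

# Auto-add deny.hosts: take the SRC= field of the last logged WAN hits.
# Field 5 of an '='-split kernel log line is "<src-ip> DST" when the MAC=
# field is present, which is what the original extraction relied on.
# Each address is shape-checked and only appended once, so repeated runs do
# not fill /etc/hosts.deny with duplicates. No scratch file is left in the
# working directory (the original wrote ./lista1).
tail -n 12 /var/log/messages \
  | grep -- "$LOG_PREFIX" \
  | cut -d '=' -f5 \
  | cut -d ' ' -f1 \
  | while IFS= read -r src; do
      is_ipv4 "$src" || continue
      grep -qF -- "ALL: $src" /etc/hosts.deny 2>/dev/null \
        || printf 'ALL: %s\n' "$src" >> /etc/hosts.deny
    done

echo "%#%Firewall Netfilter Iptables Upstart%#%"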



















#Add rules to suit your needs.








