
IPtables

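#!/bin/sh
# —————————————————
# Copyright (C) 2005
# Last modified by Dani 'Abah' Hadimukti : 09-05-2005
# This firewall configuration is suitable for Router.
# —————————————————
# NOTE(review): the ruleset in this script is stateless (no -m state / -m conntrack
# anywhere); every service is admitted by source/destination port pairs alone.
# See the per-section notes below for what that implies.
IPTABLES="/sbin/iptables"

# System components defined as variables to ease maintenance.
# (The pasted listing had its double quotes mangled into ” and ?; restored to
# plain ASCII quotes so the values are what the rules actually need.)
# —————————————————————————–
LOOPBACK_INTERFACE="lo"               # Loopback interface
CLASS_D_MULTICAST="224.0.0.0/4"       # Class D multicast addr
CLASS_E_RESERVED_NET="240.0.0.0/5"    # Class E reserved addr
OSPF_MCAST="224.0.0.5"                # OSPF AllSPFRouters
OSPFD_MCAST="224.0.0.6"               # OSPF AllDRouters
BROADCAST_SRC="0.0.0.0"               # Broadcast source addr (line was garbled; name reconstructed from BROADCAST_DEST)
BROADCAST_DEST="255.255.255.255"      # Broadcast destination addr
PRIVPORTS="0:1023"                    # Privileged port range
UNPRIVPORTS="1024:"                   # Unprivileged port range
SSH_LOCAL_PORTS="1022:65535"          # Port range for local SSH clients
SSH_REMOTE_PORTS="513:65535"          # Port range for remote SSH clients
TRACEROUTE_SRC_PORTS="32769:65535"    # Source port range for traceroute
TRACEROUTE_DEST_PORTS="33434:33523"   # Destination port range for traceroute
# NOTE(review): CLASS_D_MULTICAST, CLASS_E_RESERVED_NET, OSPF_MCAST, OSPFD_MCAST,
# BROADCAST_SRC, BROADCAST_DEST, PRIVPORTS, SSH_LOCAL_PORTS and SSH_REMOTE_PORTS
# are never referenced by the rules below; the spoofed-source / multicast DROP
# rules they are normally used for are not present in this script.
# —————————————————————————–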

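# Firewalls.... begins here!

# Reset: open the default policies, flush every rule in the filter table and
# delete any leftover user-defined chains, so nothing from a previous load
# survives.  Only the filter table is touched; nat/mangle are left alone.
"$IPTABLES" -P INPUT ACCEPT
"$IPTABLES" -P FORWARD ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -F
"$IPTABLES" -X

# Default policy: DROP whatever no rule below accepts.
# NOTE(review): the script has no error handling, so if a later rule fails to
# load (e.g. a missing match module) execution continues with these DROP
# policies and a partial ruleset.  OUTPUT DROP also means the router itself can
# only speak on the ports enumerated below.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P OUTPUT DROP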

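# Specific firewall rules
# "Furtive port scanner": packets carrying only RST, rate-limited to 1/s.
# NOTE(review): none of the -m limit rules in this section limits anything by
# itself: a packet over the limit does not match here and simply falls through
# to the per-service ACCEPT rules further down, which take it anyway.  A DROP
# rule immediately after each limit rule would be required for the limit to
# bite (and 1/s for SYNs would then be far too low for a router).
"$IPTABLES" -A INPUT   -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Limit packet flooding: new TCP connections (SYN) at 1/s.
"$IPTABLES" -A INPUT   -p tcp --syn -m limit --limit 1/s -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --syn -m limit --limit 1/s -j ACCEPT
# "Ping of Death": drop ICMP packets of 512 bytes or more.
"$IPTABLES" -A INPUT   -p icmp -m length --length 512: -j DROP
"$IPTABLES" -A FORWARD -p icmp -m length --length 512: -j DROP
"$IPTABLES" -A OUTPUT  -p icmp -m length --length 512: -j DROP

# ICMP echo requests at 1/s.  The unconditional "-p icmp -j ACCEPT" rules later
# in the script accept the excess, so this is informational only.
"$IPTABLES" -A INPUT   -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
"$IPTABLES" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
"$IPTABLES" -A OUTPUT  -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT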

# Unlimited traffic on the loopback interface.
# NOTE(review): these come after the ICMP rules above, so ICMP of 512 bytes or
# more on lo has already been dropped before reaching here.  Loopback accepts
# are normally the very first rule of INPUT and OUTPUT.
$IPTABLES -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

# OSPF (IP protocol 89), accepted on every interface from any neighbour.
$IPTABLES -A INPUT -p ospf -j ACCEPT
$IPTABLES -A FORWARD -p ospf -j ACCEPT
$IPTABLES -A OUTPUT -p ospf -j ACCEPT

# GRE Tunneling (disabled)
#$IPTABLES -A INPUT -p GRE -j ACCEPT
#$IPTABLES -A FORWARD -p GRE -j ACCEPT
#$IPTABLES -A OUTPUT -p GRE -j ACCEPT

# ICMP: every ICMP type, in all three chains.
# NOTE(review): this makes the echo-request rate limit above ineffective and
# also admits types such as redirect; a per-type allow list (echo-request,
# echo-reply, destination-unreachable, time-exceeded) is the usual tightening.
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A FORWARD -p icmp -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -j ACCEPT

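# TRACEROUTE (-S 32769:65535 -D 33434:33523)
# NOTE(review): from here on every rule is a stateless port-pair match.  Nothing
# ties a packet to a connection, so a rule such as
# "INPUT --sport 2600:2605 --dport 1024:" accepts any packet whose sender
# chose a source port in that range, whatever local port it is aimed at.  The
# usual remedy is an early "-m state --state ESTABLISHED,RELATED -j ACCEPT" in
# each chain, with the inbound request rules restricted to "--syn".
"$IPTABLES" -A INPUT   -p udp --sport "$TRACEROUTE_SRC_PORTS" --dport "$TRACEROUTE_DEST_PORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p udp --sport "$TRACEROUTE_SRC_PORTS" --dport "$TRACEROUTE_DEST_PORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p udp --sport "$TRACEROUTE_SRC_PORTS" --dport "$TRACEROUTE_DEST_PORTS" -j ACCEPT

# Dynamic Routing (2600-2605) — presumably the Zebra/Quagga vty ports.
# Server side: requests in to the daemons, replies out.
# NOTE(review): these are management (login) ports; accepting them from any
# source exposes the routing daemons' consoles.  Restrict with -s where possible.
"$IPTABLES" -A INPUT   -p tcp --sport "$UNPRIVPORTS" --dport 2600:2605 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport "$UNPRIVPORTS" --dport 2600:2605 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport 2600:2605 --dport "$UNPRIVPORTS" -j ACCEPT
# Client side: replies in from remote daemons, requests out.
"$IPTABLES" -A INPUT   -p tcp --sport 2600:2605 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport 2600:2605 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport "$UNPRIVPORTS" --dport 2600:2605 -j ACCEPT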

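# HTTP (80)
# Server side: requests in to a local/forwarded web server, replies out.
"$IPTABLES" -A INPUT   -p tcp --sport "$UNPRIVPORTS" --dport 80 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport "$UNPRIVPORTS" --dport 80 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport 80 --dport "$UNPRIVPORTS" -j ACCEPT
# Client side: replies in, requests out.
# NOTE(review): with no state match, the INPUT rule accepts any packet with
# source port 80 to any unprivileged local port, not just replies.
"$IPTABLES" -A INPUT   -p tcp --sport 80 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport 80 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport "$UNPRIVPORTS" --dport 80 -j ACCEPT

# WebCache (8080)
# Server side: requests in to the proxy, replies out.
"$IPTABLES" -A INPUT   -p tcp --sport "$UNPRIVPORTS" --dport 8080 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport "$UNPRIVPORTS" --dport 8080 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport 8080 --dport "$UNPRIVPORTS" -j ACCEPT
# Client side: replies in, requests out.
"$IPTABLES" -A INPUT   -p tcp --sport 8080 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport 8080 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport "$UNPRIVPORTS" --dport 8080 -j ACCEPT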

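# DNS: full server (53)
# UDP queries in to the local server, answers out.
"$IPTABLES" -A INPUT   -p udp --sport "$UNPRIVPORTS" --dport 53 -j ACCEPT
"$IPTABLES" -A FORWARD -p udp --sport "$UNPRIVPORTS" --dport 53 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p udp --sport 53 --dport "$UNPRIVPORTS" -j ACCEPT
# Server-to-server UDP traffic (both ends on port 53).
"$IPTABLES" -A INPUT   -p udp --sport 53 --dport 53 -j ACCEPT
"$IPTABLES" -A FORWARD -p udp --sport 53 --dport 53 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p udp --sport 53 --dport 53 -j ACCEPT

# DNS client (53)
# UDP answers in to local resolvers, queries out.
"$IPTABLES" -A INPUT   -p udp --sport 53 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p udp --sport 53 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p udp --sport "$UNPRIVPORTS" --dport 53 -j ACCEPT
# TCP answers in, queries out (large responses fall back to TCP).
"$IPTABLES" -A INPUT   -p tcp --sport 53 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport 53 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport "$UNPRIVPORTS" --dport 53 -j ACCEPT

# DNS Zone Transfers (53): TCP requests in to the local server, data out.
# NOTE(review): accepted from any source.  Zone transfers are normally limited
# to the configured secondaries (-s here, plus allow-transfer in the server).
"$IPTABLES" -A INPUT   -p tcp --sport "$UNPRIVPORTS" --dport 53 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport "$UNPRIVPORTS" --dport 53 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport 53 --dport "$UNPRIVPORTS" -j ACCEPT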

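# HTTPS (443)
# Server side: requests in, replies out.
"$IPTABLES" -A INPUT   -p tcp --sport "$UNPRIVPORTS" --dport 443 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport "$UNPRIVPORTS" --dport 443 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport 443 --dport "$UNPRIVPORTS" -j ACCEPT
# Client side: replies in, requests out.
"$IPTABLES" -A INPUT   -p tcp --sport 443 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport 443 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport "$UNPRIVPORTS" --dport 443 -j ACCEPT

# Mikrotik (3987)
# NOTE(review): 3987 and 8291 (Winbox) below are MikroTik management ports,
# accepted here from any source in all three chains; limit them with -s to
# the management network.
# Server side: requests in, replies out.
"$IPTABLES" -A INPUT   -p tcp --sport "$UNPRIVPORTS" --dport 3987 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport "$UNPRIVPORTS" --dport 3987 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport 3987 --dport "$UNPRIVPORTS" -j ACCEPT
# Client side: replies in, requests out.
"$IPTABLES" -A INPUT   -p tcp --sport 3987 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport 3987 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport "$UNPRIVPORTS" --dport 3987 -j ACCEPT

# Mikrotik Winbox (8291)
# Server side: requests in, replies out.
"$IPTABLES" -A INPUT   -p tcp --sport "$UNPRIVPORTS" --dport 8291 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport "$UNPRIVPORTS" --dport 8291 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport 8291 --dport "$UNPRIVPORTS" -j ACCEPT
# Client side: replies in, requests out.
"$IPTABLES" -A INPUT   -p tcp --sport 8291 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport 8291 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport "$UNPRIVPORTS" --dport 8291 -j ACCEPT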

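# SSH (22)
# Server side: requests in, replies out.  (SSH_LOCAL_PORTS / SSH_REMOTE_PORTS
# from the header are not used; the generic unprivileged range is.)
"$IPTABLES" -A INPUT   -p tcp --sport "$UNPRIVPORTS" --dport 22 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport "$UNPRIVPORTS" --dport 22 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport 22 --dport "$UNPRIVPORTS" -j ACCEPT
# Client side: replies in, requests out.
"$IPTABLES" -A INPUT   -p tcp --sport 22 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport 22 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport "$UNPRIVPORTS" --dport 22 -j ACCEPT

# FTP (20-21)
# Server side: control/data requests in, replies out.
# FIX(review): the original rules used "--dport 20:1024", which opened every
# TCP port from 20 to 1024 on INPUT/FORWARD, not just FTP; the range now
# matches the section heading and the reply rules below.  Passive-mode data
# connections (unprivileged ports at both ends) are not matched by any rule.
"$IPTABLES" -A INPUT   -p tcp --sport "$UNPRIVPORTS" --dport 20:21 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport "$UNPRIVPORTS" --dport 20:21 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport 20:21 --dport "$UNPRIVPORTS" -j ACCEPT
# Client side: replies (and active-mode data from port 20) in, requests out.
"$IPTABLES" -A INPUT   -p tcp --sport 20:21 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport 20:21 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport "$UNPRIVPORTS" --dport 20:21 -j ACCEPT

# POP3 (110)
# Server side: requests in, replies out.
"$IPTABLES" -A INPUT   -p tcp --sport "$UNPRIVPORTS" --dport 110 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport "$UNPRIVPORTS" --dport 110 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport 110 --dport "$UNPRIVPORTS" -j ACCEPT
# Client side: replies in, requests out.
"$IPTABLES" -A INPUT   -p tcp --sport 110 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport 110 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport "$UNPRIVPORTS" --dport 110 -j ACCEPT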

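# Instant Messenger (5050)
# Server side: requests in, replies out.
"$IPTABLES" -A INPUT   -p tcp --sport "$UNPRIVPORTS" --dport 5050 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport "$UNPRIVPORTS" --dport 5050 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport 5050 --dport "$UNPRIVPORTS" -j ACCEPT
# Client side: replies in, requests out.
"$IPTABLES" -A INPUT   -p tcp --sport 5050 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport 5050 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport "$UNPRIVPORTS" --dport 5050 -j ACCEPT

# VoIP (5060) — SIP signalling over UDP; media (RTP) ports are not covered here.
# Server side: requests in, replies out.
"$IPTABLES" -A INPUT   -p udp --sport "$UNPRIVPORTS" --dport 5060 -j ACCEPT
"$IPTABLES" -A FORWARD -p udp --sport "$UNPRIVPORTS" --dport 5060 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p udp --sport 5060 --dport "$UNPRIVPORTS" -j ACCEPT
# Client side: replies in, requests out.
"$IPTABLES" -A INPUT   -p udp --sport 5060 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p udp --sport 5060 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p udp --sport "$UNPRIVPORTS" --dport 5060 -j ACCEPT

# SNMP (161)
# Queries in to the router / forwarded agents, responses out.
# NOTE(review): SNMP queries to the router are accepted from any source; this
# is a management protocol and is normally restricted with -s to the monitoring
# hosts.
"$IPTABLES" -A INPUT   -p udp --sport "$UNPRIVPORTS" --dport 161 -j ACCEPT
"$IPTABLES" -A FORWARD -p udp --sport "$UNPRIVPORTS" --dport 161 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p udp --sport 161 --dport "$UNPRIVPORTS" -j ACCEPT
# Responses back to a manager: only the forwarded case is enabled; the INPUT
# rule is left disabled as in the original, so an SNMP manager on the router
# itself would not receive replies.
#"$IPTABLES" -A INPUT   -p udp --sport 161 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p udp --sport 161 --dport "$UNPRIVPORTS" -j ACCEPT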
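# IMAP over SSL (993)
# Server side: requests in, replies out.
"$IPTABLES" -A INPUT   -p tcp --sport "$UNPRIVPORTS" --dport 993 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport "$UNPRIVPORTS" --dport 993 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport 993 --dport "$UNPRIVPORTS" -j ACCEPT
# Client side: replies in, requests out.
"$IPTABLES" -A INPUT   -p tcp --sport 993 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport 993 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport "$UNPRIVPORTS" --dport 993 -j ACCEPT

# IMAP (143)
# Server side: requests in, replies out.
"$IPTABLES" -A INPUT   -p tcp --sport "$UNPRIVPORTS" --dport 143 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport "$UNPRIVPORTS" --dport 143 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport 143 --dport "$UNPRIVPORTS" -j ACCEPT
# Client side: replies in, requests out.
"$IPTABLES" -A INPUT   -p tcp --sport 143 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport 143 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport "$UNPRIVPORTS" --dport 143 -j ACCEPT

# QMQP (628)
# Server side: requests in, replies out.
"$IPTABLES" -A INPUT   -p tcp --sport "$UNPRIVPORTS" --dport 628 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport "$UNPRIVPORTS" --dport 628 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport 628 --dport "$UNPRIVPORTS" -j ACCEPT
# Client side: replies in, requests out.
"$IPTABLES" -A INPUT   -p tcp --sport 628 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport 628 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport "$UNPRIVPORTS" --dport 628 -j ACCEPT

# SMTP (25)
# Server side: requests in, replies out.
"$IPTABLES" -A INPUT   -p tcp --sport "$UNPRIVPORTS" --dport 25 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport "$UNPRIVPORTS" --dport 25 -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport 25 --dport "$UNPRIVPORTS" -j ACCEPT
# Client side: replies in, requests out.
"$IPTABLES" -A INPUT   -p tcp --sport 25 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --sport 25 --dport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT  -p tcp --sport "$UNPRIVPORTS" --dport 25 -j ACCEPT

# The original listing repeated the IMAP (143), QMQP (628) and SMTP (25)
# sections verbatim a second time.  Identical rules appended later can never
# match (the first copy already accepts the packet), so the duplicates were
# dropped; the accepted traffic is unchanged.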
