Firewall script

Discussion in 'Server Operation' started by ColdDoT, May 8, 2006.

  1. ColdDoT

    ColdDoT Member

    Hello

    At last I have found a nice firewall script.
    After customizing it, it will not work for everything. It only works for SSH (pff, and I'm happy that that isn't blocked) and FTP (so far I have tested it).

    This is my script:
    Code:
    #!/bin/bash
    NAME="firewall"
    IPTABLES="/sbin/iptables"
    case "$1" in
    start)
    echo -n "Starting firewall.."
    #Flush then restrict
    $IPTABLES -F
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    
    # For ping and traceroute
    $IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 30 -j ACCEPT
    
    # For traceroute
    $IPTABLES -A INPUT -i eth0 -p udp --source-port 32769:65535 \
    --destination-port 33434:33523 -j ACCEPT
    
    $IPTABLES -A OUTPUT -p udp --source-port 32769:65535 \
    --destination-port 33434:33523 -j ACCEPT
    
    $IPTABLES -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type 30 -j ACCEPT
    
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    $IPTABLES -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    
    ############################################################################################################
    #Custom ports from low to high
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ############################################################################################################
    #command              #Type                    #Port         #accept/deny      #Protocol
    $IPTABLES -A INPUT -p tcp --destination-port   20:21 -j      ACCEPT            # FTP
    $IPTABLES -A INPUT -p tcp --destination-port   22 -j         ACCEPT            # SSH
    $IPTABLES -A INPUT -p tcp --destination-port   25 -j         ACCEPT            # SMTP
    $IPTABLES -A INPUT -p tcp --destination-port   53 -j         ACCEPT            # DNS
    $IPTABLES -A INPUT -p udp --destination-port   53 -j         ACCEPT            # DNS
    $IPTABLES -A INPUT -p tcp --destination-port   143 -j        ACCEPT            # IMAP
    $IPTABLES -A INPUT -p tcp --destination-port   443 -j        ACCEPT            # HTTPS
    $IPTABLES -A INPUT -p tcp --destination-port   666 -j        ACCEPT            # HTTPS monit
    $IPTABLES -A INPUT -p udp --destination-port   666 -j        ACCEPT            # TeamSpeak cold server
    $IPTABLES -A INPUT -p udp --destination-port   7777 -j       ACCEPT            # Tactical Ops server
    $IPTABLES -A INPUT -p udp --destination-port   7778 -j       ACCEPT            # Tactical Ops server query
    $IPTABLES -A INPUT -p udp --destination-port   32768 -j      ACCEPT            # DNS
    $IPTABLES -A INPUT -p tcp --dport auth -j                    REJECT            # Reject auth/ident (113)
    ############################################################################################################
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ############################################################################################################
    #command               #Type                    #Port         #accept/deny      #Protocol
    $IPTABLES -A OUTPUT -p tcp --destination-port   20:21 -j      ACCEPT            # FTP
    $IPTABLES -A OUTPUT -p tcp --destination-port   25 -j         ACCEPT            # SMTP
    $IPTABLES -A OUTPUT -p tcp --destination-port   80 -j         ACCEPT            # HTTP
    $IPTABLES -A OUTPUT -p tcp --destination-port   110 -j        ACCEPT            # POP
    $IPTABLES -A OUTPUT -p tcp --destination-port   143 -j        ACCEPT            # IMAP
    $IPTABLES -A OUTPUT -p tcp --destination-port   666 -j        ACCEPT            # HTTPS monit
    $IPTABLES -A OUTPUT -p udp --destination-port   666 -j        ACCEPT            # TeamSpeak cold server
    $IPTABLES -A OUTPUT -p tcp --destination-port   993 -j        ACCEPT            # SIMAP
    $IPTABLES -A OUTPUT -p tcp --destination-port   995 -j        ACCEPT            # SPOP
    $IPTABLES -A OUTPUT -p udp --destination-port   7777 -j       ACCEPT            # Tactical Ops server
    $IPTABLES -A OUTPUT -p udp --destination-port   7778 -j       ACCEPT            # Tactical Ops server query
    $IPTABLES -A OUTPUT -p tcp --destination-port   8090 -j       ACCEPT            # FrontPage extension
    $IPTABLES -A OUTPUT -p tcp --destination-port   14534 -j      ACCEPT            # TeamSpeak admin page
    ############################################################################################################
    #End custom ports
    ############################################################################################################
    $IPTABLES -A INPUT -p tcp --dport auth -j REJECT # Reject auth/ident (113)
    $IPTABLES -A INPUT -p tcp -i lo -d 0/0 -j ACCEPT
    echo "..done"
    ;;
    stop)
    echo -n "Stopping firewall.."
    $IPTABLES -F
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    echo "done"
    ;;
    *)
    echo "Usage: $NAME {start|stop}"
    exit 1
    ;;
    esac 
    
    I run this script with this command after chmod 755:
    /etc/init.d/firewall start ; sleep 30 ; /etc/init.d/firewall stop(just in case)

    Does anyone know what's wrong with it?
    I can't access my site with the firewall on
    www.colddot.nl
    or any of my client sites.

    Greets, Kevin Valk
     
  2. falko

    falko Super Moderator Howtoforge Staff

    I can't find
    Code:
    $IPTABLES -A INPUT -p tcp --destination-port   80 -j        ACCEPT
    in that script...
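A small check added here as an example (not from the thread or either poster) that catches exactly this kind of omission before the firewall is switched on: it reads a rule listing in `iptables -S <chain>` format and reports which ports on a chain have no ACCEPT rule. The RULES text is a constructed sample mirroring the INPUT rules of the script above, where port 80 is indeed absent.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that ACCEPT rules
# exist for the ports a server needs, using the `iptables -S CHAIN` listing
# format. RULES is a constructed sample; on a live host you would use
#   RULES=$(iptables -S INPUT)
RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable'

# port_accepted CHAIN PROTO PORT: exit 0 if some ACCEPT rule in CHAIN for
# PROTO covers PORT (a single port or a low:high range), 1 otherwise.
port_accepted() {
    chain=$1 proto=$2 port=$3
    printf '%s\n' "$RULES" | awk -v c="$chain" -v p="$proto" -v n="$port" '
        $1 == "-A" && $2 == c {
            proto = ""; dport = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i+1)
                if ($i == "--dport" || $i == "--destination-port") dport = $(i+1)
                if ($i == "-j") target = $(i+1)
            }
            if (target != "ACCEPT" || proto != p || dport == "") next
            split(dport, r, ":")
            lo = r[1]; hi = (r[2] == "" ? r[1] : r[2])
            if (n + 0 >= lo + 0 && n + 0 <= hi + 0) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# check_ports CHAIN PROTO PORT...: print every port that is NOT accepted;
# returns 0 only when all of them are.
check_ports() {
    chain=$1 proto=$2; shift 2
    missing=0
    for port in "$@"; do
        if ! port_accepted "$chain" "$proto" "$port"; then
            echo "missing: $chain $proto dport $port has no ACCEPT rule"
            missing=1
        fi
    done
    return $missing
}

check_ports INPUT tcp 21 22 80 443   # reports port 80 as missing
```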
     
