
IrisT firewall ver 2 nè

#!/bin/sh
#
# ---------------------------------
# IrIsT FireWall Ver 2.0
# Licence : Linux
# ---------------------------------
#
# Title   : IrIsT Linux FireWall Ver 2.0 
# Code    : Bash 
# Author  : Sajjad13and11
# Date    : 2013 16 May
# Home    : IrIsT Security Center
#
# Gr33tz  : Am!r | C0dex | B3HZ4D | TaK.FaNaR | 0x0ptim0us | Net.W0lf | 
# Gr33tz  : Skote_Vahshat| Dj.TiniVini| Mr.XHat | Black King |
# Gr33tz  : E2MAEN | Mr.F@RDIN | M4st3r4N0nY | ICA_r00t | m3hdi |
# Gr33tz  : x3o-1337 | rEd X | No PM  | Gabby | Sukhoi Su-37
# Gr33tz  : ARTA | H-SK33PY | (^_^) | Turk Sever | Dr Koderz |
# Gr33tz  : Joker_s | Mr Zero | Smart Programmer | And All Of IrIsT Memebrz
#------------------------------------------------------------------------------------------#

clear

# Banner: identifies the build and tells the operator where the
# pre-IFW ruleset is backed up before any rule is touched.  The text is
# emitted verbatim (trailing spaces in the logo are part of the original).
cat <<'EOF'
   ###   ####### #     #  
    #    #       #  #  #  
    #    #       #  #  #  
    #    #####   #  #  #  
    #    #       #  #  #  
    #    #       #  #  #  
   ###   #        ## ##   


*****************************************************
* IFW Firewall Dedicated Version (2)                *
* Coded By Sajjad13and11                            *
* IrIsT.Ir && IrIsT.Ir/en                           *
* This script don't work on OpenVZ servers          *
* The default rules saved in /root/iptables.def     *
*****************************************************
EOF

# Give the operator a moment to read the banner before rules change.
sleep 3

#
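# Refuse to run unprivileged: every later step writes to /proc/sys and to
# the netfilter tables, and would otherwise fail one command at a time
# while still printing "You are safe now".
if [ "$(id -u)" -ne 0 ]; then
    echo "[!] IFW must be run as root" >&2
    exit 1
fi

# Keep a copy of the ruleset that was active before IFW touched anything,
# restorable with `iptables-restore < /root/iptables.def`.  On a re-run the
# existing file is the genuine pre-IFW baseline and is preserved rather than
# overwritten with the previous IFW ruleset; delete it to take a fresh one.
if [ -e /root/iptables.def ]; then
    echo "[*] /root/iptables.def already exists; keeping it as the baseline"
else
    iptables-save > /root/iptables.def
fi

# Tool paths and port ranges.  MODPROBE, RMMOD, ARP, PHIGH and PSSH are not
# referenced anywhere in this script; they are kept only so that external
# snippets expecting them keep working.
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
ARP="/usr/sbin/arp"
# Rate limit applied to every LOG rule so a flood cannot fill the log.
# Expanded unquoted on purpose: it becomes several iptables arguments.
IRISTlim="-m limit --limit 2/s --limit-burst 8"
# LOG target options shared by the logging chains (also unquoted on use).
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options --log-ip-options"
PHIGH="1024:65535"
PSSH="1000:1023"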

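# Kernel-level hardening.  These /proc writes are not persistent: put the
# same keys in /etc/sysctl.conf (or sysctl.d) to survive a reboot.

# This host is not a router; forwarding stays off.  (Writing 1 and then 0,
# as an earlier revision did, only opened a brief forwarding window.)
echo 0 > /proc/sys/net/ipv4/ip_forward

# SYN cookies let the host keep accepting legitimate connections while its
# listen backlog is full of half-open SYNs; this is the real defence against
# spoofed-source SYN floods, which per-source rate limits cannot see.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Do not answer pings sent to a broadcast address (smurf amplification).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# set_all_ifaces KEY VALUE -- write VALUE to conf/<iface>/KEY for every
# interface, including 'all' and 'default' so later interfaces inherit it.
set_all_ifaces() {
    for f in /proc/sys/net/ipv4/conf/*/"$1"; do
        [ -e "$f" ] && echo "$2" > "$f"
    done
}
set_all_ifaces bootp_relay 0
set_all_ifaces proxy_arp 0
set_all_ifaces accept_source_route 0   # refuse source-routed packets
set_all_ifaces accept_redirects 0      # ignore ICMP redirects (route hijacking)
set_all_ifaces send_redirects 0        # and never emit them
# Reverse-path filtering drops packets whose source address is not routable
# back through the interface they arrived on (address spoofing).  Strict
# mode (1) assumes symmetric routing; use 2 (loose) on multi-homed hosts.
set_all_ifaces rp_filter 1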
#
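# Default-deny on every filter chain *before* flushing, so the host is never
# wide open between "old rules removed" and "new rules loaded".  Loopback
# and established/related traffic are accepted by rules added below; TCP
# retransmission normally carries the administrator's current session over
# the short gap.
#
# NOTE(review): only IPv4 is configured by this script.  ip6tables is left
# untouched, so on a host with a global IPv6 address every service stays
# reachable over IPv6 with no filtering at all.  Mirror at least the
# default-deny policies (and an ICMPv6 allowance) with ip6tables.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
for chain in PREROUTING OUTPUT POSTROUTING; do
    iptables -t nat -P "$chain" ACCEPT
done
for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
    iptables -t mangle -P "$chain" ACCEPT
done

# Flush rules, delete user-defined chains and zero counters in every table.
# Chains are deleted in nat and mangle too, so leftovers from another tool
# (or a previous IFW run) do not survive alongside the new ruleset.
for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
    iptables -t "$table" -Z
done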
#
# Logging targets.  Each chain logs the packet (throttled by IRISTlim so a
# flood cannot fill the log) and then applies its verdict.  Only IRISTdr is
# jumped to by the rest of this script; IRISTac and IRISTrej are created
# but never referenced.
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options --log-ip-options"

# log_chain CHAIN PREFIX -- create CHAIN whose first rule logs with PREFIX.
# $LOG and $IRISTlim are intentionally unquoted: each expands to several
# iptables arguments.
log_chain() {
    iptables -N "$1"
    iptables -A "$1" -j $LOG $IRISTlim --log-prefix "$2"
}

log_chain IRISTac "ACCEPT "
iptables -A IRISTac -j ACCEPT

log_chain IRISTdr "DROP "
iptables -A IRISTdr -j DROP

log_chain IRISTrej "REJECT "
iptables -A IRISTrej -p tcp -j REJECT --reject-with tcp-reset   # RST for TCP
iptables -A IRISTrej -j REJECT                                  # ICMP port-unreachable otherwise
#
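# Loopback is trusted unconditionally; local services (resolver, MTA
# submission over lo, etc.) depend on it.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Inbound ICMP policy, in one chain.  A single global rate limit on all
# inbound ICMP would also throttle the error messages TCP depends on, and
# an unconditional drop right after it would shadow every later ICMP rule;
# instead each message class is decided explicitly here.
iptables -N ICMP
# Error/control messages TCP relies on (e.g. fragmentation-needed, used by
# path-MTU discovery) are accepted without any rate limit.
iptables -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
# Replies to this host's own pings/traceroutes are tracked by conntrack.
iptables -A ICMP -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound ping is allowed but throttled so a ping flood is cheap to absorb.
iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT
# Everything else (redirects, timestamp/address-mask requests, excess echo
# requests) is logged and dropped.
iptables -A ICMP -j IRISTdr

# Fragmented ICMP has no legitimate use here and is a classic DoS/evasion
# vector; drop it in every direction before anything else sees it.
iptables -A INPUT   -p icmp --fragment -j IRISTdr
iptables -A OUTPUT  -p icmp --fragment -j IRISTdr
iptables -A FORWARD -p icmp --fragment -j IRISTdr

iptables -A INPUT   -p icmp -j ICMP
iptables -A OUTPUT  -p icmp -j ACCEPT     # this host may send any ICMP
iptables -A FORWARD -p icmp -j IRISTdr    # not a router: never forward ICMP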
#
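# Connection tracking.
# Inbound: replies to connections this host opened, plus related traffic
# (e.g. FTP data via the conntrack helper).  New inbound connections must
# match a per-service rule further down or hit the INPUT DROP policy.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Outbound: likewise only established/related here.  NEW outbound
# connections fall through to the egress rules further down (DNS, HTTP(S),
# FTP, NTP, and the owner-restricted SMTP/submission rules).  Accepting NEW
# at this point would make every egress rule unreachable -- including the
# DROPs that stop non-mail users from talking to ports 25/465/587.
# Consequence: outbound connections to ports not listed in the egress
# section (SSH, rsync, ...) are dropped; add a rule there for any backup or
# monitoring agent this host runs.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Packets conntrack cannot associate with any connection are dropped in
# every chain.
for chain in INPUT OUTPUT FORWARD; do
    iptables -A "$chain" -m state --state INVALID -j DROP
done

# Impossible TCP flag combinations used by XMAS and NULL scans.
iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL  -j DROP
iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP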
#
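# SYN rate limiting, accounted per source address.  A single host-wide
# limit of a few SYNs per second throttles *all* new TCP connections, so a
# handful of browsers opening parallel connections is enough to get
# legitimate SYNs dropped.  Per-source accounting (xt_hashlimit, standard
# in distribution kernels) keeps one abusive client from affecting the
# rest; the thresholds below are a starting point -- raise them for busy
# services.  A spoofed-source flood defeats any per-source limit; that case
# is covered by tcp_syncookies, not by this chain.
iptables -N SYN_FLOOD
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
iptables -A SYN_FLOOD -m hashlimit --hashlimit-name syn_flood \
    --hashlimit-mode srcip --hashlimit-upto 25/s --hashlimit-burst 50 \
    -j RETURN
iptables -A SYN_FLOOD -j DROP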
#
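# Anti-spoofing: drop inbound packets whose source address cannot
# legitimately arrive from the Internet.  Only IANA special-purpose and
# reserved ranges are listed (RFC 1918 private space, "this" network,
# shared address space, loopback, link-local, documentation and
# benchmarking nets, multicast and class E).  Loopback can be listed safely
# because the `-i lo` ACCEPT rule earlier in the ruleset has already
# matched genuine loopback traffic.
#
# Static "bogon" lists of unallocated /8s rot quickly: blocks that were
# unassigned a decade ago (2/8, 5/8, 23/8, 96.0.0.0/4, 176.0.0.0/5, ...) now
# belong to large ISPs, and dropping them silently cuts off much of the
# Internet.  If real bogon filtering is wanted, feed a maintained feed
# (e.g. Team Cymru's) into an ipset instead of hard-coding prefixes here.
#
# NOTE(review): if this host is administered from a private LAN (10/8,
# 172.16/12, 192.168/16) that path is cut by these rules; scope them with
# `-i <public-interface>` in that case.
for net in \
    0.0.0.0/8 \
    10.0.0.0/8 \
    100.64.0.0/10 \
    127.0.0.0/8 \
    169.254.0.0/16 \
    172.16.0.0/12 \
    192.0.0.0/24 \
    192.0.2.0/24 \
    192.168.0.0/16 \
    198.18.0.0/15 \
    198.51.100.0/24 \
    203.0.113.0/24 \
    224.0.0.0/4 \
    240.0.0.0/4
do
    iptables -A INPUT -s "$net" -j DROP
done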
#
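# Inbound services: NEW connections arriving on any non-loopback interface.
# Anything not listed falls through to the INPUT DROP policy.
#
# `! -i lo` is the extrapositioned negation syntax; the older `-i ! lo`
# form has been deprecated since iptables 1.4.3 and is only accepted with
# a warning, if at all, by current builds.
#
# SSH must be listed: with INPUT defaulting to DROP and no other rule
# accepting new connections to the SSH port, the administrator is locked
# out as soon as the current session ends.  Override the port with
# SSH_PORT=... in the environment, and strongly consider narrowing this
# rule with `-s <management-range>`.
ssh_port=${SSH_PORT:-22}
iptables -A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport "$ssh_port" -j ACCEPT

# ftp-data, ftp, smtp, dns, http, pop3, imap, https, smtps, submission,
# imaps, pop3s, and the passive-FTP data range.
for port in 20 21 25 53 80 110 143 443 465 587 993 995 30000:50000; do
    iptables -A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
done
# DNS over UDP.  (FTP is TCP-only, so UDP 20/21 are deliberately not opened.)
iptables -A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT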
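# Egress policy for outbound connections on non-loopback interfaces.
# These rules are only reached if the earlier OUTPUT conntrack rule does
# not already accept NEW connections; if it does, every line in this
# section is dead and the SMTP owner restriction below protects nothing --
# check that rule when auditing this script.
#
# DNS: queries from this host, and answers from a resolver/authoritative
# server running here (sport 53).
for proto in tcp udp; do
    iptables -A OUTPUT ! -o lo -p "$proto" -m "$proto" --dport 53 -j ACCEPT
    iptables -A OUTPUT ! -o lo -p "$proto" -m "$proto" --sport 53 -j ACCEPT
done

# Mail: only processes running as gid 'mail' or uid root may open outbound
# connections to submission/smtps/smtp.  A compromised web application
# (running as the web server user) therefore cannot spam directly and has
# to go through the local MTA, which is reachable over loopback.
# NOTE(review): Postfix and Exim usually run under their own user/group
# ('postfix', 'Debian-exim') rather than group 'mail' -- confirm the MTA's
# uid/gid on this host and add a matching ACCEPT, or the MTA's own
# deliveries are blocked here too.
for port in 587 465 25; do
    iptables -A OUTPUT -o lo -p tcp -m tcp --dport "$port" -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport "$port" -m owner --gid-owner mail -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport "$port" -m owner --uid-owner root -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport "$port" -j DROP
done

# Other outbound services: ftp-data, ftp, dns, http, pop3, ident and https
# over TCP; ftp-data, ftp, dns, ident and ntp over UDP.  TCP 25 is not
# repeated here because the mail rules above have already decided it.
for port in 20 21 53 80 110 113 443; do
    iptables -A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
done
for port in 20 21 53 113 123; do
    iptables -A OUTPUT ! -o lo -p udp -m state --state NEW -m udp --dport "$port" -j ACCEPT
done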
#
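# Persist the ruleset.  /etc/IFW.conf is always written and can be reloaded
# with `iptables-restore < /etc/IFW.conf`.  The "iptables" service
# (save/restart) exists on RHEL/CentOS-style systems only: elsewhere the
# rules stay active in the kernel but are NOT restored at boot unless
# IFW.conf is hooked into iptables-persistent or a boot script.
if ! iptables-save > /etc/IFW.conf; then
    echo "[!] could not write /etc/IFW.conf" >&2
fi
# The dump describes the host's whole network exposure; keep it root-only.
chmod 600 /etc/IFW.conf 2>/dev/null

# `service iptables save` fails with "unrecognized service" where the init
# script is absent; only restart (which reloads the saved file) when the
# save actually succeeded.
if service iptables save 2>/dev/null; then
    service iptables restart
else
    echo "[*] no 'iptables' service on this system; rules are active but not boot-persistent"
    echo "[*] reload them at boot with: iptables-restore < /etc/IFW.conf"
fi
echo "[*] IFW Firewall Is Running ... "
echo "[*] You are safe now . "

sleep 2

exit 0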





















