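#!/bin/sh
#
# ---------------------------------
# IrIsT FireWall Ver 2.0
# Licence : Linux
# ---------------------------------
#
# Title  : IrIsT Linux FireWall Ver 2.0
# Code   : Bash
# Author : Sajjad13and11
# Date   : 2013 16 May
# Home   : IrIsT Security Center
#
# Gr33tz : Am!r | C0dex | B3HZ4D | TaK.FaNaR | 0x0ptim0us | Net.W0lf |
# Gr33tz : Skote_Vahshat| Dj.TiniVini| Mr.XHat | Black King |
# Gr33tz : E2MAEN | Mr.F@RDIN | M4st3r4N0nY | ICA_r00t | m3hdi |
# Gr33tz : x3o-1337 | rEd X | No PM | Gabby | Sukhoi Su-37
# Gr33tz : ARTA | H-SK33PY | (^_^) | Turk Sever | Dr Koderz |
# Gr33tz : Joker_s | Mr Zero | Smart Programmer | And All Of IrIsT Memebrz
#------------------------------------------------------------------------------------------#
#
# Purpose: install a stateful iptables policy on a dedicated (non-OpenVZ) Linux server.
#   - default DROP on INPUT/FORWARD/OUTPUT; loopback and ESTABLISHED/RELATED traffic allowed
#   - inbound service ports opened explicitly (see "Inbound services")
#   - outbound traffic allowed, except SMTP/submission (25/465/587), which is restricted to
#     root and the mail group so scripts and shell users cannot speak SMTP directly
#   - inbound ICMP rate-limited, global SYN-rate limit, reserved/private source ranges dropped
# Must run as root. The ruleset in force is saved to /root/iptables.def before any change.
#
# Review notes on the original IrIsT 2.0 script, all addressed below:
#   * "-i ! lo" is the pre-1.4.3 negation syntax and is rejected by current iptables;
#     it is written "! -i lo" now.
#   * RELATED_ICMP was jumped to but never created, so that rule failed to install.
#   * Every OUTPUT rule after "--state NEW,ESTABLISHED,RELATED -j ACCEPT" was unreachable,
#     including the SMTP owner restriction, so that restriction never applied. The SMTP
#     rules now come first; the other per-port OUTPUT allows were dead and are removed.
#   * Every INPUT/OUTPUT ICMP rule after the first limit/ACCEPT + DROP pair was unreachable;
#     only the rules that actually took effect are kept. The unreferenced ICMP chain is gone.
#   * The "bogon" list was a stale snapshot: 5/8, 23/8, 27/8, 31/8, 36/7, 39/8, 42/8, 49/8,
#     50/8, 77/8, 78/7, 92/6, 96/4, 112/5, 120/8, 173/8, 174/7, 176/5, 184/6, 197/8 and
#     223/8 are allocated public address space today and would cut off much of the
#     Internet. Only private, link-local, documentation, benchmark, multicast and reserved
#     ranges remain; 0.0.0.0/7 is narrowed to 0.0.0.0/8 because 1.0.0.0/8 is public.
#   * No rule opened the SSH port, so with INPUT DROP every new SSH session was refused.
#     PSSH was defined but unused; it now drives the SSH allow -- set it to the real port.
#   * --log-tcp-sequence removed: the iptables man page flags logging TCP sequence numbers
#     as a risk when the log is readable by unprivileged users.
#   * Unused variables (MODPROBE, RMMOD, ARP, PHIGH), the duplicate LOG definition and the
#     "echo 1 > ip_forward" immediately overwritten by "echo 0" are removed.
#
set -u

# --- Configuration ---------------------------------------------------------------------
# Rate limit used by every logging chain so a flood cannot fill the log.
IRISTlim="-m limit --limit 2/s --limit-burst 8"
# LOG target options (see the note on --log-tcp-sequence above).
LOG="LOG --log-level debug --log-tcp-options --log-ip-options"
# Port or port range sshd listens on. NOTE(review): the original defined this value but
# never used it; 1000:1023 is kept as found -- confirm it matches sshd_config before running
# this on a remote host, otherwise new SSH sessions are dropped.
PSSH="1000:1023"
# Inbound TCP and UDP ports opened to the world (taken from the original rule list;
# 30000:50000 is presumably an FTP passive range -- confirm against the FTP daemon).
TCP_IN="20 21 25 53 80 110 143 443 465 587 993 995 30000:50000"
UDP_IN="20 21 53"
# Group whose members may send outbound SMTP (25/465/587) besides root. Set it to the group
# your MTA's delivery process runs as; leave it empty to disable the restriction.
# NOTE(review): these rules were unreachable in the original, so enforcing them is a change
# in effective behaviour -- check that mail still flows after deploying.
MAIL_GROUP="mail"
# Where the pre-change ruleset and the final ruleset are written.
BACKUP=/root/iptables.def
SAVED=/etc/IFW.conf

# --- Preconditions ---------------------------------------------------------------------
# The sysctl writes and iptables need root; fail before touching anything rather than
# leaving a half-applied policy.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s\n' "IFW: must be run as root" >&2
  exit 1
fi
if ! command -v iptables >/dev/null 2>&1; then
  printf '%s\n' "IFW: iptables not found in PATH" >&2
  exit 1
fi

clear
echo " ### ####### # # "
echo " # # # # # "
echo " # # # # # "
echo " # ##### # # # "
echo " # # # # # "
echo " # # # # # "
echo " ### # ## ## "
echo "*****************************************************"
echo "* IFW Firewall Dedicated Version (2) *"
echo "* Coded By Sajjad13and11 *"
echo "* IrIsT.Ir && IrIsT.Ir/en *"
echo "* This script don't work on OpenVZ servers *"
echo "* The default rules saved in /root/iptables.def *"
echo "*****************************************************"
sleep 3

# Keep the rules in force before anything changes; restore with
# "iptables-restore < /root/iptables.def" if the new policy misbehaves.
iptables-save > "$BACKUP" || printf '%s\n' "IFW: warning: could not write $BACKUP" >&2

# --- Kernel network hardening ----------------------------------------------------------
# A dedicated host does not route (the original wrote 1 and then 0; the net effect is 0).
echo 0 > /proc/sys/net/ipv4/ip_forward
# Per interface: no BOOTP relay, no proxy ARP, ignore source-routed packets and ICMP
# redirects, and never emit redirects ourselves.
for knob in bootp_relay proxy_arp accept_source_route accept_redirects send_redirects; do
  for f in /proc/sys/net/ipv4/conf/*/"$knob"; do
    [ -w "$f" ] || continue   # glob did not match (unusual kernel): skip, do not abort
    echo 0 > "$f"
  done
done

# --- Reset -----------------------------------------------------------------------------
# Default policies go to DROP *before* the flush so there is no open window while the old
# rules are gone and the new ones are not yet loaded.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
for chain in PREROUTING OUTPUT POSTROUTING; do
  iptables -t nat -P "$chain" ACCEPT
done
for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
  iptables -t mangle -P "$chain" ACCEPT
done
for table in filter nat mangle; do
  iptables -t "$table" -F   # flush every rule
  iptables -t "$table" -X   # delete user chains (they must be empty, hence -F first)
  iptables -t "$table" -Z   # zero the counters
done

# --- Logging helper chains -------------------------------------------------------------
# IRISTac / IRISTdr / IRISTrej log (rate-limited) and then ACCEPT / DROP / REJECT.
# $IRISTlim and $LOG are deliberately unquoted: they hold several iptables arguments.
# shellcheck disable=SC2086
iptables -N IRISTac
iptables -A IRISTac $IRISTlim -j $LOG --log-prefix "ACCEPT "
iptables -A IRISTac -j ACCEPT
iptables -N IRISTdr
iptables -A IRISTdr $IRISTlim -j $LOG --log-prefix "DROP "
iptables -A IRISTdr -j DROP
iptables -N IRISTrej
iptables -A IRISTrej $IRISTlim -j $LOG --log-prefix "REJECT "
iptables -A IRISTrej -p tcp -j REJECT --reject-with tcp-reset
iptables -A IRISTrej -j REJECT

# --- Loopback --------------------------------------------------------------------------
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# --- ICMP ------------------------------------------------------------------------------
# Inbound ICMP of any type is accepted at 1/s (burst 2) and dropped beyond that; outbound
# ICMP is unrestricted. This is exactly what the original enforced: its later per-type
# ICMP rules sat behind this DROP and were never reached. Forwarded ICMP is logged and
# dropped (FORWARD's policy is DROP and ip_forward is 0, so this rarely fires).
iptables -A INPUT   -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
iptables -A INPUT   -p icmp -j DROP
iptables -A OUTPUT  -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j IRISTdr

# --- Connection tracking ---------------------------------------------------------------
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT   -m state --state INVALID -j DROP
iptables -A OUTPUT  -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# New TCP connections with every flag set, or with no flag set, are never legitimate.
iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL  -j DROP
iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# --- Outbound SMTP restricted to the mail system ---------------------------------------
# Only root and $MAIL_GROUP may open connections to 25/465/587; anything else is dropped.
# These rules must precede the general outbound ACCEPT below or they are never consulted.
# If the group does not exist, the --gid-owner rule would fail to install and the DROP
# would then block the MTA itself, so the restriction is skipped with a warning instead.
if [ -n "$MAIL_GROUP" ]; then
  if getent group "$MAIL_GROUP" >/dev/null 2>&1; then
    for port in 25 465 587; do
      iptables -A OUTPUT -p tcp -m tcp --dport "$port" -m owner --gid-owner "$MAIL_GROUP" -j ACCEPT
      iptables -A OUTPUT -p tcp -m tcp --dport "$port" -m owner --uid-owner root -j ACCEPT
      iptables -A OUTPUT -p tcp -m tcp --dport "$port" -j DROP
    done
  else
    printf '%s\n' "IFW: warning: group '$MAIL_GROUP' does not exist; outbound SMTP left unrestricted" >&2
  fi
fi

# --- Outbound: everything else ---------------------------------------------------------
# New outbound connections are allowed unconditionally, as in the original. The original's
# per-port OUTPUT allow list that followed this rule could never match and is not kept.
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# --- SYN rate limit --------------------------------------------------------------------
# A *global* cap of 2 new SYN/s (burst 6); SYNs above it are dropped. NOTE(review): this is
# not per-source, so a modest burst from any one client delays connections for everyone.
# Values are kept from the original; tune them for the host's real connection rate.
iptables -N SYN_FLOOD
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
iptables -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
iptables -A SYN_FLOOD -j DROP

# --- Source addresses that must never arrive from the network --------------------------
# "This" network, RFC 1918 private, loopback, link-local, documentation, benchmark and
# multicast/reserved. 127/8 and 192.168/16 were missing from the original list and belong
# to the same class. Loopback traffic is already accepted above by "-i lo". If a private
# range is used for management access to this host, remove it from the list.
for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
           192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 224.0.0.0/3; do
  iptables -A INPUT ! -i lo -s "$net" -j DROP
done

# --- Inbound services ------------------------------------------------------------------
# SSH first so the administrator is never locked out by a mistake in the lists below.
iptables -A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport "$PSSH" -j ACCEPT
for port in $TCP_IN; do   # intentionally unquoted: one word per port
  iptables -A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
done
for port in $UDP_IN; do   # intentionally unquoted: one word per port
  iptables -A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport "$port" -j ACCEPT
done

# --- Persist ---------------------------------------------------------------------------
iptables-save > "$SAVED" || printf '%s\n' "IFW: warning: could not write $SAVED" >&2
iptables-save   # print the live ruleset so the operator can review what was applied
# RHEL-style init integration. The restart reloads whatever "save" wrote, so it is only
# attempted when the save succeeded; on other distributions the rules are already live.
if command -v service >/dev/null 2>&1; then
  if service iptables save; then
    service iptables restart || printf '%s\n' "IFW: warning: 'service iptables restart' failed" >&2
  else
    printf '%s\n' "IFW: warning: 'service iptables save' failed (non-RHEL system?); rules are live but not persisted by the init script" >&2
  fi
fi
echo "[*] IFW Firewall Is Running ... "
echo "[*] You are safe now . "
sleep 2
exit 0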
Thứ Ba, 4 tháng 6, 2013
IrisT firewall ver 2 nè