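echo -e "\tOK,the kernel is now prepared to use for building a firewall!!!"
echo -e "\n\t starting firewall ,Waitting ........................"
echo -e "\n\tCreating a drop and log chain....."
# DROP-AND-LOG: generic "log a sample, then drop" target for other rules to
# jump to. Assumes `iptables -N DROP-AND-LOG` was issued earlier (not visible
# in this excerpt).
# The LOG rule is rate-limited: unlimited logging on a chain that receives
# attacker-controlled traffic turns a dropped flood into a syslog/disk flood.
# The other LOG rules in this script are sampled the same way (3/min); the
# DROP itself stays unconditional. A prefix is added so these entries can be
# told apart from the other LOG rules' output.
iptables -A DROP-AND-LOG -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "DROP-AND-LOG:"
iptables -A DROP-AND-LOG -j DROP
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"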
# syn-flood: rate-limit new TCP connection attempts (SYN) arriving on the
# uplink. While the SYN rate is under budget the chain RETURNs to INPUT and
# normal processing continues; everything above the budget is dropped.
# Assumes `iptables -N syn-flood` ran earlier (not visible here).
# NOTE(review): `-m limit` is one global counter, not a per-source one. Once
# an attacker exhausts the 4000/s budget, legitimate SYNs are dropped too, so
# this limits log/CPU impact rather than preserving service. Per-source
# `-m hashlimit` and net.ipv4.tcp_syncookies are the usual complements.
printf '\t define a chain for syn-flood pretect..\n'
iptables -A syn-flood -m limit --limit 4000/s --limit-burst 6000 -j RETURN
iptables -A syn-flood -j DROP
iptables -A INPUT -i "${UPLINK}" -p tcp --syn -j syn-flood
printf '\t\t\t\t \033[3;032m [ OK ] \033[0m\n\n'
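# Per-protocol rate limiters. Each *Handler chain RETURNs to its caller while
# the packet rate is under budget and logs+drops the excess. The chains are
# assumed to exist already (iptables -N) and to be jumped to elsewhere with a
# matching -p; neither is visible in this excerpt.
# NOTE(review): as with syn-flood these are single global counters (-m limit),
# not per-source; one flooding host exhausts the budget for everyone.
# Fix: the "exceed" LOG rules are now rate-limited themselves. Without that,
# the very flood the chain defends against produced one log line per dropped
# packet (a log/disk DoS). The DROP rules remain unconditional.
iptables -A tcpHandler -p tcp -m limit --limit 4000/s --limit-burst 6000 -j RETURN
iptables -A tcpHandler -p tcp -m limit --limit 3/m -j LOG --log-prefix " Drop TCP exceed connections "
iptables -A tcpHandler -p tcp -j DROP

iptables -A udpHandler -p udp -m limit --limit 200/s --limit-burst 400 -j RETURN
iptables -A udpHandler -p udp -m limit --limit 3/m -j LOG --log-prefix "Drop UDP exceed connections"
iptables -A udpHandler -p udp -j DROP

iptables -A icmpHandler -p icmp -m limit --limit 200/s --limit-burst 400 -j RETURN
iptables -A icmpHandler -p icmp -m limit --limit 3/m -j LOG --log-prefix "Drop ICMP exceed connections"
iptables -A icmpHandler -p icmp -j DROP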
# Optional: log (sampled, 2/min) and drop malformed packets arriving on the
# uplink when MALFORMED_PACKET_LOG=yes. The DROP is unconditional; only the
# LOG is rate-limited, which is the right way round.
# NOTE(review): `-m unclean` was an experimental 2.4-era match that is not
# shipped with current kernels/iptables; on such systems both rules fail to
# load ("No chain/target/match by that name") and this feature is silently
# absent apart from the error printed at startup. `-m conntrack --ctstate
# INVALID` is the usual modern stand-in, although it is not an exact
# equivalent — confirm before switching.
case "${MALFORMED_PACKET_LOG}" in
  yes)
    echo -e "\tNow logging malformed packages"
    iptables -A INPUT -i "${UPLINK}" -m unclean -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "DROP malformed packet:"
    iptables -A INPUT -i "${UPLINK}" -m unclean -j DROP
    echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
    ;;
esac
# Unconditional drop of malformed packets (independent of the logging switch)
# is intentionally disabled:
# iptables -A INPUT -i ${UPLINK} -m unclean -j DROP
# CHECK_FLAGS, logging variant. The `if` that selects this branch over the
# silent one (below the `else`) is not visible in this excerpt, and the chain
# is assumed to have been created earlier with `iptables -N CHECK_FLAGS`.
# Every flag combination treated here as an anomaly or scanner signature gets
# two rules: a sampled LOG (3/min, TCP and IP options included in the entry)
# followed by an unconditional DROP. All rules are restricted to the uplink.

# FIN alone, and FIN without ACK — a FIN only makes sense on an established
# connection, which always carries ACK.
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ALL FIN :" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ACK,FIN FIN :" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,FIN FIN -j DROP

# PSH or URG without ACK — same reasoning as above.
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ACK,PSH PSH:" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,URG URG -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ACK,URG URG:" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,URG URG -j DROP

# Exactly FIN+URG+PSH: the classic nmap Xmas-style probe.
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " INVAILD NMAP SCAN " --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# Mutually exclusive flag pairs: SYN+RST, FIN+RST, SYN+FIN.
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " SYN/RST SCAN" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " FIN/RST SCAN" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN " --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# NOTE(review): `--tcp-option N` matches TCP *option kind* N in the options
# area of the header, not a flag bit. The "Bogus TCP FLAG 64/128" prefixes
# suggest the reserved flag bits 0x40/0x80 (today ECE/CWR) were intended;
# as written these four rules match almost nothing. Classic iptables
# --tcp-flags has no names for those bits, so there is no drop-in fix —
# and dropping ECN-marked traffic would be undesirable anyway. Consider
# removing these rules rather than "fixing" them.
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 64 -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 64 " --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 64 -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 128 -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 128 " --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 128 -j DROP

# All six flags set ("Xmas tree"), all but PSH, and no flags at all (NULL scan).
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL ALL -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL ALL -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "XMAS-PSH:" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL NONE -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "NULL_SCAN" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL NONE -j DROP

# RST with none of SYN/ACK/FIN set.
# NOTE(review): a bare RST is legitimate — per RFC 793 a reset sent in reply
# to a segment that itself carried ACK has the ACK bit clear — so this pair
# also discards genuine resets from remote peers and delays failure
# detection on our side. Confirm that trade-off is intended.
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID SCAN:" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
else
# CHECK_FLAGS, silent variant: the same flag patterns as the logging branch
# are dropped, in the same order, without any LOG rule. The `if` selecting
# this branch and the `iptables -N CHECK_FLAGS` creating the chain are both
# outside this excerpt.
# Each here-doc line is "MASK COMP": MASK is the set of flag bits examined,
# COMP the bits that must be set within that mask (the two --tcp-flags args).
while read -r mask comp; do
  iptables -A CHECK_FLAGS -i "${UPLINK}" -p tcp --tcp-flags "${mask}" "${comp}" -j DROP
done <<'EOF'
ALL FIN
ACK,FIN FIN
ACK,PSH PSH
ACK,URG URG
ALL FIN,URG,PSH
SYN,RST SYN,RST
FIN,RST FIN,RST
SYN,FIN SYN,FIN
EOF
# NOTE(review): --tcp-option matches TCP option *kinds* 64/128, not flag bits
# 0x40/0x80; the logging branch labels these "Bogus TCP FLAG", which is
# probably what was meant, but --tcp-flags cannot express those bits and
# these two rules match almost nothing as written.
for kind in 64 128; do
  iptables -A CHECK_FLAGS -i "${UPLINK}" -p tcp --tcp-option "${kind}" -j DROP
done
# Xmas tree, all-but-PSH, NULL scan, and bare RST (see the logging branch for
# the caveat on legitimate bare RSTs).
while read -r mask comp; do
  iptables -A CHECK_FLAGS -i "${UPLINK}" -p tcp --tcp-flags "${mask}" "${comp}" -j DROP
done <<'EOF'
ALL ALL
ALL SYN,RST,ACK,FIN,URG
ALL NONE
SYN,ACK,FIN,RST RST
EOF
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m" fi #DROP packages with a invalid FLAG iptables -A INPUT -i ${UPLINK} -p tcp -j CHECK_FLAGS echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tFinished check_flags rules...."
# Progress banner before the INPUT rules are installed.
printf '\tNow starting the input rules,please wait.......\n'
#for i in $OPEN_TCP_QUOTA; do # printf " firewall ->port $i tcp open with quota $QUOTA..." #iptables -A INPUT -i $UPLINK -p tcp --syn -m state --state NEW -m limit --limit 2/s --dport $i -m quota --quota $QUOTA -j ACCEPT #iptables -A INPUT -i $UPLINK -p tcp --dport $i -j DROP #done #for i in $OPEN_UDP_QUOTA; do # echo " firewall ->port $i udp open with quota $QUOTA..." #iptables -A INPUT -i $UPLINK -p udp -m state --state NEW -m limit --limit 2/s --dport $i -m quota --quota $QUOTA -j ACCEPT #iptables -A INPUT -i $UPLINK -p udp --dport $i -j DROP #done
# Deny traffic from each address or range listed in DENYIP: on the uplink (INPUT) and in both directions through the box (FORWARD)
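# Deny list: every address/range in DENYIP (whitespace-separated) is blocked
# on the uplink (INPUT) and in both directions through the box (FORWARD).
# Fixes relative to the previous rule set:
#  * iptables caps --log-prefix at 29 characters; embedding the address
#    (e.g. "DENYED IP 192.168.100.0/24 IN:") exceeded that for any entry
#    longer than 13 characters and made the LOG rule fail to load. The
#    prefix is now fixed text — the address is still in the log line as
#    SRC=/DST=.
#  * every LOG rule is rate-limited; the TCP-specific LOG rules had no
#    limit, so a denied host could flood syslog at will.
#  * the FORWARD rules no longer carry "--state NEW,ESTABLISHED,RELATED",
#    which silently let INVALID packets from a denied address past this
#    check.
#  * the TCP-specific rules are gone: the protocol-agnostic DROP below
#    already covers them; they only added unlimited duplicate log lines.
# DENYIP is deliberately unquoted: it is a list that must be word-split.
# shellcheck disable=SC2086
for denied in ${DENYIP}; do
  iptables -A INPUT -i "${UPLINK}" -s "${denied}" -m limit --limit 6/m -j LOG --log-level 6 --log-prefix "DENIED IP IN:"
  iptables -A INPUT -i "${UPLINK}" -s "${denied}" -j DROP
  iptables -A FORWARD -s "${denied}" -m limit --limit 6/m -j LOG --log-level 6 --log-prefix "DENIED FWD FROM:"
  iptables -A FORWARD -s "${denied}" -j DROP
  iptables -A FORWARD -d "${denied}" -m limit --limit 6/m -j LOG --log-level 6 --log-prefix "DENIED FWD TO:"
  iptables -A FORWARD -d "${denied}" -j DROP
done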
#build a chain for the tcp port or port range you want t