hi there
your’re looking for iptables firewall?
here is my suggestion to do this :-)
#!/bin/bash
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: IPTABLES Firewall
# Description: Used to Firewall a computer
### END INIT INFO
# Author: Paranoids <markus(at)paranoids(dot)at>
PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"
ETH0="eth0"
TUN6TO4="tun6to4"
LOCAL="lo"
ALLOWEDTCPPORTS="80"
ALLOWEDUDPPORTS="53"
ALLOWEDTCPPORTS6="80"
ALLOWEDUDPPORTS6="53"
ALLOWEDIPS="192.168.1.1 192.168.2.0/24"
ALLOWEDIPS6="dead:beef:dead::/48"
case "$1" in
start)
echo "Starting Firewall"
if [ -r /proc/sys/net/ipv4/ip_forward ]; then
echo "Disabling ipv4 forwarding"; echo "0" > /proc/sys/net/ipv4/ip_forward
fi
if [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then
echo "Enabling ipv4 tcp_syncookies"; echo "1" > /proc/sys/net/ipv4/tcp_syncookies
fi
#flushing firewall
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT6 -F
$IPT6 -X
$IPT6 -P INPUT ACCEPT
$IPT6 -P OUTPUT ACCEPT
$IPT6 -P FORWARD ACCEPT
#set input chain
$IPT -N IN_ETH0
$IPT -A IN_ETH0 -p tcp --syn -m state --state NEW -m connlimit --connlimit-above 50 --connlimit-mask 32 -m recent --set --name firewall
$IPT -A IN_ETH0 -p tcp -m recent --update --seconds 60 --hitcount 2 --name firewall -j DROP
$IPT -A IN_ETH0 -p tcp -m state --state INVALID -j DROP
for PORT in $ALLOWEDTCPPORTS
do $IPT -A IN_ETH0 -p tcp --dport $PORT -j ACCEPT
done
for PORT in $ALLOWEDUDPPORTS
do $IPT -A IN_ETH0 -p udp --dport $PORT -j ACCEPT
done
for PORT in $ALLOWEDIPS
do $IPT -A IN_ETH0 -s $PORT -j ACCEPT
done
$IPT -A IN_ETH0 -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A IN_ETH0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPT -A IN_ETH0 -j LOG --log-prefix "iptables: "
$IPT -A IN_ETH0 -j DROP
$IPT6 -N IN_TUN6TO4
$IPT6 -A IN_TUN6TO4 -p tcp --syn -m state --state NEW -m connlimit --connlimit-above 50 --connlimit-mask 32 -m recent --set --name firewall6
$IPT6 -A IN_TUN6TO4 -p tcp -m recent --rttl --update --seconds 60 --hitcount 1 --name firewall6 -j DROP
$IPT6 -A IN_TUN6TO4 -p tcp -m state --state INVALID -j DROP
for PORT in $ALLOWEDTCPPORTS6
do $IPT6 -A IN_TUN6TO4 -p tcp --dport $PORT -j ACCEPT
done
for PORT in $ALLOWEDUDPPORTS6
do $IPT6 -A IN_TUN6TO4 -p udp --dport $PORT -j ACCEPT
done
for PORT in $ALLOWEDIPS6
do $IPT6 -A IN_TUN6TO4 -s $PORT -j ACCEPT
done
$IPT6 -A IN_TUN6TO4 -p icmpv6 -j ACCEPT
$IPT6 -A IN_TUN6TO4 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT6 -A IN_TUN6TO4 -j LOG --log-prefix "iptables: "
$IPT6 -A IN_TUN6TO4 -j DROP
$IPT -A INPUT -i $ETH0 -j IN_ETH0
$IPT -A INPUT -i $LOCAL -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "iptables: "
$IPT -A INPUT -j DROP
$IPT6 -A INPUT -i $TUN6TO4 -j IN_TUN6TO4
$IPT6 -A INPUT -i $LOCAL -j ACCEPT
$IPT6 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT6 -A INPUT -j LOG --log-prefix "iptables: "
$IPT6 -A INPUT -j DROP
$IPT -A FORWARD -j LOG --log-prefix "iptables: "
$IPT -A FORWARD -j DROP
$IPT6 -A FORWARD -j LOG --log-prefix "iptables: "
$IPT6 -A FORWARD -j DROP
$IPT -N OUT_ETH0
for PORT in $ALLOWEDTCPPORTS
do $IPT -A OUT_ETH0 -p tcp --sport $PORT -j ACCEPT
done
for PORT in $ALLOWEDUDPPORTS
do $IPT -A OUT_ETH0 -p udp --sport $PORT -j ACCEPT
done
for PORT in $ALLOWEDIPS
do $IPT -A OUT_ETH0 -d $PORT -j ACCEPT
done
$IPT -A OUT_ETH0 -p udp --dport 53 -j ACCEPT
$IPT -A OUT_ETH0 -p tcp --dport 53 -j ACCEPT
$IPT -A OUT_ETH0 -p udp --dport 123 -j ACCEPT
#antiwebspamming(hacking)
$IPT -A OUT_ETH0 -m owner --uid-owner 0 -j ACCEPT
$IPT -A OUT_ETH0 -m owner --gid-owner 0 -j ACCEPT
$IPT -A OUT_ETH0 -m owner --uid-owner 1004 -j ACCEPT
$IPT -A OUT_ETH0 -m owner --gid-owner 1004 -j ACCEPT
$IPT -A OUT_ETH0 -m state --state NEW -p udp -j LOG --log-uid --log-prefix "iptables: "
$IPT -A OUT_ETH0 -m state --state NEW -p udp -j DROP
$IPT -A OUT_ETH0 -p tcp --dport 25 -m owner --uid-owner 1000:50000 -j LOG --log-uid --log-prefix "iptables: "
$IPT -A OUT_ETH0 -p tcp --dport 25 -m owner --uid-owner 1000:50000 -j DROP
$IPT -A OUT_ETH0 -p tcp --dport 25 -m owner --gid-owner 1000:50000 -j LOG --log-uid --log-prefix "iptables: "
$IPT -A OUT_ETH0 -p tcp --dport 25 -m owner --gid-owner 1000:50000 -j DROP
$IPT -A OUT_ETH0 -m state --state NEW -p tcp --dport 1024: -j LOG --log-uid --log-prefix "iptables: "
$IPT -A OUT_ETH0 -m state --state NEW -p tcp --dport 1024: -j DROP
$IPT -A OUT_ETH0 -j ACCEPT
$IPT6 -N OUT_TUN6TO4
for PORT in $ALLOWEDTCPPORTS
do $IPT6 -A OUT_TUN6TO4 -p tcp --sport $PORT -j ACCEPT
done
for PORT in $ALLOWEDUDPPORTS
do $IPT6 -A OUT_TUN6TO4 -p udp --sport $PORT -j ACCEPT
done
for PORT in $ALLOWEDIPS6
do $IPT6 -A OUT_TUN6TO4 -d $PORT -j ACCEPT
done
#antiwebspamming(hacking)
$IPT6 -A OUT_TUN6TO4 -p udp --dport 53 -j ACCEPT
$IPT6 -A OUT_TUN6TO4 -p tcp --dport 53 -j ACCEPT
$IPT6 -A OUT_TUN6TO4 -p udp --dport 123 -j ACCEPT
$IPT6 -A OUT_TUN6TO4 -m owner --uid-owner 0 -j ACCEPT
$IPT6 -A OUT_TUN6TO4 -m owner --gid-owner 0 -j ACCEPT
$IPT6 -A OUT_TUN6TO4 -m owner --uid-owner 1004 -j ACCEPT
$IPT6 -A OUT_TUN6TO4 -m owner --gid-owner 1004 -j ACCEPT
$IPT6 -A OUT_TUN6TO4 -m state --state NEW -p udp -j LOG --log-uid --log-prefix "iptables: "
$IPT6 -A OUT_TUN6TO4 -m state --state NEW -p udp -j DROP
$IPT6 -A OUT_TUN6TO4 -p tcp --dport 25 -m owner --uid-owner 1000:50000 -j LOG --log-uid --log-prefix "iptables: "
$IPT6 -A OUT_TUN6TO4 -p tcp --dport 25 -m owner --uid-owner 1000:50000 -j DROP
$IPT6 -A OUT_TUN6TO4 -p tcp --dport 25 -m owner --gid-owner 1000:50000 -j LOG --log-uid --log-prefix "iptables: "
$IPT6 -A OUT_TUN6TO4 -p tcp --dport 25 -m owner --gid-owner 1000:50000 -j DROP
$IPT6 -A OUT_TUN6TO4 -m state --state NEW -p tcp --dport 1024: -j LOG --log-uid --log-prefix "iptables: "
$IPT6 -A OUT_TUN6TO4 -m state --state NEW -p tcp --dport 1024: -j DROP
$IPT6 -A OUT_TUN6TO4 -j ACCEPT
$IPT -A OUTPUT -o $ETH0 -j OUT_ETH0
$IPT -A OUTPUT -o $LOCAL -j ACCEPT
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -j LOG --log-prefix "iptables: "
$IPT -A OUTPUT -j DROP
$IPT6 -A OUTPUT -o $TUN6TO4 -j OUT_TUN6TO4
$IPT6 -A OUTPUT -o $LOCAL -j ACCEPT
$IPT6 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT6 -A OUTPUT -j LOG --log-prefix "iptables: "
$IPT6 -A OUTPUT -j DROP
;;
stop)
echo "Shutting down Firewall"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT6 -F
$IPT6 -X
$IPT6 -P INPUT ACCEPT
$IPT6 -P OUTPUT ACCEPT
$IPT6 -P FORWARD ACCEPT
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
$0 start
;;
status)
$IPT -L -v -n --line-numbers
;;
status6)
$IPT6 -L -v -n --line-numbers
;;
*)
echo "Usage: $0 {start|stop|status|restart}"
exit 1
;;
esac
have fun!