Handy Linux iptables script
by Hersey on Apr.23, 2009, under My Notes, Networking, Tools
Here is a script I put together some years ago to set up a simple
iptables firewall on my Linux web server. Some of the code was
borrowed from a Linux security book, but I do not remember which
one. It is a handy script that gives you some control and
protection.
First create three files in /usr/local/etc. Each file holds one entry per
line; lines starting with # are skipped, and only the first field of a line
is read, so a trailing comment after a space is fine:
[Link] – this file contains a list of IP addresses you want to
blacklist. One IP or subnet (CIDR notation) per line. Traffic from these
sources is dropped before the port rules are evaluated.
Example:
[Link]
[Link]/8
[Link] – this file contains a list of IP addresses you allow
unrestricted access. Every packet from these sources is accepted before
any other rule is checked, the blacklist and the flood limits included,
so be careful with this. One IP or subnet per line.
Make sure you add localhost to this file (iptables resolves the name
through the resolver when the rule is loaded; writing 127.0.0.1 instead
avoids the lookup).
Example:
localhost
[Link] #Home IP Address
[Link] – this file contains a list of TCP ports you allow new
connections to. Only TCP is opened here: the script never filters UDP, so
with the kernel's default ACCEPT policy UDP traffic (including DNS on
53/udp) passes through untouched.
Example:
22 #SSH
25 #SMTP
53 #DNS/Domain
80 #HTTPD
443 #HTTPS
Add this [Link] script to /usr/local/sbin and make it executable (chmod 755):
#!/bin/sh
# iptables rules for a web server
IPTABLES=/sbin/iptables
WHITELIST=/usr/local/etc/[Link]
BLACKLIST=/usr/local/etc/[Link]
PORTSLIST=/usr/local/etc/[Link]

#---- Flood variables ----#
# Overall limit for TCP-SYN-flood detection
TCPSYNLIMIT="5/s"
# Burst limit for TCP-SYN-flood detection
TCPSYNLIMITBURST="10"
# Overall limit for logging in the logging chains
LOGLIMIT="2/s"
# Burst limit for logging in the logging chains
LOGLIMITBURST="10"
# Overall limit for ping-flood detection
PINGLIMIT="5/s"
# Burst limit for ping-flood detection
PINGLIMITBURST="10"

# Clear any current filters: flush all chains, then delete the user-defined
# chains so the -N commands below do not fail when the script is rerun
$IPTABLES -F
$IPTABLES -X

# Logging chain for possible TCP-SYN floods: rate-limited LOG, then DROP
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
$IPTABLES -A LSYNFLOOD -j DROP

# Logging chain for possible ping floods: rate-limited LOG, then DROP
$IPTABLES -N LPINGFLOOD
$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
$IPTABLES -A LPINGFLOOD -j DROP

# SYN-flood check chain: new connections within TCPSYNLIMIT return to INPUT
# and go on to the port rules, the excess is logged and dropped
$IPTABLES -N SYNCHECK
$IPTABLES -A SYNCHECK -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j RETURN
$IPTABLES -A SYNCHECK -j LSYNFLOOD

# Process whitelist: these sources bypass every rule that follows
for x in $(grep -v '^#' $WHITELIST | awk '{print $1}'); do
    echo "Permitting $x..."
    $IPTABLES -A INPUT -s $x -j ACCEPT
done

# Process blacklist
for x in $(grep -v '^#' $BLACKLIST | awk '{print $1}'); do
    echo "Blocking $x..."
    #$IPTABLES -A INPUT -s $x -j LOG
    $IPTABLES -A INPUT -s $x -j DROP
done

# Invalid TCP flag combinations, dropped before any port is accepted
# (eth0 is the public interface here; change it if yours differs)
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Ping-flood check: echo requests within PINGLIMIT are accepted, the rest
# are logged and dropped
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j LPINGFLOOD

# ICMP timestamp request and reply
$IPTABLES -A INPUT -p icmp --icmp-type timestamp-request -j DROP
$IPTABLES -A INPUT -p icmp --icmp-type timestamp-reply -j DROP
$IPTABLES -A FORWARD -p icmp --icmp-type timestamp-request -j DROP

# Every new TCP connection goes through the SYN-flood check first
$IPTABLES -A INPUT -p tcp --syn -j SYNCHECK

# Allow the listed TCP ports
for port in $(grep -v '^#' $PORTSLIST | awk '{print $1}'); do
    echo "Accepting port $port..."
    $IPTABLES -A INPUT -p tcp --dport $port -j ACCEPT
done

# Drop new connections to every other TCP port
$IPTABLES -A INPUT -p tcp --syn -j DROP
Add /usr/local/sbin/[Link] to [Link] so that it runs when the
machine starts up.
Any time you change the [Link], [Link], or [Link] files,
rerun the [Link] script to apply the rules; it flushes the existing
rules before rebuilding them.
The script also adds rules against ping floods, SYN floods and TCP packets
with invalid flag combinations, using the TCPSYNLIMIT and PINGLIMIT
thresholds (and their burst values) set at the top. Two things to keep in
mind: the limit match counts packets globally rather than per source, so
once an attacker exceeds the threshold, new connections or pings from
everybody are dropped until the rate falls again, and 5 new connections per
second is low for a busy web server; and the script never sets a chain
policy, so INPUT keeps the kernel default of ACCEPT and anything the rules
do not explicitly drop is let in.
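Before rerunning the script it is worth checking the three list files, because iptables stops at the first bad argument and the script has no error handling, so a typo in a list leaves you with a half-applied ruleset. The following is an added example, not code from the original post: a small POSIX sh checker that reads the lists the same way the script does (first field of every non-# line) and rejects anything that is not an IPv4 address or CIDR subnet (or the literal localhost) in the address lists, or a port from 1 to 65535 in the ports list. The function names (valid_host, valid_port, check_list, check_firewall_lists) are this example's own, the sample lists at the bottom are constructed from RFC 5737 documentation addresses, and the real file names are the three files created above.

```shell
#!/bin/sh
# Added example, not part of the original post: check the three list files
# before running the firewall script. iptables aborts on the first bad
# argument and the script has no error handling, so one typo in a list can
# leave the ruleset half applied. The function names are this example's own.

# Accept "localhost" or a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_host() {
    case $1 in
        localhost) return 0 ;;
        */*)       addr=${1%%/*}; prefix=${1#*/} ;;
        *)         addr=$1; prefix=32 ;;
    esac
    # prefix length must be a number from 0 to 32
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # address: digits and dots only, no leading/trailing/double dot
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Accept a TCP port number from 1 to 65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Run validator $2 on every entry of list file $1. Entries are read the way
# the firewall script reads them: lines starting with '#' and blank lines
# are skipped, and only the first field counts, so "22 #SSH" is the entry
# "22". Prints each bad entry to stderr and fails if there was at least one.
check_list() {
    file=$1; validator=$2; bad=0
    while read -r entry rest || [ -n "$entry" ]; do
        case $entry in ''|'#'*) continue ;; esac
        if ! "$validator" "$entry"; then
            echo "$file: bad entry '$entry'" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Check whitelist, blacklist and ports list in one go; fails if any is bad.
check_firewall_lists() {
    ok=0
    check_list "$1" valid_host || ok=1
    check_list "$2" valid_host || ok=1
    check_list "$3" valid_port || ok=1
    return $ok
}

# Stand-alone run on constructed sample lists (documentation addresses from
# RFC 5737, not anyone's real hosts). With the real files, point the call at
# the three files under /usr/local/etc and run it before the firewall script.
demo=$(mktemp -d)
printf 'localhost\n192.0.2.10 #Home IP Address\n' > "$demo/whitelist"
printf '198.51.100.7\n203.0.113.0/24\n' > "$demo/blacklist"
printf '22 #SSH\n80 #HTTPD\n443 #HTTPS\n' > "$demo/ports"
if check_firewall_lists "$demo/whitelist" "$demo/blacklist" "$demo/ports"; then
    echo "lists look sane, safe to run the firewall script"
fi
rm -rf "$demo"
```

Run it with the real paths before the firewall script; a non-zero exit and one message per bad entry on stderr mean the lists need fixing first. The checker deliberately accepts no hostname other than localhost: iptables would resolve any other name when the rule is loaded, which makes the ruleset depend on DNS being reachable at boot.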