[CentOS] creating script for init.d
Michael Velez
mikev777 at hotmail.com
Tue Dec 19 10:19:18 UTC 2006
For some reason, this e-mail was only sent to me. Make sure you send to
Centos mailing list.
Try to run the script on the command line (not during the standard init
process).
Put
#!/bin/bash
as it does look like it's bash (but hey I could be wrong).
Try to figure out where the script is hanging by using the -v or -x options,
one at a time.
#!/bin/bash -v
#!/bin/bash -x
You definitely need to provide more info.
Michael
> -----Original Message-----
> From: Linux Man [mailto:linuxman.uru at gmail.com]
> Sent: Tuesday, December 19, 2006 12:30 AM
> To: mikev777 at hotmail.com
> Subject: here is the scrpit
>
> 2006/12/18, Michael Velez <mikev777 at hotmail.com>:
>
>
> > -----Original Message-----
> > From: centos-bounces at centos.org <mailto:centos-bounces at centos.org>
> > [mailto:centos-bounces at centos.org] On Behalf Of Linux Man
> > Sent: Sunday, December 17, 2006 8:30 PM
> > To: centos at centos.org <mailto:centos at centos.org>
> > Subject: [CentOS] creating script for init.d
> >
> > Hello.
> > I'm moving from a very old Fedora Core 1 to CentOS 4.4, what a
> > change!!
> > Three year ago, I wrote some script (network related) and
> worked very
> > well. Now, I can put into init.d by means of chkconfig and
> I restarted
> > the system, but always hang when executing my srcipt (in my
> new centos
> > 4.4 ).
> > There a manual for making scripts for init.d?
> > there is some new requirement by which it does not work anymore?
> > Thanks a lots!!!!
> >
> >
>
> Are you using the 'su' command in your script?
>
> This happenned to me when I moved to RHEL4/Centos 4. My
> problem was due to SELinux. I was using the 'su' command.
> When I changed it to use the 'runuser' command instead, it
> worked fine. The reason it was hanging for me is that using
> the su command produces a context question on the console
> (during password checking) for which I had to press enter.
> With 'runuser', you don't get the SELinux context question.
>
> Michael
>
> ______________________________
>
> _________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
>
>
>
>
>
> This is the scrpit that I use, there's somethig wrong?
>
>
> #Script configurado y optimizado para el servidor SunSet #
> #chkconfig: 35 98 27
> #
> #Description: Firewall
>
>
> # Hubicacion de los binarios de IPTABLES y sus comandos
> IPTABLES="/sbin/iptables"
>
>
> case "$1" in
> stop)
> echo "Shutting down firewall..."
> $IPTABLES -F
> $IPTABLES -F -t mangle
> $IPTABLES -F -t nat
> $IPTABLES -X
> $IPTABLES -X -t mangle
> $IPTABLES -X -t nat
>
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD ACCEPT
> echo "...done"
> ;;
> status)
> echo $"Table: filter"
> iptables --list
> echo $"Table: nat"
> iptables -t nat --list
> echo $"Table: mangle"
> iptables -t mangle --list
> ;;
> restart|reload)
> $0 stop
> $0 start
> ;;
> start)
> echo "Starting Firewall..."
> echo ""
>
>
> ##--------------------------Inicio del
> Firewall---------------------------------##
>
>
> #----Interfaces por Defecto-----#
>
> ## Interface Externa (a Internet)
> DEFAULT_EXTIF="eth0"
>
> ## Interface Interna (a Lan)
> DEFAULT_INTIF="eth1"
>
> ## Interface Interna (a CAMARA)
> DEFAULT_CAMIF="eth2"
>
> #----Variables Especiales-----#
>
> # IP y Mascara para todas las IP (all)
> UNIVERSE="0.0.0.0/0"
>
> # Specification of the high unprivileged IP ports.
> UNPRIVPORTS="1024:65535"
>
> # Specification of X Window System (TCP) ports.
> XWINPORTS="6000:6063"
>
> # Ports for IRC-Connection-Tracking
> IRCPORTS="6665,6666,6667,6668,6669,7000"
>
> # Maquinas del Cyber
> A1="192.168.0.3"
> A2=" 192.168.0.4 <http://192.168.0.4> "
> A3="192.168.0.5"
> A4="192.168.0.6"
> A5="192.168.0.7"
> A6=" 192.168.0.8"
> A7="192.168.0.9"
> A8="192.168.0.10"
> B1=" 192.168.0.11 <http://192.168.0.11> "
> B2="192.168.0.12"
> B3="192.168.0.13"
> B4="192.168.0.14"
> B5="192.168.0.15"
> B6="192.168.0.16"
> J1="192.168.0.100"
> J2=" 192.168.0.101 <http://192.168.0.101> "
> J3="192.168.0.103"
> J4="192.168.0.105"
> J5="192.168.0.104"
> J6="192.168.0.102"
> JEJE="192.168.0.2"
>
> # Casa
> # Almaceno en la variable "actual" el valor de la IP actual
> ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net
> 63.208.196.90 | grep address | awk '{ print $4}')
>
> # Pruebo por si no hubo respuesta del servidor y en ese caso
> uso ns2 if [ "$actual" = "" ]; then ACTUAL=$(host -R 2 -W 3
> latinloveruy.homelinux.net 204.13.249.81 | grep address | awk
> '{ print $4}') fi
>
> # Pruebo por si no hubo respuesta del servidor y en ese caso
> uso ns3 if [ "$actual" = "" ]; then ACTUAL=$(host -R 2 -W 3
> latinloveruy.homelinux.net 204.13.250.81 | grep address | awk
> '{ print $4}') fi
>
> # Pruebo por si no hubo respuesta del servidor y en ese caso
> uso ns4 if [ "$actual" = "" ]; then ACTUAL=$(host -R 2 -W 3
> latinloveruy.homelinux.net 213.155.150.205 | grep address |
> awk '{ print $4}') fi
>
> # Pruebo por si no hubo respuesta del servidor y en ese caso
> uso ns5 if [ "$actual" = "" ]; then ACTUAL=$(host -R 2 -W 3
> latinloveruy.homelinux.net 63.170.10.81 | grep address | awk
> '{ print $4}') fi
>
>
> #-----Port-Forwarding Variables-----#
>
>
> #IP's a Forewardear
>
> #MUNDAKA="172.16.1.191"
> CAMARA="192.168.15.50 "
>
> #----Flood Variables-----#
>
> # Overall Limit for TCP-SYN-Flood detection TCPSYNLIMIT="5/s"
> # Burst Limit for TCP-SYN-Flood detection TCPSYNLIMITBURST="10"
>
> # Overall Limit for Loggging in Logging-Chains LOGLIMIT="2/s"
> # Burst Limit for Logging in Logging-Chains LOGLIMITBURST="10"
>
> #Overall Limit for Ping-Flood-Detection
> PINGLIMIT="5/s"
> # Burst Limit for Ping-Flood-Detection
> PINGLIMITBURST="10"
>
>
>
> #----Determinacion Automatica de la informacion para las
> Interfaces-----#
>
> #Permite la determinacion de datos de configuracion de las interfaces
> #de forma automatica permitiendo adaptarce a los cambios
> logicos de la red
> #sin necesidad de editar el script
> ### Interface Externa (Internet-IPpublica):
>
> ## Obtener informacion de la Interface Externa
> ## Si no encuentra una interface se pondra el valor por
> defecto: DEFAULT_EXTIF como EXTIF
> if [ "x$2" != "x" ]; then
> EXTIF=$2
> else
> EXTIF=$DEFAULT_EXTIF
> fi
> echo External Interface: $EXTIF
>
> ## Determinacion de la IP externa (publica)
> EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d
> \ -f 1`"
> if [ "$EXTIP" = '' ]; then
> echo "Aborting: Unable to determine the IP-address of $EXTIF !"
> exit 1
> fi
> echo External IP: $EXTIP
>
> ## Determincion del Gateway Externo
> EXTGW=`route -n | grep -A 4 UG | awk '{ print $2}'`
> echo Default GW: $EXTGW
>
>
> echo " --- "
>
>
> ### Interface Interna (Lan-IPprivada):
>
> ## Obtener informacion de la Interface InternaGet internal
> interface from command-line
> ## Si no encuentra una interface de pondra el valor por
> defecto: $DEFAULT_INTIF as INTIF
> if [ "x$3" != "x" ]; then
> INTIF=$3
> else
> INTIF=$DEFAULT_INTIF
> fi
> echo Internal Interface: $INTIF
>
> ## Determinacion de IP Interna
> INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`"
> if [ "$INTIP" = '' ]; then
> echo "Aborting: Unable to determine the IP-address of $INTIF !"
> exit 1
> fi
> echo Internal IP: $INTIP
>
> ## Determinacion de Mascara Interna
> INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
> echo Internal Netmask: $INTMASK
>
> ## Determinacion de la Network Interna
> INTLAN=$INTIP'/'$INTMASK
> echo Internal LAN: $INTLAN
>
> echo ""
>
> ###--- Interface hacia la CAMARA ---
>
> CAMIF="eth2"
> CAMIFIP="192.168.15.5 "
> CAMMASK="255.255.255.0"
>
> ##--- Reparo problemas de ruteo ---
> if [ "$(route | grep 169.254.0.0)" != "" ]; then
> ip route del 169.254.0.0/16
> fi
>
>
> #----Cargando Modulos de IPTABLES-----#
>
>
> #Insert modules- should be done automatically if needed
>
> #If the IRC-modules are available, uncomment them below
>
> echo "Loading IPTABLES modules"
>
> dmesg -n 1 #Kill copyright display on module load
> /sbin/modprobe ip_tables
> /sbin/modprobe iptable_filter
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
> /sbin/modprobe ip_nat_irc ports=$IRCPORTS
> #dmesg -n 6
>
> echo " --- "
>
>
> #----Clear/Reset all chains-----#
>
> #Clear all IPTABLES-chains
>
> #Flush everything, start from scratch
> $IPTABLES -F
> $IPTABLES -F -t mangle
> $IPTABLES -F -t nat
> $IPTABLES -X
> $IPTABLES -X -t mangle
> $IPTABLES -X -t nat
>
> #Set default policies to DROP
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
>
>
> #----Set network sysctl options-----#
>
>
> echo "Setting sysctl options"
>
> #Enable forwarding in kernel
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> #Disabling IP Spoofing attacks.
> echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
>
> #Don't respond to broadcast pings (Smurf-Amplifier-Protection)
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> #Block source routing
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
>
> #Kill timestamps
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
>
> #Enable SYN Cookies
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> #Kill redirects
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
>
> #Enable bad error message protection
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>
> #Log martians (packets with impossible addresses)
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
>
> #Set out local port range
> echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range
>
> #Reduce DoS'ing ability by reducing timeouts
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack
>
>
> echo " --- "
>
> echo "Creating user-chains"
>
>
>
> #----Create logging chains-----#
>
> ##These are the logging-chains. They all have a certain limit
> of log-entries/sec to prevent log-flooding
> ##The syslog-entries will be fireparse-compatible (see
> http://www.fireparse.com <http://www.fireparse.com> )
>
>
> #Invalid packets (not ESTABLISHED,RELATED or NEW)
> $IPTABLES -N LINVALID
> $IPTABLES -A LINVALID -m limit --limit $LOGLIMIT
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix
> "fp=INVALID:1 a=DROP " --log-level info
> $IPTABLES -A LINVALID -j DROP
>
> #TCP-Packets with one ore more bad flags
> $IPTABLES -N LBADFLAG
> $IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix
> "fp=BADFLAG:1 a=DROP " --log-level info
> $IPTABLES -A LBADFLAG -j DROP
>
> #Acceso no permitido a la Camara
> $IPTABLES -N LNOCAM
> $IPTABLES -A LNOCAM -m limit --limit $LOGLIMIT
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=NOCAM:1 a=DROP "
> $IPTABLES -A LNOCAM -j DROP
>
> #Logging of connection attempts on special ports (Trojan
> portscans, special services, etc.)
> $IPTABLES -N LSPECIALPORT
> $IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix
> "fp=SPECIALPORT:1 a=DROP " --log-level info
> $IPTABLES -A LSPECIALPORT -j DROP
>
> #Logging of possible TCP-SYN-Floods
> $IPTABLES -N LSYNFLOOD
> $IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix
> "fp=SYNFLOOD:1 a=DROP " --log-level info
> $IPTABLES -A LSYNFLOOD -j DROP
>
> #Logging of possible Ping-Floods
> $IPTABLES -N LPINGFLOOD
> $IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix
> "fp=PINGFLOOD:1 a=DROP " --log-level info
> $IPTABLES -A LPINGFLOOD -j DROP
>
>
> #All other dropped packets
> $IPTABLES -N LDROP
> $IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1
> a=DROP " --log-level info
> $IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2
> a=DROP " --log-level info
> $IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3
> a=DROP " --log-level info
> $IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix
> "fp=FRAGMENT:4 a=DROP " --log-level info
> $IPTABLES -A LDROP -j DROP
>
> #All other rejected packets
> $IPTABLES -N LREJECT
> $IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1
> a=REJECT " --log-level info
> $IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2
> a=REJECT " --log-level info
> $IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3
> a=REJECT " --log-level info
> $IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT
> --limit-burst $LOGLIMITBURST -j LOG --log-prefix
> "fp=FRAGMENT:4 a=REJECT " --log-level info
> $IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
> $IPTABLES -A LREJECT -p udp -j REJECT --reject-with
> icmp-port-unreachable
> $IPTABLES -A LREJECT -j REJECT
>
> #passtrue
>
> # $IPTABLES -A FORWARD -p tcp -s $MUNDAKA -j ACCEPT
> # $IPTABLES -A FORWARD -p tcp -d $MUNDAKA -j ACCEPT
>
>
>
>
>
> #----Create Accept-Chains-----#
>
>
> #TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
>
> $IPTABLES -N TCPACCEPT
> $IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit
> $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
> $IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
> $IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT
>
>
> #----Create special User-Chains-----#
>
>
> #CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with
> impossible flag-combinations (Some port-scanners use these,
> eg. nmap Xmas,Null,etc.-scan)
>
> $IPTABLES -N CHECKBADFLAG
> $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL
> FIN,URG,PSH -j LBADFLAG
> $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL
> SYN,RST,ACK,FIN,URG -j LBADFLAG
> $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
> $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
> $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST
> SYN,RST -j LBADFLAG
> $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN
> SYN,FIN -j LBADFLAG
>
>
>
> #FILTERING FOR SPECIAL PORTS
>
>
> #Inbound/Outbound SILENTDROPS/REJECTS (Things we don't
> want in our Logs)
>
> #SMB-Traffic
> $IPTABLES -N SMB
>
> $IPTABLES -A SMB -p tcp --dport 137 -j DROP
> $IPTABLES -A SMB -p tcp --dport 138 -j DROP
> $IPTABLES -A SMB -p tcp --dport 139 -j DROP
> $IPTABLES -A SMB -p tcp --dport 445 -j DROP
> $IPTABLES -A SMB -p udp --dport 137 -j DROP
> $IPTABLES -A SMB -p udp --dport 138 -j DROP
> $IPTABLES -A SMB -p udp --dport 139 -j DROP
> $IPTABLES -A SMB -p udp --dport 445 -j DROP
>
> $IPTABLES -A SMB -p tcp --sport 137 -j DROP
> $IPTABLES -A SMB -p tcp --sport 138 -j DROP
> $IPTABLES -A SMB -p tcp --sport 139 -j DROP
> $IPTABLES -A SMB -p tcp --sport 445 -j DROP
> $IPTABLES -A SMB -p udp --sport 137 -j DROP
> $IPTABLES -A SMB -p udp --sport 138 -j DROP
> $IPTABLES -A SMB -p udp --sport 139 -j DROP
> $IPTABLES -A SMB -p udp --sport 445 -j DROP
>
>
> #Inbound Special Ports
>
> $IPTABLES -N SPECIALPORTS
>
> #Deepthroat Scan
> $IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j
> LSPECIALPORT
>
> #Subseven Scan
> $IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j
> LSPECIALPORT
> $IPTABLES -A SPECIALPORTS -p udp --dport 1243
> -j LSPECIALPORT
> $IPTABLES -A SPECIALPORTS -p tcp --dport
> 27374 -j LSPECIALPORT
> $IPTABLES -A SPECIALPORTS -p udp --dport
> 27374 -j LSPECIALPORT
> $IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713
> -j LSPECIALPORT
>
> #Netbus Scan
> $IPTABLES -A SPECIALPORTS -p tcp --dport
> 12345:12346 -j LSPECIALPORT
> $IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j
> LSPECIALPORT
>
> #Back Orifice scan
> $IPTABLES -A SPECIALPORTS -p udp --dport
> 31337:31338 -j LSPECIALPORT
>
> #X-Win
> $IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS
> -j LSPECIALPORT
>
> #Hack'a'Tack 2000
> $IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT
>
>
> #ICMP/TRACEROUTE FILTERING
>
>
> #Inbound ICMP/Traceroute
>
> $IPTABLES -N ICMPINBOUND
>
> #Ping Flood protection. Accept $PINGLIMIT
> echo-requests/sec, rest will be logged/dropped
> $IPTABLES -A ICMPINBOUND -p icmp --icmp-type
> echo-request -m limit --limit $PINGLIMIT --limit-burst
> $PINGLIMITBURST -j ACCEPT
> #
> $IPTABLES -A ICMPINBOUND -p icmp --icmp-type
> echo-request -j LPINGFLOOD
>
> #Block ICMP-Redirects (Should already be catched by
> sysctl-options, if enabled)
> $IPTABLES -A ICMPINBOUND -p icmp --icmp-type
> redirect -j LDROP
>
> #Block ICMP-Timestamp (Should already be catched by
> sysctl-options, if enabled)
> $IPTABLES -A ICMPINBOUND -p icmp --icmp-type
> timestamp-request -j LDROP
> $IPTABLES -A ICMPINBOUND -p icmp --icmp-type
> timestamp-reply -j LDROP
>
> #Block ICMP-address-mask (can help to prevent
> OS-fingerprinting)
> $IPTABLES -A ICMPINBOUND -p icmp --icmp-type
> address-mask-request -j LDROP
> $IPTABLES -A ICMPINBOUND -p icmp --icmp-type
> address-mask-reply -j LDROP
>
>
> #Allow all other ICMP in
> $IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT
>
>
>
>
> #Outbound ICMP/Traceroute
>
> $IPTABLES -N ICMPOUTBOUND
>
> #Block ICMP-Redirects (Should already be catched by
> sysctl-options, if enabled)
> $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type
> redirect -j LDROP
>
> #Block ICMP-TTL-Expired
> #MS Traceroute (MS uses ICMP instead of UDp for tracert)
> $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type
> ttl-zero-during-transit -j LDROP
> $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type
> ttl-zero-during-reassembly -j LDROP
>
> #Block ICMP-Parameter-Problem
> $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type
> parameter-problem -j LDROP
>
> #Block ICMP-Timestamp (Should already be catched by
> sysctl-options, if enabled)
> $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type
> timestamp-request -j LDROP
> $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type
> timestamp-reply -j LDROP
>
> #Block ICMP-address-mask (can help to prevent
> OS-fingerprinting)
> $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type
> address-mask-request -j LDROP
> $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type
> address-mask-reply -j LDROP
>
>
> ##Accept all other ICMP going out
> $IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT
>
>
> # CHAIN PARA LA SEPARACION DE TRAFICO BASADO EN LA IP DE
> ORIGEN DE LA LAN
>
> $IPTABLES -t mangle -N SETEAMARCA
> $IPTABLES -t mangle -A SETEAMARCA -s $A1 -j MARK --set-mark 1
> $IPTABLES -t mangle -A SETEAMARCA -s $A2 -j MARK --set-mark 2
> $IPTABLES -t mangle -A SETEAMARCA -s $A3 -j MARK --set-mark 3
> $IPTABLES -t mangle -A SETEAMARCA -s $A4 -j MARK --set-mark 4
> $IPTABLES -t mangle -A SETEAMARCA -s $A5 -j MARK --set-mark 5
> $IPTABLES -t mangle -A SETEAMARCA -s $A6 -j MARK --set-mark 6
> $IPTABLES -t mangle -A SETEAMARCA -s $A7 -j MARK --set-mark 7
> $IPTABLES -t mangle -A SETEAMARCA -s $A8 -j MARK --set-mark 8
> $IPTABLES -t mangle -A SETEAMARCA -s $B1 -j MARK --set-mark 9
> $IPTABLES -t mangle -A SETEAMARCA -s $B2 -j MARK --set-mark 10
> $IPTABLES -t mangle -A SETEAMARCA -s $B3 -j MARK --set-mark 11
> $IPTABLES -t mangle -A SETEAMARCA -s $B4 -j MARK --set-mark 12
> $IPTABLES -t mangle -A SETEAMARCA -s $B5 -j MARK --set-mark 13
> $IPTABLES -t mangle -A SETEAMARCA -s $B6 -j MARK --set-mark 14
> $IPTABLES -t mangle -A SETEAMARCA -s $J1 -j MARK --set-mark 15
> $IPTABLES -t mangle -A SETEAMARCA -s $J2 -j MARK --set-mark 16
> $IPTABLES -t mangle -A SETEAMARCA -s $J3 -j MARK --set-mark 17
> $IPTABLES -t mangle -A SETEAMARCA -s $J4 -j MARK --set-mark 18
> $IPTABLES -t mangle -A SETEAMARCA -s $J5 -j MARK --set-mark 19
> $IPTABLES -t mangle -A SETEAMARCA -s $J6 -j MARK --set-mark 20
> $IPTABLES -t mangle -A SETEAMARCA -s $JEJE -j MARK --set-mark 21
> # $IPTABLES -t mangle -A SETEAMARCA -s $CAMARA -j MARK
> --set-mark 22
>
>
> #----End User-Chains-----#
>
>
>
> echo " --- "
>
>
> #----Start Ruleset-----#
>
> echo "Implementing firewall rules..."
>
>
> #################
> ## INPUT-Chain ## (everything that is addressed to the
> firewall itself)
> #################
>
>
> ##GENERAL Filtering
>
> # Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
> $IPTABLES -A INPUT -m state --state INVALID -j LINVALID
>
> # Check TCP-Packets for Bad Flags
> $IPTABLES -A INPUT -p tcp -j CHECKBADFLAG
>
>
> ##Packets FROM FIREWALL-BOX ITSELF
>
> #Local IF
> $IPTABLES -A INPUT -i lo -j ACCEPT
> #
> #Kill connections to the local interface from the outside
> world (--> Should be already catched by kernel/rp_filter)
> $IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT
>
>
> ##Packets FROM INTERNAL NET
>
>
> ##Allow unlimited traffic from internal network using legit
> addresses to firewall-box
> ##If protection from the internal interface is needed, alter it
>
> $IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT
> #Kill anything from outside claiming to be from internal
> network (Address-Spoofing --> Should be already catched by rp_filter)
> $IPTABLES -A INPUT -s $INTLAN -j LREJECT
> $IPTABLES -A INPUT -i $EXTIF -s $INTLAN -j LREJECT
>
>
>
> ##Packets FROM EXTERNAL NET
>
>
> ##ICMP & Traceroute filtering
>
> #Filter ICMP
> $IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMPINBOUND
>
> #Block UDP-Traceroute
> $IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP
>
>
> ##Silent Drops/Rejects (Things we don't want in our logs)
>
> #Drop all SMB-Traffic
> $IPTABLES -A INPUT -i $EXTIF -j SMB
>
> #Silently reject Ident (Don't DROP ident, because of
> possible delays when establishing an outbound connection)
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT
> --reject-with tcp-reset
>
>
> ##Public services running ON FIREWALL-BOX (comment out to activate):
>
>
>
> # ftp-data
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j TCPACCEPT
>
> # ftp
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j TCPACCEPT
>
> # ssh
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j TCPACCEPT
>
> #telnet
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT
>
>
> # smtp
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT
>
> # webmail
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 26 -j TCPACCEPT
>
> # DNS
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT
> $IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT
>
> # http
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT
>
> # https
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT
>
> # POP-3
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j TCPACCEPT
>
> # Bnc
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 31337 -j TCPACCEPT
>
>
> ##Separate logging of special portscans/connection attempts
>
> $IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS
>
>
>
> ##Allow ESTABLISHED/RELATED connections in
>
> $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m
> state --state RELATED -j TCPACCEPT
> $IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m
> state --state RELATED -j ACCEPT
>
>
> ##Catch all rule
> $IPTABLES -A INPUT -j LDROP
>
>
>
>
>
> ##################
> ## Output-Chain ## (everything that comes directly from the
> Firewall-Box)
> ##################
>
>
>
> ##Packets TO FIREWALL-BOX ITSELF
>
> #Local IF
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>
>
> ##Packets TO INTERNAL NET
>
> #Allow unlimited traffic to internals networks using legit
> addresses
> $IPTABLES -A OUTPUT -o $INTIF -d $INTLAN -s $INTIP -j ACCEPT
> $IPTABLES -A OUTPUT -o $CAMIF -d $CAMARA -s $CAMIFIP -j ACCEPT
>
>
>
> ##Packets TO EXTERNAL NET
>
>
> ##ICMP & Traceroute
>
> $IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND
>
>
>
> ##Silent Drops/Rejects (Things we don't want in our logs)
>
> #SMB
> $IPTABLES -A OUTPUT -o $EXTIF -j SMB
>
> #Ident
> $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT
> --reject-with tcp-reset
>
>
>
> ##Public services running ON FIREWALL-BOX (comment out to activate):
>
> # ftp-data
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 20 -j ACCEPT
>
> # ftp
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 21 -j ACCEPT
>
> # ssh
> $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state
> --state ESTABLISHED -j ACCEPT
>
> #telnet
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 23 -m state
> --state ESTABLISHED -j ACCEPT
>
> # smtp
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 25 -m state
> --state ESTABLISHED -j ACCEPT
>
> # webmail
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 88 -j ACCEPT
>
> # DNS
> $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT
> $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT
>
> # http
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state
> --state ESTABLISHED -j ACCEPT
>
> # https
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 443 -m state
> --state ESTABLISHED -j ACCEPT
>
> # POP-3
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 110 -m state
> --state ESTABLISHED -j ACCEPT
>
> #Netmeeting
> $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 1720 -j ACCEPT
> $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 1720 -j ACCEPT
>
> #BNC
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 31337 -j ACCEPT
>
>
>
> ##Accept all tcp/udp traffic on unprivileged ports going out
>
> $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport
> $UNPRIVPORTS -j ACCEPT
> $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport
> $UNPRIVPORTS -j ACCEPT
>
>
> ##Darle una via privada de salida a paquetes del firewall itself
> $IPTABLES -t mangle -A OUTPUT -o $EXTIF -s $EXTIP -j MARK
> --set-mark 23
>
>
> ##Catch all rule
>
> $IPTABLES -A OUTPUT -j LDROP
>
>
>
>
> ####################
> ## FORWARD-Chain ## (everything that passes the firewall)
> ####################
>
>
> ##GENERAL Filtering
>
> #Kill invalid packets (not ESTABLISHED, RELATED or NEW)
> $IPTABLES -A FORWARD -m state --state INVALID -j LINVALID
>
> # Check TCP-Packets for Bad Flags
> $IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG
>
> ##Filtering FROM INTERNAL NET
>
>
> ##Silent Drops/Rejects (Things we don't want in our logs)
>
> #SMB
> $IPTABLES -A FORWARD -o $EXTIF -j SMB
>
>
> ##Special Drops/Rejects
> # - To be done -
>
>
> ##Filter for some Trojans communicating to outside
> # - To be done -
>
>
> ##Port-Forwarding from Ports < 1024 [outbound] (--> Also
> see chain PREROUTING)
>
> #Forwarding a mundaka
> #$IPTABLES -A FORWARD -o $EXTIF -s $SAND2002 -p tcp
> --sport 25 -j ACCEPT
>
>
>
> ##Allow all other forwarding (from Ports > 1024) from
> Internals Net's to External Net
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp
> --sport $UNPRIVPORTS -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp
> --sport $UNPRIVPORTS -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp
> -j ACCEPT
> $IPTABLES -A FORWARD -i $CAMIF -o $EXTIF -s $CAMARA -d
> $ACTUAL -p tcp --sport 9090 -j ACCEPT
>
>
> ##Filtering FROM EXTERNAL NET
>
>
> ##Silent Drops/Rejects (Things we don't want in our logs)
>
> #SMB
> $IPTABLES -A FORWARD -i $EXTIF -j SMB
>
>
> ##Allow replies coming in
> $IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED
> -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS
> -m state --state RELATED -j TCPACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS
> -m state --state RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state
> RELATED -j ACCEPT
>
>
> ##Port-Forwarding [inbound] (--> Also see chain PREROUTING)
>
> #Forwarding
> #$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $MUNDAKA --dport
> 80 -j ACCEPT
> #$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $MUNDAKA --dport
> 22 -j ACCEPT
> #$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $SAND2002 --dport
> 25 -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $CAMIF -s $ACTUAL -d
> $CAMARA -p tcp --dport 9090 -j ACCEPT
>
> ##Some ip forward
>
> # $IPTABLES -A FORWARD -p tcp -s $MUNDAKA -j ACCEPT
> # $IPTABLES -A FORWARD -p tcp -d $MUNDAKA -j ACCEPT
>
> ## Forward entre las redes internas
> $IPTABLES -A FORWARD -s $CAMARA -i $CAMIF -o $INTIF -d
> $INTLAN -p tcp --sport 9090 -j ACCEPT
> $IPTABLES -A FORWARD -d $CAMARA -o $CAMIF -i $INTIF -s
> $INTLAN -p tcp --dport 9090 -j ACCEPT
>
> ## Cortar comunicacion Cyber-Cam (todo lo que vaya o venga a
> la Cam, y que no me halla
> ## interesado admitir antes, es logeado y luego muere)
> $IPTABLES -A FORWARD -o $CAMIF -j LNOCAM
> $IPTABLES -A FORWARD -i $CAMIF -j LNOCAM
>
> ##Catch all rule/Deny every other forwarding
>
> $IPTABLES -A FORWARD -j LDROP
>
> ################
> ## PREROUTING ##
> ################
>
> ##Port-Forwarding (--> Also see chain FORWARD)
>
> #Puertos Trasladados
> # $IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP
> --dport 25 -j DNAT --to-destination $SAND2002
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -d $EXTIP -s
> $ACTUAL -p tcp --dport 9090 -j DNAT --to-destination $CAMARA
>
>
>
> ###################
> ## POSTROUTING ##
> ###################
>
> #Seteo de marca basado en la dirección de origen
> $IPTABLES -t mangle -A POSTROUTING -s $INTLAN -o $EXTIF -j
> SETEAMARCA
> $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -s $CAMARA -j
> MARK --set-mark 22
>
> #Masquerade from Internal Net to External Net
>
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -j
> SNAT --to-source $EXTIP
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $CAMARA -j
> SNAT --to-source $EXTIP
> #$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
>
>
>
> #------End Ruleset------#
>
> echo "...done"
> echo ""
>
>
> echo "--> IPTABLES firewall loaded/activated <--"
>
>
> ##--------------------------------End
> Firewall---------------------------------##
>
>
>
> ;;
> *)
> echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
> exit 1
> esac
>
> exit 0
>
>
>
>
More information about the CentOS
mailing list