For some reason, this e-mail was only sent to me. Make sure you send it to the CentOS mailing list.
Try to run the script on the command line (not during the standard init process).
Put
#!/bin/bash
as it does look like it's bash (but hey I could be wrong).
Try to figure out where the script is hanging by using the -v or -x options, one at a time.
#!/bin/bash -v
#!/bin/bash -x
You definitely need to provide more info.
Michael
-----Original Message----- From: Linux Man [mailto:linuxman.uru@gmail.com] Sent: Tuesday, December 19, 2006 12:30 AM To: mikev777@hotmail.com Subject: here is the script
2006/12/18, Michael Velez mikev777@hotmail.com:
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Linux Man Sent: Sunday, December 17, 2006 8:30 PM To: centos@centos.org Subject: [CentOS] creating script for init.d
Hello. I'm moving from a very old Fedora Core 1 to CentOS 4.4, what a change!! Three years ago, I wrote a script (network related) and it worked very well. Now, I can put it into init.d by means of chkconfig and I restarted the system, but it always hangs when executing my script (in my new CentOS 4.4). Is there a manual for making scripts for init.d? Is there some new requirement by which it does not work anymore? Thanks a lot!!!!
Are you using the 'su' command in your script?
This happened to me when I moved to RHEL4/CentOS 4. My problem was due to SELinux. I was using the 'su' command. When I changed it to use the 'runuser' command instead, it worked fine. The reason it was hanging for me is that using the su command produces a context question on the console (during password checking) for which I had to press enter. With 'runuser', you don't get the SELinux context question.
Michael
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
This is the script that I use, is there something wrong?
# Script configured and tuned for the SunSet server
#
# chkconfig: 35 98 27
#
# description: Firewall

# Location of the IPTABLES binary and its commands
IPTABLES="/sbin/iptables"

case "$1" in
stop)
    echo "Shutting down firewall..."
    $IPTABLES -F
    $IPTABLES -F -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X
    $IPTABLES -X -t mangle
    $IPTABLES -X -t nat

    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    echo "...done"
    ;;

status)
    echo $"Table: filter"
    $IPTABLES --list
    echo $"Table: nat"
    $IPTABLES -t nat --list
    echo $"Table: mangle"
    $IPTABLES -t mangle --list
    ;;

restart|reload)
    $0 stop
    $0 start
    ;;

start)
    echo "Starting Firewall..."
    echo ""

##--------------------------Firewall start---------------------------------##

#----Default interfaces-----#

## External interface (to the Internet)
DEFAULT_EXTIF="eth0"

## Internal interface (to the LAN)
DEFAULT_INTIF="eth1"

## Internal interface (to the CAMERA)
DEFAULT_CAMIF="eth2"

#----Special variables-----#

# IP and mask matching every address (all)
UNIVERSE="0.0.0.0/0"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
XWINPORTS="6000:6063"

# Ports for IRC-Connection-Tracking
IRCPORTS="6665,6666,6667,6668,6669,7000"

# Cyber-cafe machines
A1="192.168.0.3"
A2="192.168.0.4"
A3="192.168.0.5"
A4="192.168.0.6"
A5="192.168.0.7"
A6="192.168.0.8"
A7="192.168.0.9"
A8="192.168.0.10"
B1="192.168.0.11"
B2="192.168.0.12"
B3="192.168.0.13"
B4="192.168.0.14"
B5="192.168.0.15"
B6="192.168.0.16"
J1="192.168.0.100"
J2="192.168.0.101"
J3="192.168.0.103"
J4="192.168.0.105"
J5="192.168.0.104"
J6="192.168.0.102"
JEJE="192.168.0.2"

# Home
# Store the current IP address in the variable ACTUAL
ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 63.208.196.90 | grep address | awk '{ print $4}')

# If the server did not answer, try ns2
# (shell variables are case-sensitive: test the same name that was assigned)
if [ "$ACTUAL" = "" ]; then
    ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 204.13.249.81 | grep address | awk '{ print $4}')
fi
# If the server did not answer, try ns3
if [ "$ACTUAL" = "" ]; then
    ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 204.13.250.81 | grep address | awk '{ print $4}')
fi
# If the server did not answer, try ns4
if [ "$ACTUAL" = "" ]; then
    ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 213.155.150.205 | grep address | awk '{ print $4}')
fi
# If the server did not answer, try ns5
if [ "$ACTUAL" = "" ]; then
    ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 63.170.10.81 | grep address | awk '{ print $4}')
fi

#-----Port-forwarding variables-----#

# IPs to forward to
#MUNDAKA="172.16.1.191"
CAMARA="192.168.15.50"

#----Flood variables-----#

# Overall limit for TCP-SYN-flood detection
TCPSYNLIMIT="5/s"
# Burst limit for TCP-SYN-flood detection
TCPSYNLIMITBURST="10"

# Overall limit for logging in logging chains
LOGLIMIT="2/s"
# Burst limit for logging in logging chains
LOGLIMITBURST="10"

# Overall limit for ping-flood detection
PINGLIMIT="5/s"
# Burst limit for ping-flood detection
PINGLIMITBURST="10"

#----Automatic detection of the interface information-----#

# Determines the interface configuration data automatically, so the
# script adapts to logical changes in the network
# without having to be edited

### External interface (Internet, public IP):

## Get the external interface from the command line
## If none is given, the default DEFAULT_EXTIF is used as EXTIF
if [ "x$2" != "x" ]; then
    EXTIF=$2
else
    EXTIF=$DEFAULT_EXTIF
fi
echo External Interface: $EXTIF

## Determine the external (public) IP
EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`"
if [ "$EXTIP" = '' ]; then
    echo "Aborting: Unable to determine the IP-address of $EXTIF !"
    exit 1
fi
echo External IP: $EXTIP

## Determine the external gateway
EXTGW=`route -n | grep -A 4 UG | awk '{ print $2}'`
echo Default GW: $EXTGW

echo " --- "

### Internal interface (LAN, private IP):

## Get the internal interface from the command line
## If none is given, the default $DEFAULT_INTIF is used as INTIF
if [ "x$3" != "x" ]; then
    INTIF=$3
else
    INTIF=$DEFAULT_INTIF
fi
echo Internal Interface: $INTIF

## Determine the internal IP
INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`"
if [ "$INTIP" = '' ]; then
    echo "Aborting: Unable to determine the IP-address of $INTIF !"
    exit 1
fi
echo Internal IP: $INTIP

## Determine the internal netmask
INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
echo Internal Netmask: $INTMASK

## Determine the internal network
INTLAN=$INTIP'/'$INTMASK
echo Internal LAN: $INTLAN

echo ""

###--- Interface towards the CAMERA ---
CAMIF="eth2"
CAMIFIP="192.168.15.5"
CAMMASK="255.255.255.0"

##--- Fix routing problems ---
if [ "$(route | grep 169.254.0.0)" != "" ]; then
    ip route del 169.254.0.0/16
fi

#----Loading IPTABLES modules-----#

#Insert modules- should be done automatically if needed
#If the IRC-modules are available, uncomment them below

echo "Loading IPTABLES modules"

dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
/sbin/modprobe ip_nat_irc ports=$IRCPORTS
#dmesg -n 6

echo " --- "

#----Clear/Reset all chains-----#

#Clear all IPTABLES-chains

#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#----Set network sysctl options-----#

echo "Setting sysctl options"

#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#Set our local port range
echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range
#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack

echo " --- "

echo "Creating user-chains"

#----Create logging chains-----#

##These are the logging-chains. They all have a certain limit of log-entries/sec to prevent log-flooding
##The syslog-entries will be fireparse-compatible (see http://www.fireparse.com)

#Invalid packets (not ESTABLISHED,RELATED or NEW)
$IPTABLES -N LINVALID
$IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP " --log-level info
$IPTABLES -A LINVALID -j DROP

#TCP-Packets with one or more bad flags
$IPTABLES -N LBADFLAG
$IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP " --log-level info
$IPTABLES -A LBADFLAG -j DROP

#Access to the camera that is not allowed
$IPTABLES -N LNOCAM
$IPTABLES -A LNOCAM -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=NOCAM:1 a=DROP "
$IPTABLES -A LNOCAM -j DROP

#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
$IPTABLES -N LSPECIALPORT
$IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP " --log-level info
$IPTABLES -A LSPECIALPORT -j DROP

#Logging of possible TCP-SYN-Floods
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP " --log-level info
$IPTABLES -A LSYNFLOOD -j DROP

#Logging of possible Ping-Floods
$IPTABLES -N LPINGFLOOD
$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP " --log-level info
$IPTABLES -A LPINGFLOOD -j DROP

#All other dropped packets
$IPTABLES -N LDROP
$IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP " --log-level info
$IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP " --log-level info
$IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP " --log-level info
$IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP " --log-level info
$IPTABLES -A LDROP -j DROP

#All other rejected packets
$IPTABLES -N LREJECT
$IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT " --log-level info
$IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT " --log-level info
$IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT " --log-level info
$IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT " --log-level info
$IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A LREJECT -j REJECT

#passthrough
# $IPTABLES -A FORWARD -p tcp -s $MUNDAKA -j ACCEPT
# $IPTABLES -A FORWARD -p tcp -d $MUNDAKA -j ACCEPT

#----Create Accept-Chains-----#

#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
$IPTABLES -N TCPACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
$IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

#----Create special User-Chains-----#

#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)
$IPTABLES -N CHECKBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG

#FILTERING FOR SPECIAL PORTS

#Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)

#SMB-Traffic
$IPTABLES -N SMB
$IPTABLES -A SMB -p tcp --dport 137 -j DROP
$IPTABLES -A SMB -p tcp --dport 138 -j DROP
$IPTABLES -A SMB -p tcp --dport 139 -j DROP
$IPTABLES -A SMB -p tcp --dport 445 -j DROP
$IPTABLES -A SMB -p udp --dport 137 -j DROP
$IPTABLES -A SMB -p udp --dport 138 -j DROP
$IPTABLES -A SMB -p udp --dport 139 -j DROP
$IPTABLES -A SMB -p udp --dport 445 -j DROP
$IPTABLES -A SMB -p tcp --sport 137 -j DROP
$IPTABLES -A SMB -p tcp --sport 138 -j DROP
$IPTABLES -A SMB -p tcp --sport 139 -j DROP
$IPTABLES -A SMB -p tcp --sport 445 -j DROP
$IPTABLES -A SMB -p udp --sport 137 -j DROP
$IPTABLES -A SMB -p udp --sport 138 -j DROP
$IPTABLES -A SMB -p udp --sport 139 -j DROP
$IPTABLES -A SMB -p udp --sport 445 -j DROP

#Inbound Special Ports
$IPTABLES -N SPECIALPORTS
#Deepthroat Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j LSPECIALPORT
#Subseven Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT
#Netbus Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT
#Back Orifice scan
$IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT
#X-Win
$IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j LSPECIALPORT
#Hack'a'Tack 2000
$IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT

#ICMP/TRACEROUTE FILTERING

#Inbound ICMP/Traceroute
$IPTABLES -N ICMPINBOUND
#Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
# $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD
#Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP
#Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP
#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP
#Allow all other ICMP in
$IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT

#Outbound ICMP/Traceroute
$IPTABLES -N ICMPOUTBOUND
#Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP
#Block ICMP-TTL-Expired
#MS Traceroute (MS uses ICMP instead of UDP for tracert)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP
#Block ICMP-Parameter-Problem
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP
#Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP
#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP
##Accept all other ICMP going out
$IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT

# CHAIN TO SEPARATE TRAFFIC BASED ON THE SOURCE IP ON THE LAN
$IPTABLES -t mangle -N SETEAMARCA
$IPTABLES -t mangle -A SETEAMARCA -s $A1 -j MARK --set-mark 1
$IPTABLES -t mangle -A SETEAMARCA -s $A2 -j MARK --set-mark 2
$IPTABLES -t mangle -A SETEAMARCA -s $A3 -j MARK --set-mark 3
$IPTABLES -t mangle -A SETEAMARCA -s $A4 -j MARK --set-mark 4
$IPTABLES -t mangle -A SETEAMARCA -s $A5 -j MARK --set-mark 5
$IPTABLES -t mangle -A SETEAMARCA -s $A6 -j MARK --set-mark 6
$IPTABLES -t mangle -A SETEAMARCA -s $A7 -j MARK --set-mark 7
$IPTABLES -t mangle -A SETEAMARCA -s $A8 -j MARK --set-mark 8
$IPTABLES -t mangle -A SETEAMARCA -s $B1 -j MARK --set-mark 9
$IPTABLES -t mangle -A SETEAMARCA -s $B2 -j MARK --set-mark 10
$IPTABLES -t mangle -A SETEAMARCA -s $B3 -j MARK --set-mark 11
$IPTABLES -t mangle -A SETEAMARCA -s $B4 -j MARK --set-mark 12
$IPTABLES -t mangle -A SETEAMARCA -s $B5 -j MARK --set-mark 13
$IPTABLES -t mangle -A SETEAMARCA -s $B6 -j MARK --set-mark 14
$IPTABLES -t mangle -A SETEAMARCA -s $J1 -j MARK --set-mark 15
$IPTABLES -t mangle -A SETEAMARCA -s $J2 -j MARK --set-mark 16
$IPTABLES -t mangle -A SETEAMARCA -s $J3 -j MARK --set-mark 17
$IPTABLES -t mangle -A SETEAMARCA -s $J4 -j MARK --set-mark 18
$IPTABLES -t mangle -A SETEAMARCA -s $J5 -j MARK --set-mark 19
$IPTABLES -t mangle -A SETEAMARCA -s $J6 -j MARK --set-mark 20
$IPTABLES -t mangle -A SETEAMARCA -s $JEJE -j MARK --set-mark 21
# $IPTABLES -t mangle -A SETEAMARCA -s $CAMARA -j MARK --set-mark 22

#----End User-Chains-----#

echo " --- "

#----Start Ruleset-----#

echo "Implementing firewall rules..."

#################
## INPUT-Chain ## (everything that is addressed to the firewall itself)
#################

##GENERAL Filtering

# Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A INPUT -m state --state INVALID -j LINVALID

# Check TCP-Packets for Bad Flags
$IPTABLES -A INPUT -p tcp -j CHECKBADFLAG

##Packets FROM FIREWALL-BOX ITSELF

#Local IF
$IPTABLES -A INPUT -i lo -j ACCEPT
#
#Kill connections to the local interface from the outside world (--> Should be already caught by kernel/rp_filter)
$IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT

##Packets FROM INTERNAL NET

##Allow unlimited traffic from internal network using legit addresses to firewall-box
##If protection from the internal interface is needed, alter it
$IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT
#Kill anything from outside claiming to be from internal network (Address-Spoofing --> Should be already caught by rp_filter)
$IPTABLES -A INPUT -s $INTLAN -j LREJECT
$IPTABLES -A INPUT -i $EXTIF -s $INTLAN -j LREJECT

##Packets FROM EXTERNAL NET

##ICMP & Traceroute filtering

#Filter ICMP
$IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMPINBOUND

#Block UDP-Traceroute
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP

##Silent Drops/Rejects (Things we don't want in our logs)

#Drop all SMB-Traffic
$IPTABLES -A INPUT -i $EXTIF -j SMB

#Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset

##Public services running ON FIREWALL-BOX (comment out to activate):
# ftp-data
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j TCPACCEPT
# ftp
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j TCPACCEPT
# ssh
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j TCPACCEPT
#telnet
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT
# smtp
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT
# webmail
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 26 -j TCPACCEPT
# DNS
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT
# http
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT
# https
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT
# POP-3
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j TCPACCEPT
# Bnc
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 31337 -j TCPACCEPT

##Separate logging of special portscans/connection attempts
$IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS

##Allow ESTABLISHED/RELATED connections in
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT

##Catch all rule
$IPTABLES -A INPUT -j LDROP

##################
## Output-Chain ## (everything that comes directly from the Firewall-Box)
##################

##Packets TO FIREWALL-BOX ITSELF

#Local IF
$IPTABLES -A OUTPUT -o lo -j ACCEPT

##Packets TO INTERNAL NET

#Allow unlimited traffic to internal networks using legit addresses
$IPTABLES -A OUTPUT -o $INTIF -d $INTLAN -s $INTIP -j ACCEPT
$IPTABLES -A OUTPUT -o $CAMIF -d $CAMARA -s $CAMIFIP -j ACCEPT

##Packets TO EXTERNAL NET

##ICMP & Traceroute
$IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND

##Silent Drops/Rejects (Things we don't want in our logs)

#SMB
$IPTABLES -A OUTPUT -o $EXTIF -j SMB

#Ident
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT --reject-with tcp-reset

##Public services running ON FIREWALL-BOX (comment out to activate):
# ftp-data
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 20 -j ACCEPT
# ftp
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 21 -j ACCEPT
# ssh
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#telnet
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT
# smtp
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
# webmail
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 88 -j ACCEPT
# DNS
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT
# http
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# https
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# POP-3
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
#Netmeeting
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 1720 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 1720 -j ACCEPT
#BNC
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 31337 -j ACCEPT

##Accept all tcp/udp traffic on unprivileged ports going out
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport $UNPRIVPORTS -j ACCEPT

##Give packets from the firewall itself their own way out
$IPTABLES -t mangle -A OUTPUT -o $EXTIF -s $EXTIP -j MARK --set-mark 23

##Catch all rule
$IPTABLES -A OUTPUT -j LDROP

####################
## FORWARD-Chain ## (everything that passes the firewall)
####################

##GENERAL Filtering

#Kill invalid packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A FORWARD -m state --state INVALID -j LINVALID

# Check TCP-Packets for Bad Flags
$IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG

##Filtering FROM INTERNAL NET

##Silent Drops/Rejects (Things we don't want in our logs)

#SMB
$IPTABLES -A FORWARD -o $EXTIF -j SMB

##Special Drops/Rejects
# - To be done -

##Filter for some Trojans communicating to outside
# - To be done -

##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)

#Forwarding to mundaka
#$IPTABLES -A FORWARD -o $EXTIF -s $SAND2002 -p tcp --sport 25 -j ACCEPT

##Allow all other forwarding (from Ports > 1024) from Internal Nets to External Net
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT
$IPTABLES -A FORWARD -i $CAMIF -o $EXTIF -s $CAMARA -d $ACTUAL -p tcp --sport 9090 -j ACCEPT

##Filtering FROM EXTERNAL NET

##Silent Drops/Rejects (Things we don't want in our logs)

#SMB
$IPTABLES -A FORWARD -i $EXTIF -j SMB

##Allow replies coming in
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state RELATED -j ACCEPT

##Port-Forwarding [inbound] (--> Also see chain PREROUTING)

#Forwarding
#$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $MUNDAKA --dport 80 -j ACCEPT
#$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $MUNDAKA --dport 22 -j ACCEPT
#$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $SAND2002 --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $CAMIF -s $ACTUAL -d $CAMARA -p tcp --dport 9090 -j ACCEPT

##Some ip forward
# $IPTABLES -A FORWARD -p tcp -s $MUNDAKA -j ACCEPT
# $IPTABLES -A FORWARD -p tcp -d $MUNDAKA -j ACCEPT

## Forwarding between the internal networks
$IPTABLES -A FORWARD -s $CAMARA -i $CAMIF -o $INTIF -d $INTLAN -p tcp --sport 9090 -j ACCEPT
$IPTABLES -A FORWARD -d $CAMARA -o $CAMIF -i $INTIF -s $INTLAN -p tcp --dport 9090 -j ACCEPT

## Cut the cyber-cafe <-> camera traffic (anything going to or coming from the camera
## that I did not choose to allow above is logged and then dies)
$IPTABLES -A FORWARD -o $CAMIF -j LNOCAM
$IPTABLES -A FORWARD -i $CAMIF -j LNOCAM

##Catch all rule/Deny every other forwarding
$IPTABLES -A FORWARD -j LDROP

################
## PREROUTING ##
################

##Port-Forwarding (--> Also see chain FORWARD)

#Forwarded ports
# $IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP --dport 25 -j DNAT --to-destination $SAND2002
$IPTABLES -t nat -A PREROUTING -i $EXTIF -d $EXTIP -s $ACTUAL -p tcp --dport 9090 -j DNAT --to-destination $CAMARA

###################
## POSTROUTING ##
###################

#Set the mark based on the source address
$IPTABLES -t mangle -A POSTROUTING -s $INTLAN -o $EXTIF -j SETEAMARCA
$IPTABLES -t mangle -A POSTROUTING -o $EXTIF -s $CAMARA -j MARK --set-mark 22

#Masquerade from Internal Net to External Net
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -j SNAT --to-source $EXTIP
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $CAMARA -j SNAT --to-source $EXTIP
#$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE

#------End Ruleset------#

echo "...done"
echo ""

echo "--> IPTABLES firewall loaded/activated <--"

##--------------------------------End Firewall---------------------------------##
    ;;

*)
    echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
    exit 1
    ;;
esac

exit 0
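The five copy-pasted nameserver lookups in the script above, written as one loop with a bounded per-server wait and a clear failure status. This is an added example, not part of the original post; the DDNS name, the nameserver addresses and the fake_host stub are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: the script's five repeated
# 'host' lookups as one loop over a list of nameservers.  A single variable
# is assigned and tested (the script set ACTUAL but tested $actual), and the
# caller gets a non-zero status when every server fails, instead of an empty
# string that later turns into a broken "-s"/"-d" iptables argument.

# Constructed values for this example (documentation ranges, not real hosts).
DDNS_NAME="camera-owner.example.invalid"
NAMESERVERS="192.0.2.1 192.0.2.2 192.0.2.3"

# Command used to query a nameserver; the self-checks override it with a stub.
HOST_CMD="${HOST_CMD:-host}"

# resolve_with_fallback NAME NS1 [NS2 ...]
# Prints the first A record returned by any of the nameservers, in order.
# -R 2 (retries) and -W 3 (seconds) are the bounds the original script used,
# so one dead server costs a few seconds of boot time, not a hang.
resolve_with_fallback() {
    rwf_name="$1"
    shift
    for rwf_ns in "$@"; do
        rwf_addr=$("$HOST_CMD" -R 2 -W 3 "$rwf_name" "$rwf_ns" 2>/dev/null \
                   | awk '/has address/ { print $4; exit }')
        if [ -n "$rwf_addr" ]; then
            printf '%s\n' "$rwf_addr"
            return 0
        fi
    done
    return 1
}

# Constructed stand-in for the 'host' binary so the example runs offline.
# Called as: fake_host -R 2 -W 3 NAME NS  (NAME is $5, NS is $6).
# 192.0.2.1 "times out" (no output, failure status); 192.0.2.2 answers in
# the format 'host' prints; 192.0.2.3 is never reached in the success case.
fake_host() {
    case "$6" in
        192.0.2.2) printf '%s has address 198.51.100.7\n' "$5" ;;
        *)         return 1 ;;
    esac
}

# self_check: run the loop against the stub; prints the address it finds.
self_check() {
    ( HOST_CMD=fake_host; resolve_with_fallback "$DDNS_NAME" $NAMESERVERS )
}

# self_check_unreachable: only dead servers listed; status 1 and no output.
self_check_unreachable() {
    ( HOST_CMD=fake_host; resolve_with_fallback "$DDNS_NAME" 192.0.2.1 192.0.2.3 )
}

# Typical use in the init script: decide before any rule references the
# address (the real script would 'exit 1' in the else branch).
if ACTUAL=$(self_check); then
    echo "Home address: $ACTUAL"
else
    echo "Aborting: could not resolve $DDNS_NAME on any nameserver" >&2
fi
```

In the firewall script itself, abort when the function returns non-zero: the FORWARD and PREROUTING rules pass `$ACTUAL` unquoted to `-s`/`-d`, and an empty value makes iptables read the next flag as the address and fail.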