-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Linux Man Sent: Wednesday, December 20, 2006 11:44 PM To: CentOS mailing list Subject: Re: [CentOS] creating script for init.d
This is what I found in /var/log/messages:
Dec 21 02:02:28 Promaster firewall.light: + /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.15.50 -j SNAT --to-source 192.168.1.5
Dec 21 02:02:28 Promaster firewall.light: + echo ...done
Dec 21 02:02:28 Promaster firewall.light: + echo ''
Dec 21 02:02:28 Promaster firewall.light: + echo '--> IPTABLES firewall loaded/activated <--'
Dec 21 02:02:28 Promaster firewall.light: + exit 0
Dec 21 02:02:28 Promaster rc: Iniciando firewall.light: succeeded
Dec 21 02:02:28 Promaster haldaemon: Iniciación de haldaemon succeeded
Dec 21 02:02:28 Promaster fstab-sync[3722]: removed all generated mount points
Dec 21 02:02:28 Promaster fstab-sync[3739]: added mount point /media/cdrom for /dev/hdc
Dec 21 02:02:29 Promaster kernel: fp=INVALID:1 a=DROP IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=16436 TOS=0x00 PREC=0x00 TTL=64 ID=22436 DF PROTO=TCP SPT=32768 DPT=6009 WINDOW=8192 RES=0x00 ACK URGP=0
Dec 21 02:02:29 Promaster kernel: fp=INVALID:1 a=DROP IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=16436 TOS=0x00 PREC=0x00 TTL=64 ID=22438 DF PROTO=TCP SPT=32768 DPT=6009 WINDOW=8192 RES=0x00 ACK URGP=0
Dec 21 02:02:29 Promaster kernel: fp=INVALID:1 a=DROP IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=16436 TOS=0x00 PREC=0x00 TTL=64 ID=22440 DF PROTO=TCP SPT=32768 DPT=6009 WINDOW=8192 RES=0x00 ACK PSH URGP=0
As you can see, it looks like the script executes fine, but the keyboard, monitor, mouse, etc. hang. Nevertheless there's some activity from lo to lo ?¿?¿?¿
2006/12/20, Linux Man linuxman.uru@gmail.com:
If I hit ENTER nothing happens (even with lots of enters). In /var/log/messages it seems to complete the script; I'm really confused (and :( of course). Can it be SELinux? Can I disable it to try? At the terminal everything works smoothly, I don't understand why it hangs at boot time. Thanks a lot guys for your help!!
2006/12/20, Michael Velez mikev777@hotmail.com:
At this point, I doubt you have the same problem I had (SELinux is not asking a question for you to respond to). What Craig is saying is accurate. CentOS 4.4 already has an iptables script. You should start with that. Then add your customized iptables rules from the command line and once you have verified them, save them to /etc/sysconfig/iptables with 'service iptables save'. Are you using your old Fedora iptables script?
I don't know enough about the iptables script to help you out here. Other experts on the list should know, but starting from the base CentOS 4.4 script should be better. In any case, I posted your own script below (which you had sent out).
Michael
This is the script that I use, is there something wrong?
#!/bin/bash
# Script configured and optimised for the SunSet server
#
# chkconfig: 35 98 27
#
# description: Firewall

# Location of the IPTABLES binary and its commands
IPTABLES="/sbin/iptables"

case "$1" in
stop)
    echo "Shutting down firewall..."
    $IPTABLES -F
    $IPTABLES -F -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X
    $IPTABLES -X -t mangle
    $IPTABLES -X -t nat

    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    echo "...done"
    ;;
status)
    echo $"Table: filter"
    $IPTABLES --list
    echo $"Table: nat"
    $IPTABLES -t nat --list
    echo $"Table: mangle"
    $IPTABLES -t mangle --list
    ;;
restart|reload)
    $0 stop
    $0 start
    ;;
start)
    echo "Starting Firewall..."
    echo ""

##--------------------------Firewall start---------------------------------##

#----Default interfaces-----#

## External interface (to the Internet)
DEFAULT_EXTIF="eth0"

## Internal interface (to the LAN)
DEFAULT_INTIF="eth1"

## Internal interface (to the CAMERA)
DEFAULT_CAMIF="eth2"

#----Special variables-----#

# IP and mask for all IPs (all)
UNIVERSE="0.0.0.0/0"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
XWINPORTS="6000:6063"

# Ports for IRC-Connection-Tracking
IRCPORTS="6665,6666,6667,6668,6669,7000"

# Cybercafe machines
A1="192.168.0.3"
A2="192.168.0.4"
A3="192.168.0.5"
A4="192.168.0.6"
A5="192.168.0.7"
A6="192.168.0.8"
A7="192.168.0.9"
A8="192.168.0.10"
B1="192.168.0.11"
B2="192.168.0.12"
B3="192.168.0.13"
B4="192.168.0.14"
B5="192.168.0.15"
B6="192.168.0.16"
J1="192.168.0.100"
J2="192.168.0.101"
J3="192.168.0.103"
J4="192.168.0.105"
J5="192.168.0.104"
J6="192.168.0.102"
JEJE="192.168.0.2"

# Home
# Store the current IP of the home host in the variable ACTUAL
ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 63.208.196.90 | grep address | awk '{ print $4}')
# If the server did not answer, try ns2
if [ "$ACTUAL" = "" ]; then
    ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 204.13.249.81 | grep address | awk '{ print $4}')
fi
# If the server did not answer, try ns3
if [ "$ACTUAL" = "" ]; then
    ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 204.13.250.81 | grep address | awk '{ print $4}')
fi
# If the server did not answer, try ns4
if [ "$ACTUAL" = "" ]; then
    ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 213.155.150.205 | grep address | awk '{ print $4}')
fi
# If the server did not answer, try ns5
if [ "$ACTUAL" = "" ]; then
    ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 63.170.10.81 | grep address | awk '{ print $4}')
fi
# If every lookup failed, ACTUAL is empty; the camera rules that use it as
# a source/destination are skipped below rather than built with a missing address.
if [ "$ACTUAL" = "" ]; then
    echo "Warning: unable to resolve latinloveruy.homelinux.net, camera access from home will not be opened"
fi

#-----Port-forwarding variables-----#

# IPs to forward to
#MUNDAKA="172.16.1.191"
CAMARA="192.168.15.50"

#----Flood variables-----#

# Overall limit for TCP-SYN-flood detection
TCPSYNLIMIT="5/s"
# Burst limit for TCP-SYN-flood detection
TCPSYNLIMITBURST="10"

# Overall limit for logging in logging chains
LOGLIMIT="2/s"
# Burst limit for logging in logging chains
LOGLIMITBURST="10"

# Overall limit for ping-flood detection
PINGLIMIT="5/s"
# Burst limit for ping-flood detection
PINGLIMITBURST="10"

#----Automatic determination of the interface information-----#
# Determines the interfaces' configuration data automatically, so the
# script adapts to logical changes in the network without being edited.

### External interface (Internet, public IP):
## Get the external interface from the command line. If none is given,
## the default DEFAULT_EXTIF is used as EXTIF
if [ "x$2" != "x" ]; then
    EXTIF=$2
else
    EXTIF=$DEFAULT_EXTIF
fi
echo External Interface: $EXTIF

## Determine the external (public) IP
EXTIP="`ifconfig $EXTIF | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1`"
if [ "$EXTIP" = '' ]; then
    echo "Aborting: Unable to determine the IP-address of $EXTIF !"
    exit 1
fi
echo External IP: $EXTIP

## Determine the external gateway
EXTGW=`route -n | grep UG | awk '{ print $2}'`
echo Default GW: $EXTGW
echo " --- "

### Internal interface (LAN, private IP):
## Get the internal interface from the command line. If none is given,
## the default $DEFAULT_INTIF is used as INTIF
if [ "x$3" != "x" ]; then
    INTIF=$3
else
    INTIF=$DEFAULT_INTIF
fi
echo Internal Interface: $INTIF

## Determine the internal IP
INTIP="`ifconfig $INTIF | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1`"
if [ "$INTIP" = '' ]; then
    echo "Aborting: Unable to determine the IP-address of $INTIF !"
    exit 1
fi
echo Internal IP: $INTIP

## Determine the internal netmask
INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
echo Internal Netmask: $INTMASK

## Determine the internal network
INTLAN=$INTIP'/'$INTMASK
echo Internal LAN: $INTLAN
echo ""

###--- Interface towards the CAMERA ---
CAMIF="eth2"
CAMIFIP="192.168.15.5"
CAMMASK="255.255.255.0"

##--- Fix routing problems ---
if [ "$(route | grep 169.254.0.0)" != "" ]; then
    ip route del 169.254.0.0/16
fi

#----Loading IPTABLES modules-----#
#Insert modules- should be done automatically if needed
#If the IRC-modules are available, uncomment them below
echo "Loading IPTABLES modules"
dmesg -n 1    #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
/sbin/modprobe ip_nat_irc ports=$IRCPORTS
#dmesg -n 6
echo " --- "

#----Clear/Reset all chains-----#
#Clear all IPTABLES-chains
#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#----Set network sysctl options-----#
echo "Setting sysctl options"
#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#Set our local port range
echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range
#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo " --- "

echo "Creating user-chains"

#----Create logging chains-----#
##These are the logging-chains. They all have a certain limit of log-entries/sec to prevent log-flooding
##The syslog-entries will be fireparse-compatible (see http://www.fireparse.com)

#Invalid packets (not ESTABLISHED,RELATED or NEW)
$IPTABLES -N LINVALID
$IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP " --log-level info
$IPTABLES -A LINVALID -j DROP

#TCP-Packets with one or more bad flags
$IPTABLES -N LBADFLAG
$IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP " --log-level info
$IPTABLES -A LBADFLAG -j DROP

#Disallowed access to the Camera
$IPTABLES -N LNOCAM
$IPTABLES -A LNOCAM -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=NOCAM:1 a=DROP "
$IPTABLES -A LNOCAM -j DROP

#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
$IPTABLES -N LSPECIALPORT
$IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP " --log-level info
$IPTABLES -A LSPECIALPORT -j DROP

#Logging of possible TCP-SYN-Floods
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP " --log-level info
$IPTABLES -A LSYNFLOOD -j DROP

#Logging of possible Ping-Floods
$IPTABLES -N LPINGFLOOD
$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP " --log-level info
$IPTABLES -A LPINGFLOOD -j DROP

#All other dropped packets
$IPTABLES -N LDROP
$IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP " --log-level info
$IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP " --log-level info
$IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP " --log-level info
$IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP " --log-level info
$IPTABLES -A LDROP -j DROP

#All other rejected packets
$IPTABLES -N LREJECT
$IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT " --log-level info
$IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT " --log-level info
$IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT " --log-level info
$IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT " --log-level info
$IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A LREJECT -j REJECT

#passthrough
# $IPTABLES -A FORWARD -p tcp -s $MUNDAKA -j ACCEPT
# $IPTABLES -A FORWARD -p tcp -d $MUNDAKA -j ACCEPT

#----Create Accept-Chains-----#
#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
$IPTABLES -N TCPACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
$IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

#----Create special User-Chains-----#
#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations
#(Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)
$IPTABLES -N CHECKBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG

#FILTERING FOR SPECIAL PORTS
#Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)
#SMB-Traffic
$IPTABLES -N SMB
$IPTABLES -A SMB -p tcp --dport 137 -j DROP
$IPTABLES -A SMB -p tcp --dport 138 -j DROP
$IPTABLES -A SMB -p tcp --dport 139 -j DROP
$IPTABLES -A SMB -p tcp --dport 445 -j DROP
$IPTABLES -A SMB -p udp --dport 137 -j DROP
$IPTABLES -A SMB -p udp --dport 138 -j DROP
$IPTABLES -A SMB -p udp --dport 139 -j DROP
$IPTABLES -A SMB -p udp --dport 445 -j DROP
$IPTABLES -A SMB -p tcp --sport 137 -j DROP
$IPTABLES -A SMB -p tcp --sport 138 -j DROP
$IPTABLES -A SMB -p tcp --sport 139 -j DROP
$IPTABLES -A SMB -p tcp --sport 445 -j DROP
$IPTABLES -A SMB -p udp --sport 137 -j DROP
$IPTABLES -A SMB -p udp --sport 138 -j DROP
$IPTABLES -A SMB -p udp --sport 139 -j DROP
$IPTABLES -A SMB -p udp --sport 445 -j DROP

#Inbound Special Ports
$IPTABLES -N SPECIALPORTS
#Deepthroat Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j LSPECIALPORT
#Subseven Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT
#Netbus Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT
#Back Orifice scan
$IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT
#X-Win
$IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j LSPECIALPORT
#Hack'a'Tack 2000
$IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT

#ICMP/TRACEROUTE FILTERING
#Inbound ICMP/Traceroute
$IPTABLES -N ICMPINBOUND
#Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
# $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD
#Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP
#Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP
#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP
#Allow all other ICMP in
$IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT

#Outbound ICMP/Traceroute
$IPTABLES -N ICMPOUTBOUND
#Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP
#Block ICMP-TTL-Expired
#MS Traceroute (MS uses ICMP instead of UDP for tracert)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP
#Block ICMP-Parameter-Problem
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP
#Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP
#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP
##Accept all other ICMP going out
$IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT

# CHAIN TO SEPARATE TRAFFIC BASED ON THE SOURCE IP IN THE LAN
$IPTABLES -t mangle -N SETEAMARCA
$IPTABLES -t mangle -A SETEAMARCA -s $A1 -j MARK --set-mark 1
$IPTABLES -t mangle -A SETEAMARCA -s $A2 -j MARK --set-mark 2
$IPTABLES -t mangle -A SETEAMARCA -s $A3 -j MARK --set-mark 3
$IPTABLES -t mangle -A SETEAMARCA -s $A4 -j MARK --set-mark 4
$IPTABLES -t mangle -A SETEAMARCA -s $A5 -j MARK --set-mark 5
$IPTABLES -t mangle -A SETEAMARCA -s $A6 -j MARK --set-mark 6
$IPTABLES -t mangle -A SETEAMARCA -s $A7 -j MARK --set-mark 7
$IPTABLES -t mangle -A SETEAMARCA -s $A8 -j MARK --set-mark 8
$IPTABLES -t mangle -A SETEAMARCA -s $B1 -j MARK --set-mark 9
$IPTABLES -t mangle -A SETEAMARCA -s $B2 -j MARK --set-mark 10
$IPTABLES -t mangle -A SETEAMARCA -s $B3 -j MARK --set-mark 11
$IPTABLES -t mangle -A SETEAMARCA -s $B4 -j MARK --set-mark 12
$IPTABLES -t mangle -A SETEAMARCA -s $B5 -j MARK --set-mark 13
$IPTABLES -t mangle -A SETEAMARCA -s $B6 -j MARK --set-mark 14
$IPTABLES -t mangle -A SETEAMARCA -s $J1 -j MARK --set-mark 15
$IPTABLES -t mangle -A SETEAMARCA -s $J2 -j MARK --set-mark 16
$IPTABLES -t mangle -A SETEAMARCA -s $J3 -j MARK --set-mark 17
$IPTABLES -t mangle -A SETEAMARCA -s $J4 -j MARK --set-mark 18
$IPTABLES -t mangle -A SETEAMARCA -s $J5 -j MARK --set-mark 19
$IPTABLES -t mangle -A SETEAMARCA -s $J6 -j MARK --set-mark 20
$IPTABLES -t mangle -A SETEAMARCA -s $JEJE -j MARK --set-mark 21
# $IPTABLES -t mangle -A SETEAMARCA -s $CAMARA -j MARK --set-mark 22

#----End User-Chains-----#
echo " --- "

#----Start Ruleset-----#
echo "Implementing firewall rules..."

#################
## INPUT-Chain ## (everything that is addressed to the firewall itself)
#################

##GENERAL Filtering
# Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A INPUT -m state --state INVALID -j LINVALID
# Check TCP-Packets for Bad Flags
$IPTABLES -A INPUT -p tcp -j CHECKBADFLAG

##Packets FROM FIREWALL-BOX ITSELF
#Local IF
$IPTABLES -A INPUT -i lo -j ACCEPT
#Kill connections to the local interface from the outside world (--> Should be already caught by kernel/rp_filter)
$IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT

##Packets FROM INTERNAL NET
##Allow unlimited traffic from internal network using legit addresses to firewall-box
##If protection from the internal interface is needed, alter it
$IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT
#Kill anything from outside claiming to be from internal network (Address-Spoofing --> Should be already caught by rp_filter)
$IPTABLES -A INPUT -s $INTLAN -j LREJECT
$IPTABLES -A INPUT -i $EXTIF -s $INTLAN -j LREJECT

##Packets FROM EXTERNAL NET
##ICMP & Traceroute filtering
#Filter ICMP
$IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMPINBOUND
#Block UDP-Traceroute
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP

##Silent Drops/Rejects (Things we don't want in our logs)
#Drop all SMB-Traffic
$IPTABLES -A INPUT -i $EXTIF -j SMB
#Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset

##Public services running ON FIREWALL-BOX (uncomment to activate):
# ftp-data
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j TCPACCEPT
# ftp
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j TCPACCEPT
# ssh
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j TCPACCEPT
# telnet
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT
# smtp
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT
# webmail
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 26 -j TCPACCEPT
# DNS
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT
# http
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT
# https
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT
# POP-3
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j TCPACCEPT
# Bnc
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 31337 -j TCPACCEPT

##Separate logging of special portscans/connection attempts
$IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS

##Allow ESTABLISHED/RELATED connections in
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT

##Catch all rule
$IPTABLES -A INPUT -j LDROP

##################
## Output-Chain ## (everything that comes directly from the Firewall-Box)
##################

##Packets TO FIREWALL-BOX ITSELF
#Local IF
$IPTABLES -A OUTPUT -o lo -j ACCEPT

##Packets TO INTERNAL NET
#Allow unlimited traffic to internal networks using legit addresses
$IPTABLES -A OUTPUT -o $INTIF -d $INTLAN -s $INTIP -j ACCEPT
$IPTABLES -A OUTPUT -o $CAMIF -d $CAMARA -s $CAMIFIP -j ACCEPT

##Packets TO EXTERNAL NET
##ICMP & Traceroute
$IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND

##Silent Drops/Rejects (Things we don't want in our logs)
#SMB
$IPTABLES -A OUTPUT -o $EXTIF -j SMB
#Ident
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT --reject-with tcp-reset

##Public services running ON FIREWALL-BOX (uncomment to activate):
# ftp-data
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 20 -j ACCEPT
# ftp
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 21 -j ACCEPT
# ssh
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# telnet
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT
# smtp
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
# webmail
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 88 -j ACCEPT
# DNS
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT
# http
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# https
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# POP-3
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
# Netmeeting
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 1720 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 1720 -j ACCEPT
# BNC
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 31337 -j ACCEPT

##Accept all tcp/udp traffic on unprivileged ports going out
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport $UNPRIVPORTS -j ACCEPT

##Give packets from the firewall itself their own outbound path
$IPTABLES -t mangle -A OUTPUT -o $EXTIF -s $EXTIP -j MARK --set-mark 23

##Catch all rule
$IPTABLES -A OUTPUT -j LDROP

###################
## FORWARD-Chain ## (everything that passes the firewall)
###################

##GENERAL Filtering
#Kill invalid packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A FORWARD -m state --state INVALID -j LINVALID
# Check TCP-Packets for Bad Flags
$IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG

##Filtering FROM INTERNAL NET
##Silent Drops/Rejects (Things we don't want in our logs)
#SMB
$IPTABLES -A FORWARD -o $EXTIF -j SMB

##Special Drops/Rejects
# - To be done -

##Filter for some Trojans communicating to outside
# - To be done -

##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)
#Forwarding to mundaka
#$IPTABLES -A FORWARD -o $EXTIF -s $SAND2002 -p tcp --sport 25 -j ACCEPT

##Allow all other forwarding (from Ports > 1024) from Internal Nets to External Net
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT
#Camera replies towards the home host (only when ACTUAL could be resolved)
if [ -n "$ACTUAL" ]; then
    $IPTABLES -A FORWARD -i $CAMIF -o $EXTIF -s $CAMARA -d $ACTUAL -p tcp --sport 9090 -j ACCEPT
fi

##Filtering FROM EXTERNAL NET
##Silent Drops/Rejects (Things we don't want in our logs)
#SMB
$IPTABLES -A FORWARD -i $EXTIF -j SMB

##Allow replies coming in
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state RELATED -j ACCEPT

##Port-Forwarding [inbound] (--> Also see chain PREROUTING)
#Forwarding
#$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $MUNDAKA --dport 80 -j ACCEPT
#$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $MUNDAKA --dport 22 -j ACCEPT
#$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $SAND2002 --dport 25 -j ACCEPT
#Camera access from the home host only (skipped when ACTUAL could not be resolved)
if [ -n "$ACTUAL" ]; then
    $IPTABLES -A FORWARD -i $EXTIF -o $CAMIF -s $ACTUAL -d $CAMARA -p tcp --dport 9090 -j ACCEPT
fi

##Some ip forward
# $IPTABLES -A FORWARD -p tcp -s $MUNDAKA -j ACCEPT
# $IPTABLES -A FORWARD -p tcp -d $MUNDAKA -j ACCEPT

## Forwarding between the internal networks
$IPTABLES -A FORWARD -s $CAMARA -i $CAMIF -o $INTIF -d $INTLAN -p tcp --sport 9090 -j ACCEPT
$IPTABLES -A FORWARD -d $CAMARA -o $CAMIF -i $INTIF -s $INTLAN -p tcp --dport 9090 -j ACCEPT

## Cut Cybercafe-Cam communication (anything going to or coming from the Cam
## that was not explicitly admitted above is logged and then dies)
$IPTABLES -A FORWARD -o $CAMIF -j LNOCAM
$IPTABLES -A FORWARD -i $CAMIF -j LNOCAM

##Catch all rule/Deny every other forwarding
$IPTABLES -A FORWARD -j LDROP

################
## PREROUTING ##
################

##Port-Forwarding (--> Also see chain FORWARD)
#Forwarded ports
# $IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP --dport 25 -j DNAT --to-destination $SAND2002
#Camera DNAT from the home host only (skipped when ACTUAL could not be resolved)
if [ -n "$ACTUAL" ]; then
    $IPTABLES -t nat -A PREROUTING -i $EXTIF -d $EXTIP -s $ACTUAL -p tcp --dport 9090 -j DNAT --to-destination $CAMARA
fi

#################
## POSTROUTING ##
#################

#Set mark based on source address
$IPTABLES -t mangle -A POSTROUTING -s $INTLAN -o $EXTIF -j SETEAMARCA
$IPTABLES -t mangle -A POSTROUTING -o $EXTIF -s $CAMARA -j MARK --set-mark 22

#Masquerade from Internal Net to External Net
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -j SNAT --to-source $EXTIP
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $CAMARA -j SNAT --to-source $EXTIP
#$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE

#------End Ruleset------#
echo "...done"
echo ""
echo "--> IPTABLES firewall loaded/activated <--"

##--------------------------------End Firewall---------------------------------##
    ;;
*)
    echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
    exit 1
esac

exit 0
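The kernel lines quoted at the top of this message carry the fireparse-style "fp=<tag>:<n> a=<action>" prefixes that the script's logging chains set with --log-prefix. As an added example, not part of the thread and not part of the script above, here is a POSIX shell/awk summariser that tallies such lines per prefix, action, inbound interface, protocol and destination port, so that a burst of one class of drop (such as the loopback INVALID drops in the excerpt) stands out from the rest of /var/log/messages. The sample lines are constructed for the example and modelled on the quoted excerpt; the MAC fields are abbreviated and the external source address is a documentation-range placeholder.

```shell
#!/bin/sh
# Added example, not from the original thread: tally fireparse-style
# iptables LOG lines ("fp=<tag>:<n> a=<action> IN=... PROTO=... DPT=...")
# as written by the firewall script's logging chains.

# Constructed sample lines modelled on the quoted /var/log/messages excerpt
# (MAC fields abbreviated, 198.51.100.9 is a documentation-range placeholder).
# The sshd line is there to show that non-firewall lines are ignored.
SAMPLE_LOG='Dec 21 02:02:29 Promaster kernel: fp=INVALID:1 a=DROP IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=16436 TOS=0x00 PREC=0x00 TTL=64 ID=22436 DF PROTO=TCP SPT=32768 DPT=6009 WINDOW=8192 RES=0x00 ACK URGP=0
Dec 21 02:02:29 Promaster kernel: fp=INVALID:1 a=DROP IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=16436 TOS=0x00 PREC=0x00 TTL=64 ID=22438 DF PROTO=TCP SPT=32768 DPT=6009 WINDOW=8192 RES=0x00 ACK URGP=0
Dec 21 02:03:10 Promaster kernel: fp=SPECIALPORT:1 a=DROP IN=eth0 OUT= MAC=aa:bb SRC=198.51.100.9 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44000 DPT=27374 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 21 02:03:11 Promaster kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=aa:bb SRC=198.51.100.9 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=UDP SPT=44001 DPT=33434 LEN=20
Dec 21 02:03:12 Promaster sshd[1234]: Accepted publickey for admin from 198.51.100.9 port 50000 ssh2'

# summarize_fw_log: read syslog lines on stdin and print
# "<count> <prefix> <action> <IN> <PROTO> <DPT>" for every kernel line
# carrying an fp= tag, most frequent first. Fields that a line lacks
# (e.g. DPT on an ICMP line) are shown as "-".
summarize_fw_log() {
  awk '
    /kernel: fp=/ {
      pfx = "-"; act = "-"; inif = "-"; proto = "-"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue            # flag words such as DF, ACK, SYN
        if (kv[1] == "fp") pfx = kv[2]
        else if (kv[1] == "a") act = kv[2]
        else if (kv[1] == "IN" && kv[2] != "") inif = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
      }
      hits[pfx " " act " " inif " " proto " " dpt]++
    }
    END { for (k in hits) print hits[k], k }
  ' | sort -rn
}

# count_for: hits in SAMPLE_LOG for one exact "prefix action IN PROTO DPT"
# key; prints nothing when the key never occurs.
count_for() {
  printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log |
    awk -v want="$1" '{ c = $1; sub(/^[0-9]+ /, ""); if ($0 == want) print c }'
}

# distinct_keys: number of distinct (prefix, action, IN, PROTO, DPT) keys in SAMPLE_LOG.
distinct_keys() {
  printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log | awk 'END { print NR }'
}

# Print the summary of the sample when run directly.
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
```

Against a real log run `summarize_fw_log < /var/log/messages`; only lines containing `kernel: fp=` are counted, so the sshd line in the sample contributes nothing, and the two loopback lines collapse into a single row with count 2.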