For some reason, this e-mail was only sent to me. Make sure you send to the CentOS mailing list.

Try to run the script on the command line (not during the standard init process).

Put #!/bin/bash as it does look like it's bash (but hey I could be wrong).

Try to figure out where the script is hanging by using the -v or -x options, one at a time.

#!/bin/bash -v
#!/bin/bash -x

You definitely need to provide more info.

Michael

> -----Original Message-----
> From: Linux Man [mailto:linuxman.uru at gmail.com]
> Sent: Tuesday, December 19, 2006 12:30 AM
> To: mikev777 at hotmail.com
> Subject: here is the script
>
> 2006/12/18, Michael Velez <mikev777 at hotmail.com>:
> >
> > -----Original Message-----
> > From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Linux Man
> > Sent: Sunday, December 17, 2006 8:30 PM
> > To: centos at centos.org
> > Subject: [CentOS] creating script for init.d
> >
> > Hello.
> > I'm moving from a very old Fedora Core 1 to CentOS 4.4, what a change!!
> > Three years ago, I wrote a script (network related) and it worked very well. Now I can put it into init.d by means of chkconfig, and I restarted the system, but it always hangs when executing my script (in my new CentOS 4.4).
> > Is there a manual for making scripts for init.d?
> > Is there some new requirement by which it does not work anymore?
> > Thanks a lot!!!!
> >
> > Are you using the 'su' command in your script?
> >
> > This happened to me when I moved to RHEL4/CentOS 4. My problem was due to SELinux. I was using the 'su' command. When I changed it to use the 'runuser' command instead, it worked fine. The reason it was hanging for me is that using the su command produces a context question on the console (during password checking) for which I had to press enter. With 'runuser', you don't get the SELinux context question.
> >
> > Michael
> >
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
>
> This is the script that I use, is there something wrong?
>
> #Script configured and optimized for the SunSet server
> #
> #chkconfig: 35 98 27
> #
> #Description: Firewall
>
> # Location of the IPTABLES binary and its commands
> IPTABLES="/sbin/iptables"
>
> case "$1" in
> stop)
> echo "Shutting down firewall..."
> $IPTABLES -F
> $IPTABLES -F -t mangle
> $IPTABLES -F -t nat
> $IPTABLES -X
> $IPTABLES -X -t mangle
> $IPTABLES -X -t nat
>
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD ACCEPT
> echo "...done"
> ;;
> status)
> echo $"Table: filter"
> iptables --list
> echo $"Table: nat"
> iptables -t nat --list
> echo $"Table: mangle"
> iptables -t mangle --list
> ;;
> restart|reload)
> $0 stop
> $0 start
> ;;
> start)
> echo "Starting Firewall..."
> echo ""
>
> ##--------------------------Start of Firewall---------------------------------##
>
> #----Default Interfaces-----#
>
> ## External interface (to the Internet)
> DEFAULT_EXTIF="eth0"
>
> ## Internal interface (to the LAN)
> DEFAULT_INTIF="eth1"
>
> ## Internal interface (to the CAMERA)
> DEFAULT_CAMIF="eth2"
>
> #----Special Variables-----#
>
> # IP and mask for all IPs (all)
> UNIVERSE="0.0.0.0/0"
>
> # Specification of the high unprivileged IP ports.
> UNPRIVPORTS="1024:65535"
>
> # Specification of X Window System (TCP) ports.
> XWINPORTS="6000:6063"
>
> # Ports for IRC-Connection-Tracking
> IRCPORTS="6665,6666,6667,6668,6669,7000"
>
> # Cyber cafe machines
> A1="192.168.0.3"
> A2="192.168.0.4"
> A3="192.168.0.5"
> A4="192.168.0.6"
> A5="192.168.0.7"
> A6="192.168.0.8"
> A7="192.168.0.9"
> A8="192.168.0.10"
> B1="192.168.0.11"
> B2="192.168.0.12"
> B3="192.168.0.13"
> B4="192.168.0.14"
> B5="192.168.0.15"
> B6="192.168.0.16"
> J1="192.168.0.100"
> J2="192.168.0.101"
> J3="192.168.0.103"
> J4="192.168.0.105"
> J5="192.168.0.104"
> J6="192.168.0.102"
> JEJE="192.168.0.2"
>
> # Home
> # Store the current IP address in the variable ACTUAL
> # (the variable name must match in the assignment and in the checks below,
> # otherwise the fallback lookups never run)
> ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 63.208.196.90 | grep address | awk '{ print $4}')
>
> # In case the server did not answer, try ns2
> if [ "$ACTUAL" = "" ]; then
> ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 204.13.249.81 | grep address | awk '{ print $4}')
> fi
>
> # In case the server did not answer, try ns3
> if [ "$ACTUAL" = "" ]; then
> ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 204.13.250.81 | grep address | awk '{ print $4}')
> fi
>
> # In case the server did not answer, try ns4
> if [ "$ACTUAL" = "" ]; then
> ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 213.155.150.205 | grep address | awk '{ print $4}')
> fi
>
> # In case the server did not answer, try ns5
> if [ "$ACTUAL" = "" ]; then
> ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 63.170.10.81 | grep address | awk '{ print $4}')
> fi
>
> #-----Port-Forwarding Variables-----#
>
> #IPs to forward
>
> #MUNDAKA="172.16.1.191"
> CAMARA="192.168.15.50"
>
> #----Flood Variables-----#
>
> # Overall Limit for TCP-SYN-Flood detection
> TCPSYNLIMIT="5/s"
> # Burst Limit for TCP-SYN-Flood detection
> TCPSYNLIMITBURST="10"
>
> # Overall Limit for Logging in Logging-Chains
> LOGLIMIT="2/s"
> # Burst Limit for Logging in Logging-Chains
> LOGLIMITBURST="10"
>
> #Overall Limit for Ping-Flood-Detection
> PINGLIMIT="5/s"
> # Burst Limit for Ping-Flood-Detection
> PINGLIMITBURST="10"
>
> #----Automatic determination of interface information-----#
>
> #Determines the interface configuration data automatically,
> #so the script adapts to logical changes in the network
> #without needing to be edited
> ### External interface (Internet - public IP):
>
> ## Get the external interface information
> ## If no interface is given, the default is used: DEFAULT_EXTIF as EXTIF
> if [ "x$2" != "x" ]; then
> EXTIF=$2
> else
> EXTIF=$DEFAULT_EXTIF
> fi
> echo External Interface: $EXTIF
>
> ## Determine the external (public) IP
> EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`"
> if [ "$EXTIP" = '' ]; then
> echo "Aborting: Unable to determine the IP-address of $EXTIF !"
> exit 1
> fi
> echo External IP: $EXTIP
>
> ## Determine the external gateway
> EXTGW=`route -n | grep -A 4 UG | awk '{ print $2}'`
> echo Default GW: $EXTGW
>
> echo " --- "
>
> ### Internal interface (LAN - private IP):
>
> ## Get the internal interface from the command line
> ## If no interface is given, the default is used: $DEFAULT_INTIF as INTIF
> if [ "x$3" != "x" ]; then
> INTIF=$3
> else
> INTIF=$DEFAULT_INTIF
> fi
> echo Internal Interface: $INTIF
>
> ## Determine the internal IP
> INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`"
> if [ "$INTIP" = '' ]; then
> echo "Aborting: Unable to determine the IP-address of $INTIF !"
> exit 1
> fi
> echo Internal IP: $INTIP
>
> ## Determine the internal netmask
> INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
> echo Internal Netmask: $INTMASK
>
> ## Determine the internal network
> INTLAN=$INTIP'/'$INTMASK
> echo Internal LAN: $INTLAN
>
> echo ""
>
> ###--- Interface towards the CAMERA ---
>
> CAMIF="eth2"
> CAMIFIP="192.168.15.5"
> CAMMASK="255.255.255.0"
>
> ##--- Fix routing problems ---
> if [ "$(route | grep 169.254.0.0)" != "" ]; then
> ip route del 169.254.0.0/16
> fi
>
> #----Loading IPTABLES modules-----#
>
> #Insert modules- should be done automatically if needed
>
> #If the IRC-modules are available, uncomment them below
>
> echo "Loading IPTABLES modules"
>
> dmesg -n 1 #Kill copyright display on module load
> /sbin/modprobe ip_tables
> /sbin/modprobe iptable_filter
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
> /sbin/modprobe ip_nat_irc ports=$IRCPORTS
> #dmesg -n 6
>
> echo " --- "
>
> #----Clear/Reset all chains-----#
>
> #Clear all IPTABLES-chains
>
> #Flush everything, start from scratch
> $IPTABLES -F
> $IPTABLES -F -t mangle
> $IPTABLES -F -t nat
> $IPTABLES -X
> $IPTABLES -X -t mangle
> $IPTABLES -X -t nat
>
> #Set default policies to DROP
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
>
> #----Set network sysctl options-----#
>
> echo "Setting sysctl options"
>
> #Enable forwarding in kernel
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> #Disabling IP Spoofing attacks.
> echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
>
> #Don't respond to broadcast pings (Smurf-Amplifier-Protection)
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> #Block source routing
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
>
> #Kill timestamps
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
>
> #Enable SYN Cookies
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> #Kill redirects
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
>
> #Enable bad error message protection
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>
> #Log martians (packets with impossible addresses)
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
>
> #Set our local port range
> echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range
>
> #Reduce DoS'ing ability by reducing timeouts
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack
>
> echo " --- "
>
> echo "Creating user-chains"
>
> #----Create logging chains-----#
>
> ##These are the logging-chains. They all have a certain limit of log-entries/sec to prevent log-flooding
> ##The syslog-entries will be fireparse-compatible (see http://www.fireparse.com)
>
> #Invalid packets (not ESTABLISHED,RELATED or NEW)
> $IPTABLES -N LINVALID
> $IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP " --log-level info
> $IPTABLES -A LINVALID -j DROP
>
> #TCP-Packets with one or more bad flags
> $IPTABLES -N LBADFLAG
> $IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP " --log-level info
> $IPTABLES -A LBADFLAG -j DROP
>
> #Access to the camera not permitted
> $IPTABLES -N LNOCAM
> $IPTABLES -A LNOCAM -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=NOCAM:1 a=DROP "
> $IPTABLES -A LNOCAM -j DROP
>
> #Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
> $IPTABLES -N LSPECIALPORT
> $IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP " --log-level info
> $IPTABLES -A LSPECIALPORT -j DROP
>
> #Logging of possible TCP-SYN-Floods
> $IPTABLES -N LSYNFLOOD
> $IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP " --log-level info
> $IPTABLES -A LSYNFLOOD -j DROP
>
> #Logging of possible Ping-Floods
> $IPTABLES -N LPINGFLOOD
> $IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP " --log-level info
> $IPTABLES -A LPINGFLOOD -j DROP
>
> #All other dropped packets
> $IPTABLES -N LDROP
> $IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP " --log-level info
> $IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP " --log-level info
> $IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP " --log-level info
> $IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP " --log-level info
> $IPTABLES -A LDROP -j DROP
>
> #All other rejected packets
> $IPTABLES -N LREJECT
> $IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT " --log-level info
> $IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT " --log-level info
> $IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT " --log-level info
> $IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT " --log-level info
> $IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
> $IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
> $IPTABLES -A LREJECT -j REJECT
>
> #passthrough
>
> # $IPTABLES -A FORWARD -p tcp -s $MUNDAKA -j ACCEPT
> # $IPTABLES -A FORWARD -p tcp -d $MUNDAKA -j ACCEPT
>
> #----Create Accept-Chains-----#
>
> #TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
>
> $IPTABLES -N TCPACCEPT
> $IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
> $IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
> $IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT
>
> #----Create special User-Chains-----#
>
> #CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)
>
> $IPTABLES -N CHECKBADFLAG
> $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
> $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
> $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
> $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
> $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
> $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG
>
> #FILTERING FOR SPECIAL PORTS
>
> #Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)
>
> #SMB-Traffic
> $IPTABLES -N SMB
>
> $IPTABLES -A SMB -p tcp --dport 137 -j DROP
> $IPTABLES -A SMB -p tcp --dport 138 -j DROP
> $IPTABLES -A SMB -p tcp --dport 139 -j DROP
> $IPTABLES -A SMB -p tcp --dport 445 -j DROP
> $IPTABLES -A SMB -p udp --dport 137 -j DROP
> $IPTABLES -A SMB -p udp --dport 138 -j DROP
> $IPTABLES -A SMB -p udp --dport 139 -j DROP
> $IPTABLES -A SMB -p udp --dport 445 -j DROP
>
> $IPTABLES -A SMB -p tcp --sport 137 -j DROP
> $IPTABLES -A SMB -p tcp --sport 138 -j DROP
> $IPTABLES -A SMB -p tcp --sport 139 -j DROP
> $IPTABLES -A SMB -p tcp --sport 445 -j DROP
> $IPTABLES -A SMB -p udp --sport 137 -j DROP
> $IPTABLES -A SMB -p udp --sport 138 -j DROP
> $IPTABLES -A SMB -p udp --sport 139 -j DROP
> $IPTABLES -A SMB -p udp --sport 445 -j DROP
>
> #Inbound Special Ports
>
> $IPTABLES -N SPECIALPORTS
>
> #Deepthroat Scan
> $IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j LSPECIALPORT
>
> #Subseven Scan
> $IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
> $IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
> $IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
> $IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
> $IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT
>
> #Netbus Scan
> $IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
> $IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT
>
> #Back Orifice scan
> $IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT
>
> #X-Win
> $IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j LSPECIALPORT
>
> #Hack'a'Tack 2000
> $IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT
>
> #ICMP/TRACEROUTE FILTERING
>
> #Inbound ICMP/Traceroute
>
> $IPTABLES -N ICMPINBOUND
>
> #Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
> $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
> #
> $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD
>
> #Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
> $IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP
>
> #Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
> $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP
> $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP
>
> #Block ICMP-address-mask (can help to prevent OS-fingerprinting)
> $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP
> $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP
>
> #Allow all other ICMP in
> $IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT
>
> #Outbound ICMP/Traceroute
>
> $IPTABLES -N ICMPOUTBOUND
>
> #Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
> $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP
>
> #Block ICMP-TTL-Expired
> #MS Traceroute (MS uses ICMP instead of UDP for tracert)
> $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
> $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP
>
> #Block ICMP-Parameter-Problem
> $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP
>
> #Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
> $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
> $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP
>
> #Block ICMP-address-mask (can help to prevent OS-fingerprinting)
> $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
> $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP
>
> ##Accept all other ICMP going out
> $IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT
>
> # CHAIN TO SEPARATE TRAFFIC BASED ON THE LAN SOURCE IP
>
> $IPTABLES -t mangle -N SETEAMARCA
> $IPTABLES -t mangle -A SETEAMARCA -s $A1 -j MARK --set-mark 1
> $IPTABLES -t mangle -A SETEAMARCA -s $A2 -j MARK --set-mark 2
> $IPTABLES -t mangle -A SETEAMARCA -s $A3 -j MARK --set-mark 3
> $IPTABLES -t mangle -A SETEAMARCA -s $A4 -j MARK --set-mark 4
> $IPTABLES -t mangle -A SETEAMARCA -s $A5 -j MARK --set-mark 5
> $IPTABLES -t mangle -A SETEAMARCA -s $A6 -j MARK --set-mark 6
> $IPTABLES -t mangle -A SETEAMARCA -s $A7 -j MARK --set-mark 7
> $IPTABLES -t mangle -A SETEAMARCA -s $A8 -j MARK --set-mark 8
> $IPTABLES -t mangle -A SETEAMARCA -s $B1 -j MARK --set-mark 9
> $IPTABLES -t mangle -A SETEAMARCA -s $B2 -j MARK --set-mark 10
> $IPTABLES -t mangle -A SETEAMARCA -s $B3 -j MARK --set-mark 11
> $IPTABLES -t mangle -A SETEAMARCA -s $B4 -j MARK --set-mark 12
> $IPTABLES -t mangle -A SETEAMARCA -s $B5 -j MARK --set-mark 13
> $IPTABLES -t mangle -A SETEAMARCA -s $B6 -j MARK --set-mark 14
> $IPTABLES -t mangle -A SETEAMARCA -s $J1 -j MARK --set-mark 15
> $IPTABLES -t mangle -A SETEAMARCA -s $J2 -j MARK --set-mark 16
> $IPTABLES -t mangle -A SETEAMARCA -s $J3 -j MARK --set-mark 17
> $IPTABLES -t mangle -A SETEAMARCA -s $J4 -j MARK --set-mark 18
> $IPTABLES -t mangle -A SETEAMARCA -s $J5 -j MARK --set-mark 19
> $IPTABLES -t mangle -A SETEAMARCA -s $J6 -j MARK --set-mark 20
> $IPTABLES -t mangle -A SETEAMARCA -s $JEJE -j MARK --set-mark 21
> # $IPTABLES -t mangle -A SETEAMARCA -s $CAMARA -j MARK --set-mark 22
>
> #----End User-Chains-----#
>
> echo " --- "
>
> #----Start Ruleset-----#
>
> echo "Implementing firewall rules..."
>
> #################
> ## INPUT-Chain ## (everything that is addressed to the firewall itself)
> #################
>
> ##GENERAL Filtering
>
> # Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
> $IPTABLES -A INPUT -m state --state INVALID -j LINVALID
>
> # Check TCP-Packets for Bad Flags
> $IPTABLES -A INPUT -p tcp -j CHECKBADFLAG
>
> ##Packets FROM FIREWALL-BOX ITSELF
>
> #Local IF
> $IPTABLES -A INPUT -i lo -j ACCEPT
> #
> #Kill connections to the local interface from the outside world (--> Should be already caught by kernel/rp_filter)
> $IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT
>
> ##Packets FROM INTERNAL NET
>
> ##Allow unlimited traffic from internal network using legit addresses to firewall-box
> ##If protection from the internal interface is needed, alter it
>
> $IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT
> #Kill anything from outside claiming to be from internal network (Address-Spoofing --> Should be already caught by rp_filter)
> $IPTABLES -A INPUT -s $INTLAN -j LREJECT
> $IPTABLES -A INPUT -i $EXTIF -s $INTLAN -j LREJECT
>
> ##Packets FROM EXTERNAL NET
>
> ##ICMP & Traceroute filtering
>
> #Filter ICMP
> $IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMPINBOUND
>
> #Block UDP-Traceroute
> $IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP
>
> ##Silent Drops/Rejects (Things we don't want in our logs)
>
> #Drop all SMB-Traffic
> $IPTABLES -A INPUT -i $EXTIF -j SMB
>
> #Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset
>
> ##Public services running ON FIREWALL-BOX (comment out to activate):
>
> # ftp-data
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j TCPACCEPT
>
> # ftp
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j TCPACCEPT
>
> # ssh
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j TCPACCEPT
>
> #telnet
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT
>
> # smtp
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT
>
> # webmail
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 26 -j TCPACCEPT
>
> # DNS
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT
> $IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT
>
> # http
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT
>
> # https
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT
>
> # POP-3
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j TCPACCEPT
>
> # Bnc
> #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 31337 -j TCPACCEPT
>
> ##Separate logging of special portscans/connection attempts
>
> $IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS
>
> ##Allow ESTABLISHED/RELATED connections in
>
> $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
> $IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
>
> ##Catch all rule
> $IPTABLES -A INPUT -j LDROP
>
> ##################
> ## Output-Chain ## (everything that comes directly from the Firewall-Box)
> ##################
>
> ##Packets TO FIREWALL-BOX ITSELF
>
> #Local IF
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>
> ##Packets TO INTERNAL NET
>
> #Allow unlimited traffic to internal networks using legit addresses
> $IPTABLES -A OUTPUT -o $INTIF -d $INTLAN -s $INTIP -j ACCEPT
> $IPTABLES -A OUTPUT -o $CAMIF -d $CAMARA -s $CAMIFIP -j ACCEPT
>
> ##Packets TO EXTERNAL NET
>
> ##ICMP & Traceroute
>
> $IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND
>
> ##Silent Drops/Rejects (Things we don't want in our logs)
>
> #SMB
> $IPTABLES -A OUTPUT -o $EXTIF -j SMB
>
> #Ident
> $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT --reject-with tcp-reset
>
> ##Public services running ON FIREWALL-BOX (comment out to activate):
>
> # ftp-data
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 20 -j ACCEPT
>
> # ftp
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 21 -j ACCEPT
>
> # ssh
> $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
>
> #telnet
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT
>
> # smtp
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
>
> # webmail
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 88 -j ACCEPT
>
> # DNS
> $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT
> $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT
>
> # http
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
>
> # https
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
>
> # POP-3
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
>
> #Netmeeting
> $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 1720 -j ACCEPT
> $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 1720 -j ACCEPT
>
> #BNC
> #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 31337 -j ACCEPT
>
> ##Accept all tcp/udp traffic on unprivileged ports going out
>
> $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport $UNPRIVPORTS -j ACCEPT
> $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport $UNPRIVPORTS -j ACCEPT
>
> ##Give packets from the firewall itself their own way out
> $IPTABLES -t mangle -A OUTPUT -o $EXTIF -s $EXTIP -j MARK --set-mark 23
>
> ##Catch all rule
>
> $IPTABLES -A OUTPUT -j LDROP
>
> ####################
> ## FORWARD-Chain ## (everything that passes the firewall)
> ####################
>
> ##GENERAL Filtering
>
> #Kill invalid packets (not ESTABLISHED, RELATED or NEW)
> $IPTABLES -A FORWARD -m state --state INVALID -j LINVALID
>
> # Check TCP-Packets for Bad Flags
> $IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG
>
> ##Filtering FROM INTERNAL NET
>
> ##Silent Drops/Rejects (Things we don't want in our logs)
>
> #SMB
> $IPTABLES -A FORWARD -o $EXTIF -j SMB
>
> ##Special Drops/Rejects
> # - To be done -
>
> ##Filter for some Trojans communicating to outside
> # - To be done -
>
> ##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)
>
> #Forwarding to mundaka
> #$IPTABLES -A FORWARD -o $EXTIF -s $SAND2002 -p tcp --sport 25 -j ACCEPT
>
> ##Allow all other forwarding (from Ports > 1024) from Internal Nets to External Net
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT
> $IPTABLES -A FORWARD -i $CAMIF -o $EXTIF -s $CAMARA -d $ACTUAL -p tcp --sport 9090 -j ACCEPT
>
> ##Filtering FROM EXTERNAL NET
>
> ##Silent Drops/Rejects (Things we don't want in our logs)
>
> #SMB
> $IPTABLES -A FORWARD -i $EXTIF -j SMB
>
> ##Allow replies coming in
> $IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state RELATED -j ACCEPT
>
> ##Port-Forwarding [inbound] (--> Also see chain PREROUTING)
>
> #Forwarding
> #$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $MUNDAKA --dport 80 -j ACCEPT
> #$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $MUNDAKA --dport 22 -j ACCEPT
> #$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $SAND2002 --dport 25 -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $CAMIF -s $ACTUAL -d $CAMARA -p tcp --dport 9090 -j ACCEPT
>
> ##Some ip forward
>
> # $IPTABLES -A FORWARD -p tcp -s $MUNDAKA -j ACCEPT
> # $IPTABLES -A FORWARD -p tcp -d $MUNDAKA -j ACCEPT
>
> ## Forwarding between the internal networks
> $IPTABLES -A FORWARD -s $CAMARA -i $CAMIF -o $INTIF -d $INTLAN -p tcp --sport 9090 -j ACCEPT
> $IPTABLES -A FORWARD -d $CAMARA -o $CAMIF -i $INTIF -s $INTLAN -p tcp --dport 9090 -j ACCEPT
>
> ## Cut the Cyber-Cam communication (everything going to or coming from the Cam
> ## that I did not choose to allow above is logged and then dies)
> $IPTABLES -A FORWARD -o $CAMIF -j LNOCAM
> $IPTABLES -A FORWARD -i $CAMIF -j LNOCAM
>
> ##Catch all rule/Deny every other forwarding
>
> $IPTABLES -A FORWARD -j LDROP
>
> ################
> ## PREROUTING ##
> ################
>
> ##Port-Forwarding (--> Also see chain FORWARD)
>
> #Forwarded ports
> # $IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP --dport 25 -j DNAT --to-destination $SAND2002
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -d $EXTIP -s $ACTUAL -p tcp --dport 9090 -j DNAT --to-destination $CAMARA
>
> ###################
> ## POSTROUTING ##
> ###################
>
> #Set the mark based on the source address
> $IPTABLES -t mangle -A POSTROUTING -s $INTLAN -o $EXTIF -j SETEAMARCA
> $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -s $CAMARA -j MARK --set-mark 22
>
> #Masquerade from Internal Net to External Net
>
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -j SNAT --to-source $EXTIP
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $CAMARA -j SNAT --to-source $EXTIP
> #$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
>
> #------End Ruleset------#
>
> echo "...done"
> echo ""
>
> echo "--> IPTABLES firewall loaded/activated <--"
>
> ##--------------------------------End Firewall---------------------------------##
>
> ;;
> *)
> echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
> exit 1
> esac
>
> exit 0
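Michael's advice to trace where the script stalls, together with the nameserver fallback the quoted script attempts, as an added example that is not part of this thread and not the poster's code. It goes one step past the script by refusing to build a rule when no nameserver answered or the answer is not an address. `trace_to_log`, `LOOKUP_CMD`, `resolve_with_fallback` and `is_ipv4` are names chosen here; the host name and nameserver addresses in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Two helpers for an init script like the
# one quoted above:
#   1. trace_to_log: the "-x" advice, but with the trace written to a file,
#      since during init nobody is watching the console where the script stalls.
#   2. resolve_with_fallback: the dynamic-DNS lookup with nameserver fallback,
#      written so each fallback really runs when the previous server gave nothing.

# Turn on an execution trace and append it to $1. Every trace line carries the
# script name and line number, so after a hang the last line in the file is
# the command that never returned.
trace_to_log() {
    logfile="$1"
    exec 2>>"$logfile"              # xtrace output goes to stderr
    PS4='+ ${0##*/}:${LINENO}: '
    set -x
}

# LOOKUP_CMD is an assumption made for this example: the command used to ask
# one nameserver for a name. The default is the thread's own invocation
# (2 retries, 3 second wait) so a dead server times out instead of hanging;
# the test overrides it with a stand-in so the logic runs offline.
LOOKUP_CMD="${LOOKUP_CMD:-host -R 2 -W 3}"

# Ask one nameserver ($2) for the A record of a name ($1). Prints the first
# address found, nothing if the server did not answer or had no record.
lookup_once() {
    $LOOKUP_CMD "$1" "$2" 2>/dev/null | awk '/has address/ { print $4; exit }'
}

# Try each nameserver in turn and stop at the first answer. Returns 1 (and
# prints nothing) when none of them answered, so the caller can skip the rule
# instead of handing iptables an empty address ("-s -p tcp").
resolve_with_fallback() {
    name="$1"; shift
    for ns in "$@"; do
        addr=$(lookup_once "$name" "$ns")
        if [ -n "$addr" ]; then
            printf '%s\n' "$addr"
            return 0
        fi
    done
    return 1
}

# Sanity check a resolved value before splicing it into a rule: four dotted
# decimal octets, each 0-255. Returns 0 when it is safe to use.
is_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Demo wiring, only when invoked with "demo": trace to a file, then resolve a
# constructed placeholder name through two placeholder nameservers.
if [ "${1:-}" = "demo" ]; then
    trace_to_log /tmp/firewall-trace.log
    if ACTUAL=$(resolve_with_fallback dyndns.example.net 192.0.2.53 198.51.100.53) \
        && is_ipv4 "$ACTUAL"; then
        echo "Remote address: $ACTUAL"
    else
        echo "Could not resolve the remote address; skipping camera rules" >&2
        exit 1
    fi
fi
```

Run as `sh script.sh demo`, then read `/tmp/firewall-trace.log`; the same two lines at the top of the quoted script's `start)` branch would show exactly which command it stops at during boot.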