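#!/bin/sh
#
# Host firewall for a single-homed server, built with iptables.
#
# Policy: INPUT/OUTPUT/FORWARD default to DROP; loopback and
# ESTABLISHED/RELATED traffic are accepted; a fixed list of inbound
# TCP/UDP service ports is opened; malformed and stealth-scan packets
# are logged (rate-limited) and dropped.
#
# Must run as root.  The DROP policies are installed before the ACCEPT
# rules, so an interruption part-way through (e.g. when run over SSH)
# can leave the host unreachable until the script is re-run from the
# console.  Failures of individual commands are not fatal, matching the
# original behaviour.
#
# Globals (configuration):
#   INET_IFACE    public interface
#   INET_ADDRESS  public address (not referenced by any rule below; kept
#                 for operators who expect it here)
#   LO_IFACE      loopback interface
#   LO_IP         loopback address

INET_IFACE="venet0"
INET_ADDRESS="79.99.1.170"
LO_IFACE="lo"
LO_IP="127.0.0.1"

#######################################
# Append a rate-limited LOG rule followed by a DROP rule for one match.
# Rate-limiting the LOG target stops attacker-controlled traffic (scans,
# floods) from filling syslog; the DROP still applies to every packet.
# Arguments:
#   $1   - chain to append to
#   $2   - log prefix
#   $3.. - iptables match arguments
#######################################
log_and_drop() {
  ld_chain=$1
  ld_prefix=$2
  shift 2
  /sbin/iptables -A "$ld_chain" "$@" \
    -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-prefix "$ld_prefix"
  /sbin/iptables -A "$ld_chain" "$@" -j DROP
}

# Every iptables/sysctl call below needs root; fail early rather than
# emit a long stream of permission errors.
if [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root." >&2
  exit 1
fi

echo "Loading kernel modules ..."
# depmod -a
# NOTE(review): these are the legacy module names; on newer kernels the
# conntrack helpers live under nf_conntrack*.  A failed modprobe is not
# fatal here, but without ip_conntrack_ftp the RELATED match will not
# cover FTP data connections.
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

echo "Configuring system ..."
# Left disabled by the original author (possibly read-only in this
# container); enable if the kernel permits.
# /sbin/sysctl -w net.ipv4.tcp_syncookies="1"
/sbin/sysctl -w net.ipv4.conf.all.rp_filter="1"
# /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts="1"
/sbin/sysctl -w net.ipv4.conf.all.accept_source_route="0"
/sbin/sysctl -w net.ipv4.conf.all.accept_redirects="0"
/sbin/sysctl -w net.ipv4.conf.all.secure_redirects="1"
/sbin/sysctl -w net.ipv4.conf.all.log_martians="1"

echo "Flushing Tables ..."
# Reset policies to ACCEPT first so the flush itself cannot strand us.
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X

echo "Locking server down ..."
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

echo "Building namespaces ..."
/sbin/iptables -N bad_packets
/sbin/iptables -N bad_tcp_packets
/sbin/iptables -N icmp_packets
/sbin/iptables -N udp_inbound
/sbin/iptables -N udp_outbound
/sbin/iptables -N tcp_inbound
/sbin/iptables -N tcp_outbound

echo "Handling bad packets ..."
# Anything conntrack cannot classify is dropped; TCP gets extra checks.
log_and_drop bad_packets "Invalid packet: " -p ALL -m state --state INVALID
/sbin/iptables -A bad_packets -p tcp -j bad_tcp_packets
/sbin/iptables -A bad_packets -p ALL -j RETURN

echo "Handling bad TCP packets ..."
# New connections must start with a bare SYN; the remaining flag
# combinations are invalid and typical of port-scanner probes.
log_and_drop bad_tcp_packets "New not syn: " -p tcp ! --syn -m state --state NEW
log_and_drop bad_tcp_packets "Stealth scan: " -p tcp --tcp-flags ALL NONE
log_and_drop bad_tcp_packets "Stealth scan: " -p tcp --tcp-flags ALL ALL
log_and_drop bad_tcp_packets "Stealth scan: " -p tcp --tcp-flags ALL FIN,URG,PSH
log_and_drop bad_tcp_packets "Stealth scan: " -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG
log_and_drop bad_tcp_packets "Stealth scan: " -p tcp --tcp-flags SYN,RST SYN,RST
log_and_drop bad_tcp_packets "Stealth scan: " -p tcp --tcp-flags SYN,FIN SYN,FIN
/sbin/iptables -A bad_tcp_packets -p tcp -j RETURN

echo "Handling ICMP packets ..."
# Fragmented ICMP is dropped; echo-request (type 8) is silently dropped;
# time-exceeded (type 11) is accepted so traceroute/TTL diagnostics work.
# Everything else falls through to the INPUT policy (DROP, logged).
log_and_drop icmp_packets "ICMP Fragment: " --fragment -p ICMP
/sbin/iptables -A icmp_packets -p ICMP --icmp-type 8 -j DROP
/sbin/iptables -A icmp_packets -p ICMP --icmp-type 11 -j ACCEPT
/sbin/iptables -A icmp_packets -p ICMP -j RETURN

echo "Handling UDP"
# NetBIOS name/datagram service is dropped without logging (noise).
/sbin/iptables -A udp_inbound -p UDP --destination-port 137 -j DROP
/sbin/iptables -A udp_inbound -p UDP --destination-port 138 -j DROP
/sbin/iptables -A udp_inbound -p UDP --destination-port 9000:9024 -j ACCEPT
/sbin/iptables -A udp_inbound -p UDP -j RETURN
/sbin/iptables -A udp_outbound -p UDP -j ACCEPT

echo "Handling TCP"
# Inbound service ports.  The original script also accepted any TCP packet
# whose *source* port was 20 (an active-mode FTP workaround); that rule let
# a client binding source port 20 open a NEW connection to any local port,
# so it has been removed.  Active/passive FTP data connections are covered
# by the ESTABLISHED,RELATED rule in INPUT via ip_conntrack_ftp, and the
# passive range below is opened explicitly.
/sbin/iptables -A tcp_inbound -p TCP --destination-port 80 -j ACCEPT
/sbin/iptables -A tcp_inbound -p TCP --destination-port 21 -j ACCEPT
/sbin/iptables -A tcp_inbound -p TCP --destination-port 62000:64000 -j ACCEPT
/sbin/iptables -A tcp_inbound -p TCP --destination-port 22 -j ACCEPT
# 8000:8006, 8895 and 9000:9024: application ports (purpose not documented
# in this script; confirm each is still needed).
/sbin/iptables -A tcp_inbound -p TCP --destination-port 8000:8006 -j ACCEPT
/sbin/iptables -A tcp_inbound -p TCP --destination-port 8895 -j ACCEPT
/sbin/iptables -A tcp_inbound -p TCP --destination-port 9000:9024 -j ACCEPT
/sbin/iptables -A tcp_inbound -p TCP -j RETURN
/sbin/iptables -A tcp_outbound -p TCP -j ACCEPT

echo "Handling Input"
/sbin/iptables -A INPUT -p ALL -i "$LO_IFACE" -j ACCEPT
/sbin/iptables -A INPUT -p ALL -j bad_packets
/sbin/iptables -A INPUT -p ALL -d 224.0.0.1 -j DROP
# Replies to connections we opened, plus conntrack-helper RELATED flows.
/sbin/iptables -A INPUT -p ALL -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
/sbin/iptables -A INPUT -p TCP -i "$INET_IFACE" -j tcp_inbound
/sbin/iptables -A INPUT -p UDP -i "$INET_IFACE" -j udp_inbound
/sbin/iptables -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets
# /sbin/iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
# Whatever reaches here is dropped by policy; log a sample of it.
/sbin/iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-prefix "INPUT packet died: "

echo "Handling output"
/sbin/iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
/sbin/iptables -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
/sbin/iptables -A OUTPUT -p ALL -o "$LO_IFACE" -j ACCEPT
# All outbound traffic on the public interface is allowed.
/sbin/iptables -A OUTPUT -p ALL -o "$INET_IFACE" -j ACCEPT
/sbin/iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-prefix "OUTPUT packet died: "

echo " [IPtables built]"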