iptables

#!/bin/bash
 
# The outside interface, use ADSL
EXTIF="eth0"

# the inside interface
INIF="eth1"

# the inside network, This is for NAT's network
INNET="192.168.1.0/24"   

#this shell is only for kernel 2.4 2.5 2.6
kver=`uname -r | cut -c 1-3`
if [ "$kver" != "2.4" ] && [ "$kver" != "2.5" ] && [ "$kver" != "2.6" ]; then
    echo "Your Linux Kernel Version may not be suported by this script!"
    echo "This scripts will not be runing"
    exit
fi

#remove ipchain mode
ipchains=`lsmod | grep ipchains`
if [ "$ipchains" != "" ]; then
    echo "unload ipchains in your system"
    rmmod ipchains  2>/dev/null
fi

# load some modes
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH EXTIF INIF INNET
modprobe ip_tables         2>/dev/null
modprobe iptable_nat       2>/dev/null
modprobe ip_nat_ftp        2>/dev/null
modprobe ip_nat_irc        2>/dev/null
modprobe ipt_mark          2>/dev/null
modprobe ip_conntrack      2>/dev/null
modprobe ip_conntrack_ftp  2>/dev/null
modprobe ip_conntrack_irc  2>/dev/null
modprobe ipt_MASQUERADE    2>/dev/null
modprobe ip_nat_h323       2>/dev/null
modprobe ip_conntrack_h323 2>/dev/null
#modprobe ip_nat_mms        2>/dev/null
#modprobe ip_conntrack_mms  2>/dev/null
modprobe ip_nat_pptp       2>/dev/null
modprobe ip_conntrack_pptp 2>/dev/null
#modprobe ip_nat_proto_gre        2>/dev/null
#modprobe ip_conntrack_proto_gre  2>/dev/null
#modprobe ip_nat_quake3         2>/dev/null
#modprobe ip_conntrack_quake3   2>/dev/null

# clean the iptables rule
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -P INPUT   DROP
/sbin/iptables -P OUTPUT  ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -t nat -P PREROUTING  ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT      ACCEPT

#allow samba,smtp,pop3 
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m multiport --dports 1863,443,110,80,25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s $INNET --dport 139 -j ACCEPT

#allow dns
/sbin/iptables -A INPUT -i $INIF -p udp -m multiport --dports 53 -j ACCEPT

#limit dos connect 15,eles deny
/sbin/iptables -A INPUT -s $INNET -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i $EXTIF -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
/sbin/iptables -A INPUT -s $INNET -p tcp --syn -m connlimit --connlimit-above 15 -j DROP

#setup icmp limit,and recode
/sbin/iptables -A INPUT -p icmp -m limit --limit 3/s -j LOG --log-level INFO --log-prefix "ICMP packet IN: "
/sbin/iptables -A INPUT -p icmp -m limit --limit 6/m -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j DROP

#L7 layer patch filter
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto skypeout -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto skypetoskype -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto bittorrent -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto fasttrack -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto edonkey -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto kugoo -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto xunlei -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto code_red -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto kameng -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto poco -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto baiduxiaba -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto 100bao -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto socks -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto nimda -j DROP

#To prevent light weight SYN attacks
/sbin/iptables -N syn-flood
/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
/sbin/iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
/sbin/iptables -A syn-flood -j REJECT

#FORWARD chain
#/sbin/iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 8:00 --timestop 12:00 --days Sun,Mon,Tue,Wed,Thu,Fri,Sat -j DROP
#/sbin/iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 13:30 --timestop 21:00 --days Sun,Mon,Tue,Wed,Thu,Fri,Sat -j DROP
/sbin/iptables -A FORWARD -p tcp  -s $INNET -m multiport --dports 25,110,443,1863 -j ACCEPT
/sbin/iptables -A FORWARD -p udp  -s $INNET --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -p gre  -s $INNET -j ACCEPT
/sbin/iptables -A FORWARD -p icmp -s $INNET -j ACCEPT

#deny BT connect
#/sbin/iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#/sbin/iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
#/sbin/iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
#/sbin/iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP

#only allow 15 ipaddress connect to 80 port to forward at the same
/sbin/iptables -A FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 24 -j DROP

#open syncookie To prevent light weight dos attacks
sysctl -w net.ipv4.tcp_syncookies=1 2>/dev/null
 
#setup defaults tcp connect for 3800s to do nothing
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 2>/dev/null

#setup the max_number 300000 about your server'memory and the version of iptables 
sysctl -w net.ipv4.ip_conntrack_max=300000 2>/dev/null

#innernet ip forward
/sbin/iptables -A INPUT -i lo -j ACCEPT
if [ "$INIF" != "" ]; then
    /sbin/iptables -A INPUT -i $INIF -j ACCEPT
    echo "1" > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -t nat -A POSTROUTING -s $INNET -o $EXTIF -j MASQUERADE
    #/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
    /sbin/iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 192.168.1.3-192.168.1.253 --dport 80 -j REDIRECT --to-ports 3128
fi
 
#load the deny file and allow file
if [ -f /opt/iptables/iptables.deny ]; then
    sh /opt/iptables/iptables.deny
fi
if [ -f /opt/iptables/iptables.allow ]; then
    sh /opt/iptables/iptables.allow
fi
 
#limit the BW
if [ -f /opt/iptables/QoS.sh ]; then
    sh /opt/iptables/QoS.sh
fi
 
#to prevent attacks
#if [ -f /opt/httpd-err/http-netstat.sh ]; then
#    sh /opt/httpd-err/http-netstat.sh
#fi
 
#allow icmp and the package having connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP
do
    /sbin/iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
done
 
#open the port
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 21  -j ACCEPT     # FTP
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 22  -j ACCEPT     # SSH
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 25  -j ACCEPT     # SMTP
/sbin/iptables -A INPUT -p UDP -i $EXTIF --dport 53  -j ACCEPT     # DNS
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 53  -j ACCEPT
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 80  -j ACCEPT     # WWW
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 110 -j ACCEPT     # POP3
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 113 -j ACCEPT     # auth