About IT and Computers

Information Technology

Script IpTables Squid

Posted by intrik on April 26, 2007

From: Arief Yudhawarman

Script IpTables Squid

First, the layout looks like this:

        eth0                 eth1/ppp0
[ LAN ]------[ Linux BOX ]-----[modem adsl]--- adsl link --- PSTN

So eth0 is the interface for the local area network,

Here is rc.firewall:

-------- script /etc/rc.d/rc.firewall starts here ------

#!/bin/sh

PATH=/sbin:/bin:/usr/bin

INET_IFACE="ppp0"
INET_IP=`ifconfig $INET_IFACE | sed -n '/inet/s/^[ ]*inet addr:\([0-9.]*\).*/\1/p'`

LAN_IFACE="eth0"
LAN_MASK="255.255.255.0"
LAN_IP=`ifconfig $LAN_IFACE | sed -n '/inet/s/^[ ]*inet addr:\([0-9.]*\).*/\1/p'`
LAN_IP_RANGE="192.168.0.0/24"

LO_IFACE="lo"
LO_IP="127.0.0.1"

##IPTABLES="/usr/local/sbin/iptables"
IPTABLES="/sbin/iptables"

# Flush table

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# Filter table

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# bad_tcp_packets chain
#

$IPTABLES -N bad_tcp_packets
$IPTABLES -F bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
# no log
#$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
#--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -N allowed
$IPTABLES -F allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -N tcp_packets
$IPTABLES -F tcp_packets
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# ICMP rules
#

$IPTABLES -N icmp_packets
$IPTABLES -F icmp_packets
# echo reply
$IPTABLES -A icmp_packets -p icmp --icmp-type 0 -m limit --limit 1/second -j ACCEPT
# echo request
$IPTABLES -A icmp_packets -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
# destination unreachable
$IPTABLES -A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
# time exceeded
$IPTABLES -A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT

#
# WWW.INVOLUTION.COM
#

# Log Suspicious Packets
#
$IPTABLES -N CHECK_FLAGS
$IPTABLES -F CHECK_FLAGS

## NMAP FIN/URG/PSH
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
--limit 5/minute -j LOG --log-level 6 --log-prefix "NMAP-XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

## Xmas Tree
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit \
--limit 5/minute -j LOG --log-level 6 --log-prefix "Merry XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP

## Another Xmas Tree
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit \
--limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

## Null Scan (possibly)
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit \
--limit 5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP

## SYN/RST
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
--limit 5/minute -j LOG --log-level 6 --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

## SYN/FIN -- Scan (possibly)
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
--limit 5/minute -j LOG --log-level 6 --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

## Make some types of port scans annoyingly slow; this also provides some protection
## against certain DoS attacks. The rule in chain KEEP_STATE referring to the
## INVALID state should catch most TCP packets with the RST or FIN bits set that
## aren't associated with an established connection. Still, these will limit the
## amount of stuff that is accepted through our open ports (if any). I suggest you
## test these for your configuration before you uncomment them, as they could cause
## problems.
## (Note: this script defines no KEEP_STATE chain; the comment above was carried
## over from the ruleset these CHECK_FLAGS rules were taken from.)

# This chain will DROP/LOG packets based on port number

$IPTABLES -N DENY_SPORTS
$IPTABLES -F DENY_SPORTS

## Unknown virus spreading itself through ports 30128, 35959, 36088, 36215,
## 38228, 38345, 38464

for sports in 30128 35959 36088 36215 38228 38345 38464
do
$IPTABLES -A DENY_SPORTS -i $LAN_IFACE -p tcp --sport $sports -j DROP
done

$IPTABLES -N DENY_PORTS
$IPTABLES -F DENY_PORTS

## NFS, X, VNC, SMB, blah blah
$IPTABLES -A DENY_PORTS -p tcp –dport 137:139 -j DROP
# microsoft-ds
$IPTABLES -A DENY_PORTS -p tcp –dport 445 -j DROP
# NFS-or-IIS
$IPTABLES -A DENY_PORTS -p tcp –dport 1025 -j DROP
$IPTABLES -A DENY_PORTS -p tcp –sport 137:139 -j DROP

$IPTABLES -A DENY_PORTS -p tcp –dport 1433 -j DROP
$IPTABLES -A DENY_PORTS -p tcp –sport 1433 -j DROP

$IPTABLES -A DENY_PORTS -p tcp –dport 2049 -j DROP
$IPTABLES -A DENY_PORTS -p tcp –sport 2049 -j DROP

$IPTABLES -A DENY_PORTS -p tcp –dport 5432 -j DROP
$IPTABLES -A DENY_PORTS -p tcp –sport 5432 -j DROP

$IPTABLES -A DENY_PORTS -p tcp –dport 5999:6063 -j DROP
$IPTABLES -A DENY_PORTS -p tcp –sport 5999:6063 -j DROP

$IPTABLES -A DENY_PORTS -p tcp –dport 5900:5910 -j ACCEPT
$IPTABLES -A DENY_PORTS -p tcp –sport 5900:5910 -j ACCEPT

## (Possibly) Evil Stuff ##

## Possible rpc.statd exploit shell
$IPTABLES -A DENY_PORTS -p tcp –dport 9704 -j DROP
$IPTABLES -A DENY_PORTS -p tcp –dport 9704 -m limit –limit 5/minute \
-j LOG –log-level 6 –log-prefix “rpc.statd(9704) Shell:”

$IPTABLES -A DENY_PORTS -p tcp –sport 9704 -j DROP
$IPTABLES -A DENY_PORTS -p tcp –sport 9704 -m limit –limit 5/minute \
-j LOG –log-level 6 –log-prefix “rpc.statd(9704) Shell:”

## NetBus and NetBus Pro
$IPTABLES -A DENY_PORTS -p tcp –dport 20034 -j DROP
$IPTABLES -A DENY_PORTS -p tcp –dport 20034 -m limit –limit 5/minute \
-j LOG –log-level 6 –log-prefix “NetBus Pro:”
$IPTABLES -A DENY_PORTS -p tcp –dport 12345:12346 -j DROP
$IPTABLES -A DENY_PORTS -p tcp –dport 12345:12346 -m limit –limit 5/minute \
-j LOG –log-level 6 –log-prefix “NetBus:”

## Trinoo
$IPTABLES -A DENY_PORTS -p tcp –sport 27665 -j DROP
$IPTABLES -A DENY_PORTS -p tcp –dport 27665 -j DROP
$IPTABLES -A DENY_PORTS -p tcp –sport 27665 -m limit –limit 5/minute \
-j LOG –log-level 6 –log-prefix “Trinoo:”
$IPTABLES -A DENY_PORTS -p tcp –dport 27665 -m limit –limit 5/minute \
-j LOG –log-level 6 –log-prefix “Trinoo:”

$IPTABLES -A DENY_PORTS -p udp –sport 27444 -j DROP
$IPTABLES -A DENY_PORTS -p udp –dport 27444 -j DROP
$IPTABLES -A DENY_PORTS -p udp –sport 27444 -m limit –limit 5/minute \
-j LOG –log-level 6 –log-prefix “Trinoo:”
$IPTABLES -A DENY_PORTS -p udp –dport 27444 -m limit –limit 5/minute \
-j LOG –log-level 6 –log-prefix “Trinoo:”

$IPTABLES -A DENY_PORTS -p udp –sport 31335 -j DROP
$IPTABLES -A DENY_PORTS -p udp –dport 31335 -j DROP
$IPTABLES -A DENY_PORTS -p udp –sport 31335 -m limit –limit 5/minute \
-j LOG –log-level 6 –log-prefix “Trinoo:”
$IPTABLES -A DENY_PORTS -p udp –dport 31335 -m limit –limit 5/minute \
-j LOG –log-level 6 –log-prefix “Trinoo:”

## Back Orifice
$IPTABLES -A DENY_PORTS -p tcp –dport 31337 -j DROP
$IPTABLES -A DENY_PORTS -p udp –dport 31337 -j DROP

$IPTABLES -A DENY_PORTS -p tcp –sport 31337 -j DROP
$IPTABLES -A DENY_PORTS -p udp –sport 31337 -j DROP

$IPTABLES -A DENY_PORTS -p tcp –dport 31337 -m limit –limit 5/minute \
-j LOG –log-level 6 –log-prefix “BackOrifice-TCP:”
$IPTABLES -A DENY_PORTS -p udp –dport 31337 -m limit –limit 5/minute \
-j LOG –log-level 6 –log-prefix “BackOrifice-UDP:”

$IPTABLES -A DENY_PORTS -p tcp –sport 31337 -m limit –limit 5/minute \
-j LOG –log-level 6 –log-prefix “BackOrifice-TCP:”
$IPTABLES -A DENY_PORTS -p udp –sport 31337 -m limit –limit 5/minute \
-j LOG –log-level 6 –log-prefix “BackOrifice-UDP:”

## Special Chain SRC_EGRESS
## Rules to Provide Egress Filtering Based on Source IP Address.

$IPTABLES -N SRC_EGRESS
$IPTABLES -F SRC_EGRESS

## Block EGRESS traffic and worm propagation attempts
WORMPORTS=31337,33270,1234,6711,16660,60001,12345,12346,1524,27665,27444,31335,6000,6001,6002

$IPTABLES -A SRC_EGRESS -p udp -m multiport --dports $WORMPORTS -j DROP
$IPTABLES -A SRC_EGRESS -p tcp -m multiport --dports $WORMPORTS -j DROP

## Special Chain DST_EGRESS
## Rules to Provide Egress Filtering Based on Destination IP Address.

$IPTABLES -N DST_EGRESS
$IPTABLES -F DST_EGRESS

## DROP all reserved private IP addresses. Some of these may be legit
## for certain networks and configurations. For connection problems,
## traceroute is your friend.

## Class A Reserved
$IPTABLES -A DST_EGRESS -d 10.0.0.0/8 -j DROP

## Class B Reserved
$IPTABLES -A DST_EGRESS -d 172.16.0.0/12 -j DROP

## Class C Reserved
#$IPTABLES -A DST_EGRESS -d 192.168.0.0/24 -j ACCEPT

## Class D Reserved
$IPTABLES -A DST_EGRESS -d 224.0.0.0/4 -j DROP

## Class E Reserved
$IPTABLES -A DST_EGRESS -d 240.0.0.0/5 -j DROP

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

# http://www.involution.com
$IPTABLES -A INPUT -p tcp -j CHECK_FLAGS
#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p ICMP -i $LAN_IFACE -s $LAN_IP_RANGE -j icmp_packets
# limit each client address to 20 concurrent connections to the Squid port
$IPTABLES -A INPUT -p TCP --syn --dport 8080 -m connlimit --connlimit-above 20 -j DROP
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT

#
# Rules for incoming packets from the internet.
#

# only accept established & related traffic from the internet
# (plus ident on port 113, handled by the tcp_packets chain)
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

#no log please
#$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
#--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
$IPTABLES -A FORWARD -p tcp -j CHECK_FLAGS
$IPTABLES -A FORWARD -p tcp -j DENY_PORTS
$IPTABLES -A FORWARD -p tcp -j DENY_SPORTS
$IPTABLES -A FORWARD -p udp -j DENY_PORTS
# Block faked or spoofed packets from getting through the firewall
$IPTABLES -A FORWARD -i $LAN_IFACE ! -s $LAN_IP_RANGE -j DROP
$IPTABLES -A FORWARD -p all -j SRC_EGRESS
$IPTABLES -A FORWARD -p all -j DST_EGRESS

#
# Accept the packets we actually want to forward
#

# telnet out of the LAN is blocked
$IPTABLES -A FORWARD -i $LAN_IFACE -m tcp -p tcp --dport 23 -j DROP
# outbound smtp is blocked, to stop mass-mailing viruses
$IPTABLES -A FORWARD -i $LAN_IFACE -m tcp -p tcp --dport 25 -j DROP
$IPTABLES -A FORWARD -p TCP -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $LAN_IFACE -j DROP
$IPTABLES -A FORWARD -p UDP -i $LAN_IFACE -j DROP
#$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Special OUTPUT rules to decide which IPs to allow.
#
# the squid redirect caused problems when the computer reboots/shuts down,
# so loopback traffic is always accepted

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -d $LO_IP -j ACCEPT

#
# Bad TCP packets we don’t want.
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

# 4.2 nat table
#
# PREROUTING chain
#

$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -s $LAN_IP_RANGE -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $INET_IFACE -j SNAT --to-source $INET_IP

-------- script /etc/rc.d/rc.firewall ends here ------

Has this been run as well?

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
