04-10-2018
Quote:
Originally Posted by
stomp
This way too, you disabled your firewall functionality completely.
---
The first 3 rules of INPUT Chain seem defective. They have no effect and there must be some error in the rules so that the rules show up like this.
Whoops!
I'll fix it now.
---------- Post updated at 01:42 PM ---------- Previous update was at 01:40 PM ----------
This is the script now.
I'm testing it.
Code:
#!/bin/sh
# A simple script firewall.
# Enable IP forwarding. Only needed if this host routes packets for other
# machines; the nat REDIRECT rules below work without it.
echo 1 > /proc/sys/net/ipv4/ip_forward

firewall_start() {
    # Clean: flush rules, delete user-defined chains and zero counters
    # in the filter, nat and mangle tables
    iptables -F
    iptables -X
    iptables -Z
    iptables -t nat -F
    iptables -t nat -X
    iptables -t nat -Z
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t mangle -Z

    # Default policy (left unchanged; the final REJECT rules below act as
    # the catch-all). PREROUTING and POSTROUTING exist only in the nat and
    # mangle tables, so they cannot be given a filter-table policy.
    #iptables -P INPUT ACCEPT
    #iptables -P OUTPUT ACCEPT
    #iptables -P FORWARD ACCEPT

    # Firewall rules INPUT
    # Conntrack first: replies to our own connections skip the port list
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    # X11 (LAN only)
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 6000 -j ACCEPT
    # Vdr
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 3000 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 2000 -j ACCEPT
    # Samba
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 137 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 137 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 138 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 138 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 139 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 139 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 445 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 445 -j ACCEPT
    # Amule
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 65529 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 65530 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 65533 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 65529 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 65533 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 65530 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 4711:4712 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 4711:4712 -j ACCEPT
    # Mail
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 25 -j ACCEPT
    # Print
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 631 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 631 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 515 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 515 -j ACCEPT
    # Nfs
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 111 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 111 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 662 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 662 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 2049 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 2049 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 4001 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 4001 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 32768 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 32768 -j ACCEPT
    # Ssh (listening on 2122; port 22 is redirected to it below)
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 2122 -j ACCEPT
    # Ftp (outgoing control/data connections and their replies)
    iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --sport 2121 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 2121 -m state --state NEW,ESTABLISHED -j ACCEPT
    # Passive FTP data range (LAN only)
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 60000:65535 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 60000:65535 -j ACCEPT
    # Secure telnet
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 5859 -j ACCEPT
    # Ktorrent
    iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 54233:54234 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 54233:54234 -j ACCEPT

    # Firewall rules NAT/OUTPUT: move ftp and ssh to their real listening ports
    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 21 -j REDIRECT --to-ports 2121
    iptables -t nat -A OUTPUT -s 192.168.0.0/24 -p tcp -o lo --dport 21 -j REDIRECT --to-ports 2121
    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 22 -j REDIRECT --to-ports 2122
    iptables -t nat -A OUTPUT -s 192.168.0.0/24 -p tcp -o lo --dport 22 -j REDIRECT --to-ports 2122

    # Icmp: echo replies only; incoming echo requests hit the final REJECT
    iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT

    # Log (uncomment to log what reaches the final rules)
    #iptables -A INPUT -j LOG
    #iptables -A FORWARD -j LOG

    # Final rules: everything not accepted above is rejected
    iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
    iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}

firewall_stop() {
    # Clean: flush everything, leaving only the chain policies
    iptables -F
    iptables -X
    iptables -Z
    iptables -t nat -F
    iptables -t nat -X
    iptables -t nat -Z
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t mangle -Z
}

firewall_restart() {
    firewall_stop
    firewall_start
}

case "$1" in
    'start')
        firewall_start
        ;;
    'stop')
        firewall_stop
        ;;
    'restart')
        firewall_restart
        ;;
    *)
        echo "usage: $0 start|stop|restart" >&2
        exit 1
        ;;
esac
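stomp's objection above (rules in the INPUT chain that "have no effect") is the kind of thing that is easier to catch mechanically than by eye. The following is an added example, not code from this thread: a small Python lint that reads INPUT-chain rules in the syntax `iptables -S INPUT` prints and flags rules that can never match (anything after an unconditional REJECT/DROP/ACCEPT), a chain whose policy is ACCEPT with no catch-all rule (the "firewall disabled" case), ACCEPT rules for a service port with no source or interface restriction, and a conntrack rule that is not near the top. The sample dump is constructed to resemble the script above with two defects planted in it; the `Rule`, `parse`, `lint` and `lint_dump` names are this example's own.

```python
"""Static lint for an INPUT chain in iptables -S (iptables-save) syntax.

Added example for the thread; assumes rules are supplied as the lines
`iptables -S INPUT` prints, with the chain policy given as a `-P` line.
"""
import shlex
from dataclasses import dataclass, field

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Options that take exactly one argument in the subset of syntax we parse.
ONE_ARG = {"-A", "-P", "-s", "-d", "-i", "-o", "-p", "-m", "-j",
           "--dport", "--sport", "--state", "--ctstate", "--icmp-type",
           "--reject-with", "--to-ports"}


@dataclass
class Rule:
    chain: str
    opts: dict = field(default_factory=dict)
    raw: str = ""

    @property
    def target(self):
        return self.opts.get("-j")

    @property
    def has_match(self):
        """True if anything besides chain and target narrows what the rule hits."""
        return any(k not in ("-A", "-j", "--reject-with") for k in self.opts)


def parse(lines):
    """Return ({chain: policy}, [Rule, ...]) from iptables -S style lines."""
    policies, rules = {}, []
    for raw in lines:
        toks = shlex.split(raw)
        if not toks:
            continue
        if toks[0] == "-P":                 # -P CHAIN POLICY
            policies[toks[1]] = toks[2]
            continue
        if toks[0] != "-A":                 # -N and friends carry no rule
            continue
        opts, i, neg = {}, 0, False
        while i < len(toks):
            tok = toks[i]
            if tok == "!":                  # negation applies to the next option
                neg, i = True, i + 1
                continue
            key = ("!" if neg else "") + tok
            if tok in ONE_ARG:
                opts[key] = toks[i + 1]
                i += 2
            else:
                opts[key] = True            # argument-less flag such as --syn
                i += 1
            neg = False
        rules.append(Rule(chain=opts["-A"], opts=opts, raw=raw.strip()))
    return policies, rules


def lint(policies, rules, chain="INPUT"):
    """Return a list of (kind, detail) findings for one chain."""
    findings = []
    chain_rules = [r for r in rules if r.chain == chain]
    # 1. A catch-all terminating rule ends evaluation; everything after it is dead.
    for idx, r in enumerate(chain_rules):
        if r.target in TERMINATING and not r.has_match:
            findings.extend(("unreachable", dead.raw) for dead in chain_rules[idx + 1:])
            break
    # 2. No catch-all plus policy ACCEPT means the chain filters nothing at all.
    catch_all = any(r.target in TERMINATING and not r.has_match for r in chain_rules)
    if not catch_all and policies.get(chain, "ACCEPT") == "ACCEPT":
        findings.append(("open-chain", f"{chain} policy ACCEPT with no final REJECT/DROP"))
    # 3. A service port accepted without -s or -i is reachable from every network.
    for r in chain_rules:
        if r.target == "ACCEPT" and "--dport" in r.opts \
                and "-s" not in r.opts and "-i" not in r.opts:
            findings.append(("unrestricted-accept", r.raw))
    # 4. The conntrack accept belongs at the top so established flows skip the port list.
    for idx, r in enumerate(chain_rules):
        state = r.opts.get("--state") or r.opts.get("--ctstate") or ""
        if "ESTABLISHED" in state and r.target == "ACCEPT":
            if idx > 1:
                findings.append(("late-conntrack", f"rule {idx + 1}: {r.raw}"))
            break
    return findings


def lint_dump(lines, chain="INPUT"):
    return lint(*parse(lines), chain=chain)


# Constructed sample in iptables -S form, modelled on the script in this thread,
# with two planted defects: an unrestricted 445 rule and a rule after the REJECT.
SAMPLE_DUMP = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 6000 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 2122 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 631 -j ACCEPT
""".splitlines()

if __name__ == "__main__":
    for kind, detail in lint_dump(SAMPLE_DUMP):
        print(f"{kind:20} {detail}")
```

Run against a live box with `iptables -S INPUT | python3 lint_input.py` style piping after swapping `SAMPLE_DUMP` for `sys.stdin`; the parser only understands the option subset listed in `ONE_ARG`, so extend that set before trusting it on rules that use other matches.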