Firewall Installation Script for CentOS


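#!/bin/bash
#
# Firewall installation script for CentOS.
#
# Hardens the net.ipv4 / kernel sysctl tunables, then installs a default-deny
# iptables filter policy: loopback is open, SSH is accepted on eth1, HTTP and
# HTTPS on eth0, established/related return traffic is allowed, common scan
# and malformed-flag packets are dropped (some of them logged with a rate
# limit), and everything else is logged and dropped. Addresses listed one per
# line in /etc/evil_ip_list are logged and dropped in a dedicated chain.
#
# Usage: run as root with no arguments. The script fails closed: any iptables
# command that fails aborts the run with the DROP policies already in place,
# and the ERR trap reports which line failed.
set -Eeuo pipefail
trap 'printf "firewall: command failed at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

# Variables & paths
readonly ipt="/sbin/iptables"
readonly spammers="blockedip"          # user-defined chain holding the block list
readonly message="dropped ip"          # log prefix for packets from listed addresses
readonly evil_ip_list="/etc/evil_ip_list"

#######################################
# Apply the net.ipv4 / kernel tunables.
# A tunable the running kernel does not expose (kernel.exec-shield is
# CentOS/RHEL specific) is reported and skipped instead of aborting the
# firewall setup.
# Outputs: progress messages to stdout, warnings to stderr
#######################################
tune_sysctl() {
  local setting
  local -a settings=(
    net.ipv4.conf.all.rp_filter=1
    net.ipv4.conf.default.rp_filter=1
    net.ipv4.conf.all.accept_source_route=0
    net.ipv4.conf.all.send_redirects=0
    net.ipv4.conf.default.send_redirects=0
    net.ipv4.conf.all.accept_redirects=0
    net.ipv4.conf.all.secure_redirects=0
    net.ipv4.conf.all.log_martians=1   # log spoofed, source-routed and redirect packets
    net.ipv4.ip_forward=0              # this host does not route
    net.ipv4.conf.default.accept_source_route=0
    net.ipv4.conf.default.accept_redirects=0
    net.ipv4.conf.default.secure_redirects=0
    net.ipv4.tcp_syncookies=1
    kernel.exec-shield=1
    kernel.randomize_va_space=1
  )
  printf '%s\n' "net.ipv4 tuneables"
  for setting in "${settings[@]}"; do
    sysctl "$setting" || printf 'warning: could not apply %s\n' "$setting" >&2
  done
  printf '%s\n' "done net.ipv4"
}

#######################################
# Start from an empty filter table.
# Flush before deleting: iptables refuses to delete a user-defined chain that
# still holds rules or is referenced from another chain, so -X must follow -F.
#######################################
reset_filter() {
  "$ipt" -F
  "$ipt" -X
  # Load the connection-tracking module; the -m state rules below need it.
  # Failure is only a warning because -m state loads the module on demand.
  modprobe ip_conntrack || printf 'warning: modprobe ip_conntrack failed\n' >&2
}

#######################################
# Open loopback and set the default-deny policies.
#######################################
base_policy() {
  "$ipt" -A INPUT -i lo -j ACCEPT
  "$ipt" -A OUTPUT -o lo -j ACCEPT
  # DROP all traffic unless a later rule accepts it.
  "$ipt" -P INPUT DROP
  "$ipt" -P OUTPUT DROP
  "$ipt" -P FORWARD DROP
}

#######################################
# Log and drop every address listed in $evil_ip_list.
# The file holds one address per line; blank lines and lines starting with
# '#' are ignored. Entries are passed to iptables as arguments only, never
# evaluated by the shell, so a malformed line makes iptables fail (and the
# script abort) rather than executing anything.
# Note: the chain is hooked into INPUT, OUTPUT and FORWARD but matches on
# the source address only, so it does not stop outbound traffic *to* a
# listed address.
#######################################
block_listed_ips() {
  local bad_ip
  if [[ ! -s "$evil_ip_list" ]]; then
    printf '%s\n' "no IP's to block"
    return 0
  fi
  "$ipt" -N "$spammers"   # create the block chain
  while IFS= read -r bad_ip || [[ -n "$bad_ip" ]]; do
    if [[ -z "$bad_ip" || "$bad_ip" == \#* ]]; then
      continue
    fi
    "$ipt" -A "$spammers" -s "$bad_ip" -j LOG --log-prefix "$message "
    "$ipt" -A "$spammers" -s "$bad_ip" -j DROP
  done < "$evil_ip_list"
  # Solidify chain name: evaluate the block chain before anything else.
  "$ipt" -I INPUT -j "$spammers"
  "$ipt" -I OUTPUT -j "$spammers"
  "$ipt" -I FORWARD -j "$spammers"
}

#######################################
# Accept the services this host offers.
#######################################
service_rules() {
  # Allow SSH only from the local network. This trusts everything that
  # arrives on eth1; add a -s <local subnet> match if eth1 is not a private
  # segment.
  "$ipt" -A INPUT -i eth1 -p tcp --destination-port 22 -j ACCEPT
  # Open web ports
  "$ipt" -A INPUT -i eth0 -p tcp --destination-port 80 -j ACCEPT
  "$ipt" -A INPUT -i eth0 -p tcp --destination-port 443 -j ACCEPT
}

#######################################
# Drop scan-type, malformed-flag, out-of-state and fragmented packets.
# Every LOG rule here is rate limited so a flood cannot fill the log.
#######################################
scan_rules() {
  # Drop scan type packets
  "$ipt" -A INPUT -i eth0 -p tcp --tcp-flags FIN,ACK FIN \
    -m limit --limit 10/m --limit-burst 8 -j LOG --log-level 4 --log-prefix "FIN Packet Scan"
  "$ipt" -A INPUT -i eth0 -p tcp --tcp-flags FIN,ACK FIN -j DROP
  "$ipt" -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

  # General blocks
  "$ipt" -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
  "$ipt" -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  "$ipt" -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  "$ipt" -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP   # drop NULL packets

  # SYN+FIN set together (XMAS-style) packets
  "$ipt" -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN \
    -m limit --limit 10/m --limit-burst 8 -j LOG --log-level 4 --log-prefix "XMAS Packets"
  "$ipt" -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

  # Block NEW connections that do not start with SYN, and fragmented packets
  "$ipt" -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW \
    -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
  "$ipt" -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
  "$ipt" -A INPUT -i eth0 -f \
    -m limit --limit 10/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragmented Packets"
  "$ipt" -A INPUT -i eth0 -f -j DROP
}

#######################################
# Allow full outgoing traffic on eth0 and return traffic for accepted flows.
#######################################
state_rules() {
  "$ipt" -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$ipt" -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # The OUTPUT policy is DROP and only eth0 is opened above, so without this
  # rule the replies of the SSH sessions accepted on eth1 are discarded.
  "$ipt" -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

#######################################
# Log (rate limited, like the LOG rules above) and drop whatever is left.
#######################################
final_log_and_drop() {
  "$ipt" -A INPUT -m limit --limit 10/m --limit-burst 8 -j LOG
  "$ipt" -A FORWARD -m limit --limit 10/m --limit-burst 8 -j LOG
  "$ipt" -A INPUT -j DROP
}

main() {
  tune_sysctl
  reset_filter
  base_policy
  block_listed_ips
  service_rules
  scan_rules
  state_rules
  final_log_and_drop
}

main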
