
October 7, 2010

ZAiB Secure Firewall & DHCP Process for personal reference


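#!/bin/sh
# ZAiB secure firewall.
#
# Flushes every iptables table, then installs a default-deny INPUT/FORWARD
# policy that admits loopback, the WAN interface (eth2), the DHCP exchange
# with $DHCP_SERVER, DNS to 10.0.0.1, and otherwise only traffic that was
# marked in mangle/PREROUTING because its source IP + MAC pair is listed
# in the host file named by FINAL_FILE=... in ./path.
#
# Requires root and /sbin/iptables with the mac, mark, state, limit and
# length match extensions. Diagnostics go to stderr.
set -u

echo "Starting ZAIB's Secure Firewall . . ."
#set -x
IPT="/sbin/iptables"
DHCP_SERVER="10.0.8.1"
LOOPBACK="lo"
# ./path holds a line of the form FINAL_FILE=<host list>; the host list
# has one "<MAC> <IP>" pair per line.
FILE=$(awk -F= '/FINAL_FILE/ {print $2}' path)

# Refuse to touch the ruleset if the host list is unusable: with an empty
# list every LAN host would end up unmarked and dropped.
if [ -z "$FILE" ] || [ ! -r "$FILE" ]; then
  echo "Cannot read host list '$FILE' (FINAL_FILE in ./path); firewall left unchanged" >&2
  exit 1
fi

# Fail closed: set INPUT/FORWARD to DROP *before* flushing, so there is no
# window in which the chains are empty under an ACCEPT policy. The final
# state is the same as setting them at the end.
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT ACCEPT

"$IPT" -F
"$IPT" -X
"$IPT" -t nat -F
"$IPT" -t nat -X
"$IPT" -t mangle -F
"$IPT" -t mangle -X

# ALLOW LOOPBACK
"$IPT" -A INPUT -i "$LOOPBACK" -j ACCEPT
"$IPT" -A OUTPUT -o "$LOOPBACK" -j ACCEPT

# ALLOW WAN (eth2)
# NOTE(review): this accepts *all* inbound and forwarded traffic arriving on
# eth2 ahead of the mark filter below, so the MAC/IP host list does not
# apply to eth2 at all — confirm that is intended for the WAN side.
"$IPT" -A INPUT -i eth2 -j ACCEPT
"$IPT" -A FORWARD -i eth2 -j ACCEPT

# ALLOW PPTPD (TEST FLIGHT) — disabled
#"$IPT" -I INPUT -p tcp --dport 1723 -j ACCEPT
#"$IPT" -I OUTPUT -p tcp --dport 1723 -j ACCEPT
#"$IPT" -I INPUT -p 47 -j ACCEPT
#"$IPT" -I OUTPUT -p 47 -j ACCEPT
#"$IPT" -A INPUT -i ppp+ -p all -s 0/0 -d 0/0 -j ACCEPT
#"$IPT" -A FORWARD -i ppp+ -p all -s 0/0 -d 0/0 -j ACCEPT

# ALLOW DHCP (server offers to broadcast, client requests back to server)
"$IPT" -A INPUT -p udp -s "$DHCP_SERVER" --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
"$IPT" -A OUTPUT -p udp -s 255.255.255.255 --sport 68 -d "$DHCP_SERVER" --dport 67 -j ACCEPT

# DANGER PORTS WILL BE DROPPED (telnet, NTP, RPC endpoint mapper, NetBIOS)
for i in 23 123 135 137 138; do
  "$IPT" -A INPUT -p tcp -s 0/0 -d 0/0 --dport "$i" -j DROP
  "$IPT" -A FORWARD -p tcp -s 0/0 -d 0/0 --dport "$i" -j DROP
  "$IPT" -A INPUT -p udp -s 0/0 -d 0/0 --dport "$i" -j DROP
  "$IPT" -A FORWARD -p udp -s 0/0 -d 0/0 --dport "$i" -j DROP
done

# ICMP REPLY LIMITING: large echo-requests (100-65500 bytes) beyond 60/s are
# dropped; those within the rate RETURN and fall through to the rules below.
# "-m limit" matches the packets *within* the rate, so a single
# "-m limit --limit 60/s -j DROP" rule would do the opposite of what the
# comment says: drop the first 60/s and let the excess through. INPUT and
# FORWARD share one rate bucket via this chain.
"$IPT" -N ICMP_LIMIT
"$IPT" -A ICMP_LIMIT -m limit --limit 60/s -j RETURN
"$IPT" -A ICMP_LIMIT -j DROP
"$IPT" -A INPUT -p icmp -m icmp --icmp-type echo-request -m length --length 100:65500 -j ICMP_LIMIT
"$IPT" -A FORWARD -p icmp -m icmp --icmp-type echo-request -m length --length 100:65500 -j ICMP_LIMIT

# Mark traffic from each authorised host so the mark filter below admits it.
# Host list format: "<MAC> <IP>" per line; blank and '#' lines are ignored,
# extra fields are discarded. The "|| [ -n ... ]" also processes a last line
# that lacks a trailing newline.
while read -r MAC IP rest || [ -n "$MAC" ]; do
  case "$MAC" in
    ''|'#'*) continue ;;
  esac
  if [ -z "$IP" ]; then
    echo "Skipping host list line with no IP: '$MAC'" >&2
    continue
  fi
  #arp -i br0 -s "$IP" "$MAC"
  #arp -i eth0 -s "$IP" "$MAC"
  #arp -i eth1 -s "$IP" "$MAC"
  "$IPT" -t mangle -A PREROUTING -s "$IP" -m mac --mac-source "$MAC" -j MARK --set-mark 1
done < "$FILE"

# SECURENAT SCRIPT START
"$IPT" -A FORWARD -m state --state NEW -p tcp \
  -d 10.0.0.1 --dport 53 -j ACCEPT
"$IPT" -A FORWARD -p udp -d 10.0.0.1 --dport 53 -j ACCEPT
"$IPT" -A FORWARD -p udp -d 10.0.0.1 --sport 53 -j ACCEPT
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): every NEW forwarded connection entering on eth0 is accepted
# here, before the mark check below, so the MAC/IP host list is bypassed for
# eth0 — confirm eth0 is the trusted side and not the client LAN.
"$IPT" -A FORWARD -m state --state NEW -i eth0 -j ACCEPT

#Allow WAN Interface for web site hosting — disabled
#for i in 80 10000 1234; do
#"$IPT" -A INPUT -p tcp -i eth2 --dport "$i" -j ACCEPT
#"$IPT" -A FORWARD -p tcp -i eth2 --dport "$i" -j ACCEPT
#done

# Only marked packets (authorised MAC/IP pairs) may pass; everything else
# that reached this point is dropped explicitly, matching the DROP policy.
"$IPT" -A INPUT -m mark --mark 1 -j ACCEPT
"$IPT" -A FORWARD -m mark --mark 1 -j ACCEPT
"$IPT" -A INPUT -m mark ! --mark 1 -j DROP
"$IPT" -A FORWARD -m mark ! --mark 1 -j DROP

echo "ZAiB Secure Firewall & DHCP Process Complete."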
