Jumat, 18 April 2008

Script Firewall Sederhana dengan IPTABLES

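#!/bin/bash
# Simple firewall for an internet-cafe (warnet) NAT gateway.
#
# Principle: block everything, then open services one at a time
# (and do not open anything you do not actually need).
#
# Topology assumed by this script -- check it before running:
#   WAN_IF  : interface towards the ISP, carries the public address
#   LAN_IF  : interface towards the workstations
#   LAN_NET : the workstation subnet
#
# Fail-closed design: the INPUT/FORWARD policies are set to DROP *before*
# any rule is added and every iptables call is fatal (set -e), so a run
# that dies half-way leaves the box closed, not open.  An existing SSH
# session survives because the ESTABLISHED rule is the first one added.
#
# Only IPv4 is filtered.  If this host ever gets IPv6 connectivity,
# ip6tables needs an equivalent policy or that traffic is unfiltered.
set -eu

#--- site settings -----------------------------------------------------
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24
PUBLIC_IP=202.xxx.xxx.xxx    # public address used for SNAT
ISP_MONITOR=202.xxx.xxx.xxx  # ISP host allowed to SNMP-poll and ping us
IRC_SRC_IP=202.xxx.xxx.xxx   # separate address for IRC, so an IRC
                             # akill/k-line only burns this one IP
SSH_ADMIN=202.69.97.241      # the only public address allowed to ssh in
PROXY_PORT=3128              # squid; also the transparent-proxy target

die() { printf 'firewall: %s\n' "$*" >&2; exit 1; }

[ "$(id -u)" -eq 0 ] || die "must run as root"
# Refuse to run while the placeholders are still in place.  Otherwise the
# flush succeeds and the SNAT rule fails, leaving the LAN without NAT.
case "$PUBLIC_IP$ISP_MONITOR$IRC_SRC_IP" in
  *xxx*) die "replace the 202.xxx.xxx.xxx placeholders first" ;;
esac

#--- kernel knobs -----------------------------------------------------
# Nothing is forwarded unless ip_forward is on.  rp_filter drops packets
# whose source address is not routable back through the interface they
# arrived on -- cheap anti-spoofing on both sides.  Written per interface
# because older kernels ignore conf/all on its own.
sysctl -q -w net.ipv4.ip_forward=1
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done

#--- clear tables, then fail closed -----------------------------------
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
# Default-deny from this point on; the rules below open what is needed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# INPUT -- traffic addressed to the gateway itself
#-----------------------------------------------------------------------

# Loopback: match on the interface, not on 127.0.0.1/127.0.0.1, so local
# clients that talk to the box's own LAN or WAN address keep working.
# A 127/8 source on any other interface is spoofed.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

# Replies to connections this box opened, plus ICMP errors tied to them
# (PMTU discovery, port unreachable).  This replaces the old
# "-p tcp ! --syn -j ACCEPT" rule, which let *any* non-SYN TCP segment
# in from anywhere and so bypassed every source restriction below.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Anti-spoofing: our own LAN prefix never arrives on the WAN side.
iptables -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP

#--- proxy (squid), LAN only.  Squid listens on TCP; udp/3128 is unused
#    (ICP would be udp/3130), so there is no UDP rule.
iptables -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport "$PROXY_PORT" -j ACCEPT

#--- snmp, only from the ISP monitoring host (161 agent, 162 traps)
iptables -A INPUT -p udp -s "$ISP_MONITOR" --dport 161:162 -j ACCEPT

#--- ping, only from the ISP monitoring host.  Echo requests only; the
#    ICMP that matters otherwise (errors) is covered by RELATED above.
iptables -A INPUT -p icmp --icmp-type echo-request -s "$ISP_MONITOR" -j ACCEPT

#--- ssh: one public admin address plus the LAN
iptables -A INPUT -p tcp -s "$SSH_ADMIN" --dport 22 -j ACCEPT
iptables -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 22 -j ACCEPT

#--- dns resolver for the LAN.  The old "--sport 53 -j ACCEPT" accepted any
#    UDP datagram whose *source* port was 53, a trivial bypass of every
#    other rule; replies are now handled by the ESTABLISHED rule.  Limiting
#    --dport 53 to the LAN also keeps this box from being an open resolver
#    usable for DNS amplification.  TCP 53 is needed for large answers.
iptables -A INPUT -i "$LAN_IF" -p udp -s "$LAN_NET" --dport 53 -j ACCEPT
iptables -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 53 -j ACCEPT

#--- portmapper (sunrpc, tcp/111).  The original labelled this "ident"
#    (ident is tcp/113) and opened it to the whole Internet; rpcbind has
#    no business being reachable from the WAN.  LAN only -- and delete it
#    if nothing on this box (NFS, NIS) needs it.
iptables -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 111 -j ACCEPT

#--- traceroute (disabled)
#iptables -A INPUT -p udp --dport 33434:33524 -j ACCEPT

#--- ftp (disabled).  If enabled, load nf_conntrack_ftp so the data
#    connection is matched as RELATED instead of opening port 20 wide.
#iptables -A INPUT -p tcp --dport 21 -j ACCEPT

#--- default: log a little before the DROP policy applies.  Rate limited
#    so a port scan cannot fill the disk.
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level info --log-prefix "fw-input-drop: "

# FORWARD -- traffic routed between LAN and WAN
#-----------------------------------------------------------------------

iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

# Anti-spoofing on the forward path as well.
iptables -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

#--- netbios / rpc / smb: worm traffic, blocked in both directions
for port in 135 137 138 139 445; do
  iptables -A FORWARD -p tcp --dport "$port" -j DROP
  iptables -A FORWARD -p udp --dport "$port" -j DROP
done

#--- optional: keep the LAN from reaching other private ranges through us
#    (must stay above the ACCEPT below to have any effect)
#iptables -A FORWARD -d 10.0.0.0/8 -j DROP
#iptables -A FORWARD -d 172.16.0.0/12 -j DROP
#iptables -A FORWARD -d 192.168.0.0/16 -j DROP

#--- permit local: new connections only from the LAN, out the WAN.  The
#    old pair ("-s LAN ACCEPT" and "-d LAN ACCEPT") also forwarded
#    unsolicited inbound packets addressed to the LAN; return traffic is
#    now covered by ESTABLISHED,RELATED, so the "-d" rule is gone.
iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

iptables -A FORWARD -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level info --log-prefix "fw-forward-drop: "

# NAT -- LAN behind the public address
#-----------------------------------------------------------------------

# IRC (6000-7000) leaves from its own address so an IRC-network akill
# hits only that IP, not the address every other service uses.  Must
# come before the catch-all SNAT: first match wins in the nat table.
iptables -t nat -A POSTROUTING -o "$WAN_IF" -p tcp -s "$LAN_NET" \
  --dport 6000:7000 -j SNAT --to-source "$IRC_SRC_IP"

# Everything else from the LAN.  SNAT assumes a static public address;
# switch to "-j MASQUERADE" if the WAN address is dynamic.
iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
  -j SNAT --to-source "$PUBLIC_IP"

# TRANSPARENT PROXY: LAN web traffic is diverted to squid.  Because the
# redirect happens in PREROUTING, those packets then go through INPUT
# (the proxy rule above), not FORWARD.
iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$LAN_NET" \
  --dport 80 -j REDIRECT --to-port "$PROXY_PORT"

# END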


mantabs neh, btw ada script php untuk ngejalanin perintah ini gk?? klo ada ane minta gan.,