Main > Free Download Search >

Free firewall script software for linux

firewall script

Sponsored Links
Sponsored Links
All software
Freeware
Trial / Shareware
Business / Commercial
Sort by >> Relevance Date Popularity Rating
rss
Secleted [ 0 ] software to compare
Results 1 - 15 of about 4172
IPv6 FireWall script

IPv6 FireWall script


IPv6 FireWall script is a firewall based on ip6tables. more>>
IPv6 FireWall script is a firewall based on ip6tables.

firewall6.sh 122 lines

#!/bin/bash

# Basic IPv6 FireWall script by Dennis Kruyt (dennis@klingon.nl)
#
# Sun Jan 5 18:26:28 2003 - DK

#debug
#set -x

cd /opt/scripts/firewall

source ./config6
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11

# change to script directory
cd ${SCRIPTSDIR}

SCRIPT=${SCRIPTSDIR}/firewall6.sh

case "$1" in
flush)
echo -e "Starting Firewall:"
${IPTABLE6} -F >> /dev/null 2>&1
${IPTABLE6} -X >> /dev/null 2>&1
echo -e "Setting defaults op ACCEPT!"
echo -e "ALERT: no firewall rules active"
#
${IPTABLE6} -P INPUT ACCEPT
${IPTABLE6} -P OUTPUT ACCEPT
${IPTABLE6} -P FORWARD ACCEPT
;;
start|reload)
echo -n "Starting Firewall: "
# paging!
#

# create a backup
TIME=`date +%s`
tar -czf /opt/backups/firewall/firewall.${TIME}.tar.gz /opt/scripts/firewall

# sending mail
mail email@address.com -s "Firewall - (re)started" < $0

# wait
sleep 1

# kerneloptions
echo -n "Loading Kernel options.."
./kernel_options6.sh

echo -n "Flushing and deleting all chains.."
${IPTABLE6} -F >> /dev/null 2>&1
${IPTABLE6} -X >> /dev/null 2>&1

# default policy
echo -n "Setting default policy DROP.."
${IPTABLE6} -P INPUT DROP
${IPTABLE6} -P OUTPUT DROP
${IPTABLE6} -P FORWARD DROP

# ?????????????
#${IPTABLE} -F -t mangle
#${IPTABLE} -t mangle -X

echo -e "Loading chains.."
# create chain blacklist
${IPTABLE6} --new blacklist
#And drop the evil ones
for i in $BLACKLIST6;do
${IPTABLE6} -A blacklist --src $i -j DROP
done

#icmp chain
${IPTABLE6} --new icmprules
${IPTABLE6} -A icmprules -p icmpv6 -j ACCEPT

# create out chain
${IPTABLE6} --new out
#localhost to localhost
${IPTABLE6} -A out --src $LOCALHOST6 --dst $LOCALHOST6 -j ACCEPT
# for now accept all outgoing IPv6 traffic
${IPTABLE6} -A out --src $SIXXS --dst $ANY6 -j ACCEPT

# create in chain
${IPTABLE6} --new in
#localhost to localhost
${IPTABLE6} -A in --src $LOCALHOST6 --dst $LOCALHOST6 -j ACCEPT
# for now accept all incomming IPv6 traffic
${IPTABLE6} -A in --dst $SIXXS --src $ANY6 -j ACCEPT

#All that are in trusted may ssh
for i in $THRUSTED6;do
${IPTABLE6} -A in -p tcp --dst $SIXXS --dport 22 --src $i -j ACCEPT
done

# jump to all ipv6 chains
${IPTABLE6} -A INPUT -j blacklist
${IPTABLE6} -A OUTPUT -j blacklist
${IPTABLE6} -A FORWARD -j blacklist

${IPTABLE6} -A INPUT -j icmprules
${IPTABLE6} -A OUTPUT -j icmprules

${IPTABLE6} -A INPUT -j in
${IPTABLE6} -A OUTPUT -j out

;;
show)
echo -e "Rules in the firewall: ${CHAIN} n"
${IPTABLE6} -L -n
;;
*)
echo -e "Usage: ${SCRIPT} {flush|start|reload|show} n"
exit 1
;;
esac
exit 0

config6 12 lines

export IPTABLE6=/sbin/ip6tables

export SCRIPTSDIR=/opt/scripts/firewall

export EXT="eth0" # device
export SIXXS="3ffe:8114:1000::50f/127" # extern

export ANY6="::/0"
export LOCALHOST6="::1/128"

export THRUSTED6=""

export BLACKLIST6="3ffe:8114:2fff:1391::1"

kernel_options6.sh 7 lines

#!/bin/bash


# forwarding on
#echo "1" > /proc/sys/net/ipv6 blablabla

# Set some other IPv6 proc settings
#echo "1" > /proc/sys/net/ipv6 blablabla
<<less
Download (0.002MB)
Added: 2007-02-13 License: GPL (GNU General Public License) Price:
994 downloads
UTIN Firewall script

UTIN Firewall script


UTIN Firewall script project is a script for Linux 2.4.x and iptables. more>>
UTIN Firewall script project is a script for Linux 2.4.x and iptables.

###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.

#
# your LANs IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# INET_IP is used by me to allow myself to do anything to myself, might
# be a security risc but sometimes I want this. If you dont have a static
# IP, I suggest not using this option at all for now but its still
# enabled per default and will add some really nifty security bugs for all
# those who skips reading the documentation=)

LAN_IP="192.168.0.2"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"

LO_IFACE="lo"
LO_IP="127.0.0.1"

INET_IP="194.236.50.155"
INET_IFACE="eth0"

IPTABLES="/usr/local/sbin/iptables"

#########
# Load all required IPTables modules
#

#
# Needed to initially load modules
#
/sbin/depmod -a

#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

#
# Support for owner matching
#
#/sbin/modprobe ipt_owner

#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

#
# Enable ip_forward, this is critical since it is turned off as defaul in
# Linux.
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we dont want.
#

$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# Do some checks for obviously spoofed IPs
#

$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
$IPTABLES -A bad_tcp_packets -i $LAN_IFACE ! -s 192.168.0.0/16 -j DROP

#
# Bad TCP packets we dont want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward between interfaces.
#

$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "


#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# The allowed chain for TCP connections
#

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# INPUT chain
#
# Bad TCP packets we dont want
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for incoming packets from anywhere
#

$IPTABLES -A INPUT -p ICMP -j icmp_packets
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udpincoming_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# OUTPUT chain
#
#
# Bad TCP packets we dont want
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets


$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
<<less
Download (MB)
Added: 2007-02-13 License: GPL (GNU General Public License) Price:
985 downloads
DMZ IP Firewall script

DMZ IP Firewall script


DMZ IP Firewall script project is a script for Linux 2.4.x and iptables. more>>
DMZ IP Firewall script project is a script for Linux 2.4.x and iptables.

Sample:

# Configuration options, these will speed you up getting this script to work with your own setup.

# your LANs IP range and localhost IP. /24 means to only use the first 24 bits of the 32 bit IP adress. the same as netmask 255.255.255.0

# STATIC_IP is used by me to allow myself to do anything to myself, might be a security risc but sometimes I want this. If you dont have a static IP, I suggest not using this option at all for now but its still enabled per default and will add some really nifty security bugs for all those who skips reading the documentation

LAN_IP="192.168.0.2"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"

INET_IP="194.236.50.152"
INET_IFACE="eth0"

HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"

LO_IP="127.0.0.1"
LO_IFACE="lo"


IPTABLES="/usr/local/sbin/iptables"
<<less
Download (MB)
Added: 2007-02-13 License: GPL (GNU General Public License) Price:
997 downloads

firewall script related searches

: iptables firewall script, firewall scripts, linux firewall script, firewall script generator, disable windows firewall script, norton firewall script error, firewall script nulled, hyperwrt firewall script, firewall script iptables, disable xp firewall script, firewall script rapidshare, firewall scripting, firewall script 2008, arnou0027s firewall script, firewall script tomato,
DHCP IP Firewall script

DHCP IP Firewall script


DHCP IP Firewall script project is a script for Linux 2.4.x and iptables. more>>
DHCP IP Firewall script project is a script for Linux 2.4.x and iptables.

Sample:

1. Configuration options - use these to quicken up the set up.

####################################
# Local Area Network configuration.
#
# your LANs IP range and localhost IP. /24 means to only use the first 24 bits of the 32 bit IP adress. the same as netmask 255.255.255.0

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"

######################################
#
# Localhost configuration.
#
# Localhost Interface and IP. Should not need any changes.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#######################################
#
# Internet configuration.
#
# All information pertaining to the Internet and the Internet connection.
#

INET_IFACE="eth0"

#######################################
#
# DHCP Configuration.
#
# Information pertaining to DHCP over the Internet, if needed.
#
# Set DHCP variable to No if you dont get IP from DHCP. If you get DHCP over the Internet set this variable to Yes, and set up the proper IP adress for the DHCP server in the DHCP_SERVER variable.

DHCP="No"
DHCP_SERVER="195.22.90.65"

#########################################
#
# PPPOE Configuration.
#
# Configuration options pertaining to PPPoE.
#
# If you have problem with your PPPoE connection, such as large mails not getting through while small mail get through properly etc, you may set this option to "yes" which may fix the problem. This option will set a rule in the PREROUTING chain of the mangle table which will clamp (resize) all routed packets to PMTU (Path Maximum Transmit Unit).
#
# Note that it is better to set this up in the PPPoE package itself, since the PPPoE configuration option will give less overhead.

PPPOE_PMTU="No"

##########################################
#
# IPTABLES configuration.
#
# Options pertaining to iptables such as searchpath, etc.
#

IPTABLES="/usr/sbin/iptables"
<<less
Download (MB)
Added: 2007-02-13 License: GPL (GNU General Public License) Price:
986 downloads
iptables firewall script 0.5

iptables firewall script 0.5


iptables firewall script is an Linux firewall based on the iptables software. more>>
iptables firewall script is an Linux firewall based on the iptables software.

Sample:

######## START FUNCTIONS #########
scripthelp () {
cat /dev/null 2>&1

Every 5 minutes
*/5 * * * * /path/to/this/script restart > /dev/null 2>&1

refresh
-------

Dumps current rules and reloads them.

stop
----

Dumps current rules and halts firewall.
---------------------------------------------------------

Usage: $0 [start|restart|refresh|stop]

SCRIPTHELP
}

fireme () {
if [ -z "`lsmod|grep iptable_filter`" ];
then
modprobe iptable_filter
fi

#######################################
#---------- Start predefined target rulesets ----------#
#######################################

# On the fly
$PROG -N ONTHEFLY
$PROG -A ONTHEFLY -j LOG --log-level 5 --log-prefix "TL0G_ONTHEFLY: "
$PROG -A ONTHEFLY -j DROP

# DENIED PORTS Privileged (1-1023) Target Ruleset
$PROG -N DENIED_PORT_PRIV
$PROG -A DENIED_PORT_PRIV -m state --state RELATED,ESTABLISHED -j ACCEPT
$PROG -A DENIED_PORT_PRIV -j LOG --log-level 5 --log-prefix "TL0G_DENIED_PORT_PRIV: "
$PROG -A DENIED_PORT_PRIV -j DROP

# DENIED PORTS Unprivileged TCP (1024+) Target Ruleset
$PROG -N DENIED_PORT_UNPRIV_TCP
$PROG -A DENIED_PORT_UNPRIV_TCP -m state --state RELATED,ESTABLISHED -j ACCEPT
$PROG -A DENIED_PORT_UNPRIV_TCP -j LOG --log-level 5 --log-prefix "TL0G_DENIED_PORT_T-UNPRIV: "
$PROG -A DENIED_PORT_UNPRIV_TCP -m state --state NEW,INVALID -j DROP

# DENIED PORTS Unprivileged UDP (1024+) Target Ruleset
$PROG -N DENIED_PORT_UNPRIV_UDP
$PROG -A DENIED_PORT_UNPRIV_UDP -j LOG --log-level 5 --log-prefix "TL0G_DENIED_PORT_U-UNPRIV: "
$PROG -A DENIED_PORT_UNPRIV_UDP -j DROP

#######################################
#---------- End predefined target rulesets ----------#
######################################

# Services
$PROG -A INPUT -p tcp --dport 0:112 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_PRIV
$PROG -A INPUT -p udp --dport 0:112 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_PRIV

$PROG -A INPUT -p tcp --dport 114:1023 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_PRIV
$PROG -A INPUT -p udp --dport 114:1023 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_PRIV

# NFS
$PROG -A INPUT -p tcp --dport 2049 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_TCP
$PROG -A INPUT -p udp --dport 2049 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_UDP

# X11
$PROG -A INPUT -p tcp --dport 6000:6005 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_TCP
$PROG -A INPUT -p udp --dport 6000:6005 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_UDP

# Netbus
$PROG -A INPUT -p tcp --dport 12345:12346 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_TCP
$PROG -A INPUT -p udp --dport 12345:12346 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_UDP

# Deny all else on TCP unless initiated from local machine/network.
# This rule covers NFS, X11, and Netbus listed above, its a catch-all for any TCP
# ports you may have services running on, but dont know what ports they use.
# Prevents an accidental crack attempt via TCP services.
# If you wish to allow any services, or alter the existing rules, they must be
# added BEFORE the rule below.

$PROG -A INPUT -p tcp --dport 1024:65535 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_TCP

echo "[ [32;01mOK [0m]"
echo "rc.firewall loaded with IP: $IP and interface: $IFACE."
}

########################### END FUNCTIONS ##########################

##############################################
#----------------- START CONFIGURATION SECTION --------------------#
##############################################
# Set path to iptables program

PROG=/path/to/iptables

# Set interface type, ie; eth0, ppp0

IFACE=""

###############################################
#------------------ END CONFIGURATION SECTION ---------------------#
##############################################

# Test to make sure configuration variables are set, die if not.

if [ ! -x "$PROG" ] || [ -z "$IFACE" ];
then
echo "$PROG is not executable, or interface is not set, exiting."
exit 0
else

# Get current IP address

IP=`ifconfig $IFACE| grep inet| cut -f2 -d:| cut -f1 -d" "`

# Get old IP from last firewall load (if any).
# The purpose of getting OLDIP is so you can use this script in a cron
# job to update the firewall with the current IP, great for dialups
# and other dynamic connections.
# Examples:
# Check every 15 minutes:
# */15 * * * * /path/to/this/script restart > /dev/null 2>&1
# Check every 5 minutes:
# */5 * * * * /path/to/this/script restart > /dev/null 2>&1

OLDIP=`$PROG -n -L INPUT| grep 6005|grep udp| cut -b55-|cut -f1 -d u`

case $1 in

start)
if [ -z "$OLDIP" ];
then
echo -n "Starting firewall..."
fireme
elif [ $IP = $OLDIP ];
then
echo "FIREWALL IS UPDATED."
fi
;;
restart)
echo -n "Restarting firewall..."
if [ -z "`$PROG -n -L INPUT| grep 6005`" ];
then
fireme
elif [ $IP = $OLDIP ];
then
echo "FIREWALL IS UPDATED."
else
for i in DENIED_PORT_PRIV DENIED_PORT_UNPRIV_TCP DENIED_PORT_UNPRIV_UDP ONTHEFLY
do
$PROG -F $i
$PROG -F INPUT
$PROG -F FORWARD
$PROG -X $i
done
fireme
fi
;;
refresh)
echo -n "Resetting firewall..."
if [ -z "`$PROG -n -L INPUT| grep 6005`" ];
then
fireme
else
for i in DENIED_PORT_PRIV DENIED_PORT_UNPRIV_TCP DENIED_PORT_UNPRIV_UDP ONTHEFLY
do
$PROG -F $i
$PROG -F INPUT
$PROG -F FORWARD
$PROG -X $i
done
fireme
fi
;;
stop)
for i in DENIED_PORT_PRIV DENIED_PORT_UNPRIV_TCP DENIED_PORT_UNPRIV_UDP ONTHEFLY
do
$PROG -F $i
$PROG -F INPUT
$PROG -F FORWARD
$PROG -X $i
done
echo "Firewall stopped...[ [32;01mOK [0m]"
;;
*)
echo
scripthelp
;;
esac
fi
<<less
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
986 downloads
 
Other version of iptables firewall script

IPTables Firewall Script 0.1

IPTables Firewall Script 0.1Obsid - IPTables Firewall Script contains two example firewall scripts rc.firewall.iptables. IPTables
License:GPL (GNU General Public License)
Download (0.43MB)
1221 downloads
Added: 2006-07-07
NAT iptables firewall script

NAT iptables firewall script


NAT iptables firewall script is an iptables firewall script. more>>
NAT iptables firewall script is an iptables firewall script.

This script is meant to be run once per boot the rules will be double added if you try to run it twice if you need to add another rule during runtime, change the -A to a -I to add it to the top of the list of rules if you use -A it will go at the end after the reject rule.

Sample:

# interface definitions
BAD_IFACE=eth0

DMZ_IFACE=eth1
DMZ_ADDR=x.x.x.96/28

GOOD_IFACE=eth2
GOOD_ADDR=192.168.1.0/24

MASQ_SERVER=x.x.x.98
FTP_SERVER=x.x.x.100
MAIL_SERVER=x.x.x.99
MAIL_SERVER_INTERNAL=192.168.1.3

# testing
#set -x

ip route del x.x.x.96/28 dev $BAD_IFACE
ip route del x.x.x.96/28 dev $DMZ_IFACE
ip route add x.x.x.97 dev $BAD_IFACE
ip route add x.x.x.96/28 dev $DMZ_IFACE

# we need proxy arp for the dmz network
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp

# turn on ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# turn on antispoofing protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

# flush all rules in the filter table
#iptables -F

# flush built in rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# deny everything for now
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP

# make the chains to define packet directions
# bad is the internet, dmz is our dmz, good is our masqed network
iptables -N good-dmz
iptables -N bad-dmz
iptables -N good-bad
iptables -N dmz-good
iptables -N dmz-bad
iptables -N bad-good

iptables -N icmp-acc

# accept related packets
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# internal client masqing
iptables -t nat -A POSTROUTING -s $GOOD_ADDR -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
# mail server masqing
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport smtp -j DNAT --to $MAIL_SERVER_INTERNAL:25
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport http -j DNAT --to $MAIL_SERVER_INTERNAL:80
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport https -j DNAT --to $MAIL_SERVER_INTERNAL:443
# to allow the above to work you need something like
# iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT

# set which addresses jump to which chains
iptables -A FORWARD -s $GOOD_ADDR -o $DMZ_IFACE -j good-dmz
iptables -A FORWARD -s $GOOD_ADDR -o $BAD_IFACE -j good-bad

iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $BAD_IFACE -j dmz-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $GOOD_IFACE -j dmz-good

iptables -A FORWARD -o $DMZ_IFACE -j bad-dmz
iptables -A FORWARD -o $GOOD_IFACE -j bad-good

# drop anything that doesnt fit these
iptables -A FORWARD -j LOG --log-prefix "chain-jump "
iptables -A FORWARD -j DROP

# icmp acceptance
iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
# iptables -A icmp-acc -j LOG --log-prefix "icmp-acc "
iptables -A icmp-acc -j DROP

# from internal to dmz
iptables -A good-dmz -p tcp --dport smtp -j ACCEPT
iptables -A good-dmz -p tcp --dport pop3 -j ACCEPT
iptables -A good-dmz -p udp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport www -j ACCEPT
iptables -A good-dmz -p tcp --dport https -j ACCEPT
iptables -A good-dmz -p tcp --dport ssh -j ACCEPT
iptables -A good-dmz -p tcp --dport telnet -j ACCEPT
iptables -A good-dmz -p tcp --dport auth -j ACCEPT
iptables -A good-dmz -p tcp --dport ftp -j ACCEPT
iptables -A good-dmz -p tcp --dport 1521 -j ACCEPT
iptables -A good-dmz -p icmp -j icmp-acc
iptables -A good-dmz -j LOG --log-prefix "good-dmz "
iptables -A good-dmz -j DROP

# from external to dmz
iptables -A bad-dmz -p tcp --dport smtp -j ACCEPT
iptables -A bad-dmz -p udp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport www -j ACCEPT
iptables -A bad-dmz -p tcp --dport https -j ACCEPT
iptables -A bad-dmz -p tcp --dport ssh -j ACCEPT
iptables -A bad-dmz -p tcp -d $FTP_SERVER --dport ftp -j ACCEPT
iptables -A bad-dmz -p icmp -j icmp-acc
iptables -A bad-dmz -j LOG --log-prefix "bad-dmz "
iptables -A bad-dmz -j DROP

# from internal to external
iptables -A good-bad -j ACCEPT
# iptables -t nat -A POSTROUTING -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
#iptables -A good-bad -p tcp -j MASQ
#iptables -A good-bad -p udp -j MASQ
#iptables -A good-bad -p icmp -j MASQ
#ipchains -A good-bad -p tcp --dport www -j MASQ
#ipchains -A good-bad -p tcp --dport ssh -j MASQ
#ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
#ipchains -A good-bad -p tcp --dport ftp -j MASQ
#ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
#ipchains -A good-bad -j REJECT -l

# from dmz to internal
# iptables -A dmz-good -p tcp ! --syn --sport smtp -j ACCEPT
iptables -A dmz-good -p tcp --dport smtp -j ACCEPT
iptables -A dmz-good -p tcp --sport smtp -j ACCEPT
iptables -A dmz-good -p udp --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport www -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport ssh -j ACCEPT
iptables -A dmz-good -p tcp -d 192.168.1.34 --dport smtp -j ACCEPT
iptables -A dmz-good -p icmp -j icmp-acc
iptables -A dmz-good -j LOG --log-prefix "dmz-good "
iptables -A dmz-good -j DROP

# from dmz to external
iptables -A dmz-bad -p tcp --dport smtp -j ACCEPT
iptables -A dmz-bad -p tcp --sport smtp -j ACCEPT
iptables -A dmz-bad -p udp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport www -j ACCEPT
iptables -A dmz-bad -p tcp --dport https -j ACCEPT
iptables -A dmz-bad -p tcp --dport ssh -j ACCEPT
iptables -A dmz-bad -p tcp --dport ftp -j ACCEPT
iptables -A dmz-bad -p tcp --dport whois -j ACCEPT
iptables -A dmz-bad -p tcp --dport telnet -j ACCEPT
iptables -A dmz-bad -p udp --dport ntp -j ACCEPT
# ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
iptables -A dmz-bad -p icmp -j icmp-acc
iptables -A dmz-bad -j LOG --log-prefix "dmz-bad "
iptables -A dmz-bad -j DROP

# from external to internal
iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport http -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport https -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -j LOG --log-prefix "bad-good "
iptables -A bad-good -j REJECT

# rules for this machine itself
iptables -N bad-if
iptables -N dmz-if
iptables -N good-if

# set up the jumps to each chain
iptables -A INPUT -i $BAD_IFACE -j bad-if
iptables -A INPUT -i $DMZ_IFACE -j dmz-if
iptables -A INPUT -i $GOOD_IFACE -j good-if

# external iface
iptables -A bad-if -p icmp -j icmp-acc
iptables -A bad-if -j ACCEPT
#ipchains -A bad-if -i ! ppp0 -j DENY -l
#ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
#ipchains -A bad-if -j icmp-acc
#ipchains -A bad-if -j DENY

# dmz iface
iptables -A bad-if -p icmp -j icmp-acc
iptables -A dmz-if -j ACCEPT

# internal iface
iptables -A good-if -p tcp --dport ssh -j ACCEPT
iptables -A good-if -p ICMP --icmp-type ping -j ACCEPT
iptables -A good-if -p ICMP --icmp-type pong -j ACCEPT
iptables -A good-if -j icmp-acc
iptables -A good-if -j DROP


# remove the complete blocks
iptables -D INPUT 1
iptables -D FORWARD 1
iptables -D OUTPUT 1
<<less
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
603 downloads
Arnos IPTABLES Firewall Script 1.8.8i

Arnos IPTABLES Firewall Script 1.8.8i


Arnos IPTABLES firewall script was initially written because I needed to protect my single-homed Linux machine at work. more>>
Arnos IPTABLES firewall script was initially written because I needed to protect my single-homed Linux machine at work. I wrote it at the time I couldnt find any script that really satisfied my needs except for one that was written by a guy called Seven.
I helped him for several months with the work on his script by suppling patches, reporting bugs etc. In this period I was fortunately also able to master scripting for iptables myself because soon Seven discontinued his work, I never got to even talk to the guy ever again. At that point I decided to continue his work, or actually I started my own branch based on his script.
In the summer of 2002 I finally got an ADSL connection at home. Initially I used the iptables firewall that came with the great ADSL4LINUX-package (http://www.adsl4linux.nl). But it didnt take me long to come to the conclusion that their iptables firewall lacked important features like port-forwarding and flexbility with "trusted hosts" etc.
I also didnt like the fact that I had to use a different firewall for my home machine and the machine at work. This made me decide to use some of the ADSL4LINUX knowledge to implement ADSL support.
By now (about 1 year later as of writing) there are only few remnants left of Sevens original script and many, many, many improvements were applied. One major improvement is the ADSL and NAT support (Check the features page with the specifiations of my firewall). For version 2 (alpha) I plan to completely rewrite to script to make it more flexible and to increase the usability for others.
Main features:
- Very secure stateful filtering firewall
- Both kernel 2.4 & 2.6 support
- It can be used for both single- and multi(eg. dual)-homed boxes
- Masquerading (NAT) and SNAT support
- Multiple external (internet) interfaces
- Support multiroute NAT & SNAT (load balancing over multiple (internet) interfaces)
- Port forwarding (NAT)
- Support MAC address filtering
- Support for DSL/ADSL modems
- Support for PPPoE, PPPoA and bridging modem setups
- Support for static and ISP assigned (DHCP) IPs
- Support for (transparent) proxies
- Full support for DMZs and DMZ-2-LAN forwarding. You can also use it to isolate your eg. wireless LAN.
- (Nmap)(stealth) portscan detection
- Protection against SYN-flooding (DoS attacks)
- Protection against ICMP-flooding (DoS attacks)
- Extensive user-definable logging with rate limiting to prevent log flooding
- Includes options to optimize your throughput
- User definable open ports, closed ports, trusted hosts, blocked hosts etc.
- Log & protection options are both highly customizable
- Support for custom iptables rules in a seperate file
- It can be used with chkconfig runlevel system (eg. RedHat/Fedora)
- Main focus on TCP/UDP/ICMP but additional support for *ALL* IP protocols
- It works with Freeswan IPSEC (VPN) & SSH Sentinel (http://www.freeswan.org) (+virtual IPs)
- It works with PoPTop PPTP (http://www.poptop.org)
- It works with UPnP
- DRDOS protection/detection (experimental)
- Its easy to configure
- And much more.
Enhancements:
- This release fixes a nasty bug in the NAT forwarding rules that caused using subnet-source-restrictions not to work.
- It adds an extra rule to the DHCP server section to allow packets from DHCP servers in the same segment.
- There are several plugin updates.
- A Racoon IPSEC VPN plugin and a transparent DNAT plugin have been added.
<<less
Download (0.081MB)
Added: 2007-07-03 License: GPL (GNU General Public License) Price:
854 downloads
Firewall Generator 3.0

Firewall Generator 3.0


Firewall Generator is a CGI script that generates a firewall. more>>
Firewall Generator is a CGI script that generates a bash shell script that contains a list of commands for configuring a set of firewall rules.

It is the best solution to know something about system security.
<<less
Download (0.002MB)
Added: 2006-07-13 License: GPL (GNU General Public License) Price:
1206 downloads
Firebred iptables Script 0.9

Firebred iptables Script 0.9


Firebred iptables Script is a firewall designed if you want to share your internet connection between a lan of computers. more>>
Firebred iptables Script is a firewall designed if you want to share your internet connection between a lan of computers, all you need is a 2.4.x kernel, bash and iptables.
Main features:
- Easily specify allowed inbound ports for UDP and TCP
- Allow in traffic for pptp (microsoft vpn)
- Set up a transparent proxy along with squid or wwwoffle
Install
Simply set it up like your other init scripts, it does however need to be run after your dns starts and is connected to the outside world
<<less
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
984 downloads
Firewall Admin 0.4

Firewall Admin 0.4


Firewall Admin is not a firewall generator. more>>
Firewall Admin is not a firewall generator. This tool allows network administrators to manage iptables rules from anywhere though a simple administration interface through a Web browser. Any user can put some extra plug-ins to interact with netfilter modules.
Main features:
- View rules of Filter, NAT and Mangle tables
- Create and delete chains
- Create, replace and delete rules (filter, nat and mangle)
- Modules: tcp, udp, icmp, limit, mac, multiport, state, iprange, string, owner, comment, quota, mport, time, dscp, ecn, pktype, connmark and random
- Packets/bytes counter
- Rename userchains
- Mangle targets: TOS, MARK and DSCP
- Up and Down rules
- Change policy (ACCEPT and DROP)
- Flush chains
- Configuration
- Backup and Restore firewall rules and chains
Enhancements:
- fixed userchains targets to support no targets (default: ACCEPT)
- ruleoptions directory was removed (performance impact)
- support for patch-o-matic modules comment and quota
- support for native modules mport, time, string, dscp, ecn, pktype and connmark
- support for native modules random
- packages/bytes counter support
- rename userchains
- added support to mangle targets: MARK and DSCP
- disabled notices in php
<<less
Download (0.056MB)
Added: 2006-07-12 License: GPL (GNU General Public License) Price:
1211 downloads
Firewall Tester 1.0

Firewall Tester 1.0


The Firewall Tester (FTester) is a tool designed for testing firewalls filtering policies and Intrusion Detection System (IDS) c more>>
The Firewall Tester (FTester) is a tool designed for testing firewalls filtering policies and Intrusion Detection System (IDS) capabilities.The tool consists of two perl scripts, a packet injector (ftest) and the listening sniffer (ftestd). The first script injects custom packets, defined in ftest.conf, with a signature in the data part while the sniffer listens for such marked packets. The scripts both write a log file which is in the same form for both scripts. A diff of the two produced files (ftest.log and ftestd.log) shows the packets that were unable to reach the sniffer due to filtering rules if these two scripts are ran on hosts placed on two different sides of a firewall. Stateful inspection firewalls are handled with the connection spoofing option. A script called freport is also available for automatically write to log files.
Of course this is not an automated process, ftest.conf must be crafted for every different situation. Examples and rules are included in the attached configuration file.
The IDS (Intrusion Detection System) testing feature can be used either with ftest only or with the additional support of ftestd for handling stateful inspection IDS, ftest can also use common IDS evasion techniques. Instead of using the configuration syntax currently the script can also process snort rule definition file.
These two scripts were written because I was tired of doing this by hand (with packet-crafting tools and tcpdump), I know that there are at least two dozens of other methods to do this but another reason was to learn some perl ;). I hope that you enjoy them.
Main features:
- firewall testing
- IDS testing
- simulation of real tcp connections for stateful inspection firewalls and IDS
- connection spoofing
- IP fragmentation / TCP segmentation
- IDS evasion techniques
<<less
Download (0.030MB)
Added: 2006-07-07 License: GPL (GNU General Public License) Price:
1206 downloads
jsfirewall 0.7.2

jsfirewall 0.7.2


jsfirewall increases the safety for the desktop PC with one network card. more>>
jsfirewall increases the safety for the desktop PC with one network card.
The program is quickly administrated and it is easy to generate an iptables based firewall script.
It has no ROUTER function, but is a personal firewall and it is developed for use behind a router or for direct connections like ppp over ethernet.
jsfirewall uses the program "dialog", you can use it either on the X server or on the console.
Advanced features are built in and you can save or view logging files, tuning the logging and the kernel parameters, save and load, or delete, generated firewall templates.
There is optional support for an additional portrange as the default and you can give one command owner for every chosen port.
Installation:
Unpack the tar ball: tar xzf jsfirewall-0.7.1.tar.gz
cd jsfirewall-0.7.1
Open the file jsfirewall.conf and change the settings if you want (e.g. with vi).
Run ./install.sh in the console.
OPTIONS: install, update, cancel
Enhancements:
- A completly new config section was written.
- You can now edit in the "config" menu directly like in the "global" menu. jsfirewall now supports OpenVPN and can generate an OpenVPN styled firewall script.
- Help can now support all languages.
- All sections of the code were split into scripts.
- The program is now faster and open for other GUI languages and iptables based generator scripts.
- I The LANG variable in 0.7.1 was renamed to LANGU.
<<less
Download (0.030MB)
Added: 2005-10-02 License: GPL (GNU General Public License) Price:
1482 downloads
Firewall-1 Response 1.0

Firewall-1 Response 1.0


Firewall-1 Response is a Perl script for performing simple active responses based on a Checkpoint Firewall-1. more>>
Firewall-1 Response is a Perl script for performing simple active responses based on a Checkpoint Firewall-1. It is good for closing off your network against people who do port scans or network sweeps.

fw sam provides a command line interface to a limited feature-set of the firewall security policy. The purpose of this is to allow scripts such as this a way to dynamically change the security policy of one or more firewalls without administrator intervention. This should scare you, because of the potential of these changes allowing bad guys to run a DoS attack against you.
<<less
Download (0.029MB)
Added: 2006-07-12 License: GPL (GNU General Public License) Price:
1201 downloads
PCX Firewall 2.24

PCX Firewall 2.24


PCX Firewall is an IPTables firewalling solution. more>>
PCX Firewall is an IPTables firewalling solution that uses Perl to generate static shell scripts based upon the users configuration settings.
This allows the firewall to startup quickly, as it does not have to parse config files every time it starts.
Enhancements:
- All known bugs have been fixed. Support has been added for Debian Sarge and Red Hat FC[1-3] as "official" distributions to work with when generating init scripts. The ability has been added to just install the generated firewall script into /etc/init.d or /etc/pcx-firewall without starting it.
<<less
Download (0.036MB)
Added: 2005-06-29 License: GPL (GNU General Public License) Price:
1579 downloads
Firewall by Jim 1.30

Firewall by Jim 1.30


Firewall by Jim is a firewall that takes advantage of tcp_wrappers information to block users. more>>
Firewall by Jim is a firewall that takes advantage of tcp_wrappers information to block users. I got tired of the firewall scripts out there not doing what I wanted them to.. I wanted a firewall that was flexible to use, but did its job. I wanted one that could be configured to any circumstance easily without changing the script itself. That is why I designed my firewall to use simple text files for configuration ease.

I have built in mutlple mean of protection into the firewall itself. Of the most notable is the hacker, trojan, spam, and blacklist capabilities.

The hacker protection will prevent the outside world from running unwanted commands. If you choose to enable this function.

The hacker protection will prevent the outside world from running unwanted commands. The trojan protection has two different levels. Standard and Intensive. The standard protection only protections from known linux and unix trojans. Where as the intensive will protect from all known trojans from windows, linux, and unix based.

The spam protection will block any IP address which is in list, from sending mail to your SMTP server.

The blacklist protection will block total communications to a site. I have also included a blacklist update script which will pull blacklist information from http://www.dshield.org .
<<less
Download (0.043MB)
Added: 2006-07-11 License: GPL (GNU General Public License) Price:
1202 downloads
Secleted [ 0 ] software to compare
  • Page: 1 of 5
  • 1
  • 2
  • 3
  • 4
  • 5

firewall script in Related Categories

linux / System /

Networking
linux / System /

Monitoring
linux / Miscellaneous /

Security
Copyright Notice:
Software piracy is theft, Using crack, password, serial numbers, registration codes, key generators is illegal and prevent future software development. The above firewall script search only lists software in full, demo and trial versions for free download. Download links are directly from our mirror sites or publisher sites, torrent files or links from rapidshare.com, yousendit.com or megaupload.com are not allowed