#!/bin/bash
### BEGIN INIT INFO
# Provides: firewall_rules
# Required-Start: $local_fs $remote_fs $network
# Required-Stop: $local_fs $remote_fs $network
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: agadmin firewall rules
### END INIT INFO
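# Requested init action (start|stop|restart|reload|status); empty when the
# script is called without an argument.
ACTION=${1:-}

# Country codes whose published address ranges are dropped on INPUT. One
# "<cc>.zone" list is fetched per entry, see block_country_chains.
readonly TLD="cn iq ir kp ru tr tw"

# Base URL of the per-country zone lists.
# NOTE(review): the lists are fetched over plain HTTP with no integrity check,
# so whatever the network delivers becomes DROP rules; an HTTPS endpoint or a
# published checksum would close that gap.
readonly URL="http://www.ipdeny.com/ipblocks/data/countries/"

# Built-in chains the custom chains are linked into. Read-only so a function
# cannot accidentally repoint the whole rule set.
readonly INPUT="INPUT"
readonly OUTPUT="OUTPUT"

# Directory of the firewall.pid marker. The file only flags "rules are
# active"; it never holds a process id.
readonly PIDDIR="/var/run"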
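#######################################
# Per-country DROP chains linked into $INPUT: one "<cc>.ct.chain" per entry
# of $TLD, filled from the downloaded "<cc>.zone" lists.
# Globals:   INPUT, TLD, URL (read)
# Arguments: $1 - "STOP" tears the chains down; anything else builds them
# Outputs:   nothing on stdout; wget output and per-rule iptables errors are
#            suppressed as in the original
# Returns:   0, or 1 when no private scratch directory could be created
#######################################
block_country_chains() {
  local cc chain zone_file entry work

  if [[ "$1" == "STOP" ]]; then
    # Remove every "<x>.ct.chain" that exists, not only the current $TLD
    # entries, so a changed list still cleans up fully. The match is anchored
    # with literal dots; the original grep ".ct.chain" let the dots match any
    # character.
    while IFS= read -r chain; do
      iptables -D "$INPUT" -j "$chain"
      iptables -F "$chain"
      iptables -X "$chain"
    done < <(iptables -S | awk '$1 == "-N" && $2 ~ /\.ct\.chain$/ { print $2 }')
    return
  fi

  # Create the (still empty) chains and link them into INPUT before the slow
  # download, so their position in INPUT is taken early.
  for cc in $TLD; do
    iptables -N "$cc.ct.chain"
    iptables -A "$INPUT" -j "$cc.ct.chain"
  done

  # Kept from the original; presumably gives the network time to come up when
  # this runs at boot — confirm before changing.
  sleep 10

  # Private scratch directory instead of fixed names under /tmp: with fixed
  # names any local user could pre-create or swap the files that become rules.
  work=$(mktemp -d) || return 1

  for cc in $TLD; do
    zone_file="$work/$cc.zone"
    # -O pins the output name; without it a leftover file would make wget write
    # "<cc>.zone.1" and the stale copy would be loaded instead.
    wget -q -O "$zone_file" "$URL$cc.zone" || rm -f -- "$zone_file"
  done

  for cc in $TLD; do
    zone_file="$work/$cc.zone"
    chain="$cc.ct.chain"
    [[ -s "$zone_file" ]] || continue   # download failed: chain stays empty
    while IFS= read -r entry || [[ -n "$entry" ]]; do
      entry=${entry%$'\r'}
      # Only well-formed IPv4 prefixes are handed to iptables; any other line
      # in a downloaded list is skipped instead of being passed as an argument.
      [[ "$entry" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] || continue
      iptables -A "$chain" -s "$entry" -j DROP > /dev/null 2>&1
    done < "$zone_file"
  done

  rm -rf -- "$work"
}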
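#######################################
# SERVICES.chain: ACCEPT inbound TCP on the public service ports plus UDP 53,
# then link the chain into $INPUT.
# Globals:   INPUT (read)
# Arguments: $1 - "STOP" tears the chain down; anything else builds it
# Outputs:   iptables diagnostics on stderr
# Returns:   status of the last iptables call
#######################################
services_chain() {
  local -r chain="SERVICES.chain"
  local port

  if [[ "$1" == "STOP" ]]; then
    iptables -D "$INPUT" -j "$chain"
    iptables -F "$chain"
    iptables -X "$chain"
    return
  fi

  # TCP ports accepted from any source. Kept local; the original assigned
  # SERVICES as a global.
  # NOTE(review): 389 (LDAP) and the plaintext mail ports 110/143/25 are open
  # to every source here — confirm that exposure is intended.
  local -r services="993 995 587 465 25 143 110 443 80 53 389"

  iptables -N "$chain"
  for port in $services; do
    iptables -A "$chain" -p tcp --dport "$port" -j ACCEPT
  done
  iptables -A "$chain" -p udp --dport 53 -j ACCEPT

  # Appended to INPUT, i.e. evaluated after whatever the caller linked in
  # earlier (the country DROP chains when called from "start").
  iptables -A "$INPUT" -j "$chain"
}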
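#######################################
# ADMIN.chain: management access accepted on $INPUT — SSH, SNMP, TCP 953,
# loopback destinations, a fixed set of admin source addresses and ICMP.
# Globals:   INPUT (read)
# Arguments: $1 - "STOP" tears the chain down; anything else builds it
# Outputs:   iptables diagnostics on stderr
# Returns:   status of the last iptables call
#######################################
admin_chain() {
  local -r chain="ADMIN.chain"
  local host

  if [[ "$1" == "STOP" ]]; then
    iptables -D "$INPUT" -j "$chain"
    iptables -F "$chain"
    iptables -X "$chain"
    return
  fi

  # Source addresses accepted unconditionally (any port, any protocol).
  local -a admin_hosts=(5.1.84.159 5.1.84.160 62.113.250.204)

  iptables -N "$chain"
  # Duplicates the ESTABLISHED,RELATED rule the caller already put on INPUT;
  # harmless and kept so the rule set is unchanged.
  iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A "$chain" -p tcp --dport 22 -j ACCEPT    # SSH, from any source
  iptables -A "$chain" -p udp --dport 161 -j ACCEPT   # SNMP
  iptables -A "$chain" -p tcp --dport 953 -j ACCEPT   # presumably rndc — confirm
  # Matches on destination only; "-i lo" would be the tighter loopback match.
  iptables -A "$chain" -d 127.0.0.0/8 -j ACCEPT
  for host in "${admin_hosts[@]}"; do
    iptables -A "$chain" -s "$host" -j ACCEPT
  done
  # Every ICMP type from everywhere; narrow to the needed types if that
  # exposure matters.
  iptables -A "$chain" -p icmp -j ACCEPT

  iptables -A "$INPUT" -j "$chain"
}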
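#######################################
# IMSCP_INPUT / IMSCP_OUTPUT: accounting-only chains. The per-port rules carry
# no target, so a matching packet only increments that rule's counters and the
# final RETURN hands it back to the calling chain; nothing is accepted or
# dropped here. (Currently not called: the calls in the case block are
# commented out.)
# Globals:   INPUT, OUTPUT (read)
# Arguments: $1 - "STOP" tears the chains down; anything else builds them
# Outputs:   iptables diagnostics on stderr
# Returns:   status of the last iptables call
#######################################
imscp_logging_chains() {
  local -r in_chain="IMSCP_INPUT"
  local -r out_chain="IMSCP_OUTPUT"
  local port

  if [[ "$1" == "STOP" ]]; then
    iptables -D "$INPUT" -j "$in_chain"
    iptables -D "$OUTPUT" -j "$out_chain"
    iptables -F "$in_chain"
    iptables -F "$out_chain"
    iptables -X "$in_chain"
    iptables -X "$out_chain"
    return
  fi

  # Ports served by this host (counted inbound by dport, outbound by sport) and
  # ports this host connects out to (counted the other way round). Kept local;
  # the original assigned both lists as globals.
  local -r services_in="80 443 110 143 25 465 587 995 993"
  local -r services_out="25 465 587"

  iptables -N "$in_chain"
  iptables -N "$out_chain"

  iptables -A "$INPUT" -j "$in_chain"
  iptables -A "$OUTPUT" -j "$out_chain"

  for port in $services_in; do
    iptables -A "$in_chain" -p tcp --dport "$port"
    iptables -A "$out_chain" -p tcp --sport "$port"
  done

  for port in $services_out; do
    iptables -A "$in_chain" -p tcp --sport "$port"
    iptables -A "$out_chain" -p tcp --dport "$port"
  done

  iptables -A "$in_chain" -j RETURN
  iptables -A "$out_chain" -j RETURN
}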
#####################################################################################################
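#######################################
# Bring the rule set up: set the active marker, accept established traffic,
# flip INPUT to DROP, then add the country, service and admin chains.
# Globals:   INPUT, PIDDIR (read)
# Outputs:   progress message on stdout
#######################################
firewall_up() {
  echo "Firewall wird gestartet"
  touch "$PIDDIR/firewall.pid"
  # The ESTABLISHED,RELATED accept goes in before the policy flips to DROP so
  # packets of sessions already open (e.g. the admin's SSH) are never dropped
  # in the gap; the original set the policy first.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -P "$INPUT" DROP
  #imscp_logging_chains START
  # Detached because the zone downloads are slow. It links its chains into
  # INPUT before its own 10 s delay, and the 5 s pause below is the original's
  # way of keeping that ahead of the service chains — a timing assumption,
  # not a synchronisation; if it loses, the DROP chains end up after
  # SERVICES/ADMIN in INPUT.
  block_country_chains START &
  sleep 5
  services_chain START
  admin_chain START
}

#######################################
# Tear the rule set down: clear the marker, fail open (INPUT policy ACCEPT),
# then unlink and delete every custom chain.
# Globals:   INPUT, PIDDIR (read)
# Outputs:   progress message on stdout
#######################################
firewall_down() {
  echo "Firewall wird gestoppt"
  rm -f -- "$PIDDIR/firewall.pid"
  iptables -P "$INPUT" ACCEPT
  #imscp_logging_chains STOP
  iptables -D INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  block_country_chains STOP
  services_chain STOP
  admin_chain STOP
}

# Dispatch on the init action. The marker file is the only state: it says
# "rules applied", nothing more, and is not re-checked against iptables.
case "$ACTION" in
  start)
    if [[ -f "$PIDDIR/firewall.pid" ]]; then
      echo "Firewall bereits aktiv"
      exit 0
    fi
    firewall_up
    ;;
  stop)
    if [[ ! -f "$PIDDIR/firewall.pid" ]]; then
      echo "Firewall bereits gestoppt"
      exit 0
    fi
    firewall_down
    ;;
  reload|restart)
    # Same as stop followed by start; an inactive firewall is only reported,
    # then started anyway.
    if [[ -f "$PIDDIR/firewall.pid" ]]; then
      firewall_down
    else
      echo "Firewall nicht gestartet"
    fi
    firewall_up
    ;;
  status)
    # LSB status codes: 0 running, 3 not running. The original exited 0 in
    # both cases, so "service … status" could not tell them apart.
    if [[ -f "$PIDDIR/firewall.pid" ]]; then
      echo "Firewall aktiv"
      exit 0
    fi
    echo "Firewall nicht aktiv"
    exit 3
    ;;
  *)
    # Unknown or missing action: the original fell through silently with
    # status 0.
    printf 'Usage: %s {start|stop|restart|reload|status}\n' "${0##*/}" >&2
    exit 2
    ;;
esac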