
Membuat Firewall dengan scripts Iptables Standar

Posted on: 12 Desember, 2006

Contoh iptables standar. Kalau anda ingin membuat internet sharing, silakan salin kode di bawah ke dalam rc.local yang ada di folder /etc, lalu ganti bagian INET_ADDRESS="202.xxx.xxx.xxx" dengan IP publik milik anda.


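#!/bin/sh
#
# Standard iptables firewall for a small NAT gateway with one public
# interface (INET_IFACE) and one LAN interface (LOCAL_IFACE). Filter
# policies are DROP; inbound services, forwarding and SNAT are opened
# explicitly below.
#
# Usage:
#   firewall           load the rule set
#   firewall save      dump the live rule set to /etc/sysconfig/iptables
#   firewall restore   reload the rule set from /etc/sysconfig/iptables
#   firewall stop      flush everything and run with ACCEPT policies
#
# Before use replace INET_ADDRESS with this host's public IPv4 address;
# the script refuses to load rules while the placeholder is in place.
# Written for POSIX sh (no bashisms); must run as root.

# sysctl command. Leave empty to write /proc/sys directly instead.
SYSCTL="/sbin/sysctl -w"

# iptables binaries
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Interface facing the Internet (eth0) and its public address
INET_IFACE="eth0"
INET_ADDRESS="202.xxx.xxx.xxx"

# Interface facing the local LAN (eth1)
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.1.1"
LOCAL_NET="192.168.1.0/24"
LOCAL_BCAST="192.168.1.255"

# Loopback interface
LO_IFACE="lo"
LO_IP="127.0.0.1"

# File used by the save/restore modes
RULES_FILE="/etc/sysconfig/iptables"

# Set one kernel parameter: $1 is the dotted sysctl key, $2 the value.
# Goes through $SYSCTL when it is set, otherwise writes /proc/sys directly.
set_sysctl() {
  if [ -z "$SYSCTL" ]; then
    echo "$2" > "/proc/sys/$(printf '%s' "$1" | tr . /)"
  else
    # shellcheck disable=SC2086 -- SYSCTL deliberately holds "command -w"
    $SYSCTL "$1=$2"
  fi
}

# Save / restore the running rule set and exit.
case "${1:-}" in
  save)
    printf 'Saving firewall to %s ... ' "$RULES_FILE"
    $IPTS > "$RULES_FILE" || exit 1
    echo "done"
    exit 0
    ;;
  restore)
    printf 'Restoring firewall from %s ... ' "$RULES_FILE"
    $IPTR < "$RULES_FILE" || exit 1
    echo "done"
    exit 0
    ;;
esac

# Refuse to continue with an unset public address. This runs before any
# rule is touched so a misconfiguration cannot leave the host half-loaded
# (SNAT --to-source would otherwise fail part-way through the load).
if [ "${1:-}" != "stop" ]; then
  case "$INET_ADDRESS" in
    ""|*[!0-9.]*)
      echo "INET_ADDRESS must be this host's public IPv4 address (got '$INET_ADDRESS')" >&2
      exit 1
      ;;
  esac
fi

echo "Loading kernel modules ..."

# Netfilter core
/sbin/modprobe ip_tables

# Connection tracking plus the FTP/IRC helpers. These are the 2.4/2.6-era
# module names; newer kernels may call them nf_conntrack* -- verify.
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

# Kernel hardening: forwarding on, SYN cookies, reverse-path filter,
# ignore broadcast pings, no source routing, secure ICMP redirects only,
# log packets with impossible source addresses.
set_sysctl net.ipv4.ip_forward 1
set_sysctl net.ipv4.tcp_syncookies 1
set_sysctl net.ipv4.conf.all.rp_filter 1
set_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1
set_sysctl net.ipv4.conf.all.accept_source_route 0
set_sysctl net.ipv4.conf.all.secure_redirects 1
set_sysctl net.ipv4.conf.all.log_martians 1

# Flush everything. Filter policies go to DROP *before* the flush so the
# gateway fails closed while the new rules are being loaded, instead of
# running wide open for the duration of the reload.
echo "Flushing Tables ..."
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Delete the existing rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Delete user-defined chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "${1:-}" = "stop" ]; then
  # "stop" means no firewall at all: open the filter policies and leave.
  $IPT -P INPUT ACCEPT
  $IPT -P FORWARD ACCEPT
  $IPT -P OUTPUT ACCEPT
  echo "Firewall completely flushed! Now running with no firewall."
  exit 0
fi

echo "Create and populate custom rule chains ..."

# User-defined chains
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound

# bad_packets: log and drop packets that should never reach us -- LAN
# source addresses arriving on the Internet side, and packets the
# connection tracker cannot classify. TCP packets get an extra check.
$IPT -A bad_packets -p ALL -i "$INET_IFACE" -s "$LOCAL_NET" -j LOG \
  --log-prefix "Illegal source: "
$IPT -A bad_packets -p ALL -i "$INET_IFACE" -s "$LOCAL_NET" -j DROP
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
  --log-prefix "Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets: the LAN side is trusted here. Elsewhere, drop new
# connections that do not start with SYN and the classic scan flag
# combinations, logging each.
$IPT -A bad_tcp_packets -p tcp -i "$LOCAL_IFACE" -j RETURN
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
  --log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
  --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
  --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
  --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
  --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
  --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
  --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets: drop fragmented ICMP and inbound echo requests, accept
# time-exceeded (type 11); everything else falls back to the caller.
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
  --log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPT -A icmp_packets -p ICMP -j RETURN

# udp_inbound: block NetBIOS name/datagram service, allow DNS.
# udp_outbound: everything from the LAN may leave.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT
$IPT -A udp_inbound -p UDP -j RETURN
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound: services opened to the Internet -- HTTP (80) and FTP (21).
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT
# The original "accept anything with source port 20" rule is left out:
# it allowed any remote host to reach any local port just by sending from
# port 20. Active-mode FTP data connections are already matched as
# RELATED by ip_conntrack_ftp via the ESTABLISHED,RELATED rule below.
# $IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
$IPT -A tcp_inbound -p TCP -j RETURN
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

echo "Process INPUT chain ..."

# Loopback is trusted; then the sanity chain; then the LAN side is open.
$IPT -A INPUT -p ALL -i "$LO_IFACE" -j ACCEPT
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
$IPT -A INPUT -p ALL -i "$LOCAL_IFACE" -s "$LOCAL_NET" -j ACCEPT
$IPT -A INPUT -p ALL -i "$LOCAL_IFACE" -d "$LOCAL_BCAST" -j ACCEPT

# Internet side: replies to our own traffic, then the per-protocol
# chains. Whatever falls through is logged (rate limited) and then hits
# the DROP policy.
$IPT -A INPUT -p ALL -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
$IPT -A INPUT -p TCP -i "$INET_IFACE" -j tcp_inbound
$IPT -A INPUT -p UDP -i "$INET_IFACE" -j udp_inbound
$IPT -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-prefix "INPUT packet died: "

echo "Process FORWARD chain ..."
$IPT -A FORWARD -p ALL -j bad_packets
# Only packets that really carry a LAN source are forwarded out (and
# SNATed in the nat table); a LAN host spoofing another source is dropped.
$IPT -A FORWARD -p tcp -i "$LOCAL_IFACE" -s "$LOCAL_NET" -j tcp_outbound
$IPT -A FORWARD -p udp -i "$LOCAL_IFACE" -s "$LOCAL_NET" -j udp_outbound
$IPT -A FORWARD -p ALL -i "$LOCAL_IFACE" -s "$LOCAL_NET" -j ACCEPT
$IPT -A FORWARD -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-prefix "FORWARD packet died: "

echo "Process OUTPUT chain ..."
# Locally generated traffic is allowed out on every interface; only
# untracked ICMP is dropped. The log rule only sees what nothing matched.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
$IPT -A OUTPUT -p ALL -o "$LO_IFACE" -j ACCEPT
$IPT -A OUTPUT -p ALL -s "$LOCAL_IP" -j ACCEPT
$IPT -A OUTPUT -p ALL -o "$LOCAL_IFACE" -j ACCEPT
$IPT -A OUTPUT -p ALL -o "$INET_IFACE" -j ACCEPT
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-prefix "OUTPUT packet died: "

echo "Load rules for nat table ..."

# Transparent proxy: LAN web traffic is redirected to the local proxy on
# port 3128. Matching on the LAN interface as well as the LAN prefix keeps
# packets arriving from the Internet with a forged LAN source out of it.
$IPT -t nat -A PREROUTING -p tcp -i "$LOCAL_IFACE" -s "$LOCAL_NET" \
  --destination-port 80 -j REDIRECT --to-ports 3128

# Transparent HTTPS (disabled)
# $IPT -t nat -A PREROUTING -p tcp --destination-port 443 \
#   -j REDIRECT --to-ports 8080

# Internet sharing: rewrite the source of LAN traffic leaving the public
# interface to our public address. Restricted to the LAN prefix so nothing
# else that happens to be forwarded is masqueraded as us.
$IPT -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LOCAL_NET" \
  -j SNAT --to-source "$INET_ADDRESS"

# mangle table (no rules at present)
echo "Load rules for mangle table ..."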
