

FIREWALL RSDJATIROTO.ikc.co.id

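#--------------------------------------------------------------------#
# Scenario: - eth1 : network card on the LAN                         #
#           - ppp0 : dial-up (Internet) interface                    #
# This firewall script NATs the LAN behind the dial-up link and      #
# then forces LAN hosts through the proxy machine whenever they      #
# access ports 80, 8080 or 3128.                                     #
#    Info : dms@ikc.co.id                                            #
#--------------------------------------------------------------------#
#
# NOTE(review): every quote and option dash in this script must be plain
# ASCII (" and --). The copy that circulated on the web had them replaced
# by typographic characters, which makes bash hand literal junk to iptables
# so that not a single rule loads; they are restored here.

echo -e "\n\nSETTING UP IPTABLES PROXY..."

# Interfaces
INTIF="eth1"                # LAN-facing interface
EXTIF="ppp0"                # Internet-facing (dial-up) interface
IPTABLES=/sbin/iptables

# Addresses
LAN="192.168.1.0/24"        # LAN subnet behind $INTIF
SERVER="192.168.1.1"        # LAN address the transparent proxy is reached on (port 8080)

EXTIP="180.253.84.62"       # only printed in the status message; not used in any rule
EXTIP1="180.0.0.0/8"        # destination range required on the remote-admin ACCEPTs
EXTRIM="0.0.0.0"            # not referenced anywhere in this script
REMOTEIP="36.81.0.0/16"     # source ranges allowed to reach $PORTTRIMA on $EXTIF
REMOTEIP1="125.167.0.0/16"

PORTTRIMA="22,10000"        # admin ports on $EXTIF; dropped for everyone except the ranges above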

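echo "Loading required stateful/NAT kernel modules..."

#/bin/internet   # extra binary used to bring the Internet link up over a USB modem
/sbin/depmod -a
# NOTE(review): these are the pre-2.6.20 module names. On newer kernels the
# connection-tracking/NAT modules are nf_conntrack*/nf_nat* and the ip_*
# names may only exist as aliases, or not at all -- check `lsmod` after
# running this; a missing conntrack module silently breaks the
# ESTABLISHED,RELATED rules below.
for mod in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
           iptable_nat ip_nat_ftp ip_nat_irc; do
  /sbin/modprobe "$mod"
done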

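# Kernel hardening/tuning knobs, written straight to /proc as the original did.
echo "1" > /proc/sys/net/ipv4/tcp_syncookies              # SYN-flood protection
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
#echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
# NOTE(review): rp_filter stays disabled above (unless the distro enables it
# elsewhere), so nothing in the kernel rejects packets that arrive on $EXTIF
# carrying a LAN source address; the FORWARD rules have to do that themselves.
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

#echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
# Disabling window scaling and SACK is a throughput setting, not a security
# control; presumably a workaround for the dial-up link -- confirm before keeping.
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack

echo "    Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr    # masquerading behind an address that changes on each dial-up

echo "    External interface: $EXTIF"
echo "    External interface IP address is: $EXTIP"

echo "    Loading proxy server rules..."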

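# Clear any existing rules and user chains in every table, then set the
# default policies. Each table is flushed once; the original flushed filter
# and nat twice, flushed INPUT/OUTPUT/FORWARD a third time, and created a
# "MACtest" chain that the very next -X deleted (it was never referenced),
# so all of that is dropped here with no change in the resulting state.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

# NOTE(review): INPUT and OUTPUT default to ACCEPT, so the rest of the script
# can only blocklist individual ports/addresses on $EXTIF. Any service not
# explicitly dropped there (the proxy on 8080 or 3128, for instance) is
# reachable from the Internet unless the daemon binds to the LAN address
# only. A DROP policy with explicit ACCEPTs is the safer shape; it is not
# changed here because it needs a matching lo/LAN ACCEPT to avoid lock-out.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
#$IPTABLES -P FORWARD ACCEPT

# Log every new outbound flow at DEBUG priority before it is masqueraded
# (the nat table only sees the first packet of a connection, so this is one
# line per connection, not per packet).
$IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j LOG --log-level DEBUG

# Replies to connections this host or the LAN initiated are always accepted.
$IPTABLES -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT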

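#------ Blocking peer-to-peer ports ------#
# Appended first, so these are the first FORWARD rules a LAN packet meets.
# Note the range also covers every legitimate service above port 5050.
$IPTABLES -A FORWARD -i "$INTIF" -p tcp --destination-port 5051:65535 -o "$EXTIF" -j DROP
$IPTABLES -A FORWARD -i "$INTIF" -p udp --destination-port 5051:65535 -o "$EXTIF" -j DROP

#------------ NAT & MASQUERADE -----------#
# Added once; the original appended this identical rule twice.
$IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
#$IPTABLES -A FORWARD -i "$INTIF" -j ACCEPT

# Transparent proxy (TCP): LAN web traffic to 80, 8080 and 3128 is DNATed
# to the proxy on $SERVER:8080. DNAT is a terminating target, so the REDIRECT
# rules the original appended afterwards for the very same matches could
# never be reached; they are omitted. 443 is deliberately not intercepted --
# TLS cannot be transparently proxied this way without certificate errors,
# which also means HTTPS bypasses the proxy's filtering entirely.
for port in 80 8080 3128; do
  $IPTABLES -t nat -A PREROUTING -i "$INTIF" -p tcp --dport "$port" -j DNAT --to "$SERVER:8080"
done
#$IPTABLES -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 443 -j DNAT --to "$SERVER:8080"

# Transparent proxy (UDP): kept from the original for compatibility. An HTTP
# proxy listens on TCP only, so these presumably never do anything useful --
# confirm nothing on the LAN depends on UDP to these ports before removing.
for port in 80 8080 3128; do
  $IPTABLES -t nat -A PREROUTING -i "$INTIF" -p udp --dport "$port" -j DNAT --to "$SERVER:8080"
done
#$IPTABLES -t nat -A PREROUTING -i "$INTIF" -p udp --dport 443 -j DNAT --to "$SERVER:8080"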

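#-------------- INPUT RULES ----------------#
# Every rule here is inserted with -I, so each one lands ABOVE whatever was
# inserted before it: the catch-all DROP for $INTIF goes in first and ends
# up last, and the per-port ACCEPTs end up in front of it. Read the
# effective chain bottom-up from this script.
#
# The original's "-s 0/0 -d 0/0" on every line matched everything and is
# omitted. The ACCEPTs are bound to $INTIF only, not to $LAN, so any source
# address seen on eth1 can reach these services (SMB on 445, MySQL on
# 3306, ...); tightening with "-s $LAN" is reasonable but only complete
# together with an anti-spoofing rule or rp_filter, so it is left as-is.

# Catch-all: everything else from the LAN to this host is dropped. The
# original's port range is kept; note it does not cover 65001-65535.
$IPTABLES -I INPUT -p tcp -i "$INTIF" --dport 0:65000 -j DROP
$IPTABLES -I INPUT -p udp -i "$INTIF" --dport 0:65000 -j DROP

# Services the LAN may reach on this host. The original listed 3306 twice;
# the duplicate could never be reached and is dropped. The UDP entries for
# TCP-only services (22, 3306, 445) are harmless but inert.
for port in 22 3306 53 445 8080 10000; do
  $IPTABLES -I INPUT -p tcp -i "$INTIF" --dport "$port" -j ACCEPT
  $IPTABLES -I INPUT -p udp -i "$INTIF" --dport "$port" -j ACCEPT
done

#$IPTABLES -I INPUT -p tcp -i "$EXTIF" -s 125.167.31.236/32 -d 110.139.54.163/32 --dport 22 -j ACCEPT
#$IPTABLES -I INPUT -p udp -i "$EXTIF" -s 125.167.31.236/32 -d 110.139.54.163/32 --dport 22 -j ACCEPT
#$IPTABLES -I INPUT -p tcp -i "$INTIF" --dport 80 -j ACCEPT
#$IPTABLES -I INPUT -p udp -i "$INTIF" --dport 80 -j ACCEPT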

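#-------------- FORWARD RULES ---------------#
# Default policy is DROP. These are appended in order, after the P2P port
# block added earlier; anything appended later in the script (the string
# matches at the end) sits behind the LAN ACCEPT below and therefore never
# sees LAN-originated traffic.

# FWD: allow all connections OUT and only existing and related ones IN
$IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
# The original matched on source address alone ("-s $LAN"). With rp_filter
# disabled that also forwards a packet arriving on $EXTIF with a forged LAN
# source address into the LAN. Binding the rule to the LAN interface closes
# that without affecting genuine LAN hosts, which always arrive on $INTIF.
$IPTABLES -A FORWARD -i "$INTIF" -s "$LAN" -j ACCEPT

# Only packets that are neither replies nor from the LAN get this far --
# in practice, new connections arriving on $EXTIF.
$IPTABLES -A FORWARD -p tcp --dport 0:65000 -j DROP
$IPTABLES -A FORWARD -p udp --dport 0:65000 -j DROP

$IPTABLES -A FORWARD -p tcp --dport 182 -j DROP
$IPTABLES -A FORWARD -p udp --dport 182 -j DROP

# Unreachable for LAN traffic (already accepted above); kept as in the original.
$IPTABLES -A FORWARD -p tcp -m multiport --dports 21,22,53,110,143,5050,10000 -i "$INTIF" -j ACCEPT
$IPTABLES -A FORWARD -p udp -m multiport --dports 21,22,53,110,143,5050,10000 -i "$INTIF" -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT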

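#-------------- DROPPING PORTS --------------#
# All of these are inserted (-I) and so end up at the top of INPUT, ahead of
# the per-port ACCEPTs above. Script order is preserved so the resulting
# chain is the same as the original's. The original hard-coded "ppp0" and
# called bare "/sbin/iptables" in places; $EXTIF (= ppp0) and $IPTABLES are
# used throughout for consistency.

# Ports closed on every interface (NetBIOS, ident, NFS/portmap, PPTP, ...).
for port in 139 113 2049 111 826 1723; do
  $IPTABLES -I INPUT -p tcp --dport "$port" -j DROP
  $IPTABLES -I INPUT -p udp --dport "$port" -j DROP
done
#$IPTABLES -I INPUT -p tcp --dport 25 -j DROP
#$IPTABLES -I INPUT -p udp --dport 25 -j DROP

#$IPTABLES -A OUTPUT -o "$EXTIF" -d 66.163.181.180 -j DROP

#$IPTABLES -I FORWARD -p tcp --dport 25 -j DROP
#$IPTABLES -I FORWARD -p udp --dport 25 -j DROP

# P2P/malware ports dropped in FORWARD in both directions (these -I rules
# are the only FORWARD blocks that actually precede the LAN ACCEPT).
$IPTABLES -I FORWARD -p tcp -m multiport --dports 3135,3514,3587,4033,4661,5427,6581,9104,6881:6999 -j DROP
$IPTABLES -I FORWARD -p udp -m multiport --dports 3135,3514,3587,4033,4661,5427,6581,9104,6881:6999 -j DROP

# Admin ports ($PORTTRIMA) on the external interface: dropped for everyone,
# then the two trusted remote ranges are inserted above the DROP so they are
# let through. The ACCEPTs additionally require a destination in $EXTIP1.
$IPTABLES -I INPUT -p udp -i "$EXTIF" -m multiport --dports "$PORTTRIMA" -j DROP
$IPTABLES -I INPUT -p tcp -i "$EXTIF" -m multiport --dports "$PORTTRIMA" -j DROP
for src in "$REMOTEIP" "$REMOTEIP1"; do
  $IPTABLES -I INPUT -p tcp -i "$EXTIF" -s "$src" -d "$EXTIP1" -m multiport --dports "$PORTTRIMA" -j ACCEPT
  $IPTABLES -I INPUT -p udp -i "$EXTIF" -s "$src" -d "$EXTIP1" -m multiport --dports "$PORTTRIMA" -j ACCEPT
done

# Services that must not be reachable from the Internet at all.
# NOTE(review): 8080 and 3128 (the proxy ports) are NOT in this list and the
# INPUT policy is ACCEPT, so the proxy is reachable from $EXTIF unless it
# binds to $SERVER only -- verify, an open proxy is a common abuse vector.
$IPTABLES -I INPUT -p udp -i "$EXTIF" --dport 21 -j DROP
$IPTABLES -I INPUT -p udp -i "$EXTIF" --dport 53 -j DROP
for port in 21 53 106 110 111 113 139 443 445 826 901 993 995 3306 1723 2049; do
  $IPTABLES -I INPUT -p tcp -i "$EXTIF" --dport "$port" -j DROP
done
#$IPTABLES -I INPUT -p tcp -i "$EXTIF" --dport 25 -j DROP
#$IPTABLES -I INPUT -p udp -i "$EXTIF" --dport 80 -j DROP
#$IPTABLES -I INPUT -p tcp -i "$EXTIF" --dport 80 -j DROP
#$IPTABLES -I INPUT -p tcp -i "$EXTIF" --dport 143 -j DROP
#$IPTABLES -I INPUT -p tcp -i "$EXTIF" --dport 10000 -j DROP

# Hosts/networks blocklisted outright (the reason was not recorded).
$IPTABLES -I INPUT -p tcp -i "$EXTIF" -s 125.161.170.142/32 --dport 80 -j DROP
# "eth2" is not defined anywhere above; kept verbatim from the original.
$IPTABLES -I INPUT -p tcp -i eth2 -s 125.161.170.142/32 --dport 80 -j DROP
for src in \
  24.10.129.59/32 67.175.251.207/32 89.142.169.18/32 24.176.80.10/32 \
  70.55.20.174/32 75.72.78.238/32 71.234.160.25/32 75.216.230.107/32 \
  98.30.94.174/32 195.50.191.14/32 68.198.229.137/32 66.74.232.167/32 \
  101.79.129.21/32 89.114.232.0/21 174.127.73.230/32; do
  $IPTABLES -I INPUT -s "$src" -j DROP
done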

#/etc/init.d/shaper restart
#/etc/init.d/shaper start

#/script/ip.drop
#/script/mac.drop

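# Payload string matching for BitTorrent/DHT keywords and two old worm
# signatures. These are APPENDED to FORWARD, i.e. they sit behind the
# "-s $LAN -j ACCEPT" and ESTABLISHED,RELATED accepts earlier in the script,
# so LAN-originated flows are accepted before ever reaching them; as written
# they only see new inbound connections on $EXTIF that the port DROPs have
# not already caught. Moving them up (-I) would make them bite, but
# "announce"/"torrent" also occur in ordinary web pages, so expect
# collateral drops, and encrypted peers are not matched at all. Best-effort
# only. The original called bare "iptables"; $IPTABLES is used for consistency.

# Boyer-Moore matches over the packet payload
for pat in "BitTorrent" "BitTorrent protocol" "peer_id=" ".torrent" \
           "announce.php?passkey=" "torrent" "announce" "info_hash"; do
  $IPTABLES -A FORWARD -m string --algo bm --string "$pat" -j DROP
done
$IPTABLES -A FORWARD -m string --algo bm --string "/default.ida?" -j DROP   # Code Red worm
$IPTABLES -A FORWARD -m string --algo bm --string ".exe?/c+dir" -j DROP     # Nimda worm
$IPTABLES -A FORWARD -m string --algo bm --string ".exe?/c_tftp" -j DROP    # Nimda worm

# BitTorrent tracker keys (Knuth-Morris-Pratt, first 65535 bytes)
for pat in "peer_id" "BitTorrent" "BitTorrent protocol" "bittorrent-announce" \
           "announce.php?passkey="; do
  $IPTABLES -A FORWARD -m string --string "$pat" --algo kmp --to 65535 -j DROP
done

# DHT keywords
for pat in "info_hash" "get_peers" "announce" "announce_peers"; do
  $IPTABLES -A FORWARD -m string --string "$pat" --algo kmp --to 65535 -j DROP
done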
